Ransomware Service Manipulation

Tactics: Defense Evasion, Impact | Techniques: T1562.001, T1489 | Detection difficulty: LOW | Prevalence: HIGH

Before encrypting files, ransomware operators stop and delete security tools, backup services, and database engines to maximize impact and prevent recovery. This service manipulation phase is the last detectable warning before encryption begins. The chokepoint is immutable: admin/SYSTEM privileges, service enumeration, and service stop/delete capability are always required regardless of which ransomware family is executing. This pattern has remained consistent across all major ransomware families from 2021 to present, with kill lists expanding but the core behavior unchanged.

Attack Chokepoints (3 invariant stages)

Each stage is an invariant condition the attacker must satisfy, regardless of tool, variant, or threat actor. Detection at any stage breaks the chain.

Stage 1: Service Enumeration
Preconditions:
  • Admin or SYSTEM privileges already established on target system
  • Target security, backup, and database services are running (cannot stop what is not running)
Input: Attacker has SYSTEM privileges on the target system
Chokepoint: Actor enumerates running services to build the kill list via sc query, Get-Service, wmic, or equivalent
Observable: Sysmon EID 1 showing sc.exe query, wmic service get, or Get-Service commands. Multiple service enumeration commands in rapid succession from the same process or user context.
Why unavoidable: Ransomware cannot stop what it cannot find. Service enumeration precedes every observed kill sequence across all documented families. sc.exe stop and delete require Admin or SYSTEM privileges, so without privilege escalation the chain fails before enumeration can complete.
Log sources:
  • Sysmon Event ID 1 (sc.exe query / wmic service get / Get-Service)
  • Windows Security Event ID 4688 (Process Creation)
Output: Service kill list has been built via enumeration
Stage 2: Bulk Service Stop
Input: Service kill list has been built via enumeration
Chokepoint: Security, backup, and database services are stopped in rapid succession via sc.exe, net stop, taskkill, or WMI StopService; multiple services are stopped within a short window.
Observable: Windows System EID 7036 showing multiple security/backup services transitioning to "stopped" state within 60 seconds. Sysmon EID 1 showing repeated sc stop or net stop commands.
Why unavoidable: Files locked by running services cannot be encrypted. Stop must precede encryption in every observed ransomware family without exception.
Log sources:
  • Windows System Event ID 7036 (Service State Change — stopped)
  • Windows System Event ID 7040 (Service Start Type Changed — disabled)
  • Sysmon Event ID 1 (sc.exe / net.exe / taskkill.exe process creation)
Bypass risk: Purpose-built EDR killers (BYOVD drivers, EDRKillShifter) bypass service-stop detection by killing the EDR process at kernel level. Monitor Sysmon EID 6 for suspicious driver loads immediately before bulk service termination.
Output: Target services have been stopped
Stage 3: Service Deletion
Input: Target services have been stopped
Chokepoint: Stopped services are deleted or permanently disabled to prevent automatic restart during the encryption phase
Observable: Sysmon EID 1 showing sc.exe delete or sc.exe config start= disabled commands targeting security and backup services. Registry changes under HKLM\SYSTEM\CurrentControlSet\Services\ confirming service deletion.
Why unavoidable: Without deletion, Windows service recovery policies restart stopped services and interfere with encryption. Deletion is confirmed across all major documented families.
Log sources:
  • Sysmon Event ID 1 (sc.exe delete / sc.exe config start= disabled)
  • Sysmon Event ID 12/13 (Registry key deletion under Services hive)

Variations (5 variants tracked)

Tools and methods that exploit this chokepoint. The list grows. The chokepoint doesn't change.

BlackBasta (2022, Legacy)
Targets AV, EDR, Veeam backup, SQL databases; average TTR 6-12 hours; last victim posted January 2025; internal Matrix chat logs leaked February 2025; considered inactive by March 2025 after the chat logs (196k messages) were leaked by a disgruntled member; former members migrated to CACTUS and SafePay.
Executed via batch script or cmd.exe after gaining SYSTEM via Qakbot/Cobalt Strike. Targets AV, EDR, Veeam backup, SQL databases. Average TTR 6-12 hours from initial access.
sc stop SophosService
sc stop veeam
sc stop MSSQLSERVER
sc stop wbengine
sc delete SophosService
sc config veeam start= disabled
  • Sysmon EID 1: sc.exe with stop and security/backup service name
  • Sysmon EID 1: sc.exe with delete or config start= disabled
  • Windows System EID 7036: Multiple services stopped within 60 seconds
  • Windows System EID 7040: Service start type changed to disabled
Same chokepoint: SYSTEM access → sc.exe enumerates services → bulk sc stop/delete → encryption begins
Source: reliaquest.com
Alphv/BlackCat (2021, Legacy)
Targets Sophos, Defender, VSS, SQL; cross-platform (Windows and Linux/ESXi); FBI disruption December 2023; exited via exit scam March 2024 after the $22M Change Healthcare ransom, when leadership withheld affiliate commissions and shut down infrastructure.
Cross-platform (Windows Rust, Linux C). Windows variant embeds a service kill list. Also uses vssadmin to delete shadow copies. FBI disruption Dec 2023, exit scam March 2024.
# Windows Rust binary with embedded service list:
net stop "Sophos Agent" /y
net stop "vss" /y
net stop "MSSQL$SQLEXPRESS" /y
wmic service where "name like '%backup%'" call stopservice
  • Sysmon EID 1: net.exe or net1.exe with stop and service name
  • Sysmon EID 1: wmic.exe with service and stopservice
  • Sysmon EID 1: vssadmin.exe with delete shadows
  • Windows System EID 7036: Bulk service stops
Same chokepoint: SYSTEM → embedded kill list → net stop / wmic stopservice → vssadmin delete shadows → encryption
Source: www.cisa.gov
Akira (2023, Active)
Prioritizes Defender and backup agents; targets VPN appliances for initial access
Prioritizes Defender and backup agents. Initial access via VPN appliances (Cisco, Fortinet). Uses PowerShell for service manipulation alongside sc.exe.
powershell -Command "Get-Service -Name *sophos*, *veeam*, *sql*, *backup* | Stop-Service -Force"
sc config WinDefend start= disabled
net stop WinDefend /y
  • Sysmon EID 1: powershell.exe with Stop-Service -Force and wildcard service names
  • Sysmon EID 1: sc.exe with config WinDefend start= disabled
  • Windows System EID 7036: Defender + backup services stopped
Same chokepoint: Admin via VPN compromise → PowerShell Get-Service enumeration → Stop-Service -Force → sc config disable
Source: www.cisa.gov
Qilin (2022, Active)
Originally tracked as Agenda (Golang); rebranded to Qilin and rewrote in Rust in 2022; fully operational RaaS by February 2023; targets EDR, Veeam, databases; VMware ESXi variant active; surged to prominence with NHS/Synnovis attack June 2024
Rewritten in Rust (2022). Uses Windows API directly for service manipulation, reducing sc.exe command-line artifacts. ESXi variant kills VM processes before encrypting VMDK files.
# Rust binary — service manipulation via Windows API, not sc.exe:
qilin.exe --kill-services --paths \\DC\SYSVOL\domain\scripts\
# ESXi variant:
esxcli vm process list
esxcli vm process kill --type=force --world-id=<id>
  • Windows System EID 7036: EDR/backup services stopped without sc.exe CLI
  • Sysmon EID 1: Qilin binary execution with --kill-services
  • ESXi: esxcli process kill events in hostd.log
Same chokepoint: SYSTEM → Windows API service stop (no sc.exe) → service state changes (EID 7036) → encryption
Source: socradar.io
LockBit 3.0 (2022, Declining)
Comprehensive kill list (50+ services); Group Policy abuse for domain-wide deployment; Operation Cronos (February 2024) seized 28 servers, source code, and 1000+ decryption keys, significantly reducing operational capacity.
Most comprehensive kill list (50+ services). Uses Group Policy for domain-wide deployment. Disables Windows recovery and deletes shadow copies. Operation Cronos (Feb 2024) seized infrastructure.
# Domain-wide via Group Policy scheduled task:
schtasks /create /tn "Windows Update" /tr "C:\windows\temp\lockbit.exe" /sc once /st 00:00 /ru SYSTEM
# Kill list (50+ services):
sc stop SophosFileScanner
sc stop CrowdStrike
sc stop SentinelAgent
sc stop veeam
sc stop MSSQLSERVER
sc stop wbengine
sc stop VSS
# ... 40+ more services
vssadmin delete shadows /all /quiet
bcdedit /set {default} recoveryenabled No
  • Sysmon EID 1: 50+ sc.exe stop commands in rapid succession
  • Sysmon EID 1: vssadmin.exe delete shadows /all /quiet
  • Sysmon EID 1: bcdedit.exe /set recoveryenabled No
  • Sysmon EID 1: schtasks.exe /create with SYSTEM context
  • Windows System EID 7036: 50+ services stopped in under 5 minutes
  • Security EID 4698: Scheduled task created across multiple hosts
Same chokepoint: Domain admin → GPO scheduled task → 50+ sc stop commands → vssadmin + bcdedit → domain-wide encryption
Source: www.trendmicro.com
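The five variants above spell the same three actions (stop, disable, delete, plus the enumeration that precedes them) with different tools: sc, net, wmic, PowerShell Stop-Service, and taskkill. Detection content that keys on the normalized action rather than one tool's syntax survives a change of tooling. The following Python normalizer is an added example, not code from the page or from any ransomware family's tooling. The SENSITIVE_KEYWORDS list is an assumption that mirrors the page's Sigma selections; the taskkill and enumeration lines in VARIANT_COMMANDS are constructed, the rest are the variant command lines quoted above.

```python
import re
from dataclasses import dataclass

# Assumed keyword list for security, backup and database services (constructed,
# mirrors the page's Sigma selections; tune for your environment).
SENSITIVE_KEYWORDS = ("sophos", "savservice", "windefend", "sense", "wdnissvc",
                      "msmpeng", "veeam", "vss", "wbengine", "sql", "postgres",
                      "acronis", "backup", "crowdstrike", "sentinel")


@dataclass(frozen=True)
class ServiceAction:
    action: str   # ENUMERATE | STOP | DISABLE | DELETE
    service: str  # name or wildcard as written on the command line; "*" if none
    tool: str     # sc | net | net1 | wmic | powershell | pwsh | taskkill


_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
_WMIC_NAME = re.compile(r"name\s*(?:like|=)\s*'([^']*)'", re.I)
_PS_NAME = re.compile(r"-(?:Name|DisplayName)\s+([^|;]+)", re.I)


def tokenize(cmdline: str) -> list[str]:
    """Split on whitespace while keeping double-quoted spans whole."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _TOKEN.finditer(cmdline)]


def _tool(token: str) -> str:
    name = token.lower().replace("/", "\\").rsplit("\\", 1)[-1]
    return name[:-4] if name.endswith(".exe") else name


def is_sensitive(service: str) -> bool:
    low = service.lower()
    return any(k in low for k in SENSITIVE_KEYWORDS)


def normalize(cmdline: str) -> list[ServiceAction]:
    """Map one command line onto zero or more (action, service, tool) records."""
    toks = tokenize(cmdline)
    if not toks:
        return []
    tool, args = _tool(toks[0]), toks[1:]
    low = [a.lower() for a in args]

    if tool == "sc":
        if low and low[0].startswith("\\\\"):      # optional \\server argument
            args, low = args[1:], low[1:]
        if not low:
            return []
        verb, target = low[0], (args[1] if len(args) > 1 else "*")
        if verb in ("query", "queryex"):
            return [ServiceAction("ENUMERATE", target, tool)]
        if verb in ("stop", "delete"):
            return [ServiceAction(verb.upper(), target, tool)]
        # "sc config X start= disabled" tokenizes as ..., "start=", "disabled"
        if verb == "config" and any("disabled" in t for t in low[2:]):
            return [ServiceAction("DISABLE", target, tool)]
        return []

    if tool in ("net", "net1"):
        if len(args) >= 2 and low[0] == "stop":
            return [ServiceAction("STOP", args[1], tool)]
        return []

    if tool == "wmic" and low and low[0] == "service":
        m = _WMIC_NAME.search(cmdline)
        target = m.group(1) if m else "*"
        if "stopservice" in low:
            return [ServiceAction("STOP", target, tool)]
        if "get" in low or "list" in low:
            return [ServiceAction("ENUMERATE", target, tool)]
        return []

    if tool in ("powershell", "pwsh"):
        m = _PS_NAME.search(cmdline)
        names = [n.strip().strip('"\'') for n in m.group(1).split(",")] if m else ["*"]
        text = cmdline.lower()
        if "stop-service" in text:       # Get-Service ... | Stop-Service is a STOP
            return [ServiceAction("STOP", n, tool) for n in names]
        if "set-service" in text and "disabled" in text:
            return [ServiceAction("DISABLE", n, tool) for n in names]
        if "get-service" in text:
            return [ServiceAction("ENUMERATE", n, tool) for n in names]
        return []

    if tool == "taskkill" and "/im" in low and low.index("/im") + 1 < len(args):
        # Killing the service host process: same chokepoint, different verb
        return [ServiceAction("STOP", args[low.index("/im") + 1], tool)]
    return []


# Command lines quoted in the variant write-ups above; the taskkill line and the
# two enumeration lines at the end are constructed to exercise those paths.
VARIANT_COMMANDS = [
    "sc stop SophosService",
    "sc delete SophosService",
    "sc config veeam start= disabled",
    'net stop "Sophos Agent" /y',
    'net stop "MSSQL$SQLEXPRESS" /y',
    """wmic service where "name like '%backup%'" call stopservice""",
    'powershell -Command "Get-Service -Name *sophos*, *veeam*, *sql*, *backup* | Stop-Service -Force"',
    "sc config WinDefend start= disabled",
    "taskkill /F /IM MsMpEng.exe",
    "sc query",
    "wmic service get name,state",
]


def summarize(cmdlines: list[str]) -> dict[str, int]:
    """Count actions against sensitive (or wildcard) targets per chokepoint stage."""
    counts = {"ENUMERATE": 0, "STOP": 0, "DISABLE": 0, "DELETE": 0}
    for cl in cmdlines:
        for act in normalize(cl):
            if act.service == "*" or is_sensitive(act.service):
                counts[act.action] += 1
    return counts


if __name__ == "__main__":
    for cl in VARIANT_COMMANDS:
        print(f"{cl!r:95} -> {normalize(cl)}")
    print(summarize(VARIANT_COMMANDS))
```

Feeding the Sysmon EID 1 CommandLine field through normalize() and alerting on the (action, service) pair gives one rule for all five families; the per-tool Sigma selections above then become a list of tools to parse rather than a list of strings to match. Qilin's direct Windows API calls produce no command line at all, which is why the System 7036/7040 events remain the backstop.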

Detection Strategy

Rules organized by the chokepoint stage they detect. Each stage has one or more rules at different maturity levels.

Stage 1: Service Enumeration
Stage 2: Bulk Service Stop
Hunt-level rule (medium FP rate)
Goal
Service stop + delete combination for security or backup services in rapid succession
Log Sources
  • Windows System Event ID 7036 (Service State Change)
  • Windows System Event ID 7040 (Service Start Type Change)
  • Sysmon Event ID 1 (Process Creation for sc.exe, net.exe)
FP Rate
Medium
Use Case
Hunt for ransomware preparation activity; identifies pre-encryption service manipulation
Detection logic: sc.exe, net.exe, powershell.exe, or taskkill.exe with CommandLine containing stop AND a service keyword (sophos, defender, veeam, backup, acronis, mssql, mysql), followed within 60 seconds by a delete or disable of the same service via sc.exe. Also fires when 3+ security/backup services stop within 5 minutes from the same process or session.
Sigma Rule — Hunt Level
title: Multiple Security or Backup Services Stopped or Deleted in Rapid Succession
id: c5d9e1f3-a5b7-4c9d-1e3f-3a5b7c9d1e3f
status: experimental
description: >
  Detects sc.exe/net.exe/taskkill.exe stopping or deleting security and backup services,
  with focus on stop-then-delete sequences within 60 seconds.
references:
  - https://attack.mitre.org/techniques/T1562/001/
  - https://attack.mitre.org/techniques/T1489/
  - https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf
author: "@iimp0ster"
date: 2025/01/15
tags:
  - attack.defense_evasion
  - attack.t1562.001
  - attack.impact
  - attack.t1489
  - detection.maturity.hunt
logsource:
  category: process_creation
  product: windows
detection:
  selection_stop_tools:
    Image|endswith:
      - '\sc.exe'
      - '\net.exe'
      - '\net1.exe'
      - '\taskkill.exe'
  # Service stop commands targeting security/backup services
  selection_stop_action:
    CommandLine|contains:
      - ' stop '
      - ' delete '
      - '/IM '  # taskkill /IM
  selection_security_targets:
    CommandLine|contains:
      # Sophos
      - 'Sophos'
      - 'sophos'
      - 'SAVService'
      - 'SophosFileScanner'
      # Windows Defender
      - 'WinDefend'
      - 'Sense'
      - 'WdNisSvc'
      - 'WdFilter'
      - 'MsMpEng'
      # Veeam
      - 'Veeam'
      - 'veeam'
      # Volume Shadow Copy
      - 'VSS'
      - 'vss'
      - 'wbengine'
      # SQL / Database
      - 'MSSQL'
      - 'SQLWriter'
      - 'MySQL'
      - 'postgresql'
      # Acronis
      - 'Acronis'
      - 'acronis'
      # Generic backup patterns
      - 'backup'
      - 'Backup'
  filter_legit_software:
    # Tune for your environment — add legitimate software that triggers this rule
    Image|endswith:
      - '\placeholder_tune_for_your_env.exe'
  condition: selection_stop_tools and selection_stop_action and selection_security_targets and not filter_legit_software
falsepositives:
  - Planned maintenance by system administrators (compare against change management records)
  - AV/EDR product uninstallation during software upgrade cycles
  - IT operations during system decommissioning
level: medium
Analyst-level rule (low FP rate)
Goal
Network logon + bulk service termination targeting specific security/backup services within a tight window
Log Sources
  • Sysmon Event ID 1 (Process Creation)
  • Windows Security Event ID 4624 (Logon)
  • Windows System Event ID 7036 (Service State)
  • Windows System Event ID 7040/7045 (Service Config)
FP Rate
Low
Use Case
SOC alerting; ransomware pre-encryption detection with minimal time to respond
Detection logic: Network logon (4624 LogonType 3) or local admin session running sc.exe/net.exe/taskkill.exe stops 5+ services in 10 minutes targeting security (SophosFileScanner, SAVService, WinDefend, Sense, MsMpEng), backup (Veeam*, VeeamDeploymentService, VSS, wbengine, *acronis*), or database (MSSQL*, SQLWriter, MySQL*, postgresql*), with a service delete attempted within 2 minutes. Weight after-hours activity or unusual source IP.
Sigma Rule — Analyst Level
title: Ransomware Pre-Encryption — Bulk Service Termination Targeting Sophos File Scanner
id: d6e0f2a4-b6c8-4d0e-2f4a-4b6c8d0e2f4a
status: experimental
description: >
  Detects sc.exe stopping then deleting a named security service. Strong pre-encryption
  indicator observed in Alphv/BlackCat, BlackBasta, and LockBit campaigns.
references:
  - https://attack.mitre.org/techniques/T1562/001/
  - https://attack.mitre.org/techniques/T1489/
  - https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf
  - https://www.mandiant.com/m-trends
author: "@iimp0ster"
date: 2025/01/15
tags:
  - attack.defense_evasion
  - attack.t1562.001
  - attack.impact
  - attack.t1489
  - detection.maturity.analyst
logsource:
  category: process_creation
  product: windows
detection:
  selection_sc_stop:
    Image|endswith: '\sc.exe'
    CommandLine|contains|all:
      - 'stop'
      - 'SophosFileScanner'
  selection_sc_delete:
    Image|endswith: '\sc.exe'
    CommandLine|contains|all:
      - 'delete'
      - 'SophosFileScanner'
  filter_legit_software:
    # Tune for your environment — add legitimate software that triggers this rule
    Image|endswith:
      - '\placeholder_tune_for_your_env.exe'
  condition: (selection_sc_stop or selection_sc_delete) and not filter_legit_software
falsepositives:
  - Sophos product uninstallation by authorized IT staff
  - Sophos version upgrade process (stop old, install new)
level: high
Stage 3: Service Deletion
Research-level rule (high FP rate)
Goal
Identify security or backup service state changes (stopped)
Log Sources
  • Windows System Event ID 7036 (Service State Change)
  • Windows System Event ID 7040 (Service Start Type Change)
FP Rate
High
Use Case
Baseline service stop frequency and patterns; identify maintenance windows vs. anomalies
Detection logic: EID 7036 Stopped events where Service Name contains sophos, defender, veeam, backup, or antivirus.
Sigma Rule — Research Level
title: Security or Backup Service Stopped
id: b4c8d0e2-f4a6-4b8c-0d2e-2f4a6b8c0d2e
status: experimental
description: >
  Detects security and backup service state changes to stopped. Baseline rule for
  understanding normal service stop patterns in your environment.
references:
  - https://attack.mitre.org/techniques/T1562/001/
  - https://attack.mitre.org/techniques/T1489/
  - https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf
author: "@iimp0ster"
date: 2025/01/15
tags:
  - attack.defense_evasion
  - attack.t1562.001
  - attack.impact
  - attack.t1489
  - detection.maturity.research
logsource:
  product: windows
  service: system
detection:
  selection_event:
    EventID: 7036
    # "The X service entered the stopped state."
    Message|contains: 'entered the stopped state'
  selection_security_services:
    Message|contains:
      # Sophos
      - 'Sophos'
      - 'sophos'
      # Microsoft Defender
      - 'WinDefend'
      - 'Windows Defender'
      - 'Sense'
      - 'WdNisSvc'
      # Generic AV/EDR patterns
      - 'Antivirus'
      - 'antivirus'
      # Backup services
      - 'Veeam'
      - 'veeam'
      - 'Volume Shadow Copy'
      - 'VSS'
      - 'wbengine'
      - 'Acronis'
      - 'acronis'
  filter_legit_software:
    # Tune for your environment — add legitimate software that triggers this rule
    Message|contains:
      - 'placeholder_tune_for_your_env'
  condition: selection_event and selection_security_services and not filter_legit_software
falsepositives:
  - System reboots (all services stop)
  - AV/EDR product updates (service restarts)
  - Maintenance windows (planned service stops)
  - Backup service completion cycles (Veeam, etc. stop between jobs)
level: low

Raw Log Samples (5 samples)

Real-world log events produced by this technique and which Sigma rules they trigger.

EID 1 (Sysmon): sc.exe used to stop a backup service; first service in a rapid bulk-stop sequence
EventID: 1 (Process Create) UtcTime: 2024-06-17 22:11:03.447 ProcessId: 5532 Image: C:\Windows\System32\sc.exe CommandLine: sc stop VeeamBackupSvc ParentImage: C:\Windows\System32\cmd.exe
EID 7036 (Windows System log): Veeam backup service stopped as part of the ransomware pre-encryption service kill
EventID: 7036 (The service entered the stopped state) TimeCreated: 2024-06-17T22:11:03.8834120Z Channel: System param1: Veeam Backup Service param2: stopped
EID 1 (Sysmon): sc.exe disables the service to prevent automatic restart
EventID: 1 (Process Create) UtcTime: 2024-06-17 22:11:04.112 ProcessId: 5540 Image: C:\Windows\System32\sc.exe CommandLine: sc config VeeamBackupSvc start= disabled ParentImage: C:\Windows\System32\cmd.exe
EID 7040 (Windows System log): Backup service start type changed to disabled; prevents auto-restart
EventID: 7040 (The start type of the service was changed) TimeCreated: 2024-06-17T22:11:04.2201830Z Channel: System param1: Veeam Backup Service param2: disabled
EID 1 (Sysmon): Service deleted to remove backup infrastructure entirely
EventID: 1 (Process Create) UtcTime: 2024-06-17 22:11:07.883 ProcessId: 5548 Image: C:\Windows\System32\sc.exe CommandLine: sc delete VeeamBackupSvc ParentImage: C:\Windows\System32\cmd.exe
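The Hunt and Analyst rules above describe windowed logic (a stop followed within 60 seconds by a delete or disable of the same service; 3+ services stopped within 5 minutes; 5+ within 10 minutes) that a stateless Sigma rule cannot express on its own, and the Qilin write-up notes stops that leave no sc.exe artifact because the service is stopped through the Windows API. The following Python correlator is an added example, not the page's or the project's code: it parses the flattened sample records above into events and applies those windows. The first five records in SAMPLE_EVENTS are the page's samples; the remaining six, the keyword-to-family table, and the 5-second look-back used to attribute a 7036 stop to a preceding sc.exe command are constructed assumptions. The Analyst rule's logon-type and after-hours weighting is not implemented; only its count threshold is.

```python
import re
from datetime import datetime, timedelta
from typing import Optional

# Constructed keyword -> family table; first match wins, so dict order matters.
SERVICE_FAMILIES = {
    "veeam": "veeam", "sophos": "sophos", "savservice": "sophos",
    "windefend": "defender", "defender": "defender", "msmpeng": "defender",
    "mssql": "sql", "sqlwriter": "sql", "sql": "sql",
    "volume shadow": "vss", "vss": "vss", "wbengine": "winbackup",
    "acronis": "acronis", "antivirus": "av", "backup": "backup",
}

# First five records are the page's samples; the rest are constructed to reach
# the 3-service Hunt threshold and to include one 7036 stop with no sc.exe
# command behind it (the API-driven pattern described for Qilin above).
SAMPLE_EVENTS = r"""
EventID: 1 (Process Create) UtcTime: 2024-06-17 22:11:03.447 ProcessId: 5532 Image: C:\Windows\System32\sc.exe CommandLine: sc stop VeeamBackupSvc ParentImage: C:\Windows\System32\cmd.exe
EventID: 7036 (The service entered the stopped state) TimeCreated: 2024-06-17T22:11:03.8834120Z Channel: System param1: Veeam Backup Service param2: stopped
EventID: 1 (Process Create) UtcTime: 2024-06-17 22:11:04.112 ProcessId: 5540 Image: C:\Windows\System32\sc.exe CommandLine: sc config VeeamBackupSvc start= disabled ParentImage: C:\Windows\System32\cmd.exe
EventID: 7040 (The start type of the service was changed) TimeCreated: 2024-06-17T22:11:04.2201830Z Channel: System param1: Veeam Backup Service param2: disabled
EventID: 1 (Process Create) UtcTime: 2024-06-17 22:11:07.883 ProcessId: 5548 Image: C:\Windows\System32\sc.exe CommandLine: sc delete VeeamBackupSvc ParentImage: C:\Windows\System32\cmd.exe
EventID: 1 (Process Create) UtcTime: 2024-06-17 22:11:05.010 ProcessId: 5552 Image: C:\Windows\System32\sc.exe CommandLine: sc stop SAVService ParentImage: C:\Windows\System32\cmd.exe
EventID: 7036 (The service entered the stopped state) TimeCreated: 2024-06-17T22:11:05.3010000Z Channel: System param1: Sophos Anti-Virus param2: stopped
EventID: 1 (Process Create) UtcTime: 2024-06-17 22:11:06.120 ProcessId: 5560 Image: C:\Windows\System32\sc.exe CommandLine: sc stop MSSQLSERVER ParentImage: C:\Windows\System32\cmd.exe
EventID: 7036 (The service entered the stopped state) TimeCreated: 2024-06-17T22:11:06.5120000Z Channel: System param1: SQL Server (MSSQLSERVER) param2: stopped
EventID: 7036 (The service entered the stopped state) TimeCreated: 2024-06-17T22:11:09.2000000Z Channel: System param1: Windows Defender Antivirus Service param2: stopped
EventID: 1 (Process Create) UtcTime: 2024-06-17 22:11:08.004 ProcessId: 5566 Image: C:\Windows\System32\sc.exe CommandLine: sc delete SAVService ParentImage: C:\Windows\System32\cmd.exe
"""

_KEYS = "EventID|UtcTime|ProcessId|Image|CommandLine|ParentImage|TimeCreated|Channel|param1|param2"
_FIELD_SPLIT = re.compile(rf"\s+(?=(?:{_KEYS}):\s)")
_SC_CMD = re.compile(r"^\s*(?:\S*\\)?sc(?:\.exe)?\s+(stop|delete|config)\s+(\S+)(.*)$", re.I)


def parse_ts(raw: str) -> datetime:
    """Accept Sysmon 'YYYY-MM-DD HH:MM:SS.fff' and 7-digit ISO-8601 'Z' stamps."""
    head, _, frac = raw.strip().rstrip("Z").replace("T", " ").partition(".")
    return datetime.strptime(f"{head}.{(frac + '000000')[:6]}", "%Y-%m-%d %H:%M:%S.%f")


def family(service: str) -> Optional[str]:
    low = service.lower()
    return next((fam for kw, fam in SERVICE_FAMILIES.items() if kw in low), None)


def parse_line(line: str) -> Optional[dict]:
    """Flattened 'Key: value' record -> {ts, src, kind, service}; None if irrelevant."""
    if not line.strip():
        return None
    fields = dict(p.partition(": ")[::2] for p in _FIELD_SPLIT.split(line.strip()))
    eid = int(fields["EventID"].split()[0])
    if eid == 1:  # Sysmon process creation: only sc.exe stop/delete/config start= disabled
        m = _SC_CMD.match(fields.get("CommandLine", ""))
        verb = m.group(1).lower() if m else None
        if verb is None or (verb == "config" and "disabled" not in m.group(3).lower()):
            return None
        kind = {"stop": "STOP", "delete": "DELETE", "config": "DISABLE"}[verb]
        return {"ts": parse_ts(fields["UtcTime"]), "src": "sysmon1", "kind": kind, "service": m.group(2)}
    if eid in (7036, 7040):  # System log: service state / start type change
        kind = {"stopped": "STOP", "disabled": "DISABLE"}.get(fields["param2"].lower())
        if kind is None:
            return None
        return {"ts": parse_ts(fields["TimeCreated"]), "src": f"system{eid}", "kind": kind,
                "service": fields["param1"]}
    return None


def stop_then_remove(events, window=timedelta(seconds=60)) -> set:
    """Hunt: sc stop followed within `window` by sc delete / config start= disabled of the same service."""
    cli = [e for e in events if e["src"] == "sysmon1"]
    return {s["service"] for s in cli if s["kind"] == "STOP"
            for f in cli if f["kind"] in ("DELETE", "DISABLE")
            and f["service"].lower() == s["service"].lower()
            and s["ts"] <= f["ts"] <= s["ts"] + window}


def max_families_stopped(events, window) -> int:
    """Most distinct sensitive families entering the stopped state (7036) inside any `window`."""
    stops = sorted((e for e in events if e["src"] == "system7036" and family(e["service"])),
                   key=lambda e: e["ts"])
    return max((len({family(e["service"]) for e in stops[i:] if e["ts"] <= s["ts"] + window})
                for i, s in enumerate(stops)), default=0)


def stops_without_cli(events, lookback=timedelta(seconds=5)) -> list:
    """7036 stops with no sc.exe stop for the same family in the preceding `lookback`."""
    cli_stops = [e for e in events if e["src"] == "sysmon1" and e["kind"] == "STOP"]
    return [e["service"] for e in events
            if e["src"] == "system7036" and family(e["service"])
            and not any(family(c["service"]) == family(e["service"])
                        and e["ts"] - lookback <= c["ts"] <= e["ts"] for c in cli_stops)]


def evaluate(lines) -> dict:
    """Apply the page's Hunt and Analyst thresholds to a list of flattened records."""
    events = [e for e in map(parse_line, lines) if e]
    return {
        "hunt_stop_then_remove": sorted(stop_then_remove(events)),
        "hunt_bulk_stop_3_in_5m": max_families_stopped(events, timedelta(minutes=5)) >= 3,
        "analyst_bulk_stop_5_in_10m": max_families_stopped(events, timedelta(minutes=10)) >= 5,
        "stops_without_cli_artifact": stops_without_cli(events),
    }


if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS.strip().splitlines()))
```

Counting distinct families from 7036 rather than from command lines is deliberate: the System log records the state change whether it was caused by sc.exe, net.exe, PowerShell, or a direct ControlService call, so the bulk-stop threshold still fires for the Qilin-style variant, and the missing sc.exe artifact becomes its own signal instead of a blind spot.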

Emulation

ATT&CK: T1562.001. Simulates the bulk service stop, disable, and delete pattern used by ransomware before encryption (PowerShell script below).
Lab use only. Requires Administrator. Creates dummy test services. Optionally targets VSS. Lab VM only.
#Requires -Version 5.1
# MITRE ATT&CK: T1562.001 / T1489 — Impair Defenses / Service Stop
# Simulates ransomware pre-encryption steps: VSS deletion and backup service termination.

[CmdletBinding()]
param(
    [int]$TargetCount = 3,
    [switch]$TargetVss,
    [switch]$CleanupOnly
)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Continue'

function Write-Step ([string]$Msg) { Write-Host "[*] $Msg" -ForegroundColor Cyan }
function Write-Ok   ([string]$Msg) { Write-Host "[+] $Msg" -ForegroundColor Green }
function Write-Warn ([string]$Msg) { Write-Host "[!] $Msg" -ForegroundColor Yellow }

$ServicePrefix = 'RansomTestSvc'

function Remove-Artefacts {
    for ($i = 1; $i -le $TargetCount; $i++) {
        $svcName = "$ServicePrefix$i"
        if (Get-Service -Name $svcName -ErrorAction SilentlyContinue) {
            sc.exe stop $svcName 2>&1 | Out-Null
            sc.exe delete $svcName 2>&1 | Out-Null
        }
    }
    Write-Ok "All test services cleaned up"
}

if ($CleanupOnly) { Remove-Artefacts; exit 0 }

$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) {
    Write-Error "Administrator privileges required. Rerun as Administrator."
    exit 1
}

Write-Host ""
Write-Host "=== Ransomware Service Manipulation Emulation ===" -ForegroundColor Magenta
Write-Host "    T1562.001 + T1489 | Detection Chokepoints Project" -ForegroundColor DarkGray
Write-Host ""

Write-Step "Step 1/3 — Creating $TargetCount dummy test services"
Write-Verbose "  These stand in for real targets: VeeamBackupSvc, WinDefend, VSS, SQLWriter"

# Dummy binary path (does not exist): the service can never start, so "sc stop" returns error 1062
# ("The service has not been started") and no WEL 7036 is logged for it; Sysmon EID 1 still records
# the command, and "sc config" / "sc delete" succeed (WEL 7040 and Services-hive registry changes).
$DummyBin = 'C:\Windows\Temp\ransom_test_svc.exe'
for ($i = 1; $i -le $TargetCount; $i++) {
    $svcName = "$ServicePrefix$i"
    $result = sc.exe create $svcName binPath= $DummyBin start= auto `
        displayname= "Ransom Test Service $i (SAFE TO DELETE)" 2>&1
    Write-Ok "Created: $svcName — $result"
}

Start-Sleep -Milliseconds 300

Write-Step "Step 2/3 — Bulk service stop + disable (WEL 7036, 7040, Sysmon EID 1)"
Write-Verbose "  Pattern: 3+ services stopped within 5-min window = Hunt trigger"
Write-Verbose "  Pattern: 5+ services stopped = Analyst threshold"

$StoppedCount = 0
for ($i = 1; $i -le $TargetCount; $i++) {
    $svcName = "$ServicePrefix$i"

    # Stop (Sysmon EID 1 always; WEL 7036 only if the service was running, which these dummies are not)
    $stopOut = sc.exe stop $svcName 2>&1
    Write-Ok "sc stop $svcName`: $stopOut"
    $StoppedCount++

    # Disable (generates WEL 7040)
    $disableOut = sc.exe config $svcName start= disabled 2>&1
    Write-Ok "sc config $svcName start=disabled: $disableOut"

    Start-Sleep -Milliseconds 200   # rapid but observable
}

Write-Ok "Bulk stop complete: $StoppedCount services stopped in rapid succession"
if ($StoppedCount -ge 5) {
    Write-Ok "Analyst threshold exceeded ($StoppedCount >= 5 services)"
} elseif ($StoppedCount -ge 3) {
    Write-Ok "Hunt threshold met ($StoppedCount >= 3 services)"
}

Start-Sleep -Milliseconds 300

if ($TargetVss) {
    Write-Step "Step 2b — Stopping VSS and wbengine (Volume Shadow + Windows Backup)"
    Write-Warn "Stopping VSS temporarily. Both services will be restarted afterwards. No shadow copies will be deleted."

    sc.exe stop VSS 2>&1 | ForEach-Object { Write-Ok "VSS: $_" }
    sc.exe stop wbengine 2>&1 | ForEach-Object { Write-Ok "wbengine: $_" }

    Start-Sleep -Milliseconds 500

    sc.exe start VSS 2>&1 | Out-Null
    sc.exe start wbengine 2>&1 | Out-Null
    Write-Ok "VSS + wbengine restarted"
}

Write-Step "Step 3/3 — Service delete (sc delete — ransomware persistence removal step)"
Write-Verbose "  Combined with bulk stop: meets Analyst rule criteria"

for ($i = 1; $i -le $TargetCount; $i++) {
    $svcName = "$ServicePrefix$i"
    $deleteOut = sc.exe delete $svcName 2>&1
    Write-Ok "sc delete $svcName`: $deleteOut"
    Start-Sleep -Milliseconds 100
}

Write-Host ""
Write-Host "=== Emulation Complete ===" -ForegroundColor Magenta
Write-Host ""
Write-Host "Expected detections:" -ForegroundColor White
Write-Host "  [Research]  WEL 7036 — service name matches security/backup keyword list"         -ForegroundColor DarkCyan
Write-Host "  [Hunt]      EID 1 (sc.exe stop + delete) + WEL 7036/7040 within 60s window"      -ForegroundColor DarkYellow
Write-Host "  [Analyst]   $TargetCount+ services stopped in 10 min + service deletes"                      -ForegroundColor DarkGreen
Write-Host ""
Write-Host "Note: Analyst rule checks service NAMES against a security/backup list." -ForegroundColor DarkGray
Write-Host "  'RansomTestSvc' names may not match — use -TargetVss for real target names (VSS/wbengine)" -ForegroundColor DarkGray
Write-Host "  For highest fidelity, target WinDefend + VSS + MSSQL names (in lab with those services)" -ForegroundColor DarkGray
Write-Host ""

OSINT Pivots