The hypothesis is that the detection rule identifies adversaries attempting to stop critical services as part of a ransomware attack to disrupt operations and cover their tracks. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential ransomware activity early and mitigate impact.
KQL Query

```kusto
// Attempts to stop services and allow ransomware execution
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName startswith "psexe" and FileName =~ "powershell.exe" and
    ProcessCommandLine has "stop-service"
    and ProcessCommandLine has "sql" and ProcessCommandLine has "msexchange"
```
```yaml
id: a1c2f319-21a9-4f63-a130-cc1875123fe5
name: doppelpaymer-stop-services
description: |
  This query was originally published in the threat analytics report, Doppelpaymer: More human-operated ransomware. There is also a related blog.
  DoppelPaymer is ransomware that is spread manually by human operators. These operators have exhibited extensive knowledge of system administration and common network security misconfigurations. They often use stolen credentials from over-privileged service accounts to turn off security software, run malicious commands, and spread malware throughout an organization.
  The following query detects attempts to stop security services.
  The See also section below lists links to other queries associated with DoppelPaymer.
  References:
  https://msrc-blog.microsoft.com/2019/11/20/customer-guidance-for-the-dopplepaymer-ransomware/
  https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/DoppelPaymer!MTB&threatId=-2147205372
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Execution
  - Defense evasion
query: |
  // Attempts to stop services and allow ransomware execution
  DeviceProcessEvents
  | where Timestamp > ago(7d)
  | where InitiatingProcessFileName startswith "psexe" and FileName =~ "powershell.exe" and
      ProcessCommandLine has "stop-service"
      and ProcessCommandLine has "sql" and ProcessCommandLine has "msexchange"
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
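To make the rule's predicates concrete, the following is an added Python re-implementation of the query's two `where` clauses run over constructed `DeviceProcessEvents` rows; it is example code written for this page, not part of the Sentinel rule or of Microsoft's published query. The `kql_has` helper is an approximation of Kusto's whole-term `has` semantics (strings broken into runs of alphanumerics, compared case-insensitively), which is why a literal service name such as `MSExchangeIS` is not matched by `has "msexchange"` while the wildcard form `MSExchange*` is.

```python
import re
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)  # fixed "now" for reproducibility

def _event(age, parent, fname, cmd):
    return {"Timestamp": NOW - age, "InitiatingProcessFileName": parent,
            "FileName": fname, "ProcessCommandLine": cmd}

# Constructed sample rows (not real telemetry) exercising each clause of the rule.
SAMPLE_EVENTS = [
    # 1: PsExec service launching PowerShell to stop SQL and Exchange services -> hit
    _event(timedelta(hours=2), "PSEXESVC.exe", "PowerShell.EXE",
           'powershell -c "Stop-Service -Name SQL*,MSExchange* -Force"'),
    # 2: same command from an interactive shell: parent is not psexe* -> no hit
    _event(timedelta(hours=3), "explorer.exe", "powershell.exe",
           'powershell -c "Stop-Service -Name SQL*,MSExchange* -Force"'),
    # 3: outside the 7-day window -> no hit
    _event(timedelta(days=9), "PSEXESVC.exe", "powershell.exe",
           'powershell -c "Stop-Service -Name SQL*,MSExchange* -Force"'),
    # 4: literal service names: 'has' is whole-term, so "MSSQLSERVER" and
    #    "MSExchangeIS" do not contain the terms "sql" / "msexchange" -> no hit
    _event(timedelta(hours=1), "psexesvc.exe", "powershell.exe",
           'powershell -c "Stop-Service MSSQLSERVER,MSExchangeIS -Force"'),
]

def _terms(text):
    # Approximation of Kusto term breaking: runs of alphanumerics, lower-cased
    return re.findall(r"[a-z0-9]+", text.lower())

def kql_has(haystack, needle):
    """Approximates KQL 'has': needle's terms occur as consecutive whole terms."""
    h, n = _terms(haystack), _terms(needle)
    return any(h[i:i + len(n)] == n for i in range(len(h) - len(n) + 1))

def matches_rule(event, now=NOW, window=timedelta(days=7)):
    """Python equivalent of the two 'where' clauses in the KQL rule above."""
    if event["Timestamp"] <= now - window:          # Timestamp > ago(7d)
        return False
    cmd = event["ProcessCommandLine"]
    return (event["InitiatingProcessFileName"].lower().startswith("psexe")  # startswith is case-insensitive
            and event["FileName"].lower() == "powershell.exe"               # =~ is case-insensitive
            and kql_has(cmd, "stop-service")
            and kql_has(cmd, "sql")
            and kql_has(cmd, "msexchange"))

def run_rule(events, now=NOW):
    return sorted((e for e in events if matches_rule(e, now)), key=lambda e: e["Timestamp"])
```

Row 4 is the detection-gap case to keep in mind when tuning: because `has` matches whole terms, a command that names services literally rather than with a wildcard or standalone token slips past the `"sql"` and `"msexchange"` predicates.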
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task is running to stop and restart services as part of routine system maintenance or patching.
Filter/Exclusion: process.parent_process_name != "Task Scheduler" and process.name != "schtasks.exe"
Scenario: Manual Service Restart by Admin
Description: An administrator manually stops services using the command line or GUI tools (e.g., net stop, services.msc) during troubleshooting or configuration changes.
Filter/Exclusion: process.name != "cmd.exe" and process.name != "services.msc" and process.parent_process_name != "explorer.exe"
Scenario: Automated Backup Job Stopping Services
Description: A backup tool (e.g., Veeam, Acronis) temporarily stops services to ensure data consistency during a backup operation.
Filter/Exclusion: process.name != "veeam.exe" and process.name != "acronis.exe" and not (process.command_line contains "backup")
Scenario: Windows Update Service Stop During Patching
Description: Windows Update temporarily stops services to apply updates, which is a normal part of the Windows patching process.
Filter/Exclusion: process.name != "wuauserv.exe" and not (process.command_line contains "wuau") and not (process.command_line contains "update")
Scenario: Third-Party Monitoring Tool Service Management
Description: A monitoring tool (e.g., Nagios, Zabbix) stops services to check their status or perform health checks.
Filter/Exclusion: process.name != "nagios.exe" and process.name != "zabbix_agentd.exe" and not (process.command_line contains "check_service")