CLOP Ransomware Service Installation | LogForge Templates Registry

clop ransomware persistence t1543 malware threat-simulation

📄 XML Format

📊 13 Fields

✨ Generator

⏱️ Low Frequency

Overview

Simulates CLOP ransomware service installation events. CLOP is a sophisticated ransomware family that uses specific service names ('SecurityCenterIBM', 'WinCheckDRVs') for persistence and privilege escalation. This template generates events matching known CLOP TTPs for detection rule testing and SOC training.

When Generated:

During CLOP ransomware deployment phase
For persistence establishment on compromised Windows systems
In red team exercises simulating CLOP campaign tactics
For detection rule validation and SOC analyst training

Security Relevance: Critical

Compliance: MITRE ATT&CK T1543.003 (Create or Modify System Process: Windows Service) NIST Cybersecurity Framework - Detect (DE.CM) SANS TOP 20 Critical Security Controls PCI DSS Requirement 10 (Logging and Monitoring)

Frequency Notes: Very low frequency in legitimate environments - any occurrence should trigger immediate investigation

Resources

Documentation

Mandiant CLOP Ransomware Analysis reference
VirusTotal CLOP Ransomware Deep Dive community
MITRE ATT&CK - T1543.003 Windows Service reference
Splunk CLOP Detection Rule community
Windows Event ID 7045 Reference reference

Tools

Splunk Enterprise Security - Primary SIEM platform for CLOP detection and response
Sysmon - Enhanced Windows logging for detailed process and service monitoring
YARA Rules for CLOP - Pattern matching rules for CLOP ransomware identification
Windows Defender ATP - Microsoft's endpoint detection and response platform

Generation Configuration

Base Frequency: 0.2 events/hour

Time Patterns: business_hours night_hours weekend

Business Hours Multiplier: 1.5x

Night Hours Multiplier: 2.0x

Weekend Multiplier: 1.8x

Details

clop_persistence

Event Type

Fields

Low

Frequency

Field Definitions

Complete field reference for this event type with data types, descriptions, and example values.

Field Name	Type	Required	Format	Description	Example Value	Possible Values
Provider Source: Static values for Service Control Manager	Object	Required	—	Event provider information - always Service Control Manager for Event ID 7045	`{"Name": "Service Control Manager", "Guid": "{555908d1-a6d7-4695-8e1e-26931d2012f4}"}`	—
EventID Source: Static value 7045	Integer	Required	—	Windows Event ID - always 7045 for service installation	`7045`	—
TimeCreated Source: current_timestamp() \| timestamp_to_iso	DateTime	Required	`ISO 8601 with microseconds`	Timestamp when the service was installed	`2024-03-04T04:38:23.109986200Z`	—
EventRecordID Source: random_int(100000, 999999)	Integer	Required	—	Unique record identifier for this event log entry	`168102`	—
ProcessID Source: random_int(500, 2000)	Integer	Required	—	Process ID of the Service Control Manager process	`592`	—
ThreadID Source: random_int(600, 1000)	Integer	Required	—	Thread ID within the Service Control Manager process	`688`	—
Computer Source: registry.get_random_device().hostname \| default(random_hostname())	String	Required	—	Hostname/FQDN of the computer where service was installed	`ar-win-dc.attackrange.local`	—
UserID Source: registry.get_random_user().sid \| default(generated SID)	String	Required	`Windows SID format`	Security identifier (SID) of the user account that installed the service	`S-1-5-21-3344543075-1022232225-2459664213-500`	—
ServiceName Source: random_choice(['SecurityCenterIBM', 'WinCheckDRVs'])	String	Required	—	CLOP ransomware uses specific service names for persistence	`SecurityCenterIBM`	`SecurityCenterIBM` - Primary CLOP ransomware service name - mimics legitimate security software `WinCheckDRVs` - Secondary CLOP ransomware service name - appears to be driver checking utility
ImagePath Source: random_choice() weighted toward CLOP-typical paths	String	Required	—	CLOP often uses suspicious executable paths or system utilities for living-off-the-land attacks	`cmd.exe`	`cmd.exe` - Direct command execution - classic CLOP tactic for initial payload execution `C:\Temp\.exe` - Temporary directory execution - common staging area for CLOP payloads `C:\Windows\System32\.exe` - System masquerading - CLOP attempts to blend with legitimate system processes
ServiceType Source: random_choice() from valid service types	String	Required	—	Type of Windows service being installed	`user mode service`	`user mode service` - Standard user-mode service `kernel driver` - Kernel-level driver service `file system driver` - File system filter driver
StartType Source: random_choice() from valid start types	String	Required	—	Service startup configuration	`auto start`	`auto start` - Starts automatically at boot `demand start` - Starts manually when requested `disabled` - Service is disabled
AccountName Source: random_choice() from service accounts	String	Required	—	Account under which the service will run	`LocalSystem`	`LocalSystem` - Highest privilege system account `LocalService` - Limited system account `NetworkService` - Network-capable limited account