# CLOP Ransomware Service Installation

Known CLOP Persistence Mechanism - Event ID 7045

CLOP Ransomware Service Installation - Known persistence mechanism used by CLOP ransomware family

## Overview
Simulates CLOP ransomware service installation events. CLOP is a sophisticated ransomware family that uses specific service names ('SecurityCenterIBM', 'WinCheckDRVs') for persistence and privilege escalation. This template generates events matching known CLOP TTPs for detection rule testing and SOC training.
When Generated:
- During CLOP ransomware deployment phase
- For persistence establishment on compromised Windows systems
- In red team exercises simulating CLOP campaign tactics
- For detection rule validation and SOC analyst training
Security Relevance: Critical

Compliance:

Frequency Notes: Very low frequency in legitimate environments; any occurrence should trigger immediate investigation.
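The overview says these events exist for detection-rule testing, so the natural companion is the check a SOC would run over them. The following is an added example written for this page, not code from the template or from any of the tools listed under Resources. The events in SAMPLE_EVENTS are constructed in the template's field layout; the service names and ImagePath patterns used as indicators are the ones the page's field table lists. The severity tiers (critical for a known CLOP service name, medium for a suspicious path alone) are an assumption that follows the page's "any occurrence should trigger immediate investigation" note.

```python
"""Detection check for CLOP-style service installations (Windows Event ID 7045).

Added example for this page; not code from the template or the listed tools.
SAMPLE_EVENTS are constructed to match the template's field layout.
"""
import ntpath

# Service names the page attributes to CLOP persistence.
CLOP_SERVICE_NAMES = {"SecurityCenterIBM", "WinCheckDRVs"}
# ImagePath indicators from the page: direct cmd.exe execution and staging under C:\Temp.
SUSPICIOUS_BASENAMES = {"cmd.exe"}
SUSPICIOUS_DIRS = ("c:\\temp\\",)


def score_service_install(event):
    """Score one event; returns {'severity': ..., 'reasons': [...]}.

    Only Event ID 7045 is scored. A known CLOP service name is 'critical';
    a suspicious ImagePath on its own is 'medium'; otherwise 'none'.
    (Tiering is an assumption of this example, not something the page defines.)
    """
    if event.get("EventID") != 7045:
        return {"severity": "none", "reasons": []}
    reasons = []
    name = event.get("ServiceName", "")
    path = event.get("ImagePath", "")
    lowered = path.lower()
    if name in CLOP_SERVICE_NAMES:
        reasons.append("known CLOP service name: " + name)
    if ntpath.basename(lowered) in SUSPICIOUS_BASENAMES:
        reasons.append("service binary is a command shell: " + path)
    elif lowered.startswith(SUSPICIOUS_DIRS):
        reasons.append("service binary staged under C:\\Temp: " + path)
    # Privilege context is only worth reporting once something else looks wrong.
    if reasons and event.get("AccountName") == "LocalSystem" and event.get("StartType") == "auto start":
        reasons.append("auto-start service running as LocalSystem")
    if name in CLOP_SERVICE_NAMES:
        severity = "critical"
    elif reasons:
        severity = "medium"
    else:
        severity = "none"
    return {"severity": severity, "reasons": reasons}


def triage(events):
    """Return [(EventRecordID, severity, reasons)] for every event that needs review."""
    out = []
    for ev in events:
        verdict = score_service_install(ev)
        if verdict["severity"] != "none":
            out.append((ev.get("EventRecordID"), verdict["severity"], verdict["reasons"]))
    return out


# Constructed sample events in the template's field layout (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 7045, "EventRecordID": 168102, "Computer": "ar-win-dc.attackrange.local",
     "ServiceName": "SecurityCenterIBM", "ImagePath": "cmd.exe", "ServiceType": "user mode service",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"EventID": 7045, "EventRecordID": 168103, "Computer": "ar-win-dc.attackrange.local",
     "ServiceName": "Sysmon64", "ImagePath": "C:\\Windows\\Sysmon64.exe", "ServiceType": "user mode service",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"EventID": 7045, "EventRecordID": 168104, "Computer": "ar-win-dc.attackrange.local",
     "ServiceName": "UpdateHelper", "ImagePath": "C:\\Temp\\updater.exe", "ServiceType": "user mode service",
     "StartType": "demand start", "AccountName": "LocalService"},
    # A service state-change event, not an installation: must be ignored by the check.
    {"EventID": 7036, "EventRecordID": 168105, "Computer": "ar-win-dc.attackrange.local",
     "ServiceName": "SecurityCenterIBM"},
]

if __name__ == "__main__":
    for record_id, severity, reasons in triage(SAMPLE_EVENTS):
        print(record_id, severity, "; ".join(reasons))
```

Run against the four constructed events, the check reports the CLOP-named service as critical with three reasons, the C:\Temp service as medium, and leaves the Sysmon install and the non-7045 event alone; the same function can be pointed at events produced by this template to confirm a rule fires on every generated sample and not on the benign control.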
## Resources

### Documentation

- Mandiant CLOP Ransomware Analysis (reference)
- VirusTotal CLOP Ransomware Deep Dive (community)
- MITRE ATT&CK T1543.003, Windows Service (reference)
- Splunk CLOP Detection Rule (community)
- Windows Event ID 7045 Reference (reference)

### Tools

- Splunk Enterprise Security: primary SIEM platform for CLOP detection and response
- Sysmon: enhanced Windows logging for detailed process and service monitoring
- YARA Rules for CLOP: pattern-matching rules for CLOP ransomware identification
- Windows Defender ATP: Microsoft's endpoint detection and response platform
## Generation Configuration

### Field Definitions

Complete field reference for this event type with data types, descriptions, and example values. The Source column gives the expression the template uses to populate each field.
| Field Name | Source | Type | Required | Format | Description | Example | Possible Values |
|---|---|---|---|---|---|---|---|
| Provider | Static values for Service Control Manager | Object | Required | — | Event provider information; always Service Control Manager for Event ID 7045 | `{"Name": "Service Control Manager", "Guid": "{555908d1-a6d7-4695-8e1e-26931d2012f4}"}` | — |
| EventID | Static value 7045 | Integer | Required | — | Windows Event ID; always 7045 for service installation | `7045` | — |
| TimeCreated | `current_timestamp() \| timestamp_to_iso` | DateTime | Required | ISO 8601 with microseconds | Timestamp when the service was installed | `2024-03-04T04:38:23.109986200Z` | — |
| EventRecordID | `random_int(100000, 999999)` | Integer | Required | — | Unique record identifier for this event log entry | `168102` | — |
| ProcessID | `random_int(500, 2000)` | Integer | Required | — | Process ID of the Service Control Manager process | `592` | — |
| ThreadID | `random_int(600, 1000)` | Integer | Required | — | Thread ID within the Service Control Manager process | `688` | — |
| Computer | `registry.get_random_device().hostname \| default(random_hostname())` | String | Required | — | Hostname/FQDN of the computer where the service was installed | `ar-win-dc.attackrange.local` | — |
| UserID | `registry.get_random_user().sid \| default(generated SID)` | String | Required | Windows SID format | Security identifier (SID) of the user account that installed the service | `S-1-5-21-3344543075-1022232225-2459664213-500` | — |
| ServiceName | `random_choice(['SecurityCenterIBM', 'WinCheckDRVs'])` | String | Required | — | CLOP ransomware uses specific service names for persistence | `SecurityCenterIBM` | `SecurityCenterIBM` (primary CLOP ransomware service name; mimics legitimate security software), `WinCheckDRVs` (secondary CLOP ransomware service name; appears to be a driver-checking utility) |
| ImagePath | `random_choice()` weighted toward CLOP-typical paths | String | Required | — | CLOP often uses suspicious executable paths or system utilities for living-off-the-land attacks | `cmd.exe` | `cmd.exe` (direct command execution; classic CLOP tactic for initial payload execution), `C:\Temp\*.exe` (temporary-directory execution; common staging area for CLOP payloads), `C:\Windows\System32\*.exe` (system masquerading; CLOP attempts to blend with legitimate system processes) |
| ServiceType | `random_choice()` from valid service types | String | Required | — | Type of Windows service being installed | `user mode service` | `user mode service` (standard user-mode service), `kernel driver` (kernel-level driver service), `file system driver` (file system filter driver) |
| StartType | `random_choice()` from valid start types | String | Required | — | Service startup configuration | `auto start` | `auto start` (starts automatically at boot), `demand start` (starts manually when requested), `disabled` (service is disabled) |
| AccountName | `random_choice()` from service accounts | String | Required | — | Account under which the service will run | `LocalSystem` | `LocalSystem` (highest-privilege system account), `LocalService` (limited system account), `NetworkService` (network-capable limited account) |
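To show how the field table above turns into an event, here is an added example generator written for this page; it is not the template engine's own implementation. The helper names random_int, random_choice, current_timestamp, timestamp_to_iso and random_hostname mirror the Source column, and the value lists are copied from the Possible Values column. Assumptions, marked in the code: the ImagePath weights (the page only says "weighted toward CLOP-typical paths"), the concrete file names substituted for the page's wildcard paths, the shape of the hostname and SID fallbacks behind `default(...)`, and the 7045 message rendering, which follows the Service Control Manager's own message layout rather than anything the page specifies. The validator at the end re-checks a generated event against the table's ranges and value sets, which is the check a rule author would want before trusting the samples.

```python
"""Generator for the CLOP service-installation template (Windows Event ID 7045).

Added example; not the template engine's own code. Helper names mirror the
Source column of the field table. ImagePath weights, the concrete file names
standing in for the page's wildcards, and the hostname/SID fallbacks are
assumptions of this example.
"""
import random
import re
from datetime import datetime, timezone

PROVIDER = {"Name": "Service Control Manager", "Guid": "{555908d1-a6d7-4695-8e1e-26931d2012f4}"}
SERVICE_NAMES = ["SecurityCenterIBM", "WinCheckDRVs"]
# Page lists cmd.exe, C:\Temp\*.exe and C:\Windows\System32\*.exe; the file names are constructed.
IMAGE_PATHS = ["cmd.exe", "C:\\Temp\\svchelper.exe", "C:\\Windows\\System32\\wincheck.exe"]
IMAGE_PATH_WEIGHTS = [0.5, 0.3, 0.2]  # assumption: bias toward direct cmd.exe execution
SERVICE_TYPES = ["user mode service", "kernel driver", "file system driver"]
START_TYPES = ["auto start", "demand start", "disabled"]
ACCOUNT_NAMES = ["LocalSystem", "LocalService", "NetworkService"]


def random_int(rng, lo, hi):
    return rng.randint(lo, hi)


def random_choice(rng, options, weights=None):
    return rng.choices(options, weights=weights, k=1)[0]


def current_timestamp():
    return datetime.now(timezone.utc)


def timestamp_to_iso(ts):
    # ISO 8601 with microseconds, UTC marked by a trailing Z.
    return ts.strftime("%Y-%m-%dT%H:%M:%S.%f") + "Z"


def random_hostname(rng):
    # Fallback when the device registry has no entry (assumed shape).
    return "win-%04x.attackrange.local" % rng.randint(0, 0xFFFF)


def generated_sid(rng):
    # Fallback when the user registry has no entry; RID 500 matches the page's example SID.
    sub = [rng.randint(1_000_000_000, 4_294_967_295) for _ in range(3)]
    return "S-1-5-21-%d-%d-%d-500" % tuple(sub)


def generate_event(rng=None, hostname=None, sid=None):
    """Build one event dict following the field table; hostname/sid stand in for the registry lookups."""
    rng = rng if rng is not None else random.Random()
    return {
        "Provider": dict(PROVIDER),
        "EventID": 7045,
        "TimeCreated": timestamp_to_iso(current_timestamp()),
        "EventRecordID": random_int(rng, 100000, 999999),
        "ProcessID": random_int(rng, 500, 2000),
        "ThreadID": random_int(rng, 600, 1000),
        "Computer": hostname or random_hostname(rng),
        "UserID": sid or generated_sid(rng),
        "ServiceName": random_choice(rng, SERVICE_NAMES),
        "ImagePath": random_choice(rng, IMAGE_PATHS, IMAGE_PATH_WEIGHTS),
        "ServiceType": random_choice(rng, SERVICE_TYPES),
        "StartType": random_choice(rng, START_TYPES),
        "AccountName": random_choice(rng, ACCOUNT_NAMES),
    }


SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")


def validate_event(event):
    """Check an event against the table's constraints; returns the list of violations (empty = valid)."""
    problems = []
    if event.get("EventID") != 7045:
        problems.append("EventID must be 7045")
    if event.get("Provider", {}).get("Name") != "Service Control Manager":
        problems.append("Provider must be Service Control Manager")
    for field, lo, hi in (("EventRecordID", 100000, 999999), ("ProcessID", 500, 2000), ("ThreadID", 600, 1000)):
        if not (isinstance(event.get(field), int) and lo <= event[field] <= hi):
            problems.append("%s out of range %d-%d" % (field, lo, hi))
    if not SID_RE.match(str(event.get("UserID", ""))):
        problems.append("UserID is not a Windows SID")
    for field, allowed in (("ServiceName", SERVICE_NAMES), ("ServiceType", SERVICE_TYPES),
                           ("StartType", START_TYPES), ("AccountName", ACCOUNT_NAMES)):
        if event.get(field) not in allowed:
            problems.append("%s not in %s" % (field, allowed))
    return problems


def render_message(event):
    """Render the 7045 message body in the layout the Service Control Manager writes."""
    return ("A service was installed in the system.\n\n"
            "Service Name:  %s\nService File Name:  %s\nService Type:  %s\n"
            "Service Start Type:  %s\nService Account:  %s" % (
                event["ServiceName"], event["ImagePath"], event["ServiceType"],
                event["StartType"], event["AccountName"]))


if __name__ == "__main__":
    ev = generate_event(random.Random(7), hostname="ar-win-dc.attackrange.local")
    assert validate_event(ev) == []
    print(render_message(ev))
```

Passing a seeded `random.Random` makes a batch reproducible, which matters when a detection test is expected to fire on a fixed set of samples; `validate_event` catches a template edit that drifts outside the ranges or value sets the table promises before those samples reach a SIEM.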