From 70018d2fbabc7227c06f7f9f85d5ebe0b9851bb8 Mon Sep 17 00:00:00 2001
From: mr-tz
Date: Fri, 16 Jun 2023 16:32:08 +0200
Subject: [PATCH 1/2] add rule

---
 .../enumerate-devices-by-category.yml | 1 +
 host-interaction/service/continue-service.yml | 19 +++++++++++++++++++
 host-interaction/service/pause-service.yml | 19 +++++++++++++++++++
 3 files changed, 39 insertions(+)
 create mode 100644 host-interaction/service/continue-service.yml
 create mode 100644 host-interaction/service/pause-service.yml

diff --git a/host-interaction/hardware/enumerate-devices-by-category.yml b/host-interaction/hardware/enumerate-devices-by-category.yml
index 0f8c10da6..50e1b7368 100644
--- a/host-interaction/hardware/enumerate-devices-by-category.yml
+++ b/host-interaction/hardware/enumerate-devices-by-category.yml
@@ -19,3 +19,4 @@ rule:
 - optional:
 - description: class identifier (CLSID) of the device category
 - bytes: 10 B3 0B 86 01 5D D0 11 BD 3B 00 A0 C9 11 CE 86 = CVidCapClassManager
+ - bytes: 62 A7 D9 33 C8 90 D0 11 BD 43 00 A0 C9 11 CE 86 = CWaveinClassManager
diff --git a/host-interaction/service/continue-service.yml b/host-interaction/service/continue-service.yml
new file mode 100644
index 000000000..34601a8d4
--- /dev/null
+++ b/host-interaction/service/continue-service.yml
@@ -0,0 +1,19 @@
+rule:
+ meta:
+ name: continue service
+ namespace: host-interaction/service
+ authors:
+ - "@mr-tz"
+ scope: function
+ att&ck:
+ - Persistence::Create or Modify System Process::Windows Service [T1543.003]
+ examples:
+ - Practical Malware Analysis Lab 17-02.dll_:0x1000bd79
+ features:
+ - and:
+ - optional:
+ - match: get service handle
+ - number: 0x3 = SERVICE_CONTROL_CONTINUE
+ - or:
+ - api: advapi32.ControlService
+ - api: advapi32.ControlServiceEx
diff --git a/host-interaction/service/pause-service.yml b/host-interaction/service/pause-service.yml
new file mode 100644
index 000000000..7311b6d3f
--- /dev/null
+++ b/host-interaction/service/pause-service.yml
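Review bot: The `att&ck:` entry in the new continue-service.yml meta maps a service-control operation to Persistence::Create or Modify System Process::Windows Service [T1543.003], a technique that describes creating a service or changing its configuration rather than sending a control code to a running one; the pause-service.yml hunk that follows carries the same mapping. A pause/continue rule seems closer to the impact side of the matrix (Impact::Service Stop [T1489] is the obvious neighbour, and the existing stop/stop-service.yml rule's meta, outside the hunk touched here, would show which convention the repo already follows), so the mapping is worth confirming before merge because it drives how capa reports the capability. If T1543.003 is intended, a short note in the commit message or a `- description:` entry under `features:` saying why would save the next reader the same question.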
@@ -0,0 +1,19 @@
+rule:
+ meta:
+ name: pause service
+ namespace: host-interaction/service
+ authors:
+ - "@mr-tz"
+ scope: function
+ att&ck:
+ - Persistence::Create or Modify System Process::Windows Service [T1543.003]
+ examples:
+ - Practical Malware Analysis Lab 17-02.dll_:0x1000bccd
+ features:
+ - and:
+ - optional:
+ - match: get service handle
+ - number: 0x2 = SERVICE_CONTROL_PAUSE
+ - or:
+ - api: advapi32.ControlService
+ - api: advapi32.ControlServiceEx

From 0929c9cdb5bf45413c057d77c98d788b5d0f3150 Mon Sep 17 00:00:00 2001
From: mr-tz
Date: Fri, 16 Jun 2023 17:40:18 +0200
Subject: [PATCH 2/2] tighten rule via basic block subscope

---
 host-interaction/service/continue-service.yml | 10 ++++++----
 host-interaction/service/pause-service.yml | 10 ++++++----
 host-interaction/service/stop/stop-service.yml | 10 ++++++----
 3 files changed, 18 insertions(+), 12 deletions(-)

diff --git a/host-interaction/service/continue-service.yml b/host-interaction/service/continue-service.yml
index 34601a8d4..dd481e8b0 100644
--- a/host-interaction/service/continue-service.yml
+++ b/host-interaction/service/continue-service.yml
@@ -13,7 +13,9 @@ rule:
 - and:
 - optional:
 - match: get service handle
- - number: 0x3 = SERVICE_CONTROL_CONTINUE
- - or:
- - api: advapi32.ControlService
- - api: advapi32.ControlServiceEx
+ - basic block:
+ - and:
+ - number: 0x3 = SERVICE_CONTROL_CONTINUE
+ - or:
+ - api: advapi32.ControlService
+ - api: advapi32.ControlServiceEx
diff --git a/host-interaction/service/pause-service.yml b/host-interaction/service/pause-service.yml
index 7311b6d3f..91bbafe99 100644
--- a/host-interaction/service/pause-service.yml
+++ b/host-interaction/service/pause-service.yml
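Review bot: The new `basic block:` subscope in the continue-service.yml hunk now requires the `number: 0x3` immediate and the ControlService/ControlServiceEx call to sit in the same basic block, which stops matching when the control code is materialised in one block (say, loaded into a register before a branch on the service handle) and the call sits in another; the pause-service.yml and stop/stop-service.yml hunks make the same change. The rule's `examples:` entries (`0x1000bd79` for continue, `0x1000bccd` for pause, and whatever stop-service lists in its meta outside this hunk) should be re-run through the rule test suite so the tightened rules are confirmed to still fire at those addresses. Since `number: 0x3` still matches any immediate 3 in that block, a `- description: control code and ControlService call must appear in the same basic block` entry under the new `- and:` would record why the subscope was chosen. The rest of each rule (meta, examples) lies outside the hunk.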
@@ -13,7 +13,9 @@ rule:
 - and:
 - optional:
 - match: get service handle
- - number: 0x2 = SERVICE_CONTROL_PAUSE
- - or:
- - api: advapi32.ControlService
- - api: advapi32.ControlServiceEx
+ - basic block:
+ - and:
+ - number: 0x2 = SERVICE_CONTROL_PAUSE
+ - or:
+ - api: advapi32.ControlService
+ - api: advapi32.ControlServiceEx
diff --git a/host-interaction/service/stop/stop-service.yml b/host-interaction/service/stop/stop-service.yml
index 80a60bc89..d1426f20b 100644
--- a/host-interaction/service/stop/stop-service.yml
+++ b/host-interaction/service/stop/stop-service.yml
@@ -14,7 +14,9 @@ rule:
 - and:
 - optional:
 - match: get service handle
- - number: 0x1 = SERVICE_CONTROL_STOP
- - or:
- - api: advapi32.ControlService
- - api: advapi32.ControlServiceEx
+ - basic block:
+ - and:
+ - number: 0x1 = SERVICE_CONTROL_STOP
+ - or:
+ - api: advapi32.ControlService
+ - api: advapi32.ControlServiceEx