Threat Feed
Severity: high advisory

Windows Attempt to Stop Security Service

An attacker attempts to stop security services on a Windows endpoint using sc.exe, net.exe, or the PowerShell Stop-Service cmdlet in order to weaken defenses for further malicious activity.

Attackers commonly attempt to disable or stop security services on compromised endpoints to evade detection and facilitate further malicious activities. This involves using built-in Windows utilities like sc.exe (Service Control) and net.exe, as well as the Stop-Service PowerShell cmdlet. Disabling these services can allow attackers to deploy malware, escalate privileges, exfiltrate data, or cause widespread damage without being detected. This activity is a strong indicator of compromise and requires immediate investigation to prevent further damage to the organization. Campaigns like WhisperGate and destructive malware targeting Ukrainian organizations have used this technique to amplify their impact.

Attack Chain

  1. Initial Access: An attacker gains initial access to the Windows endpoint through various means, such as phishing, exploiting vulnerabilities, or compromised credentials.
  2. Privilege Escalation: The attacker escalates privileges to gain administrative rights, which are required to stop security services.
  3. Service Discovery: The attacker enumerates the running services to identify security-related services (e.g., antivirus, EDR, logging).
  4. Stop Security Service (sc.exe): The attacker uses the sc.exe stop <service_name> command to attempt to stop a targeted service.
  5. Stop Security Service (net.exe): Alternatively, the attacker uses net stop <service_name> to disable the service.
  6. Stop Security Service (PowerShell): The attacker employs the Stop-Service <service_name> PowerShell cmdlet to halt the service.
  7. Defense Evasion: With security services disabled, the attacker can now execute malicious code, install malware, or exfiltrate data without triggering alerts.
  8. Lateral Movement/Impact: The attacker moves laterally to other systems or achieves their objective, such as data theft, ransomware deployment, or system destruction.

Impact

Successful disabling of security services can lead to a significant degradation of an organization’s security posture. This may result in widespread malware infections, data breaches, and system compromise. Organizations that have experienced these attacks have suffered financial losses, reputational damage, and operational disruptions. Examples include data destruction campaigns observed in the WhisperGate attacks and other destructive malware incidents targeting Ukrainian organizations.

Recommendation

  • Deploy the Sigma rule Detect Windows Service Stop via sc.exe to identify attempts to stop services via the command line.
  • Deploy the Sigma rule Detect Windows Service Stop via PowerShell to identify attempts to stop services via the PowerShell cmdlet.
  • Enable and monitor process creation logs (Sysmon Event ID 1, or Windows Security Event ID 4688 with the "Include command line in process creation events" audit policy enabled) to capture the command-line details the detections depend on.
  • Investigate any alerts generated by the Sigma rules above immediately to determine the scope and impact of the potential compromise.
  • Ensure that appropriate access controls are in place to restrict the ability to stop critical security services to authorized personnel only.
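The following added example (not part of the advisory and not the platform's own Sigma rule) shows the kind of process-creation check the recommendations above describe: it runs over constructed Sysmon Event ID 1 style records, recognises the three stop methods from the attack chain (sc.exe, net.exe, Stop-Service), extracts the targeted service name, and raises severity when that name is on a hypothetical watchlist of security services.

```python
import re

# Constructed, hypothetical watchlist of security-related service names (lowercase).
# In practice, populate it from the services your AV/EDR/logging stack registers.
SECURITY_SERVICES = {"windefend", "sense", "mpssvc", "wscsvc", "eventlog", "sysmon64"}

# One pattern per stop method from the attack chain; group 1 captures the service name.
# Limitation: pipeline forms such as "Get-Service X | Stop-Service" are not matched.
STOP_PATTERNS = {
    "sc.exe": re.compile(r'\bsc(?:\.exe)?\s+(?:\\\\\S+\s+)?stop\s+"?([\w.-]+)', re.I),
    "net.exe": re.compile(r'\bnet1?(?:\.exe)?\s+stop\s+"?([\w.-]+)', re.I),
    "Stop-Service": re.compile(r'\bStop-Service\s+(?:-\w+\s+)*["\']?([\w.-]+)', re.I),
}

def detect_service_stop(event):
    """Return a finding for one process-creation event (Sysmon EID 1 / Security 4688
    style fields), or None when the command line does not stop a service."""
    cmd = event.get("CommandLine", "")
    for method, pat in STOP_PATTERNS.items():
        m = pat.search(cmd)
        if not m:
            continue
        service = m.group(1).lower()
        return {
            "method": method,
            "service": service,
            # Every service stop is worth recording; a security service stop is high.
            "severity": "high" if service in SECURITY_SERVICES else "low",
            "user": event.get("User", ""),
            "parent": event.get("ParentImage", ""),
        }
    return None

def scan(events):
    """Run the detector over a list of events and return only the findings."""
    return [f for f in (detect_service_stop(e) for e in events) if f]

# Constructed sample events modelled on Sysmon Event ID 1 fields (not real telemetry).
SAMPLE_EVENTS = [
    {"CommandLine": "sc.exe stop WinDefend", "User": "CORP\\svc-backup",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"CommandLine": 'net stop "Sense"', "User": "CORP\\jdoe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"CommandLine": "powershell -nop -c Stop-Service -Force -Name MpsSvc",
     "User": "NT AUTHORITY\\SYSTEM", "ParentImage": r"C:\Temp\update.exe"},
    {"CommandLine": "net stop Spooler", "User": "CORP\\admin"},   # benign service: low
    {"CommandLine": "sc query WinDefend", "User": "CORP\\admin"}, # query only: no finding
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The parent process and user fields are carried into each finding because a stop issued from an unexpected parent (here a constructed C:\Temp\update.exe) is what usually separates an attack from routine administration.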

Detection coverage (2 rules)

Detect Windows Service Stop via sc.exe

Severity: high

Detects attempts to stop a Windows service using sc.exe, which is often used by attackers to disable security products.

Rule type: sigma. Tactics: defense_evasion. Techniques: T1562.001. Log sources: process_creation, windows.

Detect Windows Service Stop via PowerShell

Severity: high

Detects attempts to stop a Windows service using the Stop-Service PowerShell cmdlet, often used by attackers to disable security products.

Rule type: sigma. Tactics: defense_evasion. Techniques: T1562.001. Log sources: process_creation, windows.
