Threat Feed advisory (severity: high)

Windows Service Disabled Detection

Detection of a Windows service being disabled via Event ID 7040, a common tactic used by adversaries to evade defenses and maintain control over compromised systems.

This detection identifies instances where a Windows service is disabled, as indicated by Windows Event ID 7040. Threat actors frequently disable security services or other critical system services to bypass security controls, hinder incident response, and maintain persistence on compromised hosts. This action enables attackers to operate with less scrutiny, allowing them to further compromise the system and potentially the network. While legitimate service updates can trigger this event, a sudden or unexpected disabling of a critical service warrants immediate investigation. This activity is often seen post-exploitation, allowing adversaries to prepare the environment for lateral movement or data exfiltration. The Talos report on Olympic Destroyer highlights this technique.

Attack Chain

  1. The attacker gains initial access to the system through methods such as phishing or exploiting a vulnerability.
  2. The attacker escalates privileges to gain administrative access, required to modify service configurations.
  3. The attacker identifies target services to disable, such as security software, logging, or monitoring tools.
  4. The attacker uses tools like sc.exe or PowerShell to modify the service start type to “disabled”.
  5. Windows Event ID 7040 is generated, recording the service configuration change in the system event log.
  6. The attacker confirms the service is disabled, preventing it from automatically starting after reboots.
  7. With the targeted services disabled, the attacker performs malicious activities, such as lateral movement or data exfiltration, with reduced risk of detection.
  8. The attacker establishes persistence, ensuring continued access to the compromised system.

Impact

Disabling critical services can severely impair the security posture of a system, potentially leading to complete compromise. Attackers may disable antivirus software, firewalls, or logging services, allowing them to operate undetected. The observed impact can range from data theft to complete system destruction, as seen in attacks like Olympic Destroyer. The number of affected systems depends on the scope of the initial compromise and the attacker’s objectives.

Recommendation

  • Deploy the Sigma rule "Detect Windows Service Disabled via Event ID 7040" to your SIEM to identify instances of service disabling.
  • Investigate any alerts generated by the Sigma rule, focusing on critical system services.
  • Enable Windows Event Logging and ensure that Event ID 7040 is being collected to provide the necessary data for the Sigma rule.
  • Review the provided reference (https://blog.talosintelligence.com/2018/02/olympic-destroyer.html) to understand the context and potential impact of this technique.

Detection coverage (2 rules)

Detect Windows Service Disabled via Event ID 7040

high

Detects when a Windows service is disabled by monitoring Event ID 7040.

Type: sigma | Tactics: defense_evasion | Techniques: T1562.001 | Sources: wineventlog, windows

Detect Service Disabled via SC.exe

medium

Detects when sc.exe is used to disable a service.

Type: sigma | Tactics: defense_evasion | Techniques: T1562.001 | Sources: process_creation, windows
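As an added example (not code from this advisory or from the platform whose rules are kept behind the link), the Python script below applies both detection ideas on this page to constructed sample telemetry. It parses the Service Control Manager text of Event ID 7040 to catch any start type changed to "disabled", rating the alert high when the service is on an assumed watchlist of security and logging services, and it checks Sysmon process-creation events for sc.exe launched with "config ... start= disabled". Hostnames, service names, the watchlist and the sample events are all assumptions made for the example.

```python
"""Toy detector for the two patterns in this advisory: Event ID 7040
(service start type changed) from the System log, and process-creation
telemetry showing sc.exe setting a start type to "disabled".
All sample events and the watchlist below are constructed for illustration."""
import re
from typing import Iterable

# Message text written by the Service Control Manager for Event ID 7040, e.g.
# "The start type of the Sysmon64 service was changed from auto start to disabled."
EVENT_7040_RE = re.compile(
    r"The start type of the (?P<service>.+?) service was changed "
    r"from (?P<old>[\w ]+?) to (?P<new>[\w ]+?)\.?$"
)

# sc.exe "config <name> start= disabled" (sc's own syntax has a space after
# "="; the spaceless variant is accepted as well).
SC_DISABLE_RE = re.compile(
    r"\bconfig\s+(?P<service>\S+)\s.*\bstart=\s*disabled\b", re.IGNORECASE
)

# Constructed watchlist: disabling any of these is treated as high severity.
CRITICAL_SERVICES = {
    "Windows Defender Antivirus Service",
    "Windows Event Log",
    "Sysmon64",
}

# Constructed sample telemetry (not real logs). 7040 events carry System-log
# fields; process creation events use Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    {"Channel": "System", "EventID": 7040, "Provider": "Service Control Manager", "Computer": "WS01",
     "Message": "The start type of the Windows Defender Antivirus Service service was changed from auto start to disabled."},
    {"Channel": "System", "EventID": 7040, "Provider": "Service Control Manager", "Computer": "WS01",
     "Message": "The start type of the Print Spooler service was changed from auto start to demand start."},
    {"Channel": "System", "EventID": 7040, "Provider": "Service Control Manager", "Computer": "SRV02",
     "Message": "The start type of the Sysmon64 service was changed from auto start to disabled."},
    {"Channel": "System", "EventID": 7040, "Provider": "Service Control Manager", "Computer": "WS03",
     "Message": "The start type of the Bluetooth Support Service service was changed from demand start to disabled."},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1, "Computer": "WS01",
     "Image": r"C:\Windows\System32\sc.exe", "CommandLine": "sc  config WinDefend start= disabled"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1, "Computer": "WS01",
     "Image": r"C:\Windows\System32\sc.exe", "CommandLine": "sc  query WinDefend"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1, "Computer": "WS01",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
]


def parse_7040(message: str):
    """Return (service, old_start_type, new_start_type), or None if the text is not a 7040 message."""
    m = EVENT_7040_RE.search(message)
    if m is None:
        return None
    return m.group("service"), m.group("old").strip(), m.group("new").strip()


def detect_7040_disable(events: Iterable[dict]) -> list[dict]:
    """Rule 1: alert when a 7040 event records a change to 'disabled'.
    Changes between auto start and demand start are routine and are ignored."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 7040 or ev.get("Provider") != "Service Control Manager":
            continue
        parsed = parse_7040(ev.get("Message", ""))
        if parsed is None:
            continue
        service, old, new = parsed
        if new.lower() != "disabled":
            continue
        alerts.append({
            "rule": "service_disabled_7040",
            "host": ev.get("Computer"),
            "service": service,
            "previous_start_type": old,
            # A disabled security or logging service is the urgent case the advisory describes.
            "severity": "high" if service in CRITICAL_SERVICES else "medium",
        })
    return alerts


def detect_sc_disable(events: Iterable[dict]) -> list[dict]:
    """Rule 2: alert when sc.exe is launched with 'config ... start= disabled'."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 1 or "Sysmon" not in ev.get("Channel", ""):
            continue
        if not ev.get("Image", "").lower().endswith("\\sc.exe"):
            continue
        m = SC_DISABLE_RE.search(ev.get("CommandLine", ""))
        if m is None:
            continue
        alerts.append({
            "rule": "service_disabled_sc_exe",
            "host": ev.get("Computer"),
            "service": m.group("service"),
            "command_line": ev["CommandLine"],
            "severity": "medium",
        })
    return alerts


def run_all(events: list[dict]) -> list[dict]:
    """Run both rules; 7040 still fires when the change was made without sc.exe
    (PowerShell, direct registry edits), which is why the two rules complement each other."""
    return detect_7040_disable(events) + detect_sc_disable(events)


if __name__ == "__main__":
    for alert in run_all(SAMPLE_EVENTS):
        print(alert)
```

Over the constructed sample, the 7040 rule fires three times (two high for the antivirus and Sysmon services, one medium for Bluetooth) and ignores the Print Spooler change to demand start; the sc.exe rule fires once and ignores the sc query call. In production the message regex is only needed where the SIEM does not already expose the 7040 parameters as separate fields.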
