medium advisory

SolarWinds Process Disabling Services via Registry Modification

A SolarWinds binary is modifying the start type of a service to be disabled via registry modification, potentially to disable or impair security services.

This threat brief focuses on the detection of SolarWinds processes attempting to disable services by modifying their registry start type. This activity is associated with defense evasion tactics, potentially linked to initial access via supply chain compromise, similar to the SUNBURST campaign. The behavior involves SolarWinds binaries, such as SolarWinds.BusinessLayerHost*.exe and NetFlowService*.exe, manipulating registry entries related to service start configurations. This technique can be used to impair or disable security tools and services, allowing attackers to operate more freely within a compromised environment.

Attack Chain

  1. Initial compromise of the SolarWinds Orion platform, potentially through a supply chain attack.
  2. Deployment of a malicious module or payload within the SolarWinds environment.
  3. Execution of a SolarWinds process, such as SolarWinds.BusinessLayerHost*.exe.
  4. The SolarWinds process modifies the registry to change the start type of a service.
  5. The registry modification targets the HKLM\SYSTEM\ControlSet*\Services\*\Start path.
  6. The Start value is set to “4” or “0x00000004”, which disables the targeted service.
  7. Disabling critical security services allows the attacker to evade detection and further compromise the system.
  8. Attacker achieves persistence and performs lateral movement, exfiltrating data or deploying ransomware.

Impact

Successful exploitation can lead to the disabling of critical security services, such as antivirus, endpoint detection and response (EDR) agents, or other monitoring tools. This can significantly reduce the visibility of malicious activity within the network, potentially leading to data breaches, ransomware deployment, or other severe security incidents. The SolarWinds supply chain compromise affected numerous organizations globally, underscoring the potential impact of this type of attack.

Recommendation

  • Deploy the Sigma rule SolarWinds Process Disabling Services via Registry to your SIEM to detect registry modifications by SolarWinds processes aimed at disabling services.
  • Enable Sysmon registry event logging to provide the necessary data for the Sigma rule to function effectively.
  • Review and harden access controls for SolarWinds processes to restrict their ability to modify critical system settings.
  • Investigate any alerts generated by the Sigma rule, focusing on the affected service and the timeline of events surrounding the registry modification.
  • Utilize threat intelligence platforms to stay informed about known SolarWinds-related attack patterns and indicators of compromise (IOCs).
  • Monitor endpoints for unusual behavior by SolarWinds processes, including network connections, file modifications, and process creations.
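The detection the attack chain and the Sigma rule describe, reduced to its three conditions (a SolarWinds image, a `...\Services\<name>\Start` target, a value of 4), run over constructed Sysmon registry_set events. This is an added illustration, not the platform's rule or SolarWinds code; the event field names follow Sysmon's registry events, the sample records are made up, and the path check also accepts `CurrentControlSet`, the alias Sysmon records, alongside the advisory's `ControlSet*` form.

```python
import fnmatch
import re

# Process names and registry path from the advisory; wildcards kept as written there.
SOLARWINDS_IMAGE_PATTERNS = ("solarwinds.businesslayerhost*.exe", "netflowservice*.exe")
# The path check also accepts CurrentControlSet, the alias Sysmon records in TargetObject.
SERVICE_START_RE = re.compile(
    r"^HKLM\\SYSTEM\\(?:Current)?ControlSet[^\\]*\\Services\\([^\\]+)\\Start$", re.IGNORECASE)
# Sysmon renders a REG_DWORD of 4 (SERVICE_DISABLED) as "DWORD (0x00000004)".
DISABLED_DETAILS = {"DWORD (0x00000004)", "4", "0x00000004"}

def is_solarwinds_image(image: str) -> bool:
    """Match on the executable name only, ignoring directory and case."""
    name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return any(fnmatch.fnmatch(name, pat) for pat in SOLARWINDS_IMAGE_PATTERNS)

def disabled_service(event: dict):
    """Service name if a Sysmon EID 13 (registry_set) event shows a SolarWinds
    process setting a service Start value to disabled, otherwise None."""
    if event.get("EventID") != 13 or not is_solarwinds_image(event.get("Image", "")):
        return None
    m = SERVICE_START_RE.match(event.get("TargetObject", ""))
    if m is None or event.get("Details", "").strip() not in DISABLED_DETAILS:
        return None
    return m.group(1)

def triage(events):
    """(image, service) per hit: the two facts an analyst starts the timeline from."""
    return [(e["Image"], svc) for e in events if (svc := disabled_service(e)) is not None]

# Constructed sample events, not real telemetry; field names follow Sysmon registry events.
ORION = r"C:\Program Files (x86)\SolarWinds\Orion\SolarWinds.BusinessLayerHost.exe"
NETFLOW = r"C:\Program Files (x86)\SolarWinds\Orion\NetFlowTrafficAnalysis\NetFlowService.exe"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": ORION, "Details": "DWORD (0x00000004)",    # hit: disabled
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\ExampleSecuritySvc\Start"},
    {"EventID": 13, "Image": ORION, "Details": "DWORD (0x00000002)",    # benign: auto-start
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\ExampleSecuritySvc\Start"},
    {"EventID": 13, "Image": r"C:\Windows\System32\services.exe",       # not a SolarWinds image
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\Foo\Start",
     "Details": "DWORD (0x00000004)"},
    {"EventID": 13, "Image": NETFLOW, "Details": "DWORD (0x00000004)",  # hit via ControlSet001
     "TargetObject": r"HKLM\SYSTEM\ControlSet001\Services\ExampleMonitor\Start"},
]

if __name__ == "__main__":
    for image, svc in triage(SAMPLE_EVENTS):
        print(f"{image} set {svc} to disabled")
```

The second sample shows why the value check matters: the same process writing the same key with a start type of 2 (automatic) is routine Orion behaviour and should not alert.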

Detection coverage (2 rules)

SolarWinds Process Disabling Services via Registry

medium

Detects a SolarWinds binary modifying the start type of a service to be disabled via registry modification.

Rule type: sigma
Tactics: defense_evasion, initial_access
Techniques: T1195.002, T1562.001
Sources: registry_set, windows

SolarWinds Process Registry Modification of Service Start

medium

Detects SolarWinds processes modifying the registry to disable services by looking for specific process names and registry paths.

Rule type: sigma
Tactics: defense_evasion, initial_access
Techniques: T1195.002, T1562.001
Sources: registry_set, windows

Detection queries are kept inside the platform.