{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/windows-event-log-security/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Event Log Security","Sysmon"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","endpoint","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers commonly attempt to stop or disable security services on compromised endpoints to evade detection and to clear the way for further activity. The usual tools are the built-in Windows utilities \u003ccode\u003esc.exe\u003c/code\u003e (Service Control) and \u003ccode\u003enet.exe\u003c/code\u003e, and the \u003ccode\u003eStop-Service\u003c/code\u003e PowerShell cmdlet; all three ask the Service Control Manager to stop the target service, so they leave the same kind of trace in process creation logs. With antivirus, EDR, or logging services stopped, an attacker can deploy malware, escalate privileges, or exfiltrate data without being detected. Outside documented maintenance, a stop request aimed at a security service is a strong indicator of compromise and warrants immediate investigation, whether or not the stop succeeded. 
Campaigns like WhisperGate and destructive malware targeting Ukrainian organizations have used this technique to amplify their impact.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains initial access to the Windows endpoint through various means, such as phishing, exploiting vulnerabilities, or compromised credentials.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker escalates privileges to gain administrative rights, which are required to stop security services.\u003c/li\u003e\n\u003cli\u003eService Discovery: The attacker enumerates the running services (for example with \u003ccode\u003esc query\u003c/code\u003e, \u003ccode\u003etasklist /svc\u003c/code\u003e, or \u003ccode\u003eGet-Service\u003c/code\u003e) to identify security-related services such as antivirus, EDR, and logging.\u003c/li\u003e\n\u003cli\u003eStop Security Service (sc.exe): The attacker uses the \u003ccode\u003esc.exe stop \u0026lt;service_name\u0026gt;\u003c/code\u003e command to attempt to stop a targeted service.\u003c/li\u003e\n\u003cli\u003eStop Security Service (net.exe): Alternatively, the attacker uses \u003ccode\u003enet stop \u0026lt;service_name\u0026gt;\u003c/code\u003e to stop the service; \u003ccode\u003enet.exe\u003c/code\u003e hands the request to a child \u003ccode\u003enet1.exe\u003c/code\u003e process, so the command line may appear under either image in process creation logs.\u003c/li\u003e\n\u003cli\u003eStop Security Service (PowerShell): The attacker employs the \u003ccode\u003eStop-Service \u0026lt;service_name\u0026gt;\u003c/code\u003e PowerShell cmdlet to halt the service.\u003c/li\u003e\n\u003cli\u003eDefense Evasion: If the stop succeeds, the attacker can execute malicious code, install malware, or exfiltrate data without triggering alerts. Services protected by tamper protection or running as protected processes commonly reject the request even from an administrator, but the attempt is still recorded in process creation logs and is itself the detection signal.\u003c/li\u003e\n\u003cli\u003eLateral Movement/Impact: The attacker moves laterally to other systems or achieves their objective, such as data theft, ransomware deployment, or system destruction.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful disabling of security services can lead to a significant degradation of an organization\u0026rsquo;s security posture. 
This may result in widespread malware infections, data breaches, and system compromise. Organizations that have experienced these attacks have suffered financial losses, reputational damage, and operational disruptions. Examples include data destruction campaigns observed in the WhisperGate attacks and other destructive malware incidents targeting Ukrainian organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Windows Service Stop via sc.exe\u003c/code\u003e to identify attempts to stop services via the command line.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Windows Service Stop via PowerShell\u003c/code\u003e to identify attempts to stop services via the PowerShell cmdlet.\u003c/li\u003e\n\u003cli\u003eConfirm that the deployed rules also match \u003ccode\u003enet stop\u003c/code\u003e, including the \u003ccode\u003enet1.exe\u003c/code\u003e child process that \u003ccode\u003enet.exe\u003c/code\u003e spawns to do the work, since the attack chain above lists it as an equivalent path.\u003c/li\u003e\n\u003cli\u003eEnable and monitor process creation logs (Sysmon Event ID 1 or Windows Event Log Security 4688) to capture the command-line details these detections depend on. Security 4688 includes the command line only when the Audit Process Creation subcategory is enabled together with the policy to include command line in process creation events; without it the event records the image path but not the service being stopped.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules above immediately to determine the scope and impact of the potential compromise, treating a failed stop attempt with the same urgency as a successful one.\u003c/li\u003e\n\u003cli\u003eEnsure that appropriate access controls are in place to restrict the ability to stop critical security services to authorized personnel only, and enable the vendor\u0026rsquo;s tamper protection where the product offers it.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-stop-security-service/","summary":"An attacker attempts to stop security services on a Windows endpoint using sc.exe, net.exe, or PowerShell Stop-Service cmdlet to weaken defenses for further malicious activity.","title":"Windows Attempt to Stop Security Service","url":"https://feed.craftedsignal.io/briefs/2024-01-03-stop-security-service/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Event Log Security","Splunk Enterprise","Splunk Enterprise Security","Splunk 
Cloud"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eThis detection identifies the disabling of audit policies on a Windows Active Directory domain controller, a critical security event that can signify malicious activity. The detection uses Windows Security Event Logs, specifically EventCode 4719 (System audit policy was changed), and looks for changes where success or failure auditing is removed: the event\u0026rsquo;s Changes field reads Success removed or Failure removed, and its Subcategory field names the policy affected. Attackers often disable audit policies to evade detection after gaining unauthorized access to a domain controller. This activity can be a precursor to more severe attacks, including data theft, privilege escalation, and full network compromise. The analytic leverages a Splunk search query designed to identify alterations to audit policies and provide context through lookups to identify the specific policies affected. The original Splunk detection was published on 2026-05-05.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains unauthorized access to a domain controller, often through credential theft or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker escalates their privileges to a level sufficient to modify audit policies, such as through exploiting a privilege escalation vulnerability or using compromised administrator credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDiscovery:\u003c/strong\u003e The attacker performs reconnaissance to identify existing audit policies and their configurations.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDisable Auditing:\u003c/strong\u003e The attacker disables specific audit policies on the domain controller with native tools such as \u003ccode\u003eauditpol.exe\u003c/code\u003e (for example \u003ccode\u003eauditpol /set /subcategory:\u0026quot;Logon\u0026quot; /success:disable /failure:disable\u003c/code\u003e) or by editing the Group Policy Objects (GPOs) that deliver the policy. 
This action generates Windows Security Event Log 4719.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEvasion:\u003c/strong\u003e By disabling auditing, the attacker attempts to evade detection by security monitoring tools and personnel.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement/Data Theft/Privilege Escalation:\u003c/strong\u003e With auditing disabled, the attacker can now perform lateral movement, data theft, or further privilege escalation without generating the usual audit logs that would alert defenders.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker establishes persistence mechanisms to maintain access to the compromised domain controller, such as creating rogue accounts or modifying system configurations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful disabling of audit policies on a domain controller can have severe consequences. It allows attackers to operate undetected within the network, potentially leading to data theft, privilege escalation, and complete network compromise. Without proper auditing, security teams lose visibility into malicious activities, making incident response and forensic investigations significantly more difficult. 
The impact is magnified by the central role domain controllers play in network authentication and authorization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable and monitor Windows Security Event Log EventCode 4719 on all domain controllers (reference: Overview). The event is produced by the Audit Policy Change subcategory, so confirm that subcategory is enabled on every domain controller and treat removal of its own success or failure auditing as the highest-priority form of this alert.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided in this brief to your SIEM and tune it for your environment (reference: Sigma rule). Group Policy processing can generate legitimate 4719 events, so baseline those by subject account and subcategory rather than suppressing 4719 wholesale.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of EventCode 4719 where audit policies are disabled on domain controllers to determine the source and intent of the change (reference: Overview), correlating the subject account and logon ID with the session that made the change.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-domain-controller-audit-disabled/","summary":"Detection of disabled audit policies on a Windows domain controller by monitoring Windows Security Event Logs for EventCode 4719, indicative of an attacker attempting to evade detection and potentially leading to data theft, privilege escalation, and full network compromise.","title":"Windows AD Domain Controller Audit Policy Disabled","url":"https://feed.craftedsignal.io/briefs/2024-01-03-domain-controller-audit-disabled/"}],"language":"en","title":"CraftedSignal Threat Feed — Windows Event Log Security","version":"https://jsonfeed.org/version/1.1"}
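Added here as a worked example, not code from the CraftedSignal feed nor from the Sigma or Splunk rules the two briefs cite: a small Python detector that covers both briefs on this page, the service-stop attempts via sc.exe, net.exe/net1.exe and Stop-Service from the first brief, and the 4719 audit-policy removal on a domain controller from the second, run over constructed Sysmon EID 1, Security 4688 and Security 4719 events. The service watch list, the domain-controller inventory, the sample events, and the use of the rendered text form of the 4719 Changes field are all assumptions; raw EVTX 4719 records carry coded AuditPolicyChanges values that a real pipeline has to resolve before this matching applies.

```python
# Added example, not the feed's Sigma or Splunk rules: the two detections the
# briefs describe, run over constructed events. Watch list and DC inventory are assumed.
import re

SECURITY_SERVICES = {"windefend", "sense", "sysmon", "sysmon64", "mpssvc", "eventlog"}  # assumed
DOMAIN_CONTROLLERS = {"dc01.corp.local"}  # assumed inventory, lower-case FQDNs
_TOKEN_RE = re.compile(r'"[^"]*"|\'[^\']*\'|\S+')

def tokenize(cmdline):
    """Split a command line on whitespace; a quoted argument that is itself a
    command (powershell -c "Stop-Service ...") is split again."""
    out = []
    for tok in _TOKEN_RE.findall(cmdline):
        inner = tok.strip("\"'")
        if inner != tok and re.search(r"\s", inner):
            out.extend(tokenize(inner))
        else:
            out.append(inner)
    return out

def service_stop_request(cmdline):
    """Return (tool, service) when the line asks the Service Control Manager to stop
    a service via sc.exe, net.exe/net1.exe or Stop-Service; service is None when the
    target is not on the line (e.g. piped from Get-Service). Otherwise return None."""
    toks = tokenize(cmdline)
    low = [t.lower() for t in toks]
    for i, t in enumerate(low):
        base = t.rsplit("\\", 1)[-1]  # drop any path prefix
        if base in ("sc", "sc.exe"):  # sc [\\server] stop <name>
            j = i + 2 if i + 1 < len(low) and low[i + 1].startswith("\\\\") else i + 1
            if j + 1 < len(low) and low[j] == "stop":
                return ("sc.exe", toks[j + 1])
        elif base in ("net", "net.exe", "net1", "net1.exe"):  # net stop <name>
            if i + 2 < len(low) and low[i + 1] == "stop":
                return ("net.exe", toks[i + 2])
        elif base == "stop-service":  # Stop-Service [-Name] <name> [-Force]
            rest = low[i + 1:]
            for k, arg in enumerate(rest):
                if arg in ("-name", "-n"):
                    return ("Stop-Service", toks[i + 2 + k] if k + 1 < len(rest) else None)
                if not arg.startswith("-"):
                    return ("Stop-Service", toks[i + 1 + k])
            return ("Stop-Service", None)
    return None

def detect_service_stop(ev):
    """Sysmon EID 1 / Security 4688: alert on a stop request aimed at a watch-listed
    service. An empty CommandLine on 4688 means command-line auditing is off."""
    sysmon = ev.get("EventID") == 1 and "Sysmon" in ev.get("Channel", "")
    if not sysmon and not (ev.get("EventID") == 4688 and ev.get("Channel") == "Security"):
        return None
    cmd = ev.get("CommandLine") or ""
    if not cmd:
        return {"rule": "process_event_without_cmdline", "severity": "low"}
    hit = service_stop_request(cmd)
    if hit is None or (hit[1] is not None and hit[1].lower() not in SECURITY_SERVICES):
        return None
    return {"rule": "security_service_stop_attempt", "severity": "high" if hit[1] else "medium",
            "tool": hit[0], "service": hit[1], "user": ev.get("User") or ev.get("SubjectUserName")}

def detect_dc_audit_policy_removed(ev):
    """Security 4719 on a DC with success or failure auditing removed. 'Changes' is the
    rendered text; raw EVTX carries coded AuditPolicyChanges values to resolve first.
    A machine-account subject is typical of Group Policy refresh: flagged, not dropped."""
    if ev.get("EventID") != 4719 or ev.get("Channel") != "Security":
        return None
    if ev.get("Computer", "").lower() not in DOMAIN_CONTROLLERS:
        return None
    if "removed" not in ev.get("Changes", "").lower():
        return None
    user = ev.get("SubjectUserName", "")
    return {"rule": "dc_audit_policy_removed", "severity": "high", "computer": ev["Computer"],
            "user": user, "subcategory": ev.get("Subcategory"), "changes": ev["Changes"],
            "likely_gpo_refresh": user.endswith("$")}

def run(events):
    """Apply both detections to parsed events; return the alerts in event order."""
    alerts = []
    for ev in events:
        for detect in (detect_service_stop, detect_dc_audit_policy_removed):
            alert = detect(ev)
            if alert:
                alerts.append(alert)
    return alerts

SAMPLE_EVENTS = [  # constructed sample events, not real telemetry
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1, "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\sc.exe", "CommandLine": 'sc.exe stop "WinDefend"'},
    {"Channel": "Security", "EventID": 4688, "SubjectUserName": "jdoe",
     "NewProcessName": "C:\\Windows\\System32\\net1.exe", "CommandLine": "net1  stop Sense"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1, "User": "CORP\\jdoe",
     "CommandLine": 'powershell -nop -c "Stop-Service -Name Sysmon64 -Force"'},
    {"Channel": "Security", "EventID": 4688, "SubjectUserName": "jdoe",
     "NewProcessName": "C:\\Windows\\System32\\sc.exe", "CommandLine": ""},
    {"Channel": "Security", "EventID": 4719, "Computer": "DC01.corp.local",
     "SubjectUserName": "jdoe", "Subcategory": "Logon", "Changes": "Success removed, Failure removed"},
    {"Channel": "Security", "EventID": 4719, "Computer": "DC01.corp.local",
     "SubjectUserName": "DC01$", "Subcategory": "Audit Policy Change", "Changes": "Success Added"},
]
```

`run(SAMPLE_EVENTS)` yields five alerts: three high-severity stop attempts (one per tool), one low-severity visibility gap for the 4688 record with no command line, and one high-severity audit-policy removal on DC01; the `Success Added` change on DC01 produces nothing. The tokenizer re-splits quoted arguments so a cmdlet hidden inside `powershell -c "..."` is still seen, and `sc \\server stop X` is handled so a remote stop against another host is not missed.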