https://feed.craftedsignal.io/products/windows-event-log-security/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 03 Jan 2024 12:00:00 +0000https://feed.craftedsignal.io/briefs/2024-01-03-stop-security-service/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-03-stop-security-service/An attacker attempts to stop security services on a Windows endpoint using sc.exe, net.exe, or PowerShell Stop-Service cmdlet to weaken defenses for further malicious activity.Attackers commonly attempt to disable or stop security services on compromised endpoints to evade detection and facilitate further malicious activities. This involves using built-in Windows utilities like sc.exe (Service Control) and net.exe, as well as the Stop-Service PowerShell cmdlet. Disabling these services can allow attackers to deploy malware, escalate privileges, exfiltrate data, or cause widespread damage without being detected. This activity is a strong indicator of compromise and requires immediate investigation to prevent further damage to the organization. Campaigns like WhisperGate and destructive malware targeting Ukrainian organizations have used this technique to amplify their impact.

Attack Chain

1. Initial Access: An attacker gains initial access to the Windows endpoint through various means, such as phishing, exploiting vulnerabilities, or compromised credentials.
2. Privilege Escalation: The attacker escalates privileges to gain administrative rights, which are required to stop security services.
3. Service Discovery: The attacker enumerates the running services to identify security-related services (e.g., antivirus, EDR, logging).
4. Stop Security Service (sc.exe): The attacker uses the sc.exe stop <service_name> command to attempt to stop a targeted service.
5. Stop Security Service (net.exe): Alternatively, the attacker uses net stop <service_name> to disable the service.
6. Stop Security Service (PowerShell): The attacker employs the Stop-Service <service_name> PowerShell cmdlet to halt the service.
7. Defense Evasion: With security services disabled, the attacker can now execute malicious code, install malware, or exfiltrate data without triggering alerts.
8. Lateral Movement/Impact: The attacker moves laterally to other systems or achieves their objective, such as data theft, ransomware deployment, or system destruction.

Impact

Successful disabling of security services can lead to a significant degradation of an organization’s security posture. This may result in widespread malware infections, data breaches, and system compromise. Organizations that have experienced these attacks have suffered financial losses, reputational damage, and operational disruptions. Examples include data destruction campaigns observed in the WhisperGate attacks and other destructive malware incidents targeting Ukrainian organizations.

Recommendation

• Deploy the Sigma rule Detect Windows Service Stop via sc.exe to identify attempts to stop services via the command line.
• Deploy the Sigma rule Detect Windows Service Stop via PowerShell to identify attempts to stop services via the PowerShell cmdlet.
• Enable and monitor process creation logs (Sysmon Event ID 1 or Windows Event Log Security 4688) to capture the necessary command-line details for detection.
• Investigate any alerts generated by the Sigma rules above immediately to determine the scope and impact of the potential compromise.
• Ensure that appropriate access controls are in place to restrict the ability to stop critical security services to authorized personnel only.

]]>highadvisorydefense-evasionendpointwindowshttps://feed.craftedsignal.io/briefs/2024-01-03-domain-controller-audit-disabled/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-03-domain-controller-audit-disabled/Detection of disabled audit policies on a Windows domain controller by monitoring Windows Security Event Logs for EventCode 4719, indicative of an attacker attempting to evade detection and potentially leading to data theft, privilege escalation, and full network compromise.This detection identifies the disabling of audit policies on a Windows Active Directory domain controller, a critical security event that can signify malicious activity. The detection uses Windows Security Event Logs, specifically EventCode 4719, to monitor for changes where success or failure auditing is removed. Attackers often disable audit policies to evade detection after gaining unauthorized access to a domain controller. This activity can be a precursor to more severe attacks, including data theft, privilege escalation, and full network compromise. The analytic leverages a Splunk search query designed to identify alterations to audit policies and provide context through lookups to identify the specific policies affected. The original Splunk detection was published on 2026-05-05.

Attack Chain

1. Initial Access: An attacker gains unauthorized access to a domain controller, often through credential theft or exploiting a vulnerability.
2. Privilege Escalation: The attacker escalates their privileges to a level sufficient to modify audit policies, such as through exploiting a privilege escalation vulnerability or using compromised administrator credentials.
3. Discovery: The attacker performs reconnaissance to identify existing audit policies and their configurations.
4. Disable Auditing: The attacker disables specific audit policies on the domain controller using tools native to the operating system or by directly modifying Group Policy Objects (GPOs). This action generates Windows Security Event Log 4719.
5. Evasion: By disabling auditing, the attacker attempts to evade detection by security monitoring tools and personnel.
6. Lateral Movement/Data Theft/Privilege Escalation: With auditing disabled, the attacker can now perform lateral movement, data theft, or further privilege escalation without generating the usual audit logs that would alert defenders.
7. Persistence: The attacker establishes persistence mechanisms to maintain access to the compromised domain controller, such as creating rogue accounts or modifying system configurations.

Impact

Successful disabling of audit policies on a domain controller can have severe consequences. It allows attackers to operate undetected within the network, potentially leading to data theft, privilege escalation, and complete network compromise. Without proper auditing, security teams lose visibility into malicious activities, making incident response and forensic investigations significantly more difficult. The impact is magnified by the central role domain controllers play in network authentication and authorization.

Recommendation

• Enable and monitor Windows Security Event Log EventCode 4719 on all domain controllers (reference: Overview).
• Deploy the Sigma rule provided in this brief to your SIEM and tune it for your environment (reference: Sigma rule).
• Investigate any instances of EventCode 4719 where audit policies are disabled on domain controllers to determine the source and intent of the change (reference: Overview).

]]>highadvisorydefense-evasionwindows