{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/service-disabled/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","service-disabled","windows"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThis detection identifies instances where a Windows service is disabled, as indicated by Windows Event ID 7040. Threat actors frequently disable security services or other critical system services to bypass security controls, hinder incident response, and maintain persistence on compromised hosts. This action enables attackers to operate with less scrutiny, allowing them to further compromise the system and potentially the network. While legitimate service updates can trigger this event, a sudden or unexpected disabling of a critical service warrants immediate investigation. This activity is often seen post-exploitation, allowing adversaries to prepare the environment for lateral movement or data exfiltration. The Talos report on Olympic Destroyer highlights this technique.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system through methods such as phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to gain administrative access, required to modify service configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies target services to disable, such as security software, logging, or monitoring tools.\u003c/li\u003e\n\u003cli\u003eThe attacker uses tools like \u003ccode\u003esc.exe\u003c/code\u003e or PowerShell to modify the service start type to \u0026ldquo;disabled\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eWindows Event ID 7040 is generated, recording the service configuration change in the system event log.\u003c/li\u003e\n\u003cli\u003eThe attacker confirms the service is disabled, preventing it from automatically starting after reboots.\u003c/li\u003e\n\u003cli\u003eWith the targeted services disabled, the attacker performs malicious activities, such as lateral movement or data exfiltration, with reduced risk of detection.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence, ensuring continued access to the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eDisabling critical services can severely impair the security posture of a system, potentially leading to complete compromise. Attackers may disable antivirus software, firewalls, or logging services, allowing them to operate undetected. The observed impact can range from data theft to complete system destruction, as seen in attacks like Olympic Destroyer. The number of affected systems depends on the scope of the initial compromise and the attacker\u0026rsquo;s objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Windows Service Disabled via Event ID 7040\u003c/code\u003e to your SIEM to identify instances of service disabling.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on critical system services.\u003c/li\u003e\n\u003cli\u003eEnable Windows Event Logging and ensure that Event ID 7040 is being collected to provide the necessary data for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eReview the provided reference (\u003ca href=\"https://blog.talosintelligence.com/2018/02/olympic-destroyer.html\"\u003ehttps://blog.talosintelligence.com/2018/02/olympic-destroyer.html\u003c/a\u003e) to understand the context and potential impact of this technique.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-service-disabled/","summary":"Detection of a Windows service being disabled via Event ID 7040, a common tactic used by adversaries to evade defenses and maintain control over compromised systems.","title":"Windows Service Disabled Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-service-disabled/"}],"language":"en","title":"CraftedSignal Threat Feed — Service-Disabled","version":"https://jsonfeed.org/version/1.1"}