{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/service-disabling/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","service-disabling","windows"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThis threat brief addresses adversaries disabling Windows services, either to evade defenses (MITRE ATT\u0026CK T1562.001, Impair Defenses: Disable or Modify Tools) or to prepare destructive actions. The detection identifies hosts that record an unusually high number of service-disabled events within a short timeframe. A burst of such events is a strong indicator of malicious activity, particularly when security-related services are among the targets, because it reveals an attempt to weaken or bypass security controls before the main objective is pursued. The analytic relies on Service Control Manager event 7040 in the Windows System log (EventCode 7040 in Splunk), which records a change to a service\u0026rsquo;s start type (for example, from auto start to disabled), and counts those events per host.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains initial access to the target system through phishing, exploitation of a vulnerability, or compromised credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker escalates to administrative or SYSTEM-level privileges, which are required to modify service configurations.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eService Enumeration:\u003c/strong\u003e The attacker enumerates installed services to identify potential targets for disabling. 
This may involve \u003ccode\u003esc.exe query\u003c/code\u003e or the PowerShell \u003ccode\u003eGet-Service\u003c/code\u003e cmdlet.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eIdentify Target Services:\u003c/strong\u003e The attacker identifies security products, logging mechanisms, or critical system components that run as services.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eService Disabling:\u003c/strong\u003e The attacker disables the targeted services with \u003ccode\u003esc.exe config \u0026lt;service_name\u0026gt; start= disabled\u003c/code\u003e (the space after \u003ccode\u003estart=\u003c/code\u003e is required), with PowerShell\u0026rsquo;s \u003ccode\u003eSet-Service -StartupType Disabled\u003c/code\u003e, or by writing the \u003ccode\u003eStart\u003c/code\u003e value under \u003ccode\u003eHKLM\\SYSTEM\\CurrentControlSet\\Services\\\u0026lt;service_name\u0026gt;\u003c/code\u003e directly in the registry. The first two go through the Service Control Manager and generate event 7040; the direct registry write does not.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion:\u003c/strong\u003e With security services disabled, the attacker evades detection and monitoring and hinders incident response.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement/Persistence:\u003c/strong\u003e With defenses weakened, the attacker moves laterally within the network or establishes persistent access without being detected.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eObjective Completion:\u003c/strong\u003e The attacker achieves the final objective, such as data theft, ransomware deployment, or system disruption, without interference from security controls.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful use of this technique significantly degrades the target\u0026rsquo;s security posture. Disabling security services blinds defenders, allowing attackers to move laterally, exfiltrate data, or deploy ransomware with little or no resistance, which can result in significant financial losses, reputational damage, and operational disruption. 
The CISA AA23-347A advisory highlights that adversaries often disable or impair security tools before deploying ransomware or conducting other malicious activities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eExcessive Windows Service Disabled Events\u003c/code\u003e to detect hosts exhibiting an unusual number of service-disabled events (Windows System log event 7040). Tune the threshold (count \u0026gt;= 10) and the time window to your environment\u0026rsquo;s baseline: Windows Update, software installers, and configuration-management tools legitimately change start types in bursts.\u003c/li\u003e\n\u003cli\u003eMatch on the new start type, not merely on the event ID: 7040 is also logged for changes to \u0026ldquo;auto start\u0026rdquo; or \u0026ldquo;demand start\u0026rdquo;, so restrict the rule to messages ending in \u0026ldquo;to disabled\u0026rdquo; and, where possible, raise severity when the affected service is a security product or the Windows Event Log.\u003c/li\u003e\n\u003cli\u003eKnow the analytic\u0026rsquo;s blind spots: stopping a service without changing its start type is logged as event 7036, not 7040, and writing the \u003ccode\u003eStart\u003c/code\u003e value under \u003ccode\u003eHKLM\\SYSTEM\\CurrentControlSet\\Services\\\u0026lt;service_name\u0026gt;\u003c/code\u003e directly bypasses the Service Control Manager and produces no 7040 at all. Pair this rule with registry value-set monitoring on that path (for example Sysmon Event ID 13) and with an alert on security services entering the stopped state.\u003c/li\u003e\n\u003cli\u003eInvestigate any alert from the \u003ccode\u003eExcessive Windows Service Disabled Events\u003c/code\u003e rule to determine what changed the start types; correlate with process creation events (Sysmon Event ID 1 or Security event 4688) on the same host around the same time to find the \u003ccode\u003esc.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, or \u003ccode\u003ereg.exe\u003c/code\u003e invocation responsible.\u003c/li\u003e\n\u003cli\u003eEnsure the Windows System log is collected and forwarded (for Splunk, a \u003ccode\u003eWinEventLog://System\u003c/code\u003e input on the universal forwarder); event 7040 is written there by default and needs no additional audit policy.\u003c/li\u003e\n\u003cli\u003eReview the Talos Intelligence blog post on Olympic Destroyer (\u003ca href=\"https://blog.talosintelligence.com/2018/02/olympic-destroyer.html\"\u003ehttps://blog.talosintelligence.com/2018/02/olympic-destroyer.html\u003c/a\u003e) for insights into how service disabling is used in destructive attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-excessive-disabled-services/","summary":"An adversary may disable critical Windows services to evade defenses or disrupt system operations, detected by monitoring for an excessive number of service-disabled events on a single host.","title":"Excessive Windows Service Disabling Events","url":"https://feed.craftedsignal.io/briefs/2024-01-excessive-disabled-services/"}],"language":"en","title":"CraftedSignal Threat Feed — Service-Disabling","version":"https://jsonfeed.org/version/1.1"}
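The count-per-host detection the brief describes, as an added Python example that is not the feed's Sigma rule or any Splunk content: it parses the message text of Service Control Manager event 7040, keeps only changes whose new start type is "disabled", and raises an alert when one host accumulates the threshold (10) inside a sliding ten-minute window. The host names, the sample events, and the list of security-service display names are constructed for the example; none come from a real system.

```python
"""Added example (not the brief's Sigma rule or Splunk content): the per-host
count of Service Control Manager event 7040 run over constructed sample events."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Message template the Service Control Manager writes for event 7040:
# "The start type of the <display name> service was changed from <old> to <new>."
EVENT_7040_RE = re.compile(
    r"^The start type of the (?P<service>.+) service was changed from "
    r"(?P<old>.+?) to (?P<new>.+?)\.?$"
)

# Display names treated as security-relevant (assumption for the example; extend per environment).
SECURITY_SERVICES = {
    "Windows Defender Antivirus Service",
    "Windows Defender Firewall",
    "Windows Event Log",
    "Security Center",
    "Sysmon64",
}


@dataclass
class WinEvent:
    """The fields a SIEM carries for a Windows System-log record."""
    host: str
    time: datetime
    event_code: int
    message: str


def parse_7040(event):
    """Return (service, old_start, new_start) for a 7040 event, or None for anything else."""
    if event.event_code != 7040:
        return None
    m = EVENT_7040_RE.match(event.message)
    return (m.group("service"), m.group("old"), m.group("new")) if m else None


def excessive_disabled_services(events, threshold=10, window_minutes=10):
    """Hosts where >= threshold services were set to 'disabled' within any window_minutes span.

    Only the new start type counts: 7040 is also logged for changes to 'auto start'
    or 'demand start', which patching and installers produce in bursts.
    """
    window = timedelta(minutes=window_minutes)
    per_host = defaultdict(list)
    for ev in events:
        parsed = parse_7040(ev)
        if parsed and parsed[2].lower() == "disabled":
            per_host[ev.host].append((ev.time, parsed[0]))

    alerts = {}
    for host, items in per_host.items():
        items.sort()
        best, start = [], 0
        for end in range(len(items)):  # sliding window over the time-sorted events
            while items[end][0] - items[start][0] > window:
                start += 1
            if end - start + 1 > len(best):
                best = items[start:end + 1]
        if len(best) >= threshold:
            services = sorted({svc for _, svc in best})
            alerts[host] = {
                "count": len(best),
                "services": services,
                "security_services": [s for s in services if s in SECURITY_SERVICES],
            }
    return alerts


def sample_events():
    """Constructed sample data; none of these records were taken from a real host."""
    base = datetime(2024, 1, 3, 9, 0, 0)
    msg = "The start type of the {svc} service was changed from {old} to {new}."
    evs = []
    # WS-042: eleven services disabled within two minutes, the pattern the brief targets.
    disabled = [
        "Windows Defender Antivirus Service", "Windows Defender Firewall", "Windows Event Log",
        "Security Center", "Sysmon64", "Volume Shadow Copy", "Windows Backup",
        "Remote Registry", "Windows Update", "Print Spooler", "Windows Search",
    ]
    for i, svc in enumerate(disabled):
        evs.append(WinEvent("WS-042", base + timedelta(seconds=10 * i), 7040,
                            msg.format(svc=svc, old="auto start", new="disabled")))
    # WS-007: twelve 7040 events from patching, but every change is to 'auto start'.
    for i in range(12):
        evs.append(WinEvent("WS-007", base + timedelta(seconds=5 * i), 7040,
                            msg.format(svc=f"Update Component {i}", old="demand start", new="auto start")))
    # SRV-DB1: ten disables, but spread one every 30 minutes (decommissioning, not a burst).
    for i in range(10):
        evs.append(WinEvent("SRV-DB1", base + timedelta(minutes=30 * i), 7040,
                            msg.format(svc=f"Legacy Agent {i}", old="auto start", new="disabled")))
    # WS-013: a service merely stopped is event 7036 and never counts toward this analytic.
    evs.append(WinEvent("WS-013", base, 7036,
                        "The Windows Defender Antivirus Service service entered the stopped state."))
    return evs


if __name__ == "__main__":
    for host, hit in excessive_disabled_services(sample_events()).items():
        print(f"{host}: {hit['count']} services disabled, security-relevant: {hit['security_services']}")
```

Run as written, only WS-042 is reported; SRV-DB1 only appears if the window is widened to several hours, which is the trade-off the threshold-and-window tuning in the recommendations refers to. The same aggregation in Splunk is a `bin _time span=10m` followed by `stats count by Computer, _time` over EventCode=7040 events whose Message matches `*to disabled*`.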