Service-Disabling — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/service-disabling/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 03 Jan 2024 12:00:00 +0000Excessive Windows Service Disabling Eventshttps://feed.craftedsignal.io/briefs/2024-01-excessive-disabled-services/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-excessive-disabled-services/An adversary may disable critical Windows services to evade defenses or disrupt system operations, detected by monitoring for an excessive number of service-disabled events on a single host.This threat brief addresses the potential for adversaries to disable critical Windows services as a means of defense evasion or to facilitate destructive actions. The detection focuses on identifying hosts that exhibit an unusually high volume of service-disabled events within a short timeframe. This behavior is often indicative of malicious activity, particularly when security-related services are targeted. Monitoring for excessive service disabling events is crucial because it can reveal attempts to weaken or bypass security controls, allowing attackers to operate with greater impunity. The analytic leverages Windows Event Logs (EventCode 7040) to detect multiple service state changes on a single host.

Attack Chain

  1. Initial Access: The attacker gains initial access to the target system through methods such as phishing, exploiting vulnerabilities, or using compromised credentials.
  2. Privilege Escalation: The attacker escalates privileges to gain administrative or SYSTEM-level access, which is required to modify service configurations.
  3. Service Enumeration: The attacker enumerates installed services to identify potential targets for disabling. This may involve using tools like sc.exe or PowerShell cmdlets like Get-Service.
  4. Identify Target Services: The attacker identifies security solutions, logging mechanisms, or critical system components that are running as services.
  5. Service Disabling: The attacker disables the targeted services using tools like sc.exe config <service_name> start= disabled, PowerShell’s Set-Service cmdlet, or by directly modifying the service’s registry keys.
  6. Defense Evasion: Disabling security services allows the attacker to evade detection and monitoring, hindering incident response efforts.
  7. Lateral Movement/Persistence: With defenses weakened, the attacker can move laterally within the network or establish persistent access without being detected.
  8. Objective Completion: The attacker achieves their final objectives, which may include data theft, ransomware deployment, or system disruption, without interference from security controls.

Impact

Successful exploitation can lead to a significant degradation of the target’s security posture. The disabling of security services can blind defenders, allowing attackers to move laterally, exfiltrate data, or deploy ransomware with little or no resistance. This can result in significant financial losses, reputational damage, and operational disruption. The CISA AA23-347A advisory highlights that adversaries often disable or impair security tools before deploying ransomware or conducting other malicious activities.

Recommendation

  • Deploy the provided Sigma rule Excessive Windows Service Disabled Events to detect hosts exhibiting an unusual number of service-disabled events (Windows Event Log System 7040). Tune the threshold (count >=10) based on your environment’s baseline.
  • Investigate any alerts generated by the Excessive Windows Service Disabled Events Sigma rule to determine the cause of the service state changes.
  • Enable Windows Event Logging for System events (EventCode 7040) to ensure the necessary data source is available.
  • Review the Talos Intelligence blog post on Olympic Destroyer (https://blog.talosintelligence.com/2018/02/olympic-destroyer.html) for insights into how service disabling is used in destructive attacks.
]]>highadvisorydefense-evasionservice-disablingwindows