Name:Windows Event For Service Disabled id:9c2620a8-94a1-11ec-b40c-acde48001122 version:5 date:2024-10-17 author:Teoderick Contreras, Splunk status:production type:Hunting Description:The following analytic detects when a Windows service is modified from a start type to disabled. It leverages system event logs, specifically EventCode 7040, to identify this change. This activity is significant because adversaries often disable security or other critical services to evade detection and maintain control over a compromised host. If confirmed malicious, this action could allow attackers to bypass security defenses, leading to further exploitation and persistence within the environment. Data_source:
-Windows Event Log System 7040
search:`wineventlog_system` EventCode=7040 EventData_Xml="*disabled*" | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode Name UserID service ServiceName | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_event_for_service_disabled_filter`
how_to_implement:To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints. known_false_positives:Windows service update may cause this event. In that scenario, filtering is needed. References: -https://blog.talosintelligence.com/2018/02/olympic-destroyer.html drilldown_searches:
: tags: analytic_story: - 'Windows Defense Evasion Tactics' - 'RedLine Stealer' asset_type:Endpoint confidence:60 impact:60 message:Service $ServiceName$ was disabled on $dest$ mitre_attack_id: - 'T1562.001' - 'T1562' observable: name:'dest' type:'Endpoint' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'ComputerName' - 'EventCode' - 'Message' - 'User' - 'Sid' risk_score:36 security_domain:endpoint
