Detection rules › Splunk
Service Stop Commands (Windows Event Log)
Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Stealth | T1562.001 Impair Defenses: Disable or Modify Tools |
| Impact | T1489 Service Stop |
References
Event coverage
| Provider | Event | Title |
|---|---|---|
| Security-Auditing | Event ID 4656 | A handle to an object was requested. |
| Security-Auditing | Event ID 4688 | A new process has been created. |
Rule body

```yaml
id: '5367.5470'
title: Service Stop Commands
description: 'Adversaries may stop or disable services on a system to render those
services unavailable to legitimate users. Stopping critical services can inhibit
or stop response to an incident or aid in the adversary''s overall objectives to
cause damage to the environment. Threat Actor Association: APT29/Nobelium/Cozy Bear,
FIN6, Kimsuky, Lapsus$, Lazarus, TA2541, Traveling Spider - Software Association:
BlackByte, Blackcat/ALPHV, Black Basta, Conti, Cring, Cuba, GhostShell, Lockbit,
Nefilim, Prometheus / Spook, Ryuk, TeamTNT, WatchDog, WhisperGate, XingLocker --
Atomics T1489 #Test1 Atomics T1489 #Test2 Atomics T1489 #Test3 -- #TrendingThreat
#Russia #Ukraine'
logic_format: Splunk
logic: '`get_endpoint_data` `get_endpoint_data_winevent` (EventCode=4656 OR EventCode=4688
OR "EventID>4688<" OR "EventID>4656<") ((TERM(sc.exe) OR TERM(sc) OR TERM(net) OR
TERM(net.exe) ) AND TERM(stop) AND (TERM(ShellHWDetection) OR TERM(AVPSUS) OR TERM(McAfeeDLPAgentService)
OR TERM(mfewc) OR TERM(eventlog) OR (TERM(BMR) AND TERM(SERVICE)))) OR ( TERM(taskkill)
AND ( TERM(/IM) OR TERM(/PID) OR TERM(/T) ) AND TERM(/F)) OR ((TERM(sc.exe) OR TERM(sc))
AND TERM(CONFIG) AND TERM(START=) AND TERM(DISABLED)) | eval process2=mvappend(Object_Server,
Accesses, Object_Name), process=mvappend(process,process2) | regex process="(?i)(stop.*(ShellHWDetection|AVPSUS|McAfeeDLPAgentService|mfewc|eventlog|BMR.*service))|(taskkill)|(start=.*disabled)"
| table _time, host, user, event_id, parent_process, parent_process_id, parent_process_name,
parent_process_path, process, process_current_directory, process_id, process_name,
process_path, signature_id, user_id | bin span=1s | stats values(*) as * by _time,
host '
techniques:
- defense-evasion:impair defenses:disable or modify tools
- impact:service stop
technique_id:
- T1562.001
- T1489
data_category:
- Windows event logs
- Process command-line parameters
references:
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/lockergoga-ransomware-family-used-in-targeted-attacks/
- https://kcm.trellix.com/resources/sites/MCAFEE/content/live/CORP_KNOWLEDGEBASE/91000/KB91373/en_US/McAfee%20Labs%20Threat%20Advisory%20-%20LockerGoga.pdf
```
Stages and Predicates
Stage 1: search
`get_endpoint_data` `get_endpoint_data_winevent` (EventCode=4656 OR EventCode=4688 OR "EventID>4688<" OR "EventID>4656<") ((TERM(sc.exe) OR TERM(sc) OR TERM(net) OR TERM(net.exe) ) AND TERM(stop) AND (TERM(ShellHWDetection) OR TERM(AVPSUS) OR TERM(McAfeeDLPAgentService) OR TERM(mfewc) OR TERM(eventlog) OR (TERM(BMR) AND TERM(SERVICE)))) OR ( TERM(taskkill) AND ( TERM(/IM) OR TERM(/PID) OR TERM(/T) ) AND TERM(/F)) OR ((TERM(sc.exe) OR TERM(sc)) AND TERM(CONFIG) AND TERM(START=) AND TERM(DISABLED))
Stage 2: eval
| eval process2=mvappend(Object_Server, Accesses, Object_Name), process=mvappend(process,process2)
Stage 3: regex
| regex process="(?i)(stop.*(ShellHWDetection|AVPSUS|McAfeeDLPAgentService|mfewc|eventlog|BMR.*service))|(taskkill)|(start=.*disabled)"
Stage 4: table
| table _time, host, user, event_id, parent_process, parent_process_id, parent_process_name, parent_process_path, process, process_current_directory, process_id, process_name, process_path, signature_id, user_id
Stage 5: bucket
| bin span=1s
Stage 6: stats
| stats values(*) as * by _time, host
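As an added illustration (not part of the rule catalog), the search, eval and regex stages above re-created in Python and run over constructed 4688 and 4656 events. TERM() is approximated by whole whitespace-separated tokens, and the field names `EventCode`, `process`, `Object_Server`, `Accesses` and `Object_Name` are taken from the rule body:

```python
import re

# Stage 3 regex, copied verbatim from the rule body.
STAGE3 = re.compile(
    r"(?i)(stop.*(ShellHWDetection|AVPSUS|McAfeeDLPAgentService|mfewc|eventlog|BMR.*service))"
    r"|(taskkill)|(start=.*disabled)"
)

def whole_tokens(text):
    """Approximates Splunk TERM(): whole whitespace-separated tokens, not substrings."""
    return set(text.lower().split())

def stage1(text):
    """Stage 1 search predicates rebuilt over the token set (an approximation of _raw matching)."""
    t = whole_tokens(text)
    svc_tool = {"sc.exe", "sc", "net", "net.exe"} & t
    stop_named = "stop" in t and (
        {"shellhwdetection", "avpsus", "mcafeedlpagentservice", "mfewc", "eventlog"} & t
        or {"bmr", "service"} <= t)
    taskkill = "taskkill" in t and {"/im", "/pid", "/t"} & t and "/f" in t
    sc_disable = {"sc.exe", "sc"} & t and {"config", "start=", "disabled"} <= t
    return bool(svc_tool and stop_named or taskkill or sc_disable)

def stage2(event):
    """Stage 2: fold the 4656 object fields into one process string, like mvappend()."""
    return " ".join(event.get(k, "") for k in ("process", "Object_Server", "Accesses", "Object_Name")).strip()

def rule_matches(event):
    """Stage 1 on the event text, then Stages 2 and 3 on the assembled process field."""
    if event.get("EventCode") not in (4656, 4688):
        return False
    text = stage2(event)
    return stage1(text) and STAGE3.search(text) is not None

# Constructed sample events, not real telemetry.
SAMPLES = [
    {"EventCode": 4688, "process": "net stop McAfeeDLPAgentService"},
    {"EventCode": 4688, "process": "sc config eventlog start= disabled"},
    {"EventCode": 4688, "process": "taskkill /IM example.exe /F"},
    {"EventCode": 4656, "process": "", "Object_Server": "SC Manager",
     "Accesses": "Stop the service", "Object_Name": "eventlog"},
    {"EventCode": 4688, "process": "sc query eventlog"},        # read-only enquiry
    {"EventCode": 4688, "process": "net stop Spooler"},         # service not on the watch list
    {"EventCode": 4688, "process": "taskkill /IM notepad.exe"}, # no /F
]

def hits(events=SAMPLES):
    """Return the process (or 4656 object name) of each event the rule would surface."""
    return [e["process"] or e["Object_Name"] for e in events if rule_matches(e)]
```

The three negative samples show why the regex stage alone is not the rule: the TERM() predicates in Stage 1 already drop the enquiry, the unlisted service and the taskkill without /F before any regex runs.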
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
Search terms
Bare-string tokens in the SPL search body. Splunk matches a quoted string against _raw (the untyped raw event text) anywhere it appears, not against a specific field; a TERM() directive instead matches a whole indexed token bounded by major breakers (spaces, brackets, commas), so it is stricter than a plain substring-style search. These terms don't surface in the Indicators table because they aren't predicates on a known field.
| Stage | Term |
|---|---|
| 1 | "EventID>4688<" |
| 1 | "EventID>4656<" |
| 1 | TERM(sc.exe) |
| 1 | TERM(sc) |
| 1 | TERM(net) |
| 1 | TERM(net.exe) |
| 1 | TERM(stop) |
| 1 | TERM(ShellHWDetection) |
| 1 | TERM(AVPSUS) |
| 1 | TERM(McAfeeDLPAgentService) |
| 1 | TERM(mfewc) |
| 1 | TERM(eventlog) |
| 1 | TERM(BMR) |
| 1 | TERM(SERVICE) |
| 1 | TERM(taskkill) |
| 1 | TERM(/IM) |
| 1 | TERM(/PID) |
| 1 | TERM(/T) |
| 1 | TERM(/F) |
| 1 | TERM(sc.exe) |
| 1 | TERM(sc) |
| 1 | TERM(CONFIG) |
| 1 | TERM(START=) |
| 1 | TERM(DISABLED) |