Excessive Attempt to Disable Services

Rule added on 20th February, 2024

Prerequisite:

The rule requires auditing to be enabled for proper functioning.

Rule type:

Correlation rule

Rule description:

This correlation rule is designed to detect security threats by identifying instances where there are numerous and rapid attempts to disable system services. The focus is on recognizing patterns of behavior indicative of a malicious actor attempting to disrupt or compromise critical services on the system.

Data source:

Windows: application log, process, script, network traffic

Relevant MITRE ATT&CK techniques and tactics:

Tactics: TA0040 - Impact, TA0005 - Defense Evasion

Techniques: T1485 - Data Destruction, T1562 - Impair Defenses

Sub-techniques: T1562.001 - Impair Defenses: Disable or Modify Tools

Criteria:

Command line contains config: This condition checks the command line arguments used to launch a process. If "config" is present within these arguments, it might indicate someone is trying to configure a service.

Command line contains Disabled: This condition further narrows down the search by looking for the keyword "Disabled" within the command line arguments. This suggests the configuration being attempted is related to disabling something, typically a service's start type.

Process name ends with sc.exe: This condition focuses on processes whose names end with "sc.exe". "sc.exe" is the legitimate Windows Service Control utility used for managing services, so all three conditions must hold together before an event counts toward the rule.
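The three criteria above plus the "excessive and rapid" correlation step, as an added Python example that is not the product's own rule logic. It runs over constructed process-creation events; the threshold of three matches in a one-minute sliding window, the case-insensitive matching, and the event field names are assumptions, since the page does not state them.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class ProcessEvent:
    ts: datetime        # event time (e.g. from a process-creation audit event)
    host: str           # computer the process ran on
    process: str        # image name of the new process
    cmdline: str        # full command line

def matches_criteria(ev: ProcessEvent) -> bool:
    """The rule's three conditions. Case-insensitive matching is an assumption
    added here, since Windows command lines are not case-sensitive."""
    cmd = ev.cmdline.lower()
    return (ev.process.lower().endswith("sc.exe")
            and "config" in cmd
            and "disabled" in cmd)

def correlate(events, threshold=3, window=timedelta(minutes=1)):
    """Raise one alert per host whenever `threshold` matching events fall inside a
    sliding `window`. Threshold and window are assumed values, not the product's."""
    alerts = []
    recent = {}  # host -> timestamps of matching events still inside the window
    for ev in sorted(events, key=lambda e: e.ts):
        if not matches_criteria(ev):
            continue
        bucket = recent.setdefault(ev.host, [])
        bucket.append(ev.ts)
        while bucket and ev.ts - bucket[0] > window:
            bucket.pop(0)  # drop matches that have aged out of the window
        if len(bucket) >= threshold:
            alerts.append((ev.host, ev.ts, len(bucket)))
            bucket.clear()  # one alert per burst, not one per extra event
    return alerts

# Constructed sample events; not real telemetry.
T0 = datetime(2024, 2, 20, 9, 0, 0)
SC = "C:\\Windows\\System32\\sc.exe"
SAMPLE = [
    ProcessEvent(T0, "WS01", SC, "sc.exe config SvcA start= disabled"),
    ProcessEvent(T0 + timedelta(seconds=5), "WS01", SC, "sc.exe config SvcB start= disabled"),
    ProcessEvent(T0 + timedelta(seconds=9), "WS01", SC, "sc.exe query SvcC"),
    ProcessEvent(T0 + timedelta(seconds=12), "WS01", SC, "sc.exe config SvcC start= disabled"),
    ProcessEvent(T0 + timedelta(seconds=30), "WS02", SC, "sc.exe config LegacySvc start= disabled"),
    ProcessEvent(T0 + timedelta(minutes=10), "WS02", SC, "sc.exe config LegacySvc start= auto"),
]

if __name__ == "__main__":
    for host, when, count in correlate(SAMPLE):
        print(f"ALERT {host}: {count} service-disable attempts by {when.isoformat()}")
```

WS02's single disable (later reverted) matches the criteria but never reaches the threshold, which is the difference between the per-event match and the correlation rule.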

When to enable this rule:

Enable this rule when the user wants to detect attempts to tamper with security measures. This correlation rule monitors for excessive and rapid attempts to disable system services, focusing on recognizing patterns of behavior that might indicate a malicious actor trying to disrupt critical system functionality or compromise security software.

Compliance mapping (NIST, CIS):

Enabling this rule will help you comply with the below security standards' requirements:

  • NIST Cybersecurity Framework (CSF): DE.CM (Security Continuous Monitoring), in particular DE.CM-7, which covers monitoring for unauthorized activity.
  • CIS Control 5 (Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers) to ensure secure configurations and prevent unauthorized changes.

Next steps:

Upon triggering this alert, the following actions can be taken:

  • Identification: Mark this alert as a part of an existing incident or initiate a new incident. Assign the incident to an analyst for in-depth examination.
  • Analysis: Conduct an impact investigation and thoroughly analyze the degree of compromise utilizing the Incident Workbench to gain insights into the threat's severity.
  • Response: Initiate automated workflow execution to swiftly terminate the identified malicious process, leveraging Workflows for prompt mitigation.