Detection: Windows Service Stop Win Updates

Updated Date: 2024-05-20 ID: 0dc25c24-6fcf-456f-b08b-dd55a183e4de Author: Teoderick Contreras, Splunk Type: Anomaly Product: Splunk Enterprise Security

Description

The following analytic detects the disabling of Windows Update services, such as "Update Orchestrator Service for Windows Update," "WaaSMedicSvc," and "Windows Update." It leverages Windows System Event ID 7040 logs to identify changes in service start modes to 'disabled.' This activity is significant as it can indicate an adversary's attempt to evade defenses by preventing critical updates, leaving the system vulnerable to exploits. If confirmed malicious, this could allow attackers to maintain persistence and exploit unpatched vulnerabilities, compromising the integrity and security of the affected host.

Search

1`wineventlog_system` EventCode=7040 (service_name IN ("Update Orchestrator Service for Windows Update", "WaaSMedicSvc", "Windows Update") OR param1 IN ("UsoSvc", "WaaSMedicSvc", "wuauserv")) AND (param3=disabled OR start_mode = disabled) 
2| stats count min(_time) as firstTime max(_time) as lastTime by Computer Error_Code service_name start_mode param1 param2 param3 param4 
3| rename Computer as dest 
4| `security_content_ctime(firstTime)` 
5| `security_content_ctime(lastTime)` 
6| `windows_service_stop_win_updates_filter`

Data Source

Name	Platform	Sourcetype	Source	Supported App
Windows Event Log System 7040	Windows	`'xmlwineventlog'`	`'XmlWinEventLog:System'`	N/A

Macros Used

Name	Value
security_content_ctime	`convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$)`
windows_service_stop_win_updates_filter	`search *`

windows_service_stop_win_updates_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK

+ Kill Chain Phases

+ NIST

+ CIS

- Threat Actors

ID	Technique	Tactic
T1489	Service Stop	Impact

KillChainPhase.ACTIONS_ON_OBJECTIVES

NistCategory.DE_AE

Cis18Value.CIS_10

Indrik Spider

LAPSUS$

Lazarus Group

Wizard Spider

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting	Value
Disabled	true
Cron Schedule	`0 * * * *`
Earliest Time	`-70m@m`
Latest Time	`-10m@m`
Schedule Window	`auto`
Creates Risk Event	True

This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.

Implementation

To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints (like Windows system.log Event ID 7040)

Known False Positives

Network administrator may disable this services as part of its audit process within the network. Filter is needed.

Associated Analytic Story

Risk Based Analytics (RBA)

Risk Message	Risk Score	Impact	Confidence
Windows update services $service_name$ was being disabled on $dest$	49	70	70

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

References

https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Detection Testing

Test Type	Status	Dataset	Source	Sourcetype
Validation	✅ Passing	N/A	N/A	N/A
Unit	✅ Passing	Dataset	`XmlWinEventLog:System`	`XmlWinEventLog`
Integration	✅ Passing	Dataset	`XmlWinEventLog:System`	`XmlWinEventLog`

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 2