← Library
splApache-2.0from splunk/security_content

Excessive Attempt To Disable Services

The following analytic identifies a suspicious series of command-line executions attempting to disable multiple services. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on processes where "sc.exe" is used with parameters like "config" or "Disabled" within a short time frame. This activity is significant as it may indicate an adversary's attempt to disable security or other critical services to further compromise the system. If confirmed malicious, this could lead to the attacker achieving persistence, evading detection, or disabling security mechanisms, thereby increasing the risk of further exploitation.

Quality
67
FP risk
Forks
0
Views
0
Rule sourcedetections/endpoint/excessive_attempt_to_disable_services.yml
| tstats `security_content_summariesonly` values(Processes.action) as action values(Processes.original_file_name) as original_file_name values(Processes.parent_process) as parent_process values(Processes.parent_process_exec) as parent_process_exec values(Processes.parent_process_guid) as parent_process_guid values(Processes.parent_process_id) as parent_process_id values(Processes.parent_process_path) as parent_process_path values(Processes.process) as process values(Processes.process_exec) as process_exec values(Processes.process_guid) as process_guid values(Processes.process_hash) as process_hash values(Processes.process_id) as process_id values(Processes.process_integrity_level) as process_integrity_level values(Processes.process_path) as process_path values(Processes.user_id) as user_id values(Processes.vendor_product) as vendor_product  count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
  WHERE Processes.process_name = "sc.exe"
    AND
    Processes.process="*config*"
    OR
    Processes.process="*Disabled*"
  BY Processes.process_name Processes.parent_process_name Processes.dest
     Processes.user _time span=1m
| where count >=4
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `excessive_attempt_to_disable_services_filter`
Excessive Attempt To Disable Services · SPL rule | DetectionLint