SolarWinds Process Disabling Services via Registry
Identifies a SolarWinds binary modifying the start type of a service to be disabled. An adversary may abuse this technique to manipulate relevant security services.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/12/14"
3integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
4maturity = "production"
5updated_date = "2024/10/15"
6min_stack_version = "8.14.0"
7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies a SolarWinds binary modifying the start type of a service to be disabled. An adversary may abuse this
13technique to manipulate relevant security services.
14"""
15from = "now-9m"
16index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
17language = "eql"
18license = "Elastic License v2"
19name = "SolarWinds Process Disabling Services via Registry"
20references = [
21 "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
22]
23risk_score = 47
24rule_id = "b9960fef-82c6-4816-befa-44745030e917"
25severity = "medium"
26tags = [
27 "Domain: Endpoint",
28 "OS: Windows",
29 "Use Case: Threat Detection",
30 "Tactic: Defense Evasion",
31 "Tactic: Initial Access",
32 "Data Source: Elastic Endgame",
33 "Data Source: Elastic Defend",
34 "Data Source: Sysmon",
35 "Data Source: Microsoft Defender for Endpoint",
36 "Data Source: SentinelOne",
37]
38timestamp_override = "event.ingested"
39type = "eql"
40
41query = '''
42registry where host.os.type == "windows" and event.type == "change" and registry.value : "Start" and
43 process.name : (
44 "SolarWinds.BusinessLayerHost*.exe",
45 "ConfigurationWizard*.exe",
46 "NetflowDatabaseMaintenance*.exe",
47 "NetFlowService*.exe",
48 "SolarWinds.Administration*.exe",
49 "SolarWinds.Collector.Service*.exe",
50 "SolarwindsDiagnostics*.exe"
51 ) and
52 registry.path : (
53 "HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\Start",
54 "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Services\\*\\Start",
55 "MACHINE\\SYSTEM\\*ControlSet*\\Services\\*\\Start"
56 ) and
57 registry.data.strings : ("4", "0x00000004")
58'''
59
60
61[[rule.threat]]
62framework = "MITRE ATT&CK"
63[[rule.threat.technique]]
64id = "T1112"
65name = "Modify Registry"
66reference = "https://attack.mitre.org/techniques/T1112/"
67
68[[rule.threat.technique]]
69id = "T1562"
70name = "Impair Defenses"
71reference = "https://attack.mitre.org/techniques/T1562/"
72[[rule.threat.technique.subtechnique]]
73id = "T1562.001"
74name = "Disable or Modify Tools"
75reference = "https://attack.mitre.org/techniques/T1562/001/"
76
77
78
79[rule.threat.tactic]
80id = "TA0005"
81name = "Defense Evasion"
82reference = "https://attack.mitre.org/tactics/TA0005/"
83[[rule.threat]]
84framework = "MITRE ATT&CK"
85[[rule.threat.technique]]
86id = "T1195"
87name = "Supply Chain Compromise"
88reference = "https://attack.mitre.org/techniques/T1195/"
89[[rule.threat.technique.subtechnique]]
90id = "T1195.002"
91name = "Compromise Software Supply Chain"
92reference = "https://attack.mitre.org/techniques/T1195/002/"
93
94
95
96[rule.threat.tactic]
97id = "TA0001"
98name = "Initial Access"
99reference = "https://attack.mitre.org/tactics/TA0001/"
References
-
A highly evasive attacker leverages a supply chain attack trojanizing SolarWinds Orion business software updates in order to distribute SUNBURST malware.
Read More
Related rules
- Suspicious Explorer Child Process
- Alternate Data Stream Creation/Execution at Volume Root Directory
- Code Signing Policy Modification Through Registry
- Command Shell Activity Started via RunDLL32
- Conhost Spawned By Suspicious Parent Process