SolarWinds Process Disabling Services via Registry
Identifies a SolarWinds binary modifying the start type of a service to be disabled. An adversary may abuse this technique to manipulate relevant security services.
[metadata]
creation_date = "2020/12/14"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
Identifies a SolarWinds binary modifying the start type of a service to be disabled. An adversary may abuse this
technique to manipulate relevant security services.
"""
# Look-back window per rule execution. Paired with `timestamp_override` below so
# events that arrive late are still evaluated against the window they belong to.
from = "now-9m"
# Registry telemetry from the three data sources listed in `tags`, plus the
# generic winlogbeat index pattern.
index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "SolarWinds Process Disabling Services via Registry"
references = [
    "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
]
risk_score = 47
rule_id = "b9960fef-82c6-4816-befa-44745030e917"
# The note below explains why `event.ingested` must exist on non-agent indices
# for `timestamp_override` to work on stacks older than 8.2.
setup = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Tactic: Initial Access",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
]
timestamp_override = "event.ingested"
type = "eql"

# Fires on a registry write that sets a service's `Start` value to 4 (Disabled),
# under any ControlSet, when the writing process is one of the listed SolarWinds
# binaries. The rule deliberately keys on the legitimate process names, as in the
# referenced report, so routine administration through those binaries that
# disables a service will also alert; baseline such activity by the service
# path written rather than by loosening the process-name filter.
# NOTE(review): the value match is exact (no wildcard) and accepts only the two
# spellings "4" and "0x00000004" — confirm each listed data source normalises
# the DWORD to one of these, otherwise that source silently contributes nothing.
query = '''
registry where host.os.type == "windows" and registry.path : (
 "HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\Start",
 "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Services\\*\\Start"
 ) and
 registry.data.strings : ("4", "0x00000004") and
 process.name : (
 "SolarWinds.BusinessLayerHost*.exe",
 "ConfigurationWizard*.exe",
 "NetflowDatabaseMaintenance*.exe",
 "NetFlowService*.exe",
 "SolarWinds.Administration*.exe",
 "SolarWinds.Collector.Service*.exe",
 "SolarwindsDiagnostics*.exe")
'''

# ATT&CK mapping. First entry: the registry write (T1112) is used to disable a
# tool or service (T1562.001) under Defense Evasion. Second entry: the
# supply-chain compromise (T1195.002) that placed the SolarWinds binary in a
# position to do so, under Initial Access.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1112"
name = "Modify Registry"
reference = "https://attack.mitre.org/techniques/T1112/"

[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"

[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1195"
name = "Supply Chain Compromise"
reference = "https://attack.mitre.org/techniques/T1195/"

[[rule.threat.technique.subtechnique]]
id = "T1195.002"
name = "Compromise Software Supply Chain"
reference = "https://attack.mitre.org/techniques/T1195/002/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"