SolarWinds Process Disabling Services via Registry

Identifies a SolarWinds binary modifying the start type of a service to be disabled. An adversary may abuse this technique to manipulate relevant security services.

Elastic rule

 1[metadata]
 2creation_date = "2020/12/14"
 3integration = ["endpoint", "windows"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/06/22"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies a SolarWinds binary modifying the start type of a service to be disabled. An adversary may abuse this
13technique to manipulate relevant security services.
14"""
15from = "now-9m"
16index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
17language = "eql"
18license = "Elastic License v2"
19name = "SolarWinds Process Disabling Services via Registry"
20note = """## Setup
21
22If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
23"""
24references = [
25    "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
26]
27risk_score = 47
28rule_id = "b9960fef-82c6-4816-befa-44745030e917"
29severity = "medium"
30tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
31timestamp_override = "event.ingested"
32type = "eql"
33
34query = '''
35registry where host.os.type == "windows" and registry.path : (
36    "HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\Start",
37    "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Services\\*\\Start"
38  ) and
39  registry.data.strings : ("4", "0x00000004") and
40  process.name : (
41      "SolarWinds.BusinessLayerHost*.exe",
42      "ConfigurationWizard*.exe",
43      "NetflowDatabaseMaintenance*.exe",
44      "NetFlowService*.exe",
45      "SolarWinds.Administration*.exe",
46      "SolarWinds.Collector.Service*.exe",
47      "SolarwindsDiagnostics*.exe")
48'''
49
50
51[[rule.threat]]
52framework = "MITRE ATT&CK"
53[[rule.threat.technique]]
54id = "T1562"
55name = "Impair Defenses"
56reference = "https://attack.mitre.org/techniques/T1562/"
57[[rule.threat.technique.subtechnique]]
58id = "T1562.001"
59name = "Disable or Modify Tools"
60reference = "https://attack.mitre.org/techniques/T1562/001/"
61
62
63
64[rule.threat.tactic]
65id = "TA0005"
66name = "Defense Evasion"
67reference = "https://attack.mitre.org/tactics/TA0005/"
68[[rule.threat]]
69framework = "MITRE ATT&CK"
70[[rule.threat.technique]]
71id = "T1195"
72name = "Supply Chain Compromise"
73reference = "https://attack.mitre.org/techniques/T1195/"
74[[rule.threat.technique.subtechnique]]
75id = "T1195.002"
76name = "Compromise Software Supply Chain"
77reference = "https://attack.mitre.org/techniques/T1195/002/"
78
79
80
81[rule.threat.tactic]
82id = "TA0001"
83name = "Initial Access"
84reference = "https://attack.mitre.org/tactics/TA0001/"

Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested`, and the default fallback for EQL rules was not added until 8.2, so you will need to add a custom ingest pipeline that populates `event.ingested` from `@timestamp` for this rule to work.

References

Related rules
