SolarWinds Process Disabling Services via Registry

  1[metadata]
  2creation_date = "2020/12/14"
  3integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
  4maturity = "production"
  5updated_date = "2025/03/20"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies a SolarWinds binary modifying the start type of a service to be disabled. An adversary may abuse this
 11technique to manipulate relevant security services.
 12"""
 13from = "now-9m"
 14index = [
 15    "winlogbeat-*",
 16    "logs-endpoint.events.registry-*",
 17    "logs-windows.sysmon_operational-*",
 18    "endgame-*",
 19    "logs-m365_defender.event-*",
 20    "logs-sentinel_one_cloud_funnel.*",
 21]
 22language = "eql"
 23license = "Elastic License v2"
 24name = "SolarWinds Process Disabling Services via Registry"
 25note = """## Triage and analysis
 26
 27> **Disclaimer**:
 28> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 29
 30### Investigating SolarWinds Process Disabling Services via Registry
 31
 32SolarWinds software is integral for network management, often requiring deep system access. Adversaries may exploit this by altering registry settings to disable critical services, evading detection. The detection rule identifies changes to service start types by specific SolarWinds processes, flagging potential misuse aimed at disabling security defenses. This proactive monitoring helps mitigate risks associated with unauthorized registry modifications.
 33
 34### Possible investigation steps
 35
 36- Review the process name involved in the alert to confirm it matches one of the specified SolarWinds processes, such as "SolarWinds.BusinessLayerHost*.exe" or "NetFlowService*.exe".
 37- Examine the registry path in the alert to ensure it corresponds to the critical service start type locations, such as "HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\Start".
 38- Check the registry data value to verify if it has been set to "4" (disabled), indicating a potential attempt to disable a service.
 39- Investigate the timeline of the registry change event to identify any preceding or subsequent suspicious activities on the host.
 40- Correlate the alert with other security logs or alerts from data sources like Sysmon or Microsoft Defender for Endpoint to identify any related malicious activities or patterns.
 41- Assess the impacted service to determine its role in security operations and evaluate the potential impact of it being disabled.
 42- Contact the system owner or administrator to verify if the registry change was authorized or part of a legitimate maintenance activity.
 43
 44### False positive analysis
 45
 46- Routine updates or maintenance by SolarWinds software may trigger registry changes. Verify if the process corresponds to a scheduled update or maintenance task and consider excluding these specific processes during known maintenance windows.
 47- Legitimate configuration changes by IT administrators using SolarWinds tools can appear as registry modifications. Confirm with the IT team if the changes align with authorized configuration activities and create exceptions for these known activities.
 48- Automated scripts or tools that utilize SolarWinds processes for legitimate network management tasks might cause false positives. Review the scripts or tools in use and whitelist them if they are verified as safe and necessary for operations.
 49- Temporary service modifications for troubleshooting purposes by SolarWinds processes can be mistaken for malicious activity. Ensure that any troubleshooting activities are documented and create temporary exceptions during these periods.
 50
 51### Response and remediation
 52
 53- Immediately isolate the affected system from the network to prevent further unauthorized registry modifications and potential lateral movement by the adversary.
 54- Terminate any suspicious SolarWinds processes identified in the alert, such as "SolarWinds.BusinessLayerHost*.exe" or "NetFlowService*.exe", to halt any ongoing malicious activity.
 55- Restore the registry settings for the affected services to their original state, ensuring that critical security services are re-enabled and configured to start automatically.
 56- Conduct a thorough review of the affected system for additional signs of compromise, including unauthorized user accounts, scheduled tasks, or other persistence mechanisms.
 57- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the scope of the breach.
 58- Implement enhanced monitoring on the affected system and similar environments to detect any future unauthorized registry changes, leveraging data sources like Sysmon and Microsoft Defender for Endpoint.
 59- Review and update access controls and permissions for SolarWinds processes to limit their ability to modify critical system settings, reducing the risk of future exploitation."""
 60references = [
 61    "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
 62]
 63risk_score = 47
 64rule_id = "b9960fef-82c6-4816-befa-44745030e917"
 65severity = "medium"
 66tags = [
 67    "Domain: Endpoint",
 68    "OS: Windows",
 69    "Use Case: Threat Detection",
 70    "Tactic: Defense Evasion",
 71    "Tactic: Initial Access",
 72    "Data Source: Elastic Endgame",
 73    "Data Source: Elastic Defend",
 74    "Data Source: Sysmon",
 75    "Data Source: Microsoft Defender for Endpoint",
 76    "Data Source: SentinelOne",
 77    "Resources: Investigation Guide",
 78]
 79timestamp_override = "event.ingested"
 80type = "eql"
 81
 82query = '''
 83registry where host.os.type == "windows" and event.type == "change" and registry.value : "Start" and
 84  process.name : (
 85      "SolarWinds.BusinessLayerHost*.exe",
 86      "ConfigurationWizard*.exe",
 87      "NetflowDatabaseMaintenance*.exe",
 88      "NetFlowService*.exe",
 89      "SolarWinds.Administration*.exe",
 90      "SolarWinds.Collector.Service*.exe",
 91      "SolarwindsDiagnostics*.exe"
 92  ) and
 93  registry.path : (
 94    "HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\Start",
 95    "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Services\\*\\Start",
 96    "MACHINE\\SYSTEM\\*ControlSet*\\Services\\*\\Start"
 97  ) and
 98  registry.data.strings : ("4", "0x00000004")
 99'''
100
101
102[[rule.threat]]
103framework = "MITRE ATT&CK"
104[[rule.threat.technique]]
105id = "T1112"
106name = "Modify Registry"
107reference = "https://attack.mitre.org/techniques/T1112/"
108
109[[rule.threat.technique]]
110id = "T1562"
111name = "Impair Defenses"
112reference = "https://attack.mitre.org/techniques/T1562/"
113[[rule.threat.technique.subtechnique]]
114id = "T1562.001"
115name = "Disable or Modify Tools"
116reference = "https://attack.mitre.org/techniques/T1562/001/"
117
118
119
120[rule.threat.tactic]
121id = "TA0005"
122name = "Defense Evasion"
123reference = "https://attack.mitre.org/tactics/TA0005/"
124[[rule.threat]]
125framework = "MITRE ATT&CK"
126[[rule.threat.technique]]
127id = "T1195"
128name = "Supply Chain Compromise"
129reference = "https://attack.mitre.org/techniques/T1195/"
130[[rule.threat.technique.subtechnique]]
131id = "T1195.002"
132name = "Compromise Software Supply Chain"
133reference = "https://attack.mitre.org/techniques/T1195/002/"
134
135
136
137[rule.threat.tactic]
138id = "TA0001"
139name = "Initial Access"
140reference = "https://attack.mitre.org/tactics/TA0001/"