LoFP / A network administrator may disable these services as part of an audit process within the network. A filter is needed.

Techniques

Sample rules

Windows Service Stop Win Updates

Description

The following analytic detects the disabling of Windows Update services, such as “Update Orchestrator Service for Windows Update,” “WaaSMedicSvc,” and “Windows Update” (service names UsoSvc, WaaSMedicSvc and wuauserv respectively). It leverages Windows System Event ID 7040 logs, which the Service Control Manager writes when a service's start type changes, to identify changes in service start mode to ‘disabled.’ Note that 7040 records only start-type changes: merely stopping a running service (for example with net stop) produces Event ID 7036 and does not fire this rule. This activity is significant as it can indicate an adversary’s attempt to evade defenses by preventing critical updates, leaving the system vulnerable to exploits. If confirmed malicious, this could allow attackers to maintain persistence and exploit unpatched vulnerabilities, compromising the integrity and security of the affected host.

Detection logic

`wineventlog_system` EventCode=7040 (service_name IN ("Update Orchestrator Service for Windows Update", "WaaSMedicSvc", "Windows Update") OR param1 IN ("UsoSvc", "WaaSMedicSvc", "wuauserv")) AND (param3=disabled OR start_mode = disabled) 
| stats count min(_time) as firstTime max(_time) as lastTime by Computer Error_Code service_name start_mode param1 param2 param3 param4 
| rename Computer as dest 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_service_stop_win_updates_filter`
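To show how the detection logic above behaves on realistic records, and where the filter called for in the false-positive note comes in, here is a plain-Python re-implementation run over a few constructed System log events. This is an added example, not the rule authors' or Splunk's code. It assumes the event fields are available under the names the SPL query uses (EventCode, Computer, service_name, param1 to param4, start_mode); the ADMIN_FILTER allow-list is a hypothetical stand-in for the `windows_service_stop_win_updates_filter` macro, and the sample records are constructed, not captured logs.

```python
"""Python mirror of the 'Windows Service Stop Win Updates' SPL query.
Added example, not the rule authors' or Splunk's code; sample events are
constructed and the ADMIN_FILTER allow-list is a hypothetical filter macro."""
from collections import defaultdict
from datetime import datetime, timezone

# Display names and short names the SPL query matches, copied from the rule.
DISPLAY_NAMES = {"Update Orchestrator Service for Windows Update",
                 "WaaSMedicSvc", "Windows Update"}
SHORT_NAMES = {"UsoSvc", "WaaSMedicSvc", "wuauserv"}

# Hypothetical stand-in for `windows_service_stop_win_updates_filter`:
# hosts whose audit process is known to flip these services to disabled.
ADMIN_FILTER = {"allowed_hosts": {"AUDIT-WS01"}}


def matches_rule(event):
    """Mirror the SPL search clause: EventCode 7040, one of the update
    services, and the new start type is 'disabled'."""
    if str(event.get("EventCode")) != "7040":
        return False
    svc_hit = (event.get("service_name") in DISPLAY_NAMES
               or event.get("param1") in SHORT_NAMES)
    disabled = (str(event.get("param3", "")).lower() == "disabled"
                or str(event.get("start_mode", "")).lower() == "disabled")
    return svc_hit and disabled


def aggregate(events):
    """Mirror `stats count min(_time) max(_time) by Computer Error_Code
    service_name start_mode param1 param2 param3 param4`, then
    `rename Computer as dest`. Returns one row per distinct group."""
    groups = defaultdict(list)
    for ev in events:
        if matches_rule(ev):
            key = tuple(ev.get(f) for f in ("Computer", "Error_Code", "service_name",
                                            "start_mode", "param1", "param2",
                                            "param3", "param4"))
            groups[key].append(ev["_time"])
    rows = []
    for key, times in groups.items():
        rows.append({"dest": key[0], "service_name": key[2], "param1": key[4],
                     "param3": key[6], "param4": key[7], "count": len(times),
                     "firstTime": min(times), "lastTime": max(times)})
    return rows


def apply_filter(rows, fp_filter=ADMIN_FILTER):
    """Stand-in for the filter macro: drop rows from allow-listed hosts."""
    return [r for r in rows if r["dest"] not in fp_filter["allowed_hosts"]]


def run_detection(events, fp_filter=ADMIN_FILTER):
    """Full pipeline: match, aggregate, then apply the false-positive filter."""
    return apply_filter(aggregate(events), fp_filter)


def _t(s):
    """Helper: turn a readable UTC timestamp into an epoch float (_time)."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc).timestamp()


def _ev(code, when, host, **fields):
    return {"EventCode": code, "_time": _t(when), "Computer": host, **fields}


# Constructed sample records (not real logs).
SAMPLE_EVENTS = [
    # Workstation: wuauserv start type set to disabled, twice a few minutes apart.
    _ev(7040, "2024-05-01 10:00:00", "WS-FIN-07", service_name="Windows Update",
        param1="Windows Update", param2="auto start", param3="disabled",
        param4="wuauserv", start_mode="disabled"),
    _ev(7040, "2024-05-01 10:05:00", "WS-FIN-07", service_name="Windows Update",
        param1="Windows Update", param2="auto start", param3="disabled",
        param4="wuauserv", start_mode="disabled"),
    # Same host, medic service disabled.
    _ev(7040, "2024-05-01 10:01:00", "WS-FIN-07", service_name="WaaSMedicSvc",
        param1="WaaSMedicSvc", param2="demand start", param3="disabled",
        param4="WaaSMedicSvc", start_mode="disabled"),
    # Re-enable (new start type 'auto start'): must not match.
    _ev(7040, "2024-05-01 10:02:00", "WS-FIN-07", service_name="Windows Update",
        param1="Windows Update", param2="disabled", param3="auto start",
        param4="wuauserv", start_mode="auto start"),
    # Unrelated service disabled: must not match.
    _ev(7040, "2024-05-01 10:03:00", "WS-FIN-07", service_name="Print Spooler",
        param1="Print Spooler", param2="auto start", param3="disabled",
        param4="Spooler", start_mode="disabled"),
    # Service merely stopped (Event 7036), not a start-type change: must not match.
    _ev(7036, "2024-05-01 10:04:00", "WS-FIN-07", service_name="Windows Update",
        param1="Windows Update", param2="stopped"),
    # Known audit host; built to exercise the param1 short-name branch.
    # Matches the rule but is removed by the filter.
    _ev(7040, "2024-05-01 11:00:00", "AUDIT-WS01",
        service_name="Update Orchestrator Service for Windows Update",
        param1="UsoSvc", param2="auto start", param3="disabled",
        param4="UsoSvc", start_mode="disabled"),
]

if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(row)
```

The filter removes whole hosts rather than loosening the match itself, which is the shape the false-positive note asks for: the audit workstation's changes are still recorded and still aggregated, they just do not page anyone, while the same change on an ordinary workstation does.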