Techniques
Sample rules
Windows Service Stop Win Updates
- source: splunk
- technicques:
- T1489
Description
The following analytic identifies a windows update service being disabled in Windows OS. This technique is being abused by adversaries or threat actors to add defense mechanisms to their malware implant in the targeted host. Disabling windows update will put the compromised host vulnerable in some zero day exploit or even some update features against threats. RedLine Stealer kills this service as part of its defense evasion mechanism.
Detection logic
`wineventlog_system` EventCode=7040 (service_name IN ("Update Orchestrator Service for Windows Update", "WaaSMedicSvc", "Windows Update") OR param1 IN ("UsoSvc", "WaaSMedicSvc", "wuauserv")) AND (param3=disabled OR start_mode = disabled)
| stats count min(_time) as firstTime max(_time) as lastTime by Computer Error_Code service_name start_mode param1 param2 param3 param4
| rename Computer as dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_service_stop_win_updates_filter`