Techniques
Sample rules
Windows Event For Service Disabled
- source: splunk
- techniques:
- T1562.001
- T1562
Description
This analytic identifies Windows System events (EventCode 7040) in which a service's start type was changed to disabled. The technique is seen where an adversary disables security application services, or services belonging to other malware, to evade the defenses on the compromised host.
Detection logic
`wineventlog_system` EventCode=7040 EventData_Xml="*disabled*"
| stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode Name UserID service ServiceName
| rename Computer as dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_event_for_service_disabled_filter`
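The following is an added Python example, not part of the Splunk rule above, that applies the same detection logic offline to a handful of constructed EventCode 7040 records: it parses the EventData XML, keeps only events whose new start type is "disabled", and aggregates count, firstTime and lastTime by host, user and service exactly as the `stats` clause does. It assumes the Service Control Manager 7040 field layout (param1 = display name, param2 = old start type, param3 = new start type, param4 = service key name); all hostnames, SIDs, timestamps and event records are constructed samples. It also counts how many records the raw `EventData_Xml="*disabled*"` wildcard would match, which shows the caveat that the wildcard also hits the reverse change (a service re-enabled from disabled), so tuning on the new start type, or on the rule's filter macro, reduces that noise.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample records (not real telemetry). Field names mirror the Splunk
# wineventlog_system fields used in the rule: _time, Computer, EventCode, UserID, EventData_Xml.
# Assumed 7040 layout: param1 = display name, param2 = old start type,
# param3 = new start type, param4 = service key name.
def _event_data(display, old, new, key):
    return (
        "<EventData>"
        f"<Data Name='param1'>{display}</Data>"
        f"<Data Name='param2'>{old}</Data>"
        f"<Data Name='param3'>{new}</Data>"
        f"<Data Name='param4'>{key}</Data>"
        "</EventData>"
    )

SAMPLE_EVENTS = [
    {"_time": "2024-03-01T10:00:00Z", "Computer": "WS01.example.test", "EventCode": 7040,
     "UserID": "S-1-5-18",
     "EventData_Xml": _event_data("Windows Defender Antivirus Service", "auto start", "disabled", "WinDefend")},
    {"_time": "2024-03-01T10:05:00Z", "Computer": "WS01.example.test", "EventCode": 7040,
     "UserID": "S-1-5-18",
     "EventData_Xml": _event_data("Windows Defender Antivirus Service", "demand start", "disabled", "WinDefend")},
    {"_time": "2024-03-01T10:06:00Z", "Computer": "WS01.example.test", "EventCode": 7040,
     "UserID": "S-1-5-18",
     "EventData_Xml": _event_data("Windows Defender Advanced Threat Protection Service", "auto start", "disabled", "Sense")},
    # Reverse change: an admin re-enables a service. The raw "*disabled*" wildcard matches this too.
    {"_time": "2024-03-01T11:00:00Z", "Computer": "SRV02.example.test", "EventCode": 7040,
     "UserID": "S-1-5-21-1111-2222-3333-1001",
     "EventData_Xml": _event_data("Print Spooler", "disabled", "auto start", "Spooler")},
    # Unrelated event code (service state change); must be ignored.
    {"_time": "2024-03-01T11:01:00Z", "Computer": "SRV02.example.test", "EventCode": 7036,
     "UserID": "S-1-5-18",
     "EventData_Xml": "<EventData><Data Name='param1'>Print Spooler</Data><Data Name='param2'>running</Data></EventData>"},
]


def parse_event_data(xml_text):
    """Return {Data@Name: text} from an EventData fragment; tolerates the Windows event namespace."""
    root = ET.fromstring(xml_text)
    out = {}
    for node in root.iter():
        if node.tag.rsplit("}", 1)[-1] == "Data" and node.get("Name"):
            out[node.get("Name")] = node.text or ""
    return out


def raw_wildcard_match_count(events):
    """How many 7040 records the literal EventData_Xml="*disabled*" test would select."""
    return sum(1 for ev in events
               if ev["EventCode"] == 7040 and "disabled" in ev["EventData_Xml"].lower())


def detect_service_disabled(events):
    """Mirror the rule's stats clause, but only for changes whose NEW start type is disabled.

    Returns rows sorted by (dest, UserID, ServiceName) with count/firstTime/lastTime.
    """
    buckets = defaultdict(list)
    for ev in events:
        if ev["EventCode"] != 7040:
            continue
        data = parse_event_data(ev["EventData_Xml"])
        if data.get("param3", "").strip().lower() != "disabled":
            continue  # skips "from disabled to ..." re-enables that the wildcard would catch
        service = data.get("param4") or data.get("param1", "")
        buckets[(ev["Computer"], ev["UserID"], service)].append(ev["_time"])

    rows = []
    for (dest, user, service), times in sorted(buckets.items()):
        rows.append({"dest": dest, "UserID": user, "ServiceName": service,
                     "count": len(times), "firstTime": min(times), "lastTime": max(times)})
    return rows


if __name__ == "__main__":
    print("raw wildcard matches:", raw_wildcard_match_count(SAMPLE_EVENTS))
    for row in detect_service_disabled(SAMPLE_EVENTS):
        print(row)
```

On the constructed sample the literal wildcard selects four records, while keying on the new start type yields two aggregated rows (WinDefend twice, Sense once on WS01) and drops the Spooler re-enable on SRV02; that difference is what the `windows_event_for_service_disabled_filter` macro is there to tune in a real deployment.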