So if you're a Cyber Security Analyst, you should have heard about the supply chain hack!
If not, then this is a good read: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
After reading it, it was apparent that I could use this intel to do some monitoring with Splunk. (Oddly enough, at the same time FireEye, one of the best cyber security companies, was also hacked! Where do we go from here when they get hacked?)
Anyway, this blog is not going to run through the hack details, but to demonstrate how one could detect, using Splunk, that a Windows service has been disabled. That is what the malware tries to do based on various conditions: it is very stealthy, only runs after 12-14 days, avoids sandbox environments, and either way it tries to circumvent common security products such as Carbon Black and other AVs by disabling their Windows service.
Once this is successful, it starts to check for network connectivity for C2 operations, so by monitoring which services are being disabled one can hopefully detect bad stuff happening and respond quickly; time is key in cyber hacks.
The malware changes HKLM\SYSTEM\CurrentControlSet\services\<service_name>\Start to 4 (disabled) as one of its many functions.
Windows reference for the service Start value:
0 = Boot
1 = System
2 = Automatic
3 = Manual
4 = Disabled
So here's a very quick way of checking whether any services have been set to disabled.
We are going to use the Splunk Add-on for Microsoft Windows (Windows TA) https://splunkbase.splunk.com/app/742, which has a registry key change monitor as one of its inputs. The stanza below watches the Services hive for changes:
[WinRegMon://hklm_run]
disabled = 0
hive = \\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Services\\.*
proc = .*
type = set|create|delete|rename
index = windows
Once the data comes in, you can run a query like the one below:
index=windows sourcetype=WinRegistry action=modified object=start
| fields _time, action, event_status, object, object_path, registry_value_data, status, registry_value_type
| eval services_state = case(registry_value_data LIKE "%0x00000000(0)%", "boot", registry_value_data LIKE "%0x00000001(1)%", "system", registry_value_data LIKE "%0x00000002(2)%", "automatic", registry_value_data LIKE "%0x00000003(3)%", "manual", registry_value_data LIKE "%0x00000004(4)%", "disabled", true(), "Other")
| table _time, action, event_status, object, object_path, registry_value_data, status, registry_value_type, services_state
This gives you a table of Start value changes, one row per service, with the decoded start state in services_state.

From here you can run a timechart to see any services that get set to disabled, or set an alarm:
index=windows sourcetype=WinRegistry action=modified object=start
| fields _time, host, action, event_status, object, object_path, registry_value_data, status, registry_value_type
| eval services_state = case(registry_value_data LIKE "%0x00000000(0)%", "boot", registry_value_data LIKE "%0x00000001(1)%", "system", registry_value_data LIKE "%0x00000002(2)%", "automatic", registry_value_data LIKE "%0x00000003(3)%", "manual", registry_value_data LIKE "%0x00000004(4)%", "disabled", true(), "Other")
| search services_state=disabled
| timechart count by services_state span=1h

You can then set an alarm if you start to see the number of disabled services go up per host, etc.:
index=windows sourcetype=WinRegistry action=modified object=start
| fields _time, host, action, object, object_path, registry_value_data
| eval services_state = case(registry_value_data LIKE "%0x00000004(4)%", "disabled", true(), "Other")
| search services_state="disabled"
| stats count AS total_disable_services by host | where total_disable_services>0
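
The same decode-and-count logic as the queries above, as an added offline example (my own code, not part of the original post or the Windows TA), run over a few constructed WinRegistry-style events that use the post's field names; the hosts, service names and values are made up:

```python
import re
from collections import Counter

# Start value -> service state, per the Windows reference in the post.
START_STATES = {0: "boot", 1: "system", 2: "automatic", 3: "manual", 4: "disabled"}
# WinRegMon writes DWORD data as e.g. "0x00000004(4)"; capture the decimal in parentheses.
_DWORD_RE = re.compile(r"0x[0-9A-Fa-f]{8}\((\d+)\)")

def decode_start(value_data):
    """Return the service state for a registry_value_data string, 'Other' if unknown."""
    m = _DWORD_RE.search(value_data or "")
    return START_STATES.get(int(m.group(1)), "Other") if m else "Other"

def parse_event(line):
    """Parse one constructed key="value" event line into a dict of CIM-style fields."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))

def disabled_services(lines):
    """Mirror the SPL: keep Start modifications decoded as 'disabled', return (host, service)."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("action") != "modified" or ev.get("object", "").lower() != "start":
            continue
        if decode_start(ev.get("registry_value_data")) != "disabled":
            continue
        # object_path ends in ...\Services\<service_name>\Start
        service = ev.get("object_path", "").split("\\")[-2]
        hits.append((ev.get("host", "unknown"), service))
    return hits

def disabled_per_host(lines):
    """Per-host count of services set to disabled, like the `stats count by host` alert."""
    return dict(Counter(host for host, _ in disabled_services(lines)))

# Constructed sample events; not real telemetry.
SAMPLE_EVENTS = [
    'host="ws01" action="modified" object="Start" object_path="\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Services\\ExampleEDR\\Start" registry_value_data="0x00000004(4)"',
    'host="ws01" action="modified" object="Start" object_path="\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Services\\ExampleAV\\Start" registry_value_data="0x00000004(4)"',
    'host="ws02" action="modified" object="Start" object_path="\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Spooler\\Start" registry_value_data="0x00000003(3)"',
    'host="ws02" action="created" object="Start" object_path="\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Services\\NewSvc\\Start" registry_value_data="0x00000004(4)"',
]

if __name__ == "__main__":
    for host, svc in disabled_services(SAMPLE_EVENTS):
        print(f"{host}: {svc} set to disabled")
    print(disabled_per_host(SAMPLE_EVENTS))  # {'ws01': 2}
```

Note that, like the SPL, this only keeps action=modified, so a freshly created key already set to 4 (the last sample event) is not counted.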

There is still so much more you can do with Splunk, such as DNS monitoring (Splunk Stream), since DNS is commonly used for C2. This is just a small part to help with your cyber defence posture, so adapt this monitoring as you wish.
Done!