Attempt To Stop Security Service

Description

This search looks for attempts to stop security-related services on the endpoint.

Content Mapping



Use Case

Advanced Threat Detection

Category

Adversary Tactics

Alert Volume


SPL Difficulty

None

Journey

Stage 3

MITRE ATT&CK Tactics

Defense Evasion

MITRE ATT&CK Techniques

Impair Defenses

Disable or Modify Tools

MITRE Threat Groups

BRONZE BUTLER
FIN6
Gamaredon Group
Gorgon Group
Kimsuky
Lazarus Group
Night Dragon
Putter Panda
Rocke
Turla
Wizard Spider

Kill Chain Phases

Installation
Actions On Objectives

Data Sources

Endpoint Detection and Response


Attempt To Stop Security Service Help

You must be ingesting data that records file-system activity from your hosts to populate the Endpoint file-system data-model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data. The search ships with a lookup file, security_services.csv, that holds the list of services to monitor. You can edit this file directly where it lives, in $SPLUNK_HOME/etc/apps/DA-ESS-ContentUpdate/lookups, or through the Splunk console. Add the name of every service whose stoppage you want to detect, and surround each name with asterisks (*) so that it matches wherever the name appears in the command line an attacker might use.
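As an added illustration, not part of the Splunk content or this page, the following Python mimics how the asterisk-wrapped names in the lookup are matched against a process command line, and shows why a bare name without asterisks fails to match. The service names, CSV contents and process events are all constructed, and case-insensitive matching is a simplifying assumption of this example, not a statement about the real lookup's configuration.

```python
import csv
import io
import re

# Constructed stand-in for security_services.csv (hypothetical service names).
# Three names are wrapped in asterisks as the help text recommends; the last
# one is deliberately left bare to show the failure mode.
SECURITY_SERVICES_CSV = """service
*ExampleEDRSvc*
*ExampleAVSvc*
*ExampleSensorSvc*
ExampleAgentSvc
"""

# Constructed sample process events: (host, command line).
SAMPLE_EVENTS = [
    ("ws01", "sc stop ExampleEDRSvc"),
    ("ws02", "net stop exampleavsvc /y"),
    ("ws03", "sc stop ExampleAgentSvc"),   # bare lookup entry: not detected
    ("ws04", "net stop Spooler"),          # not a monitored service
]


def load_patterns(csv_text):
    """Return the non-empty service patterns from the lookup's 'service' column."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [r["service"].strip() for r in rows if r["service"].strip()]


def pattern_to_regex(pattern):
    """Translate a wildcard pattern (only '*' is special) into an anchored regex.
    The whole command line must match, so a name without asterisks only matches
    a command line that consists of exactly that name. Case-insensitive here
    by assumption."""
    parts = (re.escape(p) for p in pattern.split("*"))
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def find_stop_attempts(events, patterns):
    """Return (host, command_line, matched_pattern) for every event whose
    command line matches one of the lookup patterns (first match wins)."""
    compiled = [(p, pattern_to_regex(p)) for p in patterns]
    hits = []
    for host, cmdline in events:
        for pattern, rx in compiled:
            if rx.match(cmdline):
                hits.append((host, cmdline, pattern))
                break
    return hits


if __name__ == "__main__":
    for hit in find_stop_attempts(SAMPLE_EVENTS, load_patterns(SECURITY_SERVICES_CSV)):
        print(hit)
```

Matching on the service name alone will also flag commands that merely reference the service, so the real search should scope which process events it examines; this example reproduces only the lookup match described above.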
