Disabled Update Service

Description

Splunk can report the configured start mode of Windows services, which lets us find hosts where the Windows Update service (wuauserv) is disabled or otherwise not set to start automatically.


Use Case

Security Monitoring

Category

Endpoint Compromise

Security Impact

It is not uncommon for malware to disable or otherwise hamstring the Windows Update service, so that Microsoft can no longer deliver security fixes or the monthly Malicious Software Removal Tool to the host. Regardless of the cause, finding hosts that are not receiving updates should be a high priority, because they remain exposed to vulnerabilities that have already been patched everywhere else.

Alert Volume

Low (?)

SPL Difficulty

Basic

Journey

Stage 1

MITRE ATT&CK Tactics

Defense Evasion

MITRE ATT&CK Techniques

Disabling Security Tools

MITRE Threat Groups

Carbanak
Dragonfly 2.0
Gorgon Group
Kimsuky
Lazarus Group
Night Dragon
Putter Panda
Threat Group-3390
Turla

Data Sources

Endpoint Detection and Response

How to Implement

If you are using the Splunk Universal Forwarder for Windows with the WinHostMon://Service input configured, this search should work automatically. If you are using another source to collect service status, you may need to adjust the search string and field names to match your data source.

Known False Positives

No known false positives at this time. Note, however, that on Windows 10 and later the Windows Update service defaults to a Manual (trigger start) start mode rather than Automatic, so a search that flags every start mode other than Auto will match those hosts; restrict the condition to StartMode=Disabled where that is the case.

How To Respond

When Windows Update is disabled, the immediate question is why. Ask the user whether they disabled it, look for software installations around the same time that might have done it, and look for any errors or start-type changes related to the Windows Update service (service name wuauserv, hosted in svchost.exe; there is no wuauserv.exe).
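Two triage searches for the questions above, added here as an example and not part of the original page. They assume the classic WinEventLog:System and WinEventLog:Application sourcetypes with the standard SourceName, EventCode and Message fields. The Service Control Manager logs Event ID 7040 whenever a service's start type changes, with a message of the form "The start type of the Windows Update service was changed from auto start to disabled."; MsiInstaller logs Event ID 11707 when an installation completes successfully.

```spl
sourcetype="WinEventLog:System" SourceName="Service Control Manager" EventCode=7040 Message="*Windows Update service*"
| rex field=Message "changed from (?<old_start>.+?) to (?<new_start>.+?)\."
| table _time host old_start new_start Message
| sort - _time

sourcetype="WinEventLog:Application" SourceName=MsiInstaller EventCode=11707
| table _time host Message
| sort - _time
```

Run the first search over the host that alerted to find when the start type changed and what it changed from; then run the second over a window of a few hours either side of that timestamp to see whether an installer ran on the host at the same time. If the 7040 event is absent but the service is disabled, the change was most likely made through the registry or Group Policy rather than the Service Control Manager, which is itself worth noting in the incident record.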

Help

Disabled Update Service Help

This example leverages the Simple Search search assistant. Our example dataset is a collection of anonymized Windows service status logs (onboarded in accordance with our Data Onboarding Guides), during which someone does something bad. Our live search looks for the same behavior using the standard sourcetypes.

SPL for Disabled Update Service

Demo Data

First we bring in our basic demo dataset. This dataset includes service status reported via WinHostMon (a part of the Universal Forwarder). We're using a macro called Load_Sample_Log_Data to wrap around | inputlookup, just so it is cleaner for the demo data.
Then we search for events where the Windows Update service does not start automatically (StartMode is not Auto).
Here we use the stats command to calculate the earliest and the latest time that we have seen this combination of fields.
Next we calculate the most recent timestamp in our demo dataset, which stands in for "now".
We end by checking whether the earliest time we've seen this value is within the last day before the end of our demo dataset.

Live Data

First we bring in our basic dataset of service status reported via WinHostMon (a part of the Universal Forwarder). We also search for events where the Windows Update service does not start automatically (StartMode is not Auto).
Bucket (aliased to bin) allows us to group events based on _time, effectively flattening the actual _time value to the same day.
Stats summarizes the status across the entire environment for better performance.
Here we use the stats command to calculate the earliest and the latest time that we have seen this combination of fields.
We end by checking whether the earliest time we've seen this value is within the last day.
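The two searches as described in the Demo Data and Live Data steps above, written out here as an added example rather than the page's own SPL. They assume the WinHostMon Service fields as the Universal Forwarder emits them (Name, StartMode, State), that the live data is indexed with sourcetype WinHostMon and source Service, and that the argument to Load_Sample_Log_Data is a dataset name of your choosing; dataset_name below is a placeholder, not a real dataset.

```spl
sourcetype=WinHostMon source=Service Name=wuauserv StartMode!=Auto
| bucket _time span=1d
| stats count by _time host Name StartMode State
| stats earliest(_time) as earliest latest(_time) as latest values(StartMode) as StartMode values(State) as State by host Name
| where earliest >= relative_time(now(), "-1d@d")
| convert ctime(earliest) ctime(latest)

| `Load_Sample_Log_Data(dataset_name)`
| search Name=wuauserv StartMode!=Auto
| stats earliest(_time) as earliest latest(_time) as latest values(StartMode) as StartMode by host Name
| eventstats max(latest) as dataset_end
| where earliest >= relative_time(dataset_end, "-1d")
| convert ctime(earliest) ctime(latest) ctime(dataset_end)
```

The first search is the live version and the second the demo version; the only real differences are the data source and that the demo measures "within the last day" against the end of the sample data instead of against now(). Because the alert fires only when the earliest non-Auto sighting is recent, run the live search over a window considerably longer than one day (for example 30 days): if the search window is itself only 24 hours, every host with the service disabled appears to have been disabled "today" and the search degrades into an inventory of all non-Auto hosts. On Windows 10 and later, where the service defaults to Manual, replace StartMode!=Auto with StartMode=Disabled.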

Screenshot of Demo Data