Try in Splunk Security Cloud

Description

This analytic identifies the use of PowerShell's Start-Service or Stop-Service cmdlets on an endpoint. These cmdlets allow users to start or stop a specified Windows service. The ability to manipulate services can be leveraged by attackers to disable or stop critical services, which can cause system instability or disrupt business operations. By detecting the use of Start-Service or Stop-Service cmdlets via PowerShell, this analytic can help organizations identify potential malicious activity related to attackers attempting to manipulate services on compromised systems. However, note that this behavior may be noisy, as these cmdlets are commonly used by system administrators or other legitimate users to manage services. Therefore, it is recommended not to enable this analytic as a direct notable or TTP. Instead, it should be used as part of a broader set of security controls to detect and investigate potential threats.

  • Type: Anomaly
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud

  • Last Updated: 2023-03-24
  • Author: Michael Haag, Splunk
  • ID: 04207f8a-e08d-4ee6-be26-1e0c4488b04a

Annotations

ATT&CK

ATT&CK

ID Technique Tactic
T1059.001 PowerShell Execution
Kill Chain Phase
  • Installation
NIST
  • DE.AE
CIS20
  • CIS 10
CVE
1
2
3
4
5
`powershell` EventCode=4104 ScriptBlockText IN ("*start-service*", "*stop-service*") 
| stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `powershell_start_or_stop_service_filter`

Macros

The SPL above uses the following Macros:

:information_source: powershell_start_or_stop_service_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

  • _time
  • EventCode
  • ScriptBlockText
  • Computer

How To Implement

To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.

Known False Positives

This behavior may be noisy, as these cmdlets are commonly used by system administrators or other legitimate users to manage services. Therefore, it is recommended not to enable this analytic as a direct notable or TTP. Instead, it should be used as part of a broader set of security controls to detect and investigate potential threats.

Associated Analytic Story

RBA

Risk Score Impact Confidence Message
10.0 50 20 PowerShell was identified attempting to start or stop a service on $Computer$.

:information_source: The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1