From 710d621de042f31407aa8f0dcedba4e8bd7d7439 Mon Sep 17 00:00:00 2001
From: keyboardcrunch <40863898+keyboardcrunch@users.noreply.github.com>
Date: Fri, 18 Dec 2020 13:43:31 -0600
Subject: [PATCH] Create solarwinds_process_disabling_services.yml
---
.../solarwinds_process_disabling_services.yml | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
create mode 100644 queries/apt/solarwinds_process_disabling_services.yml
diff --git a/queries/apt/solarwinds_process_disabling_services.yml b/queries/apt/solarwinds_process_disabling_services.yml
new file mode 100644
index 0000000..9cba3bb
--- /dev/null
+++ b/queries/apt/solarwinds_process_disabling_services.yml
@@ -0,0 +1,18 @@
+title: SolarWinds Process Disabling Services
+description: Detect the modification of service start type by SolarWinds processes.
+author: keyboardcrunch
+date: 18/12/2020
+modified:
+mitre:
+ tactic: Defense Evasion
+ technique: T1562
+ subtechnique: 001
+operating_system: windows
+query: (RegistryKeyPath RegExp "\bMACHINE\\SYSTEM\\.*ControlSet.*\\Services\\.*\\Start" AND EventType = "Registry Value Modified") AND SrcProcName RegExp "(.*\.)?((SolarWinds.BusinessLayerHost.*|ConfigurationWizard.*|NetflowDatabasemaintenance.*|NetFlowService.*|SolarWinds.Administration.*|SolarWinds.Collector.Service.*|SolarwindsDiagnostics.*).exe)"
+false_positives:
+tags:
+ - UNC2452
+ - DarkHalo
+ - SolarWinds
+references:
+ - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
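Review bot: The SrcProcName pattern on the `query:` line is looser than the process list it encodes: the dots in `SolarWinds.BusinessLayerHost`, `SolarWinds.Collector.Service` and the trailing `.exe` are unescaped (each matches any character), every name carries a trailing `.*` and nothing is anchored, so the alternation also fires on any process name that merely contains one of these strings; the `(.*\.)?` prefix also looks like it was meant to allow a leading path separator (`\\`) rather than a literal dot, which is worth confirming against the platform's field semantics. Escaping the literal dots and dropping the per-name `.*`, e.g. `SrcProcName RegExp "(.*\\)?(SolarWinds\.BusinessLayerHost|ConfigurationWizard|NetflowDatabasemaintenance|NetFlowService|SolarWinds\.Administration|SolarWinds\.Collector\.Service|SolarwindsDiagnostics)\.exe"`, keeps the intended scope, and if the engine's RegExp is a search rather than a full match the expression should additionally be anchored with `^` and `$`. The `false_positives:` field is left empty although at least ConfigurationWizard presumably changes service start types during legitimate installs and upgrades; a one-line entry such as `- SolarWinds installation, upgrade or configuration wizard runs` would tell analysts what to exclude. The `date: 18/12/2020` value is ambiguous between day-first and month-first reading; ISO 8601 (`date: 2020-12-18`) avoids that.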