T1668 Exclusive Control Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let lookback = 24h;
let ExclusiveControlBehaviors =
// Pattern 1: Disabling vulnerable/competitor-used services by non-standard processes
DeviceProcessEvents
| where TimeGenerated > ago(lookback)
| where FileName in~ ("sc.exe", "net.exe", "net1.exe")
| where ProcessCommandLine has_any ("disable", "stop", "delete")
| where ProcessCommandLine has_any ("RemoteRegistry", "RemoteAccess", "RDP", "TermService", "wuauserv", "WinRM", "snmp", "telnet", "IISADMIN", "W3SVC", "SMB")
| where not(InitiatingProcessFileName in~ ("msiexec.exe", "TiWorker.exe", "TrustedInstaller.exe", "svchost.exe", "services.exe", "MpCmdRun.exe"))
| extend DetectionType = "ServiceDisable"
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName, DetectionType;
union
(
// Pattern 2: Inbound blocking firewall rules added by non-standard processes
DeviceProcessEvents
| where TimeGenerated > ago(lookback)
| where FileName =~ "netsh.exe"
| where ProcessCommandLine has "add rule" and ProcessCommandLine has_any ("dir=in", "direction=in") and ProcessCommandLine has "block"
| where not(InitiatingProcessFileName in~ ("msiexec.exe", "svchost.exe", "setup.exe", "WindowsDefender.exe", "MsMpEng.exe"))
| extend DetectionType = "FirewallInboundBlock"
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName, DetectionType
),
(
// Pattern 3: Process termination targeting known cryptominer or competitor malware names
DeviceProcessEvents
| where TimeGenerated > ago(lookback)
| where FileName in~ ("taskkill.exe", "tskill.exe", "kill.exe")
| where ProcessCommandLine has_any ("xmrig", "minerd", "cryptonight", "kinsing", "watchbog", "kthreaddi", "sysupdates", "update.sh", "networkmanager", "nssm", "sysrv", "masscan", "kerberods")
| extend DetectionType = "CompetitorMalwareKill"
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName, DetectionType
),
(
// Pattern 4: Privilege stripping — removing accounts from Administrators group
DeviceProcessEvents
| where TimeGenerated > ago(lookback)
| where FileName in~ ("net.exe", "net1.exe")
| where ProcessCommandLine has "localgroup" and ProcessCommandLine has "Administrators" and ProcessCommandLine has "/delete"
| where not(InitiatingProcessFileName in~ ("msiexec.exe", "dsregcmd.exe", "UserAccountControlSettings.exe"))
| extend DetectionType = "PrivilegeStripping"
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName, DetectionType
);
ExclusiveControlBehaviors
| summarize
    EventCount = count(),
    DetectionTypes = make_set(DetectionType),
    Commands = make_set(ProcessCommandLine),
    ParentProcesses = make_set(InitiatingProcessFileName),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by DeviceName, AccountName, bin(TimeGenerated, 1h)
| extend RiskScore = case(
    array_length(DetectionTypes) >= 2, "High",
    DetectionTypes has "CompetitorMalwareKill", "High",
    DetectionTypes has "PrivilegeStripping", "High",
    DetectionTypes has "FirewallInboundBlock", "Medium",
    "Low"
)
| where RiskScore in ("High", "Medium")
| project LastSeen, FirstSeen, DeviceName, AccountName, DetectionTypes, Commands, ParentProcesses, EventCount, RiskScore
| order by LastSeen desc

high severity medium confidence

Data Sources

Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Legitimate IT hardening scripts that disable unused services (RemoteRegistry, Telnet, SNMP) as part of CIS benchmark compliance
Security team firewall automation adding inbound block rules for known malicious IPs or ports as part of incident response
Endpoint security products (EDR, AV) that terminate known malicious processes during active remediation scans
Help desk administrators removing terminated employees from the local Administrators group during offboarding workflows
Patch management systems that stop services prior to applying Windows updates

Splunk

spl

index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval image_lower = lower(Image)
| eval cmdline_lower = lower(CommandLine)
| eval parent_lower = lower(ParentImage)
| eval detection_type = case(
    (image_lower LIKE "%\\sc.exe" OR image_lower LIKE "%\\net.exe" OR image_lower LIKE "%\\net1.exe")
        AND (cmdline_lower LIKE "%disable%" OR cmdline_lower LIKE "%stop%" OR cmdline_lower LIKE "%delete%")
        AND (cmdline_lower LIKE "%remote%" OR cmdline_lower LIKE "%rdp%" OR cmdline_lower LIKE "%winrm%" OR cmdline_lower LIKE "%smb%" OR cmdline_lower LIKE "%termservice%" OR cmdline_lower LIKE "%wuauserv%")
        AND NOT (parent_lower LIKE "%msiexec%" OR parent_lower LIKE "%tiworker%" OR parent_lower LIKE "%trustedinstaller%" OR parent_lower LIKE "%svchost%"),
    "ServiceDisable",
    image_lower LIKE "%\\netsh.exe"
        AND cmdline_lower LIKE "%add rule%"
        AND (cmdline_lower LIKE "%dir=in%" OR cmdline_lower LIKE "%direction=in%")
        AND cmdline_lower LIKE "%block%"
        AND NOT (parent_lower LIKE "%msiexec%" OR parent_lower LIKE "%svchost%"),
    "FirewallInboundBlock",
    (image_lower LIKE "%\\taskkill.exe" OR image_lower LIKE "%\\tskill.exe")
        AND (cmdline_lower LIKE "%xmrig%" OR cmdline_lower LIKE "%minerd%" OR cmdline_lower LIKE "%kinsing%" OR cmdline_lower LIKE "%watchbog%" OR cmdline_lower LIKE "%cryptonight%" OR cmdline_lower LIKE "%sysrv%" OR cmdline_lower LIKE "%masscan%"),
    "CompetitorMalwareKill",
    (image_lower LIKE "%\\net.exe" OR image_lower LIKE "%\\net1.exe")
        AND cmdline_lower LIKE "%localgroup%"
        AND cmdline_lower LIKE "%administrators%"
        AND cmdline_lower LIKE "%/delete%"
        AND NOT (parent_lower LIKE "%msiexec%" OR parent_lower LIKE "%dsregcmd%"),
    "PrivilegeStripping",
    1=1, null()
)
| where isnotnull(detection_type)
| eval user_account = coalesce(User, "unknown")
| eval parent_proc = coalesce(ParentImage, "unknown")
| stats
    count as event_count,
    values(detection_type) as detection_types,
    values(CommandLine) as commands,
    values(parent_proc) as parent_processes,
    min(_time) as first_seen,
    max(_time) as last_seen
    by host, user_account
| eval type_count = mvcount(detection_types)
| eval risk_score = case(
    type_count >= 2, "High",
    mvfind(detection_types, "CompetitorMalwareKill") >= 0, "High",
    mvfind(detection_types, "PrivilegeStripping") >= 0, "High",
    mvfind(detection_types, "FirewallInboundBlock") >= 0, "Medium",
    1=1, "Low"
)
| where risk_score="High" OR risk_score="Medium"
| convert ctime(first_seen) ctime(last_seen)
| table last_seen, host, user_account, detection_types, commands, parent_processes, event_count, risk_score
| sort - last_seen

high severity medium confidence

Data Sources

Sysmon

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Security hardening automation (Ansible, Chef, Puppet) disabling unnecessary services per CIS or STIG baselines
Incident response tooling that applies firewall blocks as containment during active investigations
Antivirus or EDR products terminating detected malicious processes during remediation — these will match on miner names if AV is cleaning infected hosts
Help desk scripts removing ex-employees from local admin groups as part of automated offboarding
Legitimate sysadmin activity on jump hosts where multiple administrative tools are run manually

Elastic Security (EQL)

eql

process where event.type == "start" and (
  process.name in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe") or
  process.parent.name in~ ("cmd.exe", "powershell.exe", "wscript.exe")
) and (
  process.command_line : ("*t1668*", "*suspicious*") or
  process.args : ("*encoded*", "*bypass*", "*hidden*")
) and not process.code_signature.trusted == true

high severity medium confidence

Data Sources

Elastic Endpoint Security Elastic Agent

Required Tables

logs-endpoint.events.process-* logs-system.security-*

False Positives

Legitimate IT hardening scripts that disable unused services (RemoteRegistry, Telnet, SNMP) as part of CIS benchmark compliance
Security team firewall automation adding inbound block rules for known malicious IPs or ports as part of incident response
Endpoint security products (EDR, AV) that terminate known malicious processes during active remediation scans

IBM QRadar (AQL)

sql

SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
    LOGSOURCENAME(logsourceid) AS LogSource,
    "username" AS AccountName,
    "CommandLine" AS CommandLine,
    "ParentProcessName" AS ParentProcess,
    "NewProcessName" AS ProcessName,
    CASE
        WHEN "CommandLine" ILIKE '%powershell%' AND "CommandLine" ILIKE '%-enc%' THEN 'EncodedCommand'
        WHEN "CommandLine" ILIKE '%bypass%' THEN 'ExecutionBypass'
        WHEN "CommandLine" ILIKE '%-noprofile%' THEN 'NoProfileExecution'
        ELSE 'SuspiciousProcess'
    END AS DetectionType,
    CASE
        WHEN "username" = 'SYSTEM' THEN 70
        WHEN "CommandLine" ILIKE '%bypass%' THEN 85
        ELSE 60
    END AS RiskScore
FROM events
WHERE
    LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Universal DSM')
    AND eventid IN (4688, 1)
    AND ("NewProcessName" ILIKE '%powershell.exe%'
        OR "NewProcessName" ILIKE '%cmd.exe%'
        OR "NewProcessName" ILIKE '%wscript.exe%'
        OR "NewProcessName" ILIKE '%cscript.exe%'
        OR "NewProcessName" ILIKE '%mshta.exe%')
    AND RiskScore >= 60
ORDER BY EventTime DESC
LAST 1 HOURS

high severity medium confidence

Data Sources

IBM QRadar SIEM Windows Security Events Endpoint Agent

Required Tables

events

False Positives

Legitimate IT hardening scripts that disable unused services (RemoteRegistry, Telnet, SNMP) as part of CIS benchmark compliance
Security team firewall automation adding inbound block rules for known malicious IPs or ports as part of incident response
Endpoint security products (EDR, AV) that terminate known malicious processes during active remediation scans

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon EventCode=1
| json auto
| where process_name in ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe")
| where process_cmdline matches /(-enc|-encodedcommand|-bypass|-hidden|invoke-expression|iex\s)/i
    OR process_cmdline matches /(http:\/\/|https:\/\/|ftp:\/\/)/i
| if(process_cmdline matches /-enc/i, "EncodedCommand",
    if(process_cmdline matches /-bypass/i, "BypassExecution",
    if(process_cmdline matches /(invoke-expression|iex)/i, "ScriptExecution",
    "SuspiciousProcess"))) as detection_type
| if(parent_process_name in ("w3wp.exe","httpd.exe","nginx.exe"), 95,
    if(process_cmdline matches /-enc/i, 85,
    if(process_cmdline matches /-bypass/i, 75, 60))) as risk_score
| where risk_score >= 60
| count by host, user, process_name, process_cmdline, parent_process_name, detection_type, risk_score
| sort - risk_score

high severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Windows Event Logs Endpoint Telemetry

Required Tables

_sourceCategory=windows/sysmon OR _sourceCategory=endpoint/process

False Positives

Legitimate IT hardening scripts that disable unused services (RemoteRegistry, Telnet, SNMP) as part of CIS benchmark compliance
Security team firewall automation adding inbound block rules for known malicious IPs or ports as part of incident response
Endpoint security products (EDR, AV) that terminate known malicious processes during active remediation scans

Google Chronicle / SecOps

yaral

rule detection_t1668 {
  meta:
    author = "Argus Detection Platform"
    description = "Detects Exclusive Control - T1668"
    severity = "HIGH"
    mitre_attack = "T1668"
    reference = "https://attack.mitre.org/techniques/T1668/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    $e.target.process.file.full_path = $process_path
    $e.target.process.command_line = $cmdline
    (
      re.regex($e.target.process.file.full_path, `(?i)(powershell|cmd|wscript|cscript|mshta|rundll32)\.exe$`) and
      (
        re.regex($e.target.process.command_line, `(?i)-enc(odedcommand)?`) or
        re.regex($e.target.process.command_line, `(?i)-bypass`) or
        re.regex($e.target.process.command_line, `(?i)(invoke-expression|iex\s)`) or
        re.regex($e.target.process.command_line, `(?i)http://`)
      )
    )
    not re.regex($e.principal.process.file.full_path, `(?i)(trustedinstaller|msiexec|svchost)`)

  condition:
    $e
}

high severity medium confidence

Data Sources

Windows EDR CrowdStrike Falcon Carbon Black

Required Tables

PROCESS_LAUNCH

False Positives

Legitimate IT hardening scripts that disable unused services (RemoteRegistry, Telnet, SNMP) as part of CIS benchmark compliance
Security team firewall automation adding inbound block rules for known malicious IPs or ports as part of incident response
Endpoint security products (EDR, AV) that terminate known malicious processes during active remediation scans

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| ImageFileName = /(?i)(powershell|cmd|wscript|cscript|mshta|rundll32)\.exe$/
| CommandLine = /(?i)(-enc(odedcommand)?|-bypass|-noprofile|invoke-expression|iex\s|http:\/\/)/
| case {
    CommandLine = /(?i)-enc(odedcommand)?/ | DetectionType := "EncodedCommand" ;
    CommandLine = /(?i)-bypass/ | DetectionType := "BypassExecution" ;
    CommandLine = /(?i)(invoke-expression|iex\s)/ | DetectionType := "ScriptExecution" ;
    * | DetectionType := "SuspiciousProcess"
}
| case {
    ParentBaseFileName = /(?i)(w3wp|httpd|nginx|php-cgi)\.exe/ | RiskScore := "Critical" ;
    CommandLine = /(?i)-enc/ | RiskScore := "High" ;
    * | RiskScore := "Medium"
}
| table([ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, DetectionType, RiskScore, ProcessId, ParentProcessId])
| sort(RiskScore, order=desc, limit=100)

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Protection

Required Tables

ProcessRollup2 SyntheticProcessRollup2

False Positives

Legitimate IT hardening scripts that disable unused services (RemoteRegistry, Telnet, SNMP) as part of CIS benchmark compliance
Security team firewall automation adding inbound block rules for known malicious IPs or ports as part of incident response
Endpoint security products (EDR, AV) that terminate known malicious processes during active remediation scans

Exclusive Control

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Persistence

Popular Detections