Detect Exclusive Control in Microsoft Sentinel
This detection identifies adversary behaviors consistent with T1668 Exclusive Control, where a threat actor attempts to maintain sole access to a compromised system by eliminating competition. Detection focuses on four primary behavioral clusters: (1) disabling vulnerable services via sc.exe or net.exe by non-standard parent processes, (2) adding inbound-blocking firewall rules via netsh.exe outside of legitimate administrative context, (3) mass process termination targeting known malware or cryptominer process names suggestive of competitor eviction, and (4) privilege stripping from local administrator accounts to prevent other actors from using those credentials. These behaviors are particularly associated with ransomware groups, initial access brokers protecting their footholds, and cryptomining malware that aggressively kills competing miners.
MITRE ATT&CK
- Tactic
- Persistence
- Technique
- T1668 Exclusive Control
- Canonical reference
- https://attack.mitre.org/techniques/T1668/
KQL Detection Query
let lookback = 24h;
let ExclusiveControlBehaviors =
// Pattern 1: Disabling vulnerable/competitor-used services by non-standard processes
DeviceProcessEvents
| where TimeGenerated > ago(lookback)
| where FileName in~ ("sc.exe", "net.exe", "net1.exe")
| where ProcessCommandLine has_any ("disable", "stop", "delete")
| where ProcessCommandLine has_any ("RemoteRegistry", "RemoteAccess", "RDP", "TermService", "wuauserv", "WinRM", "snmp", "telnet", "IISADMIN", "W3SVC", "SMB")
| where not(InitiatingProcessFileName in~ ("msiexec.exe", "TiWorker.exe", "TrustedInstaller.exe", "svchost.exe", "services.exe", "MpCmdRun.exe"))
| extend DetectionType = "ServiceDisable"
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName, DetectionType;
union
(
// Pattern 2: Inbound blocking firewall rules added by non-standard processes
DeviceProcessEvents
| where TimeGenerated > ago(lookback)
| where FileName =~ "netsh.exe"
| where ProcessCommandLine has "add rule" and ProcessCommandLine has_any ("dir=in", "direction=in") and ProcessCommandLine has "block"
| where not(InitiatingProcessFileName in~ ("msiexec.exe", "svchost.exe", "setup.exe", "WindowsDefender.exe", "MsMpEng.exe"))
| extend DetectionType = "FirewallInboundBlock"
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName, DetectionType
),
(
// Pattern 3: Process termination targeting known cryptominer or competitor malware names
DeviceProcessEvents
| where TimeGenerated > ago(lookback)
| where FileName in~ ("taskkill.exe", "tskill.exe", "kill.exe")
| where ProcessCommandLine has_any ("xmrig", "minerd", "cryptonight", "kinsing", "watchbog", "kthreaddi", "sysupdates", "update.sh", "networkmanager", "nssm", "sysrv", "masscan", "kerberods")
| extend DetectionType = "CompetitorMalwareKill"
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName, DetectionType
),
(
// Pattern 4: Privilege stripping — removing accounts from Administrators group
DeviceProcessEvents
| where TimeGenerated > ago(lookback)
| where FileName in~ ("net.exe", "net1.exe")
| where ProcessCommandLine has "localgroup" and ProcessCommandLine has "Administrators" and ProcessCommandLine has "/delete"
| where not(InitiatingProcessFileName in~ ("msiexec.exe", "dsregcmd.exe", "UserAccountControlSettings.exe"))
| extend DetectionType = "PrivilegeStripping"
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName, DetectionType
);
ExclusiveControlBehaviors
| summarize
EventCount = count(),
DetectionTypes = make_set(DetectionType),
Commands = make_set(ProcessCommandLine),
ParentProcesses = make_set(InitiatingProcessFileName),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by DeviceName, AccountName, bin(TimeGenerated, 1h)
| extend RiskScore = case(
array_length(DetectionTypes) >= 2, "High",
DetectionTypes has "CompetitorMalwareKill", "High",
DetectionTypes has "PrivilegeStripping", "High",
DetectionTypes has "FirewallInboundBlock", "Medium",
"Low"
)
| where RiskScore in ("High", "Medium")
| project LastSeen, FirstSeen, DeviceName, AccountName, DetectionTypes, Commands, ParentProcesses, EventCount, RiskScore
| order by LastSeen descDetects four behavioral clusters associated with T1668 Exclusive Control: (1) disabling vulnerable services (RemoteRegistry, RDP, WinRM, SMB) via sc.exe/net.exe outside legitimate admin contexts, (2) adding inbound-blocking firewall rules via netsh.exe by non-standard parent processes, (3) taskkill targeting known cryptominer and competing malware process names, and (4) removal of accounts from the local Administrators group to prevent credential reuse by competitors. Results are aggregated per host/hour with a risk score elevated when multiple patterns co-occur.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate IT hardening scripts that disable unused services (RemoteRegistry, Telnet, SNMP) as part of CIS benchmark compliance
- Security team firewall automation adding inbound block rules for known malicious IPs or ports as part of incident response
- Endpoint security products (EDR, AV) that terminate known malicious processes during active remediation scans
- Help desk administrators removing terminated employees from the local Administrators group during offboarding workflows
- Patch management systems that stop services prior to applying Windows updates
Other platforms for T1668
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Service Disable via sc.exe (Simulating Exclusive Control of Entry Vector)
Expected signal: Sysmon Event ID 1: sc.exe with CommandLine containing 'stop WinRM' and 'config WinRM start= disabled'. Windows Event ID 7036: WinRM service entered stopped state. Windows Event ID 7040: Start type of WinRM service changed from auto to disabled.
- Test 2Inbound Firewall Block Rule Addition (Simulating Port Blocking for Competitor Lockout)
Expected signal: Sysmon Event ID 1: netsh.exe with CommandLine containing 'add rule', 'dir=in', 'action=block'. Windows Firewall audit log entry showing new inbound DROP rule creation.
- Test 3Simulated Competitor Process Termination (Cryptominer Name)
Expected signal: Sysmon Event ID 1: taskkill.exe with CommandLine '/f /im xmrig.exe'. Sysmon Event ID 5 (ProcessTerminate) for the xmrig.exe process. Parent process of taskkill.exe will be cmd.exe.
- Test 4Privilege Stripping — Remove Account from Local Administrators
Expected signal: Sysmon Event ID 1 for net.exe with CommandLine 'localgroup Administrators AtomicTestUser /delete'. Windows Security Event ID 4733 (member removed from security-enabled local group). Security Event ID 4720 and 4726 for account creation and deletion.
References (6)
- https://attack.mitre.org/techniques/T1668/
- https://www.mandiant.com/resources/blog/initial-access-brokers-and-the-underground-economy
- https://news.sophos.com/en-us/2023/03/09/multiple-attackers-a-blessing-or-a-curse/
- https://www.aquasec.com/blog/threat-alert-new-campaign-against-postgres-databases/
- https://cert.at/en/warnungen/2025/1/fortinet-ransomware-angreifer-missbrauchen-cve-2024-55591
- https://www.f-secure.com/v-descs/netsky.shtml
Unlock Pro Content
Get the full detection package for T1668 including response playbook, investigation guide, and atomic red team tests.