T1668 Splunk · SPL

Detect Exclusive Control in Splunk

This detection identifies adversary behaviors consistent with T1668 Exclusive Control, where a threat actor attempts to maintain sole access to a compromised system by eliminating competition. Detection focuses on four primary behavioral clusters: (1) disabling vulnerable services via sc.exe or net.exe by non-standard parent processes, (2) adding inbound-blocking firewall rules via netsh.exe outside of legitimate administrative context, (3) mass process termination targeting known malware or cryptominer process names suggestive of competitor eviction, and (4) privilege stripping from local administrator accounts to prevent other actors from using those credentials. These behaviors are particularly associated with ransomware groups, initial access brokers protecting their footholds, and cryptomining malware that aggressively kills competing miners.

MITRE ATT&CK

Tactic
Persistence
Technique
T1668 Exclusive Control
Canonical reference
https://attack.mitre.org/techniques/T1668/

SPL Detection Query

Splunk (SPL)
index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval image_lower = lower(Image)
| eval cmdline_lower = lower(CommandLine)
| eval parent_lower = lower(ParentImage)
| eval detection_type = case(
    (image_lower LIKE "%\\sc.exe" OR image_lower LIKE "%\\net.exe" OR image_lower LIKE "%\\net1.exe")
        AND (cmdline_lower LIKE "%disable%" OR cmdline_lower LIKE "%stop%" OR cmdline_lower LIKE "%delete%")
        AND (cmdline_lower LIKE "%remote%" OR cmdline_lower LIKE "%rdp%" OR cmdline_lower LIKE "%winrm%" OR cmdline_lower LIKE "%smb%" OR cmdline_lower LIKE "%termservice%" OR cmdline_lower LIKE "%wuauserv%")
        AND NOT (parent_lower LIKE "%msiexec%" OR parent_lower LIKE "%tiworker%" OR parent_lower LIKE "%trustedinstaller%" OR parent_lower LIKE "%svchost%"),
    "ServiceDisable",
    image_lower LIKE "%\\netsh.exe"
        AND cmdline_lower LIKE "%add rule%"
        AND (cmdline_lower LIKE "%dir=in%" OR cmdline_lower LIKE "%direction=in%")
        AND cmdline_lower LIKE "%block%"
        AND NOT (parent_lower LIKE "%msiexec%" OR parent_lower LIKE "%svchost%"),
    "FirewallInboundBlock",
    (image_lower LIKE "%\\taskkill.exe" OR image_lower LIKE "%\\tskill.exe")
        AND (cmdline_lower LIKE "%xmrig%" OR cmdline_lower LIKE "%minerd%" OR cmdline_lower LIKE "%kinsing%" OR cmdline_lower LIKE "%watchbog%" OR cmdline_lower LIKE "%cryptonight%" OR cmdline_lower LIKE "%sysrv%" OR cmdline_lower LIKE "%masscan%"),
    "CompetitorMalwareKill",
    (image_lower LIKE "%\\net.exe" OR image_lower LIKE "%\\net1.exe")
        AND cmdline_lower LIKE "%localgroup%"
        AND cmdline_lower LIKE "%administrators%"
        AND cmdline_lower LIKE "%/delete%"
        AND NOT (parent_lower LIKE "%msiexec%" OR parent_lower LIKE "%dsregcmd%"),
    "PrivilegeStripping",
    1=1, null()
)
| where isnotnull(detection_type)
| eval user_account = coalesce(User, "unknown")
| eval parent_proc = coalesce(ParentImage, "unknown")
| stats
    count as event_count,
    values(detection_type) as detection_types,
    values(CommandLine) as commands,
    values(parent_proc) as parent_processes,
    min(_time) as first_seen,
    max(_time) as last_seen
    by host, user_account
| eval type_count = mvcount(detection_types)
| eval risk_score = case(
    type_count >= 2, "High",
    mvfind(detection_types, "CompetitorMalwareKill") >= 0, "High",
    mvfind(detection_types, "PrivilegeStripping") >= 0, "High",
    mvfind(detection_types, "FirewallInboundBlock") >= 0, "Medium",
    1=1, "Low"
)
| where risk_score="High" OR risk_score="Medium"
| convert ctime(first_seen) ctime(last_seen)
| table last_seen, host, user_account, detection_types, commands, parent_processes, event_count, risk_score
| sort - last_seen
Severity: High
Confidence: Medium

Detects T1668 Exclusive Control patterns in Sysmon Event ID 1 (process creation) logs. Identifies service disabling, inbound firewall blocking rules, mass termination of competitor malware process names, and privilege stripping from the local Administrators group. Results are aggregated per host and user account, with the risk score elevated when multiple behavioral patterns occur on the same system.
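To check how the four case() branches, the parent-process exclusions and the risk scoring combine before the query is deployed, the logic can be re-implemented offline and run over sample events. The following is an added example, not code from the detection page or from Splunk; it mirrors the SPL clauses above in Python and runs them over constructed Sysmon Event ID 1 records (dicts using the same field names the query reads: Image, CommandLine, ParentImage, User, host). The sample events are constructed here and modelled on the expected signals in the Testing Methodology section, plus a look-alike with an installer parent that the exclusions should drop.

```python
"""Offline re-implementation of the T1668 SPL detection logic (added example)."""
from collections import defaultdict

# Parent processes the query treats as legitimate servicing/installers
# (mirrors the NOT (parent_lower LIKE ...) clauses of each branch).
SERVICE_PARENT_EXCLUSIONS = ("msiexec", "tiworker", "trustedinstaller", "svchost")
FIREWALL_PARENT_EXCLUSIONS = ("msiexec", "svchost")
PRIVSTRIP_PARENT_EXCLUSIONS = ("msiexec", "dsregcmd")

SERVICE_VERBS = ("disable", "stop", "delete")
ENTRY_SERVICES = ("remote", "rdp", "winrm", "smb", "termservice", "wuauserv")
COMPETITOR_NAMES = ("xmrig", "minerd", "kinsing", "watchbog", "cryptonight", "sysrv", "masscan")


def _basename_is(image, *names):
    """SPL '%\\sc.exe' matches on the trailing path component."""
    return any(image.endswith("\\" + n) for n in names)


def classify(event):
    """Return the detection_type the SPL case() would assign, or None."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    parent = event.get("ParentImage", "").lower()

    if (_basename_is(image, "sc.exe", "net.exe", "net1.exe")
            and any(v in cmd for v in SERVICE_VERBS)
            and any(s in cmd for s in ENTRY_SERVICES)
            and not any(p in parent for p in SERVICE_PARENT_EXCLUSIONS)):
        return "ServiceDisable"
    if (_basename_is(image, "netsh.exe")
            and "add rule" in cmd
            and ("dir=in" in cmd or "direction=in" in cmd)
            and "block" in cmd
            and not any(p in parent for p in FIREWALL_PARENT_EXCLUSIONS)):
        return "FirewallInboundBlock"
    if (_basename_is(image, "taskkill.exe", "tskill.exe")
            and any(n in cmd for n in COMPETITOR_NAMES)):
        return "CompetitorMalwareKill"
    if (_basename_is(image, "net.exe", "net1.exe")
            and "localgroup" in cmd and "administrators" in cmd and "/delete" in cmd
            and not any(p in parent for p in PRIVSTRIP_PARENT_EXCLUSIONS)):
        return "PrivilegeStripping"
    return None


def risk_score(detection_types):
    """Mirror the SPL risk_score case(): two or more clusters, or either of the
    two strongest single clusters, is High; a firewall block alone is Medium."""
    types = set(detection_types)
    if len(types) >= 2 or "CompetitorMalwareKill" in types or "PrivilegeStripping" in types:
        return "High"
    if "FirewallInboundBlock" in types:
        return "Medium"
    return "Low"


def aggregate(events):
    """stats ... by host, user_account, then drop Low-risk groups (the final where)."""
    groups = defaultdict(list)
    for ev in events:
        dtype = classify(ev)
        if dtype is None:
            continue
        key = (ev.get("host", "unknown"), ev.get("User") or "unknown")  # coalesce(User, "unknown")
        groups[key].append((dtype, ev))
    results = {}
    for (host, user), hits in groups.items():
        types = sorted({d for d, _ in hits})
        score = risk_score(types)
        if score == "Low":
            continue
        results[(host, user)] = {
            "event_count": len(hits),
            "detection_types": types,
            "commands": sorted({ev["CommandLine"] for _, ev in hits}),
            "risk_score": score,
        }
    return results


# Constructed sample events (not real telemetry), modelled on the Testing
# Methodology signals; WS02 is a look-alike with an installer parent.
SAMPLE_EVENTS = [
    {"host": "WS01", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\sc.exe",
     "CommandLine": "sc.exe config WinRM start= disabled", "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"host": "WS01", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\taskkill.exe",
     "CommandLine": "taskkill /f /im xmrig.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"host": "WS02", "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\netsh.exe",
     "CommandLine": "netsh advfirewall firewall add rule name=x dir=in action=block localport=3389",
     "ParentImage": "C:\\Windows\\System32\\msiexec.exe"},  # installer parent: excluded
    {"host": "WS03", "User": "CORP\\helpdesk", "Image": "C:\\Windows\\System32\\net1.exe",
     "CommandLine": "net1 localgroup Administrators olduser /delete", "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"host": "WS04", "User": "CORP\\admin", "Image": "C:\\Windows\\System32\\netsh.exe",
     "CommandLine": "netsh advfirewall firewall add rule name=y dir=in action=block remoteip=203.0.113.5",
     "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
]

if __name__ == "__main__":
    for key, row in sorted(aggregate(SAMPLE_EVENTS).items()):
        print(key, row["risk_score"], row["detection_types"], row["event_count"])
```

Running it shows WS01 scored High from two clusters on one host/user pair, WS03 High from privilege stripping alone, WS04 Medium from a single inbound block, and WS02 absent because the msiexec parent is excluded. The exclusion tuples are the place to encode the tuning cases listed under False Positives (for instance the parent image of a configuration-management agent), and changing them here and re-running is a quick way to confirm a tuning change does not suppress the true-positive samples.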

Data Sources

Sysmon

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Security hardening automation (Ansible, Chef, Puppet) disabling unnecessary services per CIS or STIG baselines
  • Incident response tooling that applies firewall blocks as containment during active investigations
  • Antivirus or EDR products terminating detected malicious processes during remediation — these will match on miner names if AV is cleaning infected hosts
  • Help desk scripts removing ex-employees from local admin groups as part of automated offboarding
  • Legitimate sysadmin activity on jump hosts where multiple administrative tools are run manually

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behavior to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Service Disable via sc.exe (Simulating Exclusive Control of Entry Vector)

    Expected signal: Sysmon Event ID 1: sc.exe with CommandLine containing 'stop WinRM' and 'config WinRM start= disabled'. Windows Event ID 7036: WinRM service entered stopped state. Windows Event ID 7040: Start type of WinRM service changed from auto to disabled.

  2. Test 2: Inbound Firewall Block Rule Addition (Simulating Port Blocking for Competitor Lockout)

    Expected signal: Sysmon Event ID 1: netsh.exe with CommandLine containing 'add rule', 'dir=in', 'action=block'. Windows Firewall audit log entry showing new inbound DROP rule creation.

  3. Test 3: Simulated Competitor Process Termination (Cryptominer Name)

    Expected signal: Sysmon Event ID 1: taskkill.exe with CommandLine '/f /im xmrig.exe'. Sysmon Event ID 5 (ProcessTerminate) for the xmrig.exe process. Parent process of taskkill.exe will be cmd.exe.

  4. Test 4: Privilege Stripping — Remove Account from Local Administrators

    Expected signal: Sysmon Event ID 1 for net.exe with CommandLine 'localgroup Administrators AtomicTestUser /delete'. Windows Security Event ID 4733 (member removed from security-enabled local group). Security Event IDs 4720 and 4726 for creation and deletion of the test account.
