title: Exclusive Control (T1668)
id: df00tech-t1668
status: experimental
description: "This detection identifies adversary behaviors consistent with T1668 Exclusive Control, where a threat actor attempts to maintain sole access to a compromised system by eliminating competition. Detection focuses on four primary behavioral clusters: (1) disabling vulnerable services via sc.exe or net.exe by non-standard parent processes, (2) adding inbound-blocking firewall rules via netsh.exe outside of legitimate administrative context, (3) mass process termination targeting known malware or cryptominer process names suggestive of competitor eviction, and (4) privilege stripping from local administrator accounts to prevent other actors from using those credentials. These behaviors are particularly associated with ransomware groups, initial access brokers protecting their footholds, and cryptomining malware that aggressively kills competing miners."
references:
  - https://attack.mitre.org/techniques/T1668/
  - https://df00tech.com/detections/T1668
author: df00tech
date: 2026/03/20
tags:
  - attack.t1668
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate IT hardening scripts that disable unused services (RemoteRegistry, Telnet, SNMP) as part of CIS benchmark compliance"
  - Security team firewall automation adding inbound block rules for known malicious IPs or ports as part of incident response
  - "Endpoint security products (EDR, AV) that terminate known malicious processes during active remediation scans"
  - Help desk administrators removing terminated employees from the local Administrators group during offboarding workflows
  - Patch management systems that stop services prior to applying Windows updates
level: high
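The four behavioral clusters named in the description, as an added Python example that is not part of the df00tech rule or its KQL/SPL query: it classifies constructed Sysmon-style process_creation events into clusters (1)-(4) and alerts on miner kills only once a host crosses a count threshold, so a single EDR remediation kill does not fire. The parent-process allowlist, the competitor-miner names and the kill threshold are assumptions to tune per environment.

```python
import re
from collections import Counter

LEGIT_PARENTS = {"services.exe", "ccmexec.exe"}  # assumed allowlist for hardening/patch agents
MINER_NAMES = {"xmrig.exe", "minerd.exe"}       # assumed competitor-miner names (use local intel)
SYS32 = r"C:\Windows\System32"

def ev(host, image, cmdline, parent):
    # Minimal Sysmon-style process_creation event (constructed sample data)
    return {"Host": host, "Image": image, "CommandLine": cmdline, "ParentImage": parent}

def classify(event):
    # Map one event to a T1668 cluster name, or None when it matches nothing
    img = event["Image"].rsplit("\\", 1)[-1].lower()
    cmd = " ".join(event["CommandLine"].lower().split())
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    if img in {"sc.exe", "net.exe", "net1.exe"} and re.search(r"\b(stop|start= ?disabled)\b", cmd):
        return None if parent in LEGIT_PARENTS else "service_disable"      # cluster 1
    if img == "netsh.exe" and all(k in cmd for k in ("firewall", "dir=in", "action=block")):
        return None if parent in LEGIT_PARENTS else "inbound_block_rule"   # cluster 2
    if img == "taskkill.exe" and any(n in cmd for n in MINER_NAMES):
        return "competitor_kill"                                           # cluster 3 (aggregated)
    if img in {"net.exe", "net1.exe"} and "localgroup administrators" in cmd and "/delete" in cmd:
        return "admin_strip"                                               # cluster 4
    return None

def detect(events, kill_threshold=3):
    # Single events alert directly; miner kills alert only once a host reaches the threshold
    alerts, kills = set(), Counter()
    for e in events:
        cluster = classify(e)
        if cluster == "competitor_kill":
            kills[e["Host"]] += 1
        elif cluster:
            alerts.add((e["Host"], cluster))
    alerts |= {(h, "competitor_kill") for h, n in kills.items() if n >= kill_threshold}
    return sorted(alerts)

SAMPLE_EVENTS = [  # constructed sample events, not taken from any real host
    ev("WS01", SYS32 + r"\sc.exe", "sc config RemoteRegistry start= disabled", r"C:\Users\Public\upd.exe"),
    ev("WS01", SYS32 + r"\net.exe", "net stop Telnet", SYS32 + r"\ccmexec.exe"),  # patch agent: benign
    ev("WS01", SYS32 + r"\netsh.exe", 'netsh advfirewall firewall add rule name="x" dir=in action=block protocol=TCP localport=445', SYS32 + r"\cmd.exe"),
    ev("WS01", SYS32 + r"\taskkill.exe", "taskkill /f /im xmrig.exe", SYS32 + r"\cmd.exe"),
    ev("WS01", SYS32 + r"\taskkill.exe", "taskkill /f /im minerd.exe", SYS32 + r"\cmd.exe"),
    ev("WS01", SYS32 + r"\taskkill.exe", "taskkill /f /im xmrig.exe", SYS32 + r"\cmd.exe"),
    ev("WS02", SYS32 + r"\taskkill.exe", "taskkill /f /im xmrig.exe", SYS32 + r"\cmd.exe"),  # below threshold
    ev("WS01", SYS32 + r"\net.exe", "net localgroup Administrators backup-adm /delete", SYS32 + r"\cmd.exe"),
]

if __name__ == "__main__":
    for host, cluster in detect(SAMPLE_EVENTS):
        print(f"{host}: {cluster}")
```

The `net stop Telnet` event parented by the patch agent is deliberately included to show the allowlist absorbing the "patch management systems that stop services" false positive listed above.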
