T1489

Service Stop

Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment. Adversaries commonly target backup services, security solutions (AV/EDR), database engines (SQL Server, Exchange, MySQL), and VSS to eliminate recovery options before deploying ransomware or wipers. Methods include sc.exe stop/config, net stop, PowerShell Stop-Service/Set-Service, taskkill against service host processes, and on ESXi, esxcli vm process kill.

Microsoft Sentinel / Defender

kusto

let TargetedServices = dynamic([
  // Backup and recovery
  "vss", "VSS", "wbengine", "SDRSVC", "VeeamBackupSvc", "VeeamTransportSvc",
  "AcronisAgent", "BackupExecAgentAccelerator", "BackupExecAgentBrowser",
  "BackupExecDeviceMediaService", "BackupExecJobEngine", "BackupExecManagementService",
  "BackupExecRPCService", "SQLBackupMon",
  // Security / AV / EDR
  "WinDefend", "MsMpSvc", "SecurityHealthService", "Sense", "WdNisSvc",
  "CrowdStrike", "CSAgent", "CSFalconService", "McShield", "McTaskManager",
  "MfeEERM", "mfemms", "mfevtp", "SAVService", "SepMasterService",
  "Symantec", "SNAC", "TmCCSF", "SentinelAgent", "CarbonBlack",
  // Database and email
  "MSSQLSERVER", "MSSQL$", "SQLWriter", "SQLSERVERAGENT", "MsDtsServer",
  "ReportServer", "MSSQLFDLauncher", "MySQL", "OracleService",
  "MSExchangeIS", "MSExchangeTransport", "MSExchangeEdgeSync",
  "MSExchangeFDS", "MSExchangeMailboxAssistants", "MSExchangeRPC",
  "MSExchangeSA", "MSExchangeThrottling",
  // IT infrastructure
  "IISADMIN", "W3SVC", "WAS"
]);
let StopCommands = dynamic([
  "stop ", "config ", "delete ", "/stop", "/im"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("sc.exe", "net.exe", "net1.exe", "taskkill.exe", "powershell.exe", "pwsh.exe", "wmic.exe")
| where ProcessCommandLine has_any (TargetedServices)
    or (
        (FileName in~ ("sc.exe") and ProcessCommandLine has_any ("stop", "config", "delete"))
        or (FileName in~ ("net.exe", "net1.exe") and ProcessCommandLine has "stop")
        or (FileName in~ ("taskkill.exe") and ProcessCommandLine has "/f")
        or (FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any ("Stop-Service", "Set-Service", "sc.exe stop", "sc stop"))
        or (FileName in~ ("wmic.exe") and ProcessCommandLine has_any ("service", "call", "stopservice", "ChangeStartMode"))
    )
| extend StopMethod = case(
    FileName in~ ("sc.exe") and ProcessCommandLine has "stop", "sc stop",
    FileName in~ ("sc.exe") and ProcessCommandLine has "config" and ProcessCommandLine has "disabled", "sc disable",
    FileName in~ ("sc.exe") and ProcessCommandLine has "delete", "sc delete",
    FileName in~ ("net.exe", "net1.exe") and ProcessCommandLine has "stop", "net stop",
    FileName in~ ("taskkill.exe"), "taskkill",
    FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has "Stop-Service", "PowerShell Stop-Service",
    FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has "Set-Service", "PowerShell Set-Service",
    FileName in~ ("wmic.exe"), "WMIC service call",
    "other"
  )
| extend TargetsSecurityService = ProcessCommandLine has_any ("WinDefend", "MsMpSvc", "Sense", "CrowdStrike", "CSFalconService", "SentinelAgent", "CarbonBlack", "McShield", "SAVService", "SepMasterService", "WdNisSvc", "SecurityHealthService")
| extend TargetsBackupService = ProcessCommandLine has_any ("vss", "VSS", "wbengine", "VeeamBackupSvc", "SDRSVC", "BackupExec", "AcronisAgent", "SQLBackupMon")
| extend TargetsDatabaseService = ProcessCommandLine has_any ("MSSQLSERVER", "MySQL", "OracleService", "MSExchangeIS", "MSExchangeTransport", "SQLWriter")
| project Timestamp, DeviceName, AccountName, AccountDomain,
         FileName, ProcessCommandLine, InitiatingProcessFileName,
         InitiatingProcessCommandLine, InitiatingProcessParentFileName,
         StopMethod, TargetsSecurityService, TargetsBackupService, TargetsDatabaseService
| sort by Timestamp desc

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

System administrators performing legitimate service maintenance, patch cycles, or decommissioning of services via sc.exe or net stop
IT automation platforms (Ansible, Chef, Puppet, SCCM) stopping services before updates or configuration changes
Backup software agents that stop VSS or database services as part of a legitimate quiesced backup procedure
Monitoring and patch management tools that restart services during scheduled maintenance windows
Development and QA environments where engineers frequently stop and restart database or web services during testing

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (Image="*\\sc.exe" OR Image="*\\net.exe" OR Image="*\\net1.exe" OR Image="*\\taskkill.exe"
   OR Image="*\\powershell.exe" OR Image="*\\pwsh.exe" OR Image="*\\wmic.exe")
| eval cl=lower(CommandLine)
| eval StopMethod=case(
    match(Image, "sc\\.exe") AND match(cl, "\\bstop\\b"), "sc stop",
    match(Image, "sc\\.exe") AND match(cl, "config") AND match(cl, "disabled"), "sc disable",
    match(Image, "sc\\.exe") AND match(cl, "\\bdelete\\b"), "sc delete",
    match(Image, "net1?\\.exe") AND match(cl, "\\bstop\\b"), "net stop",
    match(Image, "taskkill\\.exe"), "taskkill",
    match(Image, "powers?hell\\.exe") AND match(cl, "stop-service"), "PS Stop-Service",
    match(Image, "powers?hell\\.exe") AND match(cl, "set-service"), "PS Set-Service",
    match(Image, "wmic\\.exe") AND match(cl, "service"), "WMIC service",
    1=1, "other"
  )
| eval TargetsSecurityService=if(match(cl, "(windefend|msmpeng|wdnissvc|sense|securityhealthservice|crowdstrike|csfalconservice|csfcsc|sentinelagent|carbonblack|mcshield|mcafee|savservice|sepmasterservice|symantec|trendmicro)")
    , 1, 0)
| eval TargetsBackupService=if(match(cl, "(vss|wbengine|sdrsvc|veea?mbackup|veea?mtransport|acronis|backupexec|sqlbackupmon|bedbg)"), 1, 0)
| eval TargetsDatabaseService=if(match(cl, "(mssqlserver|mssql\$|sqlwriter|sqlserveragent|mysql|oracleservice|msexchange)"), 1, 0)
| eval RiskScore=TargetsSecurityService*3 + TargetsBackupService*3 + TargetsDatabaseService*2
| where StopMethod != "other" OR RiskScore > 0
| eval IsHighRisk=if(RiskScore >= 3, "YES", "NO")
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
        StopMethod, TargetsSecurityService, TargetsBackupService, TargetsDatabaseService,
        RiskScore, IsHighRisk
| sort - RiskScore, - _time

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

System administrators performing legitimate service maintenance, patch cycles, or decommissioning of services via sc.exe or net stop
IT automation platforms (Ansible, Chef, Puppet, SCCM) stopping services before updates or configuration changes
Backup software agents that stop VSS or database services as part of a legitimate quiesced backup procedure
Monitoring and patch management tools that restart services during scheduled maintenance windows
Development and QA environments where engineers frequently stop and restart database or web services during testing

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS HostIP,
  devicehostname AS Hostname,
  username AS AccountName,
  "filename" AS ProcessName,
  "URL" AS CommandLine,
  CATEGORYNAME(category) AS EventCategory,
  CASE
    WHEN LOWER("URL") MATCHES '.*\\bsc\.exe.*\bstop\b.*' THEN 'sc stop'
    WHEN LOWER("URL") MATCHES '.*\\bsc\.exe.*\bconfig\b.*\bdisabled\b.*' THEN 'sc disable'
    WHEN LOWER("URL") MATCHES '.*\\bsc\.exe.*\bdelete\b.*' THEN 'sc delete'
    WHEN LOWER("URL") MATCHES '.*\\bnet1?\.exe.*\bstop\b.*' THEN 'net stop'
    WHEN LOWER("URL") MATCHES '.*\\btaskkill\.exe.*' THEN 'taskkill'
    WHEN LOWER("URL") MATCHES '.*\\bpowershell.*stop-service.*' THEN 'PS Stop-Service'
    WHEN LOWER("URL") MATCHES '.*\\bpowershell.*set-service.*' THEN 'PS Set-Service'
    WHEN LOWER("URL") MATCHES '.*\\bwmic\.exe.*service.*' THEN 'WMIC service'
    ELSE 'other'
  END AS StopMethod,
  CASE WHEN LOWER("URL") MATCHES '.*(windefend|msmpeng|wdnissvc|sense|securityhealthservice|crowdstrike|csfalconservice|sentinelagent|carbonblack|mcshield|savservice|sepmasterservice).*' THEN 1 ELSE 0 END AS TargetsSecurityService,
  CASE WHEN LOWER("URL") MATCHES '.*(vss|wbengine|sdrsvc|veeambackup|veeamtransport|acronis|backupexec|sqlbackupmon).*' THEN 1 ELSE 0 END AS TargetsBackupService,
  CASE WHEN LOWER("URL") MATCHES '.*(mssqlserver|mssql\$|sqlwriter|sqlserveragent|mysql|oracleservice|msexchange).*' THEN 1 ELSE 0 END AS TargetsDatabaseService
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND QIDNAME(qid) IN ('Process Create', 'A new process has been created')
  AND (
    LOWER("filename") IN ('sc.exe', 'net.exe', 'net1.exe', 'taskkill.exe', 'powershell.exe', 'pwsh.exe', 'wmic.exe')
  )
  AND (
    LOWER("URL") MATCHES '.*(vss|wbengine|sdrsvc|veeambackup|acronisagent|backupexec|sqlbackupmon|windefend|msmpeng|securityhealthservice|sense|wdnissvc|crowdstrike|csfalconservice|sentinelagent|carbonblack|mcshield|savservice|sepmasterservice|symantec|mssqlserver|sqlwriter|sqlserveragent|mysql|oracleservice|msexchangeis|msexchangetransport|iisadmin|w3svc).*'
    OR LOWER("URL") MATCHES '.*(sc\.exe|net\.exe|net1\.exe).*\bstop\b.*'
    OR LOWER("URL") MATCHES '.*taskkill.*\/f.*'
    OR LOWER("URL") MATCHES '.*powershell.*(stop-service|set-service).*'
    OR LOWER("URL") MATCHES '.*wmic.*service.*(stopservice|changestartmode).*'
  )
  AND starttime > NOW() - 86400 SECONDS
ORDER BY starttime DESC

high severity medium confidence

Data Sources

Microsoft Windows Security Event Log Sysmon via QRadar DSM Windows event forwarding via QRadar WinCollect

Required Tables

events

False Positives

Scheduled maintenance scripts run by domain admin accounts during change windows
Software deployment pipelines (SCCM, Ansible) stopping services before upgrade
Legitimate DBA operations stopping SQL services for backup rotation

Sumo Logic CSE

sql

_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security"
| where EventID = "1" OR EventID = "4688"
| where Image matches "*\\sc.exe" OR Image matches "*\\net.exe" OR Image matches "*\\net1.exe"
  OR Image matches "*\\taskkill.exe" OR Image matches "*\\powershell.exe"
  OR Image matches "*\\pwsh.exe" OR Image matches "*\\wmic.exe"
| eval CommandLineLower = toLowerCase(CommandLine)
| where (
    (Image matches "*\\sc.exe" AND (CommandLineLower matches "*stop*" OR CommandLineLower matches "*config*disabled*" OR CommandLineLower matches "*delete*"))
    OR (Image matches "*\\net*.exe" AND CommandLineLower matches "*stop*")
    OR (Image matches "*\\taskkill.exe" AND CommandLineLower matches "*/f*")
    OR ((Image matches "*\\powershell.exe" OR Image matches "*\\pwsh.exe") AND (CommandLineLower matches "*stop-service*" OR CommandLineLower matches "*set-service*"))
    OR (Image matches "*\\wmic.exe" AND (CommandLineLower matches "*stopservice*" OR CommandLineLower matches "*changestartmode*disabled*"))
  )
| eval StopMethod = if(Image matches "*\\sc.exe" AND CommandLineLower matches "*stop*", "sc stop",
    if(Image matches "*\\sc.exe" AND CommandLineLower matches "*config*disabled*", "sc disable",
    if(Image matches "*\\sc.exe" AND CommandLineLower matches "*delete*", "sc delete",
    if(Image matches "*\\net*.exe" AND CommandLineLower matches "*stop*", "net stop",
    if(Image matches "*\\taskkill.exe", "taskkill",
    if((Image matches "*\\powershell.exe" OR Image matches "*\\pwsh.exe") AND CommandLineLower matches "*stop-service*", "PS Stop-Service",
    if((Image matches "*\\powershell.exe" OR Image matches "*\\pwsh.exe") AND CommandLineLower matches "*set-service*", "PS Set-Service",
    if(Image matches "*\\wmic.exe", "WMIC service", "other"))))))))
| eval TargetsSecurityService = if(CommandLineLower matches "*(windefend|msmpeng|wdnissvc|sense|securityhealthservice|crowdstrike|csfalconservice|sentinelagent|carbonblack|mcshield|savservice|sepmasterservice)*", 1, 0)
| eval TargetsBackupService = if(CommandLineLower matches "*(vss|wbengine|sdrsvc|veeambackup|veeamtransport|acronis|backupexec|sqlbackupmon)*", 1, 0)
| eval TargetsDatabaseService = if(CommandLineLower matches "*(mssqlserver|mssql$|sqlwriter|sqlserveragent|mysql|oracleservice|msexchange)*", 1, 0)
| eval RiskScore = (TargetsSecurityService * 3) + (TargetsBackupService * 3) + (TargetsDatabaseService * 2)
| where StopMethod != "other" OR RiskScore > 0
| eval IsHighRisk = if(RiskScore >= 3, "YES", "NO")
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, StopMethod,
    TargetsSecurityService, TargetsBackupService, TargetsDatabaseService, RiskScore, IsHighRisk
| sort by RiskScore desc, _messageTime desc

high severity high confidence

Data Sources

Sumo Logic Sysmon Source (Windows) Sumo Logic Windows Security Event Source

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=windows/security

False Positives

Enterprise endpoint management platforms stopping services during patch cycles
Security tooling (CrowdStrike, Defender) self-update processes
IT automation frameworks such as Puppet or Chef managing service states

Google Chronicle / SecOps

yaral

rule t1489_service_stop {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1489 Service Stop — adversaries stopping backup, security, or database services via sc.exe, net stop, taskkill, PowerShell, or WMIC"
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1489"
    severity = "HIGH"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1489/"
    created = "2026-04-13"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.process.file.full_path = /(?i)(\\sc\.exe|\\net\.exe|\\net1\.exe|\\taskkill\.exe|\\powershell\.exe|\\pwsh\.exe|\\wmic\.exe)$/
    (
      (
        $e.principal.process.file.full_path = /(?i)\\sc\.exe$/ and
        $e.target.process.command_line = /(?i)\b(stop|config|delete)\b/
      ) or
      (
        $e.principal.process.file.full_path = /(?i)\\net1?\.exe$/ and
        $e.target.process.command_line = /(?i)\bstop\b/
      ) or
      (
        $e.principal.process.file.full_path = /(?i)\\taskkill\.exe$/ and
        $e.target.process.command_line = /(?i)\/f/
      ) or
      (
        $e.principal.process.file.full_path = /(?i)\\(powershell|pwsh)\.exe$/ and
        $e.target.process.command_line = /(?i)(Stop-Service|Set-Service|sc\.exe stop|sc stop)/
      ) or
      (
        $e.principal.process.file.full_path = /(?i)\\wmic\.exe$/ and
        $e.target.process.command_line = /(?i)(stopservice|ChangeStartMode.*disabled)/
      )
    )
    $e.target.process.command_line = /(?i)(vss|wbengine|sdrsvc|veeambackup|veeamtransport|acronisagent|backupexec|sqlbackupmon|windefend|msmpeng|securityhealthservice|sense|wdnissvc|crowdstrike|csfalconservice|sentinelagent|carbonblack|mcshield|savservice|sepmasterservice|symantec|mssqlserver|sqlwriter|sqlserveragent|mysql|oracleservice|msexchangeis|msexchangetransport|iisadmin|w3svc)/
    $hostname = $e.principal.hostname
    $user = $e.principal.user.userid
    $cmdline = $e.target.process.command_line

  condition:
    $e
}

high severity high confidence

Data Sources

Chronicle UDM via Windows Sysmon ingestion Chronicle UDM via Microsoft Defender for Endpoint ingestion Chronicle UDM via Windows Event Forwarding

Required Tables

UDM events — PROCESS_LAUNCH event type

False Positives

Authorized change management windows where admins stop SQL or Exchange services
Endpoint security product self-healing or update procedures
Backup software agents stopping VSS as part of normal snapshot lifecycle

CrowdStrike LogScale (CQL)

cql

#event_simpleName = ProcessRollup2
| FileName = /^(sc|net|net1|taskkill|powershell|pwsh|wmic)\.exe$/i
| CommandLine = /(?i)(vss|wbengine|sdrsvc|veeambackupsvc|veeamtransportsvc|acronisagent|backupexecagent|backupexecjobengine|sqlbackupmon|windefend|msmpeng|securityhealthservice|sense|wdnissvc|csfalconservice|crowdstrike|sentinelagent|carbonblack|mcshield|savservice|sepmasterservice|symantec|mssqlserver|sqlwriter|sqlserveragent|mysql|oracleservice|msexchangeis|msexchangetransport|iisadmin|w3svc)/
OR (
  FileName = /^sc\.exe$/i AND CommandLine = /(?i)\b(stop|config.*disabled|delete)\b/
)
OR (
  FileName = /^net1?\.exe$/i AND CommandLine = /(?i)\bstop\b/
)
OR (
  FileName = /^taskkill\.exe$/i AND CommandLine = /(?i)\/f/
)
OR (
  FileName = /^(powershell|pwsh)\.exe$/i AND CommandLine = /(?i)(stop-service|set-service|sc\.exe stop|sc stop)/
)
OR (
  FileName = /^wmic\.exe$/i AND CommandLine = /(?i)(stopservice|changestartmode.*disabled)/
)
| eval StopMethod = case(
    FileName = /^sc\.exe$/i AND CommandLine = /(?i)\bstop\b/, "sc stop",
    FileName = /^sc\.exe$/i AND CommandLine = /(?i)config.*disabled/, "sc disable",
    FileName = /^sc\.exe$/i AND CommandLine = /(?i)\bdelete\b/, "sc delete",
    FileName = /^net1?\.exe$/i AND CommandLine = /(?i)\bstop\b/, "net stop",
    FileName = /^taskkill\.exe$/i, "taskkill",
    FileName = /^(powershell|pwsh)\.exe$/i AND CommandLine = /(?i)stop-service/, "PS Stop-Service",
    FileName = /^(powershell|pwsh)\.exe$/i AND CommandLine = /(?i)set-service/, "PS Set-Service",
    FileName = /^wmic\.exe$/i, "WMIC service",
    "other"
  )
| eval TargetsSecurityService = if(CommandLine = /(?i)(windefend|msmpeng|wdnissvc|sense|securityhealthservice|csfalconservice|crowdstrike|sentinelagent|carbonblack|mcshield|savservice|sepmasterservice|symantec)/, 1, 0)
| eval TargetsBackupService = if(CommandLine = /(?i)(vss|wbengine|sdrsvc|veeambackup|acronis|backupexec|sqlbackupmon)/, 1, 0)
| eval TargetsDatabaseService = if(CommandLine = /(?i)(mssqlserver|mssql\$|sqlwriter|mysql|oracleservice|msexchange)/, 1, 0)
| eval RiskScore = TargetsSecurityService * 3 + TargetsBackupService * 3 + TargetsDatabaseService * 2
| where StopMethod != "other" OR RiskScore > 0
| eval IsHighRisk = if(RiskScore >= 3, "YES", "NO")
| groupBy([ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, StopMethod, TargetsSecurityService, TargetsBackupService, TargetsDatabaseService, RiskScore, IsHighRisk], function=([min(ContextTimeStamp_decimal, as=FirstSeen), max(ContextTimeStamp_decimal, as=LastSeen), count(as=EventCount)]))
| sort(RiskScore, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint (ProcessRollup2 events) CrowdStrike Falcon Data Replicator (FDR)

Required Tables

ProcessRollup2

False Positives

IT operations teams using automation scripts for service lifecycle management
Falcon sensor or other EDR self-update processes temporarily stopping services
Backup agents such as Veeam stopping VSS writers as part of snapshot orchestration

Last updated: 2026-04-13 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1489 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Service Stop

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Impact

Popular Detections