T1489 Google Chronicle · YARA-L

Detect Service Stop in Google Chronicle

Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment. Adversaries commonly target backup services, security solutions (AV/EDR), database engines (SQL Server, Exchange, MySQL), and VSS to eliminate recovery options before deploying ransomware or wipers. Methods include sc.exe stop/config, net stop, PowerShell Stop-Service/Set-Service, taskkill against service host processes, and on ESXi, esxcli vm process kill.

MITRE ATT&CK

Tactic
Impact
Technique
T1489 Service Stop
Canonical reference
https://attack.mitre.org/techniques/T1489/

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral 
rule t1489_service_stop {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1489 Service Stop — adversaries stopping backup, security, or database services via sc.exe, net stop, taskkill, PowerShell, or WMIC"
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1489"
    severity = "HIGH"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1489/"
    created = "2026-04-13"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.process.file.full_path = /(?i)(\\sc\.exe|\\net\.exe|\\net1\.exe|\\taskkill\.exe|\\powershell\.exe|\\pwsh\.exe|\\wmic\.exe)$/
    (
      (
        $e.principal.process.file.full_path = /(?i)\\sc\.exe$/ and
        $e.target.process.command_line = /(?i)\b(stop|config|delete)\b/
      ) or
      (
        $e.principal.process.file.full_path = /(?i)\\net1?\.exe$/ and
        $e.target.process.command_line = /(?i)\bstop\b/
      ) or
      (
        $e.principal.process.file.full_path = /(?i)\\taskkill\.exe$/ and
        $e.target.process.command_line = /(?i)\/f/
      ) or
      (
        $e.principal.process.file.full_path = /(?i)\\(powershell|pwsh)\.exe$/ and
        $e.target.process.command_line = /(?i)(Stop-Service|Set-Service|sc\.exe stop|sc stop)/
      ) or
      (
        $e.principal.process.file.full_path = /(?i)\\wmic\.exe$/ and
        $e.target.process.command_line = /(?i)(stopservice|ChangeStartMode.*disabled)/
      )
    )
    $e.target.process.command_line = /(?i)(vss|wbengine|sdrsvc|veeambackup|veeamtransport|acronisagent|backupexec|sqlbackupmon|windefend|msmpeng|securityhealthservice|sense|wdnissvc|crowdstrike|csfalconservice|sentinelagent|carbonblack|mcshield|savservice|sepmasterservice|symantec|mssqlserver|sqlwriter|sqlserveragent|mysql|oracleservice|msexchangeis|msexchangetransport|iisadmin|w3svc)/
    $hostname = $e.principal.hostname
    $user = $e.principal.user.userid
    $cmdline = $e.target.process.command_line

  condition:
    $e
}
high severity high confidence

Chronicle YARA-L 2.0 rule detecting T1489 Service Stop behavior. Matches process launch events where sc.exe, net.exe, taskkill.exe, PowerShell, or WMIC is used to stop, disable, or delete known backup, security, database, or infrastructure services.

Data Sources

Chronicle UDM via Windows Sysmon ingestionChronicle UDM via Microsoft Defender for Endpoint ingestionChronicle UDM via Windows Event Forwarding

Required Tables

UDM events — PROCESS_LAUNCH event type

False Positives & Tuning

  • Authorized change management windows where admins stop SQL or Exchange services
  • Endpoint security product self-healing or update procedures
  • Backup software agents stopping VSS as part of normal snapshot lifecycle
Download portable Sigma rule (.yml)

Other platforms for T1489

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Stop Windows Defender Service via sc.exe

    Expected signal: Sysmon Event ID 1: Process Create with Image=sc.exe, CommandLine='sc.exe stop WinDefend' and 'sc.exe config WinDefend start= disabled'. Security Event ID 4688 (if process creation auditing enabled). System Event ID 7040 (if the config change succeeds: start type changed). System Event ID 7036 (if stop succeeds: service entered stopped state).

  2. Test 2Bulk Service Stop via net.exe (Ransomware Simulation)

    Expected signal: Sysmon Event ID 1: Six separate process creation events for net.exe with stop commands. System Event ID 7036 for any services that were actually running and stopped. The rapid sequence of 6 net.exe executions within seconds triggers the bulk stop hunting query.

  3. Test 3Stop and Disable Service via PowerShell Stop-Service

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Stop-Service' and 'wbengine'. PowerShell ScriptBlock Log Event ID 4104 with the full command. System Event ID 7036 (if service stopped) and 7040 (if startup type changed to Disabled).

  4. Test 4WMIC Service Stop via WMI

    Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine containing 'service', 'StopService'. System Event ID 7036 (Windows Event Log service entered stopped state). Note: stopping EventLog will briefly interrupt event logging — telemetry for the stop itself is captured by Sysmon before EventLog stops.

  5. Test 5Disable Service by Modifying Registry Start Value

    Expected signal: Sysmon Event ID 13 (Registry Value Set): TargetObject=HKLM\SYSTEM\CurrentControlSet\Services\wbengine\Start, Details=DWORD (0x00000004). Sysmon Event ID 1: Process Create for reg.exe. Note: this test validates the registry-based hunting path and demonstrates that service disablement can occur without sc.exe or net.exe being called.

Last updated: 2026-04-13 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1489 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1485Data DestructionT1486Data Encrypted for ImpactT1490Inhibit System RecoveryT1562.001Disable or Modify ToolsT1562.004Disable or Modify System FirewallT1059.001PowerShellT1059.003Windows Command ShellT1047Windows Management InstrumentationT1543.003Windows ServiceT1078Valid Accounts

Same Tactic: Impact

Popular Detections