T1489 CrowdStrike LogScale · LogScale

Detect Service Stop in CrowdStrike LogScale

Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment. Adversaries commonly target backup services, security solutions (AV/EDR), database engines (SQL Server, Exchange, MySQL), and VSS to eliminate recovery options before deploying ransomware or wipers. Methods include sc.exe stop/config, net stop, PowerShell Stop-Service/Set-Service, taskkill against service host processes, and on ESXi, esxcli vm process kill.

MITRE ATT&CK

Tactic
Impact
Technique
T1489 Service Stop
Canonical reference
https://attack.mitre.org/techniques/T1489/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
#event_simpleName = ProcessRollup2
| FileName = /^(sc|net|net1|taskkill|powershell|pwsh|wmic)\.exe$/i
| CommandLine = /(?i)(vss|wbengine|sdrsvc|veeambackupsvc|veeamtransportsvc|acronisagent|backupexecagent|backupexecjobengine|sqlbackupmon|windefend|msmpeng|securityhealthservice|sense|wdnissvc|csfalconservice|crowdstrike|sentinelagent|carbonblack|mcshield|savservice|sepmasterservice|symantec|mssqlserver|sqlwriter|sqlserveragent|mysql|oracleservice|msexchangeis|msexchangetransport|iisadmin|w3svc)/
OR (
  FileName = /^sc\.exe$/i AND CommandLine = /(?i)\b(stop|config.*disabled|delete)\b/
)
OR (
  FileName = /^net1?\.exe$/i AND CommandLine = /(?i)\bstop\b/
)
OR (
  FileName = /^taskkill\.exe$/i AND CommandLine = /(?i)\/f/
)
OR (
  FileName = /^(powershell|pwsh)\.exe$/i AND CommandLine = /(?i)(stop-service|set-service|sc\.exe stop|sc stop)/
)
OR (
  FileName = /^wmic\.exe$/i AND CommandLine = /(?i)(stopservice|changestartmode.*disabled)/
)
| eval StopMethod = case(
    FileName = /^sc\.exe$/i AND CommandLine = /(?i)\bstop\b/, "sc stop",
    FileName = /^sc\.exe$/i AND CommandLine = /(?i)config.*disabled/, "sc disable",
    FileName = /^sc\.exe$/i AND CommandLine = /(?i)\bdelete\b/, "sc delete",
    FileName = /^net1?\.exe$/i AND CommandLine = /(?i)\bstop\b/, "net stop",
    FileName = /^taskkill\.exe$/i, "taskkill",
    FileName = /^(powershell|pwsh)\.exe$/i AND CommandLine = /(?i)stop-service/, "PS Stop-Service",
    FileName = /^(powershell|pwsh)\.exe$/i AND CommandLine = /(?i)set-service/, "PS Set-Service",
    FileName = /^wmic\.exe$/i, "WMIC service",
    "other"
  )
| eval TargetsSecurityService = if(CommandLine = /(?i)(windefend|msmpeng|wdnissvc|sense|securityhealthservice|csfalconservice|crowdstrike|sentinelagent|carbonblack|mcshield|savservice|sepmasterservice|symantec)/, 1, 0)
| eval TargetsBackupService = if(CommandLine = /(?i)(vss|wbengine|sdrsvc|veeambackup|acronis|backupexec|sqlbackupmon)/, 1, 0)
| eval TargetsDatabaseService = if(CommandLine = /(?i)(mssqlserver|mssql\$|sqlwriter|mysql|oracleservice|msexchange)/, 1, 0)
| eval RiskScore = TargetsSecurityService * 3 + TargetsBackupService * 3 + TargetsDatabaseService * 2
| where StopMethod != "other" OR RiskScore > 0
| eval IsHighRisk = if(RiskScore >= 3, "YES", "NO")
| groupBy([ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, StopMethod, TargetsSecurityService, TargetsBackupService, TargetsDatabaseService, RiskScore, IsHighRisk], function=([min(ContextTimeStamp_decimal, as=FirstSeen), max(ContextTimeStamp_decimal, as=LastSeen), count(as=EventCount)]))
| sort(RiskScore, order=desc)
high severity high confidence

CrowdStrike LogScale (Falcon) query detecting T1489 Service Stop using ProcessRollup2 events. Identifies sc.exe, net stop, taskkill, PowerShell, and WMIC usage targeting backup, security, database, and infrastructure services. Outputs risk-scored results grouped by host and user.

Data Sources

CrowdStrike Falcon Endpoint (ProcessRollup2 events)CrowdStrike Falcon Data Replicator (FDR)

Required Tables

ProcessRollup2

False Positives & Tuning

  • IT operations teams using automation scripts for service lifecycle management
  • Falcon sensor or other EDR self-update processes temporarily stopping services
  • Backup agents such as Veeam stopping VSS writers as part of snapshot orchestration
Download portable Sigma rule (.yml)

Other platforms for T1489

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Stop Windows Defender Service via sc.exe

    Expected signal: Sysmon Event ID 1: Process Create with Image=sc.exe, CommandLine='sc.exe stop WinDefend' and 'sc.exe config WinDefend start= disabled'. Security Event ID 4688 (if process creation auditing enabled). System Event ID 7040 (if the config change succeeds: start type changed). System Event ID 7036 (if stop succeeds: service entered stopped state).

  2. Test 2Bulk Service Stop via net.exe (Ransomware Simulation)

    Expected signal: Sysmon Event ID 1: Six separate process creation events for net.exe with stop commands. System Event ID 7036 for any services that were actually running and stopped. The rapid sequence of 6 net.exe executions within seconds triggers the bulk stop hunting query.

  3. Test 3Stop and Disable Service via PowerShell Stop-Service

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Stop-Service' and 'wbengine'. PowerShell ScriptBlock Log Event ID 4104 with the full command. System Event ID 7036 (if service stopped) and 7040 (if startup type changed to Disabled).

  4. Test 4WMIC Service Stop via WMI

    Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine containing 'service', 'StopService'. System Event ID 7036 (Windows Event Log service entered stopped state). Note: stopping EventLog will briefly interrupt event logging — telemetry for the stop itself is captured by Sysmon before EventLog stops.

  5. Test 5Disable Service by Modifying Registry Start Value

    Expected signal: Sysmon Event ID 13 (Registry Value Set): TargetObject=HKLM\SYSTEM\CurrentControlSet\Services\wbengine\Start, Details=DWORD (0x00000004). Sysmon Event ID 1: Process Create for reg.exe. Note: this test validates the registry-based hunting path and demonstrates that service disablement can occur without sc.exe or net.exe being called.

Last updated: 2026-04-13 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1489 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1485Data DestructionT1486Data Encrypted for ImpactT1490Inhibit System RecoveryT1562.001Disable or Modify ToolsT1562.004Disable or Modify System FirewallT1059.001PowerShellT1059.003Windows Command ShellT1047Windows Management InstrumentationT1543.003Windows ServiceT1078Valid Accounts

Same Tactic: Impact

Popular Detections