Detect Service Stop in Microsoft Sentinel
Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment. Adversaries commonly target backup services, security solutions (AV/EDR), database engines (SQL Server, Exchange, MySQL), and VSS to eliminate recovery options before deploying ransomware or wipers. Methods include sc.exe stop/config, net stop, PowerShell Stop-Service/Set-Service, taskkill against service host processes, and on ESXi, esxcli vm process kill.
MITRE ATT&CK
- Tactic: Impact
- Technique: T1489 Service Stop
- Canonical reference: https://attack.mitre.org/techniques/T1489/
KQL Detection Query
```kql
let TargetedServices = dynamic([
    // Backup and recovery (has_any is case-insensitive, so one spelling per name is enough)
    "vss", "wbengine", "SDRSVC", "VeeamBackupSvc", "VeeamTransportSvc",
    "AcronisAgent", "BackupExecAgentAccelerator", "BackupExecAgentBrowser",
    "BackupExecDeviceMediaService", "BackupExecJobEngine", "BackupExecManagementService",
    "BackupExecRPCService", "SQLBackupMon",
    // Security / AV / EDR
    "WinDefend", "MsMpSvc", "SecurityHealthService", "Sense", "WdNisSvc",
    "CrowdStrike", "CSAgent", "CSFalconService", "McShield", "McTaskManager",
    "MfeEERM", "mfemms", "mfevtp", "SAVService", "SepMasterService",
    "Symantec", "SNAC", "TmCCSF", "SentinelAgent", "CarbonBlack",
    // Database and email
    "MSSQLSERVER", "MSSQL$", "SQLWriter", "SQLSERVERAGENT", "MsDtsServer",
    "ReportServer", "MSSQLFDLauncher", "MySQL", "OracleService",
    "MSExchangeIS", "MSExchangeTransport", "MSExchangeEdgeSync",
    "MSExchangeFDS", "MSExchangeMailboxAssistants", "MSExchangeRPC",
    "MSExchangeSA", "MSExchangeThrottling",
    // IT infrastructure ("WAS" is also an ordinary English word; drop it if it proves noisy)
    "IISADMIN", "W3SVC", "WAS"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("sc.exe", "net.exe", "net1.exe", "taskkill.exe", "powershell.exe", "pwsh.exe", "wmic.exe")
// Fire on a high-value service name in the command line, or on a stop/disable/delete verb for the tool.
// The taskkill /f branch is deliberately broad; tighten it to service host images if it is too noisy.
| where ProcessCommandLine has_any (TargetedServices)
    or (
        (FileName in~ ("sc.exe") and ProcessCommandLine has_any ("stop", "config", "delete"))
        or (FileName in~ ("net.exe", "net1.exe") and ProcessCommandLine has "stop")
        or (FileName in~ ("taskkill.exe") and ProcessCommandLine has "/f")
        or (FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any ("Stop-Service", "Set-Service", "sc.exe stop", "sc stop"))
        or (FileName in~ ("wmic.exe") and ProcessCommandLine has_any ("service", "call", "stopservice", "ChangeStartMode"))
    )
// Label the stop technique; the first matching branch wins
| extend StopMethod = case(
    FileName in~ ("sc.exe") and ProcessCommandLine has "stop", "sc stop",
    FileName in~ ("sc.exe") and ProcessCommandLine has "config" and ProcessCommandLine has "disabled", "sc disable",
    FileName in~ ("sc.exe") and ProcessCommandLine has "delete", "sc delete",
    FileName in~ ("net.exe", "net1.exe") and ProcessCommandLine has "stop", "net stop",
    FileName in~ ("taskkill.exe"), "taskkill",
    FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has "Stop-Service", "PowerShell Stop-Service",
    FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has "Set-Service", "PowerShell Set-Service",
    FileName in~ ("wmic.exe"), "WMIC service call",
    "other"
)
// Triage flags: which class of service the command line names
| extend TargetsSecurityService = ProcessCommandLine has_any ("WinDefend", "MsMpSvc", "Sense", "CrowdStrike", "CSFalconService", "SentinelAgent", "CarbonBlack", "McShield", "SAVService", "SepMasterService", "WdNisSvc", "SecurityHealthService")
// has_any matches whole terms, so the bare prefix "BackupExec" would never match the BackupExec* service names
| extend TargetsBackupService = ProcessCommandLine has_any ("vss", "wbengine", "VeeamBackupSvc", "SDRSVC", "BackupExecAgentAccelerator", "BackupExecAgentBrowser", "BackupExecDeviceMediaService", "BackupExecJobEngine", "BackupExecManagementService", "BackupExecRPCService", "AcronisAgent", "SQLBackupMon")
| extend TargetsDatabaseService = ProcessCommandLine has_any ("MSSQLSERVER", "MySQL", "OracleService", "MSExchangeIS", "MSExchangeTransport", "SQLWriter")
| project Timestamp, DeviceName, AccountName, AccountDomain,
    FileName, ProcessCommandLine, InitiatingProcessFileName,
    InitiatingProcessCommandLine, InitiatingProcessParentFileName,
    StopMethod, TargetsSecurityService, TargetsBackupService, TargetsDatabaseService
| sort by Timestamp desc
```
Detects service stop and disable activity targeting backup, security, database, and email services commonly killed by ransomware and wipers prior to encryption or destruction. Uses DeviceProcessEvents to monitor sc.exe, net.exe, net1.exe, taskkill.exe, powershell.exe, and wmic.exe for stop/disable/delete commands against a list of high-value service names. Enriches each event with flags indicating whether the targeted service is a security solution, backup service, or database engine to aid analyst triage.
Data Sources
Required Tables
- DeviceProcessEvents
False Positives & Tuning
- System administrators performing legitimate service maintenance, patch cycles, or decommissioning of services via sc.exe or net stop
- IT automation platforms (Ansible, Chef, Puppet, SCCM) stopping services before updates or configuration changes
- Backup software agents that stop VSS or database services as part of a legitimate quiesced backup procedure
- Monitoring and patch management tools that restart services during scheduled maintenance windows
- Development and QA environments where engineers frequently stop and restart database or web services during testing
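A companion hunting query, added here as an example and not part of the original detection package, that surfaces the bulk pattern (several distinct services stopped or disabled on one host inside a short window) while dropping events launched by the automation parents described above. The parent-process names, the 2-minute window and the threshold of 5 distinct services are assumptions to tune per environment.

```kql
// Assumed allowlist of automation parents; CcmExec.exe is the SCCM client, the second entry is a placeholder
let AutomationParents = dynamic(["CcmExec.exe", "your-patch-agent.exe"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("sc.exe", "net.exe", "net1.exe", "powershell.exe", "pwsh.exe")
// "stop" also matches the Stop-Service term; "disabled" catches sc config start= disabled and Set-Service -StartupType Disabled
| where ProcessCommandLine has_any ("stop", "disabled")
| where not(InitiatingProcessFileName in~ (AutomationParents))
| where not(InitiatingProcessParentFileName in~ (AutomationParents))
// Pull the service token after the verb so repeated hits on one service do not inflate the count.
// Quoted display names with spaces are truncated at the first word; good enough for a distinct count.
| extend ServiceName = extract(@'(?i)\b(?:stop|config|stop-service|set-service)\s+(?:/y\s+)?(?:-name\s+)?"?([^\s",]+)', 1, ProcessCommandLine)
| where isnotempty(ServiceName)
| summarize StopCommands = count(), DistinctServices = dcount(ServiceName),
            Services = make_set(ServiceName, 20), FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by DeviceName, AccountName, InitiatingProcessFileName, Window = bin(Timestamp, 2m)
| where DistinctServices >= 5
| extend SpanSeconds = datetime_diff("second", LastSeen, FirstSeen)
| project Window, DeviceName, AccountName, InitiatingProcessFileName, StopCommands, DistinctServices, SpanSeconds, Services
| sort by DistinctServices desc
```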
Testing Methodology
Validate this detection against 5 Atomic Red Team tests for T1489. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Stop Windows Defender Service via sc.exe
  Expected signal: Sysmon Event ID 1: Process Create with Image=sc.exe, CommandLine='sc.exe stop WinDefend' and 'sc.exe config WinDefend start= disabled'. Security Event ID 4688 (if process creation auditing is enabled). System Event ID 7040 (if the config change succeeds: start type changed). System Event ID 7036 (if the stop succeeds: service entered stopped state).
- Test 2: Bulk Service Stop via net.exe (Ransomware Simulation)
  Expected signal: Sysmon Event ID 1: Six separate process creation events for net.exe with stop commands. System Event ID 7036 for any services that were actually running and stopped. The rapid sequence of 6 net.exe executions within seconds triggers the bulk stop hunting query.
- Test 3: Stop and Disable Service via PowerShell Stop-Service
  Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Stop-Service' and 'wbengine'. PowerShell ScriptBlock Log Event ID 4104 with the full command. System Event ID 7036 (if the service stopped) and 7040 (if the startup type changed to Disabled).
- Test 4: WMIC Service Stop via WMI
  Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine containing 'service' and 'StopService'. System Event ID 7036 (Windows Event Log service entered stopped state). Note: stopping EventLog briefly interrupts event logging; telemetry for the stop itself is captured by Sysmon before EventLog stops.
- Test 5: Disable Service by Modifying Registry Start Value
  Expected signal: Sysmon Event ID 13 (Registry Value Set): TargetObject=HKLM\SYSTEM\CurrentControlSet\Services\wbengine\Start, Details=DWORD (0x00000004). Sysmon Event ID 1: Process Create for reg.exe. Note: this test validates the registry-based hunting path and demonstrates that service disablement can occur without sc.exe or net.exe being called.
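The registry-based hunting path that Test 5 exercises, written against the DeviceRegistryEvents table as an added example (not a query from the original page). It catches a service Start value being set to 4 (SERVICE_DISABLED) regardless of which tool wrote it; the shortened service list is an assumption and can be swapped for the main query's full TargetedServices array.

```kql
// Assumed subset of the high-value services from the main detection
let TargetedServices = dynamic(["wbengine", "VSS", "SDRSVC", "WinDefend", "Sense", "WdNisSvc",
                                "MSSQLSERVER", "VeeamBackupSvc", "MSExchangeIS"]);
DeviceRegistryEvents
| where Timestamp > ago(24h)
| where ActionType == "RegistryValueSet"
| where RegistryValueName =~ "Start"
// Start = 4 is SERVICE_DISABLED; RegistryValueData is stored as a string in this table
| where RegistryValueData == "4"
// The service short name is the last key component under ...\Services\
| extend ServiceName = extract(@'(?i)\\Services\\([^\\]+)$', 1, RegistryKey)
| where isnotempty(ServiceName) and ServiceName in~ (TargetedServices)
// PreviousRegistryValueData shows what the start type was before the change (2 = auto, 3 = manual)
| project Timestamp, DeviceName, InitiatingProcessAccountName, ServiceName, RegistryKey,
          PreviousRegistryValueData, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
```

Writes made by services.exe on behalf of sc config will also appear here, so this path overlaps the main query for the sc disable case and adds coverage for reg.exe, PowerShell registry cmdlets, and direct API writes.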
References
- https://attack.mitre.org/techniques/T1489/
- https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
- https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf
- https://www.secureworks.com/research/wcry-ransomware-analysis
- https://www.crowdstrike.com/en-us/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
- https://unit42.paloaltonetworks.com/clop-ransomware/
- https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/
- https://learn.microsoft.com/en-us/windows/win32/services/service-control-manager
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md