Detect Service Stop in Splunk
Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment. Adversaries commonly target backup services, security solutions (AV/EDR), database engines (SQL Server, Exchange, MySQL), and VSS to eliminate recovery options before deploying ransomware or wipers. Methods include sc.exe stop/config, net stop, PowerShell Stop-Service/Set-Service, taskkill against service host processes, and on ESXi, esxcli vm process kill.
MITRE ATT&CK
- Tactic
- Impact
- Technique
- T1489 Service Stop
- Canonical reference
- https://attack.mitre.org/techniques/T1489/
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(Image="*\\sc.exe" OR Image="*\\net.exe" OR Image="*\\net1.exe" OR Image="*\\taskkill.exe"
OR Image="*\\powershell.exe" OR Image="*\\pwsh.exe" OR Image="*\\wmic.exe")
| eval cl=lower(CommandLine)
| eval StopMethod=case(
match(Image, "sc\\.exe") AND match(cl, "\\bstop\\b"), "sc stop",
match(Image, "sc\\.exe") AND match(cl, "config") AND match(cl, "disabled"), "sc disable",
match(Image, "sc\\.exe") AND match(cl, "\\bdelete\\b"), "sc delete",
match(Image, "net1?\\.exe") AND match(cl, "\\bstop\\b"), "net stop",
match(Image, "taskkill\\.exe"), "taskkill",
match(Image, "powers?hell\\.exe") AND match(cl, "stop-service"), "PS Stop-Service",
match(Image, "powers?hell\\.exe") AND match(cl, "set-service"), "PS Set-Service",
match(Image, "wmic\\.exe") AND match(cl, "service"), "WMIC service",
1=1, "other"
)
| eval TargetsSecurityService=if(match(cl, "(windefend|msmpeng|wdnissvc|sense|securityhealthservice|crowdstrike|csfalconservice|csfcsc|sentinelagent|carbonblack|mcshield|mcafee|savservice|sepmasterservice|symantec|trendmicro)")
, 1, 0)
| eval TargetsBackupService=if(match(cl, "(vss|wbengine|sdrsvc|veea?mbackup|veea?mtransport|acronis|backupexec|sqlbackupmon|bedbg)"), 1, 0)
| eval TargetsDatabaseService=if(match(cl, "(mssqlserver|mssql\$|sqlwriter|sqlserveragent|mysql|oracleservice|msexchange)"), 1, 0)
| eval RiskScore=TargetsSecurityService*3 + TargetsBackupService*3 + TargetsDatabaseService*2
| where StopMethod != "other" OR RiskScore > 0
| eval IsHighRisk=if(RiskScore >= 3, "YES", "NO")
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
StopMethod, TargetsSecurityService, TargetsBackupService, TargetsDatabaseService,
RiskScore, IsHighRisk
| sort - RiskScore, - _timeDetects service stop activity using Sysmon Event ID 1 (Process Creation) targeting backup, security, and database services. Evaluates command lines from sc.exe, net.exe, net1.exe, taskkill.exe, powershell.exe, and wmic.exe. Assigns a RiskScore (max 8) based on which service category is targeted — security and backup services score highest as these are priority targets for ransomware operators seeking to disable defenses and eliminate recovery options. Events are sorted by RiskScore descending so analysts see the highest-priority alerts first.
Data Sources
Required Sourcetypes
False Positives & Tuning
- System administrators performing legitimate service maintenance, patch cycles, or decommissioning of services via sc.exe or net stop
- IT automation platforms (Ansible, Chef, Puppet, SCCM) stopping services before updates or configuration changes
- Backup software agents that stop VSS or database services as part of a legitimate quiesced backup procedure
- Monitoring and patch management tools that restart services during scheduled maintenance windows
- Development and QA environments where engineers frequently stop and restart database or web services during testing
Other platforms for T1489
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Stop Windows Defender Service via sc.exe
Expected signal: Sysmon Event ID 1: Process Create with Image=sc.exe, CommandLine='sc.exe stop WinDefend' and 'sc.exe config WinDefend start= disabled'. Security Event ID 4688 (if process creation auditing enabled). System Event ID 7040 (if the config change succeeds: start type changed). System Event ID 7036 (if stop succeeds: service entered stopped state).
- Test 2Bulk Service Stop via net.exe (Ransomware Simulation)
Expected signal: Sysmon Event ID 1: Six separate process creation events for net.exe with stop commands. System Event ID 7036 for any services that were actually running and stopped. The rapid sequence of 6 net.exe executions within seconds triggers the bulk stop hunting query.
- Test 3Stop and Disable Service via PowerShell Stop-Service
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Stop-Service' and 'wbengine'. PowerShell ScriptBlock Log Event ID 4104 with the full command. System Event ID 7036 (if service stopped) and 7040 (if startup type changed to Disabled).
- Test 4WMIC Service Stop via WMI
Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine containing 'service', 'StopService'. System Event ID 7036 (Windows Event Log service entered stopped state). Note: stopping EventLog will briefly interrupt event logging — telemetry for the stop itself is captured by Sysmon before EventLog stops.
- Test 5Disable Service by Modifying Registry Start Value
Expected signal: Sysmon Event ID 13 (Registry Value Set): TargetObject=HKLM\SYSTEM\CurrentControlSet\Services\wbengine\Start, Details=DWORD (0x00000004). Sysmon Event ID 1: Process Create for reg.exe. Note: this test validates the registry-based hunting path and demonstrates that service disablement can occur without sc.exe or net.exe being called.
References (10)
- https://attack.mitre.org/techniques/T1489/
- https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
- https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf
- https://www.secureworks.com/research/wcry-ransomware-analysis
- https://www.crowdstrike.com/en-us/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
- https://unit42.paloaltonetworks.com/clop-ransomware/
- https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/
- https://learn.microsoft.com/en-us/windows/win32/services/service-control-manager
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md
Unlock Pro Content
Get the full detection package for T1489 including response playbook, investigation guide, and atomic red team tests.