title: Service Stop (T1489)
id: df00tech-t1489
status: experimental
description: "Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment. Adversaries commonly target backup services, security solutions (AV/EDR), database engines (SQL Server, Exchange, MySQL), and VSS to eliminate recovery options before deploying ransomware or wipers. Methods include sc.exe stop/config, net stop, PowerShell Stop-Service/Set-Service, taskkill against service host processes, and on ESXi, esxcli vm process kill."
references:
  - https://attack.mitre.org/techniques/T1489/
  - https://df00tech.com/detections/T1489
author: df00tech
date: 2026/04/13
tags:
  - attack.t1489
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "System administrators performing legitimate service maintenance, patch cycles, or decommissioning of services via sc.exe or net stop"
  - "IT automation platforms (Ansible, Chef, Puppet, SCCM) stopping services before updates or configuration changes"
  - Backup software agents that stop VSS or database services as part of a legitimate quiesced backup procedure
  - Monitoring and patch management tools that restart services during scheduled maintenance windows
  - Development and QA environments where engineers frequently stop and restart database or web services during testing
level: high
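The command-line methods listed in the description (sc.exe stop/config, net stop, Stop-Service/Set-Service, taskkill against a service host process), written as detection logic that runs over constructed process_creation events. This is an added example, not the df00tech rule's own KQL/SPL query; it assumes Sysmon-style Computer/Image/CommandLine fields, and the CRITICAL watchlist and BURST threshold are constructed values to tune per environment.

```python
import re
from collections import Counter
# Constructed watchlist of targets the description names (backup, AV/EDR, databases, VSS); substring match.
CRITICAL = ("vss", "mssqlserver", "msexchangeis", "mysql", "windefend", "sqlservr.exe", "msmpeng.exe")
BURST = 3  # distinct services stopped on one host before we call it a burst (window by time in production)
CLI = {  # image suffix -> regex capturing the quoted or bare name being stopped, disabled or killed
    "\\sc.exe": re.compile(r'\b(?:stop|config)\s+(?:"([^"]+)"|(\S+))', re.I),
    "\\net.exe": re.compile(r'\bstop\s+(?:"([^"]+)"|(\S+))', re.I),
    "\\taskkill.exe": re.compile(r'/im\s+(?:"([^"]+)"|(\S+))', re.I),
}
def ps_target(cmd):  # -Name value after Stop-Service/Set-Service, else the first positional argument
    toks = re.split(r"\s+", cmd)
    idx = next((i for i, t in enumerate(toks) if t.lower() in ("stop-service", "set-service")), None)
    rest = toks[idx + 1:] if idx is not None else []
    for j, r in enumerate(rest[:-1]):
        if r.lower() == "-name":
            return rest[j + 1].strip("\"'")
    return next((r.strip("\"'") for r in rest if not r.startswith("-")), None)

def classify(event):
    """Return (method, target) if this process_creation event stops or disables a service."""
    image, cmd = event["Image"].lower(), event["CommandLine"]
    low = cmd.lower()
    if image.endswith("\\powershell.exe") and ("stop-service" in low or
                                               "set-service" in low and "disabled" in low):
        t = ps_target(cmd)
        return ("powershell", t.lower()) if t else None
    if image.endswith("\\sc.exe") and "config" in low and "disabled" not in low:
        return None  # sc config that changes the start type without disabling the service
    for suffix, rx in CLI.items():
        m = rx.search(cmd) if image.endswith(suffix) else None
        if m:
            return (suffix[1:], (m.group(1) or m.group(2)).lower())
    return None

def detect(events):
    """One alert per stop attempt; 'high' for a critical target or a per-host burst."""
    hits = [(e["Computer"],) + c for e in events for c in [classify(e)] if c]
    distinct = Counter(h for h, _ in {(h, t) for h, _, t in hits})  # host -> number of services hit
    return [{"host": h, "method": m, "target": t, "level": "high" if distinct[h] >= BURST
             or any(c in t for c in CRITICAL) else "medium"} for h, m, t in hits]
def ev(host, exe, cmd):  # constructed Sysmon-style process_creation event, not real telemetry
    return {"Computer": host, "Image": "C:\\Windows\\System32\\" + exe, "CommandLine": cmd}
EVENTS = [
    ev("FS01", "net.exe", 'net stop "SQL Server (MSSQLSERVER)" /y'),
    ev("FS01", "sc.exe", "sc config WinDefend start= disabled"),
    ev("FS01", "WindowsPowerShell\\v1.0\\powershell.exe", "powershell -c Stop-Service -Force -Name vss"),
    ev("FS01", "taskkill.exe", "taskkill /F /IM sqlservr.exe"),
    ev("WS07", "sc.exe", "sc config Spooler start= demand"),  # start-type change, not a disable
    ev("WS07", "net.exe", "net stop Spooler"),
]
```

`detect(EVENTS)` yields four high alerts for FS01 (critical targets and a burst of four services) and one medium alert for WS07; the `sc config ... demand` event is ignored.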
