
Service Stop T1489

Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.

Events covered

8 catalog events are tagged with this technique by at least one rule.

| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
| Sysmon | 5 | Process terminated |
| Sysmon | 13 | RegistryEvent (Value Set) |
| Security-Auditing | 4688 | A new process has been created. |
| TaskScheduler | 141 | User "TaskName" deleted Task Scheduler task "Name". |
| MsiInstaller | 1034 | Product: Data_0. |
| MsiInstaller | 11724 | |
| Service-Control-Manager | 7040 | The start type of the msdsm service was changed from boot start to demand start. |

Authoring guide

Patterns shared across the 12 rules under this technique: which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (16 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

| Field | Rules | How | Sample values |
|---|---|---|---|
| Image | 7 | ends_with 7 | \schtasks.exe, \net.exe, \net1.exe, \powershell.exe, \pwsh.exe |
| CommandLine | 7 | match 7 | \Windows\WindowsBackup\, \Windows\UpdateOrchestrator\, stop , /f, /tn \* |
| OriginalFileName | 4 | eq 4 | net1.exe, PowerShell.EXE, sc.exe, net.exe, pwsh.dll |
| EventID | 2 | eq 2 | 5, 7040 |
| Provider_Name | 1 | eq 1 | MsiInstaller |
| TaskName | 1 | match 1 | \Windows\WindowsBackup\, \Windows\UpdateOrchestrator\, \Windows\Windows Defender\ |
| UserName | 1 | match 1 | AUTORI, AUTHORI |
| process_name | 1 | in 1 | "PServiceControl.exe", "PService_PPD.exe" |
| EventType | 1 | eq 1 | modified, deleted |
| Details | 1 | eq 1 | 0x00000001 |
| registry_value_name | 1 | eq 1 | DeleteFlag |
| registry_path | 1 | eq 1 | "*\\SYSTEM\\CurrentControlSet\\Services*" |
| param1 | 1 | in 1 | "UsoSvc", "WaaSMedicSvc", "wuauserv" |
| param3 | 1 | eq 1 | disabled |
| start_mode | 1 | eq 1 | disabled |

Top indicator values (296 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another, more specific condition to get useful signal. Blank means the combination is specific to rules under this technique.

| Field | Kind | Value | Rules (here) | Corpus reach |
|---|---|---|---|---|
| Image | ends_with | \schtasks.exe | 3 | 45 |
| CommandLine | match | stop  | 3 | 3 |
| CommandLine | match | \Windows\UpdateOrchestrator\ | 2 | 2 |
| CommandLine | match | \Windows\WindowsUpdate\ | 2 | 2 |
| CommandLine | match | \Windows\ExploitGuard | 2 | 2 |
| CommandLine | match | \Windows\WindowsBackup\ | 2 | 2 |
| CommandLine | match | \Windows\Windows Defender\ | 2 | 2 |
| CommandLine | match | \Windows\BitLocker | 2 | 2 |
| CommandLine | match | \Windows\SystemRestore\SR | 2 | 2 |
| OriginalFileName | eq | net1.exe | 2 | 16 |
| Image | ends_with | \net.exe | 2 | 27 |
| OriginalFileName | eq | net.exe | 2 | 16 |
| Image | ends_with | \net1.exe | 2 | 25 |
| CommandLine | match | Stop-Service  | 2 | 2 |
| Image | ends_with | \powershell.exe | 2 | 143 |
| OriginalFileName | eq | PowerShell.EXE | 2 | 64 |
| Image | ends_with | \pwsh.exe | 2 | 140 |
| OriginalFileName | eq | pwsh.dll | 2 | 72 |
| OriginalFileName | eq | sc.exe | 2 | 10 |
| Image | ends_with | \sc.exe | 2 | 17 |
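The pairing described above, a high-reach image indicator gated by a technique-specific CommandLine condition, as an added example that is not part of the catalog or any of its rules. It evaluates the normalized fields Image and CommandLine from the tables against constructed Sysmon Event ID 1-style events; the service and task names in the samples are illustrative, and the schtasks verb regex is an assumption about what the catalog's /tn and /f predicates are paired with.

```python
import re

# Broad image indicators from the table above: high corpus reach, noisy alone
LOLBIN_IMAGES = ("\\net.exe", "\\net1.exe", "\\sc.exe",
                 "\\powershell.exe", "\\pwsh.exe", "\\schtasks.exe")
# Narrow CommandLine conditions that make the image indicator specific to T1489
STOP_PATTERNS = (
    re.compile(r"\bstop\b", re.IGNORECASE),            # net stop / sc stop
    re.compile(r"\bStop-Service\b", re.IGNORECASE),    # PowerShell cmdlet
    re.compile(r"start=\s*disabled", re.IGNORECASE),   # sc config <svc> start= disabled
)
PROTECTED_TASK_PATHS = (                               # lower-cased for matching
    "\\windows\\windowsbackup\\", "\\windows\\updateorchestrator\\",
    "\\windows\\windowsupdate\\", "\\windows\\exploitguard",
    "\\windows\\windows defender\\", "\\windows\\bitlocker",
    "\\windows\\systemrestore\\sr",
)

def classify(event):
    """Return a match reason for a Sysmon EID 1-style event dict, or None."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    if not image.endswith(LOLBIN_IMAGES):
        return None                      # not one of the catalog's images
    exe = image.rsplit("\\", 1)[-1]
    if exe == "schtasks.exe":
        # schtasks alone reaches 45 rules; require a delete/change/disable
        # verb AND a protected task path before flagging (verb list assumed)
        low = cmd.lower()
        if (re.search(r"/(delete|change|disable)\b", low)
                and any(p in low for p in PROTECTED_TASK_PATHS)):
            return f"{exe}: protected scheduled task removed or disabled"
        return None
    for pat in STOP_PATTERNS:
        if pat.search(cmd):
            return f"{exe}: service stop/disable command"
    return None

# Constructed sample events (not real telemetry); names are illustrative
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\net1.exe", "CommandLine": "net1 stop wuauserv"},
    {"Image": "C:\\Windows\\System32\\sc.exe", "CommandLine": "sc config WaaSMedicSvc start= disabled"},
    {"Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "CommandLine": "pwsh -c Stop-Service UsoSvc -Force"},
    {"Image": "C:\\Windows\\System32\\schtasks.exe", "CommandLine": "schtasks /Delete /TN \\Windows\\WindowsBackup\\ExampleTask /F"},
    {"Image": "C:\\Windows\\System32\\schtasks.exe", "CommandLine": "schtasks /Query /TN \\Windows\\WindowsBackup\\ExampleTask"},
    {"Image": "C:\\Windows\\System32\\net1.exe", "CommandLine": "net1 use Z: \\\\fileserver\\share"},
]
def run(events):
    """Pair each event's CommandLine with its classification (None = no match)."""
    return [(e["CommandLine"], classify(e)) for e in events]
```

The last two samples show why the gate matters: a schtasks query and an ordinary net use share the noisy image indicator but produce no match.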

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma (9 rules)

Splunk (3 rules)