Service Stop T1489

Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.

Events covered

14 catalog events are tagged with this technique by at least one rule.

Authoring guide

Patterns shared across the 29 rules under this technique: which fields they filter on, which specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (26 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

| Field | Rules | How | Sample values |
|---|---|---|---|
| CommandLine | 18 | contains 17, ends_with 2, eq 1, match 1, regex_match 1, starts_with 1 | stop , /f, delete , \windows\bitlocker, \windows\exploitguard |
| Image | 12 | ends_with 12 | \sc.exe, \net.exe, \net1.exe, \schtasks.exe, \powershell.exe |
| OriginalFileName | 11 | eq 11 | net1.exe, sc.exe, net.exe, powershell.exe, schtasks.exe |
| EventID | 6 | eq 6 | 4656, 4688, 1, 4103, 4104 |
| process_name | 6 | eq 5, in 1 | sc.exe, net1.exe, pservice_ppd.exe, pservicecontrol.exe |
| Details | 2 | eq 2 | 0x00000001, 3, 4 |
| count | 2 | ge 2 | 4, 5 |
| "Processes.process" | 1 | contains 1 | stop \"samss\" |
| "Processes.process_name" | 1 | eq 1 | net*.exe |
| Channel | 1 | eq 1, in 1 | |
| EventType | 1 | eq 1 | deleted, modified |
| ParentImage | 1 | contains 1, ends_with 1 | .tmp, :\windows\temp, \appdata\local\temp\ |
| Provider_Name | 1 | eq 1 | MsiInstaller |
| TargetObject | 1 | wildcard 1 | \registry\machine\system\*controlset*\services\*\start, hklm\system\*controlset*\services\*\start |
| TaskName | 1 | contains 1 | \windows\bitlocker, \windows\exploitguard, \windows\systemrestore\sr |

Top indicator values (331 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition to get a useful signal. Blank means the combination is specific to rules under this technique.

| Field | Kind | Value | Rules (here) | Corpus reach |
|---|---|---|---|---|
| Image | ends_with | \sc.exe | 5 | 30 |
| Image | ends_with | \net.exe | 3 | 50 |
| Image | ends_with | \net1.exe | 3 | 48 |
| Image | ends_with | \schtasks.exe | 3 | 57 |
| Image | ends_with | \powershell.exe | 2 | 186 |
| Image | ends_with | \pwsh.exe | 2 | 172 |
| Image | ends_with | \taskkill.exe | 2 | 4 |
| OriginalFileName | eq | net1.exe | 5 | 43 |
| OriginalFileName | eq | sc.exe | 5 | 26 |
| OriginalFileName | eq | net.exe | 2 | 27 |
| OriginalFileName | eq | powershell.exe | 2 | 121 |
| CommandLine | contains | stop | 4 | 7 |
| CommandLine | contains | config | 3 | 15 |
| CommandLine | contains | stop-service | 3 | 4 |
| CommandLine | contains | delete | 2 | 5 |
| CommandLine | contains | \windows\bitlocker | 2 | 2 |
| CommandLine | contains | \windows\exploitguard | 2 | 2 |
| CommandLine | contains | \windows\systemrestore\sr | 2 | 2 |
| CommandLine | contains | \windows\updateorchestrator\ | 2 | 2 |
| CommandLine | contains | \windows\windows defender\ | 2 | 2 |
| CommandLine | contains | \windows\windowsbackup\ | 2 | 2 |
| CommandLine | contains | \windows\windowsupdate\ | 2 | 2 |
| CommandLine | contains | delete | 2 | 22 |
| CommandLine | contains | disabled | 2 | 6 |
| CommandLine | contains | sc | 2 | 7 |
| CommandLine | contains | stop | 2 | 3 |
| process_name | eq | sc.exe | 4 | 27 |
| process_name | eq | net1.exe | 3 | 34 |
| EventID | eq | 4656 | 2 | 19 |
| EventID | eq | 4688 | 2 | 312 |

Exclusions (8 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

| Field | Kind | Value | Rules excluding |
|---|---|---|---|
| ParentImage | contains | :\windows\temp | 1 |
| ParentImage | contains | \appdata\local\temp\ | 1 |
| ParentImage | ends_with | .tmp | 1 |
| TargetObject | eq | hklm\system\controlset001\services\mrxsmb10\start | 1 |
| process_name | eq | services.exe | 1 |
| user | contains | authori | 1 |
| user | contains | autori | 1 |
| user.id | eq | S-1-5-18 | 1 |
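The indicator and exclusion tables above describe rule patterns in the abstract. The following is an added example, not code from the catalog or from any vendor's rule, showing how those patterns combine into one check: a noisy Image indicator (sc.exe alone is checked by 30 rules corpus-wide) paired with a CommandLine condition, with the account-based exclusions applied, run over constructed events in Sigma-, Elastic- and Splunk-style field names. The field-alias mapping and the sample events are assumptions made for the example.

```python
import re

# Vendor field names collapsed into one name, mirroring the catalog's
# normalization of Image / process.name / process_name (assumed mapping).
FIELD_ALIASES = {
    "process.name": "Image", "process_name": "Image",
    "process.command_line": "CommandLine", "process": "CommandLine",
    "User": "user", "user.name": "user",
}

# Image values from the indicator table; each is noisy on its own, so the rule
# also requires a CommandLine condition built from the stop / delete /
# stop-service / config + disabled entries.
SERVICE_TOOLS = {"sc.exe", "net.exe", "net1.exe", "powershell.exe", "pwsh.exe"}
STOP_CMD = re.compile(r"\b(stop|delete|stop-service)\b|\bconfig\b.*\bdisabled\b", re.I)

# Account-based exclusions from the exclusions table (NT AUTHORITY spellings
# and the local SYSTEM SID).
EXCLUDED_USER_SUBSTRINGS = ("authori", "autori")
EXCLUDED_SIDS = {"S-1-5-18"}

def normalize(event: dict) -> dict:
    """Rename vendor-specific keys to the catalog's field names."""
    return {FIELD_ALIASES.get(k, k): str(v) for k, v in event.items()}

def matches_service_stop(raw_event: dict) -> bool:
    """Indicator AND command-line condition, minus the exclusions."""
    e = normalize(raw_event)
    # Compare on the basename so a full Sigma Image path and a bare Elastic
    # process.name are treated alike (the ends_with \sc.exe style of check).
    image_name = e.get("Image", "").lower().rsplit("\\", 1)[-1]
    if image_name not in SERVICE_TOOLS:
        return False
    if not STOP_CMD.search(e.get("CommandLine", "")):
        return False
    user = e.get("user", "").lower()
    if any(s in user for s in EXCLUDED_USER_SUBSTRINGS):
        return False
    return e.get("user.id") not in EXCLUDED_SIDS

def detect(events: list) -> list:
    """Return the command lines of the events that match."""
    return [normalize(ev)["CommandLine"] for ev in events if matches_service_stop(ev)]

# Constructed sample events (not real telemetry); service names are made up.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\sc.exe", "CommandLine": "sc.exe stop BackupSvc", "User": r"CORP\alice"},
    {"Image": r"C:\Windows\System32\sc.exe", "CommandLine": "sc config BackupSvc start= disabled", "User": r"CORP\alice"},
    {"Image": r"C:\Windows\System32\sc.exe", "CommandLine": "sc query BackupSvc", "User": r"CORP\alice"},
    {"Image": r"C:\Windows\System32\net.exe", "CommandLine": "net stop samss", "User": r"NT AUTHORITY\SYSTEM"},
    {"process.name": "net1.exe", "process.command_line": "net1 stop samss", "user.id": "S-1-5-18"},
    {"process_name": "net1.exe", "process": "net1 stop samss", "user": r"CORP\bob"},
    {"Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k stop", "User": r"CORP\alice"},
]
```

Running `detect(SAMPLE_EVENTS)` flags the three user-driven stop/disable events and drops the query, the SYSTEM-account events, and the non-listed image.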

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor, with each rule's full predicates, exclusions, and indicators available from its title.

Sigma 14 rules

Elastic 1 rule

Splunk 14 rules