LoFP / There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behaviour in particular. Filter legitimate activity accordingly.

Sample rules

Stop Windows Service Via Net.EXE

Description

Detects the stopping of a Windows service via the “net” utility.

Detection logic

condition: all of selection_*
selection_cli:
  CommandLine|contains: ' stop '
selection_img:
- OriginalFileName:
  - net.exe
  - net1.exe
- Image|endswith:
  - \net.exe
  - \net1.exe

Stop Windows Service Via PowerShell Stop-Service

Description

Detects the stopping of a Windows service via the PowerShell cmdlet “Stop-Service”.

Detection logic

condition: all of selection_*
selection_cli:
  CommandLine|contains: 'Stop-Service '
selection_sc_net_img:
- OriginalFileName:
  - PowerShell.EXE
  - pwsh.dll
- Image|endswith:
  - \powershell.exe
  - \pwsh.exe

Stop Windows Service Via Sc.EXE

Description

Detects the stopping of a Windows service via the “sc.exe” utility.

Detection logic

condition: all of selection_*
selection_cli:
  CommandLine|contains: ' stop '
selection_img:
- OriginalFileName: sc.exe
- Image|endswith: \sc.exe
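To see what the three detection blocks above actually fire on, and how the LoFP advice ("filter legitimate activity accordingly") is applied in Sigma terms, here is an added example that runs them over constructed process-creation events. It is a deliberately minimal re-implementation of just the subset of Sigma matching these rules use (case-insensitive `contains`/`endswith`, a map is AND, a list of maps is OR, condition `all of selection_* and not 1 of filter_*`); it is neither pySigma nor SigmaHQ code, and the events, the `patch_agent.exe` filter and its path are all made up for the demonstration. It also shows why the rules list `OriginalFileName` beside `Image|endswith`: a copy of `net1.exe` under another name still matches on the PE's original file name.

```python
"""Run the three 'stop a Windows service' Sigma selections over constructed
process-creation events, with and without an example filter_* selection.
Added example: minimal Sigma-subset evaluator, not pySigma or SigmaHQ code."""


def _match(value, modifier, pattern):
    """One field value against one pattern. Sigma string matching is
    case-insensitive by default, so both sides are lower-cased."""
    if value is None:
        return False
    v, p = str(value).lower(), str(pattern).lower()
    if modifier == "contains":
        return p in v
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "startswith":
        return v.startswith(p)
    return v == p  # no modifier: whole-value match


def _field_matches(event, key, patterns):
    """'Field|modifier': value-or-list. A list of values under one field is OR."""
    field, _, modifier = key.partition("|")
    if not isinstance(patterns, list):
        patterns = [patterns]
    return any(_match(event.get(field), modifier, p) for p in patterns)


def selection_matches(event, selection):
    """A map is AND over its fields; a list of maps is OR over the maps."""
    if isinstance(selection, list):
        return any(selection_matches(event, item) for item in selection)
    return all(_field_matches(event, k, v) for k, v in selection.items())


def rule_matches(event, detection):
    """condition: all of selection_* and not 1 of filter_*
    (with no filter_ entries this is exactly the page's 'all of selection_*')."""
    selections = [v for k, v in detection.items() if k.startswith("selection_")]
    filters = [v for k, v in detection.items() if k.startswith("filter_")]
    return all(selection_matches(event, s) for s in selections) and not any(
        selection_matches(event, f) for f in filters)


# The three detection blocks from the page, transcribed into Python literals.
RULES = {
    "Stop Windows Service Via Net.EXE": {
        "selection_cli": {"CommandLine|contains": " stop "},
        "selection_img": [
            {"OriginalFileName": ["net.exe", "net1.exe"]},
            {"Image|endswith": ["\\net.exe", "\\net1.exe"]},
        ],
    },
    "Stop Windows Service Via PowerShell Stop-Service": {
        "selection_cli": {"CommandLine|contains": "Stop-Service "},
        "selection_sc_net_img": [
            {"OriginalFileName": ["PowerShell.EXE", "pwsh.dll"]},
            {"Image|endswith": ["\\powershell.exe", "\\pwsh.exe"]},
        ],
    },
    "Stop Windows Service Via Sc.EXE": {
        "selection_cli": {"CommandLine|contains": " stop "},
        "selection_img": [{"OriginalFileName": "sc.exe"}, {"Image|endswith": "\\sc.exe"}],
    },
}

# Hypothetical filter for the LoFP advice: an assumed patch-management agent
# known to stop services. Its name and parent path are invented for this example.
ADMIN_FILTER = {"filter_patch_agent": {"ParentImage|endswith": "\\patch_agent.exe"}}

# Constructed Sysmon Event ID 1 style records (not real telemetry).
EVENTS = [
    {"id": "sc-query", "Image": r"C:\Windows\System32\sc.exe",
     "OriginalFileName": "sc.exe", "CommandLine": "sc query Spooler"},
    {"id": "net-stop", "Image": r"C:\Windows\System32\net.exe",
     "OriginalFileName": "net.exe", "CommandLine": "net stop Spooler"},
    # net1.exe copied to a neutral name: Image no longer ends with \net1.exe,
    # but the PE's OriginalFileName still identifies it.
    {"id": "renamed-net1", "Image": r"C:\Users\Public\n.exe",
     "OriginalFileName": "net1.exe", "CommandLine": "n.exe stop Spooler"},
    {"id": "ps-stop", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": 'powershell.exe -c "Stop-Service -Name Spooler"'},
    {"id": "sc-stop", "Image": r"C:\Windows\System32\sc.exe",
     "OriginalFileName": "sc.exe", "CommandLine": "sc stop Spooler"},
    {"id": "sc-stop-patch-agent", "Image": r"C:\Windows\System32\sc.exe",
     "OriginalFileName": "sc.exe", "CommandLine": "sc stop Spooler",
     "ParentImage": r"C:\ProgramData\PatchAgent\patch_agent.exe"},
]


def fired_rules(event, rules=RULES, extra_filters=None):
    """Names of the rules that fire on one event; extra filter_* selections,
    if given, are merged into every rule's detection block."""
    return [name for name, detection in rules.items()
            if rule_matches(event, {**detection, **(extra_filters or {})})]


if __name__ == "__main__":
    for ev in EVENTS:
        print(f"{ev['id']:22} raw: {fired_rules(ev) or 'no match'}"
              f" | filtered: {fired_rules(ev, extra_filters=ADMIN_FILTER) or 'no match'}")
```

The filter is merged into every rule's detection block rather than into one rule because the same legitimate process will trip all three rules depending on which tool it uses; in a real deployment the exclusion belongs in each rule's own `filter_` selection (or a Sigma filter rule) with a parent path or signer that is actually observed in your environment, not a guess like the one above.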