this behavior may be noisy, as these cmdlets are commonly used by system administrators or other legitimate users to manage services. therefore, it is recommended not to enable this analytic as a direct notable or ttp. instead, it should be used as part of a broader set of security controls to detect and investigate potential threats.

t1059.001
endpoint
splunk

Techniques

T1059.001

Sample rules

PowerShell Start or Stop Service

source: splunk
technicques:
- T1059.001

Description

The following analytic identifies the use of PowerShell’s Start-Service or Stop-Service cmdlets on an endpoint. It leverages PowerShell Script Block Logging to detect these commands. This activity is significant because attackers can manipulate services to disable or stop critical functions, causing system instability or disrupting business operations. If confirmed malicious, this behavior could allow attackers to disable security services, evade detection, or disrupt essential services, leading to potential system downtime and compromised security.

Detection logic

`powershell` EventCode=4104 ScriptBlockText IN ("*start-service*", "*stop-service*") 
| stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `powershell_start_or_stop_service_filter`