Windows - Service Stop (PowerShell)
This use case detects any service stop commands on Windows endpoints. Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment. Adversaries may accomplish this by disabling individual services of high importance to an organization, such as MSExchangeIS, which will make Exchange content inaccessible. In some cases, adversaries may stop or disable many or all services to render systems unusable. Services or processes may not allow for modification of their data stores while running. Adversaries may stop services or processes in order to conduct Data Destruction or Data Encrypted for Impact on the data stores of services like Exchange and SQL Server.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Stealth | T1562.001 Impair Defenses: Disable or Modify Tools |
| Impact | T1489 Service Stop |
References
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md#atomic-test-1---windows---stop-service-using-service-controller
Event coverage
| Provider | Event | Title |
|---|---|---|
| PowerShell | Event ID 4103 | Payload Context: ContextInfo User Data: UserData. |
| PowerShell | Event ID 4104 | Creating Scriptblock text (MessageNumber of MessageTotal). |
Rule body
```yaml
id: '12724.31085'
title: Windows - Service Stop
description: 'This use case detects any service stop commands on Windows endpoints.
Adversaries may stop or disable services on a system to render those services unavailable
to legitimate users. Stopping critical services or processes can inhibit or stop
response to an incident or aid in the adversary''s overall objectives to cause damage
to the environment. Adversaries may accomplish this by disabling individual services
of high importance to an organization, such as MSExchangeIS, which will make Exchange
content inaccessible. In some cases, adversaries may stop or disable many or all
services to render systems unusable. Services or processes may not allow for modification
of their data stores while running. Adversaries may stop services or processes in
order to conduct Data Destruction or Data Encrypted for Impact on the data stores
of services like Exchange and SQL Server. -- Threat Actor Association: APT28 (aka Fancy
Bear, Fighting Ursa, Forest Blizzard, Pawn Storm, TA422, STRONTIUM), APT29/Nobelium/Cozy
Bear, Cadet Blizzard, FIN6, GoldenJackal, Kimsuky, Lapsus$, Magic Hound (aka APT35,
Charming Kitten, Phosphorus, and Mint Sandstorm), TA2541, Traveling Spider - Software
Association: AvosLocker, BianLian, BlackByte, Blackcat/ALPHV, Black Basta, Conti,
Cring, Cuba, GhostShell, Hive, Lockbit, Nefilim, Prestige, Prometheus / Spook, Rhysida,
Royal, Ryuk, Snatch, TeamTNT, Trigona, WatchDog, WhisperGate, XingLocker -- Atomics
T1489 Test #1 Atomics T1489 Test #2 Atomics T1489 Test #3'
logic_format: Splunk
logic: '`get_endpoint_data` `get_endpoint_data_powershell` (TERM(EventCode=4103) OR
"<EventID>4103<" OR TERM(EventCode=4104) OR "<EventID>4104<") ((TERM(sc.exe) OR
TERM(sc) OR TERM(net) OR TERM(net.exe)) AND TERM(stop)) OR ( TERM(taskkill) AND
( TERM(/IM) OR TERM(/PID) OR TERM(/T) ) AND TERM(/F)) OR ((TERM(sc.exe) OR TERM(sc))
AND TERM(CONFIG) AND TERM(START=) AND TERM(DISABLED)) OR ((TERM(Stop-Process) OR
TERM(kill) OR TERM(spps)) (TERM(-name) OR TERM(-ProcessName) OR TERM(-id))) OR (TERM(Win32_Process)
AND ".terminate") | table _time, host, user parent_process*, process, process_*,
signature_id, user_id | bin span=1s | stats values(*) as * by _time, host '
techniques:
- defense-evasion:impair defenses:disable or modify tools
- impact:service stop
technique_id:
- T1562.001
- T1489
data_category:
- PowerShell logs
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md#atomic-test-1---windows---stop-service-using-service-controller
```
Stages and Predicates
Stage 1: search
`get_endpoint_data` `get_endpoint_data_powershell` (TERM(EventCode=4103) OR "<EventID>4103<" OR TERM(EventCode=4104) OR "<EventID>4104<") ((TERM(sc.exe) OR TERM(sc) OR TERM(net) OR TERM(net.exe)) AND TERM(stop)) OR ( TERM(taskkill) AND ( TERM(/IM) OR TERM(/PID) OR TERM(/T) ) AND TERM(/F)) OR ((TERM(sc.exe) OR TERM(sc)) AND TERM(CONFIG) AND TERM(START=) AND TERM(DISABLED)) OR ((TERM(Stop-Process) OR TERM(kill) OR TERM(spps)) (TERM(-name) OR TERM(-ProcessName) OR TERM(-id))) OR (TERM(Win32_Process) AND ".terminate")
Stage 2: table
| table _time, host, user parent_process*, process, process_*, signature_id, user_id
Stage 3: bucket
| bin span=1s
Stage 4: stats
| stats values(*) as * by _time, host
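As an added illustration that is not part of this rule catalog, the Python below emulates the Stage 1 search over constructed PowerShell 4103/4104 events: TERM() is approximated as a case-insensitive whole-token match between Splunk's major breakers, a quoted string as a substring of _raw, and OR is evaluated before the implied AND, as Splunk does. The breaker set, the event layout and the sample script blocks are assumptions, not Splunk's real lexicon or real logs.

```python
import re

# Approximation of Splunk's major breakers: TERM(x) matches x only as a whole
# token between these characters; minor breakers such as . - _ = / stay inside.
MAJOR_BREAKERS = re.compile(r'''[\s\[\]<>(){}|!;,'"*&%]+''')


def tokens(raw):
    """Lower-cased whole tokens of the raw event (TERM() is case-insensitive)."""
    return {t.lower() for t in MAJOR_BREAKERS.split(raw) if t}


def matches(raw):
    """Stage 1 of the rule. Splunk evaluates OR before the implied AND, so the
    4103/4104 filter applies to the whole OR-chain of command patterns."""
    t = tokens(raw)
    def term(word): return word.lower() in t              # TERM(word)
    def phrase(text): return text.lower() in raw.lower()  # "quoted": substring of _raw
    ps_event = (term('EventCode=4103') or phrase('<EventID>4103<')
                or term('EventCode=4104') or phrase('<EventID>4104<'))
    c1 = any(map(term, ('sc.exe', 'sc', 'net', 'net.exe'))) and term('stop')
    c2 = term('taskkill') and any(map(term, ('/IM', '/PID', '/T'))) and term('/F')
    c3 = ((term('sc.exe') or term('sc')) and term('CONFIG')
          and term('START=') and term('DISABLED'))
    c4 = (any(map(term, ('Stop-Process', 'kill', 'spps')))
          and any(map(term, ('-name', '-ProcessName', '-id'))))
    c5 = term('Win32_Process') and phrase('.terminate')
    return ps_event and (c1 or c2 or c3 or c4 or c5)


# Constructed sample events (not real logs), each with the verdict the rule gives.
XML = '<EventID>{}</EventID><Data Name="ScriptBlockText">{}</Data>'
SAMPLE_EVENTS = [
    (XML.format(4104, 'sc.exe stop MSExchangeIS'), True),
    ('EventCode=4104\nMessage=Creating Scriptblock text (1 of 1):\nnet stop MSSQLSERVER /y', True),
    (XML.format(4104, 'taskkill /IM sqlservr.exe /F'), True),
    (XML.format(4104, 'sc config MSExchangeIS start= disabled'), True),
    (XML.format(4103, 'Stop-Process -Name sqlservr -Force'), True),
    (XML.format(4104, 'Get-CimInstance Win32_Process | Where-Object Name -eq sqlservr.exe '
                      '| ForEach-Object { $_.Terminate() }'), True),
    (XML.format(4104, 'Stop-Service -Name MSExchangeIS'), False),  # cmdlet is not in the token set
    (XML.format(4688, 'sc stop MSExchangeIS'), False),             # not a PowerShell 4103/4104 event
    (XML.format(4104, 'Get-Service | Where-Object Status -eq Stopped'), False),  # Stopped != TERM(stop)
]


def evaluate_samples():
    """Verdict for every sample, in order (compare against the expected column)."""
    return [matches(raw) for raw, _ in SAMPLE_EVENTS]
```

The negative cases document what the Stage 1 token set does not cover (a Stop-Service cmdlet, a non-PowerShell event, the word Stopped); extend the token list in Stage 1 if that coverage is wanted.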
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| EventCode | eq | 4103, 4104 |
Search terms
Bare-string tokens in the SPL search body. A TERM(...) token is matched against the indexed terms of _raw (the untyped raw event text) as a whole token bounded by major breakers, and a quoted string is matched as a substring of _raw; neither is tied to a specific field. These don't surface in the Indicators table because they aren't predicates on a known field.
| Stage | Term |
|---|---|
| 1 | "<EventID>4103<" |
| 1 | "<EventID>4104<" |
| 1 | TERM(sc.exe) |
| 1 | TERM(sc) |
| 1 | TERM(net) |
| 1 | TERM(net.exe) |
| 1 | TERM(stop) |
| 1 | TERM(taskkill) |
| 1 | TERM(/IM) |
| 1 | TERM(/PID) |
| 1 | TERM(/T) |
| 1 | TERM(/F) |
| 1 | TERM(sc.exe) |
| 1 | TERM(sc) |
| 1 | TERM(CONFIG) |
| 1 | TERM(START=) |
| 1 | TERM(DISABLED) |
| 1 | TERM(Stop-Process) |
| 1 | TERM(kill) |
| 1 | TERM(spps) |
| 1 | TERM(-name) |
| 1 | TERM(-ProcessName) |
| 1 | TERM(-id) |
| 1 | TERM(Win32_Process) |
| 1 | ".terminate" |