Skip to content

DET0021 Behavioral Detection for Service Stop across Platforms

Item Value
ID DET0021
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1489 (Service Stop)

Analytics

Windows

AN0061

Adversary disables or stops critical services (e.g., Exchange, SQL, AV, endpoint monitoring) using native utilities or API calls, often preceding destructive actions (T1485, T1486). Behavioral chain: Elevated execution context + stop-service or sc.exe or ChangeServiceConfigW + terminated or disabled service + possible follow-up file manipulation.

Log Sources
Data Component Name Channel
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
Logon Session Metadata (DC0088) WinEventLog:Security EventCode=4672
Service Creation (DC0060) WinEventLog:System EventCode=7036
Service Metadata (DC0041) WinEventLog:Sysmon EventCode=4
Mutable Elements
Field Description
TimeWindow Time span between elevated privilege use and critical service stop
ServiceName Service names of interest (e.g., MSExchangeIS, SQLSERVERAGENT)
ParentProcess Upstream process lineage leading to service stop

Linux

AN0062

Adversary executes systemctl or service stop targeting high-value services (e.g., mysql, sshd), possibly followed by rm or shred against data stores. Behavioral chain: sudo/su usage + stop command + /var/log/messages or syslog entries + file access/delete.

Log Sources
Data Component Name Channel
Process Creation (DC0032) auditd:SYSCALL execve of systemctl or service stop
File Deletion (DC0040) auditd:SYSCALL unlink/unlinkat on service binaries or data targets
Service Metadata (DC0041) linux:syslog service stopped messages
Mutable Elements
Field Description
TimeWindow Window between service stop and suspicious file deletion
ExecUser Username or UID executing service stop command

macOS

AN0063

Use of launchctl to stop services or kill critical background processes (e.g., securityd, com.apple.*), typically followed by command-line tools like rm or diskutil. Behavioral chain: Terminal or remote shell + launchctl bootout/disable + process termination + follow-on modification.

Log Sources
Data Component Name Channel
Service Metadata (DC0041) macos:unifiedlog launchctl disable or bootout calls
Process Creation (DC0032) auditd:SYSCALL execve of launchctl or pkill
Mutable Elements
Field Description
ServiceLabel Launch daemon label or name targeted by command
LaunchType Whether the command disables or boots out the service

ESXi

AN0064

Attacker disables VM-related services or stops VMs forcibly to target vmdk or logs. Behavioral chain: esxcli or vim-cmd stop + audit log showing user privilege use + datastore file manipulation.

Log Sources
Data Component Name Channel
Service Metadata (DC0041) esxi:hostd Stop VM or disable service events via vim-cmd
Process Termination (DC0033) esxi:hostd Log entries indicating VM powered off or forcibly terminated
Mutable Elements
Field Description
VMName Targeted virtual machine name
InitiatorUser User who issued stop or disable command