T1489

Service Stop

Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.(Citation: Talos Olympic Destroyer 2018)(Citation: Novetta Blockbuster) Adversaries may accomplish this by disabling individual services of high importance to an organization, such as MSExchangeIS, which will m...

Platforms: ESXi, IaaS, Linux, macOS, Windows

54 detections, 3 sources, 6 threat actors

BY SOURCE

elastic (19), sigma (18), splunk_escu (17)

PROCEDURES (27)

Detection counts per procedure are auto-extracted.

Persist: 7 detections
General Monitoring: 6 detections
Cloud Monitoring: 4 detections
Service: 3 detections
Service: 3 detections
Kubernetes: 3 detections
Azure: 2 detections
Bypass: 2 detections
Scheduled Task: 2 detections
Service: 2 detections
Powershell: 2 detections
Suspicious: 2 detections
Registry: 2 detections
Ransomware: 1 detection
Ransomware: 1 detection
Kubernetes: 1 detection
Service: 1 detection
Azure: 1 detection
Ransomware: 1 detection
Process Creation Monitoring: 1 detection
Service Monitoring: 1 detection
Suspicious: 1 detection
Cloud: 1 detection
Cloud: 1 detection
Scheduled Task: 1 detection
Bypass: 1 detection
Container: 1 detection

DETECTIONS (54)

Each entry lists the detection name followed by its source and, where the source assigns one, its severity.

Application Uninstalled (sigma, low)
Attempt to Deactivate an Okta Application (elastic, low)
Attempt to Delete an Okta Application (elastic, low)
Attempt to Disable Auditd Service (elastic, medium)
Attempt to Disable IPTables or Firewall (elastic, medium)
Attempt to Disable Syslog Service (elastic, medium)
AWS EventBridge Rule Disabled or Deleted (elastic, low)
Azure Application Deleted (sigma, medium)
Azure Container Registry Created or Deleted (sigma, low)
Azure Kubernetes Cluster Created or Deleted (sigma, low)
Azure Kubernetes Network Policy Change (sigma, medium)
Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted (sigma, medium)
Azure Kubernetes Secret or Config Object Access (sigma, medium)
Azure Kubernetes Sensitive Role Access (sigma, medium)
Azure Kubernetes Service Account Modified or Deleted (sigma, medium)
Azure Kubernetes Services (AKS) Kubernetes Pods Deleted (elastic, medium)
Azure Resource Group Deleted (elastic, medium)
Azure Storage Account Deletion by Unusual User (elastic, medium)
Azure Storage Account Deletions by User (elastic, high)
Decline in host-based traffic (elastic, low)
Delete All Scheduled Tasks (sigma, high)
Delete Important Scheduled Task (sigma, high)
Disable Important Scheduled Task (sigma, high)
Elastic Agent Service Terminated (elastic, medium)
Excessive Attempt To Disable Services (splunk_escu)
GCP Pub/Sub Subscription Deletion (elastic, low)
GCP Pub/Sub Topic Deletion (elastic, low)
High Number of Process and/or Service Terminations (elastic, medium)
High Number of Process Terminations (elastic, medium)
Important Scheduled Task Deleted (sigma, high)
Kill Command Execution (elastic, low)
Linux Auditd Auditd Service Stop (splunk_escu)
Linux Auditd Osquery Service Stop (splunk_escu)
Linux Auditd Stop Services (splunk_escu)
Linux Auditd Sysmon Service Stop (splunk_escu)
Linux Disable Services (splunk_escu)
Linux Magic SysRq Key Abuse (splunk_escu)
Linux Stop Services (splunk_escu)
Ollama Abnormal Service Crash Availability Attack (splunk_escu)
Potential Abuse of Linux Magic System Request Key (sigma, medium)
Process Killing Detected via Defend for Containers (elastic, low)
Stop Windows Service Via Net.EXE (sigma, low)
Stop Windows Service Via PowerShell Stop-Service (sigma, low)
Stop Windows Service Via Sc.EXE (sigma, low)
Suspicious Termination of ESXI Process (elastic, high)
Suspicious Windows Service Tampering (sigma, high)
Windows Excessive Service Stop Attempt (splunk_escu)
Windows Processes Killed By Industroyer2 Malware (splunk_escu)
Windows Security Account Manager Stopped (splunk_escu)
Windows Service Deletion In Registry (splunk_escu)
Windows Service Stop Attempt (splunk_escu)
Windows Service Stop By Deletion (splunk_escu)
Windows Service Stop Win Updates (splunk_escu)
Windows Set Account Password Policy To Unlimited Via Net (splunk_escu)