Adversary disables or stops critical services (e.g., Exchange, SQL, AV, endpoint monitoring) using native utilities or API calls, often preceding destructive actions (T1485, T1486). Behavioral chain: Elevated execution context + Stop-Service or sc.exe or ChangeServiceConfigW + terminated or disabled service + possible follow-up file manipulation.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Logon Session Metadata (DC0088) | WinEventLog:Security | EventCode=4672 |
| Service Creation (DC0060) | WinEventLog:System | EventCode=7036 |
| Service Metadata (DC0041) | WinEventLog:Sysmon | EventCode=4 |

| Field | Description |
|---|---|
| TimeWindow | Time span between elevated privilege use and critical service stop |
| ServiceName | Service names of interest (e.g., MSExchangeIS, SQLSERVERAGENT) |
| ParentProcess | Upstream process lineage leading to service stop |

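The chain above (elevated context, then a stop utility, then the service actually entering the stopped state) can be expressed as a small correlator over ingested events. The block below is an added example and is not code from the original page or from ATT&CK: the `Event` records are constructed stand-ins for Security 4672, Sysmon EventCode=1 and System 7036 entries, the field names (`LogonId`, `CommandLine`, `ParentImage`, `State`) are assumptions about the ingestion schema, and `DISPLAY_TO_SHORT` is a made-up mapping because 7036 carries the service display name rather than its short name.

```python
"""Correlator for the Windows service-stop chain: elevated logon -> stop
utility -> service entered the stopped state.  Constructed example; the
Event records and field names are assumptions, not a real log schema."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# ServiceName values of interest (short names, lower-cased for comparison).
CRITICAL_SERVICES = {"msexchangeis", "sqlserveragent", "windefend", "sense"}

# System 7036 reports the *display* name; map it back to the short name.
# Constructed mapping; populate from `sc query` output in a real deployment.
DISPLAY_TO_SHORT = {
    "microsoft exchange information store": "msexchangeis",
    "sql server agent (mssqlserver)": "sqlserveragent",
    "microsoft defender antivirus service": "windefend",
}

# Native ways of stopping a service from a command line.
STOP_PATTERNS = [
    re.compile(r"\bsc(?:\.exe)?\s+(?:\\\\\S+\s+)?stop\s+(?P<svc>\S+)", re.I),
    re.compile(r"\bnet1?(?:\.exe)?\s+stop\s+\"?(?P<svc>[^\"\s]+)", re.I),
    re.compile(r"stop-service\s+(?:-name\s+)?\"?(?P<svc>[^\"\s]+)", re.I),
]


@dataclass
class Event:
    ts: datetime
    channel: str      # "Security", "Sysmon" or "System"
    event_id: int
    fields: dict


def service_from_cmdline(cmdline: str):
    """Short service name targeted by a stop command, or None."""
    for pat in STOP_PATTERNS:
        m = pat.search(cmdline)
        if m:
            return m.group("svc").strip('"').lower()
    return None


def correlate(events, window=timedelta(minutes=5)):
    """Emit one alert per critical-service stop whose full chain is present."""
    events = sorted(events, key=lambda e: e.ts)
    elevated = [e for e in events if e.channel == "Security" and e.event_id == 4672]
    alerts = []
    for e in events:
        if not (e.channel == "Sysmon" and e.event_id == 1):
            continue
        svc = service_from_cmdline(e.fields.get("CommandLine", ""))
        if svc not in CRITICAL_SERVICES:
            continue
        # Elevated context: a 4672 for the same logon session shortly before.
        priv = [p for p in elevated
                if p.fields.get("LogonId") == e.fields.get("LogonId")
                and timedelta(0) <= e.ts - p.ts <= window]
        # Effect: the service really entered the stopped state afterwards.
        stopped = [s for s in events
                   if s.channel == "System" and s.event_id == 7036
                   and s.fields.get("State", "").lower() == "stopped"
                   and timedelta(0) <= s.ts - e.ts <= window
                   and DISPLAY_TO_SHORT.get(s.fields.get("ServiceName", "").lower(),
                                            s.fields.get("ServiceName", "").lower()) == svc]
        if priv and stopped:
            alerts.append({
                "ServiceName": svc,
                "TimeWindow": (stopped[0].ts - priv[0].ts).total_seconds(),
                "ParentProcess": e.fields.get("ParentImage"),
                "Image": e.fields.get("Image"),
                "User": e.fields.get("User"),
            })
    return alerts


# Constructed sample: one full chain against Exchange and one benign Spooler stop.
T0 = datetime(2024, 1, 1, 10, 0, 0)
SAMPLE_EVENTS = [
    Event(T0, "Security", 4672, {"LogonId": "0x3e7a1", "SubjectUserName": "svc-admin"}),
    Event(T0 + timedelta(seconds=40), "Sysmon", 1, {
        "Image": r"C:\Windows\System32\sc.exe", "CommandLine": "sc.exe stop MSExchangeIS",
        "ParentImage": r"C:\Windows\System32\cmd.exe", "LogonId": "0x3e7a1",
        "User": r"CORP\svc-admin"}),
    Event(T0 + timedelta(seconds=43), "System", 7036, {
        "ServiceName": "Microsoft Exchange Information Store", "State": "stopped"}),
    Event(T0 + timedelta(minutes=2), "Sysmon", 1, {
        "Image": r"C:\Windows\System32\net.exe", "CommandLine": "net stop Spooler",
        "ParentImage": r"C:\Windows\explorer.exe", "LogonId": "0x3e7a1",
        "User": r"CORP\svc-admin"}),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Requiring all three legs keeps the Spooler stop in the sample from alerting: it is not in `CRITICAL_SERVICES`, and a stop command with no matching 7036 (for example, a failed `sc stop` against a protected AV service) is worth a separate, lower-severity rule rather than this one.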
Adversary executes systemctl or service stop targeting high-value services (e.g., mysql, sshd), possibly followed by rm or shred against data stores. Behavioral chain: sudo/su usage + stop command + /var/log/messages or syslog entries + file access/delete.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve of systemctl or service stop |
| File Deletion (DC0040) | auditd:SYSCALL | unlink/unlinkat on service binaries or data targets |
| Service Metadata (DC0041) | linux:syslog | service stopped messages |

| Field | Description |
|---|---|
| TimeWindow | Window between service stop and suspicious file deletion |
| ExecUser | Username or UID executing service stop command |

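On Linux the raw auditd records need reassembling before the chain can be checked: a single execve is spread over SYSCALL, EXECVE and PATH records sharing one serial, EXECVE arguments containing spaces or quotes are hex-encoded, and the user who typed the command is best taken from `auid` (the login UID, which survives `sudo`/`su`) rather than `uid`, which is 0 after escalation. The block below is an added example, not code from the original page: the audit lines are constructed, the rule keys `service_stop` and `delete` are assumed names, and the syscall numbers are the x86_64 values (execve=59, unlink=87, unlinkat=263).

```python
"""Parse auditd records and pair a critical service stop with a later
deletion by the same login user.  Constructed example; the sample audit
lines and rule keys are made up, syscall numbers are x86_64."""
import re

HEADER = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$")
KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
EXECVE, UNLINK, UNLINKAT = "59", "87", "263"
CRITICAL_UNITS = {"mysql", "mysqld", "mariadb", "postgresql", "sshd", "auditd"}


def _arg(value):
    """Unquote an EXECVE/PATH value; auditd hex-encodes values with spaces or quotes."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value


def parse_audit(lines):
    """Group SYSCALL/EXECVE/PATH records by serial into one event per syscall."""
    events = {}
    for line in lines:
        m = HEADER.match(line.strip())
        if not m:
            continue
        ev = events.setdefault(m["serial"], {"ts": float(m["ts"]), "argv": {}, "paths": []})
        fields = dict(KV.findall(m["rest"]))
        if m["type"] == "SYSCALL":
            for k in ("syscall", "auid", "uid", "comm", "exe", "key", "success"):
                if k in fields:
                    ev[k] = fields[k].strip('"')
        elif m["type"] == "EXECVE":
            for k, v in fields.items():
                if re.fullmatch(r"a\d+", k):
                    ev["argv"][int(k[1:])] = _arg(v)
        elif m["type"] == "PATH" and fields.get("nametype") == "DELETE":
            ev["paths"].append(_arg(fields["name"]))
    for ev in events.values():
        ev["argv"] = [ev["argv"][i] for i in sorted(ev["argv"])]
    return sorted(events.values(), key=lambda e: e["ts"])


def stopped_unit(ev):
    """Unit name if the event is `systemctl stop|disable|mask X` or `service X stop`."""
    argv = ev["argv"]
    if ev.get("syscall") != EXECVE or len(argv) < 3:
        return None
    prog = argv[0].rsplit("/", 1)[-1]
    if prog == "systemctl" and argv[1] in ("stop", "disable", "mask"):
        return argv[2].removesuffix(".service")
    if prog == "service" and argv[2] == "stop":
        return argv[1]
    return None


def detect(events, window=120.0):
    """Pair each critical-service stop with a deletion by the same auid inside the window."""
    alerts = []
    for i, ev in enumerate(events):
        unit = stopped_unit(ev)
        if unit not in CRITICAL_UNITS:
            continue
        for later in events[i + 1:]:
            if later["ts"] - ev["ts"] > window:
                break
            if (later.get("syscall") in (UNLINK, UNLINKAT)
                    and later.get("auid") == ev.get("auid") and later["paths"]):
                alerts.append({"ServiceName": unit, "ExecUser": ev.get("auid"),
                               "TimeWindow": round(later["ts"] - ev["ts"], 3),
                               "Deleted": later["paths"]})
    return alerts


# Constructed audit.log excerpt: systemctl stop mysql, a hex-encoded ls argument,
# then rm of the InnoDB system tablespace, all under auid 1000 after sudo (uid=0).
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1700000000.123:501): arch=c000003e syscall=59 success=yes exit=0 ppid=2210 pid=2231 auid=1000 uid=0 gid=0 euid=0 comm="systemctl" exe="/usr/bin/systemctl" key="service_stop"
type=EXECVE msg=audit(1700000000.123:501): argc=3 a0="systemctl" a1="stop" a2="mysql"
type=SYSCALL msg=audit(1700000030.800:509): arch=c000003e syscall=59 success=yes exit=0 ppid=2210 pid=2240 auid=1000 uid=0 gid=0 euid=0 comm="ls" exe="/usr/bin/ls" key="exec"
type=EXECVE msg=audit(1700000030.800:509): argc=2 a0="ls" a1=2F7661722F6C69622F6D7973716C2F6962206C6F6766696C65
type=SYSCALL msg=audit(1700000045.500:517): arch=c000003e syscall=263 success=yes exit=0 ppid=2210 pid=2251 auid=1000 uid=0 gid=0 euid=0 comm="rm" exe="/usr/bin/rm" key="delete"
type=PATH msg=audit(1700000045.500:517): item=0 name="/var/lib/mysql/" inode=131 dev=08:01 mode=040700 nametype=PARENT
type=PATH msg=audit(1700000045.500:517): item=1 name="/var/lib/mysql/ibdata1" inode=262 dev=08:01 mode=0100660 nametype=DELETE
"""

if __name__ == "__main__":
    for alert in detect(parse_audit(SAMPLE_AUDIT.splitlines())):
        print(alert)
```

Only PATH records with `nametype=DELETE` count as deletions, so the parent-directory record of the same unlink does not produce a second hit, and keying the pairing on `auid` means a stop issued through `sudo` and a deletion issued through a later `su` shell still attribute to the same ExecUser.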
Use of launchctl to stop services or kill critical background processes (e.g., securityd, com.apple.*), typically followed by command-line tools like rm or diskutil. Behavioral chain: Terminal or remote shell + launchctl bootout/disable + process termination + follow-on modification.

| Data Component | Name | Channel |
|---|---|---|
| Service Metadata (DC0041) | macos:unifiedlog | launchctl disable or bootout calls |
| Process Creation (DC0032) | auditd:SYSCALL | execve of launchctl or pkill |

| Field | Description |
|---|---|
| ServiceLabel | Launch daemon label or name targeted by command |
| LaunchType | Whether the command disables or boots out the service |

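Extracting the ServiceLabel and LaunchType fields from a launchctl command line is less uniform than it looks: `bootout` and `disable` take a domain target (`system/com.foo`, `gui/501/com.foo`), `bootout` may take a domain plus a plist path, and the legacy `unload`/`remove`/`stop` spellings take a plist path or a bare label. The block below is an added example, not code from the original page: `CRITICAL_PREFIXES` and the `com.example.*` labels are constructed values, and deriving a label from a plist path assumes the file is named after its `Label` key.

```python
"""Classify stop-style launchctl command lines into LaunchType/ServiceLabel.
Constructed example; CRITICAL_PREFIXES and com.example.* labels are made up,
and label-from-plist-filename is an assumption about naming convention."""
import os
import re

# Labels whose removal is worth an alert (constructed list; extend per estate).
CRITICAL_PREFIXES = ("com.apple.", "com.example.edr")
STOP_SUBCOMMANDS = {"bootout", "disable", "unload", "remove", "stop"}
DOMAIN_TARGET = re.compile(r"^(?:system|user/\d+|gui/\d+|login/\d+|pid/\d+)(?:/(?P<label>[\w.\-]+))?$")
BARE_LABEL = re.compile(r"^[\w\-]+(?:\.[\w\-]+)+$")   # reverse-DNS style label


def _label_from(arg):
    """Service label from a domain target, a .plist path, or a bare label."""
    m = DOMAIN_TARGET.match(arg)
    if m:
        return m.group("label")          # None for a bare domain such as gui/501
    if arg.endswith(".plist"):
        return os.path.basename(arg)[:-len(".plist")]   # assumes file name == Label
    if BARE_LABEL.match(arg):
        return arg
    return None


def classify_launchctl(cmdline):
    """Return LaunchType/ServiceLabel/Critical for a stop-style launchctl call, else None."""
    argv = cmdline.split()
    if (len(argv) < 2 or os.path.basename(argv[0]) != "launchctl"
            or argv[1] not in STOP_SUBCOMMANDS):
        return None
    label = None
    for arg in argv[2:]:
        if arg.startswith("-"):          # skip flags such as -w
            continue
        label = _label_from(arg)
        if label:
            break
    return {"LaunchType": argv[1], "ServiceLabel": label,
            "Critical": bool(label) and label.startswith(CRITICAL_PREFIXES)}


# Constructed command lines as they would appear in a process-creation event.
SAMPLE_CMDLINES = [
    "launchctl bootout system/com.apple.securityd",
    "/bin/launchctl disable gui/501/com.example.edr.agent",
    "launchctl bootout system /Library/LaunchDaemons/com.example.edr.plist",
    "launchctl unload -w /Library/LaunchDaemons/com.example.backup.plist",
    "launchctl remove com.example.backup",
    "launchctl list",
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(line, "->", classify_launchctl(line))
```

Treating `unload`, `remove` and `stop` as stop-style calls alongside `bootout` and `disable` matters because older tooling and scripts still use the legacy verbs, and a rule keyed only on the two modern subcommands misses them.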
Attacker disables VM-related services or stops VMs forcibly to target vmdk or logs. Behavioral chain: esxcli or vim-cmd stop + audit log showing user privilege use + datastore file manipulation.

| Data Component | Name | Channel |
|---|---|---|
| Service Metadata (DC0041) | esxi:hostd | Stop VM or disable service events via vim-cmd |
| Process Termination (DC0033) | esxi:hostd | Log entries indicating VM powered off or forcibly terminated |

| Field | Description |
|---|---|
| VMName | Targeted virtual machine name |
| InitiatorUser | User who issued stop or disable command |