Stopping Services with net.exe

Detects when running services are stopped with the net.exe command.

id:0b2ea078-b2ef-4cf7-aef1-564a63662e3b
categories:enrich
confidence:low
os:windows
created:7/26/2019
updated:7/26/2019

MITRE ATT&CK™ Mapping

tactics:Impact
techniques:T1489 Service Stop

Query

process where subtype.create and
  process_name == "net.exe" and
  command_line == "* stop *"

Contributors