Adversaries may use the net stop command to stop many services in quick succession. This is most often ransomware preparation (MITRE ATT&CK T1489, Service Stop): stopping database, backup, shadow-copy and security services releases file locks and removes recovery options before encryption, and it can also be used simply to disrupt operations or silence security tooling. SOC teams should proactively hunt for this behaviour in Microsoft Sentinel (formerly Azure Sentinel) over the Microsoft 365 Defender DeviceProcessEvents table. Note the scope of the query below: it matches net.exe only (every net stop also spawns a net1.exe child with the same arguments, which is deliberately not counted so each stop appears once), so services stopped with sc stop or PowerShell Stop-Service are not covered and need their own query.
KQL Query
// Find bursts of "net stop" commands: more than 10 distinct net.exe command lines on one device
// within a 2-minute window. Only net.exe is matched, so net1.exe children do not double-count.
DeviceProcessEvents
| where Timestamp > ago(1d)
| where FileName =~ "net.exe" and ProcessCommandLine has "stop"
| summarize netStopCount = dcount(ProcessCommandLine), NetStopList = make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 2m)
| where netStopCount > 10
id: 70c0b10a-3596-4903-baf2-60b5d453bf8c
name: Stopping processes using net stop
description: |
This query checks for attempts to stop more than 10 distinct services with net stop from a single device within a 2-minute window.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceProcessEvents
tactics:
- Ransomware
query: |
// Find bursts of "net stop" commands: more than 10 distinct net.exe command lines on one device
// within a 2-minute window. Only net.exe is matched, so net1.exe children do not double-count.
DeviceProcessEvents
| where Timestamp > ago(1d)
| where FileName =~ "net.exe" and ProcessCommandLine has "stop"
| summarize netStopCount = dcount(ProcessCommandLine), NetStopList = make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 2m)
| where netStopCount > 10
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: A system administrator is performing a routine maintenance task and stops multiple services using net stop as part of a scheduled maintenance job.
Filter/Exclusion: Exclude the specific commands the maintenance job is known to issue (e.g., net stop wuauserv, net stop bits, net stop msiserver) rather than every net stop run by a given account. If you scope by user, use the DeviceProcessEvents columns AccountDomain and AccountName together with the job's actual maintenance window (e.g., Timestamp between (datetime(2024-04-01) .. datetime(2024-04-07))); a blanket exclusion such as AccountName == "admin" also hides an attacker who has obtained that account.
Scenario: A backup or update process is temporarily stopping services to ensure data consistency or to prepare for an update.
Filter/Exclusion: Exclude on the backup or update tool's identity, i.e. its InitiatingProcessFileName and InitiatingProcessFolderPath, not on the service being stopped. Do not exclude net stop vss: stopping the Volume Shadow Copy service is one of the steps ransomware takes to remove recovery options before encrypting, so a VSS stop should stay visible whatever launched it. A lone net stop wuauserv carries little signal and can be dropped.
Scenario: A script or automation tool is configured to stop multiple services during a deployment or configuration change.
Filter/Exclusion: Exclude only runs whose InitiatingProcessCommandLine names a known deployment script or scheduled task (e.g., InitiatingProcessFileName =~ "cmd.exe" and InitiatingProcessCommandLine has @"\ops\maintenance\"). Do not exclude everything spawned by powershell.exe, cmd.exe or the Task Scheduler: ransomware is typically deployed through exactly those parents, so a parent-name exclusion would remove the true positives along with the noise.
Scenario: A legitimate application or service is gracefully shutting down multiple dependent services during a planned shutdown or system reboot.
Filter/Exclusion: shutdown /s and shutdown /r stop services through the Service Control Manager and do not spawn net.exe, so a planned shutdown by itself should not match this query; if an application's shutdown hook does call net stop, exclude it by that application's InitiatingProcessFileName. To confirm a shutdown was planned, correlate with Windows System log event ID 1074 (User32), which records the initiating process, user and reason for a shutdown or restart; event ID 6008 records an unexpected shutdown and is not evidence of planned maintenance.
Scenario: A developer or DevOps team is testing a service or application that requires stopping multiple services to simulate failure conditions or perform integration tests.
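The hunting logic above and the tuning the scenarios describe, as an added example that is not part of this page or of Microsoft's query: a stand-alone Python re-implementation run over constructed DeviceProcessEvents-like rows. It reproduces the 2-minute bin, per-device distinct count and "more than 10" threshold, and applies the exclusions by initiating command line rather than by account or service name, with a set of ransomware-relevant services (vss, MSSQLSERVER, SQLWriter, wbengine) that the allow-list never suppresses. Two deliberate departures from the KQL are noted in the code: it counts distinct service names rather than distinct command lines, and it also parses the net1.exe child rows, deduplicating them on service name so they cannot inflate the count. The sample rows, the allow-listed script path C:\ops\maintenance\patch-window.cmd, the C:\Users\Public\run.bat initiator and the service lists are all constructed for the example.

```python
"""Stand-alone re-implementation of the 'net stop' hunting logic with tuning.

Added example, not the page's KQL: it runs over constructed DeviceProcessEvents-like
rows so the bin / distinct-count / threshold logic and the exclusions can be tested offline.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

BIN_SIZE = timedelta(minutes=2)
THRESHOLD = 10  # as in the KQL: a bin fires when its distinct-stop count exceeds 10

# Services whose stop is a ransomware pre-encryption signature. A row stopping one of these is
# never suppressed by the initiator allow-list, whatever launched it (design choice here).
NEVER_SUPPRESS = {"vss", "mssqlserver", "sqlwriter", "wbengine"}

# Substrings of InitiatingProcessCommandLine identifying known maintenance automation.
# Hypothetical path for this example; populate from your own environment.
TRUSTED_INITIATORS = [r"c:\ops\maintenance\patch-window.cmd"]

# 'net stop <svc>' whether run as net.exe or its net1.exe child, with or without a path/quotes.
NET_STOP = re.compile(r'^\s*"?(?:[^"\s]*\\)?net1?(?:\.exe)?"?\s+stop\s+("[^"]+"|\S+)', re.I)


def stopped_service(cmdline):
    """Return the lower-cased service a 'net stop' command targets, or None if it is not one."""
    m = NET_STOP.match(cmdline)
    return m.group(1).strip('"').lower() if m else None


def bin_start(ts):
    """Floor a UTC timestamp to its 2-minute bucket, like KQL bin(Timestamp, 2m)."""
    width = int(BIN_SIZE.total_seconds())
    epoch = int(ts.timestamp())
    return datetime.fromtimestamp(epoch - epoch % width, tz=timezone.utc)


def is_suppressed(event, service):
    """Tuning rule: drop rows from allow-listed automation unless a critical service is stopped."""
    if service in NEVER_SUPPRESS:
        return False
    initiator = event["InitiatingProcessCommandLine"].lower()
    return any(marker in initiator for marker in TRUSTED_INITIATORS)


def hunt(events, threshold=THRESHOLD):
    """Group surviving rows by (DeviceId, 2-minute bin); report bins with > threshold distinct services.

    Unlike the KQL this dedups on service name, so net.exe and net1.exe rows for one stop count once.
    """
    buckets = defaultdict(set)
    for e in events:
        svc = stopped_service(e["ProcessCommandLine"])
        if svc is None or is_suppressed(e, svc):
            continue
        buckets[(e["DeviceId"], bin_start(e["Timestamp"]))].add(svc)
    return [
        {"DeviceId": dev, "Bin": start, "netStopCount": len(svcs), "Services": sorted(svcs),
         "CriticalServiceStopped": bool(svcs & NEVER_SUPPRESS)}
        for (dev, start), svcs in sorted(buckets.items()) if len(svcs) > threshold
    ]


def _event(device, second, cmd, init_cmd, init_file="cmd.exe"):
    """Constructed DeviceProcessEvents-like row (sample data, not real telemetry)."""
    return {"Timestamp": datetime(2024, 4, 3, 10, 0, second, tzinfo=timezone.utc), "DeviceId": device,
            "FileName": "net1.exe" if "net1 " in cmd.lower() else "net.exe", "ProcessCommandLine": cmd,
            "InitiatingProcessFileName": init_file, "InitiatingProcessCommandLine": init_cmd}


ATTACK_INIT = r"cmd.exe /c C:\Users\Public\run.bat"             # constructed, unknown initiator
MAINT_INIT = r"cmd.exe /c C:\ops\maintenance\patch-window.cmd"  # constructed, allow-listed initiator
ATTACK_SERVICES = ["vss", "MSSQLSERVER", "SQLWriter", "SQLBrowser", "wbengine", "swprv",
                   "MSExchangeIS", "MSExchangeSA", "VeeamBackupSvc", '"Backup Agent"', "MSDTC", "W3SVC"]
MAINT_SERVICES = ["wuauserv", "bits", "msiserver", "Spooler", "W32Time", "WinRM",
                  "Themes", "WSearch", "DiagTrack", "SysMain", "TrustedInstaller", "Dnscache"]

EVENTS = (
    # ws-01: twelve stops in under a minute from an unknown script, hitting backup/DB/VSS services
    [_event("ws-01", 5 * i, f"net stop {s}", ATTACK_INIT) for i, s in enumerate(ATTACK_SERVICES)]
    # net.exe hands the work to a net1.exe child; those rows must not inflate the count
    + [_event("ws-01", 5 * i + 1, rf"C:\Windows\system32\net1 stop {s}", f"net stop {s}", "net.exe")
       for i, s in enumerate(ATTACK_SERVICES[:2])]
    # srv-02: the same volume of stops, but from the allow-listed patch window and benign services
    + [_event("srv-02", 5 * i, f"net stop {s}", MAINT_INIT) for i, s in enumerate(MAINT_SERVICES)]
)

if __name__ == "__main__":
    for hit in hunt(EVENTS):
        print(hit)
```

Run as a script it reports only ws-01 (12 distinct services, CriticalServiceStopped set); srv-02 is suppressed entirely because every row comes from the allow-listed initiator and none of its services is on the never-suppress list. The same srv-02 initiator issuing net stop vss is not suppressed, which is the property the VSS caveat in the scenarios asks for. The threshold still applies after suppression, so a single critical stop from an unknown initiator stays below it; that is a gap in the original query's design, not something the exclusions introduce.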