
Summary
This analytic rule identifies potentially malicious use of PowerShell's Start-Service or Stop-Service cmdlets, which attackers can use to manipulate system services. It relies on PowerShell Script Block Logging (Event ID 4104, written to the Microsoft-Windows-PowerShell/Operational log) to recognize when either cmdlet is executed on an endpoint; script block logging must be enabled on the host or the rule has nothing to match. Stopping services can disable security tooling and critical functionality, leading to evasion of defenses, system instability, or disruption of business operations. The value of this detection lies in surfacing service management activity that is abnormal for a given host or user, which may signify compromise or malicious intent and warrants further investigation. Because administrators and deployment scripts routinely start and stop services, expect benign matches; tune on the user, host, and target service rather than on the cmdlet alone, and remember that the rule keys on cmdlet names, so service changes made through sc.exe, net.exe, or Set-Service will not trigger it.
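The detection logic run over sample records, as an added example that is not the rule's own search or any code from the page. It models 4104 events as dictionaries with the fields a SIEM typically extracts (EventID, Computer, User, ScriptBlockText), matches the two cmdlets the rule names, and goes one step further than the page by also matching their default PowerShell aliases (sasv, spsv) and by grading a stop of a security-relevant service higher. The SENSITIVE_SERVICES watchlist, the severity levels, and all sample events are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Canonical cmdlet names, keyed by the names and default aliases a script block may use.
# Covering the aliases (sasv, spsv) goes beyond the page's rule, which names only the
# two cmdlets; anything not in this table (sc.exe stop, net stop, Set-Service) is not seen.
CANONICAL = {
    "start-service": "Start-Service",
    "sasv": "Start-Service",
    "stop-service": "Stop-Service",
    "spsv": "Stop-Service",
}

# Services whose stop is treated as high severity. This watchlist is an assumption
# made for the example, not part of the rule on the page.
SENSITIVE_SERVICES = {"windefend", "sense", "mpssvc", "eventlog", "wscsvc", "sysmon64"}

# Cmdlet or alias, then an optional target given positionally or via -Name.
# A following switch such as -Force starts with '-' and so is not taken as the target.
CMDLET_RE = re.compile(
    r"(?i)\b(?P<cmd>Start-Service|Stop-Service|sasv|spsv)\b"
    r"(?:\s+(?:-Name\s+)?['\"]?(?P<target>[A-Za-z0-9_.]+)['\"]?)?"
)


@dataclass
class Alert:
    computer: str
    user: str
    cmdlet: str
    target: Optional[str]
    severity: str
    script_block: str


def match_script_block(text):
    """Return (canonical cmdlet, target service or None) for the first hit, else None."""
    m = CMDLET_RE.search(text)
    if not m:
        return None
    return CANONICAL[m.group("cmd").lower()], m.group("target")


def severity_for(cmdlet, target):
    """Starting a service is low; stopping a watchlisted service is high; other stops medium."""
    if cmdlet == "Start-Service":
        return "low"
    if target and target.lower() in SENSITIVE_SERVICES:
        return "high"
    return "medium"


def detect(events):
    """Run the detection over event records; anything that is not a 4104 is ignored."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        hit = match_script_block(ev.get("ScriptBlockText", ""))
        if hit is None:
            continue
        cmdlet, target = hit
        alerts.append(Alert(ev["Computer"], ev["User"], cmdlet, target,
                            severity_for(cmdlet, target), ev["ScriptBlockText"]))
    return alerts


# Constructed sample records shaped like the fields extracted from 4104 events.
SAMPLE_EVENTS = [
    {"EventID": 4104, "Computer": "ws01.corp.local", "User": "CORP\\alice",
     "ScriptBlockText": "Stop-Service -Name WinDefend -Force"},
    # Target arrives through the pipeline, so the regex cannot recover it.
    {"EventID": 4104, "Computer": "ws01.corp.local", "User": "CORP\\alice",
     "ScriptBlockText": "Get-Service Sense | spsv -Force"},
    {"EventID": 4104, "Computer": "srv02.corp.local", "User": "CORP\\svc_deploy",
     "ScriptBlockText": "Start-Service Spooler"},
    {"EventID": 4104, "Computer": "srv02.corp.local", "User": "CORP\\bob",
     "ScriptBlockText": "Get-Service | Where-Object Status -eq 'Stopped'"},
    # Native tooling evades this rule: no cmdlet name appears in the block.
    {"EventID": 4104, "Computer": "ws03.corp.local", "User": "CORP\\mallory",
     "ScriptBlockText": "& sc.exe stop WinDefend"},
    # 4103 (module logging) is not in scope for the rule.
    {"EventID": 4103, "Computer": "ws03.corp.local", "User": "CORP\\mallory",
     "ScriptBlockText": "Stop-Service EventLog"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.severity:6}] {a.computer} {a.user}: {a.cmdlet} target={a.target}")
```

Run against the sample set, the first three records alert and the last three do not. The second record shows a limitation worth keeping in mind when tuning: when the service object is piped into Stop-Service, the target name is not in the cmdlet's own arguments, so severity cannot be raised from the script block text alone and the analyst has to read the full block.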
Categories
- Endpoint
- Windows
Data Sources
- Pod
- Script
- Application Log
ATT&CK Techniques
- T1059.001 (Command and Scripting Interpreter: PowerShell)
Created: 2024-11-13