Forum Discussion

ITJesusBB
Copper Contributor
Jan 05, 2022

Is there any way to create a custom detection to detect when a service is stopped?

I have a service that I'd like to create an alert for if it is stopped, but I can't find any related events to the service stopping in MDE, and as far as I can tell, service status isn't recorded in the registry.

3 Replies

  • Kyrouz
    Copper Contributor
    Excellent question that I have as well. I want to detect when certain services are stopped, no matter the cause (e.g. PowerShell, cmd, etc.). But none of the MDE tables seem to record service stop events.
    • ITJesusBB
      Copper Contributor

      Kyrouz

      I ended up talking to MS about this, and the answer is you can't. They said MDE only monitors processes related to Windows.

      • Kyrouz
        Copper Contributor
        Thanks for the update! If anyone at MS is reading: I appreciate that you can't have MDE collect absolutely everything, but service stoppage would be immensely useful in terms of identifying when a critical service is stopped no matter how the attacker got it.
