Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment. [1] Services may not allow for modification of their data stores while running. Adversaries may stop services in order to conduct Data Destruction. [1]
ID | Name | Description
---|---|---
S0605 | EKANS | Before encrypting the process, EKANS first kills the process if its name matches one of the processes defined on its kill-list. [2] EKANS also utilizes netsh commands to implement firewall rules that block any remote communication with the device. [3]
S0604 | Industroyer | Industroyer has the capability to stop a service itself, or to log in as a user and stop a service as that user. [4]
S1072 | Industroyer2 | Industroyer2 has the capability to terminate specified processes (i.e., PServiceControl.exe and PService_PDD.exe) and rename each process to prevent restart. These are defined through a hardcoded configuration. [5]
S0607 | KillDisk | KillDisk looks for and terminates two non-standard processes, one of which is an ICS application. [6]
S0496 | REvil | REvil searches for all processes listed in the prc field within its configuration file and then terminates each process. [7]
ID | Mitigation | Description
---|---|---
M0930 | Network Segmentation | Segment operational network and systems to restrict access to critical system functions to predetermined management systems. [8]
M0922 | Restrict File and Directory Permissions | Ensure proper process and file permissions are in place to inhibit adversaries from disabling or interfering with critical services.
M0924 | Restrict Registry Permissions | Ensure proper registry permissions are in place to inhibit adversaries from disabling or interfering with critical services.
M0918 | User Account Management | Limit privileges of user accounts and groups so that only authorized administrators can change service states and configurations.
ID | Data Source | Data Component | Detects
---|---|---|---
DS0017 | Command | Command Execution | Monitor executed commands and arguments that may stop or disable services on a system to render those services unavailable to legitimate users.
DS0022 | File | File Modification | Monitor for changes made to files that may stop or disable services on a system to render those services unavailable to legitimate users.
DS0009 | Process | OS API Execution | Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. For example, ChangeServiceConfigW may be used by an adversary to prevent services from starting. For added context on adversary procedures and background see Service Stop.
DS0009 | Process | Process Creation | Monitor for newly executed processes that may stop or disable services on a system to render those services unavailable to legitimate users.
DS0009 | Process | Process Termination | Monitor processes and command-line arguments to see if critical processes are terminated or stop running. For added context on adversary procedures and background see Service Stop.
DS0019 | Service | Service Metadata | Alterations to the service binary path or the service startup type changed to disabled may be suspicious.
DS0024 | Windows Registry | Windows Registry Key Modification | Monitor for changes made to Windows registry keys and/or values that may stop or disable services on a system to render those services unavailable to legitimate users.
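As an added example (not part of the ATT&CK page or any referenced tool), the following Python detector applies the Command Execution, Process Termination and Windows Registry Key Modification guidance above to constructed sample log lines, raising severity when the target is on a hypothetical critical-service watchlist:

```python
import re
# Constructed watchlist of critical service/process names (the two Industroyer2 targets above plus a hypothetical historian service)
CRITICAL = {"pservicecontrol.exe", "pservice_pdd.exe", "historianservice"}

# Command-line forms that stop/disable services (DS0017) or terminate processes (DS0009); group 1 captures the target
PATTERNS = [
    ("sc stop",      re.compile(r"\bsc(?:\.exe)?\s+stop\s+(\S+)", re.I)),
    ("sc disable",   re.compile(r"\bsc(?:\.exe)?\s+config\s+(\S+)\s+start=\s*disabled", re.I)),
    ("net stop",     re.compile(r"\bnet(?:1)?(?:\.exe)?\s+stop\s+\"?([^\"\s]+)", re.I)),
    ("Stop-Service", re.compile(r"\bStop-Service\s+(?:-Name\s+)?['\"]?([\w.\-]+)", re.I)),
    ("Set-Service",  re.compile(r"\bSet-Service\s+(?:-Name\s+)?['\"]?([\w.\-]+)['\"]?.*?-StartupType\s+Disabled", re.I)),
    ("taskkill",     re.compile(r"\btaskkill(?:\.exe)?\b.*?/im\s+(\S+)", re.I)),
]
# Registry write setting a service's Start value to 4 (SERVICE_DISABLED), in the constructed "SetValue <key> DWORD (0x..)" layout used below (DS0024)
REG_DISABLE = re.compile(r"\\Services\\([^\\]+)\\Start\b.*?DWORD \(0x0*4\)", re.I)

def classify(line):
    """Return (action, target) when the line stops or disables a service, else None."""
    for action, rx in PATTERNS:
        m = rx.search(line)
        if m:
            return action, m.group(1).lower()
    m = REG_DISABLE.search(line)
    return ("registry Start=4", m.group(1).lower()) if m else None

def scan(lines):
    """Return (severity, action, target, line) per hit; watchlisted targets are 'high'."""
    findings = []
    for line in lines:
        hit = classify(line)
        if hit:
            action, target = hit
            severity = "high" if target in CRITICAL else "medium"
            findings.append((severity, action, target, line))
    return findings

SAMPLE = [  # constructed sample command lines and one registry event; not real telemetry
    "cmd.exe /c sc stop PServiceControl.exe",
    "sc config W32Time start= disabled",
    'net stop "HistorianService"',
    "powershell -c Set-Service -Name Spooler -StartupType Disabled",
    "taskkill /F /IM PService_PDD.exe",
    r"SetValue HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Start DWORD (0x00000004)",
    "sc query state= all",
    r"notepad.exe C:\temp\notes.txt",
]

if __name__ == "__main__":
    for severity, action, target, line in scan(SAMPLE):
        print(f"[{severity}] {action} -> {target}: {line}")
```

The regexes only cover the common utility syntaxes; direct Windows API calls such as ChangeServiceConfigW (DS0009 OS API Execution) leave no command line and need API or ETW telemetry instead.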