Service Stop

Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment. [1] Services may not allow for modification of their data stores while running. Adversaries may stop services in order to conduct Data Destruction. [1]

ID: T0881
Sub-techniques: No sub-techniques
Platforms: None
Version: 1.1
Created: 21 May 2020
Last Modified: 13 October 2023

Procedure Examples

ID Name Description
S0605 EKANS

Before encrypting the process, EKANS first kills the process if its name matches one of the processes defined on the kill-list. [2] EKANS also utilizes netsh commands to implement firewall rules that block any remote communication with the device. [3]

S0604 Industroyer

Industroyer has the capability to stop a service itself, or to log in as a user and stop a service as that user. [4]

S1072 Industroyer2

Industroyer2 has the capability to terminate specified processes (i.e., PServiceControl.exe and PService_PDD.exe) and rename each process to prevent restart. These are defined through a hardcoded configuration. [5]

S0607 KillDisk

KillDisk looks for and terminates two non-standard processes, one of which is an ICS application. [6]

S0496 REvil

REvil searches for all processes listed in the prc field within its configuration file and then terminates each process. [7]

Targeted Assets

ID Asset
A0008 Application Server
A0007 Control Server
A0009 Data Gateway
A0006 Data Historian
A0002 Human-Machine Interface (HMI)
A0005 Intelligent Electronic Device (IED)
A0012 Jump Host
A0004 Remote Terminal Unit (RTU)
A0010 Safety Controller
A0011 Virtual Private Network (VPN) Server
A0001 Workstation

Mitigations

ID Mitigation Description
M0930 Network Segmentation

Segment operational network and systems to restrict access to critical system functions to predetermined management systems. [8]

M0922 Restrict File and Directory Permissions

Ensure proper process and file permissions are in place to inhibit adversaries from disabling or interfering with critical services.

M0924 Restrict Registry Permissions

Ensure proper registry permissions are in place to inhibit adversaries from disabling or interfering with critical services.

M0918 User Account Management

Limit privileges of user accounts and groups so that only authorized administrators can change service states and configurations.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments that may stop or disable services on a system to render those services unavailable to legitimate users.

DS0022 File File Modification

Monitor for changes made to files that may stop or disable services on a system to render those services unavailable to legitimate users.

DS0009 Process OS API Execution

Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. For example, ChangeServiceConfigW may be used by an adversary to prevent services from starting. For added context on adversary procedures and background see Service Stop.

Process Creation

Monitor for newly executed processes that may stop or disable services on a system to render those services unavailable to legitimate users.

Process Termination

Monitor processes and command-line arguments to see if critical processes are terminated or stop running. For added context on adversary procedures and background see Service Stop.

DS0019 Service Service Metadata

Alterations to the service binary path or the service startup type changed to disabled may be suspicious.

DS0024 Windows Registry Windows Registry Key Modification

Monitor for changes made to Windows registry keys and/or values that may stop or disable services on a system to render those services unavailable to legitimate users.
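The Command Execution, Process Termination and Service Metadata detections above, worked through as an added example (not part of the MITRE page): a small Python detector run over constructed sample records. The record layout, host names and any critical-process list beyond the two Industroyer2 targets named on this page are assumptions.

```python
import re

# Constructed sample telemetry (not real logs): process-creation records and
# service-metadata change records, in the shape a SIEM might normalise them to.
SAMPLE_EVENTS = [
    {"type": "process", "host": "hmi-01", "cmdline": "sc.exe stop SCADA_Historian"},
    {"type": "process", "host": "hmi-01", "cmdline": 'net stop "OPC Server" /y'},
    {"type": "process", "host": "eng-ws", "cmdline": "taskkill /F /IM PServiceControl.exe"},
    {"type": "process", "host": "eng-ws", "cmdline": "notepad.exe C:\\site\\config.ini"},
    {"type": "service", "host": "hist-02", "service": "HistorianSvc",
     "field": "start_type", "old": "auto", "new": "disabled"},
    {"type": "service", "host": "hist-02", "service": "HistorianSvc",
     "field": "binary_path", "old": r"C:\Hist\svc.exe", "new": r"C:\Temp\x.exe"},
    {"type": "service", "host": "hist-02", "service": "Spooler",
     "field": "start_type", "old": "auto", "new": "demand"},
]

# Processes this page names as Industroyer2 kill targets; a full site-specific list is assumed.
CRITICAL_PROCESSES = {"pservicecontrol.exe", "pservice_pdd.exe"}

# Native Windows utilities that stop, delete, disable or kill services and processes.
STOP_PATTERNS = [
    (re.compile(r"\bsc(?:\.exe)?\s+(?:stop|delete)\s+(\S+)", re.I), "sc stop/delete"),
    (re.compile(r"\bsc(?:\.exe)?\s+config\s+(\S+).*start=\s*disabled", re.I), "sc config start=disabled"),
    (re.compile(r'\bnet(?:\.exe)?\s+stop\s+("[^"]+"|\S+)', re.I), "net stop"),
    (re.compile(r"\btaskkill(?:\.exe)?\b.*?/im\s+(\S+)", re.I), "taskkill"),
]


def detect_service_stop(events):
    """Return (host, reason, target) findings for records matching T0881 behaviour."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            for pattern, label in STOP_PATTERNS:
                match = pattern.search(ev["cmdline"])
                if not match:
                    continue
                target = match.group(1).strip('"')
                # taskkill is routine admin noise; alert only when it hits a critical process
                if label == "taskkill" and target.lower() not in CRITICAL_PROCESSES:
                    continue
                findings.append((ev["host"], label, target))
                break
        elif ev["type"] == "service":  # Service Metadata data component
            if ev["field"] == "start_type" and ev["new"].lower() == "disabled":
                findings.append((ev["host"], "start type set to disabled", ev["service"]))
            elif ev["field"] == "binary_path" and ev["old"] != ev["new"]:
                findings.append((ev["host"], "binary path changed", ev["service"]))
    return findings
```

Running `detect_service_stop(SAMPLE_EVENTS)` yields five findings; the benign notepad launch, the taskkill of a non-critical process and the Spooler change to manual start are not reported.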

References