T0881 Service Stop
Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services can inhibit or halt the response to an incident, or advance the adversary's broader objective of damaging the environment. [1] Services may not allow their data stores to be modified while they are running, so adversaries may also stop services in order to conduct Data Destruction. [1]
| Item | Value |
|---|---|
| ID | T0881 |
| Sub-techniques | |
| Tactics | TA0107 |
| Platforms | None |
| Version | 1.1 |
| Created | 21 May 2020 |
| Last Modified | 15 April 2025 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0605 | EKANS | Before encrypting files, EKANS first kills any running process whose name matches an entry on its kill-list. [4] EKANS also uses netsh commands to implement firewall rules that block all remote communication with the device. [3] |
| S0604 | Industroyer | Industroyer can stop a service directly, or log in as a user and stop the service as that user. [7] |
| S1072 | Industroyer2 | Industroyer2 can terminate specified processes (PServiceControl.exe and PService_PDD.exe) and rename each one to prevent restart; the targets are defined in a hardcoded configuration. [6] |
| S0607 | KillDisk | KillDisk looks for and terminates two non-standard processes, one of which is an ICS application. [8] |
| S0496 | REvil | REvil searches for all processes listed in the prc field of its configuration file and terminates each of them. [5] |
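The technique description and the procedure examples above share one observable pattern: services stopped or disabled, often several in quick succession from a kill-list, frequently via built-in tooling. The following detection sketch is an added example and is not part of the ATT&CK page or any of the cited reports. It replays constructed, simplified Windows telemetry (Service Control Manager events 7036 and 7040 from the System log, and Sysmon-style process-creation events carrying a command line) and raises alerts for watchlisted services entering the stopped state, start types changed to Disabled, stop/kill command lines, and a burst of distinct service stops inside a short window. The service watchlist, the log line format, the threshold and window values, and the sample log lines are all assumptions made for the example.

```python
"""T0881 Service Stop detection sketch (added example, not ATT&CK content).

Replays constructed Windows telemetry: SCM 7036 ("entered the stopped
state"), SCM 7040 (start type changed) and Sysmon-style process creation.
"""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed watchlist of service display names (lowercased) that should not
# stop unattended; chosen for this example, tune to the environment.
CRITICAL_SERVICES = {
    "volume shadow copy",
    "sql server (mssqlserver)",
    "windows defender antivirus service",
    "historianservice",
}

SCM_STOPPED = 7036             # System log: "<service> entered the stopped state"
SCM_START_TYPE_CHANGED = 7040  # System log: start type changed (e.g. to disabled)
PROCESS_CREATE = 1             # Sysmon process creation

MASS_STOP_WINDOW = timedelta(seconds=60)  # assumed correlation window
MASS_STOP_THRESHOLD = 3                   # assumed distinct-service count

# Built-in tooling commonly used to stop, disable or kill services/processes.
STOP_COMMANDS = [
    re.compile(r"\bsc(\.exe)?\s+(stop\b|config\s+\S+\s+start=\s*disabled)", re.I),
    re.compile(r"\bnet1?(\.exe)?\s+stop\b", re.I),
    re.compile(r"\btaskkill(\.exe)?\s.*?(/f\b|/im\b)", re.I),
    re.compile(r"\bStop-Service\b|\bSet-Service\b.*?-StartupType\s+Disabled\b", re.I),
]


@dataclass
class Event:
    time: datetime
    event_id: int
    fields: dict


@dataclass
class Alert:
    rule: str
    detail: str


def parse_line(line: str) -> Event:
    """Constructed line format: '<ISO time> | <event id> | key=value; key=value'."""
    when, event_id, rest = (part.strip() for part in line.split(" | ", 2))
    fields = {}
    for kv in rest.split("; "):
        key, value = kv.split("=", 1)
        fields[key.strip()] = value.strip()
    return Event(datetime.fromisoformat(when), int(event_id), fields)


def detect(log_text: str) -> list:
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    alerts, stops = [], []  # stops: (time, service) for burst correlation
    for ev in events:
        if ev.event_id == SCM_STOPPED and ev.fields.get("State", "").lower() == "stopped":
            service = ev.fields.get("Service", "")
            stops.append((ev.time, service.lower()))
            if service.lower() in CRITICAL_SERVICES:
                alerts.append(Alert("critical_service_stopped", service))
        elif ev.event_id == SCM_START_TYPE_CHANGED:
            if ev.fields.get("NewStartType", "").lower() == "disabled":
                alerts.append(Alert("service_disabled", ev.fields.get("Service", "")))
        elif ev.event_id == PROCESS_CREATE:
            cmd = ev.fields.get("CommandLine", "")
            if any(p.search(cmd) for p in STOP_COMMANDS):
                alerts.append(Alert("service_stop_command", cmd))
    # Kill-list behaviour: many distinct services stopped within one window,
    # whether or not each individual service is on the watchlist. Fire once.
    stops.sort()
    for i, (t, _) in enumerate(stops):
        recent = {svc for ts, svc in stops[: i + 1] if t - ts <= MASS_STOP_WINDOW}
        if len(recent) >= MASS_STOP_THRESHOLD:
            alerts.append(Alert("mass_service_stop",
                                f"{len(recent)} services stopped within "
                                f"{MASS_STOP_WINDOW.seconds}s ending {t.isoformat()}"))
            break
    return alerts


def summarize(alerts) -> dict:
    """Alert count per rule, for triage dashboards or tests."""
    return dict(Counter(a.rule for a in alerts))


# Constructed sample telemetry: one benign spooler stop, then a scripted
# pre-encryption sequence stopping several services in a few seconds.
SAMPLE_LOG = r"""
2024-03-01T02:00:01 | 7036 | Service=Print Spooler; State=stopped
2024-03-01T02:14:09 | 1 | Image=C:\Windows\System32\cmd.exe; CommandLine=cmd.exe /c net stop "SQL Server (MSSQLSERVER)" /y
2024-03-01T02:14:10 | 7036 | Service=SQL Server (MSSQLSERVER); State=stopped
2024-03-01T02:14:11 | 1 | Image=C:\Windows\System32\sc.exe; CommandLine=sc config VSS start= disabled
2024-03-01T02:14:11 | 7040 | Service=Volume Shadow Copy; OldStartType=demand start; NewStartType=disabled
2024-03-01T02:14:12 | 7036 | Service=Volume Shadow Copy; State=stopped
2024-03-01T02:14:12 | 1 | Image=C:\Windows\System32\taskkill.exe; CommandLine=taskkill /F /IM HistorianService.exe
2024-03-01T02:14:13 | 7036 | Service=HistorianService; State=stopped
2024-03-01T02:14:13 | 7036 | Service=Windows Defender Antivirus Service; State=stopped
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"[{alert.rule}] {alert.detail}")
```

The burst rule matters most in practice: a single stopped service is routine maintenance noise, but several distinct services stopping within a minute, especially alongside `net stop`, `sc config ... start= disabled` or `taskkill /F /IM` process creations, is the kill-list behaviour the EKANS and REvil entries describe, and it fires even when the targeted services are not on the watchlist. In a real deployment the 7036/7040 records come from the System log and the command lines from Sysmon Event ID 1 or Security 4688 with command-line auditing enabled.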
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M0930 | Network Segmentation | Segment operational networks and systems to restrict access to critical system functions to predetermined management systems. [2] |
| M0922 | Restrict File and Directory Permissions | Ensure proper process and file permissions are in place to inhibit adversaries from disabling or interfering with critical services. |
| M0924 | Restrict Registry Permissions | Ensure proper registry permissions are in place to inhibit adversaries from disabling or interfering with critical services. |
| M0918 | User Account Management | Limit privileges of user accounts and groups so that only authorized administrators can change service states and configurations. |
References
1. Enterprise ATT&CK. Service Stop. Retrieved 2019/10/29.
2. Department of Homeland Security. (2016, September). Retrieved 2020/09/25.
3. Ben Hunter and Fred Gutierrez. (2020, July 01). EKANS Ransomware Targeting OT ICS Systems. Retrieved 2021/04/12.
4. Daniel Kapellmann Zafra, Keith Lunden, Nathan Brubaker, Jeremy Kennelly. (2020, July 15). Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT. Retrieved 2021/04/12.
5. McAfee Labs. (2019, October 02). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service: What The Code Tells Us. Retrieved 2021/04/12.
6. Daniel Kapellmann Zafra, Raymond Leong, Chris Sistrunk, Ken Proska, Corey Hildebrandt, Keith Lunden, Nathan Brubaker. (2022, April 25). INDUSTROYER.V2: Old Malware Learns New Tricks. Retrieved 2023/03/30.
7. Anton Cherepanov, ESET. (2017, June 12). Win32/Industroyer: A new threat for industrial control systems. Retrieved 2017/09/15.
8. Anton Cherepanov. BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry. Retrieved 2019/10/29.