Skip to content

T0881 Service Stop

Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services can inhibit or stop response to an incident or aid in the adversary’s overall objectives to cause damage to the environment. 1 Services may not allow for modification of their data stores while running. Adversaries may stop services in order to conduct Data Destruction. 1

Item Value
ID T0881
Tactics TA0107
Platforms Control Server, Data Historian, Engineering Workstation, Human-Machine Interface
Version 1.0
Created 21 May 2020
Last Modified 24 October 2022

Procedure Examples

ID Name Description
S0605 EKANS Before encrypting the process, EKANS first kills the process if its name matches one of the processes defined on the kill-list. 4 4 EKANS also utilizes netsh commands to implement firewall rules that blocks any remote communication with the device. 3
S0604 Industroyer Industroyer has the capability to stop a service itself, or to login as a user and stop a service as that user. 5
S1072 Industroyer2 Industroyer2 has the capability to terminate specified processes (i.e., PServiceControl.exe and PService_PDD.exe) and rename each process to prevent restart. These are defined through a hardcoded configuration.6
S0607 KillDisk KillDisk looks for and terminates two non-standard processes, one of which is an ICS application. 8
S0496 REvil REvil searches for all processes listed in the prc field within its configuration file and then terminates each process. 7


ID Mitigation Description
M0930 Network Segmentation Segment operational network and systems to restrict access to critical system functions to predetermined management systems. 2
M0922 Restrict File and Directory Permissions Ensure proper process and file permissions are in place to inhibit adversaries from disabling or interfering with critical services.
M0924 Restrict Registry Permissions Ensure proper registry permissions are in place to inhibit adversaries from disabling or interfering with critical services.
M0918 User Account Management Limit privileges of user accounts and groups so that only authorized administrators can change service states and configurations.


ID Data Source Data Component
DS0017 Command Command Execution
DS0022 File File Modification
DS0009 Process OS API Execution
DS0019 Service Service Metadata
DS0024 Windows Registry Windows Registry Key Modification