T0881 Service Stop
Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services can inhibit or stop response to an incident or aid in the adversary’s overall objectives to cause damage to the environment. [1] Services may not allow for modification of their data stores while running. Adversaries may stop services in order to conduct Data Destruction. [1]
Item | Value |
---|---|
ID | T0881 |
Sub-techniques | |
Tactics | TA0107 |
Platforms | Control Server, Data Historian, Engineering Workstation, Human-Machine Interface |
Version | 1.0 |
Created | 21 May 2020 |
Last Modified | 24 October 2022 |
Procedure Examples
ID | Name | Description |
---|---|---|
S0605 | EKANS | Before encrypting, EKANS first kills any process whose name matches one of the processes defined on its kill-list. [4] EKANS also utilizes netsh commands to implement firewall rules that block any remote communication with the device. [3] |
S0604 | Industroyer | Industroyer has the capability to stop a service itself, or to log in as a user and stop a service as that user. [5] |
S1072 | Industroyer2 | Industroyer2 has the capability to terminate specified processes (i.e., PServiceControl.exe and PService_PDD.exe) and rename each process to prevent restart. These are defined through a hardcoded configuration. [6] |
S0607 | KillDisk | KillDisk looks for and terminates two non-standard processes, one of which is an ICS application. [8] |
S0496 | REvil | REvil searches for all processes listed in the prc field within its configuration file and then terminates each process. [7] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M0930 | Network Segmentation | Segment operational network and systems to restrict access to critical system functions to predetermined management systems. [2] |
M0922 | Restrict File and Directory Permissions | Ensure proper process and file permissions are in place to inhibit adversaries from disabling or interfering with critical services. |
M0924 | Restrict Registry Permissions | Ensure proper registry permissions are in place to inhibit adversaries from disabling or interfering with critical services. |
M0918 | User Account Management | Limit privileges of user accounts and groups so that only authorized administrators can change service states and configurations. |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0022 | File | File Modification |
DS0009 | Process | OS API Execution |
DS0019 | Service | Service Metadata |
DS0024 | Windows Registry | Windows Registry Key Modification |
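The data components above can be turned into concrete detection logic. The following is an added example (not MITRE's or any vendor's code) that flags stops of watchlisted ICS services across three of those components: Command Execution (sc/net stop, taskkill, Stop-Service), Service Metadata (Service Control Manager event 7036 reporting a stopped state) and Windows Registry Key Modification (a service's Start value set to 4, Disabled). The record layouts and all service names other than the two Industroyer2 targets from the Procedure Examples table are assumptions.

```python
"""T0881 Service Stop detection over constructed log records (added example, not
MITRE's or any vendor's code). Covers three data components from the page's
Detection table; record layouts and most service names are assumptions."""
import re

# Watchlist of ICS-critical services/processes: the two Industroyer2 targets are
# from the page, the other two are constructed placeholders.
CRITICAL = {"pservicecontrol.exe", "pservice_pdd.exe", "historiansvc", "hmiruntime"}

# Command lines that stop a service or kill a process (sc/net, taskkill, PowerShell).
STOP_CMDS = [
    re.compile(r"\b(?:sc|net)(?:\.exe)?\s+stop\s+(?P<name>[\w.\-]+)", re.I),
    re.compile(r"\btaskkill(?:\.exe)?\b.*?/im\s+(?P<name>[\w.\-]+)", re.I),
    re.compile(r"\bstop-service\s+(?:-name\s+)?['\"]?(?P<name>[\w.\-]+)", re.I),
]
# Services\<svc>\Start = 4 is the "Disabled" start type: a stop that survives reboot.
SVC_START = re.compile(r"\\services\\(?P<name>[\w.\-]+)\\start$", re.I)

def classify(rec: dict):
    """Return an alert dict when the record shows a watchlisted service stopped or disabled, else None."""
    hit = {"technique": "T0881", "host": rec["host"]}
    if rec["source"] == "command":                   # DS0017 Command Execution
        for pat in STOP_CMDS:
            m = pat.search(rec["cmdline"])
            if m and m["name"].lower() in CRITICAL:
                return {**hit, "component": "Command Execution", "target": m["name"].lower()}
    elif rec["source"] == "service":                  # DS0019 Service Metadata
        # Service Control Manager event 7036: "<svc> service entered the stopped state"
        if rec["event_id"] == 7036 and rec["state"] == "stopped" and rec["service"].lower() in CRITICAL:
            return {**hit, "component": "Service Metadata", "target": rec["service"].lower()}
    elif rec["source"] == "registry":                 # DS0024 Registry Key Modification
        m = SVC_START.search(rec["key"])
        if m and rec["value"] == 4 and m["name"].lower() in CRITICAL:
            return {**hit, "component": "Windows Registry Key Modification", "target": m["name"].lower()}
    return None

def detect(records: list) -> list:
    """Run classify over a batch and keep only the alerts."""
    return [a for a in map(classify, records) if a]

# Constructed sample telemetry, not real events.
SAMPLE = [
    {"source": "command", "host": "ews01", "cmdline": "taskkill.exe /F /IM PServiceControl.exe"},
    {"source": "command", "host": "ews01", "cmdline": "net stop Spooler"},  # not watchlisted
    {"source": "service", "host": "hist01", "event_id": 7036, "service": "HistorianSvc", "state": "stopped"},
    {"source": "service", "host": "hist01", "event_id": 7036, "service": "HistorianSvc", "state": "running"},
    {"source": "registry", "host": "hmi02", "key": r"HKLM\SYSTEM\CurrentControlSet\Services\HMIRuntime\Start", "value": 4},
    {"source": "command", "host": "hmi02", "cmdline": 'powershell -c "Stop-Service -Name PService_PDD.exe"'},
]
```

Running `detect(SAMPLE)` yields four alerts (the taskkill, the 7036 stopped event, the Start=4 registry write and the Stop-Service call); the `net stop Spooler` and the "running" state change are ignored because they do not touch a watchlisted service.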
References
- Department of Homeland Security. (2016, September). Retrieved September 25, 2020.
- Ben Hunter and Fred Gutierrez. (2020, July 1). EKANS Ransomware Targeting OT ICS Systems. Retrieved April 12, 2021.
- Daniel Kapellmann Zafra, Keith Lunden, Nathan Brubaker, Jeremy Kennelly. (2020, July 15). Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT. Retrieved April 12, 2021.
- Anton Cherepanov, ESET. (2017, June 12). Win32/Industroyer: A new threat for industrial control systems. Retrieved September 15, 2017.
- Daniel Kapellmann Zafra, Raymond Leong, Chris Sistrunk, Ken Proska, Corey Hildebrandt, Keith Lunden, Nathan Brubaker. (2022, April 25). INDUSTROYER.V2: Old Malware Learns New Tricks. Retrieved March 30, 2023.
- McAfee Labs. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service: What The Code Tells Us. Retrieved April 12, 2021.
- Anton Cherepanov. BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry. Retrieved October 29, 2019.