Technique on mitre.org

T1489: Service Stop

Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.

Adversaries may accomplish this by disabling individual services of high importance to an organization, such as MSExchangeIS, which will make Exchange content inaccessible . In some cases, adversaries may stop or disable many or all services to render systems unusable. Services or processes may not allow for modification of their data stores while running. Adversaries may stop services or processes in order to conduct Data Destruction or Data Encrypted for Impact on the data stores of services like Exchange and SQL Server.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

proxmox: PT-CR-2735: ProxMox_VE_Critical_VM_Container_Manipulation: A user performed an action on a critical VM or container in Proxmox. Such actions allow attackers to hide the evidence of their activity, disrupt system availability or functionality, remove security tools, extract or delete important data, embed backdoors, or perform lateral movement within a network. grafana_labs: PT-CR-2328: Grafana_Plugin_Stopped: A plugin was stopped in Grafana. An attacker can disable Grafana by stopping critical modules. mitre_attck_impact: PT-CR-502: Stop_Important_Service_Registry: Detection of attempts to stop an important service. The list of services is in the table list Significant_Services. mitre_attck_impact: PT-CR-2537: Subrule_SMB_Takeover: The LanmanServer startup type is changed to "Disabled" mitre_attck_impact: PT-CR-501: Stop_Important_Service: Attempt to stop an important service mitre_attck_impact: PT-CR-2536: SMB_Takeover: The LanmanServer startup type is changed to "Disabled." This may indicate the use of the SMB Takeover technique that consists of unbinding and rebinding TCP port 445 to control it, for example, during SMB Relay attacks. mssql_database: PT-CR-425: MSSQL_Windows_Service_Control: An attempt to change a Windows service state from a database capabilities_impact: PT-CR-2892: CAP_Stop_Application_Or_System: Stopping a system or application capabilities_impact: PT-CR-2842: CAP_Stop_Service: Stopping a critical service

Detection

ID	DS0017	Data source and component	Command: Command Execution	Description	Monitor executed commands and arguments that may stop or disable services on a system to render those services unavailable to legitimate users.

ID	DS0024	Data source and component	Windows Registry: Windows Registry Key Modification	Description	Monitor for changes made to windows registry keys and/or values that may stop or disable services on a system to render those services unavailable to legitimate users.

ID	DS0022	Data source and component	File: File Modification	Description	Monitor for changes made to files that may stop or disable services on a system to render those services unavailable to legitimate users.

ID	DS0019	Data source and component	Service: Service Metadata	Description	Alterations to the service binary path or the service startup type changed to disabled may be suspicious.

ID	DS0009	Data source and component	Process: OS API Execution	Description	Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. For example, `ChangeServiceConfigW` may be used by an adversary to prevent services from starting.

ID	DS0009	Data source and component	Process: Process Creation	Description	Monitor for newly executed processes that may stop or disable services on a system to render those services unavailable to legitimate users.

ID	DS0009	Data source and component	Process: Process Termination	Description	Monitor processes and command-line arguments to see if critical processes are terminated or stop running.

ID	Data source and component	Description
DS0017	Command: Command Execution	Monitor executed commands and arguments that may stop or disable services on a system to render those services unavailable to legitimate users.
DS0024	Windows Registry: Windows Registry Key Modification	Monitor for changes made to windows registry keys and/or values that may stop or disable services on a system to render those services unavailable to legitimate users.
DS0022	File: File Modification	Monitor for changes made to files that may stop or disable services on a system to render those services unavailable to legitimate users.
DS0019	Service: Service Metadata	Alterations to the service binary path or the service startup type changed to disabled may be suspicious.
DS0009	Process: OS API Execution	Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. For example, `ChangeServiceConfigW` may be used by an adversary to prevent services from starting.
DS0009	Process: Process Creation	Monitor for newly executed processes that may stop or disable services on a system to render those services unavailable to legitimate users.
DS0009	Process: Process Termination	Monitor processes and command-line arguments to see if critical processes are terminated or stop running.

Mitigation

ID	M1018	Name	User Account Management	Description	Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service configurations.

ID	M1022	Name	Restrict File and Directory Permissions	Description	Ensure proper process and file permissions are in place to inhibit adversaries from disabling or interfering with critical services.

ID	M1024	Name	Restrict Registry Permissions	Description	Ensure proper registry permissions are in place to inhibit adversaries from disabling or interfering with critical services.

ID	M1030	Name	Network Segmentation	Description	Operate intrusion detection, analysis, and response systems on a separate network from the production environment to lessen the chances that an adversary can see and interfere with critical response functions.

ID	Name	Description
M1018	User Account Management	Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service configurations.
M1022	Restrict File and Directory Permissions	Ensure proper process and file permissions are in place to inhibit adversaries from disabling or interfering with critical services.
M1024	Restrict Registry Permissions	Ensure proper registry permissions are in place to inhibit adversaries from disabling or interfering with critical services.
M1030	Network Segmentation	Operate intrusion detection, analysis, and response systems on a separate network from the production environment to lessen the chances that an adversary can see and interfere with critical response functions.