Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.(Citation: Talos Olympic Destroyer 2018)(Citation: Novetta Blockbuster)
Adversaries may accomplish this by disabling individual services of high importance to an organization, such as <code>MSExchangeIS</code>, which will make Exchange content inaccessible (Citation: Novetta Blockbuster). In some cases, adversaries may stop or disable many or all services to render systems unusable.(Citation: Talos Olympic Destroyer 2018) Services or processes may not allow for modification of their data stores while running. Adversaries may stop services or processes in order to conduct Data Destruction or Data Encrypted for Impact on the data stores of services like Exchange and SQL Server.(Citation: SecureWorks WannaCry Analysis)
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| intel-tdt | Intel Threat Detection Technology | CrowdStrike AMS | T1489 | Service Stop | |
Comments
Intel Threat Detection Technology (TDT), combined with CrowdStrike Falcon Accelerated Memory Scanning (CAMS), enhances cybersecurity defenses by enabling faster, real-time detection of Service Stop attacks. This integrated solution strengthens CrowdStrike Falcon, improving its ability to detect and mitigate cyber threats earlier in the kill chain, all while minimizing system performance impact.
Service Stop attacks involve adversaries stopping or disabling critical system services, often to hinder security monitoring tools or other protective mechanisms. By terminating essential services, attackers can reduce the effectiveness of security defenses, disrupt system operations, or create an environment for further exploitation. Service stopping techniques are often used in the post-exploitation phase to maintain persistence or cover tracks by neutralizing security controls.
Intel TDT plays a crucial role in identifying these threats by providing real-time telemetry on program execution, memory access, and control flow. This data helps security teams detect abnormal behaviors, such as suspicious service stoppages, unauthorized service manipulations, or attempts to disable critical system processes. These indicators of compromise signal potential abuse of service control functions to undermine security or facilitate malicious activities.
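The indicators described above (a high-value service such as MSExchangeIS being stopped or set to disabled, a stop command issued against it, and a burst of many services stopping at once) can be expressed as detection logic over Windows event data. The following is an added example written for this page; it is not Intel TDT, CrowdStrike Falcon or MITRE code. The event records are constructed to resemble fields from System log Event ID 7036 (service entered the stopped state), Event ID 7040 (start type changed) and Sysmon Event ID 1 (process creation); the list of critical services, the command-line hints and the bulk-stop threshold are assumptions to tune per environment.

```python
"""Detection sketch for ATT&CK T1489 (Service Stop) over Windows event records.

Added example for this mapping page, not vendor or MITRE code. Event dicts
below are constructed sample data shaped like System 7036/7040 and Sysmon 1
events; service list, command hints and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Services whose stop is high-impact on its own (assumed list; extend per site).
CRITICAL_SERVICES = {
    "MSExchangeIS",   # Exchange Information Store (named on the page)
    "MSSQLSERVER",    # SQL Server default instance
    "WinDefend",      # Microsoft Defender Antivirus
    "Sense",          # Defender for Endpoint sensor
    "EventLog",       # Windows Event Log
    "VSS",            # Volume Shadow Copy
}

# Command-line fragments commonly seen when services are stopped or disabled.
STOP_COMMAND_HINTS = ("sc stop", "sc config", "net stop", "taskkill", "stop-service")

# Bulk-stop heuristic (assumed): this many distinct services stopped per host
# within the window is treated as mass service stopping rather than maintenance.
BULK_STOP_COUNT = 5
BULK_STOP_WINDOW = timedelta(seconds=60)


def _ts(ev):
    return datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")


def _names_critical_service(cmdline):
    low = cmdline.lower()
    return any(svc.lower() in low for svc in CRITICAL_SERVICES)


def detect_service_stop(events):
    """Return (timestamp, rule, detail) findings for the given event dicts."""
    findings = []
    stops_by_host = defaultdict(list)   # host -> [(ts, service)] of 7036 stops
    last_bulk_alert = {}                # host -> ts of last bulk alert (dedup)
    for ev in sorted(events, key=_ts):
        ts, host, chan, eid = _ts(ev), ev["host"], ev["channel"], ev["event_id"]
        if chan == "System" and eid == 7036 and ev.get("state") == "stopped":
            svc = ev["service"]
            stops_by_host[host].append((ts, svc))
            if svc in CRITICAL_SERVICES:
                findings.append((ts, "critical_service_stopped", f"{host}: {svc}"))
            # Distinct services stopped on this host inside the trailing window.
            recent = {s for t, s in stops_by_host[host] if ts - t <= BULK_STOP_WINDOW}
            if (len(recent) >= BULK_STOP_COUNT
                    and ts - last_bulk_alert.get(host, datetime.min) > BULK_STOP_WINDOW):
                last_bulk_alert[host] = ts
                findings.append((ts, "bulk_service_stop",
                                 f"{host}: {len(recent)} services stopped within "
                                 f"{BULK_STOP_WINDOW.seconds}s: {sorted(recent)}"))
        elif chan == "System" and eid == 7040 and ev.get("new_start") == "disabled":
            if ev["service"] in CRITICAL_SERVICES:
                findings.append((ts, "critical_service_disabled", f"{host}: {ev['service']}"))
        elif chan == "Sysmon" and eid == 1:
            cmd = ev.get("cmdline", "")
            if any(h in cmd.lower() for h in STOP_COMMAND_HINTS) and _names_critical_service(cmd):
                findings.append((ts, "service_stop_command",
                                 f"{host}: {ev.get('user')} ran {cmd!r}"))
    return findings


# Constructed sample telemetry: one benign stop, a targeted Exchange stop, and
# a burst of six services stopping on a database host.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T02:00:00", "host": "ws01", "channel": "System", "event_id": 7036,
     "service": "Spooler", "state": "stopped"},
    {"ts": "2024-03-01T02:10:00", "host": "mail01", "channel": "Sysmon", "event_id": 1,
     "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net stop MSExchangeIS /y",
     "user": "CORP\\svc_backup"},
    {"ts": "2024-03-01T02:10:02", "host": "mail01", "channel": "System", "event_id": 7036,
     "service": "MSExchangeIS", "state": "stopped"},
    {"ts": "2024-03-01T02:10:05", "host": "mail01", "channel": "System", "event_id": 7040,
     "service": "MSExchangeIS", "old_start": "auto start", "new_start": "disabled"},
] + [
    {"ts": f"2024-03-01T03:00:{i * 5:02d}", "host": "db01", "channel": "System",
     "event_id": 7036, "service": svc, "state": "stopped"}
    for i, svc in enumerate(["MSSQLSERVER", "SQLBrowser", "SQLWriter", "Spooler", "Themes", "BITS"])
]

if __name__ == "__main__":
    for ts, rule, detail in detect_service_stop(SAMPLE_EVENTS):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {rule:<26} {detail}")
```

On the constructed sample the lone Spooler stop on ws01 produces nothing, the Exchange host yields three chained findings (the stop command, the 7036 stop and the 7040 change to disabled), and db01 yields a critical-service finding for MSSQLSERVER plus a single bulk-stop finding once the fifth distinct service stops; the dedup window prevents a second bulk alert when the sixth stops. Correlating the Sysmon command line with the subsequent 7036 event is what separates a deliberate service stop from a routine restart.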