|Tactic||Inhibit Response Function|
|Data Sources||Command: Command Execution, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Termination, Service: Service Metadata, Windows Registry: Windows Registry Key Modification|
|Asset||Human-Machine Interface, Control Server, Data Historian, Engineering Workstation|
Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.1
Services may not allow for modification of their data stores while running. Adversaries may stop services in order to conduct Data Destruction.1
- Before encrypting the process, EKANS first kills the process if its name matches one of the processes defined on the kill-list. 23 EKANS also utilizes
netshcommands to implement firewall rules that blocks any remote communication with the device.4
- Industroyer has the capability to stop a service itself, or to login as a user and stop a service as that user.5
- KillDisk looks for and terminates two non-standard processes, one of which is an ICS application.6
- REvil searches for all processes listed in the “prc” field within its configuration file and then terminates each process.7
- Network Segmentation - Segment operational network and systems to restrict access to critical system functions to predetermined management systems.8
- Restrict File and Directory Permissions - Ensure proper process and file permissions are in place to inhibit adversaries from disabling or interfering with critical services.
- Restrict Registry Permissions - Ensure proper registry permissions are in place to inhibit adversaries from disabling or interfering with critical services.
- User Account Management - Limit privileges of user accounts and groups so that only authorized administrators can change service states and configurations.
- Enterprise ATT&CK. (n.d.). Service Stop. Retrieved October 29, 2019.
- Daniel Kapellmann Zafra, Keith Lunden, Nathan Brubaker, Jeremy Kennelly. (2020, July 15). Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT. Retrieved April 12, 2021.
- Nathan Brubaker, Daniel Kapellmann Zafra, Keith Lunden, Ken Proska, Corey Hildebrandt. (2020, July 15). Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families. Retrieved April 12, 2021.
- Ben Hunter and Fred Gutierrez. (2020, July 01). EKANS Ransomware Targeting OT ICS Systems. Retrieved April 12, 2021.
- Anton Cherepanov, ESET. (2017, June 12). Win32/Industroyer: A new threat for industrial control systems. Retrieved September 15, 2017.
- Anton Cherepanov. (n.d.). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry. Retrieved October 29, 2019.
- McAfee Labs. (2019, October 02). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved April 12, 2021.
- Department of Homeland Security. (2016, September). Retrieved September 25, 2020.