Difference between revisions of "Technique/T0881"

From attackics
m (Text replacement - "Mitigation=Mitigation/M10" to "Mitigation=Mitigation/M09")
 
Line 8: Line 8:
 
|Assets=Human-Machine Interface,Control Server,Data Historian,Engineering Workstation
 
|Assets=Human-Machine Interface,Control Server,Data Historian,Engineering Workstation
 
|MitigationObjects={{Mitigation Object
 
|MitigationObjects={{Mitigation Object
|Mitigation=Mitigation/M1030
+
|Mitigation=Mitigation/M0930
 
|Description=Segment operational network and systems to restrict access to critical system functions to predetermined management systems.[[CiteRef::Guidance - DHS Defense in Depth - 201609]]
 
|Description=Segment operational network and systems to restrict access to critical system functions to predetermined management systems.[[CiteRef::Guidance - DHS Defense in Depth - 201609]]
 
}}{{Mitigation Object
 
}}{{Mitigation Object
|Mitigation=Mitigation/M1022
+
|Mitigation=Mitigation/M0922
 
|Description=Ensure proper process and file permissions are in place to inhibit adversaries from disabling or interfering with critical services.
 
|Description=Ensure proper process and file permissions are in place to inhibit adversaries from disabling or interfering with critical services.
 
}}{{Mitigation Object
 
}}{{Mitigation Object
|Mitigation=Mitigation/M1024
+
|Mitigation=Mitigation/M0924
 
|Description=Ensure proper registry permissions are in place to inhibit adversaries from disabling or interfering with critical services.
 
|Description=Ensure proper registry permissions are in place to inhibit adversaries from disabling or interfering with critical services.
 
}}{{Mitigation Object
 
}}{{Mitigation Object
|Mitigation=Mitigation/M1018
+
|Mitigation=Mitigation/M0918
 
|Description=Limit privileges of user accounts and groups so that only authorized administrators can change service states and configurations.
 
|Description=Limit privileges of user accounts and groups so that only authorized administrators can change service states and configurations.
 
}}
 
}}
 
}}
 
}}
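Review bot: the replacement renumbers four mitigation references (M1030 to M0930, M1022 to M0922, M1024 to M0924, M1018 to M0918), but the rendered Mitigations section below lists only three entries and has no bullet for the process and file permissions mitigation referenced as Mitigation/M0922; confirm that a Mitigation/M0922 page exists under the new numbering so that reference does not render as a missing link. The descriptions and the CiteRef are untouched by the prefix replacement, which is what a summary of "Mitigation=Mitigation/M10" to "Mitigation=Mitigation/M09" should produce.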

Latest revision as of 16:23, 12 April 2021

Service Stop
Technique
ID: T0881
Tactic: Inhibit Response Function
Data Sources: Process command-line parameters, Process monitoring, Windows Registry, API monitoring
Asset: Human-Machine Interface, Control Server, Data Historian, Engineering Workstation

Description

Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.[1]

Services may not allow for modification of their data stores while running. Adversaries may stop services in order to conduct Data Destruction.[1]


Procedure Examples

  • Before encrypting the process, EKANS first kills the process if its name matches one of the processes defined on the kill-list.[2][3] EKANS also utilizes netsh commands to implement firewall rules that block any remote communication with the device.[4]
  • Industroyer has the capability to stop a service itself, or to log in as a user and stop a service as that user.[5]
  • KillDisk looks for and terminates two non-standard processes, one of which is an ICS application.[6]
  • REvil searches for all processes listed in the "prc" field within its configuration file and then terminates each process.[7]
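Detection logic for the behaviours above, added here as an example that is not part of the ATT&CK for ICS page or its references: it scans constructed process-creation events (the Process command-line parameters and Process monitoring data sources) for service-stop, service-disable, process-kill and firewall-block commands, and escalates when one user produces several hits in a short window, the kill-list pattern seen in the procedure examples. The rule patterns, the event shape and every sample value are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta

# Command-line rules for the process-monitoring data sources listed for T0881.
# The patterns are assumptions for this example, not ATT&CK for ICS content.
RULES = {
    "service_stop": re.compile(r"\b(sc(\.exe)?\s+stop|net(\.exe)?\s+stop|Stop-Service)\b", re.I),
    "service_disable": re.compile(r"\bsc(\.exe)?\s+config\s+\S+\s+start=\s*disabled\b", re.I),
    "process_kill": re.compile(r"\btaskkill(\.exe)?\s+.*?/(f|im|pid)\b", re.I),
    "firewall_block": re.compile(r"\bnetsh(\.exe)?\s+advfirewall\b.*\baction=block\b", re.I),
}

# Constructed sample events shaped like Sysmon process-creation records:
# (UTC timestamp, user, command line). Not real telemetry.
SAMPLE_EVENTS = [
    ("2021-04-12T16:01:03Z", r"CORP\svc_hmi", "sc stop HistorianSvc"),
    ("2021-04-12T16:01:05Z", r"CORP\svc_hmi", 'net stop "OPC Server" /y'),
    ("2021-04-12T16:01:07Z", r"CORP\svc_hmi", "taskkill /F /IM hmi_runtime.exe"),
    ("2021-04-12T16:01:09Z", r"CORP\svc_hmi",
     "netsh advfirewall firewall add rule name=noremote dir=in action=block"),
    ("2021-04-12T16:02:00Z", r"CORP\admin", "sc query HistorianSvc"),
    ("2021-04-12T16:05:00Z", r"CORP\admin", "sc stop HistorianSvc"),
]

def classify(cmdline):
    """Return the names of every rule the command line matches."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]

def detect(events, window=timedelta(seconds=60), burst=2):
    """Alert on T0881-style activity. A lone hit is 'low'; `burst` or more hits
    by the same user inside `window` (the kill-list pattern in the procedure
    examples) escalates to 'high'."""
    alerts, recent = [], {}  # recent: user -> timestamps of earlier hits
    for ts_str, user, cmdline in events:
        hits = classify(cmdline)
        if not hits:
            continue
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        prior = [t for t in recent.get(user, []) if ts - t <= window] + [ts]
        recent[user] = prior
        alerts.append({"time": ts_str, "user": user, "rules": hits,
                       "severity": "high" if len(prior) >= burst else "low",
                       "technique": "T0881"})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The single administrator "sc stop" at the end stays at low severity, which is where the User Account Management mitigation (only authorized administrators may change service states) turns a detection into an allow-list decision.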

Mitigations

  • Network Segmentation - Segment operational network and systems to restrict access to critical system functions to predetermined management systems.[8]
  • Restrict Registry Permissions - Ensure proper registry permissions are in place to inhibit adversaries from disabling or interfering with critical services.
  • User Account Management - Limit privileges of user accounts and groups so that only authorized administrators can change service states and configurations.