TID-222: Critical System Service May Be Disabled
Threat Description
Various devices and their associated services are necessary to support communications and connections on a network. If a key service is disabled, terminated, or reconfigured, a threat actor can disrupt or disable communications on that network. This could occur on network equipment such as switches, firewalls, or routers, as well as on other devices that run dedicated processes to facilitate communication over specific protocols or physical media (e.g., serial).
Threat Maturity and Evidence
Observed Adversary Behavior
ATT&CK Technique: Service Stop (T0881)
Procedure Example: Industroyer (S0604)
“Industroyer has the capability to stop a service itself, or to login as a user and stop a service as that user.”
Procedure Example: Industroyer2 (S1072)
“Industroyer2 has the capability to terminate specified processes (i.e., PServiceControl.exe and PService_PDD.exe) and rename each process to prevent restart. These are defined through a hardcoded configuration.”
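As an added defender-side illustration (not part of the EMB3D entry, ATT&CK, or any vendor tooling), the following Python replays Service Control Manager "entered the stopped state" messages (event ID 7036) to find critical services that were never restarted, and compares a process snapshot against the expected images to surface the rename-to-prevent-restart behaviour described for Industroyer2. The log lines, process snapshot, and the treatment of PServiceControl and PService_PDD as the critical set are constructed assumptions for the example.

```python
import re

# Constructed sample Service Control Manager (event ID 7036) messages, oldest first.
SAMPLE_EVENTS = [
    "7036 The Windows Update service entered the stopped state.",
    "7036 The PServiceControl service entered the stopped state.",
    "7036 The PService_PDD service entered the stopped state.",
    "7036 The Windows Update service entered the running state.",
]
# Constructed process snapshot taken after the stops: the original images are
# gone and one has been renamed so an automatic restart cannot find it.
SAMPLE_PROCESSES = ["svchost.exe", "PServiceControl.exe.old", "explorer.exe"]

CRITICAL_SERVICES = {"PServiceControl", "PService_PDD"}   # assumed critical set
EXPECTED_IMAGES = {"PServiceControl.exe", "PService_PDD.exe"}

EVENT_RE = re.compile(
    r"^7036 The (?P<name>.+?) service entered the (?P<state>\w+) state\.$"
)

def final_service_states(events):
    """Replay 7036 messages and return the last known state of each service."""
    states = {}
    for line in events:
        m = EVENT_RE.match(line)
        if m:
            states[m.group("name")] = m.group("state")
    return states

def stopped_critical_services(events, critical=CRITICAL_SERVICES):
    """Critical services whose most recent state is 'stopped' (never restarted)."""
    states = final_service_states(events)
    return sorted(s for s in critical if states.get(s) == "stopped")

def missing_or_renamed_images(processes, expected=EXPECTED_IMAGES):
    """Expected images absent from the snapshot, each with any look-alike name found."""
    running = set(processes)
    report = {}
    for image in sorted(expected - running):
        stem = image[:-len(".exe")]
        report[image] = sorted(p for p in running if p.startswith(stem) and p != image)
    return report

if __name__ == "__main__":
    print("stopped critical services:", stopped_critical_services(SAMPLE_EVENTS))
    print("missing images:", missing_or_renamed_images(SAMPLE_PROCESSES))
```

Feeding the same two checks with live event-log exports and a periodic process listing gives a simple alert for the condition this threat describes: a critical service stopped and its image no longer present under its expected name.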
CWE
CWE-306: Missing Authentication for Critical Function
“The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.”
CWE-15: External Control of System or Configuration Setting
“One or more system settings or configuration elements can be externally controlled by a user.”