服务停止

对手可能会停止或禁用系统上的服务，以使合法用户无法使用这些服务。停止关键服务可能会抑制或停止对事件的响应，或者有助于对手的总体目标，从而对环境造成破坏。

攻击者可以通过禁用对组织非常重要的单个服务来实现此目的，例如MSExchangeIS，这将使Exchange内容不可访问。在某些情况下，对手可能会停止或禁用许多或所有服务，从而使系统无法使用。服务可能不允许在运行时对其数据存储进行修改。对手可能会停止服务，以便对Exchange和SQL Server等服务的数据存储区进行数据销毁或加密处理，以对数据存储产生影响。

Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.

Adversaries may accomplish this by disabling individual services of high importance to an organization, such as MSExchangeIS, which will make Exchange content inaccessible . In some cases, adversaries may stop or disable many or all services to render systems unusable. Services may not allow for modification of their data stores while running. Adversaries may stop services in order to conduct Data Destruction or Data Encrypted for Impact on the data stores of services like Exchange and SQL Server.

标签

ID编号： T1489

策略： 影响

平台： Windows

所需权限： 管理员，SYSTEM，用户

数据源： 进程命令行参数，进程监视，Windows注册表，API监视

影响类型： 可用性

缓解措施

缓解	描述
网络细分(M1030)	在与生产环境不同的网络上操作入侵检测，分析和响应系统，以减少对手看到和干扰关键响应功能的机会。
限制文件和目录权限(M1022)	确保适当的流程和文件许可权已到位，以禁止对手禁用或干扰关键服务。
限制注册表权限(M1024)	确保适当的注册表权限到位，以阻止对手禁用或干扰关键服务。
用户帐号管理(M1018)	限制用户帐户和组的特权，以便只有授权的管理员才能与服务更改和服务配置进行交互。

Mitigation	Description
Network Segmentation(M1030)	Operate intrusion detection, analysis, and response systems on a separate network from the production environment to lessen the chances that an adversary can see and interfere with critical response functions.
Restrict File and Directory Permissions (M1022)	Ensure proper process and file permissions are in place to inhibit adversaries from disabling or interfering with critical services.
Restrict Registry Permissions(M1024)	Ensure proper registry permissions are in place to inhibit adversaries from disabling or interfering with critical services.
User Account Management(M1018)	Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service configurations.

检测

监视进程和命令行参数以查看关键进程是终止还是停止运行。

监视注册表编辑器，以对与非常重要的服务相对应的服务和启动程序进行修改。查找与已知软件，补丁程序周期等不相关的服务注册表项更改。服务信息存储在注册表中的HKLM\SYSTEM\CurrentControlSet\Services。

服务二进制路径的更改或服务启动类型更改为“禁用”可能是可疑的。

具有内置功能的远程访问工具可以直接与Windows API交互，以在典型的系统实用程序之外执行这些功能。例如，ChangeServiceConfigW可能被对手用来阻止服务启动。

Monitor processes and command-line arguments to see if critical processes are terminated or stop running.

Monitor Registry edits for modifications to services and startup programs that correspond to services of high importance. Look for changes to service Registry entries that do not correlate with known software, patch cycles, etc. Service information is stored in the Registry at HKLM\SYSTEM\CurrentControlSet\Services.

Alterations to the service binary path or the service startup type changed to disabled may be suspicious.

Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. For example, ChangeServiceConfigW may be used by an adversary to prevent services from starting.