DET0765: Detection of Service Stop
This detection strategy matters because stopping services in an ICS environment can remove capabilities that operators, responders, or systems depend on du...
Analyst context for executives and security teams
This detection strategy matters because stopping services in an ICS environment can remove capabilities that operators, responders, or systems depend on during normal operations or an incident. Even though MITRE does not provide detailed detection logic for DET0765, its relationship to Service Stop (T0881) makes it a useful prompt for leaders to ask whether critical services are monitored for unexpected stoppage, disablement, or availability loss.
Executive priority
Treat this as an operational resilience and incident readiness question: if a critical service is stopped, who knows, how quickly, and what decision is triggered? For ICS environments, service unavailability can affect response coordination, system availability, and potentially recovery from destructive activity. Priority should be based on which services support safety, operations, monitoring, remote access, backups, logging, and incident response.
Technical view
SOC, IR, and detection engineering teams should validate visibility for service stop or disable events associated with systems and services that are operationally important. Because the ATT&CK object does not specify platforms, tactics, or detection logic, teams should map this strategy to their local ICS asset inventory and operating environments rather than assuming a single log source or analytic. The relationship to T0881 indicates the focus should be on identifying unexpected service termination or disablement, especially where it could inhibit incident response or precede data destruction.
Likely telemetry
- Service control or service manager logs showing stop, disable, or failure events
- Endpoint or host logs from ICS support systems where available
- Operational technology monitoring or asset health telemetry indicating loss of service availability
- Change management, maintenance, and operator activity records to distinguish authorized service stoppage from suspicious activity
- Alerting from monitoring platforms that track critical application, security, backup, logging, or response services
Detection direction
- Define the list of critical services by asset and operational function before writing alerts.
- Tune detection around unexpected service stop, disablement, or repeated failure events outside approved maintenance windows.
- Correlate service stoppage with operator actions, administrative authentication, remote access, change tickets, and incident timelines when available.
- Prioritize services whose loss would reduce monitoring, logging, backups, response capability, or operational availability.
- Account for false positives from patching, maintenance, system restarts, and vendor-supported service cycles.
Mitigation priorities
- Maintain an inventory of critical services and owners for ICS and supporting systems.
- Establish approved maintenance windows and change records so detection can distinguish expected from unexpected stoppage.
- Restrict and review administrative capability to stop or disable critical services.
- Ensure monitoring covers service availability for security, logging, backup, remote access, and operational support functions.
- Document incident response actions for unexpected service stoppage, including escalation paths to operations and engineering teams.
Analyst notes and limits
DET0765 is a MITRE detection strategy object for Detection of Service Stop and detects the ICS ATT&CK technique Service Stop (T0881). The source object does not provide an official description, detection text, platforms, or tactics, so this take is framed around the relationship context and practical defensive validation rather than a specific analytic implementation.
MITRE provides only sparse fields for this detection strategy. No platform-specific event IDs, data components, analytic logic, or coverage claims are supplied. Local asset inventory, logging architecture, operational context, and change-management evidence are required to determine actual detection feasibility and priority.
Detection of Service Stop
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| ICS | T0881 | Service Stop | This object detects Service Stop. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 959b002651fe… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack DET0765Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.