MITRE ATT&CK® Technique

T0881: Service Stop

Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment. [1] Services may not allow for modification of their data stores while running. Adversaries may stop services in order to conduct Data Destruction. [1]

ICS | T0881 | Technique | Object v1.1 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Service Stop matters because disabling services in an ICS environment can remove the very functions operators and responders rely on: HMI visibility, historian collection, control-server functions, remote access paths, gateways, firewalls, or supporting workstation services. ATT&CK also notes that stopping services can support data destruction by making data stores modifiable. For business leaders, this is not just an endpoint event; in operational technology it can affect incident response, process visibility, remote operations, and safety-adjacent functions depending on which asset is involved.

Executive priority

Prioritize this behavior where service availability underpins operational continuity: HMIs, control servers, data historians, engineering/operator workstations, jump hosts, VPN servers, data gateways, firewalls, switches, RTUs, IEDs, and safety controllers are all listed as targeted ICS assets. Leaders should ask whether critical ICS services are inventoried, whether only authorized accounts can stop or disable them, whether service-stop events are visible to the SOC, and whether operations has recovery procedures that distinguish authorized maintenance from malicious disruption. This technique is especially relevant to resilience planning, privileged access review, segmentation validation, and audit evidence around change control in OT environments.

Technical view

SOC and IR teams should validate monitoring for service stop or service disable activity on the ICS asset classes identified by ATT&CK, with extra attention to Windows and Linux workstations, HMIs, control servers, historians, application servers, VPN servers, jump hosts, and network/security infrastructure where supported by the asset relationship context. ATT&CK provides no native detection text for T0881, but the relationship to DET0765, Detection of Service Stop, indicates a detection strategy exists. Engineering should focus on whether service-control actions are logged, attributable to a user/process/session, correlated with maintenance windows, and mapped to critical ICS applications. Relationship context also shows use by REvil, Industroyer, EKANS, KillDisk, and Industroyer2, so detections should be treated as impact/disruption-relevant behavior rather than only routine administration.

Likely telemetry

  • Service control and service state-change logs from Windows and Linux systems where available
  • Process execution records showing service management utilities or service-controller activity
  • Account authentication and authorization logs for users able to stop or disable services
  • Configuration/change-management records for planned maintenance involving ICS services
  • Endpoint telemetry from operator workstations, engineering workstations, HMIs, servers, jump hosts, and VPN servers

Detection direction

  • Use DET0765 as the ATT&CK-linked detection reference, then validate it against local ICS service inventories and maintenance workflows.
  • Alert on stopping or disabling services tied to control, visibility, alarm handling, remote access, logging, security enforcement, or data storage functions.
  • Tune for expected maintenance windows and authorized engineering activity to reduce false positives, but require strong attribution and change records for high-impact services.
  • Correlate service stops with privileged logons, remote sessions, process execution, configuration changes, and any loss of telemetry from HMIs, historians, gateways, or control servers.
  • Identify blind spots on embedded, network, and specialized ICS assets where traditional endpoint logs may not exist or may not be centrally collected.
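
The telemetry and detection points above, carried through as runnable detection logic. This is an added example, not code from the Glexia page, from MITRE, or from DET0765: it normalises constructed Windows Service Control Manager records (event 7036 state change, event 7040 start type change) and a systemd journal line, checks each stop or disable against a constructed critical-service inventory keyed by ICS function, attributes stops that the service log itself does not attribute by correlating with a nearby process-creation record on the same host, suppresses only attributed, low-impact stops inside an approved maintenance window, and still raises high-impact functions (control, alarm handling, security enforcement, logging) during maintenance so a change record can be demanded. Host names, service names, user names, the inventory, the windows and the record layout are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

UTC = timezone.utc
# Constructed inventory of critical ICS services per host, each mapped to the
# function it supports (assumption: the organisation keeps such an inventory).
CRITICAL_SERVICES = {
    "HMI-01": {"HMIRuntimeSvc": "visibility", "AlarmServerSvc": "alarm handling"},
    "HIST-01": {"HistorianCollector": "data storage"},
    "JUMP-01": {"TermService": "remote access", "WinDefend": "security enforcement"},
    "GW-01": {"opc-gateway.service": "control", "rsyslog.service": "logging"},
}
# Functions whose loss still needs a change record even during approved maintenance.
HIGH_IMPACT = {"control", "alarm handling", "security enforcement", "logging"}
# Constructed approved maintenance windows: host -> [(start, end)] in UTC.
MAINTENANCE_WINDOWS = {
    "HIST-01": [(datetime(2024, 5, 10, 2, 0, tzinfo=UTC), datetime(2024, 5, 10, 4, 0, tzinfo=UTC))],
    "GW-01": [(datetime(2024, 5, 11, 13, 0, tzinfo=UTC), datetime(2024, 5, 11, 14, 0, tzinfo=UTC))],
}

@dataclass
class ServiceEvent:
    ts: datetime
    host: str
    service: str
    action: str          # "stop" or "disable"
    user: Optional[str]  # None when the record itself does not name who acted
    source: str          # which log produced the record

@dataclass
class Alert:
    event: ServiceEvent
    function: str
    severity: str
    user: Optional[str]
    reasons: list

# Message wording follows Windows Service Control Manager events 7036 (state change) and 7040 (start type
# change) and a systemd "Stopped <unit>" line; the record layout "<iso-ts> <host> <source> <user|-> <message>" is constructed.
WIN_STOPPED = re.compile(r"^The (?P<svc>.+?) service entered the stopped state\.$")
WIN_DISABLED = re.compile(r"^The start type of the (?P<svc>.+?) service was changed from .+ to disabled\.$")
SYSTEMD_STOPPED = re.compile(r"^systemd\[1\]: Stopped (?P<unit>\S+\.service)\b")
def parse_record(line: str) -> Optional[ServiceEvent]:
    """Normalise one record into a ServiceEvent; None if it is not a stop/disable."""
    ts_s, host, src, user, msg = line.split(" ", 4)
    ts, user = datetime.fromisoformat(ts_s), (None if user == "-" else user)
    if src == "7036" and (m := WIN_STOPPED.match(msg)):
        return ServiceEvent(ts, host, m["svc"], "stop", user, "win:7036")
    if src == "7040" and (m := WIN_DISABLED.match(msg)):
        return ServiceEvent(ts, host, m["svc"], "disable", user, "win:7040")
    if src == "journal" and (m := SYSTEMD_STOPPED.match(msg)):
        return ServiceEvent(ts, host, m["unit"], "stop", user, "systemd")
    return None

def in_maintenance(host: str, ts: datetime) -> bool:
    return any(start <= ts <= end for start, end in MAINTENANCE_WINDOWS.get(host, []))

def evaluate(records: list[str]) -> list[Alert]:
    """Apply inventory, attribution (via source-4688 process records) and maintenance-window logic."""
    procs = [line.split(" ", 4) for line in records if line.split(" ", 3)[2] == "4688"]
    alerts = []
    for ev in filter(None, map(parse_record, records)):
        function = CRITICAL_SERVICES.get(ev.host, {}).get(ev.service)
        if function is None:
            continue  # not an inventoried critical service on this asset
        user, reasons = ev.user, [f"{ev.action} of {function} service {ev.service} on {ev.host} ({ev.source})"]
        if user is None:
            # Attribute via a process record on the same host in the preceding 60 s naming the service.
            for pts, phost, _src, puser, pcmd in procs:
                age = (ev.ts - datetime.fromisoformat(pts)).total_seconds()
                if phost == ev.host and 0 <= age <= 60 and ev.service in pcmd:
                    user, reasons = puser, reasons + [f"attributed via process record: {pcmd}"]
                    break
        maint = in_maintenance(ev.host, ev.ts)
        if maint and user is not None and function not in HIGH_IMPACT:
            continue  # attributed, low-impact, inside an approved window: expected maintenance
        if user is None:
            reasons.append("no attributable user in service or process telemetry")
        reasons.append("inside approved window; high-impact function still needs a change record"
                       if maint else "outside any approved maintenance window")
        severity = "medium" if maint and user is not None else "high"
        alerts.append(Alert(ev, function, severity, user, reasons))
    return alerts

# Constructed sample telemetry for this example; these are not real log records.
SAMPLE_RECORDS = [
    "2024-05-10T02:30:00+00:00 HIST-01 7036 hist_admin The HistorianCollector service entered the stopped state.",
    "2024-05-11T13:02:10+00:00 HMI-01 4688 op_contractor sc.exe stop HMIRuntimeSvc",
    "2024-05-11T13:02:14+00:00 HMI-01 7036 - The HMIRuntimeSvc service entered the stopped state.",
    "2024-05-11T13:05:00+00:00 JUMP-01 7040 - The start type of the WinDefend service was changed from auto start to disabled.",
    "2024-05-11T13:06:00+00:00 HMI-01 7036 - The Spooler service entered the stopped state.",
    "2024-05-11T13:10:00+00:00 GW-01 journal gw_ops systemd[1]: Stopped opc-gateway.service - OPC gateway.",
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_RECORDS):
        print(f"[{a.severity.upper()}] {a.event.host} {a.event.service} user={a.user}: " + "; ".join(a.reasons))
```

On the sample records the historian stop is suppressed (attributed, inside its window, a non-high-impact function), the HMI runtime stop is raised at high severity and attributed to the account that ran the service-control command a few seconds earlier, the disabled endpoint-protection service on the jump host is raised at high severity with no attributable user, the non-inventoried print spooler is ignored, and the OPC gateway stop is raised at medium severity because it falls inside an approved window but touches a control function. The blind spots the last bullet describes (RTUs, IEDs, switches, firewalls) produce no records of this shape at all, which is exactly why the inventory should list them even though this logic cannot see them.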

Mitigation priorities

  • Start with User Account Management (M0918): restrict who can create, modify, use, or grant permissions to accounts capable of stopping critical services.
  • Restrict file and directory permissions (M0922) for service binaries, configuration, and data stores so service stoppage cannot be easily paired with unauthorized modification or destruction.
  • Restrict registry permissions (M0924) where Windows service configuration is relevant, especially for critical ICS applications and supporting security tools.
  • Apply Network Segmentation (M0930) to limit access paths from enterprise, remote access, and nonessential networks into critical process-control systems and service-management interfaces.
  • Maintain an approved inventory of critical services by asset type and define operational recovery procedures for restoring them safely.

Analyst notes and limits

ATT&CK T0881 is an ICS technique derived from the broader Enterprise ATT&CK Service Stop reference. The supplied relationship set makes this technique material across many ICS asset types, including workstations, HMIs, RTUs, IEDs, historians, control servers, application servers, data gateways, safety controllers, VPN servers, jump hosts, switches, and firewalls. The software relationships show this behavior is represented in multiple malware families/frameworks in ATT&CK, including ransomware, wipers, and ICS-focused malware; this should drive defensive validation without implying current activity in any specific environment.

The ATT&CK object does not specify tactics, platforms at the technique level, or official detection text. Platform references are available through related assets and software, not as a direct T0881 platform field. Local asset inventory, service criticality, logging architecture, and maintenance practices are required to determine actual risk and detection coverage.

Official MITRE ATT&CK definition

Service Stop

Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment. [1] Services may not allow for modification of their data stores while running. Adversaries may stop services in order to conduct Data Destruction. [1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Associated objects

Groups, software, and campaigns

Malware, ICS

S0605: EKANS

EKANS is a ransomware variant written in Golang that first appeared in mid-December 2019 and has been used against multiple sectors, including energy, healthcare, and automotive manufacturing, which in some cases resulted in significant operational disruptions. EKANS has used a hard-coded kill-list of processes, including some associated with common ICS software platforms (e.g., GE Proficy, Honeywell HMIWeb, etc.), similar to those defined in MegaCortex.[1][2]

Platforms: Windows

Malware, ICS

S0496: REvil

REvil is a ransomware family that has been linked to the GOLD SOUTHFIELD group and operated as ransomware-as-a-service (RaaS) since at least April 2019. REvil, which has been used against organizations in the manufacturing, transportation, and electric sectors, is highly configurable and shares code similarities with the GandCrab RaaS.[1][2][3]

Platforms: Windows

Malware, ICS

S1072: Industroyer2

Industroyer2 is a compiled and static piece of malware that has the ability to communicate over the IEC-104 protocol. It is similar to the IEC-104 module found in Industroyer. Security researchers assess that Industroyer2 was designed to cause impact to high-voltage electrical substations. The initial Industroyer2 sample was compiled on 03/23/2022 and scheduled to execute on 04/08/2022; however, it was discovered before deploying, resulting in no impact.[1]

Platforms: Field Controller/RTU/PLC/IED, Engineering Workstation

Malware, ICS

S0604: Industroyer

Industroyer is a sophisticated malware framework designed to cause an impact to the working processes of Industrial Control Systems (ICS), specifically components used in electrical substations.[1] Industroyer was used in the attacks on the Ukrainian power grid in December 2016.[2] This is the first publicly known malware specifically designed to target and impact operations in the electric grid.[3]

Platforms: Windows

Malware, ICS

S0607: KillDisk

KillDisk is a disk-wiping tool designed to overwrite files with random data to render the OS unbootable. It was first observed as a component of BlackEnergy malware during cyber attacks against Ukraine in 2015. KillDisk has since evolved into stand-alone malware used by a variety of threat actors against additional targets in Europe and Latin America; in 2016 a ransomware component was also incorporated into some KillDisk variants.[1][2][3][4]

Platforms: Linux, Windows
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 449c7f0932c6cc05...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.1            |          | Current bundle | 449c7f0932c6…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Enterprise ATT&CK. Service Stop. Retrieved 2019/10/29.
  2. [2] mitre-attack: T0881
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.