Description
Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.(Citation: Talos Olympic Destroyer 2018)(Citation: Novetta Blockbuster)
Adversaries may accomplish this by disabling individual services of high importance to an organization, such as MSExchangeIS, which will make Exchange content inaccessible.(Citation: Novetta Blockbuster) In some cases, adversaries may stop or disable many or all services to render systems unusable.(Citation: Talos Olympic Destroyer 2018) Services or processes may not allow for modification of their data stores while running. Adversaries may stop services or processes in order to conduct Data Destruction or Data Encrypted for Impact on the data stores of services like Exchange and SQL Server, or on virtual machines hosted on ESXi infrastructure.(Citation: SecureWorks WannaCry Analysis)(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021)
Threat actors may also disable or stop services in cloud environments. For example, by leveraging the DisableAWSServiceAccess API in AWS, a threat actor may prevent the service from creating service-linked roles on new accounts in the AWS Organization.(Citation: Datadog Security Labs Cloud Persistence 2025)(Citation: AWS DisableAWSServiceAccess)
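As an added detection-side example (not part of the ATT&CK page), the following Python flags the patterns described above over constructed Service Control Manager records: a stop of a named critical service such as MSExchangeIS or MSSQLSERVER, a start type changed to disabled, and a burst of stops on one host. Event IDs 7036 and 7040 are the Windows SCM event IDs for a service state change and a start-type change; the key=value record format, host names and timestamps are all constructed for the example.

```python
"""Flag T1489 (Service Stop) indicators in Service Control Manager telemetry.
Added example, not from the ATT&CK page. Event ID 7036 records a service state
change, 7040 a start-type change; the key=value records are constructed data."""
from collections import defaultdict
from datetime import datetime, timedelta

CRITICAL_SERVICES = {"MSExchangeIS", "MSSQLSERVER"}  # named on the page
BURST_THRESHOLD, BURST_WINDOW = 5, timedelta(seconds=60)

SAMPLE_LOG = """\
2025-01-10T03:00:01 host=mail01 id=7036 svc=MSExchangeIS state=stopped
2025-01-10T03:00:03 host=db01 id=7040 svc=MSSQLSERVER start=disabled
2025-01-10T03:00:04 host=db01 id=7036 svc=MSSQLSERVER state=stopped
2025-01-10T03:05:10 host=fs02 id=7036 svc=VSS state=stopped
2025-01-10T03:05:11 host=fs02 id=7036 svc=wbengine state=stopped
2025-01-10T03:05:12 host=fs02 id=7036 svc=SQLWriter state=stopped
2025-01-10T03:05:13 host=fs02 id=7036 svc=WinDefend state=stopped
2025-01-10T03:05:14 host=fs02 id=7036 svc=Spooler state=stopped
"""

def parse(line):
    """Split one 'timestamp key=value ...' record into a dict."""
    ts, rest = line.split(" ", 1)
    ev = dict(kv.split("=", 1) for kv in rest.split())
    ev["ts"], ev["id"] = datetime.fromisoformat(ts), int(ev["id"])
    return ev

def detect(log_text):
    """Return (host, rule, detail) alerts: a critical service stopped, a
    service set to disabled, or a burst of stops on one host (mass disable)."""
    alerts, stops_by_host = [], defaultdict(list)
    for line in filter(str.strip, log_text.splitlines()):
        ev = parse(line)
        host, svc = ev["host"], ev["svc"]
        if ev["id"] == 7040 and ev.get("start") == "disabled":
            alerts.append((host, "service_disabled", svc))
        if ev["id"] == 7036 and ev.get("state") == "stopped":
            if svc in CRITICAL_SERVICES:
                alerts.append((host, "critical_service_stopped", svc))
            stops_by_host[host].append(ev["ts"])
    # Burst rule: many stops on one host in BURST_WINDOW (Olympic Destroyer pattern)
    for host, times in stops_by_host.items():
        times.sort()
        for i, start in enumerate(times):
            in_window = [t for t in times[i:] if t - start <= BURST_WINDOW]
            if len(in_window) >= BURST_THRESHOLD:
                alerts.append((host, "mass_service_stop", f"{len(in_window)} stops"))
                break
    return alerts
```

Tune CRITICAL_SERVICES and the burst threshold to the host role; a single stop of a backup or database service on a file server is usually worth a ticket, while the same event on a workstation is routine.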
Mitigations (5)
Network Segmentation (M1030)
Operate intrusion detection, analysis, and response systems on a separate network from the production environment to lessen the chances that an adversary can see and interfere with critical response functions.
User Account Management (M1018)
Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service configurations.
Out-of-Band Communications Channel (M1060)
Develop and enforce security policies that include the use of out-of-band communication channels for critical communications during a security incident.(Citation: TrustedSec OOB Communications)
Restrict Registry Permissions (M1024)
Ensure proper registry permissions are in place to inhibit adversaries from disabling or interfering with critical services.
Restrict File and Directory Permissions (M1022)
Ensure proper process and file permissions are in place to inhibit adversaries from disabling or interfering with critical services.
Threat Groups (7)
| ID | Group | Context |
|---|---|---|
| G1051 | Medusa Group | [Medusa Group](https://attack.mitre.org/groups/G1051) has terminated services related to backups, security, databases, communication, filesharing and ... |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has disabled actively running virtual environments using the `KillMe` function to include VMware, Mic... |
| G0032 | Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) has stopped the MSExchangeIS service to render Exchange contents inaccessible to users.(Citatio... |
| G0034 | Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034) attempts to stop the MSSQL Windows service to ensure successful encryption of locked files.(Cit... |
| G1004 | LAPSUS$ | [LAPSUS$](https://attack.mitre.org/groups/G1004) has shut down virtual machines from within a victim's on-premise VMware ESXi infrastructure.(Citation... |
| G0102 | Wizard Spider | [Wizard Spider](https://attack.mitre.org/groups/G0102) has used taskkill.exe and net.exe to stop backup, catalog, cloud, and other services prior to n... |
| G0119 | Indrik Spider | [Indrik Spider](https://attack.mitre.org/groups/G0119) has used [PsExec](https://attack.mitre.org/software/S0029) to stop services prior to the execut... |
Associated Software (47)
| ID | Name | Type | Context |
|---|---|---|---|
| S0611 | Clop | Malware | [Clop](https://attack.mitre.org/software/S0611) can kill several processes and services related to backups and security solutions.(Citation: Unit42 Cl... |
| S0582 | LookBack | Malware | [LookBack](https://attack.mitre.org/software/S0582) can kill processes and delete services.(Citation: Proofpoint LookBack Malware Aug 2019) |
| S1247 | Embargo | Malware | [Embargo](https://attack.mitre.org/software/S1247) has terminated active processes and services based on a hardcoded list using the `CloseServiceHandl... |
| S0688 | Meteor | Malware | [Meteor](https://attack.mitre.org/software/S0688) can disconnect all network adapters on a compromised host using `powershell -Command "Get-WmiObject ... |
| S1211 | Hannotog | Malware | [Hannotog](https://attack.mitre.org/software/S1211) can stop Windows services.(Citation: Symantec Bilbug 2022) |
| S0366 | WannaCry | Malware | [WannaCry](https://attack.mitre.org/software/S0366) attempts to kill processes associated with Exchange, Microsoft SQL Server, and MySQL to make it po... |
| S9014 | PHASEJAM | Malware | [PHASEJAM](https://attack.mitre.org/software/S9014) has disabled the `cgi-server` process on Ivanti Connect Secure appliances.(Citation: Google UNC522... |
| S1073 | Royal | Malware | [Royal](https://attack.mitre.org/software/S1073) can use `RmShutDown` to kill applications and services using the resources that are targeted for enc... |
| S0659 | Diavol | Malware | [Diavol](https://attack.mitre.org/software/S0659) will terminate services using the Service Control Manager (SCM) API.(Citation: Fortinet Diavol July ... |
| S0640 | Avaddon | Malware | [Avaddon](https://attack.mitre.org/software/S0640) looks for and attempts to stop database processes.(Citation: Arxiv Avaddon Feb 2021) |
| S0365 | Olympic Destroyer | Malware | [Olympic Destroyer](https://attack.mitre.org/software/S0365) uses the API call `ChangeServiceConfigW` to disable all services on the affect... |
| S1096 | Cheerscrypt | Malware | [Cheerscrypt](https://attack.mitre.org/software/S1096) has the ability to terminate VM processes on compromised hosts through execution of `esxcli vm ... |
| S1058 | Prestige | Malware | [Prestige](https://attack.mitre.org/software/S1058) has attempted to stop the MSSQL Windows service to ensure successful encryption using `C:\Windows\... |
| S0556 | Pay2Key | Malware | [Pay2Key](https://attack.mitre.org/software/S0556) can stop the MS SQL service at the end of the encryption process to release files locked by the ser... |
| S1068 | BlackCat | Malware | [BlackCat](https://attack.mitre.org/software/S1068) has the ability to stop VM services on compromised networks.(Citation: Microsoft BlackCat Jun 2022... |
| S1242 | Qilin | Malware | [Qilin](https://attack.mitre.org/software/S1242) can terminate specific services on compromised hosts.(Citation: Trend Micro Agenda Ransomware AUG 202... |
| S0400 | RobbinHood | Malware | [RobbinHood](https://attack.mitre.org/software/S0400) stops 181 Windows services on the system before beginning the encryption process.(Citation: Carb... |
| S1199 | LockBit 2.0 | Malware | [LockBit 2.0](https://attack.mitre.org/software/S1199) can automatically terminate processes that may interfere with the encryption or file extraction... |
| S1191 | Megazord | Malware | [Megazord](https://attack.mitre.org/software/S1191) has the ability to terminate a list of services and processes.(Citation: Palo Alto Howling Scorpiu... |
| S0638 | Babuk | Malware | [Babuk](https://attack.mitre.org/software/S0638) can stop specific services related to backups.(Citation: Sogeti CERT ESEC Babuk March 2021)(Citation:... |
References
- AWS. (n.d.). DisableAWSServiceAccess. Retrieved May 22, 2025.
- Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019.
- Martin McCloskey. (2025, May 13). Tales from the cloud trenches: The Attacker doth persist too much, methinks. Retrieved May 22, 2025.
- Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019.
- Michael Dawson. (2021, August 30). Hypervisor Jackpotting, Part 2: eCrime Actors Increase Targeting of ESXi Servers with Ransomware. Retrieved March 26, 2025.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
Frequently Asked Questions
What is T1489 (Service Stop)?
T1489 is a MITRE ATT&CK technique named 'Service Stop'. It belongs to the Impact tactic(s). Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or ai...
How can T1489 be detected?
Detection of T1489 (Service Stop) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1489?
There are 5 documented mitigations for T1489. Key mitigations include: Network Segmentation, User Account Management, Out-of-Band Communications Channel, Restrict Registry Permissions, Restrict File and Directory Permissions.
Which threat groups use T1489?
Known threat groups using T1489 include: Medusa Group, Kimsuky, Lazarus Group, Sandworm Team, LAPSUS$, Wizard Spider, Indrik Spider.