Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.(Citation: Talos Olympic Destroyer 2018)(Citation: Novetta Blockbuster)
Adversaries may accomplish this by disabling individual services of high importance to an organization, such as <code>MSExchangeIS</code>, which will make Exchange content inaccessible.(Citation: Novetta Blockbuster) In some cases, adversaries may stop or disable many or all services to render systems unusable.(Citation: Talos Olympic Destroyer 2018) Services or processes may not allow for modification of their data stores while running. Adversaries may stop services or processes in order to conduct [Data Destruction](https://attack.mitre.org/techniques/T1485) or [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) on the data stores of services like Exchange and SQL Server, or on virtual machines hosted on ESXi infrastructure.(Citation: SecureWorks WannaCry Analysis)(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021)
Threat actors may also disable or stop service in cloud environments. For example, by leveraging the `DisableAPIServiceAccess` API in AWS, a threat actor may prevent the service from creating service-linked roles on new accounts in the AWS Organization.(Citation: Datadog Security Labs Cloud Persistence 2025)(Citation: AWS DisableAWSServiceAccess)
- [Atomic Test #8 - Abuse of linux magic system request key for Send a SIGTERM to all processes](#atomic-test-8---abuse-of-linux-magic-system-request-key-for-send-a-sigterm-to-all-processes)
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
net.exe stop #{service_name}
```
#### Cleanup Commands:
```cmd
net.exe start #{service_name} >nul 2>&1
```
<br/>
<br/>
## Atomic Test #3 - Windows - Stop service by killing process
Stops a specified service killng the service's process.
This technique was used by WannaCry. Upon execution, if the spoolsv service was running "SUCCESS: The process "spoolsv.exe" with PID 2316 has been terminated."
will be displayed. If the service was not running "ERROR: The process "spoolsv.exe" not found." will be displayed and it can be
| process_name | Name of a process to stop | string | cron|
| service_name | Name of a service to restart | string | cron|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sudo killall -SIGTERM #{process_name}
```
#### Cleanup Commands:
```sh
sudo systemctl start #{service_name} 2> /dev/null
```
<br/>
<br/>
## Atomic Test #6 - Linux - Stop service by killing process using kill
Stops a specified service by sending a SIGTERM signal to the linked process using the kill command. Upon execution, if the service's main process was running, it will be terminated.
If the service was not running, no process will be found to kill and it can be restarted by running the cleanup command.
You can list all available services with following command: "systemctl list-units --type=service"
| process_name | Name of a process to kill | string | cron|
| service_name | Name of a service to restart | string | cron|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sudo kill -SIGTERM $(pgrep #{process_name})
```
#### Cleanup Commands:
```sh
sudo systemctl start #{service_name} 2> /dev/null
```
<br/>
<br/>
## Atomic Test #7 - Linux - Stop service by killing process using pkill
Stops a specified service by sending a SIGTERM signal to the linked process using pkill. This method is effective when multiple instances of the process may be running.
Upon execution, if any instances of the process were running, they will be terminated. If no instances were running, pkill will not find any processes to kill.
Stopped service can be restarted by running the cleanup command.
You can list all available services with following command: "systemctl list-units --type=service"
## Atomic Test #8 - Abuse of linux magic system request key for Send a SIGTERM to all processes
Adversaries with root or sufficient privileges Send a SIGTERM to all processes, except for init. By writing 'e' to /proc/sysrq-trigger, they can forced kill all processes, except for init.
