From 1585dccdfae7dcd4402024b7b7d59e79db41bff0 Mon Sep 17 00:00:00 2001
From: Tony M Lambert
Date: Mon, 6 May 2019 06:23:02 -1000
Subject: [PATCH] T1489 Service Stop (#494)
* Update ATT&CK json for technique creation
* T1489 - Service Stop
---
atomics/T1489/T1489.yaml | 59 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 atomics/T1489/T1489.yaml
diff --git a/atomics/T1489/T1489.yaml b/atomics/T1489/T1489.yaml
new file mode 100644
index 00000000..fcf2b767
--- /dev/null
+++ b/atomics/T1489/T1489.yaml
@@ -0,0 +1,59 @@
+---
+attack_technique: T1489
+display_name: Service Stop
+
+atomic_tests:
+- name: Windows - Stop service using Service Controller
+ description: |
+ Stops a specified service using the sc.exe command.
+
+ supported_platforms:
+ - windows
+
+ input_arguments:
+ service_name:
+ description: Name of a service to stop
+ type: String
+ default: spooler
+
+ executor:
+ name: command_prompt
+ command: |
+ sc.exe stop #{service_name}
+
+- name: Windows - Stop service using net.exe
+ description: |
+ Stops a specified service using the net.exe command.
+
+ supported_platforms:
+ - windows
+
+ input_arguments:
+ service_name:
+ description: Name of a service to stop
+ type: String
+ default: spooler
+
+ executor:
+ name: command_prompt
+ command: |
+ net.exe stop #{service_name}
+
+- name: Windows - Stop service by killing process
+ description: |
+ Stops a specified service killng the service's process.
+ This technique was used by WannaCry.
+
+ supported_platforms:
+ - windows
+
+ input_arguments:
+ process_name:
+ description: Name of a process to kill
+ type: String
+ default: sqlwriter.exe
+
+ executor:
+ name: command_prompt
+ command: |
+ taskkill.exe /f /im #{process_name}
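Review bot: None of the three executors restores what it changes: the `sc.exe stop` and `net.exe stop` tests leave `#{service_name}` (default `spooler`) stopped, and the `taskkill.exe /f /im` test leaves the service behind `sqlwriter.exe` down, so the test host drifts from its baseline after every run. If the atomic schema at this commit accepts it, add a cleanup step to each executor, e.g. `cleanup_command: sc.exe start #{service_name}` for the first two, and a restart of the owning service for the third. These commands normally need an elevated prompt, which the file does not state; a `# requires an elevated command prompt` comment (or `elevation_required: true` where supported) would make a failed, non-elevated run easy to tell from a blocked one. The third description also has a typo, `killng` for `killing`.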