diff --git a/atomics/T1489/T1489.md b/atomics/T1489/T1489.md
new file mode 100644
index 00000000..3238fd91
--- /dev/null
+++ b/atomics/T1489/T1489.md
@@ -0,0 +1,70 @@
+# T1489 - Service Stop
+## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1489)
+Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.(Citation: Talos Olympic Destroyer 2018)(Citation: Novetta Blockbuster)
+
+Adversaries may accomplish this by disabling individual services of high importance to an organization, such as MSExchangeIS, which will make Exchange content inaccessible (Citation: Novetta Blockbuster). In some cases, adversaries may stop or disable many or all services to render systems unusable.(Citation: Talos Olympic Destroyer 2018) Services may not allow for modification of their data stores while running. Adversaries may stop services in order to conduct [Data Destruction](https://attack.mitre.org/techniques/T1485) or [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) on the data stores of services like Exchange and SQL Server.(Citation: SecureWorks WannaCry Analysis)
+
+## Atomic Tests
+
+- [Atomic Test #1 - Windows - Stop service using Service Controller](#atomic-test-1---windows---stop-service-using-service-controller)
+
+- [Atomic Test #2 - Windows - Stop service using net.exe](#atomic-test-2---windows---stop-service-using-netexe)
+
+- [Atomic Test #3 - Windows - Stop service by killing process](#atomic-test-3---windows---stop-service-by-killing-process)
+
+
+
+
+## Atomic Test #1 - Windows - Stop service using Service Controller
+Stops a specified service using the sc.exe command.
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| service_name | Name of a service to stop | String | spooler|
+
+#### Run it with `command_prompt`!
+```
+sc.exe stop #{service_name}
+```
+
+
+
+## Atomic Test #2 - Windows - Stop service using net.exe
+Stops a specified service using the net.exe command.
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| service_name | Name of a service to stop | String | spooler|
+
+#### Run it with `command_prompt`!
+```
+net.exe stop #{service_name}
+```
+
+
+
+## Atomic Test #3 - Windows - Stop service by killing process
+Stops a specified service killng the service's process.
+This technique was used by WannaCry.
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| process_name | Name of a process to kill | String | sqlwriter.exe|
+
+#### Run it with `command_prompt`!
+```
+taskkill.exe /f /im #{process_name}
+```
+
diff --git a/atomics/index.md b/atomics/index.md
index 63d81599..5d204a81 100644
--- a/atomics/index.md
+++ b/atomics/index.md
@@ -779,7 +779,10 @@
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1496 Resource Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1494 Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1489 Service Stop [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1489 Service Stop](./T1489/T1489.md)
+ - Atomic Test #1: Windows - Stop service using Service Controller [windows]
+ - Atomic Test #2: Windows - Stop service using net.exe [windows]
+ - Atomic Test #3: Windows - Stop service by killing process [windows]
- T1492 Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1493 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
diff --git a/atomics/index.yaml b/atomics/index.yaml
index 3c9760ef..d1b96cc0 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
@@ -20839,6 +20839,121 @@ impact:
- root
- SYSTEM
atomic_tests: []
+ T1489:
+ technique:
+ external_references:
+ - external_id: T1489
+ source_name: mitre-attack
+ url: https://attack.mitre.org/techniques/T1489
+ - url: https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
+ source_name: Talos Olympic Destroyer 2018
+ description: Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer
+ Takes Aim At Winter Olympics. Retrieved March 14, 2019.
+ - url: https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf
+ source_name: Novetta Blockbuster
+ description: 'Novetta Threat Research Group. (2016, February 24). Operation
+ Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February
+ 25, 2016.'
+ - url: https://www.secureworks.com/research/wcry-ransomware-analysis
+ source_name: SecureWorks WannaCry Analysis
+ description: Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware
+ Analysis. Retrieved March 26, 2019.
+ object_marking_refs:
+ - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+ x_mitre_data_sources:
+ - Process command-line parameters
+ - Process monitoring
+ - Windows Registry
+ - API monitoring
+ modified: '2019-04-29T13:55:03.017Z'
+ x_mitre_detection: |-
+ Monitor processes and command-line arguments to see if critical processes are terminated or stop running.
+
+ Monitor Registry edits for modifications to services and startup programs that correspond to services of high importance. Look for changes to service Registry entries that do not correlate with known software, patch cycles, etc. Service information is stored in the Registry at HKLM\SYSTEM\CurrentControlSet\Services.
+
+ Alterations to the service binary path or the service startup type changed to disabled may be suspicious.
+
+ Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. For example, ChangeServiceConfigW may be used by an adversary to prevent services from starting.(Citation: Talos Olympic Destroyer 2018)
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+ x_mitre_platforms:
+ - Windows
+ kill_chain_phases:
+ - phase_name: impact
+ kill_chain_name: mitre-attack
+ x_mitre_impact_type:
+ - Availability
+ id: attack-pattern--20fb2507-d71c-455d-9b6d-6104461cf26b
+ name: Service Stop
+ created: '2019-03-29T19:00:55.901Z'
+ x_mitre_version: '1.0'
+ type: attack-pattern
+ description: "Adversaries may stop or disable services on a system to render
+ those services unavailable to legitimate users. Stopping critical services
+ can inhibit or stop response to an incident or aid in the adversary's overall
+ objectives to cause damage to the environment.(Citation: Talos Olympic Destroyer
+ 2018)(Citation: Novetta Blockbuster) \n\nAdversaries may accomplish this by
+ disabling individual services of high importance to an organization, such
+ as MSExchangeIS, which will make Exchange content inaccessible
+ (Citation: Novetta Blockbuster). In some cases, adversaries may stop or disable
+ many or all services to render systems unusable.(Citation: Talos Olympic Destroyer
+ 2018) Services may not allow for modification of their data stores while running.
+ Adversaries may stop services in order to conduct [Data Destruction](https://attack.mitre.org/techniques/T1485)
+ or [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486)
+ on the data stores of services like Exchange and SQL Server.(Citation: SecureWorks
+ WannaCry Analysis)"
+ x_mitre_permissions_required:
+ - Administrator
+ - SYSTEM
+ - User
+ identifier: T1489
+ atomic_tests:
+ - name: Windows - Stop service using Service Controller
+ description: 'Stops a specified service using the sc.exe command.
+
+'
+ supported_platforms:
+ - windows
+ input_arguments:
+ service_name:
+ description: Name of a service to stop
+ type: String
+ default: spooler
+ executor:
+ name: command_prompt
+ command: 'sc.exe stop #{service_name}
+
+'
+ - name: Windows - Stop service using net.exe
+ description: 'Stops a specified service using the net.exe command.
+
+'
+ supported_platforms:
+ - windows
+ input_arguments:
+ service_name:
+ description: Name of a service to stop
+ type: String
+ default: spooler
+ executor:
+ name: command_prompt
+ command: 'net.exe stop #{service_name}
+
+'
+ - name: Windows - Stop service by killing process
+ description: "Stops a specified service killng the service's process. \nThis
+ technique was used by WannaCry.\n"
+ supported_platforms:
+ - windows
+ input_arguments:
+ process_name:
+ description: Name of a process to kill
+ type: String
+ default: sqlwriter.exe
+ executor:
+ name: command_prompt
+ command: 'taskkill.exe /f /im #{process_name}
+
+'
initial-access:
'':
technique:
diff --git a/atomics/windows-index.md b/atomics/windows-index.md
index 3cf550a2..b7ecd1d8 100644
--- a/atomics/windows-index.md
+++ b/atomics/windows-index.md
@@ -553,7 +553,10 @@
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1496 Resource Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1494 Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1489 Service Stop [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1489 Service Stop](./T1489/T1489.md)
+ - Atomic Test #1: Windows - Stop service using Service Controller [windows]
+ - Atomic Test #2: Windows - Stop service using net.exe [windows]
+ - Atomic Test #3: Windows - Stop service by killing process [windows]
- T1492 Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1493 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)