attack_technique: T1489
display_name: Service Stop
atomic_tests:
- name: Windows - Stop service using Service Controller
  auto_generated_guid: 21dfb440-830d-4c86-a3e5-2a491d5a8d04
  description: |
    Stops a specified service using the sc.exe command. Upon execution, if the spooler service was running, information will be displayed saying it has changed to a state of STOP_PENDING.
    If the spooler service was not running, "The service has not been started." will be displayed and it can be started by running the cleanup command.
  supported_platforms:
  - windows
  input_arguments:
    service_name:
      description: Name of a service to stop
      type: string
      default: spooler
  executor:
    command: |
      sc.exe stop #{service_name}
    cleanup_command: |
      sc.exe start #{service_name} >nul 2>&1
    name: command_prompt
    elevation_required: true
- name: Windows - Stop service using net.exe
  auto_generated_guid: 41274289-ec9c-4213-bea4-e43c4aa57954
  description: |
    Stops a specified service using the net.exe command. Upon execution, if the service was running, "The Print Spooler service was stopped successfully." will be displayed.
    If the service was not running, "The Print Spooler service is not started." will be displayed and it can be started by running the cleanup command.
  supported_platforms:
  - windows
  input_arguments:
    service_name:
      description: Name of a service to stop
      type: string
      default: spooler
  executor:
    command: |
      net.exe stop #{service_name}
    cleanup_command: |
      net.exe start #{service_name} >nul 2>&1
    name: command_prompt
    elevation_required: true
- name: Windows - Stop service by killing process
  auto_generated_guid: f3191b84-c38b-400b-867e-3a217a27795f
  description: |
    Stops a specified service by killing the service's process. This technique was used by WannaCry. Upon execution, if the spooler service (process spoolsv.exe) was running, "SUCCESS: The process "spoolsv.exe" with PID 2316 has been terminated." will be displayed (the PID will differ per host).
    If the service was not running, "ERROR: The process "spoolsv.exe" not found." will be displayed. Terminating a service process that runs as SYSTEM requires an elevated prompt.
    This test defines no cleanup command; the service can be started again with the cleanup command of the Service Controller test above (sc.exe start spooler).
  supported_platforms:
  - windows
  input_arguments:
    process_name:
      description: Name of a process to kill
      type: string
      default: spoolsv.exe
  executor:
    command: |
      taskkill.exe /f /im #{process_name}
    name: command_prompt
- name: Linux - Stop service using systemctl
  auto_generated_guid: 42e3a5bd-1e45-427f-aa08-2a65fa29a820
  description: |
    Stops a specified service using the systemctl command. Upon execution, if the specified service was running, it will change to a state of inactive and it can be restarted by running the cleanup command.
    You can list all available services with the following command: "systemctl list-units --type=service"
  supported_platforms:
  - linux
  input_arguments:
    service_name:
      description: Name of a service to stop
      type: string
      default: cron
  executor:
    command: |
      sudo systemctl stop #{service_name}
    cleanup_command: |
      sudo systemctl start #{service_name} 2> /dev/null
    name: sh
    elevation_required: true
- name: Linux - Stop service by killing process using killall
  auto_generated_guid: e5d95be6-02ee-4ff1-aebe-cf86013b6189
  description: |
    Stops a specified service by sending a SIGTERM signal to the linked process using the killall command. Upon execution, if the service's main process was running, it will be terminated. If the service was not running, no process will be found to kill. The service can be restarted by running the cleanup command.
    killall matches the process name exactly (unless -r is given), so "cron" will not match look-alikes such as "crond" or "cron-apt". If the unit is configured with Restart=always, systemd will start the process again shortly after it is killed.
    You can list all available services with the following command: "systemctl list-units --type=service"
  supported_platforms:
  - linux
  input_arguments:
    process_name:
      description: Name of a process to stop
      type: string
      default: cron
    service_name:
      description: Name of a service to restart
      type: string
      default: cron
  executor:
    command: |
      sudo killall -SIGTERM #{process_name}
    cleanup_command: |
      sudo systemctl start #{service_name} 2> /dev/null
    name: sh
    elevation_required: true
- name: Linux - Stop service by killing process using kill
  auto_generated_guid: 332f4c76-7e96-41a6-8cc2-7361c49db8be
  description: |
    Stops a specified service by sending a SIGTERM signal to the linked process using the kill command. Upon execution, if the service's main process was running, it will be terminated. If the service was not running, pgrep will return nothing and kill will report a usage error. The service can be restarted by running the cleanup command.
    pgrep treats the process name as an unanchored extended regular expression, so "cron" also matches processes such as "crond" or "cron-apt"; anchor the pattern (for example "^cron$") to hit only the intended process.
    You can list all available services with the following command: "systemctl list-units --type=service"
  supported_platforms:
  - linux
  input_arguments:
    process_name:
      description: Name of a process to kill
      type: string
      default: cron
    service_name:
      description: Name of a service to restart
      type: string
      default: cron
  executor:
    command: |
      sudo kill -SIGTERM $(pgrep #{process_name})
    cleanup_command: |
      sudo systemctl start #{service_name} 2> /dev/null
    name: sh
    elevation_required: true
- name: Linux - Stop service by killing process using pkill
  auto_generated_guid: 08b4718f-a8bf-4bb5-a552-294fc5178fea
  description: |
    Stops a specified service by sending a SIGTERM signal to the linked process using pkill. This method is effective when multiple instances of the process may be running. Upon execution, if any instances of the process were running, they will be terminated. If no instances were running, pkill will not find any processes to kill. The stopped service can be restarted by running the cleanup command.
    You can list all available services with the following command: "systemctl list-units --type=service"
  supported_platforms:
  - linux
  input_arguments:
    process_pattern:
      description: Pattern to match the name of the process to kill
      type: string
      default: ^cron$
    service_name:
      description: Name of a service to restart
      type: string
      default: cron
  executor:
    command: |
      sudo pkill -SIGTERM #{process_pattern}
    cleanup_command: |
      sudo systemctl start #{service_name} 2> /dev/null
    name: sh
    elevation_required: true
- name: Abuse of linux magic system request key for Send a SIGTERM to all processes
  auto_generated_guid: 6e76f56f-2373-4a6c-a63f-98b7b72761f1
  description: |
    Adversaries with root or sufficient privileges send a SIGTERM to all processes except init by writing 'e' to /proc/sysrq-trigger. This terminates every user-space process on the host that does not ignore SIGTERM, including the shell that issued the write, so run it only on a disposable test machine.
    Writes to /proc/sysrq-trigger are not restricted by the kernel.sysrq sysctl, which only governs keyboard-invoked SysRq; the file is always honoured for a privileged writer.
  supported_platforms:
  - linux
  executor:
    command: |
      echo "e" > /proc/sysrq-trigger
    name: bash
    elevation_required: true
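The three Linux "kill the process" tests above name the same service but resolve their target differently: pgrep/pkill search an unanchored extended regular expression in the process name, killall (without -r) requires an exact name, and systemd itself knows the unit's main PID. The following is an added example, not part of the Atomic Red Team definitions, that reproduces those three matching rules side by side so the collateral-damage risk of an unanchored pattern is visible. The process table SAMPLE_TABLE is constructed for the demonstration; read_proc_table() and systemd_main_pid() are only meaningful on a real Linux host.

```python
"""Resolving the target of a 'kill the service's process' step (added example).

Not part of the Atomic Red Team test definitions. SAMPLE_TABLE is a constructed
process table, chosen to contain names that look like 'cron'; on a real Linux
host read_proc_table() walks /proc instead.
"""
import os
import re
import subprocess
from typing import List, Optional, Tuple

ProcTable = List[Tuple[int, str]]   # (pid, comm)

# Constructed process table (not from a real host). The look-alike names are
# the point: an unanchored pattern hits more than the service being stopped.
SAMPLE_TABLE: ProcTable = [
    (1, "systemd"),
    (612, "cron"),
    (613, "crond"),
    (877, "cron-apt"),
    (1020, "sshd"),
    (1344, "crontab"),
]


def read_proc_table() -> ProcTable:
    """Read (pid, comm) for every process from /proc (Linux only).

    /proc/<pid>/comm is what pgrep/pkill and killall compare against; the
    kernel truncates it to 15 characters, so long names must be matched on
    their prefix or via the full command line (pgrep -f).
    """
    table: ProcTable = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/comm") as fh:
                table.append((int(entry), fh.read().rstrip("\n")))
        except OSError:
            continue  # process exited between listdir() and open()
    return table


def pgrep_like(table: ProcTable, pattern: str) -> List[int]:
    """pgrep/pkill semantics: an ERE searched anywhere in comm, unanchored.

    'cron' therefore matches crond, cron-apt and crontab as well; '^cron$'
    matches only the cron daemon itself.
    """
    rx = re.compile(pattern)
    return [pid for pid, comm in table if rx.search(comm)]


def killall_like(table: ProcTable, name: str) -> List[int]:
    """killall semantics (without -r): the comm must equal the name exactly."""
    return [pid for pid, comm in table if comm == name]


def systemd_main_pid(unit: str) -> Optional[int]:
    """Ask systemd for the unit's MainPID, the most precise target of all.

    Returns None when systemctl is unavailable (non-systemd host, container)
    or the unit is not running (MainPID is reported as 0).
    """
    try:
        proc = subprocess.run(
            ["systemctl", "show", "-p", "MainPID", "--value", unit],
            capture_output=True, text=True, check=False,
        )
    except FileNotFoundError:
        return None
    out = proc.stdout.strip()
    return int(out) if out.isdigit() and int(out) > 0 else None


if __name__ == "__main__":
    print("pgrep cron      ->", pgrep_like(SAMPLE_TABLE, "cron"))
    print("pgrep ^cron$    ->", pgrep_like(SAMPLE_TABLE, "^cron$"))
    print("killall cron    ->", killall_like(SAMPLE_TABLE, "cron"))
    print("systemd MainPID ->", systemd_main_pid("cron"))
```

Running the kill test with the default process_name of cron against a host that also runs crond or cron-apt would signal all of them; the pkill test avoids this only because its default pattern is anchored. When the goal is to stop exactly one unit's process, the MainPID reported by systemd is the value to signal.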
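Every test in this file leaves a process-creation record: sc.exe or net.exe with a stop verb, taskkill with /im, systemctl stop, kill/pkill/killall, or a shell redirecting a SysRq key into /proc/sysrq-trigger. The following detection triage is an added example, not part of the Atomic Red Team definitions: it classifies command lines for those patterns, extracts the targeted service or image, and raises severity when the target is on a watchlist or when the SysRq path is used (which stops every process, not one service). The event records, host names and the HIGH_VALUE_SERVICES watchlist are constructed for the demonstration, and the (host, command line) layout is an assumption rather than any product's export format.

```python
"""Triage of process command lines for T1489 Service Stop (added example).

Not part of the Atomic Red Team test definitions. SAMPLE_EVENTS are constructed
to resemble the CommandLine field of Sysmon Event ID 1 / Windows 4688 and Linux
auditd or shell-history records; hosts and the watchlist are made up.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Services whose stoppage is treated as high severity. Assumed watchlist for the
# example; tune it to the monitored estate (EDR, logging, databases, VSS).
HIGH_VALUE_SERVICES = {"windefend", "sense", "mssqlserver", "vss", "auditd", "rsyslog"}

# Constructed events: (host, command line as logged). Not real telemetry.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("WIN-FS01", 'sc.exe stop spooler'),
    ("WIN-FS01", 'sc.exe query spooler'),                       # benign: not a stop
    ("WIN-FS01", 'net.exe stop "Print Spooler"'),
    ("WIN-DB02", 'C:\\Windows\\System32\\net1.exe stop MSSQLSERVER'),
    ("WIN-FS01", 'taskkill.exe /f /im spoolsv.exe'),
    ("WIN-WS03", '"C:\\Windows\\System32\\sc.exe" stop WinDefend'),
    ("lnx-web01", 'sudo systemctl stop cron'),
    ("lnx-web01", 'systemctl status cron'),                     # benign
    ("lnx-web01", 'sudo killall -SIGTERM cron'),
    ("lnx-web01", 'sudo kill -SIGTERM $(pgrep cron)'),
    ("lnx-web01", 'sudo pkill -SIGTERM ^cron$'),
    ("lnx-web01", 'sudo systemctl stop auditd'),
    ("lnx-web01", 'echo "e" > /proc/sysrq-trigger'),
]


@dataclass
class Alert:
    event_no: int
    host: str
    tool: str       # sc, net, taskkill, systemctl, kill, pkill, killall, sysrq
    target: str     # service or process named on the command line
    severity: str   # "medium" or "high"


# Windows: sc[.exe] stop <svc>, net[1][.exe] stop <svc | "Display Name">,
# taskkill ... /im <image>. A path and quotes around the binary are tolerated.
_WIN_SC = re.compile(r'\bsc(?:\.exe)?"?\s+stop\s+"?([^"\s]+)', re.I)
_WIN_NET = re.compile(r'\bnet1?(?:\.exe)?"?\s+stop\s+(?:"([^"]+)"|(\S+))', re.I)
_WIN_TASKKILL = re.compile(r'\btaskkill(?:\.exe)?\b.*?/im\s+"?([^"\s]+)', re.I)
# Linux: systemctl stop <unit>; kill/pkill/killall (target is the last argument,
# or the pgrep pattern inside $(...)); echo <key> > /proc/sysrq-trigger.
_LNX_SYSTEMCTL = re.compile(r"\bsystemctl\s+(?:-\S+\s+)*stop\s+(\S+)")
_LNX_KILL_TOOL = re.compile(r"\b(kill|pkill|killall)\b")
_LNX_PGREP_ARG = re.compile(r"\bpgrep\s+(?:-\S+\s+)*([^\s)]+)")
_LNX_KILL_ARG = re.compile(r"\b(?:kill|pkill|killall)\b(?:\s+-\S+)*\s+(\S+)")
_LNX_SYSRQ = re.compile(r"""echo\s+(?:-\w+\s+)*['"]?(\w)['"]?\s*>+\s*/proc/sysrq-trigger""")


def classify(cmd: str) -> Optional[Tuple[str, str]]:
    """Return (tool, target) when cmd stops a service or kills its process."""
    m = _LNX_SYSRQ.search(cmd)
    if m:
        # SysRq 'e' sends SIGTERM and 'i' SIGKILL to all processes except init;
        # other keys (sync, reboot, ...) are not service stops.
        return ("sysrq", "all-processes") if m.group(1).lower() in ("e", "i") else None
    for tool, rx in (("sc", _WIN_SC), ("net", _WIN_NET),
                     ("taskkill", _WIN_TASKKILL), ("systemctl", _LNX_SYSTEMCTL)):
        m = rx.search(cmd)
        if m:
            return (tool, next(g for g in m.groups() if g))
    m = _LNX_KILL_TOOL.search(cmd)
    if m:
        arg = _LNX_PGREP_ARG.search(cmd) or _LNX_KILL_ARG.search(cmd)
        if arg:
            return (m.group(1), arg.group(1))
    return None


def normalize_target(target: str) -> str:
    """Canonical form for the watchlist: strip quotes, pkill-style regex
    anchors and a trailing .exe, then lower-case."""
    t = target.strip('"').lower()
    t = re.sub(r"^\^|\$$", "", t)
    return re.sub(r"\.exe$", "", t)


def severity_for(tool: str, target: str) -> str:
    if tool == "sysrq":
        return "high"  # every process on the host, not a single service
    return "high" if normalize_target(target) in HIGH_VALUE_SERVICES else "medium"


def scan(events: List[Tuple[str, str]]) -> List[Alert]:
    """Run classify() over (host, command line) pairs; one Alert per hit."""
    alerts: List[Alert] = []
    for no, (host, cmd) in enumerate(events, start=1):
        hit = classify(cmd)
        if hit:
            tool, target = hit
            alerts.append(Alert(no, host, tool, target, severity_for(tool, target)))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.severity:6}] event {a.event_no:2} {a.host:10} {a.tool:9} -> {a.target}")
```

On the constructed events the two query/status lines produce no alert, the eleven stop or kill lines each produce one, and four are high severity: the MSSQLSERVER and WinDefend stops, the auditd stop, and the SysRq write. Command-line matching of this kind is a starting point, not a complete detection: service state changes are also visible in the System log (Event ID 7036) and in journald, and an adversary can stop a service through the Service Control Manager API without spawning any of these binaries.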