Atomic Red Team doc generator
167 lines
6.7 KiB
YAML
167 lines
6.7 KiB
YAML
attack_technique: T1489
|
|
display_name: Service Stop
|
|
atomic_tests:
|
|
- name: Windows - Stop service using Service Controller
|
|
auto_generated_guid: 21dfb440-830d-4c86-a3e5-2a491d5a8d04
|
|
description: |
|
|
Stops a specified service using the sc.exe command. Upon execution, if the spooler service was running infomration will be displayed saying
|
|
it has changed to a state of STOP_PENDING. If the spooler service was not running "The service has not been started." will be displayed and it can be
|
|
started by running the cleanup command.
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
service_name:
|
|
description: Name of a service to stop
|
|
type: string
|
|
default: spooler
|
|
executor:
|
|
command: |
|
|
sc.exe stop #{service_name}
|
|
cleanup_command: |
|
|
sc.exe start #{service_name} >nul 2>&1
|
|
name: command_prompt
|
|
elevation_required: true
|
|
- name: Windows - Stop service using net.exe
|
|
auto_generated_guid: 41274289-ec9c-4213-bea4-e43c4aa57954
|
|
description: |
|
|
Stops a specified service using the net.exe command. Upon execution, if the service was running "The Print Spooler service was stopped successfully."
|
|
will be displayed. If the service was not running, "The Print Spooler service is not started." will be displayed and it can be
|
|
started by running the cleanup command.
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
service_name:
|
|
description: Name of a service to stop
|
|
type: string
|
|
default: spooler
|
|
executor:
|
|
command: |
|
|
net.exe stop #{service_name}
|
|
cleanup_command: |
|
|
net.exe start #{service_name} >nul 2>&1
|
|
name: command_prompt
|
|
elevation_required: true
|
|
- name: Windows - Stop service by killing process
|
|
auto_generated_guid: f3191b84-c38b-400b-867e-3a217a27795f
|
|
description: |
|
|
Stops a specified service killng the service's process.
|
|
This technique was used by WannaCry. Upon execution, if the spoolsv service was running "SUCCESS: The process "spoolsv.exe" with PID 2316 has been terminated."
|
|
will be displayed. If the service was not running "ERROR: The process "spoolsv.exe" not found." will be displayed and it can be
|
|
started by running the cleanup command.
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
process_name:
|
|
description: Name of a process to kill
|
|
type: string
|
|
default: spoolsv.exe
|
|
executor:
|
|
command: |
|
|
taskkill.exe /f /im #{process_name}
|
|
name: command_prompt
|
|
- name: Linux - Stop service using systemctl
|
|
auto_generated_guid: 42e3a5bd-1e45-427f-aa08-2a65fa29a820
|
|
description: |
|
|
Stops a specified service using the systemctl command.
|
|
Upon execution, if the specified service was running, it will change to a state of inactive and it can be restarted by running the cleanup command.
|
|
You can list all available services with following command: "systemctl list-units --type=service"
|
|
supported_platforms:
|
|
- linux
|
|
input_arguments:
|
|
service_name:
|
|
description: Name of a service to stop
|
|
type: string
|
|
default: cron
|
|
executor:
|
|
command: |
|
|
sudo systemctl stop #{service_name}
|
|
cleanup_command: |
|
|
sudo systemctl start #{service_name} 2> /dev/null
|
|
name: sh
|
|
elevation_required: true
|
|
- name: Linux - Stop service by killing process using killall
|
|
auto_generated_guid: e5d95be6-02ee-4ff1-aebe-cf86013b6189
|
|
description: |
|
|
Stops a specified service by sending a SIGTERM signal to the linked process using the killall command.
|
|
Upon execution, if the service's main process was running, it will be terminated.
|
|
If the service was not running, no process will be found to kill and it can be restarted by running the cleanup command.
|
|
You can list all available services with following command: "systemctl list-units --type=service"
|
|
supported_platforms:
|
|
- linux
|
|
input_arguments:
|
|
process_name:
|
|
description: Name of a process to stop
|
|
type: string
|
|
default: cron
|
|
service_name:
|
|
description: Name of a service to restart
|
|
type: string
|
|
default: cron
|
|
executor:
|
|
command: |
|
|
sudo killall -SIGTERM #{process_name}
|
|
cleanup_command: |
|
|
sudo systemctl start #{service_name} 2> /dev/null
|
|
name: sh
|
|
elevation_required: true
|
|
- name: Linux - Stop service by killing process using kill
|
|
auto_generated_guid: 332f4c76-7e96-41a6-8cc2-7361c49db8be
|
|
description: |
|
|
Stops a specified service by sending a SIGTERM signal to the linked process using the kill command. Upon execution, if the service's main process was running, it will be terminated.
|
|
If the service was not running, no process will be found to kill and it can be restarted by running the cleanup command.
|
|
You can list all available services with following command: "systemctl list-units --type=service"
|
|
supported_platforms:
|
|
- linux
|
|
input_arguments:
|
|
process_name:
|
|
description: Name of a process to kill
|
|
type: string
|
|
default: cron
|
|
service_name:
|
|
description: Name of a service to restart
|
|
type: string
|
|
default: cron
|
|
executor:
|
|
command: |
|
|
sudo kill -SIGTERM $(pgrep #{process_name})
|
|
cleanup_command: |
|
|
sudo systemctl start #{service_name} 2> /dev/null
|
|
name: sh
|
|
elevation_required: true
|
|
- name: Linux - Stop service by killing process using pkill
|
|
auto_generated_guid: 08b4718f-a8bf-4bb5-a552-294fc5178fea
|
|
description: |
|
|
Stops a specified service by sending a SIGTERM signal to the linked process using pkill. This method is effective when multiple instances of the process may be running.
|
|
Upon execution, if any instances of the process were running, they will be terminated. If no instances were running, pkill will not find any processes to kill.
|
|
Stopped service can be restarted by running the cleanup command.
|
|
You can list all available services with following command: "systemctl list-units --type=service"
|
|
supported_platforms:
|
|
- linux
|
|
input_arguments:
|
|
process_pattern:
|
|
description: Pattern to match the name of the process to kill
|
|
type: string
|
|
default: ^cron$
|
|
service_name:
|
|
description: Name of a service to restart
|
|
type: string
|
|
default: cron
|
|
executor:
|
|
command: |
|
|
sudo pkill -SIGTERM #{process_pattern}
|
|
cleanup_command: |
|
|
sudo systemctl start #{service_name} 2> /dev/null
|
|
name: sh
|
|
elevation_required: true
|
|
- name: Abuse of linux magic system request key for Send a SIGTERM to all processes
|
|
auto_generated_guid: 6e76f56f-2373-4a6c-a63f-98b7b72761f1
|
|
description: |
|
|
Adversaries with root or sufficient privileges Send a SIGTERM to all processes, except for init. By writing 'e' to /proc/sysrq-trigger, they can forced kill all processes, except for init.
|
|
supported_platforms:
|
|
- linux
|
|
executor:
|
|
command: |
|
|
echo "e" > /proc/sysrq-trigger
|
|
name: bash
|
|
elevation_required: true
|