From c62672e0c350e2e548cb315a9d8e8160028f67a0 Mon Sep 17 00:00:00 2001 From: "@" <@> Date: Sun, 27 Sep 2020 12:11:07 -0500 Subject: [PATCH] Added T1489 --- Tactics/Impact.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/Tactics/Impact.md b/Tactics/Impact.md index 0fb30dc..c71f793 100644 --- a/Tactics/Impact.md +++ b/Tactics/Impact.md @@ -27,6 +27,13 @@ Detects the use of vssadmin, wbadmin, bcdedit and powershell deletion of shadowc TgtProcCmdLine In Contains Anycase ("delete shadows","shadowcopy delete","delete catalog","recoveryenabled no") OR (TgtProcCmdLine ContainsCIS "Win32_ShadowCopy" AND TgtProcCmdLine ContainsCIS "Delete()") OR (SrcProcCmdScript ContainsCIS "Win32_ShadowCopy" AND SrcProcCmdScript ContainsCIS "Delete()") ``` -### T1489 Service Stop +### T1489 Service Disable Atomics: [T1489](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md) +Stopping services is too common, so we're instead detecting the disabling of services through sc.exe, wmic, and powershell Set-Service cmdlet. + +*Atomic tests don't align with detection query* + +``` +(TgtProcName = "WMIC.exe" AND TgtProcCmdLine ContainsCIS "call ChangeStartmode Disabled") OR (TgtProcName = "sc.exe" AND TgtProcCmdLine ContainsCIS "disabled") OR (TgtProcCmdLine ContainsCIS "Set-Service" AND TgtProcCmdLine ContainsCIS "-StartupType Disabled") +``` \ No newline at end of file
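Review bot: the `sc.exe` clause in the new query, `TgtProcName = "sc.exe" AND TgtProcCmdLine ContainsCIS "disabled"`, matches any sc.exe invocation whose command line contains the substring "disabled" (for example a `sc description` or `sc failure` call with that word in its text), not only a startup-type change; consider narrowing it to the `start= disabled` argument (keeping the space sc.exe requires after `start=`) so the clause tracks the "disabling of services" the description claims. The heading rename from `### T1489 Service Stop` to `### T1489 Service Disable` also drifts from the ATT&CK technique name that the Atomics link and the rest of the file use; the description line already explains that disabling rather than stopping is being detected, so the heading can keep the technique's official name. Finally, the note "*Atomic tests don't align with detection query*" would be more useful if it said which of the T1489 atomics (stop versus disable) the query does and does not cover, so a reader running the atomics knows which ones are expected to fire.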