diff --git a/Ransomware/Stopping processes using net stop.md b/Ransomware/Stopping processes using net stop.md new file mode 100644 index 0000000..fae5d3d --- /dev/null +++ b/Ransomware/Stopping processes using net stop.md @@ -0,0 +1,38 @@ +# Stopping processes using net stop + +This query checks for attempts to stop at least 10 separate processes using the net stop command. Run query + +## Query +``` +// Find attempts to stop processes using net stop +DeviceProcessEvents +| where Timestamp > ago(1d) +| where FileName =~ "net.exe" and ProcessCommandLine has "stop" +| summarize netStopCount = dcount(ProcessCommandLine), NetStopList = make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 2m) +| where netStopCount > 10 +``` +## Category +This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states. +| Technique, tactic, or state | Covered? (v=yes) | Notes | +|------------------------|----------|-------| +| Initial access | | | +| Execution | | | +| Persistence | | | +| Privilege escalation | | | +| Defense evasion | | | +| Credential Access | | | +| Discovery | | | +| Lateral movement | | | +| Collection | | | +| Command and control | | | +| Exfiltration | | | +| Impact | | | +| Vulnerability | | | +| Exploit | | | +| Misconfiguration | | | +| Malware, component | | | +| Ransomware |V | | + + +## Contributor info +**Contributor:** Microsoft 365 Defender
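Review bot: the threshold in the final line of the query does not match the description above it: `| where netStopCount > 10` only fires at 11 or more distinct command lines in a 2-minute bin, while the text says "at least 10 separate processes". Either change the filter to `| where netStopCount >= 10` or reword the description to "more than 10". Related accuracy point: `net stop` stops services, not processes, and `dcount(ProcessCommandLine)` counts distinct command lines rather than distinct targets, so the title, description and `NetStopList` column would be clearer if they spoke of services and command lines. Minor: the dangling "Run query" at the end of the first paragraph reads like a leftover link label, and the `## Category` heading directly follows the closing code fence with no blank line, which some Markdown renderers mishandle.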