Merge PR #5634 from @CheraghiMilad - Add Kaspersky Endpoint Security Stopped Via CommandLine - Linux

new: Kaspersky Endpoint Security Stopped Via CommandLine - Linux --------- Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2025-10-29 01:04:26 +03:30
parent 6f9ccb34f8
commit 875dee72f4
1 changed files with 31 additions and 0 deletions
@@ -0,0 +1,31 @@
+title: Kaspersky Endpoint Security Stopped Via CommandLine - Linux
+id: 36388120-b3f1-4ce9-b50b-280d9a7f4c04
+status: experimental
+description: |
+  Detects execution of the Kaspersky init.d stop script on Linux systems either directly or via systemctl.
+  This activity may indicate a manual interruption of the antivirus service by an administrator, or it could be a sign of potential tampering or evasion attempts by malicious actors.
+references:
+    - https://support.kaspersky.com/KES4Linux/12.0.0/en-US/197929.htm
+author: Milad Cheraghi
+date: 2025-10-18
+tags:
+    - attack.execution
+    - attack.defense-evasion
+    - attack.t1562.001
+logsource:
+    product: linux
+    category: process_creation
+detection:
+    selection:
+        Image|endswith:
+            # Note: Add the list of shells allowed in your environment that can be used to run init.d scripts.
+            - '/systemctl'
+            - '/bash'
+            - '/sh'
+        CommandLine|contains|all:
+            - 'stop'
+            - 'kesl'
+    condition: selection
+falsepositives:
+    - System administrator manually stopping Kaspersky services
+level: high