From 875dee72f44f3b46e31ed3d325e88c2d8b370325 Mon Sep 17 00:00:00 2001 From: Milad Cheraghi <82805580+CheraghiMilad@users.noreply.github.com> Date: Wed, 29 Oct 2025 01:04:26 +0330 Subject: [PATCH] Merge PR #5634 from @CheraghiMilad - Add `Kaspersky Endpoint Security Stopped Via CommandLine - Linux` new: Kaspersky Endpoint Security Stopped Via CommandLine - Linux --------- Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- ..._creation_lnx_av_kaspersky_av_disabled.yml | 31 +++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 rules/linux/process_creation/proc_creation_lnx_av_kaspersky_av_disabled.yml diff --git a/rules/linux/process_creation/proc_creation_lnx_av_kaspersky_av_disabled.yml b/rules/linux/process_creation/proc_creation_lnx_av_kaspersky_av_disabled.yml new file mode 100644 index 000000000..1d026e9a2 --- /dev/null +++ b/rules/linux/process_creation/proc_creation_lnx_av_kaspersky_av_disabled.yml 
@@ -0,0 +1,31 @@ +title: Kaspersky Endpoint Security Stopped Via CommandLine - Linux +id: 36388120-b3f1-4ce9-b50b-280d9a7f4c04 +status: experimental +description: | + Detects execution of the Kaspersky init.d stop script on Linux systems either directly or via systemctl. + This activity may indicate a manual interruption of the antivirus service by an administrator, or it could be a sign of potential tampering or evasion attempts by malicious actors. +references: + - https://support.kaspersky.com/KES4Linux/12.0.0/en-US/197929.htm +author: Milad Cheraghi +date: 2025-10-18 +tags: + - attack.execution + - attack.defense-evasion + - attack.t1562.001 +logsource: + product: linux + category: process_creation +detection: + selection: + Image|endswith: + # Note: Add the list of shells allowed in your environment that can be used to run init.d scripts. + - '/systemctl' + - '/bash' + - '/sh' + CommandLine|contains|all: + - 'stop' + - 'kesl' + condition: selection +falsepositives: + - System administrator manually stopping Kaspersky services +level: high
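Review bot: the `CommandLine|contains|all` selection of `'stop'` and `'kesl'` is loose enough to fire on any shell or systemctl command line that merely contains both substrings (a `kesl-control` invocation that stops a scan task, a one-liner that echoes or greps for "kesl stop", or an unrelated script path containing "kesl"), which undercuts `level: high`. Consider anchoring on the service invocation the description actually names, e.g. replacing the two substrings with something like `CommandLine|contains: - 'kesl stop' - 'stop kesl' - 'init.d/kesl'`, or adding a `filter` for `kesl-control` and `condition: selection and not filter`. It would also help the description to state that the `Image` match relies on the process_creation source reporting the interpreter (`/bin/sh`, `/bin/bash`) as the image when an init.d script is run directly, since that is the only reason `/sh` and `/bash` are listed alongside `/systemctl`.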