From 8a3f07430f4922e20acedc2b43bbdcfeac494526 Mon Sep 17 00:00:00 2001
From: MalGamy12
Date: Sun, 6 Oct 2024 23:34:21 +0300
Subject: [PATCH] Merge PR #5033 from @MalGamy12 - Update `Process Terminated Via Taskkill`

update: Process Terminated Via Taskkill - Add `/pid` flag and windash support
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
---
 .../proc_creation_win_taskkill_execution.yml | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_taskkill_execution.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_taskkill_execution.yml
index 3d743b7be..5fa64441f 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_taskkill_execution.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_taskkill_execution.yml
@@ -6,9 +6,10 @@ description: |
     Attackers might leverage this in order to conduct data destruction or data encrypted for impact on the data stores of services like Exchange and SQL Server.
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1489/T1489.md#atomic-test-3---windows---stop-service-by-killing-process
-author: frack113
+    - https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/
+author: frack113, MalGamy (Nextron Systems), Nasreddine Bencherchali
 date: 2021-12-26
-modified: 2023-11-06
+modified: 2024-10-06
 tags:
     - attack.impact
     - attack.t1489
@@ -20,10 +21,13 @@ detection:
     selection_img:
         - Image|endswith: '\taskkill.exe'
         - OriginalFileName: 'taskkill.exe'
-    selection_cli:
-        CommandLine|contains|all:
-            - ' /f'
+    selection_cli_force:
+        - CommandLine|contains|windash: ' /f '
+        - CommandLine|endswith|windash: ' /f'
+    selection_cli_filter_process:
+        CommandLine|contains|windash:
             - ' /im '
+            - ' /pid '
     filter_main_installers:
         ParentImage|contains:
             - '\AppData\Local\Temp\'
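Review bot: The rule's `condition` line is outside the second hunk, so it cannot be confirmed here that it was updated to reference the new `selection_cli_force` and `selection_cli_filter_process` names; if it still names the removed `selection_cli`, the condition would point at a selection that no longer exists and the rule would presumably fail validation. The reason the force flag is now split into a `contains` variant with a trailing space and an `endswith` variant is not obvious to a later reader, and the old `contains|all` form gave no hint either. A comment above `selection_cli_force` such as `# '/f' (or '-f' via windash) may be the last token of the command line, hence the separate endswith case` would document the split. The enclosing `detection` block continues outside the hunk.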