8a3f07430f
update: Process Terminated Via Taskkill - Add `/pid` flag and windash support --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
40 lines
1.7 KiB
YAML
title: Process Terminated Via Taskkill
id: 86085955-ea48-42a2-9dd3-85d4c36b167d
status: test
description: |
    Detects execution of "taskkill.exe" in order to stop a service or a process. Look for suspicious parents executing this command in order to hunt for potential malicious activity.
    Attackers might leverage this in order to conduct data destruction or data encrypted for impact on the data stores of services like Exchange and SQL Server.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1489/T1489.md#atomic-test-3---windows---stop-service-by-killing-process
    - https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/
author: frack113, MalGamy (Nextron Systems), Nasreddine Bencherchali
date: 2021-12-26
modified: 2024-10-06
tags:
    - attack.impact
    - attack.t1489
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\taskkill.exe'
        - OriginalFileName: 'taskkill.exe'
    selection_cli_force:
        - CommandLine|contains|windash: ' /f '
        - CommandLine|endswith|windash: ' /f'
    selection_cli_filter_process:
        CommandLine|contains|windash:
            - ' /im '
            - ' /pid '
    filter_main_installers:
        ParentImage|contains:
            - '\AppData\Local\Temp\'
            - ':\Windows\Temp'
        ParentImage|endswith: '.tmp'
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Expected FP with some processes using this technique to terminate one of their processes during installations and updates
level: low
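To see what the rule above actually matches once the `windash` modifier, the `/pid` alternative and the installer filter are combined, here is an added example that re-implements its condition in plain Python and runs it over a few constructed process-creation events. This is illustration code written for this page, not the Sigma project's own matcher: the event field names follow the rule, the `windash` handling is an assumed implementation that permutes `/` and the ASCII hyphen only, and every event below is constructed rather than real telemetry.

```python
"""
Stand-alone re-implementation of the Sigma rule "Process Terminated Via Taskkill"
so its logic can be exercised offline (added example; not pySigma code).
"""
import itertools

# Assumed windash implementation: generate every '/' <-> '-' permutation of a
# pattern, since Windows tools accept both "taskkill /f" and "taskkill -f".
def windash_variants(pattern: str) -> set:
    positions = [i for i, ch in enumerate(pattern) if ch in "/-"]
    variants = set()
    for combo in itertools.product("/-", repeat=len(positions)):
        chars = list(pattern)
        for pos, ch in zip(positions, combo):
            chars[pos] = ch
        variants.add("".join(chars))
    return variants

def _ci(value: str) -> str:
    # Sigma string comparisons are case-insensitive.
    return value.lower()

def selection_img(ev: dict) -> bool:
    return (_ci(ev.get("Image", "")).endswith("\\taskkill.exe")
            or _ci(ev.get("OriginalFileName", "")) == "taskkill.exe")

def selection_cli_force(ev: dict) -> bool:
    # ' /f ' anywhere, or ' /f' at the very end of the command line (both windash).
    cl = _ci(ev.get("CommandLine", ""))
    return (any(v in cl for v in windash_variants(" /f "))
            or any(cl.endswith(v) for v in windash_variants(" /f")))

def selection_cli_filter_process(ev: dict) -> bool:
    # Either a process-name (/im) or a process-id (/pid) target, both windash.
    cl = _ci(ev.get("CommandLine", ""))
    targets = windash_variants(" /im ") | windash_variants(" /pid ")
    return any(v in cl for v in targets)

def filter_main_installers(ev: dict) -> bool:
    # Two keys in one map are ANDed: parent lives in a temp dir AND ends with .tmp.
    parent = _ci(ev.get("ParentImage", ""))
    in_temp = "\\appdata\\local\\temp\\" in parent or ":\\windows\\temp" in parent
    return in_temp and parent.endswith(".tmp")

def rule_matches(ev: dict) -> bool:
    # condition: all of selection_* and not 1 of filter_main_*
    return (selection_img(ev)
            and selection_cli_force(ev)
            and selection_cli_filter_process(ev)
            and not filter_main_installers(ev))

# Constructed sample events (not real logs) covering the interesting paths.
SAMPLE_EVENTS = [
    # 1: forced kill by image name from an unexpected parent -> match
    {"Image": "C:\\Windows\\System32\\taskkill.exe", "OriginalFileName": "taskkill.exe",
     "CommandLine": "taskkill /F /IM sqlservr.exe",
     "ParentImage": "C:\\Users\\Public\\update.exe"},
    # 2: dash-style flags and a PID target -> match only thanks to windash and /pid
    {"Image": "C:\\Windows\\System32\\taskkill.exe", "OriginalFileName": "taskkill.exe",
     "CommandLine": "taskkill -pid 4412 -f",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    # 3: same command launched by an installer's .tmp helper in %TEMP% -> filtered out
    {"Image": "C:\\Windows\\System32\\taskkill.exe", "OriginalFileName": "taskkill.exe",
     "CommandLine": "taskkill /f /im app.exe",
     "ParentImage": "C:\\Users\\a\\AppData\\Local\\Temp\\is-ABC12.tmp\\setup.tmp"},
    # 4: no /f flag -> selection_cli_force fails, no match
    {"Image": "C:\\Windows\\System32\\taskkill.exe", "OriginalFileName": "taskkill.exe",
     "CommandLine": "taskkill /im notepad.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
]

def evaluate(events: list) -> list:
    """Return one True/False verdict per event, in order."""
    return [rule_matches(ev) for ev in events]

if __name__ == "__main__":
    for i, verdict in enumerate(evaluate(SAMPLE_EVENTS), start=1):
        print(f"event {i}: {'ALERT' if verdict else 'no match'}")
```

Events 1 and 2 fire, event 3 is suppressed by `filter_main_installers`, and event 4 never satisfies `selection_cli_force`; the second event is the one that only matches because of the `windash` and `/pid` additions this commit introduces.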