security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
dcf236fedee2d5809fba86bddd7d54b4edaa2b3c
blue-team-tools/rules/windows/process_creation/proc_creation_win_susp_taskkill.yml
T
Nasreddine Bencherchali dcf236fede Quick Updates and Fixes 
- Added "Invoke-EventViewer.ps1" script to the rule "file_event_win_powershell_exploit_scripts"
- Added "OriginalFileName" to "proc_creation_win_susp_taskkill"
- Created rule for "winword" being used as a LOLBIN to download and load arbitrary DLLs
2022-05-18 12:50:59 +01:00

28 lines
881 B
YAML
Raw Blame History

title: Suspicious Execution of Taskkill
id: 86085955-ea48-42a2-9dd3-85d4c36b167d
status: experimental
description: Adversaries may stop services or processes in order to conduct Data Destruction or Data Encrypted for Impact on the data stores of services like Exchange and SQL Server.
author: frack113
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md#atomic-test-3---windows---stop-service-by-killing-process
date: 2021/12/26
modified: 2022/05/17
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: \taskkill.exe
- OriginalFileName: 'taskkill.exe'
selection_cli:
CommandLine|contains|all:
- /f
- /im
condition: all of selection*
falsepositives:
- Unknown
level: low
tags:
- attack.impact
- attack.t1489
Reference in New Issue View Git Blame Copy Permalink