Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhighexperimental

Kaspersky Endpoint Security Stopped Via CommandLine - Linux

Detects execution of the Kaspersky init.d stop script on Linux systems either directly or via systemctl. This activity may indicate a manual interruption of the antivirus service by an administrator, or it could be a sign of potential tampering or evasion attempts by malicious actors.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Milad CheraghiCreated Sat Oct 1836388120-b3f1-4ce9-b50b-280d9a7f4c04linux
Log Source
LinuxProcess Creation
ProductLinux← raw: linux
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic1 selector
detection:
    selection:
        Image|endswith:
            # Note: Add the list of shells allowed in your environment that can be used to run init.d scripts.
            - '/systemctl'
            - '/bash'
            - '/sh'
        CommandLine|contains|all:
            - 'stop'
            - 'kesl'
    condition: selection
False Positives

System administrator manually stopping Kaspersky services

References
1
Resolving title…
support.kaspersky.com
MITRE ATT&CK
Rule Metadata
Rule ID
36388120-b3f1-4ce9-b50b-280d9a7f4c04
Status
experimental
Level
high
Type
Detection
Created
Sat Oct 18
Author
Milad Cheraghi
Path
rules/linux/process_creation/proc_creation_lnx_av_kaspersky_av_disabled.yml
Raw Tags
attack.executionattack.defense-evasionattack.t1562.001
View on GitHub