Threat Huntlowtest
Process Terminated Via Taskkill
Detects execution of "taskkill.exe" in order to stop a service or a process. Look for suspicious parents executing this command in order to hunt for potential malicious activity. Attackers might leverage this in order to conduct data destruction or data encrypted for impact on the data stores of services like Exchange and SQL Server.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
François Hubaut, MalGamy (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)Created Sun Dec 26Updated Sun Oct 0686085955-ea48-42a2-9dd3-85d4c36b167dwindows
Hunting Hypothesis
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
Detection Logic4 selectors
detection:
selection_img:
- Image|endswith: '\taskkill.exe'
- OriginalFileName: 'taskkill.exe'
selection_cli_force:
- CommandLine|contains|windash: ' /f '
- CommandLine|endswith|windash: ' /f'
selection_cli_filter_process:
CommandLine|contains|windash:
- ' /im '
- ' /pid '
filter_main_installers:
ParentImage|contains:
- '\AppData\Local\Temp\'
- ':\Windows\Temp'
ParentImage|endswith: '.tmp'
condition: all of selection_* and not 1 of filter_main_*False Positives
Expected FP with some processes using this techniques to terminate one of their processes during installations and updates
MITRE ATT&CK
Rule Metadata
Rule ID
86085955-ea48-42a2-9dd3-85d4c36b167d
Status
test
Level
low
Type
Threat Hunt
Created
Sun Dec 26
Modified
Sun Oct 06
Path
rules-threat-hunting/windows/process_creation/proc_creation_win_taskkill_execution.yml
Raw Tags
attack.impactattack.t1489detection.threat-hunting