Process Terminated Via Taskkill

    Date: 09/03/2024

    Severity: Medium

    Summary

    "Process Terminated Via Taskkill" refers to ending a running process or application on a Windows host with the taskkill command. The command, typically run from the Command Prompt or a script, stops a specified process by its process ID (PID) or image name, and with the /f switch does so forcefully. It is commonly used to close unresponsive or problematic programs that cannot be closed through normal means. The detection below looks for taskkill run with the /f (force) and /im (image name) switches from a parent process located in a temporary directory, a combination that is unusual for interactive administrative use.

    Indicators of Compromise (IOC) List

    Image: '\taskkill.exe'

    OriginalFileName: 'taskkill.exe'

    CommandLine: '/f', '/im'

    ParentImage: '\AppData\Local\Temp\', ':\Windows\Temp', '.tmp'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    ((((Resourcename in ("Sysmon") AND eventtype = "1") AND image = "\taskkill.exe") AND originalfilename = "taskkill.exe") AND commandline in ("/f","/im")) AND parentimage in ("\AppData\Local\Temp",":\Windows\Temp",".tmp")

    Detection Query 2

    ((((Technologygroup = "EDR" ) AND image = "\taskkill.exe") AND originalfilename = "taskkill.exe") AND commandline in ("/f","/im")) AND parentimage in ("\AppData\Local\Temp",":\Windows\Temp",".tmp")
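    The two queries above expressed as a small Python check run over constructed Sysmon Event ID 1 records. This is an added example, not Gurucul's code or part of the referenced Sigma rule; it assumes the "in" operators on commandline and parentimage mean substring (contains) matches, as in the Sigma rule, and the sample events are constructed.

```python
# Added example: re-implementation of the page's detection conditions (not Gurucul code).
SUSPICIOUS_PARENT_PATHS = ("\\AppData\\Local\\Temp\\", ":\\Windows\\Temp", ".tmp")
REQUIRED_FLAGS = ("/f", "/im")

def is_suspicious_taskkill(event):
    """Match every condition of the queries above: taskkill image and original
    file name, both /f and /im on the command line, and a parent in a temp path."""
    if event.get("EventID") != 1:          # Sysmon process creation only
        return False
    image = event.get("Image", "").lower()
    if not image.endswith("\\taskkill.exe"):
        return False
    if event.get("OriginalFileName", "").lower() != "taskkill.exe":
        return False
    # Case-insensitive token match so "/F /IM" is not missed.
    tokens = {t.lower() for t in event.get("CommandLine", "").split()}
    if not all(flag in tokens for flag in REQUIRED_FLAGS):
        return False
    parent = event.get("ParentImage", "").lower()
    return any(p.lower() in parent for p in SUSPICIOUS_PARENT_PATHS)

def scan(events):
    """Return the ProcessIds of the events that trigger the detection."""
    return [e["ProcessId"] for e in events if is_suspicious_taskkill(e)]

def mk(pid, cmdline, parent):
    # Build a minimal Sysmon-style process-creation record (constructed data).
    return {"EventID": 1, "ProcessId": pid,
            "Image": r"C:\Windows\System32\taskkill.exe",
            "OriginalFileName": "taskkill.exe",
            "CommandLine": cmdline, "ParentImage": parent}

SAMPLE_EVENTS = [
    # an admin closing a hung app from an interactive shell: no alert
    mk(4100, "taskkill /F /IM notepad.exe", r"C:\Windows\System32\cmd.exe"),
    # taskkill spawned by a binary in the user's Temp folder: alert
    mk(4212, "taskkill /f /im notepad.exe", r"C:\Users\alice\AppData\Local\Temp\update.exe"),
    # /f with /pid instead of /im: the query requires both /f and /im, so no alert
    mk(4300, "taskkill /f /pid 1234", r"C:\Windows\Temp\setup.tmp"),
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))  # → [4212]
```

    Note that the '.tmp' parent fragment matches anywhere in the path, so tuning for installers that legitimately run from .tmp directories may be needed.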

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_taskkill_execution.yml


    Tags: Sigma, PowerShell Attack, Exploit
