
Process Terminated Via Taskkill

Detects execution of "taskkill.exe" with the force flag (/f) against a named image (/im) or process ID (/pid) in order to stop a service or a process. Look for suspicious parent processes executing this command in order to hunt for potential malicious activity. Attackers might leverage this in order to conduct data destruction or data encrypted for impact against the data stores of services like Exchange and SQL Server, whose database files are held open while the service runs and therefore have to be stopped before they can be overwritten or encrypted.

MITRE ATT&CK

impact

Detection Query

selection_img:
  - Image|endswith: \taskkill.exe
  - OriginalFileName: taskkill.exe
selection_cli_force:
  - CommandLine|contains|windash: " /f "
  - CommandLine|endswith|windash: " /f"
selection_cli_filter_process:
  CommandLine|contains|windash:
    - " /im "
    - " /pid "
filter_main_installers:
  ParentImage|contains:
    - \AppData\Local\Temp\
    - :\Windows\Temp
  ParentImage|endswith: .tmp
condition: all of selection_* and not 1 of filter_main_*
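The query above reads as YAML, but how the pieces combine is easy to misread: list values under a field are ORed, several fields inside one selection map are ANDed, and the windash modifier makes a flag written as "/f" also match when written as "-f". The following is an added example for this page, not code from the Sigma project or the rule authors, that re-implements the rule's matching logic in plain Python and runs it over constructed process-creation events. The event names, paths, PIDs and the ProcEvent class are invented for illustration; expanding windash to the Unicode en/em dash in addition to "-" and "/" is an assumption about how current Sigma tooling treats the modifier, the ASCII pair is the documented core.

```python
"""
Plain-Python evaluation of the 'Process Terminated Via Taskkill' Sigma rule
over a handful of constructed Windows process-creation events.
Added example for this page; for real deployments use pySigma or your SIEM
backend rather than hand-rolled matching.
"""
from dataclasses import dataclass

# Sigma 'windash': every '/' in the pattern may also appear as a dash.
# The ASCII '-' is the documented core; the en dash and em dash are an
# assumption about how current Sigma tooling expands the modifier.
DASHES = ("/", "-", "\u2013", "\u2014")


def windash_variants(pattern: str) -> list[str]:
    """Return every permutation of the pattern with '/' replaced by a dash variant."""
    variants = [""]
    for ch in pattern:
        alts = DASHES if ch == "/" else (ch,)
        variants = [v + a for v in variants for a in alts]
    return variants


# Sigma string matching is case-insensitive, hence the lower() on both sides.
def contains(value: str, needles: list[str]) -> bool:
    v = value.lower()
    return any(n.lower() in v for n in needles)


def endswith(value: str, needles: list[str]) -> bool:
    v = value.lower()
    return any(v.endswith(n.lower()) for n in needles)


@dataclass
class ProcEvent:
    """Minimal process-creation record (constructed; field names follow Sysmon EID 1)."""
    Image: str
    OriginalFileName: str
    CommandLine: str
    ParentImage: str


def selection_img(e: ProcEvent) -> bool:
    # A list of two field maps: either condition is enough (OR).
    return endswith(e.Image, ["\\taskkill.exe"]) or e.OriginalFileName.lower() == "taskkill.exe"


def selection_cli_force(e: ProcEvent) -> bool:
    # '/f ' somewhere in the line, or '/f' as the very last token.
    return contains(e.CommandLine, windash_variants(" /f ")) or \
        endswith(e.CommandLine, windash_variants(" /f"))


def selection_cli_filter_process(e: ProcEvent) -> bool:
    return contains(e.CommandLine, windash_variants(" /im ") + windash_variants(" /pid "))


def filter_main_installers(e: ProcEvent) -> bool:
    # Two keys inside ONE map are ANDed: the parent must live in a Temp
    # directory AND its file name must end in '.tmp' for the filter to fire.
    return contains(e.ParentImage, ["\\AppData\\Local\\Temp\\", ":\\Windows\\Temp"]) and \
        endswith(e.ParentImage, [".tmp"])


def matches(e: ProcEvent) -> bool:
    """condition: all of selection_* and not 1 of filter_main_*"""
    return (selection_img(e) and selection_cli_force(e)
            and selection_cli_filter_process(e) and not filter_main_installers(e))


# Constructed sample events; none of these are real telemetry.
EVENTS = {
    "sql_kill_from_cmd": ProcEvent(
        r"C:\Windows\System32\taskkill.exe", "taskkill.exe",
        r'taskkill.exe /F /IM sqlservr.exe', r"C:\Windows\System32\cmd.exe"),
    "dash_flags_from_powershell": ProcEvent(
        r"C:\Windows\System32\taskkill.exe", "taskkill.exe",
        r"taskkill -f -pid 4212", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    "trailing_force_flag": ProcEvent(
        r"C:\Windows\System32\taskkill.exe", "taskkill.exe",
        r"taskkill /pid 6120 /f", r"C:\Windows\System32\cmd.exe"),
    "renamed_binary": ProcEvent(
        r"C:\Users\Public\tk.exe", "taskkill.exe",
        r"tk.exe /f /im w3wp.exe", r"C:\Users\Public\stage.exe"),
    "no_force_flag": ProcEvent(
        r"C:\Windows\System32\taskkill.exe", "taskkill.exe",
        r"taskkill /im notepad.exe", r"C:\Windows\explorer.exe"),
    "installer_tmp_parent": ProcEvent(
        r"C:\Windows\System32\taskkill.exe", "taskkill.exe",
        r"taskkill /f /im updater.exe",
        r"C:\Users\alice\AppData\Local\Temp\is-K3QZ1.tmp\setup.tmp"),
    "windows_temp_parent_not_tmp": ProcEvent(
        r"C:\Windows\System32\taskkill.exe", "taskkill.exe",
        r"taskkill /f /im updater.exe", r"C:\Windows\Temp\installer.exe"),
}


def run() -> dict[str, bool]:
    """Evaluate the rule over every sample event; returns {name: matched}."""
    return {name: matches(ev) for name, ev in EVENTS.items()}


if __name__ == "__main__":
    for name, hit in run().items():
        print(f"{'ALERT ' if hit else '      '} {name}")
```

Two results are worth noting. The renamed copy still triggers because selection_img also checks OriginalFileName, which is why the rule does not rely on the path alone. The parent under C:\Windows\Temp that is not itself a .tmp file is not excluded, because the filter's two keys sit in one map and are therefore ANDed; if that combination is noisy in your environment it is the place to tune, not the force-flag selection.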

Author

frack113, MalGamy (Nextron Systems), Nasreddine Bencherchali

Created

2021-12-26

Data Sources

windows: Process Creation Events

Platforms

windows

Tags

attack.impact, attack.t1489, detection.threat-hunting
Raw Content
title: Process Terminated Via Taskkill
id: 86085955-ea48-42a2-9dd3-85d4c36b167d
status: test
description: |
    Detects execution of "taskkill.exe" in order to stop a service or a process. Look for suspicious parents executing this command in order to hunt for potential malicious activity.
    Attackers might leverage this in order to conduct data destruction or data encrypted for impact on the data stores of services like Exchange and SQL Server.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1489/T1489.md#atomic-test-3---windows---stop-service-by-killing-process
    - https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/
author: frack113, MalGamy (Nextron Systems), Nasreddine Bencherchali
date: 2021-12-26
modified: 2024-10-06
tags:
    - attack.impact
    - attack.t1489
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\taskkill.exe'
        - OriginalFileName: 'taskkill.exe'
    selection_cli_force:
        - CommandLine|contains|windash: ' /f '
        - CommandLine|endswith|windash: ' /f'
    selection_cli_filter_process:
        CommandLine|contains|windash:
            - ' /im '
            - ' /pid '
    filter_main_installers:
        ParentImage|contains:
            - '\AppData\Local\Temp\'
            - ':\Windows\Temp'
        ParentImage|endswith: '.tmp'
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Expected FP with some processes using this technique to terminate one of their own processes during installations and updates
level: low