Severity: high (advisory)

Windows Taskkill Used for Defense Evasion

The analytic identifies the use of taskkill.exe to forcibly terminate processes, focusing on command-line executions that include specific taskkill parameters, which can indicate attempts to disable security tools or disrupt legitimate applications.

This analytic focuses on detecting the use of taskkill.exe to forcibly terminate processes on Windows systems. Attackers commonly use this technique to disable security tools, disrupt legitimate applications, and evade detection. The detection leverages endpoint detection and response (EDR) agents to monitor command-line executions of taskkill.exe with specific parameters, such as /f (force), /t (terminate child processes), /im (image name), and /pid (process ID). Identifying this activity is crucial for defenders because successful termination of security processes can allow attackers to operate undetected, maintain persistence, and escalate their privileges within the compromised environment. This technique has been observed in malware operations, including those associated with remote access trojans (RATs) like NjRAT.

Attack Chain

  1. Initial access is gained through an exploit or social engineering.
  2. The attacker executes taskkill.exe with the /im parameter followed by the image name of a security tool (e.g., taskkill /im av.exe /f).
  3. Alternatively, the attacker uses the /pid parameter to terminate a specific process by its process ID (e.g., taskkill /pid 1234 /f).
  4. The /f parameter forces the termination of the targeted process, bypassing normal termination procedures.
  5. The /t parameter is used to terminate any child processes associated with the targeted process, ensuring complete removal (e.g., taskkill /im process.exe /t /f).
  6. Successful termination of security tools allows the attacker to evade detection.
  7. The attacker can then execute malicious payloads or perform lateral movement without interference from security software.
  8. The final objective is to exfiltrate data, deploy ransomware, or achieve other malicious goals.

Impact

Successful use of taskkill.exe to disable or disrupt security tools can severely compromise a system’s defenses. This can lead to extended periods of undetected malicious activity, resulting in data theft, system instability, or complete system compromise. Specific impacts may include data breaches, financial loss, and reputational damage. This technique is often a precursor to more serious attacks like ransomware deployment, with potential widespread damage across the targeted organization.

Recommendation

  • Enable Sysmon Event ID 1 and Windows Security Event 4688 logging to capture process creation events with command-line arguments for taskkill.exe (for 4688, also enable the "Include command line in process creation events" audit policy, since the command line is not recorded by default).
  • Deploy the Sigma rules provided to your SIEM to detect suspicious use of taskkill.exe, focusing on processes being terminated and the users initiating the termination.
  • Investigate any alerts generated by the Sigma rules, focusing on the parent processes of taskkill.exe and the processes being terminated.
  • Tune the Sigma rules based on your environment to reduce false positives from legitimate administrative activity, as identified in the ‘known_false_positives’ section.
  • Implement network segmentation to limit the potential impact of a successful attack, mitigating lateral movement post-compromise.

Detection coverage (3 rules)

Detect Taskkill with Force Option

high

Detects taskkill.exe being used with the /f (force) option, which can indicate attempts to disable security tools.

Type: sigma | Tactics: defense_evasion | Sources: process_creation, windows

Detect Taskkill Terminating Child Processes

medium

Detects taskkill.exe being used with the /t (terminate child processes) option, often used to ensure complete removal of a process.

Type: sigma | Tactics: defense_evasion | Sources: process_creation, windows

Detect Taskkill Targeting Specific Processes by Name

medium

Detects taskkill.exe being used with the /im option to target processes by image name, potentially to disable security software.

Type: sigma | Tactics: defense_evasion | Sources: process_creation, windows
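As an added example (not the platform's Sigma rules or any code from the advisory), the following Python applies the three detection rules above to constructed Sysmon-style process-creation events, and covers the recommendation to report the terminated process, the initiating user and the parent process, plus a parent-image allowlist as the tuning hook for legitimate administrative activity. Field names follow Sysmon Event ID 1 (Image, OriginalFileName, CommandLine, ParentImage, User); the sample events, paths, users and the allowlisted parent are invented.

```python
import shlex
# Constructed sample process-creation events (abbreviated Sysmon Event ID 1 / Security 4688
# fields); images, parents and users are invented for this demo.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\taskkill.exe", "CommandLine": "taskkill /im av.exe /f",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\jdoe"},
    {"Image": r"C:\Windows\System32\taskkill.exe", "CommandLine": "taskkill /PID 1234 /F",
     "ParentImage": r"C:\Users\jdoe\AppData\Local\Temp\update.exe", "User": r"CORP\jdoe"},
    {"Image": r"C:\Windows\System32\taskkill.exe", "CommandLine": "taskkill /im process.exe /t /f",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\jdoe"},
    # Renamed copy: Image no longer ends in taskkill.exe, but Sysmon's OriginalFileName still does.
    {"Image": r"C:\Temp\tk.exe", "OriginalFileName": "taskkill.exe", "CommandLine": "tk /im av.exe /f",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\jdoe"},
    # Routine job from an (assumed) allowlisted admin parent: suppressed by tuning in evaluate().
    {"Image": r"C:\Windows\System32\taskkill.exe", "CommandLine": "taskkill /im notepad.exe /f",
     "ParentImage": r"C:\Program Files\Admin\deploy.exe", "User": r"CORP\svc_deploy"},
]
# The three rules on this page: (name, severity, taskkill switch that triggers it).
RULES = (
    ("Detect Taskkill with Force Option", "high", "/f"),
    ("Detect Taskkill Terminating Child Processes", "medium", "/t"),
    ("Detect Taskkill Targeting Specific Processes by Name", "medium", "/im"),
)

def is_taskkill(event):
    """Match on Image or on Sysmon's OriginalFileName so a renamed binary is still caught."""
    return (event.get("Image", "").lower().endswith("\\taskkill.exe")
            or event.get("OriginalFileName", "").lower() == "taskkill.exe")

def parse_cmdline(cmdline):
    """Return (lowercased switches, value after /im or /pid, or None); /F and /f are equivalent."""
    tokens = shlex.split(cmdline, posix=False) if cmdline else []
    switches = {t.lower() for t in tokens if t.startswith("/") and len(t) > 1}
    target = next((tokens[i + 1].strip('"') for i, t in enumerate(tokens[:-1])
                   if t.lower() in ("/im", "/pid")), None)
    return switches, target

def evaluate(events, allowlisted_parents=frozenset()):
    """Apply RULES per event; allowlisted_parents (lowercase paths) is an assumed tuning hook."""
    alerts = []
    for ev in events:
        if not is_taskkill(ev) or ev.get("ParentImage", "").lower() in allowlisted_parents:
            continue
        switches, target = parse_cmdline(ev.get("CommandLine", ""))
        for name, severity, switch in RULES:
            if switch in switches:
                alerts.append({"rule": name, "severity": severity, "target": target,
                               "user": ev.get("User"), "parent": ev.get("ParentImage")})
    return alerts
```

Each alert carries the terminated target and the parent image so triage can start from the two fields the recommendations call out; the fourth sample event shows why matching OriginalFileName in addition to Image matters.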
