Excessive Taskkill Usage for Defense Evasion
Adversaries use taskkill.exe to disable security tools, and this detection identifies instances where taskkill.exe is executed excessively within a short timeframe, indicative of malicious activity aimed at defense evasion.
This brief examines the excessive usage of taskkill.exe, a Windows command-line utility, as an indicator of potential malicious activity. Attackers use taskkill.exe to disable security tools or other critical processes in order to evade detection and maintain persistence on a compromised system. This analytic focuses on detecting instances where taskkill.exe is executed ten or more times within a one-minute span, which is considered anomalous and suspicious behavior. This detection can identify activity associated with malware families such as Azorult, AgentTesla, NjRAT, and XMRig. Successful execution of this technique can allow attackers to bypass security defenses, maintain persistence, and further compromise the system.
Attack Chain
- The attacker gains initial access to the system through an exploit or compromised credentials.
- The attacker executes a script or program designed to disable security tools.
- The script utilizes taskkill.exe to terminate processes associated with antivirus software, endpoint detection and response (EDR) agents, and other security monitoring tools. taskkill.exe is executed repeatedly within a short timeframe (e.g., 10 or more times in one minute) to ensure the targeted processes are terminated.
- With security tools disabled, the attacker can now execute malicious payloads without immediate detection.
- The attacker deploys ransomware, steals sensitive data, or establishes a persistent backdoor on the system.
- The attacker attempts to move laterally to other systems to expand their control within the network.
Impact
Successfully disabling security tools through excessive taskkill usage can lead to significant disruption, data theft, and financial loss. If attackers disable endpoint protection, they can deploy ransomware, steal sensitive data, or pivot to other systems. This impacts the confidentiality, integrity, and availability of the affected systems and data. Organizations in all sectors are at risk.
Recommendation
- Deploy the Sigma rule Excessive Taskkill Usage to your SIEM to detect rapid taskkill executions and tune it for your environment.
- Enable Sysmon process creation logging (Event ID 1) to provide the necessary data for the Sigma rule.
- Ensure that Windows Event Log Security Auditing is enabled (Event ID 4688) to capture process creation events.
- Investigate any alerts generated by the Sigma rules, prioritizing those involving privileged accounts or critical systems.
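As an added example (not the platform's Sigma rule and not code from the brief), the following Python script implements the analytic described above, ten or more taskkill.exe launches on one host within one minute, as a sliding-window count over Sysmon Event ID 1 process-creation records. The field names (UtcTime, Computer, Image, ParentImage, CommandLine) follow Sysmon's process-creation event; the sample events, host names and target process names are constructed placeholders, not real product processes.

```python
"""Sliding-window detection of excessive taskkill.exe execution.

Added example, not the platform's Sigma rule. It replays Sysmon Event ID 1
(process creation) records, reduced to the fields the check needs, and
raises one alert per host once 10 or more taskkill.exe launches fall inside
any 60-second window, the threshold described in the brief.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 10       # taskkill.exe launches
WINDOW_SECONDS = 60  # per host, sliding


def is_taskkill(image: str) -> bool:
    """Match on the image file name so the System32/SysWOW64 path and casing do not matter."""
    return image.rsplit("\\", 1)[-1].lower() == "taskkill.exe"


def killed_image(cmdline: str):
    """Return the process name passed to /IM, or None for /PID or malformed command lines."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() == "/im":
            return tokens[i + 1].lower()
    return None


def detect_excessive_taskkill(events, threshold=THRESHOLD, window_seconds=WINDOW_SECONDS):
    """Return alert dicts, one per host whose taskkill count reaches `threshold`
    within `window_seconds`. `events` are dicts carrying the Sysmon EID 1 fields
    UtcTime, Computer, Image, ParentImage and CommandLine."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # host -> taskkill events still inside the window
    alerts, alerted = [], set()
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        if not is_taskkill(ev["Image"]):
            continue
        host, ts = ev["Computer"], datetime.fromisoformat(ev["UtcTime"])
        q = recent[host]
        q.append(ev)
        # Evict launches that fell out of the window ending at this event.
        while ts - datetime.fromisoformat(q[0]["UtcTime"]) > window:
            q.popleft()
        if len(q) >= threshold and host not in alerted:
            alerted.add(host)
            alerts.append({
                "host": host,
                "count": len(q),
                "first_seen": q[0]["UtcTime"],
                "last_seen": ev["UtcTime"],
                # Triage context: which parent launched taskkill and what it targeted.
                "parents": sorted({e["ParentImage"] for e in q}),
                "targets": sorted({killed_image(e["CommandLine"]) for e in q} - {None}),
            })
    return alerts


_BASE = datetime(2024, 5, 6, 9, 0, 0)   # constructed timestamp base for the sample


def _event(host, offset_s, image, parent, cmdline):
    """Build one constructed Sysmon EID 1 record; UtcTime uses Sysmon's 'YYYY-MM-DD HH:MM:SS.fff' form."""
    return {
        "UtcTime": (_BASE + timedelta(seconds=offset_s)).strftime("%Y-%m-%d %H:%M:%S.000"),
        "Computer": host, "Image": image, "ParentImage": parent, "CommandLine": cmdline,
    }


_TASKKILL = r"C:\Windows\System32\taskkill.exe"
# Placeholder names standing in for security-tool processes; not real product names.
_PLACEHOLDER_TARGETS = ["av_agent.exe", "edr_sensor.exe", "log_forwarder.exe"]

SAMPLE_EVENTS = [
    # HOST-A: a batch script under cmd.exe launches taskkill 12 times in 33 seconds.
    *[_event("HOST-A", 5 + 3 * i, _TASKKILL, r"C:\Windows\System32\cmd.exe", f"taskkill /F /IM {name}")
      for i, name in enumerate(_PLACEHOLDER_TARGETS * 4)],
    # HOST-B: an administrator kills a hung application three times over four minutes (benign).
    *[_event("HOST-B", 120 * i, _TASKKILL, r"C:\Windows\explorer.exe", "taskkill /IM hung_app.exe")
      for i in range(3)],
    # Unrelated process creation on HOST-A; ignored by the image filter.
    _event("HOST-A", 7, r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for alert in detect_excessive_taskkill(SAMPLE_EVENTS):
        print(f"{alert['host']}: {alert['count']} taskkill launches between "
              f"{alert['first_seen']} and {alert['last_seen']}; "
              f"parents={alert['parents']}; targets={alert['targets']}")
```

With the defaults only HOST-A fires (ten launches between 09:00:05 and 09:00:32), while HOST-B's three spaced-out launches stay below the threshold; lowering the threshold or widening the window, as the brief's tuning advice anticipates, is what makes routine administrative use start to alert. The same logic applies to Windows Security 4688 records once their process-name and command-line fields are mapped to the keys used here.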
Detection coverage (2 rules)
Excessive Taskkill Usage (severity: high)
Detects excessive usage of taskkill.exe, which is indicative of attackers trying to disable security tools.
Taskkill Usage with Suspicious Parent Process (severity: medium)
Detects taskkill.exe being executed from unusual parent processes, which could indicate malicious activity.