Process-Termination

Detection of a process attempting to terminate the Lsass.exe process, indicating a potential attempt to perform credential dumping, privilege escalation, or evasion of security policies.

Detection of 'pkill' command execution on Linux systems, a technique used by threat actors to disable security defenses or terminate critical processes, potentially leading to data corruption or destruction.

Adversaries use taskkill.exe to disable security tools, and this detection identifies instances where taskkill.exe is executed excessively within a short timeframe, indicative of malicious activity aimed at defense evasion.

This analytic detects the use of `wmic.exe` with the `delete` command to terminate a process by specifying its executable path, often used to disable security tools or critical processes during the setup of malicious activities like cryptocurrency mining.