{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/process-termination/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["lsass","process-termination","windows"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThis analytic detects a suspicious process attempting to terminate the Lsass.exe process. This is based on identifying processes being granted PROCESS_TERMINATE access to Lsass.exe, which is a critical process responsible for enforcing security policies and handling user credentials. Attackers may attempt to terminate the LSASS process to disable security policies or dump credentials. The initial report stems from Splunk ESCU detections as of 2026-05-05. Successful termination of LSASS can lead to unauthorized access and persistence within the environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to obtain the necessary permissions to interact with the LSASS process.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a malicious process to request the PROCESS_TERMINATE right on the LSASS process.\u003c/li\u003e\n\u003cli\u003eSysmon logs EventCode 10, recording the process requesting PROCESS_TERMINATE access to lsass.exe.\u003c/li\u003e\n\u003cli\u003eThe malicious process successfully terminates the LSASS process.\u003c/li\u003e\n\u003cli\u003eThe operating system may crash or become unstable due to the termination of a critical system process.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to dump 
credentials or perform other malicious activities with the security policies disabled.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as gaining unauthorized access, stealing sensitive data, or establishing persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful termination of the LSASS process can have severe consequences, including system instability, data loss, and unauthorized access to sensitive information. Attackers can leverage this to perform credential dumping, gain elevated privileges, and evade security policies. While the exact number of victims is not specified, the potential impact spans across organizations that rely on Windows-based systems for their operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon EventCode 10 logging to detect processes granted PROCESS_TERMINATE access to lsass.exe.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect LSASS Process Termination Attempt\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule and determine the root cause of the LSASS process termination.\u003c/li\u003e\n\u003cli\u003eReview access controls and permissions to limit the ability of unauthorized processes to interact with LSASS.\u003c/li\u003e\n\u003cli\u003eMonitor systems for unusual process behavior and investigate any suspicious activity promptly.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-terminating-lsass/","summary":"Detection of a process attempting to terminate the Lsass.exe process, indicating a potential attempt to perform credential dumping, privilege escalation, or evasion of security policies.","title":"Suspicious Process Terminating LSASS 
Process","url":"https://feed.craftedsignal.io/briefs/2024-01-terminating-lsass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","process-termination","linux"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThis threat brief focuses on the malicious use of the \u003ccode\u003epkill\u003c/code\u003e command on Linux systems. Threat actors leverage \u003ccode\u003epkill\u003c/code\u003e to terminate processes related to security defenses or other critical system functions. The identification of this behavior is crucial for defenders as it signifies an active attempt to impair security controls and evade detection. The observed activity allows further malicious actions and can result in the complete shutdown or disabling of endpoint detection and response agents. This ultimately leads to increased dwell time and potential data exfiltration or destruction. 
The analytic identifies executions of \u003ccode\u003epkill\u003c/code\u003e via command-line arguments and process names.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Linux system (e.g., via compromised credentials or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes a reconnaissance command, such as \u003ccode\u003eps\u003c/code\u003e, to identify running processes, including security tools.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003epkill\u003c/code\u003e or \u003ccode\u003epgrep\u003c/code\u003e to identify specific process IDs of targeted security applications.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003epkill \u0026lt;PID\u0026gt;\u003c/code\u003e to terminate the targeted security processes.\u003c/li\u003e\n\u003cli\u003eThe attacker confirms the successful termination of the security process using \u003ccode\u003eps\u003c/code\u003e or similar commands.\u003c/li\u003e\n\u003cli\u003eWith security defenses impaired, the attacker executes malicious code (e.g., malware, scripts) without immediate detection.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally within the network to compromise additional systems.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, which may include data exfiltration, data encryption (ransomware), or system destruction.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of \u003ccode\u003epkill\u003c/code\u003e against security applications can severely impair an organization\u0026rsquo;s ability to detect and respond to threats. This can lead to prolonged dwell time for attackers, enabling them to move laterally within the network, exfiltrate sensitive data, deploy ransomware, or cause irreparable damage to systems. 
The lack of immediate detection increases the potential for significant financial and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon for Linux Event ID 1 to capture process creation events, which are essential for detecting \u003ccode\u003epkill\u003c/code\u003e executions.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect suspicious \u003ccode\u003epkill\u003c/code\u003e command-line executions.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules to determine the legitimacy of the \u003ccode\u003epkill\u003c/code\u003e execution and identify potentially compromised systems.\u003c/li\u003e\n\u003cli\u003eTune the Sigma rules in this brief for your environment by filtering out known benign uses of \u003ccode\u003epkill\u003c/code\u003e by administrators.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-linux-impair-defenses-process-kill/","summary":"Detection of 'pkill' command execution on Linux systems, a technique used by threat actors to disable security defenses or terminate critical processes, potentially leading to data corruption or destruction.","title":"Linux Defense Impairment via Process Termination","url":"https://feed.craftedsignal.io/briefs/2024-01-linux-impair-defenses-process-kill/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","process-termination","windows"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThis brief examines the excessive usage of \u003ccode\u003etaskkill.exe\u003c/code\u003e, a Windows command-line utility, as an indicator of potential malicious activity. 
The use of \u003ccode\u003etaskkill.exe\u003c/code\u003e is a known technique used by attackers to disable security tools or other critical processes to evade detection and maintain persistence on a compromised system. This analytic focuses on detecting instances where \u003ccode\u003etaskkill.exe\u003c/code\u003e is executed ten or more times within a one-minute span, which is considered an anomalous and suspicious behavior. This detection can identify activity associated with malware families like Azorult, AgentTesla, NjRAT, and XMRig. Successful execution of this technique can allow attackers to bypass security defenses, maintain persistence, and further compromise the system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system through an exploit or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a script or program designed to disable security tools.\u003c/li\u003e\n\u003cli\u003eThe script utilizes \u003ccode\u003etaskkill.exe\u003c/code\u003e to terminate processes associated with antivirus software, endpoint detection and response (EDR) agents, and other security monitoring tools.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003etaskkill.exe\u003c/code\u003e is executed repeatedly within a short timeframe (e.g., 10 or more times in one minute) to ensure the targeted processes are terminated.\u003c/li\u003e\n\u003cli\u003eWith security tools disabled, the attacker can now execute malicious payloads without immediate detection.\u003c/li\u003e\n\u003cli\u003eThe attacker deploys ransomware, steals sensitive data, or establishes a persistent backdoor on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to move laterally to other systems to expand their control within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation via excessive taskkill 
usage can lead to significant disruption, data theft, and financial loss. If attackers successfully disable endpoint protection, they can deploy ransomware, steal sensitive data, or pivot to other systems. This impacts the confidentiality, integrity, and availability of the affected systems and data. Organizations in all sectors are at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eExcessive Taskkill Usage\u003c/code\u003e to your SIEM to detect rapid taskkill executions and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to provide the necessary data for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eEnsure that Windows Event Log Security Auditing is enabled (Event ID 4688) to capture process creation events.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules, prioritizing those involving privileged accounts or critical systems.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-excessive-taskkill/","summary":"Adversaries use taskkill.exe to disable security tools, and this detection identifies instances where taskkill.exe is executed excessively within a short timeframe, indicative of malicious activity aimed at defense evasion.","title":"Excessive Taskkill Usage for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-01-excessive-taskkill/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["process-termination","wmic","cryptocurrency-mining","endpoint"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThis detection focuses on identifying the use of the Windows Management Instrumentation Command-line (WMIC) utility to 
terminate processes by referencing their file paths. Specifically, it looks for instances where \u003ccode\u003ewmic.exe\u003c/code\u003e is used with the \u003ccode\u003edelete\u003c/code\u003e command targeting an executable path. This technique is often employed by attackers to disable security software, terminate competing processes (such as other miners), or halt critical system services, as seen in cases involving cryptocurrency miners. The activity is often associated with the initial stages of setting up malicious operations on an endpoint, giving defenders an opportunity to disrupt attacks early in the kill chain. The source material was released in 2026, but the underlying technique has been used since at least 2020.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system, often through methods not directly covered by this detection (e.g., exploiting a vulnerability or using compromised credentials).\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003ewmic.exe\u003c/code\u003e with specific parameters to target a running process.\u003c/li\u003e\n\u003cli\u003eThe command includes the \u003ccode\u003eprocess\u003c/code\u003e argument to specify the process to be targeted, the \u003ccode\u003eexecutablepath\u003c/code\u003e argument to identify the process by its file path, and the \u003ccode\u003edelete\u003c/code\u003e command to terminate the process.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ewmic.exe\u003c/code\u003e attempts to locate the process based on the provided file path.\u003c/li\u003e\n\u003cli\u003eIf the process is found, \u003ccode\u003ewmic.exe\u003c/code\u003e sends a termination signal to the process.\u003c/li\u003e\n\u003cli\u003eThe targeted process is terminated.\u003c/li\u003e\n\u003cli\u003eThe attacker repeats this process to disable other security tools or competing processes.\u003c/li\u003e\n\u003cli\u003eThe 
attacker proceeds with their primary objective, such as deploying and executing a cryptocurrency miner or establishing persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of this technique can lead to the disabling of security software, allowing malware to operate unimpeded. It can also result in the termination of critical system processes, leading to system instability or data loss. Observed cases include the deployment of XMRig cryptocurrency miners following the termination of security tools. If left unchecked, this activity can significantly increase the attacker\u0026rsquo;s foothold within the compromised environment, facilitating further malicious actions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Process Termination via WMIC File Path\u003c/code\u003e to your SIEM and tune it for your environment to identify malicious process termination attempts.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) and Windows Event Log Security (4688) to provide the necessary data for the Sigma rules.\u003c/li\u003e\n\u003cli\u003eInvestigate any identified instances of \u003ccode\u003ewmic.exe\u003c/code\u003e being used with the \u003ccode\u003edelete\u003c/code\u003e command, especially when targeting executable paths of known security products or critical system processes.\u003c/li\u003e\n\u003cli\u003eImplement the \u003ccode\u003eprocess_kill_base_on_file_path_filter\u003c/code\u003e macro referenced in the search query to reduce noise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-process-kill-file-path/","summary":"This analytic detects the use of `wmic.exe` with the `delete` command to terminate a process by specifying its executable path, often used 
to disable security tools or critical processes during the setup of malicious activities like cryptocurrency mining.","title":"Detection of Process Termination via File Path Using WMIC","url":"https://feed.craftedsignal.io/briefs/2024-01-03-process-kill-file-path/"}],"language":"en","title":"CraftedSignal Threat Feed — Process-Termination","version":"https://jsonfeed.org/version/1.1"}