topic Re: Detect where a process has been killed in Cortex XDR Discussions

Detect where a process has been killed

SARowe_NZ — Tue, 07 Feb 2023 00:11:56 GMT

We have a scenario where users are able to kill a certain process to bypass security.

How can we leverage XDR to detect where the specific process name has been killed and, ideally, prevent it?

I thought maybe an IOC or BIOC but the IOC doesn't seem to have anything, and the BIOC is limited to execution/injection and doesn't cover termination of processes.

Thanks,

Shannon

Re: Detect where a process has been killed

neelrohit — Tue, 07 Feb 2023 15:47:08 GMT

Hi @SARowe_NZ ,

We do not capture event id 4689 specifically, but process termination events are monitored.

However, if your end users are killing processes using cmd or powershell, you can create command line rules to detect and prevent events as such.

In the BIOC you can create a rule for target process cmd parameter as *\taskkill* or *\Stop-Process* (eg.Process [ action type = execution AND target process cmd = *\taskkill*, *\Stop-Process* ] ) and add it to restrictions profile.

You can also monitor the events of process stop using the following XQL query if that works. Choose filter of your own choice and subfilters to create monitoring events. The query below is also a valid BIOC however, this can generate a lot of false positives. As a result recommendation would be to keep this query and rule as granular as possible.

dataset = xdr_data | filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_STOP and agent_os_type != ENUM.AGENT_OS_LINUX

Please mark the response as "Accept as Solution" if it answers your query. Hope it helps!

Regards

Re: Detect where a process has been killed

SARowe_NZ — Thu, 16 Feb 2023 03:15:02 GMT

Hey @neelrohit ,

Thanks heaps for your detailed response and apologies for not responding sooner - I was on leave.

I've tried putting in the BIOC and adding it a restriction profile but it does not seem to trigger.

The restriction profile is indeed applying to my test endpoint, and I have verified my BIOC is applied in the restriction profile itself. I've done a check in on the agent multiple times but it does not seem to trigger. I'm just testing with Calculator for now.

Excerpt from XDR Logs showing my BIOC has been applied, and a few screenshots with what I've set up in XDR:

biocRuleName" : "
Killed by User",
"friendlyName" : "GlobalProtect Killed by User",
"tactic_id" : [

Once this is working would there also be a way of capturing in this BIOC when it is killed from task manager rather than from CMD?

The XML query you provided is great (thanks), but I'm concerned that this would be inaccurate and capture system generated events such as upgrades or system restarts. In testing, regardless of who kills the process, XDR shows the user as "SYSTEM" because GlobalProtect (the software I'm trying to work with here) runs under the SYSTEM context.

Thanks,
Shannon

Re: Detect where a process has been killed

SARowe_NZ — Thu, 16 Feb 2023 03:34:26 GMT

Slight update/correction: The BIOC does work if CMD is run as the logged in user, however, it does not match if CMD is "Run as Administrator" which is what most users will do. Any ideas?