Detect where a process has been killed

L3 Networker

We have a scenario where users are able to kill a certain process to bypass security.

How can we leverage XDR to detect where the specific process name has been killed and, ideally, prevent it?

I thought maybe an IOC or BIOC but the IOC doesn't seem to have anything, and the BIOC is limited to execution/injection and doesn't cover termination of processes.

Thanks,

Shannon

3 REPLIES

L5 Sessionator

Hi @SARowe_NZ,

We do not capture event id 4689 specifically, but process termination events are monitored. 

However, if your end users are killing processes using cmd or PowerShell, you can create command line rules to detect and prevent such events.

In the BIOC you can create a rule for target process cmd parameter as *\taskkill* or *\Stop-Process* (e.g. Process [ action type = execution AND target process cmd = *\taskkill*, *\Stop-Process* ]) and add it to a restrictions profile.

You can also monitor the events of process stop using the following XQL query if that works. Choose filters of your own choice and subfilters to create monitoring events. The query below is also a valid BIOC; however, it can generate a lot of false positives, so the recommendation would be to keep this query and rule as granular as possible.

dataset = xdr_data | filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_STOP and agent_os_type != ENUM.AGENT_OS_LINUX

Please mark the response as "Accept as Solution" if it answers your query. Hope it helps!

Regards

Hey @neelrohit,

Thanks heaps for your detailed response and apologies for not responding sooner - I was on leave.

I've tried putting in the BIOC and adding it to a restriction profile, but it does not seem to trigger.

The restriction profile is indeed applying to my test endpoint, and I have verified my BIOC is applied in the restriction profile itself. I've done a check-in on the agent multiple times, but it does not seem to trigger. I'm just testing with Calculator for now.

Excerpt from XDR Logs showing my BIOC has been applied, and a few screenshots with what I've set up in XDR:

"biocRuleName" : "Killed by User",
"friendlyName" : "GlobalProtect Killed by User",
"tactic_id" : [
Once this is working, would there also be a way of capturing in this BIOC when the process is killed from Task Manager rather than from CMD?

The XQL query you provided is great (thanks), but I'm concerned that this would be inaccurate and capture system-generated events such as upgrades or system restarts. In testing, regardless of who kills the process, XDR shows the user as "SYSTEM" because GlobalProtect (the software I'm trying to work with here) runs under the SYSTEM context.

Thanks,
Shannon

L3 Networker

Slight update/correction: The BIOC does work if CMD is run as the logged-in user; however, it does not match if CMD is "Run as Administrator", which is what most users will do. Any ideas?
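As an added example that is not from this thread and not Cortex XDR's own code: a small Python filter over constructed PROCESS_STOP-style records that applies the command-line match neelrohit describes (taskkill / Stop-Process) together with the granularity Shannon asks for in the later replies: only the protected process, attribution to the initiating actor and user rather than the SYSTEM owner of the terminated process, and exclusion of stops driven by an installer or service control. Only event_type, event_sub_type and agent_os_type come from the thread's XQL; every other field name, the process name protected.exe, and treating an actor of Taskmgr.exe as a Task Manager kill are assumptions.

```python
import re

# Constructed process-stop records (not Cortex XDR's schema): only event_type,
# event_sub_type and agent_os_type are from the thread; the rest is assumed.
PROTECTED_PROCESS = "protected.exe"          # placeholder for the GlobalProtect binary
KILL_CMDLINE = re.compile(r"taskkill|stop-process", re.IGNORECASE)
# Actors whose stops are normally system-generated (upgrade, service control).
SYSTEM_ACTORS = {"services.exe", "msiexec.exe", "wininit.exe"}

def stop_event(actor, cmd, user, target=PROTECTED_PROCESS, os_type="AGENT_OS_WINDOWS"):
    """Build one constructed process-stop record (assumed field names)."""
    return {"event_type": "PROCESS", "event_sub_type": "PROCESS_STOP",
            "agent_os_type": os_type, "agent_hostname": "LAPTOP-01",
            "action_process_image_name": target,
            "action_process_username": "NT AUTHORITY\\SYSTEM",  # victim runs as SYSTEM, as in the thread
            "actor_process_image_name": actor,
            "actor_process_command_line": cmd,
            "actor_effective_username": user}

SAMPLE_EVENTS = [
    stop_event("taskkill.exe", "taskkill /F /IM protected.exe", "CORP\\shannon"),
    stop_event("powershell.exe", 'powershell -c "Stop-Process -Name protected -Force"', "CORP\\shannon"),
    stop_event("Taskmgr.exe", "C:\\Windows\\System32\\Taskmgr.exe", "CORP\\shannon"),
    stop_event("msiexec.exe", "msiexec /i agent-upgrade.msi /qn", "NT AUTHORITY\\SYSTEM"),
    stop_event("taskkill.exe", "taskkill /F /IM notepad.exe", "CORP\\shannon", target="notepad.exe"),
    stop_event("kill", "kill -9 1234", "root", os_type="AGENT_OS_LINUX"),
]

def classify_stop(ev):
    """Return a reason if the stop of the protected process looks user-driven, else None."""
    if (ev.get("event_type"), ev.get("event_sub_type")) != ("PROCESS", "PROCESS_STOP"):
        return None
    if ev.get("agent_os_type") == "AGENT_OS_LINUX":          # mirrors the thread's XQL filter
        return None
    if ev.get("action_process_image_name", "").lower() != PROTECTED_PROCESS:
        return None                                          # granularity: one target process only
    actor = ev.get("actor_process_image_name", "").lower()
    if actor in SYSTEM_ACTORS:
        return None                                          # upgrade / service-control path
    if KILL_CMDLINE.search(ev.get("actor_process_command_line", "")):
        return "command-line kill (taskkill / Stop-Process)"
    if actor == "taskmgr.exe":
        return "Task Manager kill"
    return None

def alerts(events):
    """Attribute each hit to the initiating user, not the SYSTEM owner of the victim process."""
    return [(ev["agent_hostname"], ev["actor_effective_username"], classify_stop(ev))
            for ev in events if classify_stop(ev)]
```

Running `alerts(SAMPLE_EVENTS)` yields three hits, all attributed to CORP\shannon, while the installer-driven stop, the stop of an unrelated process and the Linux event are dropped.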
