Excessive Usage of Taskkill

Rule added on 20th February, 2024

Prerequisite:

The rule requires Sysmon or Windows auditing to be enabled in order to function properly.

Rule type:

Correlation rule

Rule description:

The correlation rule watches for excessive use of taskkill.exe, a legitimate program for ending processes. Abnormally high usage of taskkill might indicate an attempt to evade security by terminating security software or other monitoring processes.

Data source:

Windows: Network traffic, process, command, user account

Relevant MITRE ATT&CK techniques and tactics:

Tactics: TA0005 - Defense Evasion, TA0040 - Impact, TA0003 - Persistence

Techniques: T1562 - Impair Defenses, T1489 - Service Stop, T1053 - Scheduled Task/Job

Sub-techniques: T1562.001 - Impair Defenses: Disable or Modify Tools

Criteria:

Process name ends with taskkill.exe: This rule focuses on processes whose image name ends with "taskkill.exe" and counts how often such a process is spawned within a set time window.
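As an added illustration of the criteria above (not the product's own rule logic), the following Python correlates constructed Sysmon Event ID 1 records, counting taskkill.exe launches per user inside a sliding time window; the threshold, window size and sample events are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample events, not real telemetry. Keys mirror Sysmon
# Event ID 1 (process creation) fields: UtcTime, Image, User, CommandLine.
SYSTEM32 = r"C:\Windows\System32"

def ev(time, image, user, cmd):
    return {"UtcTime": time, "Image": SYSTEM32 + "\\" + image,
            "User": user, "CommandLine": cmd}

SAMPLE_EVENTS = [
    # alice: five taskkill.exe launches within 40 seconds (a burst)
    ev("2024-02-20 10:00:00", "taskkill.exe", r"CORP\alice", "taskkill /F /IM notepad.exe"),
    ev("2024-02-20 10:00:05", "taskkill.exe", r"CORP\alice", "taskkill /F /IM calc.exe"),
    ev("2024-02-20 10:00:12", "cmd.exe",      r"CORP\alice", "cmd.exe /c dir"),
    ev("2024-02-20 10:00:20", "taskkill.exe", r"CORP\alice", "taskkill /F /PID 4120"),
    ev("2024-02-20 10:00:31", "taskkill.exe", r"CORP\alice", "taskkill /F /PID 4128"),
    ev("2024-02-20 10:00:40", "taskkill.exe", r"CORP\alice", "taskkill /F /PID 4131"),
    # bob: two launches ten minutes apart (ordinary administrative use)
    ev("2024-02-20 10:05:00", "taskkill.exe", r"CORP\bob", "taskkill /IM excel.exe"),
    ev("2024-02-20 10:15:00", "taskkill.exe", r"CORP\bob", "taskkill /IM winword.exe"),
]

def is_taskkill(event):
    # The rule criterion: image path ends with taskkill.exe (case-insensitive)
    return event["Image"].lower().endswith("taskkill.exe")

def correlate(events, threshold=5, window_seconds=60):
    """Return (user, trigger_time, count) alerts for every user who spawned
    taskkill.exe at least `threshold` times inside any `window_seconds` window.
    Threshold and window are assumed values; tune them to your baseline."""
    recent = defaultdict(deque)   # user -> timestamps inside the current window
    alerts = []
    for event in sorted(events, key=lambda e: e["UtcTime"]):
        if not is_taskkill(event):
            continue
        ts = datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S")
        q = recent[event["User"]]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:   # slide the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((event["User"], event["UtcTime"], len(q)))
            q.clear()   # one burst produces one alert, not one per extra launch
    return alerts

if __name__ == "__main__":
    for user, when, count in correlate(SAMPLE_EVENTS):
        print(f"ALERT: {user} launched taskkill.exe {count} times by {when}")
```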

When to enable this rule:

Enable this rule to detect lateral movement or process manipulation attempts. It can help identify attackers who use taskkill.exe to terminate security software or other monitoring processes in order to avoid detection while moving laterally across a compromised network.

Compliance mapping (NIST, CIS):

Enabling this rule will help you comply with the below security standards' requirements:

  • NIST Cybersecurity Framework (CSF): DE.CM (Security Continuous Monitoring), in particular DE.CM-7.
  • CIS Control 5 (Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers), to ensure secure configurations and prevent unauthorized changes.

Next steps:

Upon triggering this alert, the following actions can be taken:

  • Identification: Mark this alert as a part of an existing incident or initiate a new incident. Assign the incident to an analyst for in-depth examination.
  • Analysis: Conduct an impact investigation and thoroughly analyze the degree of compromise utilizing the Incident Workbench to gain insights into the threat's severity.
  • Response: Initiate automated workflow execution to swiftly terminate the identified malicious process, leveraging Workflows for prompt mitigation.