Process Termination
| ID | process_termination |
| Severity | high |
| Resource | System |
| Tags | evader |
Description
This detector checks for code that terminates specific processes before performing malicious actions.
Rationale
Adversaries may stop or disable processes on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary’s overall objectives to cause damage to the environment.
Related Malware campaigns
Pretty common among NPM and PyPI malicious package campaigns.
Many of the malicious packages in these environments perform sensitive data enumeration. Before performing such sensitive data accesses, they usually kill the targeted processes to avoid being detected.
Configuration
The detector has the following configurable parameters:
- path_patterns, the path patterns used by the detector to match the sensitive browser data locations.
- sources, the source kinds to check. Available values are: process_name
- sinks, the sinks to check. Available values are: process_termination
- neutralizations, the neutralization kinds to check. By default this is empty, so no neutralizers are considered for potentially malicious code.
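As an added illustration of the source-to-sink check described above (written for this page, not the detector's own implementation), the constructed Python scanner below walks a module's AST, treats command-runner calls that invoke a process-kill utility as the process_termination sink, and recovers the literal process name (the process_name source) from the command line. It only covers command-based kills through os/subprocess with literal arguments; names such as COMMAND_RUNNERS and KILL_COMMANDS are assumptions of this example.

```python
import ast
import shlex

# Assumed set of command runners that act as the process_termination sink when handed a kill command.
COMMAND_RUNNERS = {("os", "system"), ("os", "popen"), ("subprocess", "run"),
                   ("subprocess", "call"), ("subprocess", "Popen"), ("subprocess", "check_output")}
KILL_COMMANDS = {"taskkill", "pkill", "killall"}  # utilities whose arguments name the target

# Constructed sample module: two kills of user applications, then a harmless command.
SAMPLE = """
import os, subprocess
subprocess.run(["taskkill", "/F", "/IM", "chrome.exe"], check=False)
os.system("pkill -f firefox")
subprocess.call(["ls", "-la"])
"""

def _callee(node):
    """('module', 'attr') for a call such as subprocess.run(...), else None."""
    f = node.func
    return (f.value.id, f.attr) if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name) else None

def _tokens(arg):
    """Turn the command argument (a string or a list/tuple of string literals) into tokens."""
    if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
        return shlex.split(arg.value)
    if isinstance(arg, (ast.List, ast.Tuple)):
        return [e.value for e in arg.elts if isinstance(e, ast.Constant) and isinstance(e.value, str)]
    return []

def _process_name(tokens):
    """The process_name source: the target named on the kill command line."""
    if tokens[0] == "taskkill":  # taskkill names its target after /IM
        return next((tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t.lower() == "/im"), None)
    names = [t for t in tokens[1:] if not t.startswith("-")]  # pkill/killall: last positional arg
    return names[-1] if names else None

def find_process_termination(code):
    """Report each command-runner call whose command is a kill utility, with the named process."""
    findings = []
    for node in ast.walk(ast.parse(code)):
        if not isinstance(node, ast.Call) or not node.args or _callee(node) not in COMMAND_RUNNERS:
            continue
        tokens = _tokens(node.args[0])
        if tokens and tokens[0].rsplit("/", 1)[-1] in KILL_COMMANDS:
            findings.append({"line": node.lineno, "sink": tokens[0], "process": _process_name(tokens)})
    return findings
```

Running find_process_termination(SAMPLE) reports the taskkill and pkill calls (lines 3 and 4 of the sample) with their targets and ignores the ls call; no neutralizers are modelled, matching the detector's empty default.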