Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update proc_creation_win_taskkill_execution.yml #5033

Merged
merged 3 commits into from
Oct 6, 2024
Merged

Update proc_creation_win_taskkill_execution.yml #5033

merged 3 commits into from
Oct 6, 2024

Conversation

MalGamy12
Copy link
Contributor

@MalGamy12 MalGamy12 commented Oct 2, 2024
edited by nasbench
Loading

Summary of the Pull Request

Add command line argument flags used with taskkill by the attacker to terminate a process by its PID

Changelog

update: Process Terminated Via Taskkill - Add /pid flag and windash support

Example Log Event

RuleName: -
UtcTime: 2024-10-02 21:02:05.228
ProcessGuid: {6e6be129-b4cd-66fd-cb01-000000001900}
ProcessId: 4568
Image: C:\Windows\System32\taskkill.exe
FileVersion: 10.0.19041.1 (WinBuild.160101.0800)
Description: Terminates Processes
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: taskkill.exe
CommandLine: taskkill  /pid 380 /f
CurrentDirectory: C:\Users\MalGamy\
User: DESKTOP-0TOC207\MalGamy
LogonGuid: {6e6be129-ae65-66fd-58dc-0d0000000000}
LogonId: 0xDDC58
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=56F8CC2C1790C389394733B84C3FB55E10977E9F0FE0C08110AC11F0FE47F05E
ParentProcessGuid: {6e6be129-b4b0-66fd-c901-000000001900}
ParentProcessId: 1416
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: "C:\Windows\system32\cmd.exe" 
ParentUser: DESKTOP-0TOC207\MalGamy

@github-actions github-actions bot added Rules Windows Pull request add/update windows related rules labels Oct 2, 2024
@nasbench nasbench requested a review from frack113 October 6, 2024 19:42
@nasbench nasbench added the 2nd Review Needed PR need a second approval label Oct 6, 2024
frack113
frack113 approved these changes Oct 6, 2024
View reviewed changes
Copy link
Member

@frack113 frack113 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@nasbench nasbench removed the 2nd Review Needed PR need a second approval label Oct 6, 2024
@nasbench nasbench merged commit 8a3f074 into SigmaHQ:master Oct 6, 2024
12 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nasbench nasbench nasbench approved these changes

@frack113 frack113 frack113 approved these changes

Assignees
No one assigned
Labels
Rules Windows Pull request add/update windows related rules
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@MalGamy12 @nasbench @frack113