Quick and dirty monitoring artifact to kill a process by Image Name. It monitors the Microsoft-Windows-Kernel-Process ETW provider for process-start events and uses taskkill to kill any process whose image name matches one of the configured regexes.
There are no guardrails on this artifact; please be VERY careful when adding new entries.
name: Windows.Remediation.KillProcess
author: Matt Green - @mgreen27
description: |
   Quick and dirty monitoring artifact to kill a process by Image Name.
   We monitor the Microsoft-Windows-Kernel-Process ETW provider and leverage
   taskkill to kill the process.

   There are no guardrails on this artifact; please be VERY careful when adding
   new entries. Every process whose ImageName matches an entry is killed together
   with its child processes (taskkill /T /F).

type: CLIENT_EVENT

parameters:
  - name: ProcessToKill
    type: csv
    default: |
      ImageRegex,Description
      \\folder\\folder2\\file\.exe$,Example target image
      \\psexesvc\.exe$,Default psexec executable on target machine.
      \\calc\.exe$,Test fast running process: start > run calc.exe
      \\calculator\.exe$,Test killing calc.exe alias (modern Windows calc.exe)

sources:
  - precondition:
      SELECT OS From info() where OS = 'windows'
    query: |
      -- Alternate every ImageRegex entry into one pattern. VQL =~ is case-insensitive.
      LET name_regex = join(array=ProcessToKill.ImageRegex, sep='|')

      -- Keyword 0x10 is the process keyword on this provider; System.ID 1 is ProcessStart.
      LET watch_processes = SELECT System.TimeStamp AS CreateTime,
            EventData.ImageName AS ImageName,
            int(int=EventData.ProcessID) AS Pid,
            EventData.MandatoryLabel AS MandatoryLabel,
            EventData.ProcessTokenElevationType AS ProcessTokenElevationType,
            EventData.ProcessTokenIsElevated AS TokenIsElevated
        FROM watch_etw(guid="{22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716}", any=0x10)
        WHERE System.ID = 1 AND ImageName =~ name_regex

      -- Kill each matching process tree and record taskkill's output. A short-lived
      -- process may already have exited by the time taskkill runs; that surfaces as Stderr.
      SELECT * FROM foreach(row=watch_processes,
            query={
                SELECT CreateTime, ImageName, Pid, MandatoryLabel,
                       ProcessTokenElevationType, TokenIsElevated,
                       if(condition=ReturnCode=0,
                          then=Stdout,
                          else='There was a problem on taskkill attempt. ' + Stderr) AS TaskKill
                FROM execve(argv=["taskkill", "/PID", Pid, "/T", "/F"])
            })
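Because the artifact has no guardrails, the mistake that hurts is a sloppy ImageRegex entry that also matches a system binary. The following Python dry-run harness is an added example, not part of the artifact or of Velociraptor: it reproduces the artifact's matching logic offline (the CSV parameter parsed into rows, the ImageRegex column joined with `|`, the case-insensitive match that VQL's `=~` performs) and runs it against constructed ImageName values in the NT device-path form that Kernel-Process ProcessStart events carry. The `lint_entry` checks (end anchor, leading path separator, regex validity) are this example's own suggestion, not something the artifact does.

```python
import csv
import io
import re

# Constructed stand-in for the ProcessToKill parameter: the artifact's default CSV,
# plus one deliberately sloppy entry to show what the lint catches.
PROCESS_TO_KILL_CSV = r"""ImageRegex,Description
\\folder\\folder2\\file\.exe$,Example target image
\\psexesvc\.exe$,Default psexec executable on target machine.
\\calc\.exe$,Test fast running process: start > run calc.exe
\\calculator\.exe$,Test killing calc.exe alias (modern Windows calc.exe)
"""

# Constructed sample ImageName values (NT device-path form, as the ETW events report them).
SAMPLE_IMAGE_NAMES = [
    r"\Device\HarddiskVolume3\Windows\System32\calc.exe",
    r"\Device\HarddiskVolume3\Windows\PSEXESVC.exe",                      # upper case on disk
    r"\Device\HarddiskVolume3\Users\bob\AppData\Local\Temp\mycalc.exe",   # must NOT match
    r"\Device\HarddiskVolume3\Windows\System32\svchost.exe",              # must NEVER match
]


def load_entries(csv_text):
    """Parse the CSV parameter into (ImageRegex, Description) rows, as the csv type does."""
    return [(row["ImageRegex"], row["Description"])
            for row in csv.DictReader(io.StringIO(csv_text))]


def build_name_regex(entries):
    """Mirror `LET name_regex = join(array=ProcessToKill.ImageRegex, sep='|')`.
    VQL's =~ is case-insensitive, so the Python equivalent needs re.IGNORECASE."""
    return re.compile("|".join(rx for rx, _ in entries), re.IGNORECASE)


def would_kill(image_name, entries):
    """Descriptions of every entry matching this ImageName, i.e. the processes the
    artifact would hand to `taskkill /PID <pid> /T /F`. Empty list means left alone."""
    return [desc for rx, desc in entries if re.search(rx, image_name, re.IGNORECASE)]


def lint_entry(regex):
    """Hypothetical pre-deployment checks for one ImageRegex entry (not in the artifact):
    an entry that is not anchored with '$' or does not start with a literal backslash
    matches far more image names than its author intended."""
    problems = []
    if not regex.endswith("$"):
        problems.append("not anchored to the end of ImageName")
    if not regex.startswith(r"\\"):
        problems.append("no leading path separator; also matches names that merely end in it")
    try:
        re.compile(regex)
    except re.error as err:
        problems.append(f"invalid regex: {err}")
    return problems


def dry_run(csv_text, image_names):
    """Map each sample ImageName to the entries that would kill it."""
    entries = load_entries(csv_text)
    return {name: would_kill(name, entries) for name in image_names}


if __name__ == "__main__":
    for name, hits in dry_run(PROCESS_TO_KILL_CSV, SAMPLE_IMAGE_NAMES).items():
        print(f"{'KILL' if hits else 'keep':4} {name}  {hits}")
    for rx, _ in load_entries(PROCESS_TO_KILL_CSV) + [("svchost", "sloppy entry")]:
        print(f"lint {rx!r}: {lint_entry(rx) or 'ok'}")
```

Run the script before pushing a new entry to clients: `mycalc.exe` staying on the "keep" side confirms the leading `\\` in each pattern is doing its job, and the sloppy `svchost` entry shows the two lint findings that would otherwise turn this artifact into a way to kill every service host on the fleet.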