This artifact enables killing a process by Name, Path or PID.
WARNING: This is dangerous content as there are no guardrails. Scope remediation first then ReallyDoIt to kill process.
name: Windows.Remediation.Process
author: Matt Green - @mgreen27
description: |
This artifact enables killing a process by Name, Path or PID.
WARNING: This is dangerous content as there are no guardrails.
Scope remediation first then ReallyDoIt to kill process.
type: CLIENT
parameters:
- name: ProcessNameRegex
default: ^malware.exe$
type: regex
- name: ProcessPathRegex
default: .
type: regex
- name: ProcessCliRegex
default: .
type: regex
- name: PidRegex
default: .
type: regex
- name: ReallyDoIt
description: When selected will really remove!
type: bool
sources:
- precondition:
SELECT OS From info() where OS = 'windows'
query: |
-- find velociraptor process
LET me = SELECT Pid FROM pslist(pid=getpid())
-- find all processes and add filters
LET targets = SELECT Name as ProcessName, Exe, CommandLine, Pid
FROM pslist()
WHERE TRUE
AND Name =~ ProcessNameRegex
AND Exe =~ ProcessPathRegex
AND CommandLine =~ ProcessCliRegex
AND format(format="%d", args=Pid) =~ PidRegex
AND NOT Pid in me.Pid
AND NOT upcase(string=Exe) in whitelist.Path
SELECT * ,
if( condition = ReallyDoIt,
then = pskill(pid=Pid),
else = False
) as Killed
FROM targets