This artifact enables killing a process by Name, Path or PID.
WARNING: This is dangerous content as there are no guardrails. Scope remediation first then ReallyDoIt to kill process.
name: Windows.Remediation.Process
author: Matt Green - @mgreen27
description: |
This artifact enables killing a process by Name, Path or PID.
WARNING: This is dangerous content as there are no guardrails.
Scope remediation first then ReallyDoIt to kill process.
type: CLIENT
parameters:
- name: ProcessNameRegex
default: ^malware.exe$
type: regex
- name: ProcessPathRegex
default: .
type: regex
- name: ProcessCliRegex
default: .
type: regex
- name: PidRegex
default: .
type: regex
- name: ReallyDoIt
description: When selected will really remove!
type: bool
sources:
- precondition:
SELECT OS From info() where OS = 'windows'
query: |
-- find velociraptor process
LET me = SELECT Pid FROM pslist(pid=getpid())
-- find all processes and add filters
LET targets = SELECT Name as ProcessName, Exe, CommandLine, Pid
FROM pslist()
WHERE TRUE
AND Name =~ ProcessNameRegex
AND Exe =~ ProcessPathRegex
AND CommandLine =~ ProcessCliRegex
AND format(format="%d", args=Pid) =~ PidRegex
AND NOT Pid in me.Pid
AND NOT upcase(string=Exe) in whitelist.Path
LET kill_targets = SELECT * FROM foreach(
row= targets,
query={
SELECT ProcessName,Exe,CommandLine,Pid,
dict(ReturnCode=ReturnCode,Complete=Complete,Stdout=Stdout,Stderr=Stderr) as Execve,
if(condition= Stdout=~'^SUCCESS',
then= TRUE,
else= FALSE) as Killed
FROM execve(
argv=["taskkill", "/PID", Pid, "/T", "/F"])
})
SELECT *
FROM if(condition=ReallyDoIt,
then= kill_targets,
else= { SELECT *, FALSE as Killed FROM targets } )