Merge PR SigmaHQ#5033 from @MalGamy12 - Update `Process Terminated Vi…

…a Taskkill` update: Process Terminated Via Taskkill - Add `/pid` flag and windash support --------- Co-authored-by: nasbench <[email protected]>
SavinSpring · Oct 6, 2024 · 8a3f074 · 8a3f074
1 parent 1f1f31e
commit 8a3f074
Showing 1 changed file with 9 additions and 5 deletions.
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_taskkill_execution.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_taskkill_execution.yml
@@ -6,9 +6,10 @@ description: |
     Attackers might leverage this in order to conduct data destruction or data encrypted for impact on the data stores of services like Exchange and SQL Server.
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1489/T1489.md#atomic-test-3---windows---stop-service-by-killing-process
-author: frack113
+    - https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/
+author: frack113, MalGamy (Nextron Systems), Nasreddine Bencherchali
 date: 2021-12-26
-modified: 2023-11-06
+modified: 2024-10-06
 tags:
     - attack.impact
     - attack.t1489
@@ -20,10 +21,13 @@ detection:
     selection_img:
         - Image|endswith: '\taskkill.exe'
         - OriginalFileName: 'taskkill.exe'
-    selection_cli:
-        CommandLine|contains|all:
-            - ' /f'
+    selection_cli_force:
+        - CommandLine|contains|windash: ' /f '
+        - CommandLine|endswith|windash: ' /f'
+    selection_cli_filter_process:
+        CommandLine|contains|windash:
             - ' /im '
+            - ' /pid '
     filter_main_installers:
         ParentImage|contains:
             - '\AppData\Local\Temp\'