// Find attempts to stop processes using taskkill.exe
DeviceProcessEvents
| where FileName =~ "taskkill.exe"
| summarize taskKillCount = dcount(ProcessCommandLine), TaskKillList = make_set(ProcessCommandLine, 10000) by DeviceId, DeviceName, bin(TimeGenerated, 2m)
| where taskKillCount > 10
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")
name: Stopping multiple processes using taskkill
kind: Scheduled
tactics:
- DefenseEvasion
triggerThreshold: 0
triggerOperator: gt
version: 1.0.0
status: Available
queryFrequency: 1h
id: 4dd31bd5-11a3-4b9c-a7c5-4927ab4f2a77
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceProcessEvents
relevantTechniques:
- T1562
description: |
This query checks for attempts to stop at least 10 separate processes using the taskkill.exe utility. This is a common technique used by ransomware to stop security products and other processes.
entityMappings:
- entityType: Host
fieldMappings:
- columnName: DeviceName
identifier: FullName
- columnName: HostName
identifier: HostName
- columnName: DnsDomain
identifier: DnsDomain
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Ransomware/MultiProcessKillWithTaskKill.yaml
queryPeriod: 1h
severity: Medium
query: |
// Find attempts to stop processes using taskkill.exe
DeviceProcessEvents
| where FileName =~ "taskkill.exe"
| summarize taskKillCount = dcount(ProcessCommandLine), TaskKillList = make_set(ProcessCommandLine, 10000) by DeviceId, DeviceName, bin(TimeGenerated, 2m)
| where taskKillCount > 10
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")
