terminate process

rule:
  meta:
    name: terminate process
    namespace: host-interaction/process/terminate
    authors:
      - moritz.raabe@mandiant.com
      - michael.hunhoff@mandiant.com
      - anushka.virgaonkar@mandiant.com
    scopes:
      static: function
      dynamic: thread
    mbc:
      - Process::Terminate Process [C0018]
    examples:
      - C91887D861D9BD4A5872249B641BC9F9:0x401A77
      - 9B7CCAA2AE6A5B96E3110EBCBC4311F6:0x10010307
  features:
    - or:
      - api: System.Diagnostics.Process::Kill
      - api: System.Diagnostics.Process::WaitForExit
      - api: System.Diagnostics.Process::WaitForExitAsync
      - api: System.Environment::Exit
      - api: System.Windows.Forms.Application::Exit
      - api: exit
      - api: Exit
      - and:
        - optional:
          - match: open process
        - or:
          - api: kernel32.TerminateProcess
          - api: ntdll.NtTerminateProcess
          - api: kernel32.ExitProcess