terminate process by name

edit on GitHub
search on VirusTotal

rule:
  meta:
    name: terminate process by name
    namespace: host-interaction/process/terminate
    authors:
      - william.ballenthin@mandiant.com
    scopes:
      static: function
      dynamic: unsupported  # requires offset features
    # examples:
      # - unpacked Cl0p ransomware
  features:
    - and:
      - match: terminate process
      - match: enumerate processes
      - or:
        - offset: 0x24 = pe.szExeFile (x32)

last edited: 2023-11-24 10:34:28