Elastic Security Detection Rules

Process Termination followed by Deletion

Last updated 6 months ago on 2025-02-03
Created 5 years ago on 2020-11-04

About

Identifies a process termination event quickly followed by the deletion of its executable file. Malware tools and other non-native files dropped or created on a system by an adversary may leave traces to indicate to what occurred. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tags
Domain: EndpointOS: WindowsUse Case: Threat DetectionTactic: Defense EvasionData Source: Elastic EndgameData Source: Elastic DefendLanguage: eql
Severity
medium
Risk Score
47
MITRE ATT&CK™

Defense Evasion (TA0005)(opens in a new tab or window)

Masquerading (T1036)(opens in a new tab or window)

Indicator Removal (T1070)(opens in a new tab or window)

License
Elastic License v2(opens in a new tab or window)

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-endpoint.events.process-*logs-endpoint.events.file-*
Related Integrations

endpoint(opens in a new tab or window)

Query
sequence by host.id with maxspan=5s
   [process where host.os.type == "windows" and event.type == "end" and
    process.code_signature.trusted != true and
    not process.executable like
             ("C:\\Windows\\SoftwareDistribution\\*.exe",
              "C:\\Windows\\WinSxS\\*.exe",
              "?:\\Windows\\Postillion\\Office\\*.exe") and
    not (
      process.name : "infinst.exe" and process.parent.name: "dxsetup.exe" and
      process.parent.code_signature.subject_name == "NVIDIA Corporation" and
      process.parent.code_signature.status == "trusted"
    )
   ] by process.executable
   [file where host.os.type == "windows" and event.type == "deletion" and file.extension in~ ("exe", "scr", "com") and
    not process.executable like
             ("?:\\Program Files\\*.exe",
              "?:\\Program Files (x86)\\*.exe",
              "?:\\Windows\\System32\\svchost.exe",
              "?:\\Windows\\System32\\drvinst.exe",
              "?:\\Windows\\Postillion\\Office\\*.exe") and
    not file.path like (
          "?:\\Program Files\\*.exe",
          "?:\\Program Files (x86)\\*.exe",
          "?:\\Windows\\Temp\\*\\DismHost.exe",
          "?:\\$WINDOWS.~BT\\Work\\*\\DismHost.exe",
          "?:\\$WinREAgent\\Scratch\\*\\DismHost.exe",
          "?:\\Windows\\tenable_mw_scan_*.exe",
          "?:\\Users\\*\\AppData\\Local\\Temp\\LogiUI\\Pak\\uninstall.exe",
          "?:\\ProgramData\\chocolatey\\*.exe"
    ) and
    not (process.name : "OktaVerifySetup-*.exe" and process.code_signature.subject_name == "Okta, Inc.") and
    not (
      process.executable : "?:\\Windows\\SysWOW64\\config\\systemprofile\\Citrix\\UpdaterBinaries\\CitrixReceiver\\*" and
      process.code_signature.subject_name == "Citrix Systems, Inc." and
      file.path : "?:\\Windows\\SysWOW64\\config\\systemprofile\\Citrix\\UpdaterBinaries\\CitrixReceiver\\*\\bootstrapperhelper.exe"
    )
   ] by file.path

Install detection rules in Elastic Security

Detect Process Termination followed by Deletion in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).