Adversaries may stop the Kaspersky Endpoint Security for Linux service (kesl) from the command line, either through systemctl or by running the init.d script directly, to disable protection before carrying out further activity (MITRE ATT&CK T1562.001, Disable or Modify Tools). SOC teams should hunt for this behavior in Azure Sentinel to surface tampering with endpoint security and the malicious activity it may be covering.
Detection Rule
title: Kaspersky Endpoint Security Stopped Via CommandLine - Linux
id: 36388120-b3f1-4ce9-b50b-280d9a7f4c04
status: experimental
description: |
    Detects execution of the Kaspersky init.d stop script on Linux systems either directly or via systemctl.
    This activity may indicate a manual interruption of the antivirus service by an administrator, or it could be a sign of potential tampering or evasion attempts by malicious actors.
references:
    - https://support.kaspersky.com/KES4Linux/12.0.0/en-US/197929.htm
author: Milad Cheraghi
date: 2025-10-18
tags:
    - attack.execution
    - attack.defense-evasion
    - attack.t1562.001
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith:
            # Note: Add the list of shells allowed in your environment that can be used to run init.d scripts.
            - '/systemctl'
            - '/bash'
            - '/sh'
        CommandLine|contains|all:
            - 'stop'
            - 'kesl'
    condition: selection
falsepositives:
    - System administrator manually stopping Kaspersky services
level: high
Azure Sentinel Query
imProcessCreate
| where (TargetProcessName endswith "/systemctl"
      or TargetProcessName endswith "/bash"
      or TargetProcessName endswith "/sh")
  and (TargetProcessCommandLine contains "stop"
      and TargetProcessCommandLine contains "kesl")
False Positive Scenarios
Scenario: An administrator manually stops the service with systemctl stop kesl during routine maintenance.
Filter/Exclusion: Stopping a system service requires root, so excluding root (or anything run through sudo) would suppress the very true positives this rule exists to catch. Instead, exclude only events that fall inside a documented maintenance window or change ticket, and review the rest.
Scenario: A scheduled job or automation script (e.g., an Ansible playbook or Puppet manifest) stops the service as part of a system update or configuration change.
Filter/Exclusion: Exclude events whose parent process chain belongs to your configuration management tooling (e.g., ansible, puppet, or chef); key the exclusion on the parent process, not on the user account.
Scenario: A package upgrade or patching run temporarily stops the service while applying system-level changes.
Filter/Exclusion: Exclude events whose parent is the package manager (e.g., apt, yum, or dnf) during a known update window; a stop outside any update window should still alert.
Scenario: A user or admin uses the init.d script to stop the service as part of a security audit or compliance check.
Filter/Exclusion: Exclude events that can be tied to a documented audit or compliance process; elevated privileges alone are not a reason to exclude, since every stop of the service is privileged.
Scenario: A third-party tool or security scanner temporarily stops the service to perform a scan or analysis.
Filter/Exclusion: Exclude events only when a specific tool (e.g., a vulnerability scanner such as OpenVAS or Nessus) is documented in your environment to stop the service, and key the exclusion on that tool's process rather than on the user.
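As an added example (not code from the original page, the Sigma rule's author, or Kaspersky), the following Python script evaluates the rule's selection block over a handful of constructed process-creation events and applies the automation exclusion from the scenarios above on the parent process rather than on the user. The Image and CommandLine field names come from the Sigma rule; ParentImage, User, the sample events and the AUTOMATION_PARENTS allow-list are assumptions made for this example.

```python
# Added example: evaluate the Sigma selection over constructed events and
# apply a parent-process exclusion for automation. Not part of the original
# page or rule. ParentImage/User and the allow-list below are assumptions.
import os

# Mirrors the Sigma selection: Image|endswith and CommandLine|contains|all.
# Sigma string matching is case-insensitive, so both sides are lower-cased.
IMAGE_SUFFIXES = ("/systemctl", "/bash", "/sh")
CMDLINE_TERMS = ("stop", "kesl")

# Assumed allow-list of configuration-management parents (hypothetical
# basenames chosen for this example; tune to your own environment).
AUTOMATION_PARENTS = {"ansible-playbook", "puppet", "chef-client"}


def matches_selection(event):
    """True when the event satisfies the rule's selection block."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    return image.endswith(IMAGE_SUFFIXES) and all(t in cmdline for t in CMDLINE_TERMS)


def is_tuned_out(event):
    """Automation exclusion keyed on the parent process basename.

    The user is deliberately not an exclusion key: stopping a system
    service requires root, so excluding root would suppress the very
    true positives the rule exists to catch.
    """
    parent = os.path.basename(event.get("ParentImage", ""))
    return parent in AUTOMATION_PARENTS


def triage(events):
    """Return ids of events that match the rule and survive the exclusions."""
    return [e["id"] for e in events if matches_selection(e) and not is_tuned_out(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 1: interactive stop via systemctl, fires.
    {"id": 1, "Image": "/usr/bin/systemctl", "CommandLine": "systemctl stop kesl",
     "ParentImage": "/usr/bin/bash", "User": "root"},
    # 2: the init.d script run through a shell, fires ('kesl' and 'stop' present).
    {"id": 2, "Image": "/bin/sh", "CommandLine": "sh -c '/etc/init.d/kesl stop'",
     "ParentImage": "/usr/bin/python3", "User": "root"},
    # 3: same command from an Ansible play, matched but tuned out via the parent.
    {"id": 3, "Image": "/usr/bin/systemctl", "CommandLine": "systemctl stop kesl",
     "ParentImage": "/usr/bin/ansible-playbook", "User": "root"},
    # 4: status query, not a stop.
    {"id": 4, "Image": "/usr/bin/systemctl", "CommandLine": "systemctl status kesl",
     "ParentImage": "/usr/bin/bash", "User": "root"},
    # 5: stopping an unrelated service.
    {"id": 5, "Image": "/usr/bin/systemctl", "CommandLine": "systemctl stop sshd",
     "ParentImage": "/usr/bin/bash", "User": "root"},
    # 6: the sudo wrapper itself: Image ends in /sudo, so this event does not
    #    match; the child systemctl process (like event 1) is what fires.
    {"id": 6, "Image": "/usr/bin/sudo", "CommandLine": "sudo systemctl stop kesl",
     "ParentImage": "/usr/bin/bash", "User": "alice"},
]

if __name__ == "__main__":
    print("alerting on events:", triage(SAMPLE_EVENTS))  # [1, 2]
```

Run it directly to see which event ids would alert. Because Sigma's contains is a substring test, 'stop' also matches a command line containing, say, 'stopped'; if that generates noise, tighten the terms rather than widening the exclusions.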