Adversaries may use taskkill.exe to stop multiple processes as part of an effort to disrupt system operations or cover their own malicious activities. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential process termination attacks that could indicate a broader compromise or persistence mechanism.
KQL Query
```kusto
// Find attempts to stop processes using taskkill.exe
DeviceProcessEvents
| where Timestamp > ago(1d)
| where FileName =~ "taskkill.exe"
| summarize taskKillCount = dcount(ProcessCommandLine), TaskKillList = make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 2m)
| where taskKillCount > 10
```
```yaml
id: f8e4bee5-bc59-45f9-86e5-3b0a1bd1b572
name: Stopping multiple processes using taskkill
description: |
  This query checks for attempts to stop at least 10 separate processes using the taskkill.exe utility.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Ransomware
query: |
  // Find attempts to stop processes using taskkill.exe
  DeviceProcessEvents
  | where Timestamp > ago(1d)
  | where FileName =~ "taskkill.exe"
  | summarize taskKillCount = dcount(ProcessCommandLine), TaskKillList = make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 2m)
  | where taskKillCount > 10
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: Scheduled Job Maintenance
Description: A system maintenance job runs nightly and uses taskkill to gracefully stop multiple services or background processes.
Filter/Exclusion: Check for taskkill commands executed during scheduled maintenance windows (e.g., schtasks.exe job names or specific time ranges).
Scenario: Application Update or Patch Deployment
Description: A patching tool or update manager uses taskkill to stop multiple processes before deploying updates.
Filter/Exclusion: Filter by process names associated with the update tool (e.g., patchmgr.exe, updater.exe) or check for known update scripts.
Scenario: User-Initiated Process Termination
Description: A user or admin manually terminates multiple processes using taskkill during troubleshooting or cleanup.
Filter/Exclusion: Include user context (e.g., username or logon session) and check for known legitimate process names (e.g., svchost.exe, explorer.exe).
Scenario: Batch Script for Environment Reset
Description: A batch script used in CI/CD or environment reset operations stops multiple processes as part of a clean-up step.
Filter/Exclusion: Filter by script paths (e.g., C:\scripts\reset_env.bat) or check for the presence of known CI/CD tools (e.g., Azure DevOps, Jenkins).
Scenario: Antivirus or Security Software Cleanup
Description: Antivirus or endpoint protection software may use taskkill to stop processes during a full system scan or quarantine operation.
Filter/Exclusion: Check for process names associated with security software (e.g., mpsvc.exe, avgnt.exe) or filter by known security tool paths.
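To show how the query's aggregation and one of the exclusions above behave on concrete telemetry, here is an added Python rendering of the same logic (not code from the page or from the Sentinel rule): it reproduces the 1-day window, the case-insensitive FileName match, the 2-minute binning and the distinct-command-line count, and adds an assumed exclusion on InitiatingProcessCommandLine for a known reset script, run over constructed sample events.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BIN_SIZE = timedelta(minutes=2)
THRESHOLD = 10   # mirrors "| where taskKillCount > 10"

def bin_timestamp(ts, size=BIN_SIZE):
    """Floor ts to the start of its bucket, like KQL bin(Timestamp, 2m)."""
    epoch = datetime(1970, 1, 1)
    return epoch + ((ts - epoch) // size) * size

def find_taskkill_bursts(events, now, threshold=THRESHOLD, excluded_scripts=()):
    """Apply the page's query to DeviceProcessEvents-shaped dicts.
    excluded_scripts: substrings marking a benign initiating command line (an assumed
    tuning step, not part of the page's rule). Returns {(DeviceId, bin_start): cmds}."""
    window_start = now - timedelta(days=1)                   # Timestamp > ago(1d)
    groups = defaultdict(set)
    for e in events:
        if e["Timestamp"] <= window_start:
            continue
        if e["FileName"].lower() != "taskkill.exe":          # "=~" is case-insensitive
            continue
        parent = e.get("InitiatingProcessCommandLine", "").lower()
        if any(s.lower() in parent for s in excluded_scripts):
            continue
        key = (e["DeviceId"], bin_timestamp(e["Timestamp"]))
        groups[key].add(e["ProcessCommandLine"])             # dcount/make_set: distinct values
    return {k: sorted(v) for k, v in groups.items() if len(v) > threshold}

# Constructed sample telemetry (not real data): twelve taskkill runs per device, 5 s apart.
NOW = datetime(2024, 1, 10, 3, 0, 0)
DISTINCT = [f"taskkill /f /im app{i:02d}.exe" for i in range(12)]

def make_events(device, parent, start, cmds):
    return [{"Timestamp": start + timedelta(seconds=5 * i), "DeviceId": device,
             "FileName": "TaskKill.exe", "ProcessCommandLine": c,
             "InitiatingProcessCommandLine": parent} for i, c in enumerate(cmds)]

SAMPLE = (
    make_events("dev-1", "cmd.exe /c unknown.bat", NOW - timedelta(hours=1), DISTINCT)   # flagged
  + make_events("dev-2", r"cmd.exe /c C:\scripts\reset_env.bat", NOW - timedelta(hours=2), DISTINCT)  # excluded
  + make_events("dev-3", "cmd.exe", NOW - timedelta(hours=3), [DISTINCT[0]] * 12)      # dcount = 1
  + make_events("dev-1", "cmd.exe /c unknown.bat", NOW - timedelta(days=2), DISTINCT)   # older than 1d
)

def run():
    return find_taskkill_bursts(SAMPLE, NOW, excluded_scripts=(r"C:\scripts\reset_env.bat",))
```

Without the exclusion, dev-2 is flagged as well, which is the false positive the Batch Script scenario describes.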