LoFP / System administrator manually stopping Kaspersky services

Techniques

Sample rules

Kaspersky Endpoint Security Stopped Via CommandLine - Linux

Description

Detects execution of the Kaspersky Endpoint Security for Linux (kesl) init.d stop script on Linux systems, either invoked directly from a shell or via systemctl. This activity may indicate a manual interruption of the antivirus service by an administrator (the false positive this entry documents), or it could be a sign of tampering or evasion attempts by a malicious actor.

Detection logic

condition: selection
selection:
  CommandLine|contains|all:
  - stop
  - kesl
  Image|endswith:
  - /systemctl
  - /bash
  - /sh
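To see what this selection actually matches, here is an added Python example (it is not part of the LoFP page or of the Sigma rule itself) that evaluates the rule's selection over constructed process-creation events. The field names CommandLine and Image follow the rule; the events are made up, and the admin one shows the false-positive case this entry documents.

```python
"""Evaluate the Sigma selection from the rule above over sample events (added example)."""

# CommandLine|contains|all: every token must appear in the command line
STOP_TOKENS = ("stop", "kesl")
# Image|endswith: the process image must end with one of these suffixes
IMAGE_SUFFIXES = ("/systemctl", "/bash", "/sh")


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies the rule's 'selection'.

    Sigma string modifiers are case-insensitive by default, so both fields
    are lower-cased before comparison. A missing field never matches.
    """
    cmd = event.get("CommandLine", "").lower()
    image = event.get("Image", "").lower()
    return all(token in cmd for token in STOP_TOKENS) and image.endswith(IMAGE_SUFFIXES)


def matching_commands(events) -> list:
    """Return the CommandLine of every event the rule would fire on."""
    return [e["CommandLine"] for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry). The first two are the
# rule's intended hits; the first is also the benign admin action this
# LoFP entry is about, so any alert needs user/session context to triage.
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/systemctl", "CommandLine": "systemctl stop kesl", "User": "root"},
    {"Image": "/bin/bash", "CommandLine": "bash -c '/etc/init.d/kesl stop'", "User": "root"},
    # status query: 'stop' absent, so no match
    {"Image": "/usr/bin/systemctl", "CommandLine": "systemctl status kesl", "User": "root"},
    # both tokens present but the image is not a shell or systemctl, so no match
    {"Image": "/usr/bin/python3", "CommandLine": "python3 stop_kesl.py", "User": "ops"},
    # '/usr/bin/dash' does not end with '/sh', so the rule misses this shell
    {"Image": "/usr/bin/dash", "CommandLine": "dash -c 'service kesl stop'", "User": "root"},
]

if __name__ == "__main__":
    for cmd in matching_commands(SAMPLE_EVENTS):
        print("rule match:", cmd)
```

The last sample shows a coverage gap worth knowing when tuning: the endswith list covers /bash and /sh but not other shells such as dash.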