Event ID 5 — Process terminated
Description
Event ID 5 is written when a process exits. The record identifies the process (ProcessGuid, ProcessId, Image) and the account it ran as, but carries no command line or parent information; recover those by joining on the Event ID 1 record that shares the same ProcessGuid.
Fields
| Name | Type | Description |
|---|---|---|
| RuleName | UnicodeString → string | Custom tag mapped to the event by the configuration rule that matched, e.g. an ATT&CK technique ID ("-" when no rule name is set, as in the example below) |
| UtcTime | UnicodeString → string | Time in UTC when the event was created, formatted as YYYY-MM-DD HH:MM:SS.mmm |
| ProcessGuid | GUID → GUID | Process GUID of the process that terminated; the same value appears in the Event ID 1 record for that process, so it is the key to join creation and termination |
| ProcessId | UInt32 → PID | Process ID used by the OS to identify the process that terminated; PIDs are reused after exit, so do not rely on them alone for correlation |
| Image | UnicodeString → string | File path of the process that terminated |
| User | UnicodeString → string | Name of the account the terminated process was running as (taken from the process token); the event does not record which account or process ended it |
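To show how the fields above are used in practice, here is an added Python example (not part of this page or of Sysmon) that joins Event ID 1 and Event ID 5 records on ProcessGuid to compute process lifetimes, and shows why ProcessId is not a safe join key. The events, GUIDs, paths and account names are constructed for the example; only the field names and the UtcTime format come from the event schema.

```python
from datetime import datetime, timezone

# Sysmon writes UtcTime as "YYYY-MM-DD HH:MM:SS.mmm" (see the example event).
def parse_utctime(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)

# Constructed Sysmon event_data payloads (not captured from a real host).
# Two different processes reuse PID 16164; only ProcessGuid tells them apart.
EVENTS = [
    {"EventID": 1, "UtcTime": "2023-11-06 02:04:20.100", "ProcessGuid": "E56ADA26-37A6-6548-5107-000000000D00",
     "ProcessId": 16164, "Image": "C:\\Windows\\System32\\svchost.exe", "User": "NT AUTHORITY\\SYSTEM"},
    {"EventID": 5, "UtcTime": "2023-11-06 02:04:26.536", "ProcessGuid": "E56ADA26-37A6-6548-5107-000000000D00",
     "ProcessId": 16164, "Image": "C:\\Windows\\System32\\svchost.exe", "User": "NT AUTHORITY\\SYSTEM"},
    {"EventID": 1, "UtcTime": "2023-11-06 02:04:27.000", "ProcessGuid": "E56ADA26-A1B2-6548-5207-000000000D00",
     "ProcessId": 16164, "Image": "C:\\Users\\dev\\Downloads\\update.exe", "User": "WINDEV2310EVAL\\User"},
    {"EventID": 5, "UtcTime": "2023-11-06 02:04:27.250", "ProcessGuid": "E56ADA26-A1B2-6548-5207-000000000D00",
     "ProcessId": 16164, "Image": "C:\\Users\\dev\\Downloads\\update.exe", "User": "WINDEV2310EVAL\\User"},
    # A terminate event whose creation was never logged (e.g. Sysmon started after the process did).
    {"EventID": 5, "UtcTime": "2023-11-06 02:04:28.000", "ProcessGuid": "E56ADA26-0000-6548-0100-000000000D00",
     "ProcessId": 4, "Image": "System", "User": "NT AUTHORITY\\SYSTEM"},
]


def process_lifetimes(events):
    """Join Event ID 1 (create) with Event ID 5 (terminate) on ProcessGuid.

    Returns {ProcessGuid: {"image", "pid", "start", "end", "lifetime_s"}}.
    "start" and "lifetime_s" stay None when no matching creation event was seen.
    """
    by_guid = {}
    for ev in sorted(events, key=lambda e: parse_utctime(e["UtcTime"])):
        rec = by_guid.setdefault(
            ev["ProcessGuid"],
            {"image": ev["Image"], "pid": ev["ProcessId"], "start": None, "end": None, "lifetime_s": None},
        )
        ts = parse_utctime(ev["UtcTime"])
        if ev["EventID"] == 1:
            rec["start"] = ts
        elif ev["EventID"] == 5:
            rec["end"] = ts
        if rec["start"] is not None and rec["end"] is not None:
            rec["lifetime_s"] = (rec["end"] - rec["start"]).total_seconds()
    return by_guid


def short_lived(events, max_seconds=1.0):
    """ProcessGuids of processes that ran for less than max_seconds (a common triage filter)."""
    return [g for g, r in process_lifetimes(events).items()
            if r["lifetime_s"] is not None and r["lifetime_s"] < max_seconds]


def pid_reuse(events):
    """ProcessIds that belong to more than one ProcessGuid in the data: joining on PID alone
    would attach the svchost.exe creation to the update.exe termination."""
    pids = {}
    for ev in events:
        pids.setdefault(ev["ProcessId"], set()).add(ev["ProcessGuid"])
    return sorted(p for p, guids in pids.items() if len(guids) > 1)
```

Run against the constructed data, the svchost.exe instance lived 6.436 s, update.exe 0.25 s, the unmatched terminate has no lifetime, and PID 16164 is flagged as reused.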
Example Event
{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
    "event_source_name": "",
    "event_id": 5,
    "version": 3,
    "level": 4,
    "task": 5,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T02:04:26.566815+00:00",
    "event_record_id": 1441121,
    "correlation": {},
    "execution": {
      "process_id": 7064,
      "thread_id": 9788
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "-",
    "UtcTime": "2023-11-06 02:04:26.536",
    "ProcessGuid": "E56ADA26-37A6-6548-5107-000000000D00",
    "ProcessId": 16164,
    "Image": "C:\\Windows\\System32\\svchost.exe",
    "User": "NT AUTHORITY\\SYSTEM"
  },
  "message": ""
}
Detection Patterns
- Normalized Process Events (Kusto Query Language, 7 rules): Security-Auditing Event ID 4688 (A new process has been created) OR Event ID 4689 (A process has exited) OR Sysmon Event ID 1 (Process creation) OR Event ID 5 (Process terminated)
Detection Rules
Splunk
- High Process Termination Frequency: The following analytic identifies a high frequency of process termination events on a computer within a short period. It leverages Sysmon EventCode 5 logs to detect instances where 15 or more processes are terminated within a 3-second window. This behavior is significant as it is commonly associated with ransomware attempting to avoid exceptions during file encryption. If confirmed malicious, this activity could indicate an active ransomware attack, potentially leading to widespread file encryption and significant data loss.
- Windows Processes Killed By Industroyer2 Malware: The following analytic detects the termination of specific processes by the Industroyer2 malware. It leverages Sysmon EventCode 5 to identify when processes like "PServiceControl.exe" and "PService_PPD.exe" are killed. This activity is significant as it targets processes related to energy facility networks, indicating a potential attack on critical infrastructure. If confirmed malicious, this could lead to disruption of essential services, loss of control over energy systems, and significant operational impact. Immediate investigation is required to determine the cause and mitigate any potential threats.
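Both Splunk analytics above can be reproduced outside Splunk. The following Python is an added example, not Splunk's or this page's code: it applies a sliding 3-second window per Computer for the 15-termination threshold, and matches the two Industroyer2 target image names that the rule description lists. Host names, paths, PIDs and timestamps are constructed; the sliding window is this example's own choice of time bucketing and need not match how the Splunk searches group time.

```python
from collections import deque
from datetime import datetime, timedelta, timezone


def parse_utctime(value: str) -> datetime:
    # Sysmon's UtcTime field format, e.g. "2023-11-06 02:04:26.536"
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)


def fmt_utctime(ts: datetime) -> str:
    return ts.strftime("%Y-%m-%d %H:%M:%S.%f")[:-3]


def terminate_event(computer, ts, image, pid):
    """Constructed Event ID 5 record shaped like the example above (only the fields the detections use)."""
    return {"EventID": 5, "Computer": computer, "UtcTime": fmt_utctime(ts), "Image": image, "ProcessId": pid}


# Constructed sample data (not from a real host).
T0 = datetime(2023, 11, 6, 2, 4, 26, tzinfo=timezone.utc)
EVENTS = []
# WS-RANSOM: 15 terminations within 1.4 seconds (meets the 15-in-3s threshold).
for i in range(15):
    EVENTS.append(terminate_event("WS-RANSOM", T0 + timedelta(milliseconds=100 * i),
                                  f"C:\\Program Files\\App{i}\\app.exe", 1000 + i))
# WS-QUIET: 14 terminations one second apart (never 15 in any 3-second span).
for i in range(14):
    EVENTS.append(terminate_event("WS-QUIET", T0 + timedelta(seconds=i),
                                  "C:\\Windows\\System32\\svchost.exe", 2000 + i))
# HMI-01: two kills matching the Industroyer2 target list plus a benign one.
EVENTS += [
    terminate_event("HMI-01", T0, "C:\\SCADA\\PServiceControl.exe", 3001),
    terminate_event("HMI-01", T0 + timedelta(milliseconds=50), "C:\\SCADA\\PService_PPD.exe", 3002),
    terminate_event("HMI-01", T0 + timedelta(seconds=5), "C:\\Windows\\System32\\notepad.exe", 3003),
]

# Image names named in the Industroyer2 rule description above (compared case-insensitively).
INDUSTROYER2_IMAGES = {"pservicecontrol.exe", "pservice_ppd.exe"}


def burst_terminations(events, threshold=15, window_seconds=3.0):
    """Sliding-window form of the frequency rule: for each Computer, find the largest number of
    Event ID 5 records inside any window_seconds span and return {Computer: peak} for hosts
    reaching threshold."""
    by_host = {}
    for ev in events:
        if ev["EventID"] == 5:
            by_host.setdefault(ev["Computer"], []).append(parse_utctime(ev["UtcTime"]))
    hits = {}
    for host, times in by_host.items():
        times.sort()
        window = deque()
        peak = 0
        for t in times:
            window.append(t)
            # Drop records older than window_seconds relative to the newest one.
            while (t - window[0]).total_seconds() > window_seconds:
                window.popleft()
            peak = max(peak, len(window))
        if peak >= threshold:
            hits[host] = peak
    return hits


def industroyer2_kills(events):
    """(Computer, Image) for every Event ID 5 whose image file name is on the target list."""
    return [(ev["Computer"], ev["Image"]) for ev in events
            if ev["EventID"] == 5 and ev["Image"].rsplit("\\", 1)[-1].lower() in INDUSTROYER2_IMAGES]
```

On the constructed data only WS-RANSOM trips the frequency rule (peak of 15 in one window; WS-QUIET never exceeds 4 and HMI-01 has 3), and the Industroyer2 check returns the two SCADA service terminations on HMI-01. The frequency rule is a volume heuristic: service restarts, logoff storms and patching also terminate many processes quickly, so triage the Image values in the window before escalating.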