Process Termination

The exit or termination of a running process on a system. This can occur due to normal operations, user-initiated commands, or malicious actions such as process termination by malware to disable security controls.

Data Collection Measures:

Endpoint Detection and Response (EDR) Tools:
- Monitor process termination events.
Windows Event Logs:
- Event ID 4689 (Process Termination) – Captures when a process exits, including process ID and parent process.
- Event ID 7036 (Service Control Manager) – Monitors system service stops.
Sysmon (Windows):
- Event ID 5 (Process Termination) – Detects when a process exits, including parent-child relationships.
Linux/macOS Monitoring:
- AuditD (execve, exit_group, kill syscalls) – Captures process termination via command-line interactions.
- eBPF/XDP: Monitors low-level system calls related to process termination.
- OSQuery: The processes table can be queried for abnormal exits.

ID: DC0033

Domains: ICS, Mobile, Enterprise

Version: 2.0

Created: 20 October 2021

Last Modified: 21 October 2025

Log Sources

Name	Channel
auditd:SYSCALL	exit_group
auditd:SYSCALL	Process segfault or abnormal termination after invoking vulnerable syscall sequence
auditd:SYSCALL	kill syscalls targeting logging/security processes
docker:runtime	Termination of monitoring sidecar or security container
esxi:hostd	Log entries indicating VM powered off or forcibly terminated
linux:osquery	unexpected termination of syslog or rsyslog processes
linux:syslog	Unexpected termination of daemons or critical services not aligned with admin change tickets
macos:osquery	process_termination: Unexpected termination of processes tied to vulnerable or high-value services
macos:unifiedlog	Terminal process killed (killall Terminal) immediately after sudoers modification
macos:unifiedlog	process.exit.code
macos:unifiedlog	Termination of syspolicyd or XProtect processes
Process	None
WinEventLog:Sysmon	EventCode=5

Detection Strategy

ID	Name	Technique Detected
DET0021	Behavioral Detection for Service Stop across Platforms	T1489
DET0052	Behavioral Detection Strategy for Abuse of Sudo and Sudo Caching	T1548.003
DET0784	Detection of Block Command Message	T0803
DET0789	Detection of Block Reporting Message	T0804
DET0797	Detection of Block Serial COM	T0805
DET0146	Detection of Data Destruction Across Platforms via Mass Overwrite and Deletion Patterns	T1485
DET0687	Detection of Impair Defenses	T1629
DET0497	Detection of Impair Defenses through Disabled or Modified Tools across OS Platforms.	T1562.001
DET0132	Detection of Mutex-Based Execution Guardrails Across Platforms	T1480.002
DET0765	Detection of Service Stop	T0881
DET0304	Detection Strategy for Endpoint DoS via Application or System Exploitation	T1499.004
DET0015	Detection Strategy for Exclusive Control	T1668
DET0317	Detection Strategy for Impair Defenses Across Platforms	T1562
DET0239	Detection Strategy for Impair Defenses Indicator Blocking	T1562.006