The exit or termination of a running process on a system. This can occur due to normal operations, user-initiated commands, or malicious actions such as process termination by malware to disable security controls.
| Name | Channel |
|---|---|
| auditd:SYSCALL | exit_group |
| auditd:SYSCALL | Process segfault or abnormal termination after invoking vulnerable syscall sequence |
| auditd:SYSCALL | kill syscalls targeting logging/security processes |
| docker:runtime | Termination of monitoring sidecar or security container |
| esxi:hostd | Log entries indicating VM powered off or forcibly terminated |
| linux:osquery | unexpected termination of syslog or rsyslog processes |
| linux:syslog | Unexpected termination of daemons or critical services not aligned with admin change tickets |
| macos:osquery | process_termination: Unexpected termination of processes tied to vulnerable or high-value services |
| macos:unifiedlog | Terminal process killed (killall Terminal) immediately after sudoers modification |
| macos:unifiedlog | process.*exit.*code |
| macos:unifiedlog | Termination of syspolicyd or XProtect processes |
| Process | None |
| WinEventLog:Sysmon | EventCode=5 |