Process Termination (61f1d40e-f3d0-4cc6-aa2d-937b6204194f)

The exit or termination of a running process on a system. This can occur as part of normal operation, through user-initiated commands, or through malicious action, such as malware terminating security tooling to disable defensive controls.

Data Collection Measures:

  • Endpoint Detection and Response (EDR) Tools:
    • Monitor process termination events, ideally with the identity of the process that requested the termination, which native OS logs rarely record.
  • Windows Event Logs:
    • Event ID 4689 (A process has exited) – Requires the "Audit Process Termination" subcategory to be enabled. Records the process ID, full process name, exit status, and the subject account; it does not carry the parent process, which must be joined from the matching Event ID 4688 (Creator Process ID) or from Sysmon.
    • Event ID 7036 (Service Control Manager, System log) – Records a service entering the stopped state, whether stopped cleanly through the SCM or because its host process died; the primary source for Service Stop (T1489).
  • Sysmon (Windows):
    • Event ID 5 (Process Terminated) – Records UtcTime, ProcessGuid, ProcessId, Image, and User of the exiting process. It carries neither the parent nor the terminator: join ProcessGuid to the Event ID 1 (Process Create) record for the parent-child relationship and lifetime, and look for an Event ID 10 (Process Access) whose GrantedAccess includes PROCESS_TERMINATE (0x1) to find who killed it.
  • Linux/macOS Monitoring:
    • auditd – Syscall rules on kill, tkill, and tgkill (signal delivery) and on exit_group (process exit) capture termination regardless of how it was invoked; the SYSCALL record carries the calling pid, auid and exe, with the target pid in a0 and the signal in a1 (both in hex). Rules on execve additionally show the command that did the killing.
    • eBPF – Programs attached to the sched:sched_process_exit tracepoint, or kprobes on do_exit and the signal-delivery path, observe exits and their exit codes at the kernel level. XDP hooks the network receive path and is not a process-termination source.
    • osquery – The processes table is a point-in-time snapshot, so exits appear as rows removed between scheduled runs in differential results rather than as discrete events; on macOS the EndpointSecurity-backed es_process_events table also reports exit events.
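The joins described above (Sysmon Event ID 5 back to Event ID 1, and auditd kill(2) records back to the daemon they target) as a worked detection, added here as an example and not part of the MISP galaxy or ATT&CK. The Sysmon records and auditd lines are constructed; the WATCHLIST of defensive binaries, the DAEMON_PIDS pid-to-daemon map (which in practice would come from a periodic osquery processes snapshot), the proc_kill audit key, and the 60-second killer-search window are all assumptions of the example.

```python
"""Correlate process-termination telemetry into a T1562.001 (Disable or Modify
Tools) alert. Added example; every record below is constructed."""
import ntpath
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Assumed watch-list of defensive processes whose termination is suspicious.
WATCHLIST = {"msmpeng.exe", "sensecncproxy.exe", "auditd", "falco"}
NS = "http://schemas.microsoft.com/win/2004/08/events/event"


def _sysmon(event_id, fields):
    """Build a constructed Sysmon record in the Windows Event XML layout."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{data}</EventData></Event>")


# Event ID 1 carries parent and command line; Event ID 5 carries only the dying
# process, so the two are joined on ProcessGuid (constructed records).
SYSMON_XML = [
    _sysmon(1, {"UtcTime": "2024-03-01 10:00:00.000", "ProcessGuid": "{A1}",
                "ProcessId": "4211", "Image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
                "CommandLine": r"C:\Program Files\Windows Defender\MsMpEng.exe",
                "ParentProcessGuid": "{S0}", "ParentImage": r"C:\Windows\System32\services.exe"}),
    _sysmon(1, {"UtcTime": "2024-03-01 10:05:00.000", "ProcessGuid": "{B2}",
                "ProcessId": "5120", "Image": r"C:\Windows\System32\taskkill.exe",
                "CommandLine": "taskkill /F /IM MsMpEng.exe",
                "ParentProcessGuid": "{C3}", "ParentImage": r"C:\Windows\System32\cmd.exe"}),
    _sysmon(5, {"UtcTime": "2024-03-01 10:05:01.000", "ProcessGuid": "{A1}",
                "ProcessId": "4211", "Image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
                "User": r"NT AUTHORITY\SYSTEM"}),
    _sysmon(5, {"UtcTime": "2024-03-01 10:06:00.000", "ProcessGuid": "{D4}",
                "ProcessId": "6001", "Image": r"C:\Windows\System32\notepad.exe",
                "User": r"CORP\alice"}),
]


def parse_sysmon(xml_text):
    """Flatten one Sysmon record into {"EventID": int, <Data Name>: value, ...}."""
    root = ET.fromstring(xml_text)
    rec = {"EventID": int(root.find(f"{{{NS}}}System/{{{NS}}}EventID").text)}
    for d in root.iter(f"{{{NS}}}Data"):
        rec[d.get("Name")] = d.text or ""
    rec["UtcTime"] = datetime.strptime(rec["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
    return rec


def sysmon_alerts(records, window=timedelta(seconds=60)):
    """One alert per watch-listed process that exited (Event ID 5).

    Creation context (parent, lifetime) comes from the Event ID 1 with the same
    ProcessGuid. Event ID 5 never says who did the killing, so any process
    created within `window` before the exit whose command line names the victim
    image is reported as a candidate killer."""
    creates = {r["ProcessGuid"]: r for r in records if r["EventID"] == 1}
    alerts = []
    for r in records:
        victim = ntpath.basename(r["Image"]).lower()
        if r["EventID"] != 5 or victim not in WATCHLIST:
            continue
        create = creates.get(r["ProcessGuid"])
        killers = [c["CommandLine"] for c in creates.values()
                   if c["ProcessGuid"] != r["ProcessGuid"]
                   and victim in c.get("CommandLine", "").lower()
                   and timedelta(0) <= r["UtcTime"] - c["UtcTime"] <= window]
        alerts.append({"technique": "T1562.001", "image": r["Image"], "pid": int(r["ProcessId"]),
                       "parent": create["ParentImage"] if create else None,
                       "lifetime_s": (r["UtcTime"] - create["UtcTime"]).total_seconds() if create else None,
                       "candidate_killers": killers})
    return alerts


# Constructed auditd SYSCALL records for kill(2) (syscall 62 on x86_64): a0 is the
# target pid and a1 the signal, both rendered in hex by the kernel.
AUDITD_LINES = [
    'type=SYSCALL msg=audit(1709287501.120:9001): arch=c000003e syscall=62 success=yes exit=0 '
    'a0=4d2 a1=9 a2=0 a3=0 pid=3100 uid=1001 auid=1001 comm="kill" exe="/usr/bin/kill" key="proc_kill"',
    'type=SYSCALL msg=audit(1709287502.300:9002): arch=c000003e syscall=62 success=yes exit=0 '
    'a0=7b a1=f a2=0 a3=0 pid=3105 uid=1001 auid=1001 comm="bash" exe="/usr/bin/bash" key="proc_kill"',
]
DAEMON_PIDS = {1234: "auditd", 2222: "sshd"}  # assumed pid -> daemon map
AUDIT_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def auditd_alerts(lines, daemon_pids=DAEMON_PIDS):
    """Flag SIGKILL/SIGTERM delivered to a watch-listed daemon, with the sender."""
    alerts = []
    for line in lines:
        kv = {k: v.strip('"') for k, v in AUDIT_KV.findall(line)}
        if kv.get("type") != "SYSCALL" or kv.get("syscall") != "62":
            continue
        target, sig = int(kv["a0"], 16), int(kv["a1"], 16)
        name = daemon_pids.get(target)
        if name in WATCHLIST and sig in (9, 15):
            alerts.append({"technique": "T1562.001", "target": name, "pid": target, "signal": sig,
                           "by_pid": int(kv["pid"]), "auid": int(kv["auid"]), "exe": kv["exe"]})
    return alerts


if __name__ == "__main__":
    for a in sysmon_alerts([parse_sysmon(x) for x in SYSMON_XML]) + auditd_alerts(AUDITD_LINES):
        print(a)
```

Run as-is it reports the MsMpEng.exe exit joined to its services.exe parent, a lifetime of 301 seconds and the taskkill command line as the candidate killer, plus the SIGKILL sent to the auditd pid by /usr/bin/kill under auid 1001; the notepad.exe exit and the SIGTERM to an unmonitored pid are ignored. For the Windows "who killed it" question, Sysmon Event ID 10 with PROCESS_TERMINATE in GrantedAccess is the authoritative source and would replace the command-line heuristic used here.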
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | Process Termination (61f1d40e-f3d0-4cc6-aa2d-937b6204194f) | mitre-data-component | 1 |
| Service Stop - T1489 (20fb2507-d71c-455d-9b6d-6104461cf26b) | Attack Pattern | Process Termination (61f1d40e-f3d0-4cc6-aa2d-937b6204194f) | mitre-data-component | 1 |
| Exclusive Control - T1668 (dff263cc-328e-42b4-afbc-1fee8b6a8913) | Attack Pattern | Process Termination (61f1d40e-f3d0-4cc6-aa2d-937b6204194f) | mitre-data-component | 1 |
| Impair Defenses - T1629 (20b0931a-8952-42ca-975f-775bad295f1a) | Attack Pattern | Process Termination (61f1d40e-f3d0-4cc6-aa2d-937b6204194f) | mitre-data-component | 1 |
| Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) | Attack Pattern | Process Termination (61f1d40e-f3d0-4cc6-aa2d-937b6204194f) | mitre-data-component | 1 |
| Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) | Attack Pattern | 2 |