Kaspersky Endpoint Security Stopped Via CommandLine - Linux
Detects execution of the Kaspersky init.d stop script on Linux systems either directly or via systemctl. This activity may indicate a manual interruption of the antivirus service by an administrator, or it could be a sign of potential tampering or evasion attempts by malicious actors.
Sigma rule
title: Kaspersky Endpoint Security Stopped Via CommandLine - Linux
id: 36388120-b3f1-4ce9-b50b-280d9a7f4c04
status: experimental
description: |
    Detects execution of the Kaspersky init.d stop script on Linux systems either directly or via systemctl.
    This activity may indicate a manual interruption of the antivirus service by an administrator, or it could be a sign of potential tampering or evasion attempts by malicious actors.
references:
    - https://support.kaspersky.com/KES4Linux/12.0.0/en-US/197929.htm
author: Milad Cheraghi
date: 2025-10-18
tags:
    - attack.execution
    - attack.defense-evasion
    - attack.t1562.001
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith:
            # Note: Add the list of shells allowed in your environment that can be used to run init.d scripts.
            - '/systemctl'
            - '/bash'
            - '/sh'
        CommandLine|contains|all:
            - 'stop'
            - 'kesl'
    condition: selection
falsepositives:
    - System administrator manually stopping Kaspersky services
level: high
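To see what the selection above does and does not match, here is an added Python example (not part of the rule or of the Sigma project) that implements only the two modifiers this rule uses, endswith and contains|all, with Sigma's default case-insensitive string matching, and runs them over constructed process-creation events:

```python
# Constructed process-creation events for illustration, not real telemetry.
# Field names follow the Sigma process_creation taxonomy the rule relies on.
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/systemctl", "CommandLine": "systemctl stop kesl"},
    {"Image": "/bin/bash", "CommandLine": "bash /etc/init.d/kesl stop"},
    {"Image": "/bin/sh", "CommandLine": "sh -c '/etc/init.d/kesl stop'"},
    {"Image": "/usr/bin/systemctl", "CommandLine": "systemctl status kesl"},
    {"Image": "/usr/bin/python3", "CommandLine": "python3 -c 'print(\"stop kesl\")'"},
    {"Image": "/bin/bash", "CommandLine": "bash -c 'echo stop keslogger'"},
]

# The rule's selection block, transcribed as field|modifier keys -> value lists.
SELECTION = {
    "Image|endswith": ["/systemctl", "/bash", "/sh"],
    "CommandLine|contains|all": ["stop", "kesl"],
}


def field_matches(value, modifiers, patterns):
    """Apply Sigma 'endswith' / 'contains' (with optional 'all') to one field."""
    v = value.lower()  # Sigma string comparisons are case-insensitive by default
    pats = [p.lower() for p in patterns]
    if "endswith" in modifiers:
        tests = [v.endswith(p) for p in pats]
    elif "contains" in modifiers:
        tests = [p in v for p in pats]  # plain substring test, no word boundaries
    else:
        tests = [v == p for p in pats]
    # A value list is OR-ed unless the 'all' modifier turns it into an AND.
    return all(tests) if "all" in modifiers else any(tests)


def selection_matches(event, selection):
    """Every field in a selection map must match (implicit AND between fields)."""
    for key, patterns in selection.items():
        field, *modifiers = key.split("|")
        if not field_matches(event.get(field, ""), modifiers, patterns):
            return False
    return True


def run_rule(events, selection=SELECTION):
    """Return the command lines of all events the rule's 'condition: selection' fires on."""
    return [e["CommandLine"] for e in events if selection_matches(e, selection)]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

The last sample fires although it never touches the service, because contains is a substring test and the two strings may appear in any order; that is the precision the falsepositives entry warns about, and tuning the Image list as the rule's comment suggests is the main lever for narrowing it.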