AR Reaction: Kill Process

The most basic reaction is to kill a running process by name. This is typically used to help eradicate a threat, or to remove remaining traces after the fact. In this note we'll walk through all the steps necessary to create this reaction. If you prefer, you can import the fully configured reaction instead (download the attached document, then import it into the Active Response Catalog).

Creating Kill Process Reaction

  1. Open the Active Response Catalog and select the Reactions tab. Click New Reaction.
     (screenshot: newreaction.png)
  2. Enter a name and a description for this Reaction.
     (screenshot: taskkill-summary.png)
  3. For Reaction Content, select "Execute OS Command" and enter the following line:
         taskkill /F /IM {{processname}} /T
     (screenshot: taskkill-content.png)

     The switches on this command are interpreted as follows:
         /F:  Forcefully terminate the process.
         /IM: Specifies the image name of the process to terminate.
         /T:  Terminates the entire process tree, including all child processes of the specified process.

  4. Finally, configure the argument for this reaction. This reaction takes a single argument: the full name of the process to be terminated.
     (screenshot: taskkill-args.png)
     Note that the name of the argument matches the token {{processname}} in the Reaction Content. When the Reaction is triggered on the endpoint, the value passed in for the processname argument is substituted for that token in the specified command before it is executed.
  5. Click the Save button at the top of the screen.
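As an added illustration of the token substitution described in step 4 (this is not Active Response code), the following Python renders the reaction content with a supplied argument value before it would be handed to the OS. The image-name check is an assumption about what a well-formed process name looks like, not a documented product rule:

```python
import re

# Reaction Content exactly as entered in step 3 of this note.
KILL_PROCESS_REACTION = "taskkill /F /IM {{processname}} /T"

# Matches a {{token}} placeholder in reaction content.
TOKEN_RE = re.compile(r"\{\{(\w+)\}\}")

# Assumption (not a product rule): a process name argument should be a bare
# image name such as calc.exe, so only filename characters are accepted;
# paths, spaces and shell metacharacters are rejected.
IMAGE_NAME_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.\-]*$")


def is_valid_image_name(value: str) -> bool:
    """True if value looks like a plain image name (e.g. calc.exe)."""
    return bool(IMAGE_NAME_RE.match(value))


def render_reaction(content: str, args: dict) -> str:
    """Substitute every {{token}} in content with the matching argument value.

    Emulates the substitution step described in step 4 as a stand-alone
    illustration.  Raises ValueError when an argument is missing or fails
    the image-name check, so nothing unexpected reaches the command line.
    """
    def substitute(match):
        name = match.group(1)
        if name not in args:
            raise ValueError(f"missing value for argument {name!r}")
        value = args[name]
        if not is_valid_image_name(value):
            raise ValueError(f"argument {name!r} is not a plain image name: {value!r}")
        return value

    return TOKEN_RE.sub(substitute, content)


def kill_process_command(processname: str) -> list:
    """Render the Kill Process reaction for one process and split it into argv."""
    return render_reaction(KILL_PROCESS_REACTION, {"processname": processname}).split()


if __name__ == "__main__":
    # The test from this note: terminate calc.exe.
    print(" ".join(kill_process_command("calc.exe")))
```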

Testing the Kill Process Reaction

Once defined, your reaction is immediately distributed to your endpoints via the DXL. Next, let's do a simple test of the Reaction.

  1. Log into a system with Active Response installed, and launch calc.exe (Start/Run/calc). You'll see the Windows calculator open on your desktop.
     (screenshot: taskkill-test1.png)
  2. Open Active Response Search and execute a search for running instances of calc.exe.
     (screenshot: taskkill-test2.png)
  3. Highlight the name of the process (calc.exe) and copy it to your clipboard.
  4. Click the checkbox next to your calc instance, and then select "Execute Reaction" from the Actions menu.
     (screenshot: delnot-test3.png)
  5. Select your Reaction and paste in the process name (calc.exe) that you copied earlier.
     (screenshot: taskkill-test3.png)
  6. Acknowledge the action you are taking.
     (screenshot: taskkill-test4.png)
  7. Monitor your test system. Within a second or two you should see the calc instance disappear from the desktop.

Going Further

For some additional thoughts on using Reactions within Active Response, see

Last update: 08-05-2015 07:36 AM