Kaspersky Endpoint Security Stopped Via CommandLine - Linux

Original Source: [Sigma source]
Title: Kaspersky Endpoint Security Stopped Via CommandLine - Linux
Status: experimental
Description: Detects execution of the Kaspersky init.d stop script on Linux systems, either directly or via systemctl. This activity may indicate a manual interruption of the antivirus service by an administrator, or it may be a sign of tampering or evasion attempts by a malicious actor.
References:
  - https://support.kaspersky.com/KES4Linux/12.0.0/en-US/197929.htm
Author: Milad Cheraghi
Date: 2025-10-18
Modified: None
Tags:
  - attack.execution
  - attack.defense-evasion
  - attack.t1562.001
Logsource:
  • product: linux
  • category: process_creation
Detection:
  selection:
    Image|endswith:
      - '/systemctl'
      - '/bash'
      - '/sh'

    CommandLine|contains|all:
      - 'stop'
      - 'kesl'

  condition: selection
False positives:
  - System administrator manually stopping Kaspersky services
Level: high
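As an added example (not part of the Sigma rule or of Kaspersky's documentation), the rule's selection logic expressed in Python and run over constructed process-creation events; the event fields, the sample command lines and the use of `kesl` as a systemd unit name are assumptions for illustration.

```python
# Added example: the 'selection' of the rule above as a Python predicate,
# applied to constructed process-creation events. Not the rule's own code.

IMAGE_SUFFIXES = ("/systemctl", "/bash", "/sh")   # Image|endswith
CMDLINE_TERMS = ("stop", "kesl")                  # CommandLine|contains|all


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies the rule's 'selection'.

    Sigma string matching is case-insensitive unless a modifier such as
    |cased is used, so both fields are lower-cased before comparison.
    """
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    if not any(image.endswith(s) for s in IMAGE_SUFFIXES):
        return False
    # contains|all: every term must appear somewhere in the command line
    return all(term in cmdline for term in CMDLINE_TERMS)


# Constructed sample events (not real telemetry); "kesl" as a unit name is assumed
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/systemctl", "CommandLine": "systemctl stop kesl",
     "User": "root", "ParentImage": "/usr/bin/sudo"},           # fires
    {"Image": "/bin/bash", "CommandLine": "bash -c 'service kesl stop'"},  # fires
    {"Image": "/usr/bin/systemctl", "CommandLine": "systemctl status kesl"},  # no 'stop'
    {"Image": "/usr/bin/systemctl", "CommandLine": "systemctl stop nginx"},   # no 'kesl'
    {"Image": "/usr/bin/python3", "CommandLine": "python3 stop_kesl.py"},     # Image filter not met
]


def triage(events):
    """Return (index, CommandLine) for each event that fires the rule.

    The rule alone cannot separate an administrator from an intruder (see
    the false-positive note above); pivot on User, ParentImage and session
    context from the same process-creation log to decide which it was.
    """
    return [(i, e["CommandLine"]) for i, e in enumerate(events) if matches_rule(e)]


if __name__ == "__main__":
    for idx, cmd in triage(SAMPLE_EVENTS):
        print(f"ALERT event[{idx}]: {cmd}")
```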