Skip to content

Hide Navigation Hide TOC

Kaspersky Endpoint Security Stopped Via CommandLine - Linux (36388120-b3f1-4ce9-b50b-280d9a7f4c04)

Detects execution of the Kaspersky init.d stop script on Linux systems either directly or via systemctl. This activity may indicate a manual interruption of the antivirus service by an administrator, or it could be a sign of potential tampering or evasion attempts by malicious actors.

Cluster A Galaxy A Cluster B Galaxy B Level
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern Kaspersky Endpoint Security Stopped Via CommandLine - Linux (36388120-b3f1-4ce9-b50b-280d9a7f4c04) Sigma-Rules 1
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 2