Kill a Process

The Insight Agent can kill a process on any asset that is involved in a suspicious or malicious alert. You do not need to configure any additional settings to be able to kill a process. When a detection rule is triggered and InsightIDR automatically opens an investigation, and you can kill a process directly from the investigation.

When the Insight Agent receives instruction to kill a process, it sends a kill call to the malicious process in question. The kill call immediately terminates the process tree and its branches.

Kill calls work differently, depending on the operating system. On Linux and Mac systems, the Insight Agent sends a “kill 9” command to the malicious process, which forces it to terminate immediately. On Windows systems, the kill call “TerminateProcess” unconditionally causes a process to exit.

Read more about it here: https://docs.microsoft.com/en-us/windows/desktop/api/processthreadsapi/nf-processthreadsapi-terminateprocess

To kill a process with the Insight Agent:

  1. From your InsightIDR homepage, select Investigations from the left-hand navigation.
  2. Open the desired investigation. You will see a timeline of events involving the asset.
  3. Click the Take Action button. The “Take Action” panel appears.
  4. From the Select an Action or Workflow dropdown, select select Kill a Process
  1. When the process list appears, select the suspicious process you want to kill.
  2. Click the Take Action button.

The Insight Agent will send a kill message to the process. An item will appear on the timeline for this action.

When you close the investigation, you have the option to allow the specific attacker behavior.