EXPEL BLOG

Explore Expel’s auto remediations: Kill process


· 4 MIN READ · JAKE GODGART AND CLAIRE HOGAN · MAY 15, 2025 · TAGS: AI & automation

TL;DR

  • This auto remediation series focuses on understanding the functionality of all of Expel’s auto remediations 
  • The “kill process” response action enables the Expel SOC to leverage MDE to immediately terminate malicious processes (like ransomware encryption) across endpoints
  • You can find blogs on these auto remediations as well (post-publication): Contain/isolate host, block bad hash, delete malicious file, delete registry key, disable user account, reset credentials, terminate session, disable access key, and remove malicious email

 

In security operations, our ability to respond effectively is frequently constrained by time and the sheer volume of alerts. A core challenge is minimizing the window of opportunity for an adversary in your environment. A lot of the time, this means protecting the endpoint.

One of the most critical actions in incident response is the ability to quickly terminate a malicious process running on an endpoint. Delays in this critical action can allow minor security events to escalate into significant breaches, impacting the organization far more broadly.

Shutting down malicious processes, or preemptively terminating processes whose behavior indicates compromise, helps Expel’s analysts prevent data breaches, unauthorized system access, and further system compromise.

With this auto remediation, our analysts can kick off a kill process response workflow using established endpoint detection and response (EDR) platforms such as Microsoft Defender for Endpoint and CrowdStrike Falcon.

 

How it works

To understand how this functions within a managed detection and response (MDR) context, consider a common threat scenario: the Expel Security Operations Center (SOC) discovers a malicious process actively encrypting files on an endpoint, consistent with indicators of a ransomware attack. 

With your pre-approval, Expel’s SOC team will automatically terminate the process the instant it’s validated, neutralizing the threat and preventing further file encryption, which ultimately minimizes the impact of the attack. This automation is the kill process auto remediation in action. 

Think of it like pulling the emergency brake in your car—the main benefit is to immediately halt damaging actions, like ransomware encryptions, data theft attempts, or lateral movement efforts from attackers. 

This capability is typically executed through EDR platforms integrated into Expel Workbench™. Once the threat is validated, our SOC triggers the automated workflow through your EDR tooling to kill the malicious process, combining advanced detection technology with a decisive, human-initiated automated response.

An example of an auto remediation alert for the kill process task.
This alert shows the kill process auto remediation in action as it stopped the use of a remote management tool that gave a bad actor access to a system. The notification indicates the process was killed via the customer’s EDR (Microsoft Defender for Endpoint).

Triggering the kill process auto remediation 

This action is typically triggered by high-confidence indicators, such as: 

  • High-confidence EDR alerts: Alerts from your EDR tooling indicating known malware execution (based on file signatures, hashes, or specific, high-fidelity indicators of attack).
  • Suspicious process behavior: Real-time detection of anomalous process activities identified by EDR behavioral analytics or AI. This can include unusual process creation patterns, attempts to inject code into memory, or suspicious interactions with the operating system’s native APIs (like those associated with MITRE ATT&CK techniques). 
  • Threat hunting discoveries: Instances when our analysts proactively identify a live, malicious process during threat hunting activities within your environment. 
  • Correlated threat signals: Scenarios where multiple low-confidence alerts, correlated with other data points (like network traffic or user activity logs), collectively indicate a high probability of a malicious process requiring termination.

 

When to expect Expel to use the kill process action 

There are several instances where our threat analysts may respond by killing the process, including detection of:

  • Active malware: When malware (like trojans, worms, spyware, and infostealers) is actively executing on your endpoints.
  • Exploit kits: When exploit kits attempt to compromise vulnerable systems, by killing the processes spawned to exploit software vulnerabilities and deliver malware.
  • Lateral movement: When attackers try to move across your network to reach the systems they are after, whether to deploy malware or steal information, often using PsExec or WMI activity.
  • Ransomware encryption: When files are being encrypted repeatedly and at high speed and renamed with a locked extension, in order to steal data and disrupt operations. 
  • Malicious script execution: When harmful scripts (often PowerShell or VBScript) are attempting to perform reconnaissance, download payloads, or move laterally. 
  • Unauthorized remote access tools (RATs): When attackers use unauthorized RATs to gain command and control (C2), or to exfiltrate your data.

The path to termination: the kill process auto remediation workflow 

The kill process auto remediation follows five steps to stop malicious actions; each step is paired below with an example of how it would play out for ransomware encryption. 

1. Detection

An alert triggers within your security tools (like an EDR or SIEM) and is ingested into Expel Workbench™. 

Example: Your EDR detects a process on a user’s workstation suddenly encrypting files at a high speed, renaming them with a locked extension, and generates an alert. 

2. Validation & context

A SOC analyst sees the alert, verifies its legitimacy, correlates it with other activity, checks it against threat intelligence feeds, and considers your environment to confirm malicious intent. Auto remediations aren’t triggered without this expert human review first. 

Example: Our analyst confirms the activity matches known ransomware tactics, techniques, and procedures (TTPs) and isn’t a legitimate backup or encryption tool. 

3. Customer approval check

Our system automatically checks to see if your org has pre-approved the kill process auto remediation action for the specific endpoint, user group, or threat type. That way you remain in control and can explicitly define the scope of automation being done on your behalf. 

Example: Your org has pre-approved the kill process action for confirmed ransomware incidents.

4. Execution

Once the threat is validated and permission is confirmed, our SOC analyst initiates the kill process command via Workbench, leveraging your EDR’s capabilities. In high-confidence scenarios (like confirmed ransomware), this can happen in seconds. 

Example: Our analyst triggers the kill process command via your EDR through Workbench. 

5. Confirmation  

Our analyst will continue to monitor the threat and the action’s success, and then log the outcome within Workbench (and usually within your EDR as well) for full transparency. 

Example: The ransomware process is terminated on the endpoint within seconds. Any further file encryption immediately stops, and attack damage is significantly limited. From there, the analyst will dive into investigating the entry point, removing remaining malware, recovering any affected files, and logging all actions in Workbench.
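The five-step workflow above, written out as a small runnable model. This is an added example, not Expel’s or Workbench’s code: the `Alert`, `ApprovalPolicy` and `fake_edr_kill` names are hypothetical, the alert values are constructed, and the EDR call is a stand-in rather than a real Defender or Falcon API. Its point is the gating order: nothing is executed unless the analyst validated the alert (step 2) and the customer’s pre-approval covers that host, user group and threat type (step 3), and every step is recorded for the confirmation log (step 5).

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Alert:
    """Constructed EDR alert after analyst review (steps 1 and 2)."""
    host: str
    user_group: str
    threat_type: str
    process_name: str
    pid: int
    analyst_validated: bool   # outcome of the human review in step 2

@dataclass
class ApprovalPolicy:
    """Hypothetical customer pre-approval scope for kill process (step 3).
    Each set may contain "*" to mean 'any'."""
    hosts: set = field(default_factory=set)
    user_groups: set = field(default_factory=set)
    threat_types: set = field(default_factory=set)

    def covers(self, alert: Alert) -> bool:
        def allowed(scope, value):
            return "*" in scope or value in scope
        return (allowed(self.hosts, alert.host)
                and allowed(self.user_groups, alert.user_group)
                and allowed(self.threat_types, alert.threat_type))

def fake_edr_kill(host: str, pid: int) -> str:
    """Stand-in for the EDR's kill-process call; a real deployment would
    call the vendor API here. Returns the EDR's reported outcome."""
    return "terminated"

def run_workflow(alert: Alert, policy: ApprovalPolicy, edr_kill=fake_edr_kill):
    """Walk steps 1-5 and return an audit trail of (step, outcome) tuples.
    The kill is only sent when the analyst validated the alert AND the
    customer's pre-approval covers this host, user group and threat type."""
    trail = [("detection", f"{alert.process_name} (pid {alert.pid}) on {alert.host}")]
    if not alert.analyst_validated:
        trail.append(("validation", "not confirmed malicious; no automated action"))
        return trail
    trail.append(("validation", "analyst confirmed malicious"))
    if not policy.covers(alert):
        trail.append(("approval", "outside pre-approved scope; ask customer"))
        return trail
    trail.append(("approval", "within pre-approved scope"))
    result = edr_kill(alert.host, alert.pid)
    trail.append(("execution", f"kill process sent via EDR: {result}"))
    trail.append(("confirmation", "terminated" if result == "terminated"
                  else "kill not confirmed; analyst follow-up required"))
    return trail
```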

 

How to set it up

Expel customers can learn more about the kill process auto remediation and how to set it up for your environment within the Workbench™ Platform.

Not an Expel customer yet, but curious about our auto remediations? Send us a note. 

Killing a malicious process is a rapid and decisive containment action that stops immediate harm, prevents further compromise, and gives your team (and ours) breathing room to conduct a thorough investigation. 

Stay tuned as we continue to dive into the other auto remediations Expel has to offer!