Overview
The terminate action kills processes on local and remote systems using the Win32_Process.Terminate WMI method. It supports termination by process ID or by process name.
Syntax
Parameters
| Parameter | Required | Description |
|---|---|---|
| action | Yes | Must be terminate |
| process | Yes | Process ID (numeric) or process name |
| computername | No | Target host(s), comma-separated. Defaults to localhost |
| username | No | Username for authentication |
| password | No | Password for authentication |
Usage Examples
Terminate by Name
Terminate by PID
Example Output
0 = Success
2 = Access Denied
3 = Insufficient Privilege
8 = Unknown Failure
9 = Path Not Found
21 = Invalid Parameter
Operational Use Cases
Scenario 1: Kill Security Tools
Scenario 2: Clean Up After Operations
Scenario 3: Kill Monitoring Processes
Scenario 4: Kill Specific PID
Process Name Matching
The terminate action uses a partial name match with LIKE '%name%':
- process=note will match notepad.exe
- process=explorer will match explorer.exe
- process=svchost will match svchost.exe
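Because the match is a substring match rather than an exact name, a short fragment can hit more processes than intended, and only the first row WMI returns is terminated. The following is an added example, not code from SharpWMI or its documentation, that replicates the LIKE '%name%' semantics in Python against a constructed process table so that the full set of candidate matches (and the one that would be hit first) can be previewed before anything is touched. It assumes WQL string comparison is case-insensitive and handles only the % and _ wildcards; bracket character classes are not modelled.

```python
import re

# Constructed process table (image name, PID) in the order a query might return
# it; this is sample data for the example, not real system output.
SAMPLE_PROCESSES = [
    ("System", 4),
    ("svchost.exe", 812),
    ("svchost.exe", 1044),
    ("notepad.exe", 4120),
    ("OneNote.exe", 5208),
    ("explorer.exe", 2912),
    ("lsass.exe", 700),
    ("services.exe", 652),
]


def wql_like_to_regex(pattern):
    """Translate a WQL LIKE pattern into a compiled regex.

    % matches any run of characters, _ matches exactly one character, and
    everything else is literal. Case-insensitivity is an assumption about how
    WQL compares strings. Bracket classes ([a-z], [^x]) are not handled here.
    """
    parts = []
    for ch in pattern:
        if ch == "%":
            parts.append(".*")
        elif ch == "_":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)


def matches_for(name_fragment, processes):
    """Return every (name, pid) row that LIKE '%name_fragment%' would select,
    in table order. Per the page, only matches[0] would actually be terminated,
    so anything after it is a silent miss and anything unexpected in the list
    is a candidate for an unintended kill."""
    rx = wql_like_to_regex(f"%{name_fragment}%")
    return [row for row in processes if rx.fullmatch(row[0])]


def first_match(name_fragment, processes):
    """The single row the terminate action would act on, or None."""
    matches = matches_for(name_fragment, processes)
    return matches[0] if matches else None


if __name__ == "__main__":
    for fragment in ("note", "svchost", "explorer", "s"):
        hits = matches_for(fragment, SAMPLE_PROCESSES)
        print(f"process={fragment}: {len(hits)} match(es), first = {first_match(fragment, SAMPLE_PROCESSES)}")
        for name, pid in hits:
            print(f"    {name} (PID {pid})")
```

Running it shows the two problems the page describes: `note` matches OneNote.exe as well as notepad.exe, and `svchost` matches two rows of which only the first would be terminated. A single-letter fragment such as `s` also matches lsass.exe and services.exe, both on the page's list of processes never to terminate.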
Remote vs Local Usage
- Local Termination
- Remote Termination
- Post-exploitation cleanup
- Kill local monitoring tools
- Stop processes after execution
- No network traffic
- No authentication required
Limitations
First Match Only
Terminates only the first matching process. For multiple instances, run multiple times.
Protected Processes
Cannot terminate protected processes (PPL - Protected Process Light) without kernel access.
System Processes
Some critical system processes may cause system instability or crash if terminated.
Access Requirements
Requires admin privileges and may fail for processes owned by SYSTEM.
Detection Considerations
Process Termination Detection
- Event ID 4689: Process termination
- Sysmon Event ID 5: Process terminated
- Unusual process terminations
- Security tool crashes
- Monitoring tool shutdowns
WMI Detection
- WMI Terminate method invocation
- Event ID 5857: WMI activity
- Remote Win32_Process operations
- Sysmon Event ID 19-21: WMI activity
Behavioral Detection
- AV/EDR process termination attempts
- Multiple process kills in succession
- Termination of security monitoring
- Correlation with other malicious activity
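The three detection lists above (process termination events, WMI activity, and behavioural patterns such as repeated kills and security-tool shutdowns) can be turned into concrete rules. The following is an added example, not code from SharpWMI or its documentation, that runs those rules over a small set of constructed telemetry records in Python: Sysmon Event ID 5 and Security Event ID 4689 for terminations, and WMI-Activity Event ID 5857 as the WMI signal to correlate against. The hostnames, PIDs, timestamps and the window and threshold values are assumptions chosen for the example; the process names come from the page's Common Targets section.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# AV/EDR and monitoring-tool image names listed on the page as common targets.
SENSITIVE_PROCESSES = {
    "msmpeng.exe", "cb.exe", "falcon-sensor.exe",                  # AV / EDR
    "procmon.exe", "procexp.exe", "wireshark.exe", "fiddler.exe",  # monitoring tools
}

# Tuning values; these are assumptions for the example, not vendor defaults.
BURST_WINDOW = timedelta(seconds=30)            # "multiple kills in succession"
BURST_THRESHOLD = 3
WMI_CORRELATION_WINDOW = timedelta(seconds=60)  # termination shortly after WMI activity

# Constructed sample telemetry (not real log output). event_id 5 = Sysmon
# ProcessTerminate, 4689 = Security "process has exited", 5857 = WMI-Activity.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:00:00", "host": "ws01", "event_id": 5857},
    {"time": "2024-05-01T10:00:04", "host": "ws01", "event_id": 5,
     "image": r"C:\Program Files\Windows Defender\MsMpEng.exe", "pid": 3320},
    {"time": "2024-05-01T10:00:06", "host": "ws01", "event_id": 5,
     "image": r"C:\Tools\procmon.exe", "pid": 5108},
    {"time": "2024-05-01T10:00:09", "host": "ws01", "event_id": 4689,
     "image": r"C:\Tools\wireshark.exe", "pid": 5210},
    {"time": "2024-05-01T10:15:00", "host": "ws02", "event_id": 5,
     "image": r"C:\Windows\System32\notepad.exe", "pid": 7700},
]


def image_name(image_path):
    """Lower-cased file name of a Windows image path."""
    return image_path.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return a list of alert dicts for the termination patterns on the page."""
    alerts = []
    events = sorted(events, key=lambda e: e["time"])

    # Index WMI-Activity events per host so terminations can be correlated.
    wmi_activity = defaultdict(list)
    for e in events:
        if e["event_id"] == 5857:
            wmi_activity[e["host"]].append(datetime.fromisoformat(e["time"]))

    kill_times = defaultdict(list)
    for e in events:
        if e["event_id"] not in (5, 4689):
            continue
        ts = datetime.fromisoformat(e["time"])
        name = image_name(e["image"])
        kill_times[e["host"]].append(ts)

        # Rule 1: termination of a security product or monitoring tool.
        if name in SENSITIVE_PROCESSES:
            alerts.append({"rule": "sensitive_process_terminated", "host": e["host"],
                           "process": name, "pid": e["pid"], "time": e["time"]})

        # Rule 2: termination shortly after WMI activity on the same host.
        if any(timedelta(0) <= ts - w <= WMI_CORRELATION_WINDOW
               for w in wmi_activity[e["host"]]):
            alerts.append({"rule": "termination_after_wmi_activity", "host": e["host"],
                           "process": name, "pid": e["pid"], "time": e["time"]})

    # Rule 3: a burst of terminations on one host inside BURST_WINDOW.
    for host, times in kill_times.items():
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= BURST_WINDOW:
                j += 1
            if j - i >= BURST_THRESHOLD:
                alerts.append({"rule": "termination_burst", "host": host,
                               "count": j - i, "start": times[i].isoformat()})
                break  # one burst alert per host is enough for this example
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

On the sample data, the three ws01 terminations each raise a sensitive-process alert and a WMI-correlation alert, and together they form one burst; the lone notepad.exe exit on ws02 raises nothing. The ordering by timestamp matters for the burst rule, and the WMI correlation is deliberately loose: Event ID 5857 records provider activity, not the method that was invoked, so it is a corroborating signal rather than proof that Win32_Process.Terminate was called.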
Best Practices
Operational Security
- Avoid killing security tools when possible
- Kill only necessary processes
- Be aware of detection risks
- Consider persistence of restarting services
Error Handling
- Check return values
- Verify process was actually terminated
- Handle access denied gracefully
- Account for protected processes
Target Selection
- Identify process PID first with ps action
- Verify ownership before terminating
- Understand process purpose
- Consider impact on system stability
Cleanup Strategy
- Terminate own tools after use
- Kill temporary processes
- Remove monitoring before operations
- Restore services if needed
Common Targets
Processes to Avoid Terminating
- csrss.exe - Critical system process
- smss.exe - Session Manager
- winlogon.exe - Windows Logon Process
- services.exe - Service Control Manager
- lsass.exe - Local Security Authority (system crash)
Common Targets
Monitoring Tools:
- procmon.exe, procexp.exe - Sysinternals
- wireshark.exe - Network monitoring
- fiddler.exe - Web proxy

- MsMpEng.exe - Windows Defender
- cb.exe - Carbon Black
- falcon-sensor.exe - CrowdStrike
Troubleshooting
Process Not Found
Output:
[x] Process notepad not found
Cause: No matching process
Solution:
- Verify process is running: SharpWMI.exe action=ps
- Check process name spelling
- Process may have already terminated
Access Denied (Return: 2)
Cause: Insufficient privileges
Solution:
- Verify admin credentials
- Some processes require SYSTEM privileges
- Use the username and password parameters
- May need to elevate to SYSTEM context
Protected Process
Cause: Process is protected (PPL)
Solution:
- Cannot terminate without kernel access
- Consider alternative approaches
- May require driver exploitation
Service Restarts
Cause: Service automatically restarts
Solution:
- Stop the service instead of killing process
- Disable service auto-restart
- Use service control commands:
Return Value Reference
| Return Value | Meaning | Action |
|---|---|---|
| 0 | Successful completion | Process terminated successfully |
| 2 | Access denied | Use elevated credentials |
| 3 | Insufficient privilege | Requires admin/SYSTEM |
| 8 | Unknown failure | Check process state |
| 9 | Path not found | Process doesn't exist |
| 21 | Invalid parameter | Check process ID/name |
Related Actions
- ps - List processes to find targets
- exec - Execute processes
- query - Query Win32_Process directly
- getenv - Get environment variables
Alternative Methods
Terminate All Instances
To kill all instances of a process, use a loop or custom query:
Stop Windows Service