Merge PR #4397 from @veramine - Update Process Terminated Via Taskkill

- update: Process Terminated Via Taskkill - update metadata and move to TH folder

---------

Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>

rules/windows/process_creation/proc_creation_win_taskkill_execution.yml → rules-threat-hunting/windows/process_creation/proc_creation_win_taskkill_execution.yml

@@ -1,12 +1,14 @@
-title: Suspicious Execution of Taskkill
+title: Process Terminated Via Taskkill
 id: 86085955-ea48-42a2-9dd3-85d4c36b167d
 status: experimental
-description: Adversaries may stop services or processes in order to conduct Data Destruction or Data Encrypted for Impact on the data stores of services like Exchange and SQL Server.
+description: |
+    Detects execution of "taskkill.exe" in order to stop a service or a process. Look for suspicious parents executing this command in order to hunt for potential malicious activity.
+    Attackers might leverage this in order to conduct data destruction or data encrypted for impact on the data stores of services like Exchange and SQL Server.
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1489/T1489.md#atomic-test-3---windows---stop-service-by-killing-process
 author: frack113
 date: 2021/12/26
-modified: 2022/05/17
+modified: 2023/08/28
 tags:
     - attack.impact
     - attack.t1489
@@ -21,7 +23,7 @@ detection:
         CommandLine|contains|all:
             - ' /f'
             - ' /im '
-    condition: all of selection*
+    condition: all of selection_*
 falsepositives:
     - Expected FP with some processes using this techniques to terminate one of their processes during installations and updates
 level: low