title: Kill Eventlog Service Threads
description: Detection is specific to Invoke-Phant0m strings as the test uses it, and we're hoping to catch renamed and obfuscated versions by catching the TerminateThread call.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
  tactic: Defense Evasion
  technique: T1562
  subtechnique: 002
operating_system: windows
query: SrcProcCmdLine ContainsCIS "Invoke-Phant0m" OR SrcProcCmdScript ContainsCIS "$Kernel32::TerminateThread($getThread" OR SrcProcCmdScript ContainsCIS "Invoke-Phant0m"
false_positives: null
tags: null
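The query above is written in an EDR search syntax where `ContainsCIS` is a case-insensitive substring test and the three clauses are OR'd together. The following Python is an added example, not part of the rule or its author's tooling: it models that query as a small evaluator and runs it over constructed events so a detection engineer can check which of the rule's clauses fire. The field names and the query string are taken verbatim from the rule; the events, the `ContainsCIS`-as-plain-substring interpretation, and the `id` field are assumptions made for the example.

```python
import re

# Query copied verbatim from the rule above.
QUERY = ('SrcProcCmdLine ContainsCIS "Invoke-Phant0m" OR '
         'SrcProcCmdScript ContainsCIS "$Kernel32::TerminateThread($getThread" OR '
         'SrcProcCmdScript ContainsCIS "Invoke-Phant0m"')

# One clause of the form: <Field> ContainsCIS "<literal>"
CLAUSE = re.compile(r'^\s*(\w+)\s+ContainsCIS\s+"([^"]*)"\s*$')


def parse_query(query):
    """Split an OR-only ContainsCIS query into a list of (field, needle) pairs."""
    clauses = []
    for part in query.split(" OR "):
        m = CLAUSE.match(part)
        if not m:
            raise ValueError(f"unsupported clause: {part!r}")
        clauses.append((m.group(1), m.group(2)))
    return clauses


def matches(event, clauses):
    """True if any clause's needle occurs, case-insensitively, in its field.

    ContainsCIS is modelled as a plain substring test (assumption), so the
    '$' and '(' in the TerminateThread literal need no escaping. A missing
    field is treated as an empty string and never matches.
    """
    for field, needle in clauses:
        value = event.get(field) or ""
        if needle.lower() in value.lower():
            return True
    return False


# Constructed sample events (not real telemetry). 'id' is added for bookkeeping.
SAMPLE_EVENTS = [
    {   # Fires on the SrcProcCmdLine clause despite mixed case.
        "id": "e1",
        "SrcProcCmdLine": "powershell.exe -nop -c INVOKE-PHANT0M",
        "SrcProcCmdScript": "",
    },
    {   # Function renamed, but the TerminateThread literal is intact: fires on clause 2.
        "id": "e2",
        "SrcProcCmdLine": r"powershell.exe -File C:\scripts\svc.ps1",
        "SrcProcCmdScript": "function Invoke-Stub { $Kernel32::TerminateThread($getThread, 0) | Out-Null }",
    },
    {   # Benign event-log administration: no clause fires.
        "id": "e3",
        "SrcProcCmdLine": "powershell.exe -c Get-Service EventLog",
        "SrcProcCmdScript": "Get-WinEvent -LogName Security -MaxEvents 5",
    },
    {   # Only the cmdline field present; script block missing entirely.
        "id": "e4",
        "SrcProcCmdLine": "powershell.exe -c Get-Date",
    },
]


def run(events=SAMPLE_EVENTS, query=QUERY):
    """Return the ids of events the rule would flag."""
    clauses = parse_query(query)
    return [e["id"] for e in events if matches(e, clauses)]


if __name__ == "__main__":
    print(run())  # ['e1', 'e2']
```

Running it shows what the rule's description implies: a renamed wrapper function still trips the `$Kernel32::TerminateThread($getThread` clause as long as that literal is preserved, so tuning or extending the rule should start from that clause rather than from the `Invoke-Phant0m` name alone.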