title: Kill Eventlog Service Threads
description: Invoke-Phant0m specific detection (currently), catches renamed and obfuscated 
  versions by querying for the TerminateThread call.
author: keyboardcrunch
date: 10/10/2020
modified: 05/12/2020
mitre:
   tactic: Defense Evasion
   technique: T1562
   subtechnique: 002
operating_system: windows
query: SrcProcCmdLine ContainsCIS "Invoke-Phant0m" OR SrcProcCmdScript ContainsCIS
  "$Kernel32::TerminateThread($getThread" OR SrcProcCmdScript ContainsCIS "Invoke-Phant0m"
false_positives: 
tags: