Terminate Linux Process Via Kill

Aug 12, 2024 · attack.defense-evasion attack.t1562 ·

Detects usage of command line tools such as "kill", "pkill" or "killall" to terminate or signal a running process.

Sigma rule (View on GitHub)

 1title: Terminate Linux Process Via Kill
 2id: 64c41342-6b27-523b-5d3f-c265f3efcdb3
 3status: test
 4description: Detects usage of command line tools such as "kill", "pkill" or "killall" to terminate or signal a running process.
 5references:
 6    - https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html
 7    - https://www.cyberciti.biz/faq/how-force-kill-process-linux/
 8author: Tuan Le (NCSGroup)
 9date: 2023-03-16
10tags:
11    - attack.defense-evasion
12    - attack.t1562
13logsource:
14    product: linux
15    category: process_creation
16detection:
17    selection:
18        Image|endswith:
19            - '/kill'
20            - '/pkill'
21            - '/killall'
22    condition: selection
23falsepositives:
24    - Likely
25level: low

References

Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting

We detail the update that advanced persistent threat (APT) group Iron Tiger made on the custom malware family SysUpdate. In this version, we also found components that enable the malware to compromise Linux systems.

Read More
https://www.cyberciti.biz/faq/how-force-kill-process-linux/

Read More

Terminate Linux Process Via Kill

Sigma rule (View on GitHub)

References

Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting

https://www.cyberciti.biz/faq/how-force-kill-process-linux/

Related rules