Terminate Linux Process Via Kill

Feb 1, 2024 · attack.defense_evasion attack.t1562 ·

Detects usage of command line tools such as "kill", "pkill" or "killall" to terminate or signal a running process.

Sigma rule (View on GitHub)

 1title: Terminate Linux Process Via Kill
 2id: 64c41342-6b27-523b-5d3f-c265f3efcdb3
 3status: test
 4description: Detects usage of command line tools such as "kill", "pkill" or "killall" to terminate or signal a running process.
 5references:
 6    - https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html
 7    - https://www.cyberciti.biz/faq/how-force-kill-process-linux/
 8author: Tuan Le (NCSGroup)
 9date: 2023/03/16
10tags:
11    - attack.defense_evasion
12    - attack.t1562
13logsource:
14    product: linux
15    category: process_creation
16detection:
17    selection:
18        Image|endswith:
19            - '/kill'
20            - '/pkill'
21            - '/killall'
22    condition: selection
23falsepositives:
24    - Likely
25level: low

References

Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting

We detail the update that advanced persistent threat (APT) group Iron Tiger made on the custom malware family SysUpdate. In this version, we also found components that enable the malware to compromise Linux systems.

Read More
How to force kill process in Linux using kill and killall

Learn how to force kill process on the Linux using the pkill, killall and kill command line options using PID or application name.

Read More

Terminate Linux Process Via Kill

Sigma rule (View on GitHub)

References

Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting

How to force kill process in Linux using kill and killall

Related rules