Terminate Linux Process Via Kill
Detects usage of command line tools such as "kill", "pkill" or "killall" to terminate or signal a running process.
Sigma rule

```yaml
title: Terminate Linux Process Via Kill
id: 64c41342-6b27-523b-5d3f-c265f3efcdb3
status: test
description: Detects usage of command line tools such as "kill", "pkill" or "killall" to terminate or signal a running process.
references:
  - https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html
  - https://www.cyberciti.biz/faq/how-force-kill-process-linux/
author: Tuan Le (NCSGroup)
date: 2023/03/16
tags:
  - attack.defense_evasion
  - attack.t1562
logsource:
  product: linux
  category: process_creation
detection:
  selection:
    Image|endswith:
      - '/kill'
      - '/pkill'
      - '/killall'
  condition: selection
falsepositives:
  - Likely
level: low
```
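The rule's whole detection is a single `Image|endswith` selection, so it is worth seeing exactly what that matches and what it does not. The following is an added example, not part of the rule or the Sigma project: it evaluates the selection over a handful of constructed Linux process_creation events (Sysmon-for-Linux style field names) and shows a tuning filter on `ParentImage` of the kind one would add as a `filter` selection to bring the "Likely" false-positive rate down. The parent-image allowlist is a constructed assumption, not something the rule specifies.

```python
"""Evaluate the 'Terminate Linux Process Via Kill' selection over sample events (added example)."""
from typing import Dict, Iterable, List

# Values of the rule's Image|endswith selection. Sigma string matching is
# case-insensitive unless the 'cased' modifier is used, so compare lower-cased.
IMAGE_SUFFIXES = ("/kill", "/pkill", "/killall")

# Constructed tuning allowlist (assumption for this example, NOT in the rule):
# parents that routinely send signals as part of normal service management.
BENIGN_PARENT_IMAGES = {"/usr/lib/systemd/systemd", "/usr/sbin/cron"}


def matches_selection(event: Dict[str, str]) -> bool:
    """Return True if the event's Image ends with one of the rule's suffixes.

    The leading '/' in each suffix matters: '/usr/bin/skill' ends with 'kill'
    but not with '/kill', so it does not match.
    """
    image = event.get("Image", "").lower()
    return any(image.endswith(suffix) for suffix in IMAGE_SUFFIXES)


def is_filtered(event: Dict[str, str]) -> bool:
    """Constructed tuning filter: drop events spawned by allowlisted parents."""
    return event.get("ParentImage", "") in BENIGN_PARENT_IMAGES


def detect(events: Iterable[Dict[str, str]], apply_filter: bool = False) -> List[Dict[str, str]]:
    """Apply 'condition: selection' (optionally 'selection and not filter')."""
    hits = []
    for event in events:
        if not matches_selection(event):
            continue
        if apply_filter and is_filtered(event):
            continue
        hits.append(event)
    return hits


# Constructed sample process_creation events for demonstration only.
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/kill", "CommandLine": "kill -TERM 4242", "ParentImage": "/bin/bash"},
    {"Image": "/usr/bin/pkill", "CommandLine": "pkill -f myapp", "ParentImage": "/bin/bash"},
    {"Image": "/usr/bin/killall", "CommandLine": "killall -9 node", "ParentImage": "/usr/lib/systemd/systemd"},
    {"Image": "/usr/bin/KILL", "CommandLine": "KILL 77", "ParentImage": "/bin/sh"},  # case-insensitive match
    {"Image": "/usr/bin/skill", "CommandLine": "skill -STOP 99", "ParentImage": "/bin/bash"},  # no match
    {"Image": "/usr/bin/ls", "CommandLine": "ls -la", "ParentImage": "/bin/bash"},  # no match
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("ALERT (level: low):", hit["Image"], "|", hit["CommandLine"])
    print("after parent filter:", len(detect(SAMPLE_EVENTS, apply_filter=True)), "hits")
```

Two practical points follow from running this. First, the rule keys on the executed image only, so `bash`'s and `sh`'s built-in `kill` (which sends the signal without exec'ing `/usr/bin/kill`) never produces a matching process_creation event; coverage depends on the shell actually spawning the external binary. Second, because the selection ignores `CommandLine`, the signal and target are only available at triage time, which is why the rule ships at level `low` and why a `filter` on parent image or command line is the usual way to tune it.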
Related rules
- HackTool - EDRSilencer Execution - Filter Added
- Sysmon Application Crashed
- Windows Defender Exclusions Added - PowerShell
- Windows Firewall Disabled via PowerShell
- Write Protect For Storage Disabled