Threat Feed advisory (severity: high)

Linux Defense Impairment via Process Termination

Detection of 'pkill' command execution on Linux systems, a technique used by threat actors to disable security defenses or terminate critical processes, potentially leading to data corruption or destruction.

This threat brief focuses on the malicious use of the pkill command on Linux systems. Threat actors leverage pkill to terminate processes related to security defenses or other critical system functions. The identification of this behavior is crucial for defenders as it signifies an active attempt to impair security controls and evade detection. The observed activity allows further malicious actions and can result in the complete shutdown or disabling of endpoint detection and response agents. This ultimately leads to increased dwell time and potential data exfiltration or destruction. The analytic identifies executions of pkill via command-line arguments and process names.

Attack Chain

  1. An attacker gains initial access to a Linux system (e.g., via compromised credentials or exploiting a vulnerability).
  2. The attacker executes a reconnaissance command, such as ps, to identify running processes, including security tools.
  3. The attacker uses pkill or pgrep to identify specific process IDs of targeted security applications.
  4. The attacker executes pkill <PID> to terminate the targeted security processes.
  5. The attacker confirms the successful termination of the security process using ps or similar commands.
  6. With security defenses impaired, the attacker executes malicious code (e.g., malware, scripts) without immediate detection.
  7. The attacker moves laterally within the network to compromise additional systems.
  8. The attacker achieves their objective, which may include data exfiltration, data encryption (ransomware), or system destruction.

Impact

Successful execution of pkill against security applications can severely impair an organization’s ability to detect and respond to threats. This can lead to prolonged dwell time for attackers, enabling them to move laterally within the network, exfiltrate sensitive data, deploy ransomware, or cause irreparable damage to systems. The lack of immediate detection increases the potential for significant financial and reputational damage.

Recommendation

  • Enable Sysmon for Linux Event ID 1 to capture process creation events, which are essential for detecting pkill executions.
  • Deploy the provided Sigma rules to your SIEM to detect suspicious pkill command-line executions.
  • Investigate any alerts generated by these rules to determine the legitimacy of the pkill execution and identify potentially compromised systems.
  • Tune the Sigma rules in this brief for your environment by filtering out known benign uses of pkill by administrators.

Detection coverage (2 rules)

Linux - Impair Defenses - Process Kill via pkill

Severity: high

Detects execution of the pkill command, which is used to terminate processes. Threat actors often use pkill to disable security defenses or terminate critical processes, facilitating further malicious actions.

Format: sigma. Tactics: defense_evasion. Sources: process_creation, linux

Linux - Impair Defenses - Process Kill via pgrep

Severity: medium

Detects execution of the pgrep command, which is used to find the process IDs of processes selected for termination. Threat actors often use pgrep as a precursor to disabling security defenses or terminating critical processes, facilitating further malicious actions.

Format: sigma. Tactics: defense_evasion. Sources: process_creation, linux

Detection queries are kept inside the platform.
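Added example, not the vendor's rules or detection engine: a toy Sigma-style matcher that applies the two rules above, together with the benign-use tuning filter the recommendations call for, to constructed Sysmon for Linux Event ID 1 records. The `edr-agent` process name and the `deploy-restart.sh` parent script are assumed placeholders.

```python
"""Sigma-style evaluation of the two rules in this brief over constructed Sysmon
for Linux Event ID 1 (process creation) records. Toy matcher, not the vendor's."""

# Sigma convention: blocks in a selection list are ORed, keys in a block ANDed,
# values in a list ORed. Field names follow Sysmon's ProcessCreate event.
RULES = [
    {"title": "Linux - Impair Defenses - Process Kill via pkill", "level": "high",
     "selection": [{"Image|endswith": ["/pkill"]}, {"CommandLine|startswith": ["pkill "]}]},
    {"title": "Linux - Impair Defenses - Process Kill via pgrep", "level": "medium",
     "selection": [{"Image|endswith": ["/pgrep"]}, {"CommandLine|startswith": ["pgrep "]}]},
]

# Tuning filter (assumption for this example): pkill run by a known ops deployment
# script as root is a benign service restart and is suppressed, as the brief recommends.
BENIGN_FILTER = {"ParentImage|endswith": ["/deploy-restart.sh"], "User": ["root"]}

_OPS = {"": str.__eq__, "endswith": str.endswith, "startswith": str.startswith}

def _field_matches(event, key, values):
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, ""))
    return any(_OPS[modifier](actual, v) for v in values)

def _block_matches(event, block):
    return all(_field_matches(event, k, v) for k, v in block.items())

def evaluate(event, rules=RULES, benign_filter=BENIGN_FILTER):
    """Return [(title, level), ...] for the rules that fire on one event."""
    if _block_matches(event, benign_filter):
        return []
    return [(r["title"], r["level"]) for r in rules
            if any(_block_matches(event, b) for b in r["selection"])]

# Constructed records mimicking parsed Sysmon for Linux Event ID 1 entries;
# "edr-agent" is a placeholder process name, not a real product.
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/pgrep", "CommandLine": "pgrep -f edr-agent",
     "ParentImage": "/bin/bash", "User": "www-data"},
    {"Image": "/usr/bin/pkill", "CommandLine": "pkill -9 -f edr-agent",
     "ParentImage": "/bin/bash", "User": "www-data"},
    {"Image": "/usr/bin/pkill", "CommandLine": "pkill -HUP nginx",
     "ParentImage": "/opt/ops/deploy-restart.sh", "User": "root"},
    {"Image": "/usr/bin/ps", "CommandLine": "ps aux",
     "ParentImage": "/bin/bash", "User": "www-data"},
]

def alerts(events=SAMPLE_EVENTS):
    """Alerts as (CommandLine, level) tuples; the tuned benign case is dropped."""
    return [(e["CommandLine"], hit[1]) for e in events for hit in evaluate(e)]
```

The CommandLine clause catches pkill invoked through a multi-call binary whose Image is not `/usr/bin/pkill`, which the Image check alone would miss.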