KQL · License: Elastic-2.0 · from elastic/detection-rules
Kill Command Execution
Rule source: rules/linux/defense_evasion_kill_command_executed.toml
event.category:process and host.os.type:linux and event.type:start and event.action:exec and
process.name:(kill or pkill or killall) and not (
process.args:("-HUP" or "-SIGUSR1" or "-USR2" or "-WINCH" or "-USR1") or
process.parent.command_line:"runc init" or
process.parent.executable:(
"/usr/lib/systemd/systemd" or "/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent" or "/bin/xargs" or
"/usr/bin/xargs" or "/usr/bin/sudo" or "/usr/sbin/safe_asterisk" or "/usr/local/manageengine/uems_agent/bin/dcservice" or
"/lib/systemd/systemd" or "/opt/nessus_agent/sbin/nessuscli" or "/etc/rubrik/start_stop_bootstrap.sh" or
"/usr/local/manageengine/uems_agent/bin/dcpatchscan")
)