From a035aa038501c78f27a2eb0cdca145207fae8596 Mon Sep 17 00:00:00 2001
From: tuan
Date: Tue, 21 Mar 2023 04:04:26 +0700
Subject: [PATCH] feat: new rule related to process termination using `kill` (#4112)

---
 .../proc_creation_lnx_kill_process.yml | 25 +++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 rules/linux/process_creation/proc_creation_lnx_kill_process.yml

diff --git a/rules/linux/process_creation/proc_creation_lnx_kill_process.yml b/rules/linux/process_creation/proc_creation_lnx_kill_process.yml
new file mode 100644
index 000000000..bd8566d6f
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_kill_process.yml
@@ -0,0 +1,25 @@
+title: Terminate Linux Process Via Kill
+id: 64c41342-6b27-523b-5d3f-c265f3efcdb3
+status: experimental
+description: Detects usage of command line tools such as "kill", "pkill" or "killall" to terminate or signal a running process.
+references:
+ - https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html
+ - https://www.cyberciti.biz/faq/how-force-kill-process-linux/
+author: Tuan Le (NCSGroup)
+date: 2023/03/16
+tags:
+ - attack.defense_evasion
+ - attack.t1562
+logsource:
+ product: linux
+ category: process_creation
+detection:
+ selection:
+ Image|endswith:
+ - '/kill'
+ - '/pkill'
+ - '/killall'
+ condition: selection
+falsepositives:
+ - Likely
+level: low
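Review bot: The `selection` block matches on `Image|endswith` alone, with no CommandLine or parent-process constraint, so the rule fires on every routine invocation of kill/pkill/killall and gives an analyst nothing to distinguish administrative use from the process-termination behaviour in the Trend Micro reference. The `falsepositives` entry `- Likely` does not help triage either; Sigma rules normally name the expected legitimate sources, e.g. `- Administrators and maintenance scripts terminating services or stale processes`. Note also that `kill` is a shell builtin in bash and most POSIX shells, so process_creation logs only see explicit executions of the external binary; that coverage gap is worth stating in the description so consumers do not assume every kill is logged. If the intent is to catch termination of security tooling as in the reference, a narrower companion selection on the command line (documented as such) would justify a higher level than `low`.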