# Endpoint behavior rule (macOS): alert on, and by default terminate, a Python
# interpreter that spawns the `killall` binary. Every key from here to the
# first [[actions]] header belongs to the [rule] table.
[rule]
description = "Detects when Python executes the Killall binary in order to kill a process."
id = "3e176b0d-3dfd-44ae-8b75-9569463edde5"
license = "Elastic License v2"
name = "Killall Execution via Python"
# Platform scope of the rule; the query below assumes the macOS `killall`.
os_list = ["macos"]
version = "1.0.2"
# EQL query. Matches a process-start (exec) event whose parent's name begins
# with "python" and whose own name is exactly "killall". `like~` is the
# case-insensitive wildcard comparison, so python3 / Python3.11 style parent
# names also match; `process.name` uses an exact comparison.
# Tuning note: admin or developer scripts that manage processes from Python may
# trigger this; scope any exception narrowly (e.g. by the parent's command line
# or signer) rather than broadening the parent-name pattern.
query = '''
process where event.type == "start" and event.action == "exec" and process.parent.name like~ "python*" and process.name == "killall"
'''
# Minimum Endpoint version that can evaluate this rule. The same value is
# repeated under [internal] at the end of the file; keep both in sync.
min_endpoint_version = "8.10.2"
# No additional user-selectable actions are offered for this rule.
optional_actions = []
# Response on match: the process identified by process.parent.entity_id is
# terminated, i.e. the Python interpreter that launched killall, not killall
# itself (which has likely already run by the time the event is processed).
[[actions]]
action = "kill_process"
field = "process.parent.entity_id"
# NOTE(review): the meaning of `state` is not defined in this file; confirm
# against the rule schema before changing it.
state = 0
# MITRE ATT&CK mapping: Impair Defenses (T1562) / Disable or Modify Tools
# (T1562.001) under the Defense Evasion tactic (TA0005).
[[threat]]
framework = "MITRE ATT&CK"
[[threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"
[threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[internal]
# Mirrors [rule].min_endpoint_version above.
min_endpoint_version = "8.10.2"