
pkill

pkill is a BSD-derived utility shipped with macOS that sends a signal (SIGTERM unless another is given) to every process whose name or, with -f, full command line matches an extended regular expression. While intended for legitimate process management, threat actors abuse pkill to terminate security agents, logging and monitoring daemons, or user applications for defense evasion (ATT&CK T1562.001, Impair Defenses: Disable or Modify Tools). It is attractive as a Living Off the Land technique because it is already on every Mac, so no custom binary has to be dropped on the system.

Author: Jason Phang Vern - Onn Created: 2025-09-08

Paths

/usr/bin/pkill

Example Use Cases

Kill security tools

Send SIGTERM to defensive processes such as firewalls, AV agents, or telemetry collectors. With -f the pattern is matched against each process's full command line rather than only its name, and because the pattern is an extended regular expression, alternation with | covers several tools in one call. Two caveats shape how this is used: an unprivileged user can only signal processes running under the same UID, so killing agents that run as root fails with EPERM unless pkill itself runs as root, and daemons that launchd keeps alive are relaunched right away, so the kill produces only a short gap unless the launchd job is also removed. That gap, and the relaunch, are themselves detectable.

pkill -f "Little Snitch|ESET|osqueryd|Falcon"

Force kill processes with SIGKILL

Use -9 (SIGKILL) to forcefully terminate processes that ignore or handle SIGTERM. SIGKILL cannot be caught, blocked, or ignored by the target, so it ends processes that deliberately survive a normal termination request. It does not bypass kernel permission checks, and security agents built on Apple's Endpoint Security framework can deny the signal through the ES_EVENT_TYPE_AUTH_SIGNAL authorization event before it is delivered.

pkill -9 osqueryd

Kill all processes for a user

Terminate every process whose effective user ID belongs to the named user (-U selects by real UID instead). Run against an interactive user this also ends that user's GUI session and any user-level monitoring agents; pkill never signals itself, so the invoking shell survives only if it runs as a different user.

pkill -u username

Kill logging and monitoring daemons

Terminate system logging and monitoring processes to reduce the telemetry available to defenders. On macOS the matching daemons (syslogd, which the syslog pattern also covers, and auditd) run as root and are restarted by launchd, so a successful kill only interrupts logging briefly; the missing events and the restart are a detection opportunity in themselves.

pkill -f "syslog|auditd|osqueryd|esensor|nessusd"

Kill process by exact name match

Use the -x flag to require the whole process name to match the pattern rather than any substring, which avoids hitting unrelated processes that share a fragment of the name. Without -f the comparison is against the process name the kernel stores: the executable's base name, which for Safari is Safari rather than the bundle identifier com.apple.Safari, and which macOS truncates to 16 characters, so longer names need -f or a pattern that matches the truncated form. Preview the match set with pgrep -lx before killing.

pkill -x Safari

Detections

  • Process execution monitoring: pkill (and kill, killall) launched with arguments naming security tools, with -u, or with -9, especially from an unusual parent such as a script interpreter, a browser, or an Office application
  • Endpoint Detection: unexpected termination or launchd relaunch of security-agent processes, and gaps in agent heartbeats or log delivery
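The first bullet as working detection logic, added here as an example rather than code from the LOOBins page or its author. The script classifies the command lines of pkill and killall invocations, then runs the rule over a few constructed process-execution events in an assumed "<timestamp> uid=<n> <command line>" format; the watchlist reuses the tool names from this page plus falcond and syslogd, which are assumptions to tune for your environment.

```shell
#!/bin/sh
# Added example, not part of the original page: classify pkill/killall command
# lines from process-execution events. The event format "<timestamp> uid=<n>
# <command line>" and the sample events are constructed for this example; a
# real feed would be EDR telemetry or `log stream --predicate 'process == "pkill"'`.

# Extended-regex watchlist of security-tool process names. Names are the ones
# used on this page plus falcond and syslogd (assumed); tune it to your estate.
WATCHLIST='osqueryd|falcond|Falcon|ESET|Little Snitch|esensor|nessusd|syslogd|auditd'

# classify_cmd CMDLINE
# Prints one verdict: benign, kill_security_tool, kill_user_session, force_kill.
classify_cmd() {
    cmd=$1
    case "$cmd" in
        pkill*|killall*) ;;          # only process-killing utilities are scored
        *) echo benign; return 0 ;;
    esac
    if printf '%s\n' "$cmd" | grep -Eq -- "$WATCHLIST"; then
        echo kill_security_tool     # pattern or name hits a security tool
    elif printf '%s\n' "$cmd" | grep -Eq -- '(^| )-u '; then
        echo kill_user_session      # pkill -u <user>: whole-user termination
    elif printf '%s\n' "$cmd" | grep -Eq -- '(^| )-(9|KILL|SIGKILL)( |$)'; then
        echo force_kill             # SIGKILL, which the target cannot handle
    else
        echo benign
    fi
}

# Constructed sample events (mirroring the commands shown on this page).
SAMPLE_EVENTS='2025-09-08T10:01:12Z uid=501 pkill -f "Little Snitch|ESET|osqueryd|Falcon"
2025-09-08T10:01:40Z uid=0 pkill -9 osqueryd
2025-09-08T10:02:03Z uid=501 pkill -u jdoe
2025-09-08T10:02:30Z uid=501 pkill -x Safari
2025-09-08T10:03:00Z uid=501 ls -la'

# scan_events: print one ALERT line per non-benign event.
scan_events() {
    printf '%s\n' "$SAMPLE_EVENTS" | while IFS= read -r line; do
        ts=${line%% *}; rest=${line#* }
        uid=${rest%% *}; cmd=${rest#* }
        verdict=$(classify_cmd "$cmd")
        if [ "$verdict" != benign ]; then
            printf 'ALERT %s %s %s :: %s\n' "$verdict" "$ts" "$uid" "$cmd"
        fi
    done
}

# count_alerts: number of alerts raised over the sample events (3 here).
count_alerts() {
    scan_events | wc -l | tr -d ' '
}

scan_events
```

The order of the checks matters: a SIGKILL aimed at osqueryd is reported as an attack on a security tool, not merely as a force kill, and `pkill -x Safari` stays benign because killing a user application alone is routine. In production the verdict would be joined with the parent process and the invoking UID, since `pkill -9 osqueryd` from a root launchd job is maintenance while the same line from a shell spawned by a browser is not.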

Resources