facebookincubator / TTPForge / 15936554947

27 Jun 2025 09:44PM UTC coverage: 65.927%. First build
Pull #541

facebook-github-bot
Adding Kill Action to TTPForge (#541)

Summary:

# Adding Kill Action to TTPForge
## Summary
This diff introduces a new feature to the TTPForge framework, enabling the simulation of process killing on various operating systems, including Linux, macOS, and Windows. This feature allows for more realistic and complex attack scenarios. The implementation includes action code, unit tests, utility functions & their tests, and example TTPs for Unix and Windows systems.

## Context
Many malware variants employ process killing as a tactic to create fake processes, facilitate DLL hijacking, and achieve other malicious objectives. Currently, TTPForge developers must manually rewrite the process killing code for each new implementation, which can be time-consuming and inefficient. With this update, we aim to streamline the development process by providing a reusable framework for process killing, thereby empowering developers to focus on creating more complex and realistic TTPs. 

## Impact
The added functionality allows for more realistic attack simulations, ultimately enhancing the security posture of organizations using the framework.

## Fields
You can specify the following YAML fields for the `kill_process:` action:
- `kill_process_id:` (type: `string`) the process ID of the process that you wish to kill
- `kill_process_name:` (type: `string`) the process name of the processes that you wish to kill

## Note
* If both `kill_process_id` and `kill_process_name` are specified, the action will only terminate the process with the specified process ID.

## References
* [TTPForge](https://github.com/facebookincubator/TTPForge/)
* [TTPForge Wiki](https://www.internalfb.com/wiki/Offensive_Security_Group/Projects/TTPForge_0/) 
* [TTPForge Developer Guide](https://www.internalfb.com/wiki/Offensive_Security_Group/Projects/TTPForge_0/Developer_Guide/)
* [Guide to Creating New TTPs in TTPForge](https://docs.google.com/document/d/1jJdg1A-SdlyKH_t3MLK5Vjh5LveGUTCujX... (continued)
Pull Request #541: Adding Kill Action to TTPForge

89 of 105 new or added lines in 3 files covered. (84.76%)

2198 of 3334 relevant lines covered (65.93%)

17.23 hits per line

Source File

73.33
/pkg/processutils/processutils.go


Source Not Available
