Elastic Agent Service Terminatededit
Identifies the Elastic endpoint agent has stopped and is no longer running on the host. Adversaries may attempt to disable security monitoring tools in an attempt to evade detection or prevention capabilities during an intrusion. This may also indicate an issue with the agent itself and should be addressed to ensure defensive measures are back in a stable state.
Rule type: eql
Rule indices:
- logs-*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References: None
Tags:
- Elastic
- Host
- Linux
- Windows
- macOS
- Threat Detection
- Defense Evasion
Version: 100
Rule authors:
- Elastic
Rule license: Elastic License v2
Investigation guideedit
Rule queryedit
process where
/* net, sc or wmic stopping or deleting Elastic Agent on Windows */
(event.type == "start" and
process.name : ("net.exe", "sc.exe", "wmic.exe","powershell.exe","taskkill.exe","PsKill.exe","ProcessHacker.exe") and
process.args : ("stopservice","uninstall", "stop", "disabled","Stop-Process","terminate","suspend") and
process.args : ("elasticendpoint", "Elastic Agent","elastic-agent","elastic-endpoint"))
or
/* service or systemctl used to stop Elastic Agent on Linux */
(event.type == "end" and
(process.name : ("systemctl", "service") and
process.args : "elastic-agent" and
process.args : "stop")
or
/* Unload Elastic Agent extension on MacOS */
(process.name : "kextunload" and
process.args : "com.apple.iokit.EndpointSecurity" and
event.action : "end"))
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
-
Technique:
- Name: Impair Defenses
- ID: T1562
- Reference URL: https://attack.mitre.org/techniques/T1562/
-
Sub-technique:
- Name: Disable or Modify Tools
- ID: T1562.001
- Reference URL: https://attack.mitre.org/techniques/T1562/001/