Elastic Agent Service Terminated
Identifies when the Elastic endpoint agent has stopped and is no longer running on the host. Adversaries may attempt to disable security monitoring tools to evade detection or prevention capabilities during an intrusion. The alert may also indicate a problem with the agent itself, which should be addressed so that defensive measures return to a stable state.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2022/05/23"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies the Elastic endpoint agent has stopped and is no longer running on the host. Adversaries may attempt to
disable security monitoring tools in an attempt to evade detection or prevention capabilities during an intrusion. This
may also indicate an issue with the agent itself and should be addressed to ensure defensive measures are back in a
stable state.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Elastic Agent Service Terminated"
risk_score = 47
rule_id = "b627cd12-dac4-11ec-9582-f661ea17fbcd"
setup = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Linux",
    "OS: Windows",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where
/* net, sc or wmic stopping or deleting Elastic Agent on Windows */
(event.type == "start" and
 process.name : ("net.exe", "sc.exe", "wmic.exe","powershell.exe","taskkill.exe","PsKill.exe","ProcessHacker.exe") and
 process.args : ("stopservice","uninstall", "stop", "disabled","Stop-Process","terminate","suspend") and
 process.args : ("elasticendpoint", "Elastic Agent","elastic-agent","elastic-endpoint"))
or
/* service or systemctl used to stop Elastic Agent on Linux */
(event.type == "end" and
 (process.name : ("systemctl", "service") and
 process.args : "elastic-agent" and
 process.args : ("stop", "disable"))
 or
 /* pkill , killall used to stop Elastic Agent on Linux */
 ( event.type == "end" and process.name : ("pkill", "killall") and process.args: "elastic-agent")
 or
 /* Unload Elastic Agent extension on MacOS */
 (process.name : "kextunload" and
 process.args : "com.apple.iokit.EndpointSecurity" and
 event.action : "end"))
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Elastic Agent Service Terminated

The Elastic Agent is a crucial component for monitoring and securing endpoints across various operating systems. It ensures continuous security oversight by collecting and analyzing data. Adversaries may attempt to disable this agent to evade detection, compromising system defenses. The detection rule identifies suspicious termination activities by monitoring specific processes and commands across Windows, Linux, and macOS, flagging potential defense evasion attempts.

### Possible investigation steps

- Review the event logs to identify the exact process and command used to terminate the Elastic Agent, focusing on the process names and arguments such as "net.exe", "sc.exe", "systemctl", and "pkill" with arguments like "stop", "uninstall", or "disable".
- Check the timeline of events around the termination to identify any preceding suspicious activities or anomalies that might indicate an adversary's presence or actions.
- Investigate the user account associated with the process termination to determine if it was authorized or if there are signs of account compromise.
- Examine the host for any other signs of tampering or compromise, such as unauthorized changes to system configurations or the presence of other malicious processes.
- Verify the current status of the Elastic Agent on the affected host and attempt to restart it if it is not running, ensuring that security monitoring is restored.
- Correlate this event with other alerts or logs from the same host or network to identify potential patterns or coordinated attack activities.

### False positive analysis

- Routine maintenance activities may trigger the rule if administrators use commands like systemctl or service to stop the Elastic Agent for updates or configuration changes. To manage this, create exceptions for known maintenance windows or authorized personnel.
- Automated scripts or deployment tools that temporarily disable the Elastic Agent during software installations or updates can cause false positives. Identify these scripts and whitelist their execution paths or specific arguments.
- Testing environments where Elastic Agent is frequently started and stopped for development purposes might generate alerts. Exclude these environments by specifying their hostnames or IP addresses in the rule exceptions.
- Security tools or processes that interact with the Elastic Agent, such as backup solutions or system monitoring tools, might inadvertently stop the service. Review these interactions and adjust the rule to ignore specific process names or arguments associated with these tools.
- User-initiated actions, such as troubleshooting or system performance optimization, may involve stopping the Elastic Agent. Educate users on the impact of these actions and establish a protocol for notifying the security team when such actions are necessary.

### Response and remediation

- Immediately isolate the affected host from the network to prevent further unauthorized access or potential lateral movement by adversaries.
- Verify the status of the Elastic Agent on the affected host and attempt to restart the service. If the service fails to restart, investigate potential causes such as corrupted files or missing dependencies.
- Conduct a thorough review of recent process execution logs on the affected host to identify any unauthorized or suspicious activities that may have led to the termination of the Elastic Agent.
- If malicious activity is confirmed, perform a comprehensive malware scan and remove any identified threats. Ensure that the host is clean before reconnecting it to the network.
- Review and update endpoint security configurations to prevent unauthorized termination of security services. This may include implementing stricter access controls or using application whitelisting.
- Escalate the incident to the security operations team for further analysis and to determine if additional hosts are affected or if there is a broader security incident underway.
- Document the incident, including all actions taken and findings, to enhance future response efforts and update incident response plans as necessary."""

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"

[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
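As an added example that is not part of Elastic's rule or the detection-rules project, the query's conditions above are re-implemented in Python and run over constructed process events, so you can see which command lines each branch does and does not catch. The events are fabricated sample data with ECS-style dotted field names, and `eql_match` is only an approximation of EQL's `:` operator (case-insensitive, wildcard-aware, true if any element of an array field such as process.args matches); nothing here talks to Elasticsearch.

```python
"""Added example (not Elastic's code): the "Elastic Agent Service Terminated"
EQL conditions as Python, evaluated over constructed ECS-style process events."""

from fnmatch import fnmatchcase
from typing import Optional

# Literal lists copied from the rule's query.
WINDOWS_TOOLS = ("net.exe", "sc.exe", "wmic.exe", "powershell.exe",
                 "taskkill.exe", "PsKill.exe", "ProcessHacker.exe")
WINDOWS_VERBS = ("stopservice", "uninstall", "stop", "disabled",
                 "Stop-Process", "terminate", "suspend")
AGENT_NAMES = ("elasticendpoint", "Elastic Agent", "elastic-agent", "elastic-endpoint")


def eql_match(value, patterns) -> bool:
    """Approximate EQL `field : (p1, p2, ...)` on a keyword field: case-insensitive,
    `*`/`?` wildcards, and true when ANY element of an array field matches."""
    if value is None:
        return False
    values = value if isinstance(value, list) else [value]
    if isinstance(patterns, str):
        patterns = (patterns,)
    return any(fnmatchcase(str(v).lower(), p.lower()) for v in values for p in patterns)


def eql_eq(value, literal) -> bool:
    """EQL `field == "x"`; ECS event.type is an array in real data, so accept any element."""
    return literal in value if isinstance(value, list) else value == literal


def rule_matches(ev: dict) -> Optional[str]:
    """Return the name of the rule branch the event satisfies, or None."""
    if ev.get("event.category") != "process":          # `process where ...`
        return None
    name, args = ev.get("process.name"), ev.get("process.args")
    etype, action = ev.get("event.type"), ev.get("event.action")

    # Windows: a service/kill tool STARTING with a stop-like verb AND the agent's
    # name as separate argument tokens.
    if (eql_eq(etype, "start") and eql_match(name, WINDOWS_TOOLS)
            and eql_match(args, WINDOWS_VERBS) and eql_match(args, AGENT_NAMES)):
        return "windows_service_tool"
    # Linux: the rule keys on the process END event for systemctl/service stop|disable ...
    if (eql_eq(etype, "end") and eql_match(name, ("systemctl", "service"))
            and eql_match(args, "elastic-agent") and eql_match(args, ("stop", "disable"))):
        return "linux_service_manager"
    # ... and for pkill/killall naming the agent.
    if (eql_eq(etype, "end") and eql_match(name, ("pkill", "killall"))
            and eql_match(args, "elastic-agent")):
        return "linux_kill"
    # macOS: unloading the Endpoint Security kext, keyed on event.action rather than event.type.
    if (eql_match(name, "kextunload")
            and eql_match(args, "com.apple.iokit.EndpointSecurity") and eql_match(action, "end")):
        return "macos_kextunload"
    return None


def process_event(etype, name, args, action=None) -> dict:
    """Build a constructed ECS-style process event (sample data, not real telemetry)."""
    ev = {"event.category": "process", "event.type": etype,
          "process.name": name, "process.args": args}
    if action is not None:
        ev["event.action"] = action
    return ev


# Constructed sample events; the comment on each states what the rule does with it.
SAMPLE_EVENTS = [
    process_event("start", "SC.EXE", ["SC.EXE", "STOP", "Elastic Agent"]),        # match: ':' ignores case
    process_event("start", "sc.exe", ["sc.exe", "stop", "Spooler"]),              # no agent name -> no match
    process_event("start", "taskkill.exe",
                  ["taskkill.exe", "/F", "/IM", "elastic-agent.exe"]),            # no listed verb token, and
                                                                                  # 'elastic-agent.exe' != 'elastic-agent' -> no match
    process_event("start", "systemctl", ["systemctl", "stop", "elastic-agent"]),  # Linux branch needs event.type 'end' -> no match
    process_event(["end"], "systemctl", ["systemctl", "stop", "elastic-agent"]),  # match (array-valued event.type)
    process_event("end", "systemctl", ["systemctl", "status", "elastic-agent"]),  # status is not stop/disable -> no match
    process_event("end", "pkill", ["pkill", "-9", "elastic-agent"]),              # match
    process_event("end", "kextunload",
                  ["kextunload", "-b", "com.apple.iokit.EndpointSecurity"], action="end"),  # match
]


def run(events) -> list:
    """Evaluate the rule over a batch of events; returns (index, branch) for each hit."""
    return [(i, rule_matches(ev)) for i, ev in enumerate(events) if rule_matches(ev)]


if __name__ == "__main__":
    for i, branch in run(SAMPLE_EVENTS):
        print(f"event {i}: {branch}")
```

Two things the sample set makes visible: the Windows branch fires on the tool's start event and requires both a verb and an agent-name token to appear as exact argument elements, so `taskkill /F /IM elastic-agent.exe` is not covered by the query as written, while the Linux branches fire only on the process end event, so a `systemctl stop elastic-agent` whose end event never arrives produces no alert. Either gap is an argument for pairing this rule with an agent heartbeat or uninstall-tamper control rather than relying on it alone.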
Related rules
- WebServer Access Logs Deleted
- AWS SSM `SendCommand` with Run Shell Command Parameters
- Hidden Files and Directories via Hidden Flag
- Masquerading Space After Filename
- Potential Cookies Theft via Browser Debugging