Elastic Agent Service Terminated
Identifies that the Elastic endpoint agent has stopped and is no longer running on the host. Adversaries may disable security monitoring tools in an attempt to evade detection or prevention capabilities during an intrusion. This may also indicate an issue with the agent itself, which should be addressed to ensure defensive measures are back in a stable state.
# Rule-repository metadata. `integration` names the Fleet integration ("endpoint")
# whose data stream the `index` pattern under [rule] reads.
[metadata]
creation_date = "2022/05/23"
integration = ["endpoint"]
maturity = "production"
# NOTE(review): presumably bumped whenever the rule body changes — confirm the repo convention.
updated_date = "2024/10/18"
6
[rule]
author = ["Elastic"]
description = """
Identifies the Elastic endpoint agent has stopped and is no longer running on the host. Adversaries may attempt to
disable security monitoring tools in an attempt to evade detection or prevention capabilities during an intrusion. This
may also indicate an issue with the agent itself and should be addressed to ensure defensive measures are back in a
stable state.
"""
# Look-back window for each run. Because of `timestamp_override` below it is applied to
# `event.ingested`, which is why the `setup` text requires that field to be populated on
# indices not written by Elastic Agent.
from = "now-9m"
# Elastic Defend process events; matches `integration = ["endpoint"]` in [metadata]
# and the "Data Source: Elastic Defend" tag.
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Elastic Agent Service Terminated"
# Paired with `severity = "medium"` below.
risk_score = 47
rule_id = "b627cd12-dac4-11ec-9582-f661ea17fbcd"
setup = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = [
 "Domain: Endpoint",
 "OS: Linux",
 "OS: Windows",
 "OS: macOS",
 "Use Case: Threat Detection",
 "Tactic: Defense Evasion",
 "Data Source: Elastic Defend",
]
# Evaluate the `from` window against ingest time rather than @timestamp so that
# events arriving late are still considered.
timestamp_override = "event.ingested"
type = "eql"
# Three OS-specific branches, all over process events (`:` is EQL's case-insensitive match):
#   Windows - a service/process-control tool starts with a stop/disable-style verb AND an
#             Elastic Agent/Endpoint name among its arguments.
#   Linux   - systemctl/service with "elastic-agent" plus stop/disable, or pkill/killall
#             with "elastic-agent", observed at process end.
#   macOS   - kextunload of the EndpointSecurity kext, observed at process end.
# NOTE(review): in the Linux group the leading `event.type == "end" and` binds only to the
# systemctl/service clause (`and` binds tighter than `or`); the pkill/killall clause carries
# its own `event.type == "end"`, and the macOS clause filters on `event.action : "end"`
# rather than `event.type` — confirm that difference is intended.
# NOTE(review): the Windows branch's EQL comment mentions deletion, but no delete-style verb
# appears in its first argument list — confirm whether "uninstall" is meant to cover that case.
query = '''
process where
/* net, sc or wmic stopping or deleting Elastic Agent on Windows */
(event.type == "start" and
 process.name : ("net.exe", "sc.exe", "wmic.exe","powershell.exe","taskkill.exe","PsKill.exe","ProcessHacker.exe") and
 process.args : ("stopservice","uninstall", "stop", "disabled","Stop-Process","terminate","suspend") and
 process.args : ("elasticendpoint", "Elastic Agent","elastic-agent","elastic-endpoint"))
or
/* service or systemctl used to stop Elastic Agent on Linux */
(event.type == "end" and
 (process.name : ("systemctl", "service") and
 process.args : "elastic-agent" and
 process.args : ("stop", "disable"))
 or
 /* pkill , killall used to stop Elastic Agent on Linux */
 ( event.type == "end" and process.name : ("pkill", "killall") and process.args: "elastic-agent")
 or
 /* Unload Elastic Agent extension on MacOS */
 (process.name : "kextunload" and
 process.args : "com.apple.iokit.EndpointSecurity" and
 event.action : "end"))
'''
64
# MITRE ATT&CK mapping: a single threat element; the technique, sub-technique and
# tactic headers that follow all belong to this same [[rule.threat]] entry.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"

[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"

# Tactic of the threat element above; consistent with the "Tactic: Defense Evasion" tag in [rule].
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"