Elastic Agent Service Terminated

Identifies that the Elastic endpoint agent has stopped and is no longer running on the host. Adversaries may attempt to disable security monitoring tools in an attempt to evade detection or prevention capabilities during an intrusion. This may also indicate an issue with the agent itself and should be addressed to ensure defensive measures are back in a stable state.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2022/05/23"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
integration = ["endpoint"]

[rule]
author = ["Elastic"]
description = """
Identifies the Elastic endpoint agent has stopped and is no longer running on the host. Adversaries may attempt to
disable security monitoring tools in an attempt to evade detection or prevention capabilities during an intrusion. This
may also indicate an issue with the agent itself and should be addressed to ensure defensive measures are back in a
stable state.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Elastic Agent Service Terminated"
note = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
"""
risk_score = 47
rule_id = "b627cd12-dac4-11ec-9582-f661ea17fbcd"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where
/* net, sc or wmic stopping or deleting Elastic Agent on Windows */
(event.type == "start" and
  process.name : ("net.exe", "sc.exe", "wmic.exe","powershell.exe","taskkill.exe","PsKill.exe","ProcessHacker.exe") and
  process.args : ("stopservice","uninstall", "stop", "disabled","Stop-Process","terminate","suspend") and
  process.args : ("elasticendpoint", "Elastic Agent","elastic-agent","elastic-endpoint"))
or
/* service or systemctl used to stop Elastic Agent on Linux */
(event.type == "end" and
  (process.name : ("systemctl", "service") and
    process.args : "elastic-agent" and
    process.args : "stop")
  or
  /* pkill , killall used to stop Elastic Agent on Linux */
  ( event.type == "end" and process.name : ("pkill", "killall") and process.args: "elastic-agent")
  or
  /* Unload Elastic Agent extension on MacOS */
  (process.name : "kextunload" and
    process.args : "com.apple.iokit.EndpointSecurity" and
    event.action : "end"))
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
```
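To see how the query's three branches evaluate, here is an added Python re-implementation of its matching logic (example code, not Elastic's own; the sample events and the `matches`/`flagged` helper names are constructed for illustration) run over one constructed event per branch plus two benign look-alikes that should not fire. EQL's `:` operator compares case-insensitively and, on array fields such as `process.args`, matches if any element matches; the helper mirrors both.

```python
from typing import Dict, Iterable, List

# Constructed sample events (not real telemetry); only the ECS fields the rule reads.
SAMPLE_EVENTS: List[Dict] = [
    {"id": "win-stop", "event.type": "start", "process.name": "sc.exe",
     "process.args": ["sc.exe", "stop", "elasticendpoint"]},
    {"id": "win-query", "event.type": "start", "process.name": "sc.exe",
     "process.args": ["sc.exe", "query", "elasticendpoint"]},   # benign: no stop verb
    {"id": "lin-stop", "event.type": "end", "process.name": "systemctl",
     "process.args": ["systemctl", "stop", "elastic-agent"]},
    {"id": "lin-status", "event.type": "end", "process.name": "systemctl",
     "process.args": ["systemctl", "status", "elastic-agent"]},  # benign: status only
    {"id": "lin-pkill", "event.type": "end", "process.name": "pkill",
     "process.args": ["pkill", "elastic-agent"]},
    {"id": "mac-kext", "event.type": "end", "event.action": "end", "process.name": "kextunload",
     "process.args": ["kextunload", "com.apple.iokit.EndpointSecurity"]},
]

# Value lists copied from the rule's query, lower-cased to mirror EQL's case-insensitive `:`.
WIN_PROCS = {"net.exe", "sc.exe", "wmic.exe", "powershell.exe", "taskkill.exe", "pskill.exe", "processhacker.exe"}
WIN_VERBS = {"stopservice", "uninstall", "stop", "disabled", "stop-process", "terminate", "suspend"}
AGENT_NAMES = {"elasticendpoint", "elastic agent", "elastic-agent", "elastic-endpoint"}

def _has(args: Iterable[str], wanted: set) -> bool:
    # `field : (a, b)` on an array field: true if any element equals any listed value
    return any(a.lower() in wanted for a in args)

def matches(ev: Dict) -> bool:
    name = ev.get("process.name", "").lower()
    args = ev.get("process.args", [])
    etype = ev.get("event.type")
    # Branch 1: Windows service-control or process-killing tools aimed at the agent
    if etype == "start" and name in WIN_PROCS and _has(args, WIN_VERBS) and _has(args, AGENT_NAMES):
        return True
    # Branch 2a: systemctl/service stop of the agent unit (outer `event.type == "end"` applies here)
    if etype == "end" and name in {"systemctl", "service"} and _has(args, {"elastic-agent"}) and _has(args, {"stop"}):
        return True
    # Branch 2b: pkill/killall against the agent process
    if etype == "end" and name in {"pkill", "killall"} and _has(args, {"elastic-agent"}):
        return True
    # Branch 2c: macOS Endpoint Security kext unloaded (keyed on event.action, not event.type)
    if ev.get("event.action") == "end" and name == "kextunload" and _has(args, {"com.apple.iokit.endpointsecurity"}):
        return True
    return False

def flagged(events: Iterable[Dict]) -> List[str]:
    """Return the ids of the events the rule would alert on."""
    return [e["id"] for e in events if matches(e)]
```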

Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define event.ingested, and the default fallback for EQL rules was not added until 8.2, so you will need to add a custom ingest pipeline that populates event.ingested from @timestamp for this rule to work.
