Elastic Agent Service Terminated
Identifies that the Elastic endpoint agent has stopped and is no longer running on the host. Adversaries may disable security monitoring tools to evade detection or prevention capabilities during an intrusion. This may also indicate an issue with the agent itself and should be addressed to ensure defensive measures are back in a stable state.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2022/05/23"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/19"
integration = ["endpoint"]

[rule]
author = ["Elastic"]
description = """
Identifies the Elastic endpoint agent has stopped and is no longer running on the host. Adversaries may attempt to
disable security monitoring tools in an attempt to evade detection or prevention capabilities during an intrusion. This
may also indicate an issue with the agent itself and should be addressed to ensure defensive measures are back in a
stable state.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Elastic Agent Service Terminated"
risk_score = 47
rule_id = "b627cd12-dac4-11ec-9582-f661ea17fbcd"
setup = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where
/* net, sc or wmic stopping or deleting Elastic Agent on Windows */
(event.type == "start" and
 process.name : ("net.exe", "sc.exe", "wmic.exe","powershell.exe","taskkill.exe","PsKill.exe","ProcessHacker.exe") and
 process.args : ("stopservice","uninstall", "stop", "disabled","Stop-Process","terminate","suspend") and
 process.args : ("elasticendpoint", "Elastic Agent","elastic-agent","elastic-endpoint"))
or
/* service or systemctl used to stop Elastic Agent on Linux */
(event.type == "end" and
 (process.name : ("systemctl", "service") and
 process.args : "elastic-agent" and
 process.args : "stop")
 or
 /* pkill , killall used to stop Elastic Agent on Linux */
 ( event.type == "end" and process.name : ("pkill", "killall") and process.args: "elastic-agent")
 or
 /* Unload Elastic Agent extension on MacOS */
 (process.name : "kextunload" and
 process.args : "com.apple.iokit.EndpointSecurity" and
 event.action : "end"))
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
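To see how the query above actually matches, here is an added Python re-implementation of its four branches, run over constructed ECS-style process events. This is example code written for this page, not Elastic's rule engine or tooling; the flattened dotted keys, the `id` field and the sample events are assumptions made to keep it self-contained. It reproduces the two points a detection engineer most often gets wrong when reading this rule: the EQL `:` operator compares case-insensitively (with `*`/`?` wildcards, none of which the rule uses), and a condition on the array field `process.args` is true when any element matches any listed value, so two separate `process.args :` clauses are the way the rule requires both a verb and the agent name on the same command line.

```python
"""Offline evaluation of the 'Elastic Agent Service Terminated' EQL logic.

Added example, not part of the Elastic rule or the detection-rules repo.
Events use flattened dotted ECS keys (assumption for brevity; real ECS
documents nest them) and an 'id' field that exists only for this demo.
"""
import fnmatch


def eql_match(value, patterns):
    """Approximate EQL ':' semantics: case-insensitive, '*' and '?' wildcards,
    true if ANY element of a scalar/array field matches ANY listed pattern.
    (fnmatch also treats '[...]' as a class, which EQL does not; the rule
    uses no such characters.)"""
    if value is None:
        return False
    values = value if isinstance(value, list) else [value]
    pats = patterns if isinstance(patterns, (list, tuple)) else [patterns]
    return any(fnmatch.fnmatchcase(v.lower(), p.lower()) for v in values for p in pats)


def windows_stop(e):
    # net/sc/wmic/powershell/taskkill/... on Windows, keyed on process START
    return (e.get("event.type") == "start"
            and eql_match(e.get("process.name"), ("net.exe", "sc.exe", "wmic.exe", "powershell.exe",
                                                  "taskkill.exe", "PsKill.exe", "ProcessHacker.exe"))
            and eql_match(e.get("process.args"), ("stopservice", "uninstall", "stop", "disabled",
                                                  "Stop-Process", "terminate", "suspend"))
            and eql_match(e.get("process.args"), ("elasticendpoint", "Elastic Agent",
                                                  "elastic-agent", "elastic-endpoint")))


def linux_service_stop(e):
    # systemctl/service stop elastic-agent on Linux, keyed on process END
    return (e.get("event.type") == "end"
            and eql_match(e.get("process.name"), ("systemctl", "service"))
            and eql_match(e.get("process.args"), "elastic-agent")
            and eql_match(e.get("process.args"), "stop"))


def linux_kill(e):
    # pkill/killall naming elastic-agent on Linux, keyed on process END
    return (e.get("event.type") == "end"
            and eql_match(e.get("process.name"), ("pkill", "killall"))
            and eql_match(e.get("process.args"), "elastic-agent"))


def macos_kextunload(e):
    # unloading the Endpoint Security kext on macOS, keyed on event.action
    return (eql_match(e.get("process.name"), "kextunload")
            and eql_match(e.get("process.args"), "com.apple.iokit.EndpointSecurity")
            and eql_match(e.get("event.action"), "end"))


def rule_matches(e):
    """'process where <branch1> or <branch2> or ...' from the rule's query."""
    return e.get("event.category") == "process" and (
        windows_stop(e) or linux_service_stop(e) or linux_kill(e) or macos_kextunload(e))


# Constructed sample events (not real telemetry). Three are benign look-alikes.
SAMPLE_EVENTS = [
    {"id": "win-sc-stop", "event.category": "process", "event.type": "start",
     "process.name": "sc.exe", "process.args": ["sc.exe", "stop", "Elastic Agent"]},
    {"id": "win-case-variant", "event.category": "process", "event.type": "start",
     "process.name": "SC.EXE", "process.args": ["SC.EXE", "STOP", "ELASTIC AGENT"]},
    {"id": "win-spooler-stop", "event.category": "process", "event.type": "start",
     "process.name": "sc.exe", "process.args": ["sc.exe", "stop", "Spooler"]},
    {"id": "linux-systemctl-stop", "event.category": "process", "event.type": "end",
     "process.name": "systemctl", "process.args": ["systemctl", "stop", "elastic-agent"]},
    {"id": "linux-systemctl-status", "event.category": "process", "event.type": "end",
     "process.name": "systemctl", "process.args": ["systemctl", "status", "elastic-agent"]},
    {"id": "linux-pkill", "event.category": "process", "event.type": "end",
     "process.name": "pkill", "process.args": ["pkill", "-f", "elastic-agent"]},
    {"id": "macos-kextunload", "event.category": "process", "event.action": "end",
     "process.name": "kextunload",
     "process.args": ["kextunload", "-b", "com.apple.iokit.EndpointSecurity"]},
]


def evaluate(events):
    """Return the ids of the events the rule would alert on, in input order."""
    return [e["id"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for event_id in evaluate(SAMPLE_EVENTS):
        print("ALERT:", event_id)
```

`evaluate(SAMPLE_EVENTS)` returns the five agent-related events and skips the Spooler stop and the `systemctl status` check; the upper-case Windows event still matches because `:` ignores case. Swap in events exported from your own index to confirm how a given command line is tokenised into `process.args` before relying on the exact strings the rule lists.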
Related rules
- Hosts File Modified
- Masquerading Space After Filename
- Potential Cookies Theft via Browser Debugging
- Python Script Execution via Command Line
- Tampering of Shell Command-Line History