Disable Or Stop Services
Detects the usage of utilities such as 'systemctl', 'service'...etc to stop or disable tools and services
Sigma rule (View on GitHub)
1title: Disable Or Stop Services
2id: de25eeb8-3655-4643-ac3a-b662d3f26b6b
3status: test
4description: Detects the usage of utilities such as 'systemctl', 'service'...etc to stop or disable tools and services
5references:
6 - https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2022/09/15
9tags:
10 - attack.defense_evasion
11logsource:
12 category: process_creation
13 product: linux
14detection:
15 selection:
16 Image|endswith:
17 - '/service'
18 - '/systemctl'
19 - '/chkconfig'
20 CommandLine|contains:
21 - 'stop'
22 - 'disable'
23 condition: selection
24falsepositives:
25 - Legitimate administration activities
26level: medium
References
-
Plain text links were replaced with Base64-encoded text, while some of the code chunks were downloaded or encoded payloads. This is likely done to hide direct payload links, evade security rules us...
Read More
Related rules
- AMSI Bypass Pattern Assembly GetType
- Abuse of Service Permissions to Hide Services Via Set-Service
- Abuse of Service Permissions to Hide Services Via Set-Service - PS
- Account Created And Deleted Within A Close Time Frame
- Account Tampering - Suspicious Failed Logon Reasons