Disable Or Stop Services
Detects the use of utilities such as 'systemctl', 'service' or 'chkconfig' to stop or disable tools and services on Linux systems. Attackers may stop or disable security tools and services to evade detection, maintain persistence, or disrupt system operations.
Sigma rule
```yaml
title: Disable Or Stop Services
id: de25eeb8-3655-4643-ac3a-b662d3f26b6b
status: test
description: |
    Detects the usage of utilities such as 'systemctl', 'service'...etc to stop or disable tools and services on Linux systems.
    Attackers may stop or disable security tools and services to evade detection, maintain persistence, or disrupt system operations.
references:
    - https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-15
modified: 2025-03-18
tags:
    - attack.defense-impairment
    - attack.t1685
    - attack.impact
    - attack.t1489
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith:
            - '/service'
            - '/systemctl'
            - '/chkconfig'
        CommandLine|contains:
            - ' stop '
            - ' disable '
    filter_main_legit_snapd:
        Image|endswith: '/systemctl'
        CommandLine|contains:
            - '--no-reload disable snap-snapd-'
            - ' stop snap-snapd-'
    filter_main_ssh_preinstall:
        Image|endswith: '/systemctl'
        ParentCommandLine|contains: 'tmp.ci/preinst upgrade'
        CommandLine|contains|all:
            - ' stop '
            - 'ssh.'
    filter_main_ubuntu_upgrade:
        ParentCommandLine|contains: '/dpkg/info/ubuntu-pro-client.prerm upgrade'
        Image|endswith: '/systemctl'
    filter_optional_aws_agent:
        Image|endswith: '/systemctl'
        CommandLine|endswith: 'snap.amazon-ssm-agent.amazon-ssm-agent.service'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate administration activities
    - Some false positives are to be expected. Apply additional filters as needed before pushing to production.
level: medium
```
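To make the selection and filter logic concrete, here is an added Python example (not part of the Sigma rule or the Sigma repository) that evaluates the rule's condition over a handful of constructed process_creation events; the event ids, paths and command lines are invented for illustration, and the field names follow the rule.

```python
# Added example, not the Sigma project's code: evaluates the rule above over constructed
# events. Sigma string modifiers are case-insensitive, so both sides are lowercased.
def _f(ev, key):
    return ev.get(key, "").lower()   # missing field -> empty string -> no match

def selection(ev):
    return (_f(ev, "Image").endswith(("/service", "/systemctl", "/chkconfig"))
            and (" stop " in _f(ev, "CommandLine") or " disable " in _f(ev, "CommandLine")))

def filter_main_legit_snapd(ev):
    return (_f(ev, "Image").endswith("/systemctl") and any(
        s in _f(ev, "CommandLine") for s in ("--no-reload disable snap-snapd-", " stop snap-snapd-")))

def filter_main_ssh_preinstall(ev):
    cmd = _f(ev, "CommandLine")
    return (_f(ev, "Image").endswith("/systemctl")
            and "tmp.ci/preinst upgrade" in _f(ev, "ParentCommandLine")
            and " stop " in cmd and "ssh." in cmd)

def filter_main_ubuntu_upgrade(ev):
    return ("/dpkg/info/ubuntu-pro-client.prerm upgrade" in _f(ev, "ParentCommandLine")
            and _f(ev, "Image").endswith("/systemctl"))

def filter_optional_aws_agent(ev):
    return (_f(ev, "Image").endswith("/systemctl")
            and _f(ev, "CommandLine").endswith("snap.amazon-ssm-agent.amazon-ssm-agent.service"))

FILTERS = (filter_main_legit_snapd, filter_main_ssh_preinstall,
           filter_main_ubuntu_upgrade, filter_optional_aws_agent)

def rule_fires(ev):
    # condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
    return selection(ev) and not any(f(ev) for f in FILTERS)

# Constructed sample events, not real telemetry. Field names follow the rule.
SAMPLE_EVENTS = [
    {"id": "stop-auditd", "Image": "/usr/bin/systemctl",
     "CommandLine": "systemctl stop auditd.service", "ParentCommandLine": "-bash"},
    {"id": "service-stop-last-token", "Image": "/usr/sbin/service",   # 'stop' is the final token,
     "CommandLine": "service auditd stop", "ParentCommandLine": "-bash"},  # so ' stop ' never matches
    {"id": "snapd-refresh", "Image": "/usr/bin/systemctl",
     "CommandLine": "systemctl --no-reload disable snap-snapd-1234.mount"},
    {"id": "ssh-preinst", "Image": "/bin/systemctl", "CommandLine": "systemctl stop ssh.socket",
     "ParentCommandLine": "/bin/sh /var/lib/dpkg/tmp.ci/preinst upgrade 1:9.6"},
    {"id": "ssm-agent", "Image": "/usr/bin/systemctl",
     "CommandLine": "systemctl stop snap.amazon-ssm-agent.amazon-ssm-agent.service"},
]

def alerts(events=SAMPLE_EVENTS):
    return [ev["id"] for ev in events if rule_fires(ev)]
```

Only `stop-auditd` survives the filters; the `service auditd stop` event shows that the trailing space in `' stop '` means a stop keyword in the final position is not matched, which is worth knowing when tuning the rule.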
Related rules
- Suspicious Windows Service Tampering
- Load Of RstrtMgr.DLL By A Suspicious Process
- Load Of RstrtMgr.DLL By An Uncommon Process
- AMSI Bypass Pattern Assembly GetType
- AMSI Disabled via Registry Modification