Linux Service Stop and Disable Detection
Attackers may halt or disable security services on Linux systems to evade defenses, maintain persistence, or disrupt operations. This activity is detected through the use of utilities such as 'systemctl', 'service', and 'chkconfig'.
Attackers may attempt to stop or disable services on a compromised Linux system to impair security tools, disrupt operations, or facilitate further malicious activities. This can involve disabling security software, logging mechanisms, or other critical services that could hinder the attacker’s objectives. This activity often forms part of a broader attack campaign aimed at maintaining persistence, evading detection, or causing system-wide disruption. The commands systemctl, service, and…
Detection coverage (3 rules)
Detect Systemctl Service Stop or Disable
Severity: medium. Detects the use of systemctl to stop or disable services on Linux systems, potentially indicating an attempt to evade defenses or disrupt operations.
Detect Service Command Stop or Disable
Severity: medium. Detects the use of the 'service' command to stop or disable services, indicative of potential malicious activity.
Detect Chkconfig Service Manipulation
Severity: medium. Detects the usage of chkconfig to disable services, often used for persistence or defense evasion.
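As an added example, not the platform's own detection queries (which the page states are kept inside the platform), the following Python script shows how the three rules listed above can be expressed as detection logic run over process-execution events. The toy "user=... cmd='...'" event format, the sample events, and the use of the page's rule names as labels are assumptions constructed for this illustration; the matching conditions (systemctl stop/disable, service <name> stop, chkconfig <name> off) follow the rule descriptions.

```python
import os
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Labels reuse the three rule names from the page; the severity is the one listed there.
SYSTEMCTL_RULE = "Detect Systemctl Service Stop or Disable"
SERVICE_RULE = "Detect Service Command Stop or Disable"
CHKCONFIG_RULE = "Detect Chkconfig Service Manipulation"
SEVERITY = "medium"

# Constructed sample process-execution events in a toy "user=... cmd='...'" format.
# This format is an assumption for the example, not a real EDR or auditd schema.
SAMPLE_EVENTS = [
    "user=root cmd='systemctl stop auditd'",
    "user=root cmd='systemctl disable --now rsyslog'",
    "user=root cmd='systemctl status sshd'",
    "user=root cmd='/usr/sbin/service auditd stop'",
    "user=root cmd='service nginx restart'",
    "user=root cmd='chkconfig auditd off'",
    "user=root cmd='chkconfig --list'",
    "user=alice cmd='ls -la /etc/systemd'",
]

EVENT_RE = re.compile(r"user=(?P<user>\S+)\s+cmd='(?P<cmd>[^']*)'")


@dataclass
class Alert:
    rule: str
    severity: str
    user: str
    service: str
    command: str


def classify(argv: List[str]) -> Optional[Tuple[str, str]]:
    """Return (rule name, service name) if argv matches one of the three rules, else None."""
    if not argv:
        return None
    # Match on the binary name so that full paths (/usr/sbin/service) are handled.
    tool = os.path.basename(argv[0])
    # Positional arguments only: flags such as --now must not be mistaken for a unit name.
    positional = [a for a in argv[1:] if not a.startswith("-")]
    if tool == "systemctl" and positional and positional[0] in ("stop", "disable"):
        service = positional[1] if len(positional) > 1 else "<unknown>"
        return SYSTEMCTL_RULE, service
    if tool == "service" and len(positional) >= 2 and positional[-1] in ("stop", "disable"):
        return SERVICE_RULE, positional[0]
    if tool == "chkconfig" and len(positional) >= 2 and positional[-1] == "off":
        return CHKCONFIG_RULE, positional[0]
    return None


def scan(events: List[str]) -> List[Alert]:
    """Run the three rules over a list of event lines and return the alerts raised."""
    alerts: List[Alert] = []
    for line in events:
        m = EVENT_RE.search(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole scan
        try:
            argv = shlex.split(m.group("cmd"))
        except ValueError:
            continue  # unbalanced quotes in the recorded command string
        hit = classify(argv)
        if hit:
            rule, service = hit
            alerts.append(Alert(rule, SEVERITY, m.group("user"), service, m.group("cmd")))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.rule}: user={a.user} service={a.service} cmd={a.command!r}")
```

Running the script against the constructed events raises four alerts (two systemctl, one service, one chkconfig) and ignores the status, restart, --list and ls invocations. In a real deployment the same logic would be fed from process-creation telemetry, and the service name would typically be enriched with an allowlist so that stops of non-security services do not raise the same severity.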
Detection queries are kept inside the platform.