Elastic Agent Service Termination Attempt
This rule detects attempts to stop the Elastic endpoint agent service, which may indicate a defense evasion tactic employed by adversaries to disable security monitoring and evade detection.
The Elastic Agent is a crucial component for monitoring and securing endpoints across Windows, Linux, and macOS. Adversaries may attempt to disable or terminate this agent to evade detection and compromise system defenses. This detection rule identifies suspicious termination activities by monitoring specific processes and commands used to stop the Elastic Agent service. The rule focuses on identifying the use of commands like net.exe, sc.exe, systemctl, service, pkill, killall, and kextunload with arguments related to stopping or disabling the Elastic Agent. The rule aims to detect unauthorized attempts to tamper with the agent, which could signal an active intrusion or other malicious activity targeting the endpoint security posture.
Attack Chain
- An attacker gains initial access to the system, potentially through phishing or exploiting a vulnerability.
- The attacker elevates privileges to gain necessary permissions to interact with system services.
- The attacker uses
net.exe stop "Elastic Agent"orsc.exe stop elasticendpointon Windows to attempt to stop the Elastic Agent service. - Alternatively, the attacker may use PowerShell to terminate the agent with commands like
Stop-Processtargetingelastic-agent. - On Linux, the attacker uses
systemctl stop elastic-agentorservice elastic-agent stopto stop the agent. - On macOS, the attacker attempts to unload the Elastic Defend extension using
kextunload com.apple.iokit.EndpointSecurity. - The attacker verifies the Elastic Agent service is no longer running, confirming the success of their defense evasion attempt.
- With the Elastic Agent disabled, the attacker proceeds with their objectives, such as data exfiltration or lateral movement, without being detected by the endpoint security solution.
Impact
If the Elastic Agent service is successfully terminated, the endpoint loses its active security monitoring capabilities. This allows adversaries to operate undetected, potentially leading to data breaches, ransomware deployment, or other malicious activities. The impact can range from a single compromised endpoint to a widespread security incident affecting multiple systems within the organization. The severity depends on the attacker's objectives and the duration the agent remains disabled.
Recommendation
- Deploy the Sigma rules provided in this brief to your SIEM to detect attempts to stop the Elastic Agent service and tune them for your environment.
- Enable Sysmon process creation logging on Windows to capture the execution of commands like
net.exeandsc.exeas detected by the Sigma rule "Elastic Agent Service Terminated". - Monitor process execution logs on Linux for the use of commands such as
systemctlandserviceas detected by the Sigma rule "Elastic Agent Service Terminated Linux". - Investigate any alerts generated by the Sigma rules to determine the legitimacy of the termination attempt and respond accordingly, following incident response procedures.
- Implement stricter access controls to prevent unauthorized users or processes from stopping critical security services like the Elastic Agent.
Detection coverage 3
Elastic Agent Service Terminated
mediumDetects attempts to stop or disable the Elastic Agent service on Windows using net.exe or sc.exe.
Elastic Agent Service Terminated Linux
mediumDetects attempts to stop or disable the Elastic Agent service on Linux using systemctl or service commands.
Elastic Agent Service Terminated macOS
mediumDetects attempts to unload the Elastic Defend extension on macOS.
Detection queries are available on the platform. Get full rules →