Skip to content
Threat Feed
medium advisory

Elastic Agent Service Termination Attempt

This rule detects attempts to stop the Elastic endpoint agent service, which may indicate a defense evasion tactic employed by adversaries to disable security monitoring and evade detection.

The Elastic Agent is a crucial component for monitoring and securing endpoints across Windows, Linux, and macOS. Adversaries may attempt to disable or terminate this agent to evade detection and compromise system defenses. This detection rule identifies suspicious termination activities by monitoring specific processes and commands used to stop the Elastic Agent service. The rule focuses on identifying the use of commands like net.exe, sc.exe, systemctl, service, pkill, killall, and kextunload with arguments related to stopping or disabling the Elastic Agent. The rule aims to detect unauthorized attempts to tamper with the agent, which could signal an active intrusion or other malicious activity targeting the endpoint security posture.

Attack Chain

  1. An attacker gains initial access to the system, potentially through phishing or exploiting a vulnerability.
  2. The attacker elevates privileges to gain necessary permissions to interact with system services.
  3. The attacker uses net.exe stop "Elastic Agent" or sc.exe stop elasticendpoint on Windows to attempt to stop the Elastic Agent service.
  4. Alternatively, the attacker may use PowerShell to terminate the agent with commands like Stop-Process targeting elastic-agent.
  5. On Linux, the attacker uses systemctl stop elastic-agent or service elastic-agent stop to stop the agent.
  6. On macOS, the attacker attempts to unload the Elastic Defend extension using kextunload com.apple.iokit.EndpointSecurity.
  7. The attacker verifies the Elastic Agent service is no longer running, confirming the success of their defense evasion attempt.
  8. With the Elastic Agent disabled, the attacker proceeds with their objectives, such as data exfiltration or lateral movement, without being detected by the endpoint security solution.

Impact

If the Elastic Agent service is successfully terminated, the endpoint loses its active security monitoring capabilities. This allows adversaries to operate undetected, potentially leading to data breaches, ransomware deployment, or other malicious activities. The impact can range from a single compromised endpoint to a widespread security incident affecting multiple systems within the organization. The severity depends on the attacker's objectives and the duration the agent remains disabled.

Recommendation

  • Deploy the Sigma rules provided in this brief to your SIEM to detect attempts to stop the Elastic Agent service and tune them for your environment.
  • Enable Sysmon process creation logging on Windows to capture the execution of commands like net.exe and sc.exe as detected by the Sigma rule "Elastic Agent Service Terminated".
  • Monitor process execution logs on Linux for the use of commands such as systemctl and service as detected by the Sigma rule "Elastic Agent Service Terminated Linux".
  • Investigate any alerts generated by the Sigma rules to determine the legitimacy of the termination attempt and respond accordingly, following incident response procedures.
  • Implement stricter access controls to prevent unauthorized users or processes from stopping critical security services like the Elastic Agent.

Detection coverage 3

Elastic Agent Service Terminated

medium

Detects attempts to stop or disable the Elastic Agent service on Windows using net.exe or sc.exe.

sigma tactics: defense_evasion techniques: T1562.001 sources: process_creation, windows

Elastic Agent Service Terminated Linux

medium

Detects attempts to stop or disable the Elastic Agent service on Linux using systemctl or service commands.

sigma tactics: defense_evasion techniques: T1562.001 sources: process_creation, linux

Elastic Agent Service Terminated macOS

medium

Detects attempts to unload the Elastic Defend extension on macOS.

sigma tactics: defense_evasion techniques: T1562.001 sources: process_creation, macos

Detection queries are available on the platform. Get full rules →