{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/elastic-agent/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Elastic Agent"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","endpoint","elastic-agent"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThe Elastic Agent is a crucial component for monitoring and securing endpoints across Windows, Linux, and macOS. Adversaries may attempt to disable or terminate this agent to evade detection and compromise system defenses. This detection rule identifies suspicious termination activities by monitoring specific processes and commands used to stop the Elastic Agent service. The rule focuses on identifying the use of commands like \u003ccode\u003enet.exe\u003c/code\u003e, \u003ccode\u003esc.exe\u003c/code\u003e, \u003ccode\u003esystemctl\u003c/code\u003e, \u003ccode\u003eservice\u003c/code\u003e, \u003ccode\u003epkill\u003c/code\u003e, \u003ccode\u003ekillall\u003c/code\u003e, and \u003ccode\u003ekextunload\u003c/code\u003e with arguments related to stopping or disabling the Elastic Agent. The rule aims to detect unauthorized attempts to tamper with the agent, which could signal an active intrusion or other malicious activity targeting the endpoint security posture.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker elevates privileges to gain necessary permissions to interact with system services.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003enet.exe stop \u0026quot;Elastic Agent\u0026quot;\u003c/code\u003e or \u003ccode\u003esc.exe stop elasticendpoint\u003c/code\u003e on Windows to attempt to stop the Elastic Agent service.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker may use PowerShell to terminate the agent with commands like \u003ccode\u003eStop-Process\u003c/code\u003e targeting \u003ccode\u003eelastic-agent\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eOn Linux, the attacker uses \u003ccode\u003esystemctl stop elastic-agent\u003c/code\u003e or \u003ccode\u003eservice elastic-agent stop\u003c/code\u003e to stop the agent.\u003c/li\u003e\n\u003cli\u003eOn macOS, the attacker attempts to unload the Elastic Defend extension using \u003ccode\u003ekextunload com.apple.iokit.EndpointSecurity\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker verifies the Elastic Agent service is no longer running, confirming the success of their defense evasion attempt.\u003c/li\u003e\n\u003cli\u003eWith the Elastic Agent disabled, the attacker proceeds with their objectives, such as data exfiltration or lateral movement, without being detected by the endpoint security solution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eIf the Elastic Agent service is successfully terminated, the endpoint loses its active security monitoring capabilities. This allows adversaries to operate undetected, potentially leading to data breaches, ransomware deployment, or other malicious activities. The impact can range from a single compromised endpoint to a widespread security incident affecting multiple systems within the organization. The severity depends on the attacker's objectives and the duration the agent remains disabled.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect attempts to stop the Elastic Agent service and tune them for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging on Windows to capture the execution of commands like \u003ccode\u003enet.exe\u003c/code\u003e and \u003ccode\u003esc.exe\u003c/code\u003e as detected by the Sigma rule \u0026quot;Elastic Agent Service Terminated\u0026quot;.\u003c/li\u003e\n\u003cli\u003eMonitor process execution logs on Linux for the use of commands such as \u003ccode\u003esystemctl\u003c/code\u003e and \u003ccode\u003eservice\u003c/code\u003e as detected by the Sigma rule \u0026quot;Elastic Agent Service Terminated Linux\u0026quot;.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules to determine the legitimacy of the termination attempt and respond accordingly, following incident response procedures.\u003c/li\u003e\n\u003cli\u003eImplement stricter access controls to prevent unauthorized users or processes from stopping critical security services like the Elastic Agent.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-elastic-agent-stop/","summary":"This rule detects attempts to stop the Elastic endpoint agent service, which may indicate a defense evasion tactic employed by adversaries to disable security monitoring and evade detection.","title":"Elastic Agent Service Termination Attempt","url":"https://feed.craftedsignal.io/briefs/2024-01-elastic-agent-stop/"}],"language":"en","title":"CraftedSignal Threat Feed - Elastic-Agent","version":"https://jsonfeed.org/version/1.1"}