<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Elastic-Agent - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/elastic-agent/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 02 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/elastic-agent/feed.xml" rel="self" type="application/rss+xml"/><item><title>Elastic Agent Service Termination Attempt</title><link>https://feed.craftedsignal.io/briefs/2024-01-elastic-agent-stop/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-elastic-agent-stop/</guid><description>This rule detects attempts to stop the Elastic endpoint agent service, which may indicate a defense evasion tactic employed by adversaries to disable security monitoring and evade detection.</description><content:encoded><![CDATA[<p>The Elastic Agent is a crucial component for monitoring and securing endpoints across Windows, Linux, and macOS. Adversaries may attempt to disable or terminate this agent to evade detection and compromise system defenses. This detection rule identifies suspicious termination activities by monitoring specific processes and commands used to stop the Elastic Agent service. The rule focuses on identifying the use of commands like <code>net.exe</code>, <code>sc.exe</code>, <code>systemctl</code>, <code>service</code>, <code>pkill</code>, <code>killall</code>, and <code>kextunload</code> with arguments related to stopping or disabling the Elastic Agent. The rule aims to detect unauthorized attempts to tamper with the agent, which could signal an active intrusion or other malicious activity targeting the endpoint security posture.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to the system, potentially through phishing or exploiting a vulnerability.</li>
<li>The attacker elevates privileges to gain necessary permissions to interact with system services.</li>
<li>The attacker uses <code>net.exe stop &quot;Elastic Agent&quot;</code> or <code>sc.exe stop elasticendpoint</code> on Windows to attempt to stop the Elastic Agent service.</li>
<li>Alternatively, the attacker may use PowerShell to terminate the agent with commands like <code>Stop-Process</code> targeting <code>elastic-agent</code>.</li>
<li>On Linux, the attacker uses <code>systemctl stop elastic-agent</code> or <code>service elastic-agent stop</code> to stop the agent.</li>
<li>On macOS, the attacker attempts to unload the Elastic Defend extension using <code>kextunload com.apple.iokit.EndpointSecurity</code>.</li>
<li>The attacker verifies the Elastic Agent service is no longer running, confirming the success of their defense evasion attempt.</li>
<li>With the Elastic Agent disabled, the attacker proceeds with their objectives, such as data exfiltration or lateral movement, without being detected by the endpoint security solution.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>If the Elastic Agent service is successfully terminated, the endpoint loses its active security monitoring capabilities. This allows adversaries to operate undetected, potentially leading to data breaches, ransomware deployment, or other malicious activities. The impact can range from a single compromised endpoint to a widespread security incident affecting multiple systems within the organization. The severity depends on the attacker's objectives and the duration the agent remains disabled.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rules provided in this brief to your SIEM to detect attempts to stop the Elastic Agent service and tune them for your environment.</li>
<li>Enable Sysmon process creation logging on Windows to capture the execution of commands like <code>net.exe</code> and <code>sc.exe</code> as detected by the Sigma rule &quot;Elastic Agent Service Terminated&quot;.</li>
<li>Monitor process execution logs on Linux for the use of commands such as <code>systemctl</code> and <code>service</code> as detected by the Sigma rule &quot;Elastic Agent Service Terminated Linux&quot;.</li>
<li>Investigate any alerts generated by the Sigma rules to determine the legitimacy of the termination attempt and respond accordingly, following incident response procedures.</li>
<li>Implement stricter access controls to prevent unauthorized users or processes from stopping critical security services like the Elastic Agent.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>defense-evasion</category><category>endpoint</category><category>elastic-agent</category></item></channel></rss>