Elastic Agent Service Terminated
editElastic Agent Service Terminated
editIdentifies the Elastic endpoint agent has stopped and is no longer running on the host. Adversaries may attempt to disable security monitoring tools in an attempt to evade detection or prevention capabilities during an intrusion. This may also indicate an issue with the agent itself and should be addressed to ensure defensive measures are back in a stable state.
Rule type: eql
Rule indices:
- logs-*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References: None
Tags:
- Elastic
- Host
- Linux
- Windows
- macOS
- Threat Detection
- Defense Evasion
Version: 3
Rule authors:
- Elastic
Rule license: Elastic License v2
Investigation guide
editRule query
editprocess where /* net, sc or wmic stopping or deleting Elastic Agent on Windows */ (event.type == "start" and process.name : ("net.exe", "sc.exe", "wmic.exe","powershell.exe","taskkill.exe","PsKill.exe","ProcessHacker.exe") and process.args : ("stopservice","uninstall", "stop", "disabled","Stop-Process","terminate","suspend") and process.args : ("elasticendpoint", "Elastic Agent","elastic-agent","elastic-endpoint")) or /* service or systemctl used to stop Elastic Agent on Linux */ (event.type == "end" and (process.name : ("systemctl", "service") and process.args : "elastic-agent" and process.args : "stop") or /* Unload Elastic Agent extension on MacOS */ (process.name : "kextunload" and process.args : "com.apple.iokit.EndpointSecurity" and event.action : "end"))
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
-
Technique:
- Name: Impair Defenses
- ID: T1562
- Reference URL: https://attack.mitre.org/techniques/T1562/
-
Sub-technique:
- Name: Disable or Modify Tools
- ID: T1562.001
- Reference URL: https://attack.mitre.org/techniques/T1562/001/