forked from elastic/detection-rules
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[New Rule] Elastic Agent Stopped (elastic#1991)
* new rule for detecting if elastic agent has been stopped * adjusted query based on feedback; added powershell, taskkill, pskill and processhacker
- Loading branch information
1 parent
fd7a6d6
commit cdc5c72
Showing
1 changed file
with
67 additions
and
0 deletions.
There are no files selected for viewing
67 changes: 67 additions & 0 deletions
67
rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,67 @@ | ||
| [metadata] | ||
| creation_date = "2022/05/23" | ||
| maturity = "production" | ||
| updated_date = "2022/05/23" | ||
|
|
||
| [rule] | ||
| author = ["Elastic"] | ||
| description = """ | ||
| Identifies the Elastic endpoint agent has stopped and is no longer running on the host. Adversaries may attempt to | ||
| disable security monitoring tools in an attempt to evade detection or prevention capabilities during an intrusion. This | ||
| may also indicate an issue with the agent itself and should be addressed to ensure defensive measures are back in a | ||
| stable state. | ||
| """ | ||
| from = "now-9m" | ||
| index = ["logs-*"] | ||
| language = "eql" | ||
| license = "Elastic License v2" | ||
| name = "Elastic Agent Service Terminated" | ||
| note = """## Config | ||
| If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. | ||
| """ | ||
| risk_score = 47 | ||
| rule_id = "b627cd12-dac4-11ec-9582-f661ea17fbcd" | ||
| severity = "medium" | ||
| tags = ["Elastic", "Host", "Linux", "Windows", "macOS", "Threat Detection", "Defense Evasion"] | ||
| timestamp_override = "event.ingested" | ||
| type = "eql" | ||
|
|
||
| query = ''' | ||
| process where | ||
| /* net, sc or wmic stopping or deleting Elastic Agent on Windows */ | ||
| (event.type == "start" and | ||
| process.name : ("net.exe", "sc.exe", "wmic.exe","powershell.exe","taskkill.exe","PsKill.exe","ProcessHacker.exe") and | ||
| process.args : ("stopservice","uninstall", "stop", "disabled","Stop-Process","terminate","suspend") and | ||
| process.args : ("elasticendpoint", "Elastic Agent","elastic-agent","elastic-endpoint")) | ||
| or | ||
| /* service or systemctl used to stop Elastic Agent on Linux */ | ||
| (event.type == "end" and | ||
| (process.name : ("systemctl","service") and | ||
| process.args : ("elastic-agent", "stop")) | ||
| or | ||
| /* Unload Elastic Agent extension on MacOS */ | ||
| (process.name : "kextunload" and | ||
| process.args : "com.apple.iokit.EndpointSecurity" and | ||
| event.action : "end")) | ||
| ''' | ||
|
|
||
|
|
||
| [[rule.threat]] | ||
| framework = "MITRE ATT&CK" | ||
| [[rule.threat.technique]] | ||
| id = "T1562" | ||
| name = "Impair Defenses" | ||
| reference = "https://attack.mitre.org/techniques/T1562/" | ||
| [[rule.threat.technique.subtechnique]] | ||
| id = "T1562.001" | ||
| name = "Disable or Modify Tools" | ||
| reference = "https://attack.mitre.org/techniques/T1562/001/" | ||
|
|
||
|
|
||
|
|
||
| [rule.threat.tactic] | ||
| id = "TA0005" | ||
| name = "Defense Evasion" | ||
| reference = "https://attack.mitre.org/tactics/TA0005/" | ||
|
|