diff --git a/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml b/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml
index 95d258f10..c8ea20b27 100644
--- a/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml
+++ b/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/05/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/11/04"
 
 [rule]
 author = ["Elastic"]
@@ -50,12 +50,12 @@ process where
 or
 /* service or systemctl used to stop Elastic Agent on Linux */
 (event.type == "end" and
- (process.name : ("systemctl", "service") and
- process.args : "elastic-agent" and
- process.args : ("stop", "disable"))
+ (process.name in ("systemctl", "service", "chkconfig", "update-rc.d") and
+ process.args : ("elastic-agent", "elastic-agent.service") and
+ process.args : ("stop", "disable", "remove", "off", "kill", "mask"))
 or
 /* pkill , killall used to stop Elastic Agent on Linux */
- ( event.type == "end" and process.name : ("pkill", "killall") and process.args: "elastic-agent")
+ ( event.type == "end" and process.name in ("pkill", "killall", "kill") and process.args: "elastic-agent")
 or
 /* Unload Elastic Agent extension on MacOS */
 (process.name : "kextunload" and
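Review bot: The `kill` entry added to the pkill/killall branch will rarely fire, because `kill` takes PIDs rather than names, so the unchanged `process.args: "elastic-agent"` constraint almost never holds for it, and in most shells `kill` is a builtin that may not even produce a separate process event; as written it widens the `in` list without adding coverage, so either drop it or give it a predicate that can actually match. The comments above both edited branches also still name only `service`/`systemctl` and `pkill`/`killall`; suggest `/* service, systemctl, chkconfig or update-rc.d used to stop or disable Elastic Agent on Linux */` and `/* pkill, killall or kill used to stop Elastic Agent on Linux */`. Switching `process.name :` to `process.name in` changes the match from case-insensitive to case-sensitive, which is fine for Linux binary names but is a semantic change worth a line in the rule's change note. The enclosing EQL query starts and ends outside the hunk.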