security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New Rule] Elastic Agent Stopped (#1991)

Browse Source 
* new rule for detecting if elastic agent has been stopped

* adjusted query based on feedback; added powershell, taskkill, pskill and processhacker
This commit is contained in:
Terrance DeJesus
2022-05-25 13:16:21 -04:00
committed by Mika Ayenson
parent 4235b5d798
commit c2bcfc575f
1 changed files with 67 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml
+67
View File
@@ -0,0 +1,67 @@
[metadata]
creation_date = "2022/05/23"
maturity = "production"
updated_date = "2022/05/23"
[rule]
author = ["Elastic"]
description = """
Identifies the Elastic endpoint agent has stopped and is no longer running on the host. Adversaries may attempt to
disable security monitoring tools in an attempt to evade detection or prevention capabilities during an intrusion. This
may also indicate an issue with the agent itself and should be addressed to ensure defensive measures are back in a
stable state.
"""
from = "now-9m"
index = ["logs-*"]
language = "eql"
license = "Elastic License v2"
name = "Elastic Agent Service Terminated"
note = """## Config
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
"""
risk_score = 47
rule_id = "b627cd12-dac4-11ec-9582-f661ea17fbcd"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Windows", "macOS", "Threat Detection", "Defense Evasion"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where
/* net, sc or wmic stopping or deleting Elastic Agent on Windows */
(event.type == "start" and
process.name : ("net.exe", "sc.exe", "wmic.exe","powershell.exe","taskkill.exe","PsKill.exe","ProcessHacker.exe") and
process.args : ("stopservice","uninstall", "stop", "disabled","Stop-Process","terminate","suspend") and
process.args : ("elasticendpoint", "Elastic Agent","elastic-agent","elastic-endpoint"))
or
/* service or systemctl used to stop Elastic Agent on Linux */
(event.type == "end" and
(process.name : ("systemctl","service") and
process.args : ("elastic-agent", "stop"))
or
/* Unload Elastic Agent extension on MacOS */
(process.name : "kextunload" and
process.args : "com.apple.iokit.EndpointSecurity" and
event.action : "end"))
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"