[Rule Tuning] Elastic Agent Service Terminated (#5272)

alstolten · tradebot-elastic · commit 09207eedc413 · 2025-11-12T11:37:34.000Z
* rule-tuning: Elastic Agent service termination improve for detection * [Rule Tuning]: Elastic Agent Service terminated, updated date field * Enhance detection rules for stopping Elastic Agent * Fix syntax for process name checks in TOML file --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> (cherry picked from commit 21217e5)
diff --git a/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml b/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/05/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/11/04"
 
 [rule]
 author = ["Elastic"]
@@ -50,12 +50,12 @@ process where
 or
 /* service or systemctl used to stop Elastic Agent on Linux */
 (event.type == "end" and
-  (process.name : ("systemctl", "service") and
-    process.args : "elastic-agent" and
-    process.args : ("stop", "disable"))
+  (process.name in ("systemctl", "service", "chkconfig", "update-rc.d") and
+    process.args : ("elastic-agent", "elastic-agent.service") and
+    process.args : ("stop", "disable", "remove", "off", "kill", "mask"))
   or
   /* pkill , killall used to stop Elastic Agent on Linux */
-  ( event.type == "end" and process.name : ("pkill", "killall") and process.args: "elastic-agent")
+  ( event.type == "end" and process.name in ("pkill", "killall", "kill") and process.args: "elastic-agent")
   or
   /* Unload Elastic Agent extension on MacOS */
   (process.name : "kextunload" and
