Source: splunk/security_content (Apache-2.0)
Linux Auditd Stop Services
The following analytic detects attempts to stop a service on Linux systems. It leverages data from Linux Auditd. This activity is significant as adversaries often stop or terminate security or critical services to disable defenses or disrupt operations, as seen in malware like Industroyer2. If confirmed malicious, this could lead to the disabling of security mechanisms, allowing attackers to persist, escalate privileges, or deploy destructive payloads, severely impacting system integrity and availability.
Rule source: detections/endpoint/linux_auditd_stop_services.yml
`linux_auditd` type=SERVICE_STOP
| rename host as dest
| stats count min(_time) as firstTime max(_time) as lastTime BY type pid comm exe dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_stop_services_filter`
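As an added example that is not part of the rule or of splunk/security_content, the Python below emulates the search above over constructed auditd records: it keeps only type=SERVICE_STOP, renames host to dest, groups by type, pid, comm, exe and dest, and reports count, firstTime and lastTime in the `security_content_ctime` format. The `keep` callable stands in for the `linux_auditd_stop_services_filter` tuning macro; the hosts and unit names in the sample events are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (not from the original page), shaped as (host, _raw): two
# SERVICE_STOPs for one unit on web01, a SERVICE_START to ignore, one stop on db02.
SAMPLE_EVENTS = [
    ("web01", "type=SERVICE_STOP msg=audit(1700000000.101:501): pid=1 uid=0 auid=4294967295 "
              "msg='unit=auditd comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" res=success'"),
    ("web01", "type=SERVICE_STOP msg=audit(1700000060.202:502): pid=1 uid=0 auid=4294967295 "
              "msg='unit=auditd comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" res=success'"),
    ("web01", "type=SERVICE_START msg=audit(1700000120.303:503): pid=1 uid=0 auid=4294967295 "
              "msg='unit=auditd comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" res=success'"),
    ("db02", "type=SERVICE_STOP msg=audit(1700000180.404:504): pid=1 uid=0 auid=4294967295 "
             "msg='unit=rsyslog comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" res=success'"),
]

# Fields the search groups on; auditd quotes comm and exe inside the nested msg='...'.
FIELD_RE = {
    "type": re.compile(r"\btype=(\S+)"),
    "pid": re.compile(r"\bpid=(\d+)"),
    "comm": re.compile(r'\bcomm="([^"]*)"'),
    "exe": re.compile(r'\bexe="([^"]*)"'),
}
TIME_RE = re.compile(r"msg=audit\((\d+)\.\d+:\d+\)")  # epoch seconds of the record

def ctime(epoch):
    """Mirror `security_content_ctime`: epoch seconds -> %Y-%m-%dT%H:%M:%S (UTC here)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")

def parse_event(host, raw):
    """Extract type/pid/comm/exe and _time from one record; rename host to dest."""
    fields = {name: (m.group(1) if (m := rx.search(raw)) else None) for name, rx in FIELD_RE.items()}
    ts = TIME_RE.search(raw)
    fields["_time"] = int(ts.group(1)) if ts else None
    fields["dest"] = host
    return fields

def stop_services(events, keep=lambda row: True):
    """Emulate the search: keep SERVICE_STOP, stats BY type pid comm exe dest; `keep` = the *_filter macro."""
    groups = defaultdict(list)
    for host, raw in events:
        ev = parse_event(host, raw)
        if ev["type"] != "SERVICE_STOP" or ev["_time"] is None:
            continue
        groups[(ev["type"], ev["pid"], ev["comm"], ev["exe"], ev["dest"])].append(ev["_time"])
    rows = [{"type": t, "pid": p, "comm": c, "exe": e, "dest": d, "count": len(ts),
             "firstTime": ctime(min(ts)), "lastTime": ctime(max(ts))}
            for (t, p, c, e, d), ts in sorted(groups.items())]
    return [row for row in rows if keep(row)]
```

Running `stop_services(SAMPLE_EVENTS)` yields one row per host: the two web01 stops of the same unit collapse into count=2 with a one-minute firstTime/lastTime window, and the SERVICE_START record is dropped before aggregation.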