Detects unusual command executions and service modifications that indicate self-patching or disabling of vulnerable services post-compromise. Defenders should monitor for service stop commands, suspicious process termination, and execution of binaries or scripts aligned with known patching or service management tools outside of expected admin contexts.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| Process Termination (DC0033) | WinEventLog:Sysmon | EventCode=5 |
| Field | Description |
|---|---|
| ServiceList | Tunable list of critical or vulnerable services that defenders want to monitor for unexpected disabling. |
| TimeWindow | Defines correlation window (e.g., 5–15 minutes) between suspicious command execution and subsequent process termination. |
Detects adversary attempts to monopolize control of compromised systems by issuing service stop commands, unloading vulnerable modules, or forcefully killing competing processes. Defenders should monitor audit logs and syslog for administrative utilities (systemctl, service, kill) being invoked outside of normal change management.
| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | auditd:SYSCALL | execve: Commands like systemctl stop |
| Process Termination (DC0033) | linux:syslog | Unexpected termination of daemons or critical services not aligned with admin change tickets |
| Field | Description |
|---|---|
| CriticalProcessList | Defines specific Linux daemons and processes that should not be terminated outside maintenance windows. |
| AdminUserContext | Defines expected accounts permitted to execute service stop commands; deviations may be suspicious. |
Detects unauthorized termination of system daemons or commands issued through launchctl or kill to stop competing services or malware processes. Defenders should monitor unified logs and EDR telemetry for unusual service modifications or terminations.
| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | macos:unifiedlog | launchctl unload, kill, or pkill commands affecting daemons or background services |
| Process Termination (DC0033) | macos:osquery | process_termination: Unexpected termination of processes tied to vulnerable or high-value services |
| Field | Description |
|---|---|
| ProtectedServiceList | Defines macOS services (e.g., securityd, keychain-related daemons) that should never be disabled. |