Detection of adversary behavior that disables or modifies security tools, including killing AV/EDR processes, stopping services, altering Sysmon registry keys, or tampering with exclusion lists. Defenders observe process/service termination, registry modification, and abnormal absence of expected telemetry.

| Data Component | Name | Channel |
|---|---|---|
| Service Creation (DC0060) | WinEventLog:System | EventCode=7045 |
| Process Termination (DC0033) | WinEventLog:Sysmon | EventCode=5 |
| Windows Registry Key Modification (DC0063) | WinEventLog:Sysmon | EventCode=13, 14 |

| Field | Description |
|---|---|
| ProcessNameExclusions | List of expected administrative tools/processes to prevent false positives. |
| TimeWindow | Defines correlation window linking process termination, registry edits, and service stoppage. |
| ServiceNames | Customizable list of security service names per enterprise deployment. |
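
As an added example (not part of the ATT&CK page or any vendor's detection content), a small Python correlator for the Windows strategy above: it classifies Sysmon EventCode 5/13/14 and System EventCode 7045 events into tamper signals, applies the ProcessNameExclusions and ServiceNames mutable elements, and reports clusters of distinct signals that fall inside TimeWindow. The service, process and registry-key lists and the sample events are constructed assumptions to be tuned per deployment.

```python
import re
from datetime import datetime, timedelta

# Mutable elements from the table above, filled with constructed sample values.
SERVICE_NAMES = {"WinDefend", "Sense", "Sysmon64"}            # ServiceNames
PROCESS_NAME_EXCLUSIONS = {"msiexec.exe", "mpcmdrun.exe"}     # ProcessNameExclusions
TIME_WINDOW = timedelta(minutes=10)                           # TimeWindow
SECURITY_PROCESSES = {"msmpeng.exe", "mssense.exe", "sysmon64.exe"}
# Registry paths whose modification counts as tampering (hypothetical, site-tuned list).
TAMPER_KEY_RE = re.compile(r"(SysmonDrv|Sysmon64|Windows Defender\\Exclusions)", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Map one event to a tamper-signal name, or None if it is irrelevant or excluded."""
    src, code = event["source"], event["code"]
    if src == "Sysmon" and code == 5 and basename(event["Image"]) in SECURITY_PROCESSES:
        return "process_termination"          # EventCode=5: a security process exited
    if src == "Sysmon" and code in (13, 14) and TAMPER_KEY_RE.search(event["TargetObject"]):
        if basename(event["Image"]) not in PROCESS_NAME_EXCLUSIONS:
            return "registry_modification"    # EventCode=13/14 by a non-excluded process
    if src == "System" and code == 7045 and event["ServiceName"] in SERVICE_NAMES:
        return "service_creation"             # EventCode=7045: security service (re)installed
    return None

def correlate(events, window=TIME_WINDOW):
    """Group tamper signals falling within `window`; report groups with >= 2 distinct signals."""
    hits = sorted((datetime.fromisoformat(e["ts"]), k) for e in events if (k := classify(e)))
    clusters, i = [], 0
    while i < len(hits):
        start = hits[i][0]
        group = [h for h in hits[i:] if h[0] - start <= window]
        kinds = sorted({k for _, k in group})
        if len(kinds) >= 2:
            clusters.append((start.isoformat(), kinds))
        i += len(group)
    return clusters

SAMPLE_EVENTS = [  # constructed sample telemetry, flattened to the fields used here
    {"ts": "2024-05-01T09:10:00", "source": "Sysmon", "code": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\SysmonDrv\Start"},   # excluded installer
    {"ts": "2024-05-01T13:00:05", "source": "Sysmon", "code": 5, "Image": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
    {"ts": "2024-05-01T13:01:10", "source": "Sysmon", "code": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\tools"},
    {"ts": "2024-05-01T13:03:00", "source": "System", "code": 7045, "ServiceName": "Sysmon64"},
    {"ts": "2024-05-01T15:00:00", "source": "Sysmon", "code": 5, "Image": r"C:\Windows\notepad.exe"},
]
```

Running `correlate(SAMPLE_EVENTS)` reports one cluster starting at 13:00:05 with all three signal types; the 09:10 registry write by the excluded installer and the 15:00 notepad exit are ignored.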

Detects kill/systemctl/service commands against EDR, auditd, falco, osquery, rsyslog, journald, or agent processes; configuration edits disabling startup; module unload attempts; abrupt cessation of logs after privileged shell execution.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve: systemctl stop, service stop, or kill -9 on security daemons (e.g., falcon-sensor, auditd) |
| Service Metadata (DC0041) | auditd:CONFIG_CHANGE | delete: Modification of systemd unit files or config for security agents |

| Field | Description |
|---|---|
| AgentServiceNames | List of endpoint protection service names (varies across deployments). |
| AllowedAdminAccounts | Accounts permitted to legitimately stop or reconfigure services. |

Detection of an adversary disabling endpoint security tools by unloading launch agents/daemons, modifying configuration profiles, disabling Gatekeeper/XProtect/logging settings, or removing endpoint agents, followed by telemetry loss.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | Execution of launchctl unload, kill, or removal of security agent daemons |
| Service Metadata (DC0041) | macos:unifiedlog | Modification of system configuration profiles affecting security tools |

| Field | Description |
|---|---|
| DaemonNames | Expected security agent daemons (e.g., com.crowdstrike.falcon.Agent). |
| TimeWindow | Detection correlation period for multiple security tool disable actions. |

Correlates control-plane API actions disabling cloud-native monitoring or sensor agents (CloudTrail, GuardDuty, Security Hub, Defender, monitoring agents), role abuse preceding disablement, or instance agent uninstall events.

| Data Component | Name | Channel |
|---|---|---|
| Cloud Service Modification (DC0069) | AWS:CloudTrail | Delete* / Stop*: DeleteAlarms, StopLogging, or DisableMonitoring API calls |

| Field | Description |
|---|---|
| APIActions | Customizable list of cloud provider API calls related to monitoring/alerting disablement. |
| UserContext | Distinguishes adversary actions from authorized DevOps/CloudOps activities. |

Detects disabling container runtime security controls, removing sidecar sensors, modifying seccomp/AppArmor profiles, mounting host proc/sys paths to interfere with host logging, or killing in-container monitoring agents.

| Data Component | Name | Channel |
|---|---|---|
| Service Metadata (DC0041) | kubernetes:audit | kubectl delete or patch of security pods/admission controllers |

| Field | Description |
|---|---|
| NamespaceExclusions | Exclusion of namespaces where temporary deletion of monitoring tools is legitimate (e.g., staging). |

Detects disabling AAA, syslog, SNMP traps, ACL logging, or security features on routers/switches/firewalls; correlates privileged login followed by configuration commit reducing visibility.

| Data Component | Name | Channel |
|---|---|---|
| Service Metadata (DC0041) | networkdevice:config | write: Startup configuration changes disabling security checks |
| Host Status (DC0018) | networkdevice:syslog | no logging host, no aaa new-model, no snmp-server, commit |

| Field | Description |
|---|---|
| ConfigBaseline | Reference configuration state for detecting unauthorized modifications. |

Detects esxcli commands disabling syslog, firewall, lockdown mode, or stopping hostd/vpxa; correlates command execution with reduced forwarding activity.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | esxi:shell | esxcli system syslog config set/reload, services.sh restart/stop |
| Service Modification (DC0065) | esxi:hostd | service state change |

| Field | Description |
|---|---|
| ExpectedAdminIPs | Authorized management sources. |