Detection of adversary behavior that disables or modifies security tools, including killing AV/EDR processes, stopping services, altering Sysmon registry keys, or tampering with exclusion lists. Defenders observe process/service termination, registry modification, and abnormal absence of expected telemetry.

| Data Component | Name | Channel |
|---|---|---|
| Service Creation (DC0060) | WinEventLog:Security | EventCode=7045 |
| Process Termination (DC0033) | WinEventLog:Sysmon | EventCode=5 |
| Windows Registry Key Modification (DC0063) | WinEventLog:Sysmon | EventCode=13 |

| Field | Description |
|---|---|
| ProcessNameExclusions | List of expected administrative tools/processes to prevent false positives. |
| TimeWindow | Defines correlation window linking process termination, registry edits, and service stoppage. |
| ServiceNames | Customizable list of security service names per enterprise deployment. |
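The correlation the three tables describe, written out as an added example (this is not MITRE's or any vendor's code): each Sysmon 5 / Sysmon 13 / 7045 event is mapped to a tamper signal, and a host is alerted on only when two or more distinct signals fall inside TimeWindow. The service names, process names, the exclusion list and the sample events are constructed values standing in for the mutable elements; the flattened field names (`Image`, `TargetObject`, `ServiceName`, `ImagePath`) follow common SIEM exports but are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Mutable elements from the analytic, filled with example values (assumptions, not the page's data).
SERVICE_NAMES = {"WinDefend", "Sense", "Sysmon64", "CSFalconService"}     # ServiceNames
SECURITY_PROCESSES = {"msmpeng.exe", "sysmon64.exe", "csfalconservice.exe", "mssense.exe"}
# ProcessNameExclusions: actors whose registry edits are routine. Sysmon rewrites its own
# rules key when a config is reloaded, so its image must not count as tampering.
PROCESS_NAME_EXCLUSIONS = {"sysmon64.exe"}
SYSMON_KEY_PREFIX = r"hklm\system\currentcontrolset\services\sysmondrv"
TIME_WINDOW = timedelta(minutes=10)                                        # TimeWindow

# Constructed sample events in a flattened key/value shape.
EVENTS = [
    {"ts": "2024-05-01T10:00:05", "host": "ws01", "log": "Sysmon", "EventCode": 5,
     "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe"},
    {"ts": "2024-05-01T10:03:10", "host": "ws01", "log": "Sysmon", "EventCode": 13,
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Rules",
     "Image": r"C:\Windows\System32\reg.exe"},
    {"ts": "2024-05-01T10:04:00", "host": "ws01", "log": "Security", "EventCode": 7045,
     "ServiceName": "WinDefend", "ImagePath": r"C:\Users\Public\svchost.exe"},
    {"ts": "2024-05-01T11:30:00", "host": "ws02", "log": "Sysmon", "EventCode": 5,
     "Image": r"C:\Windows\Sysmon64.exe"},                 # lone signal: reboot or agent upgrade
    {"ts": "2024-05-01T12:00:00", "host": "ws03", "log": "Sysmon", "EventCode": 13,
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Rules",
     "Image": r"C:\Windows\Sysmon64.exe"},                 # Sysmon reloading its own config
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Map one event to a tamper signal name, or None when it is not interesting."""
    code = ev["EventCode"]
    if ev["log"] == "Sysmon" and code == 5:
        if basename(ev["Image"]) in SECURITY_PROCESSES:
            return "security_process_terminated"
    elif ev["log"] == "Sysmon" and code == 13:
        if (ev["TargetObject"].lower().startswith(SYSMON_KEY_PREFIX)
                and basename(ev["Image"]) not in PROCESS_NAME_EXCLUSIONS):
            return "sysmon_config_key_modified"
    elif ev["log"] == "Security" and code == 7045:
        # A 7045 that re-registers a known security service name with a different binary
        if ev["ServiceName"] in SERVICE_NAMES and basename(ev["ImagePath"]) not in SECURITY_PROCESSES:
            return "security_service_reregistered"
    return None


def correlate(events, window=TIME_WINDOW):
    """Per host, raise one alert when two or more distinct signal types occur within `window`."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        sig = classify(ev)
        if sig:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), sig))
    alerts = []
    for host, sigs in per_host.items():
        for i, (t0, _) in enumerate(sigs):
            cluster = {s for t, s in sigs[i:] if t - t0 <= window}
            if len(cluster) >= 2:
                alerts.append({"host": host, "start": t0.isoformat(), "signals": sorted(cluster)})
                break   # one alert per host is enough for this window
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Only ws01 produces an alert: ws02 has a single signal, and ws03's registry write comes from the excluded Sysmon binary itself. The same structure works for a SIEM scheduled search by replacing `EVENTS` with the last TimeWindow of events per host.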
Detection of adversaries attempting to stop or disable host-based security agents by killing daemons, unloading kernel modules, or modifying init/systemd service configurations.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve: systemctl stop, service stop, or kill -9 on security daemons (e.g., falcon-sensor, auditd) |
| Service Metadata (DC0041) | auditd:CONFIG_CHANGE | delete: Modification of systemd unit files or config for security agents |

| Field | Description |
|---|---|
| AgentServiceNames | List of endpoint protection service names (varies across deployments). |
| AllowedAdminAccounts | Accounts permitted to legitimately stop or reconfigure services. |
Detection of adversaries disabling endpoint security tools by unloading launch agents/daemons, modifying configuration profiles, or using security/uninstall commands to remove agents.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | Execution of launchctl unload, kill, or removal of security agent daemons |
| Service Metadata (DC0041) | macos:unifiedlog | Modification of system configuration profiles affecting security tools |

| Field | Description |
|---|---|
| DaemonNames | Expected security agent daemons (e.g., com.crowdstrike.falcon.Agent). |
| TimeWindow | Detection correlation period for multiple security tool disable actions. |
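One command-line check covers both the Linux (auditd execve) and macOS (launchctl) analytics above, so it is shown once here as an added example rather than code from MITRE or any agent vendor. The auditd records are constructed in the `log_format = ENRICHED` layout so that `AUID="..."` carries an account name; the macOS lines use a constructed key/value shape rather than the real `log show` layout. AgentServiceNames, DaemonNames, AllowedAdminAccounts and the pid-to-daemon map are example values, and the pid map is a hypothetical enrichment from process inventory, needed because `kill -9 <pid>` names no process.

```python
import re
import shlex
from collections import defaultdict

# Mutable elements with example values (assumptions for this demo, not the page's data).
AGENT_SERVICE_NAMES = {"falcon-sensor", "auditd", "osqueryd"}         # Linux AgentServiceNames
DAEMON_NAMES = {"com.crowdstrike.falcon.Agent", "com.osquery.agent"}   # macOS DaemonNames
ALLOWED_ADMIN_ACCOUNTS = {"svc-patch"}                                 # AllowedAdminAccounts
# Hypothetical pid -> daemon map from a process inventory; `kill -9 <pid>` cannot be
# attributed to a daemon without it.
SECURITY_DAEMON_PIDS = {"4131": "falcon-sensor"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r"audit\([\d.]+:(\d+)\)")

# Constructed sample records.
AUDIT_LINES = [
    'type=SYSCALL msg=audit(1714557605.101:456): arch=c000003e syscall=59 success=yes exit=0 ppid=3201 pid=3202 auid=1000 uid=0 comm="systemctl" exe="/usr/bin/systemctl" key="agent_control" AUID="alice" UID="root"',
    'type=EXECVE msg=audit(1714557605.101:456): argc=3 a0="systemctl" a1="stop" a2="falcon-sensor"',
    'type=SYSCALL msg=audit(1714557710.220:457): arch=c000003e syscall=59 success=yes exit=0 ppid=3301 pid=3302 auid=1002 uid=0 comm="kill" exe="/usr/bin/kill" key="agent_control" AUID="svc-patch" UID="root"',
    'type=EXECVE msg=audit(1714557710.220:457): argc=3 a0="kill" a1="-9" a2="4131"',
    'type=SYSCALL msg=audit(1714557800.005:458): arch=c000003e syscall=59 success=yes exit=0 ppid=3401 pid=3402 auid=1000 uid=0 comm="systemctl" exe="/usr/bin/systemctl" key="agent_control" AUID="alice" UID="root"',
    'type=EXECVE msg=audit(1714557800.005:458): argc=3 a0="systemctl" a1="restart" a2="nginx"',
]
MACOS_LINES = [
    '2024-05-01T10:02:11 process=launchctl user=bob argv="launchctl unload /Library/LaunchDaemons/com.crowdstrike.falcon.Agent.plist"',
    '2024-05-01T10:05:40 process=launchctl user=bob argv="launchctl list"',
]


def parse_kv(line):
    """Parse key=value pairs; quoted values are unquoted."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def group_audit_records(lines):
    """Join the SYSCALL and EXECVE records that share an audit serial into one event with argv."""
    events = defaultdict(dict)
    for line in lines:
        rec = parse_kv(line)
        ev = events[SERIAL_RE.search(line).group(1)]
        if rec["type"] == "SYSCALL":
            ev["account"] = rec.get("AUID", rec.get("auid"))   # login account, not the effective uid
        elif rec["type"] == "EXECVE":
            ev["argv"] = [rec[f"a{i}"] for i in range(int(rec["argc"]))]
    return [ev for ev in events.values() if "argv" in ev]


def evaluate_argv(argv, account):
    """Return a finding when argv stops, kills or unloads a security agent, else None."""
    if not argv:
        return None
    cmd, args = argv[0].rsplit("/", 1)[-1], argv[1:]
    target = None
    if cmd in ("systemctl", "service") and any(a in ("stop", "disable", "mask", "kill") for a in args):
        target = next((a for a in args if a in AGENT_SERVICE_NAMES), None)
    elif cmd in ("pkill", "killall"):
        target = next((a for a in args if a in AGENT_SERVICE_NAMES), None)
    elif cmd == "kill":
        target = next((SECURITY_DAEMON_PIDS[a] for a in args if a in SECURITY_DAEMON_PIDS), None)
    elif cmd == "launchctl" and any(a in ("unload", "bootout", "remove") for a in args):
        target = next((d for d in DAEMON_NAMES if any(d in a for a in args)), None)
    if target is None:
        return None
    return {"command": " ".join(argv), "target": target, "account": account,
            "authorized": account in ALLOWED_ADMIN_ACCOUNTS}


def detect(audit_lines, macos_lines):
    findings = []
    for ev in group_audit_records(audit_lines):
        finding = evaluate_argv(ev["argv"], ev.get("account"))
        if finding:
            findings.append(finding)
    for line in macos_lines:
        rec = parse_kv(line)
        finding = evaluate_argv(shlex.split(rec.get("argv", "")), rec.get("user"))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in detect(AUDIT_LINES, MACOS_LINES):
        print(finding)
```

The `authorized` flag is kept on the finding rather than used to drop it: a stop by an allowed maintenance account is still worth recording, it just should not page anyone. Reading `AUID` rather than `uid` matters because most of these commands run under sudo, where the effective uid is always root.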
Detection of adversaries disabling cloud monitoring and logging agents such as CloudWatch, Google Cloud Monitoring, or Azure Monitor by API calls or agent process termination.

| Data Component | Name | Channel |
|---|---|---|
| Cloud Service Modification (DC0069) | AWS:CloudTrail | Delete* / Stop*: DeleteAlarms, StopLogging, or DisableMonitoring API calls |

| Field | Description |
|---|---|
| APIActions | Customizable list of cloud provider API calls related to monitoring/alerting disablement. |
| UserContext | Distinguishes adversary actions from authorized DevOps/CloudOps activities. |
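The CloudTrail matching described above, as an added example that is not MITRE's or AWS's code: APIActions is a list of glob patterns scoped to monitoring-related event sources, and UserContext is a list of principal ARN patterns whose changes are expected. The records, the account id 111122223333, the `CloudOpsAutomation` role and the detector id are constructed sample values.

```python
import fnmatch
import json

# Mutable elements with example values (assumptions for this demo).
API_ACTIONS = ["Delete*", "Stop*", "Disable*", "UpdateTrail", "PutEventSelectors", "UpdateDetector"]
MONITORING_SOURCES = {"cloudtrail.amazonaws.com", "monitoring.amazonaws.com", "logs.amazonaws.com",
                      "guardduty.amazonaws.com", "config.amazonaws.com"}
# UserContext: principals whose monitoring changes are expected (hypothetical automation role).
AUTHORIZED_PRINCIPAL_PATTERNS = ["arn:aws:sts::*:assumed-role/CloudOpsAutomation/*"]

# Constructed CloudTrail export; field names follow the CloudTrail record format.
SAMPLE_CLOUDTRAIL = """{"Records": [
 {"eventTime": "2024-05-01T10:00:05Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/Developer/alice"},
  "requestParameters": {"name": "org-trail"}},
 {"eventTime": "2024-05-01T10:01:00Z", "eventSource": "monitoring.amazonaws.com", "eventName": "DeleteAlarms",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/CloudOpsAutomation/pipeline"},
  "requestParameters": {"alarmNames": ["cpu-high-old"]}},
 {"eventTime": "2024-05-01T10:02:00Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "DescribeTrails",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/Developer/alice"},
  "requestParameters": {}},
 {"eventTime": "2024-05-01T10:03:00Z", "eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
  "requestParameters": {"bucketName": "scratch"}},
 {"eventTime": "2024-05-01T10:04:30Z", "eventSource": "guardduty.amazonaws.com", "eventName": "DeleteDetector",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
  "requestParameters": {"detectorId": "EXAMPLE-DETECTOR-ID"}, "errorCode": "AccessDenied"}
]}"""


def load_records(text):
    return json.loads(text)["Records"]


def principal_of(record):
    ident = record.get("userIdentity", {})
    return ident.get("arn") or ident.get("principalId", "unknown")


def is_authorized(principal):
    return any(fnmatch.fnmatchcase(principal, p) for p in AUTHORIZED_PRINCIPAL_PATTERNS)


def evaluate_record(record):
    """Return a finding for a monitoring-disablement API call, else None."""
    if record.get("eventSource") not in MONITORING_SOURCES:
        return None          # Delete* on S3 or EC2 is a different analytic
    name = record.get("eventName", "")
    if not any(fnmatch.fnmatchcase(name, p) for p in API_ACTIONS):
        return None
    principal = principal_of(record)
    return {"time": record["eventTime"], "action": name, "source": record["eventSource"],
            "principal": principal,
            "params": json.dumps(record.get("requestParameters", {}), sort_keys=True),
            "succeeded": "errorCode" not in record,     # denied attempts are still recorded
            "authorized": is_authorized(principal)}


def detect(records):
    """Findings for unauthorized principals only; authorized ones are evaluated but not alerted."""
    return [f for f in (evaluate_record(r) for r in records) if f and not f["authorized"]]


if __name__ == "__main__":
    for finding in detect(load_records(SAMPLE_CLOUDTRAIL)):
        print(finding)
```

Two findings come out: the trail being stopped by a developer role, and a denied attempt to delete a GuardDuty detector. Failed calls are kept because an AccessDenied on StopLogging or DeleteDetector is usually the earliest visible sign of the behaviour the analytic targets.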
Detection of adversaries tampering with container runtime security plugins, disabling admission controllers, or stopping monitoring sidecars.

| Data Component | Name | Channel |
|---|---|---|
| Service Metadata (DC0041) | kubernetes:audit | kubectl delete or patch of security pods/admission controllers |

| Field | Description |
|---|---|
| NamespaceExclusions | Exclusion of namespaces where temporary deletion of monitoring tools is legitimate (e.g., staging). |
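The Kubernetes audit check above as an added example (not MITRE's or any project's code): destructive verbs against cluster-scoped webhook configurations, or against workloads in namespaces where security tooling runs, are flagged, and NamespaceExclusions suppresses the staging case. The audit events are constructed JSON lines in the shape the API server's log backend writes; the namespace names, usernames and object names are sample values.

```python
import json

# Mutable elements with example values (assumptions for this demo).
SECURITY_NAMESPACES = {"falco", "kube-system", "gatekeeper-system"}   # where security workloads live
NAMESPACE_EXCLUSIONS = {"staging"}                                    # NamespaceExclusions
CLUSTER_SCOPED_SECURITY_RESOURCES = {"validatingwebhookconfigurations", "mutatingwebhookconfigurations"}
WORKLOAD_RESOURCES = {"pods", "daemonsets", "deployments", "statefulsets"}
TAMPER_VERBS = {"delete", "deletecollection", "patch", "update"}

# Constructed audit log lines (audit.k8s.io Event objects, one per line).
AUDIT_LINES = [
    '{"kind":"Event","stage":"RequestReceived","verb":"delete","user":{"username":"alice"},"objectRef":{"resource":"daemonsets","namespace":"falco","name":"falco"}}',
    '{"kind":"Event","stage":"ResponseComplete","verb":"delete","user":{"username":"alice"},"objectRef":{"resource":"daemonsets","namespace":"falco","name":"falco"},"responseStatus":{"code":200}}',
    '{"kind":"Event","stage":"ResponseComplete","verb":"delete","user":{"username":"alice"},"objectRef":{"resource":"validatingwebhookconfigurations","name":"gatekeeper-validating-webhook-configuration"},"responseStatus":{"code":200}}',
    '{"kind":"Event","stage":"ResponseComplete","verb":"delete","user":{"username":"ci-bot"},"objectRef":{"resource":"pods","namespace":"staging","name":"monitoring-sidecar-test"},"responseStatus":{"code":200}}',
    '{"kind":"Event","stage":"ResponseComplete","verb":"patch","user":{"username":"dev"},"objectRef":{"resource":"deployments","namespace":"shop","name":"web"},"responseStatus":{"code":200}}',
    '{"kind":"Event","stage":"ResponseComplete","verb":"delete","user":{"username":"bob"},"objectRef":{"resource":"daemonsets","namespace":"falco","name":"falco"},"responseStatus":{"code":403}}',
]


def evaluate_event(ev):
    """Return a finding for a destructive verb against a security resource, else None."""
    # Only the final stage carries the response code; RequestReceived would double-count.
    if ev.get("stage") != "ResponseComplete" or ev.get("verb") not in TAMPER_VERBS:
        return None
    ref = ev.get("objectRef", {})
    resource, ns = ref.get("resource", ""), ref.get("namespace")
    if ns in NAMESPACE_EXCLUSIONS:
        return None
    if resource in CLUSTER_SCOPED_SECURITY_RESOURCES:
        kind = "admission_controller_tampering"
    elif ns in SECURITY_NAMESPACES and resource in WORKLOAD_RESOURCES:
        kind = "security_workload_tampering"
    else:
        return None
    code = ev.get("responseStatus", {}).get("code", 0)
    return {"kind": kind, "verb": ev["verb"], "user": ev.get("user", {}).get("username"),
            "object": f"{ns or 'cluster'}/{resource}/{ref.get('name')}",
            "succeeded": 200 <= code < 300}


def detect(lines):
    findings = []
    for line in lines:
        finding = evaluate_event(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in detect(AUDIT_LINES):
        print(finding)
```

Three findings result: the Falco daemonset deletion, the Gatekeeper webhook deletion, and a forbidden second attempt on the daemonset, which is kept with `succeeded` set to False. The staging pod is dropped by the exclusion and the application deployment patch never matches.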
Detection of adversaries modifying startup configuration files to disable signature verification, logging, or monitoring features.

| Data Component | Name | Channel |
|---|---|---|
| Service Metadata (DC0041) | networkdevice:config | write: Startup configuration changes disabling security checks |

| Field | Description |
|---|---|
| ConfigBaseline | Reference configuration state for detecting unauthorized modifications. |
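A ConfigBaseline comparison, as an added example that is not MITRE's or any vendor's code: the stored reference configuration is diffed against the current startup configuration, and removed lines matching logging, AAA, SSH or boot-image verification statements, plus added `no ...` negations of them, are reported. The two configurations are constructed in IOS-style syntax; the line patterns would need adjusting for other vendors.

```python
import difflib
import re

# Configuration statements whose removal weakens logging, authentication or image verification
# (IOS-style syntax; example patterns, adapt per vendor).
SECURITY_LINE_PATTERNS = [
    r"^logging (host|trap|buffered)",
    r"^aaa ",
    r"^ip ssh ",
    r"^snmp-server host",
    r"^secure boot-(image|config)",
]
NEGATION_RE = re.compile(r"^no (logging|aaa|ip ssh|secure boot|snmp-server)")

# Constructed baseline (ConfigBaseline) and current startup configuration.
BASELINE = """\
!
! Last configuration change at 09:12:33 UTC Mon May 1 2024
!
hostname edge-rtr-1
!
aaa new-model
aaa authentication login default group tacacs+ local
ip ssh version 2
logging host 10.0.0.5
logging trap informational
snmp-server host 10.0.0.6 version 3 priv netmon
secure boot-image
secure boot-config
!
end
"""
CURRENT = """\
!
! Last configuration change at 02:41:07 UTC Tue May 2 2024
!
hostname edge-rtr-1
!
aaa new-model
aaa authentication login default group tacacs+ local
ip ssh version 2
logging trap informational
no logging console
snmp-server host 10.0.0.6 version 3 priv netmon
secure boot-config
!
end
"""


def normalize(config_text):
    """Drop comment lines, timestamps and blank lines so the diff sees only statements."""
    lines = []
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if line.startswith(("Building configuration", "Current configuration")):
            continue
        lines.append(line)
    return lines


def compare_to_baseline(baseline_text, current_text):
    """Return removed/added statements and the subset that counts as a security regression."""
    base, cur = normalize(baseline_text), normalize(current_text)
    removed, added = [], []
    for line in difflib.unified_diff(base, cur, lineterm="", n=0):
        if line.startswith(("---", "+++", "@@")):
            continue
        if line.startswith("-"):
            removed.append(line[1:])
        elif line.startswith("+"):
            added.append(line[1:])
    findings = []
    for line in removed:
        if any(re.search(p, line.strip()) for p in SECURITY_LINE_PATTERNS):
            findings.append({"change": "removed", "line": line})
    for line in added:
        if NEGATION_RE.match(line.strip()):
            findings.append({"change": "added", "line": line})
    return {"removed": removed, "added": added, "findings": findings}


if __name__ == "__main__":
    for finding in compare_to_baseline(BASELINE, CURRENT)["findings"]:
        print(finding)
```

The comparison reports the missing syslog destination, the dropped `secure boot-image` verification and the added `no logging console`. Normalizing away the timestamp comment lines first keeps routine `write memory` runs from producing a diff on every check.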