app-armor-stopped

Hunt Hypothesis

The app-armor-stopped rule detects potential adversary tampering with application isolation mechanisms, indicating possible evasion of security controls. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate Sysrv botnet activity that could lead to resource theft and cryptocurrency mining.

KQL Query

DeviceProcessEvents
| where InitiatingProcessCommandLine  has "/bin/bash /tmp/" and ProcessCommandLine has "service apparmor stop"

Analytic Rule Definition

id: a188fa21-dd3a-4cf9-910b-1384711f7dce
name: app-armor-stopped
description: |
  This query was originally published in the threat analytics report, Sysrv botnet evolution.
  Sysrv is a Go-based botnet that targets both Windows and Linux servers, and steals resources to mine cryptocurrency.
  The following query finds instances of the attacker attempting to stop the AppArmor network security service on devices running Linux.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceProcessEvents
query: |
  DeviceProcessEvents
  | where InitiatingProcessCommandLine  has "/bin/bash /tmp/" and ProcessCommandLine has "service apparmor stop"

Required Data Sources

References

• [Source Query](https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/Campaigns/Sysrv-botnet/app-armor-stopped.yaml)

False Positive Guidance

• Scenario: System administrator manually stops AppArmor service during routine maintenance.
  Filter/Exclusion: process.name != "apparmor" OR process.name != "apparmor.service"

• Scenario: Scheduled job runs to temporarily disable AppArmor for patching or configuration changes.
  Filter/Exclusion: process.name != "apparmor" OR process.name != "apparmor.service" OR event.type != "service_stop"

• Scenario: A legitimate security tool or script (e.g., debsecan, apt or apt-get) temporarily stops AppArmor to perform system updates.
  Filter/Exclusion: process.name != "apparmor" OR process.name != "apparmor.service" OR process.parent.name != "apt"

• Scenario: A system update or package manager (e.g., apt, yum, dnf) stops AppArmor as part of its upgrade process.
  Filter/Exclusion: process.name != "apparmor" OR process.name != "apparmor.service" OR process.parent.name IN ("apt", "yum", "dnf")

• Scenario: An admin uses systemctl to stop AppArmor for troubleshooting or diagnostics.
  Filter/Exclusion: process.name != "apparmor" OR process.name != "apparmor.service" OR event.type != "service_stop" OR process.parent.name != "systemctl"