Adversaries may disable or stop critical services to prevent detection or maintain persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential sabotage or evasion tactics.
Detection Rule
title: Disable Or Stop Services
id: de25eeb8-3655-4643-ac3a-b662d3f26b6b
status: test
description: Detects the usage of utilities such as 'systemctl', 'service', etc. to stop or disable tools and services
references:
    - https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-15
tags:
    - attack.defense-evasion
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith:
            - '/service'
            - '/systemctl'
            - '/chkconfig'
        CommandLine|contains:
            - 'stop'
            - 'disable'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: medium
imProcessCreate
| where (TargetProcessName endswith "/service" or TargetProcessName endswith "/systemctl" or TargetProcessName endswith "/chkconfig") and (TargetProcessCommandLine contains "stop" or TargetProcessCommandLine contains "disable")
Scenario: A system administrator is disabling a non-critical service during a routine maintenance window using systemctl disable.
Filter/Exclusion: Check if the service name is in a predefined list of known non-critical services (e.g., avahi-daemon, bluetooth, cups).
Scenario: A scheduled job (e.g., via cron or systemd-timer) is configured to stop a service temporarily to perform an update or backup.
Filter/Exclusion: Include a check for the presence of a scheduled job or timer unit in the service command (e.g., systemctl stop <service>.timer).
Scenario: An IT team is disabling a service as part of a security patching process using the service command.
Filter/Exclusion: Filter by services commonly associated with patching (e.g., iptables, firewalld, dnsmasq), or check for the presence of a patching script or log entry.
Scenario: A developer is stopping a service temporarily to debug an application using systemctl stop or service stop.
Filter/Exclusion: Include a check for the presence of a debugging script, log entry, or user context (e.g., sudo -u developer).
Scenario: A system update or upgrade process uses systemctl disable to ensure a service is not running during the update.
Filter/Exclusion: Check for the presence of an update script or package manager command (e.g., apt, yum, dnf) in the same log entry or timestamp window.
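The following is an added example, not part of the Sigma rule or the Sentinel query above: it reimplements the rule's selection in Python over constructed process-creation events and layers on the non-critical-service allowlist from the first false-positive scenario. The event field names, the allowlist contents and the sample command lines are assumptions made for illustration.

```python
import shlex
from dataclasses import dataclass

# Image suffixes and command-line substrings from the Sigma selection above.
IMAGE_SUFFIXES = ("/service", "/systemctl", "/chkconfig")
CMDLINE_TOKENS = ("stop", "disable")

# Constructed allowlist for the routine-maintenance scenario: services the SOC
# treats as non-critical, so stopping or disabling them does not alert.
NON_CRITICAL_SERVICES = {"avahi-daemon", "bluetooth", "cups"}

@dataclass
class ProcessCreate:
    image: str          # Sigma 'Image' / Sentinel 'TargetProcessName'
    command_line: str   # Sigma 'CommandLine' / Sentinel 'TargetProcessCommandLine'

def matches_selection(ev: ProcessCreate) -> bool:
    """Sigma selection: Image|endswith AND CommandLine|contains (case-insensitive)."""
    cmd = ev.command_line.lower()
    return ev.image.endswith(IMAGE_SUFFIXES) and any(t in cmd for t in CMDLINE_TOKENS)

def target_service(ev: ProcessCreate):
    """Best-effort unit name: 'systemctl <verb> <unit>' vs 'service|chkconfig <name> <verb>'."""
    args = [a for a in shlex.split(ev.command_line)[1:] if not a.startswith("-")]
    if len(args) < 2:
        return None
    tool = ev.image.rsplit("/", 1)[-1]
    name = args[1] if tool == "systemctl" else args[0]
    return name.removesuffix(".service")

def evaluate(ev: ProcessCreate) -> str:
    """'alert' for a rule hit, 'suppressed' if the unit is allowlisted, else 'no_match'."""
    if not matches_selection(ev):
        return "no_match"
    if target_service(ev) in NON_CRITICAL_SERVICES:
        return "suppressed"
    return "alert"

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ProcessCreate("/usr/bin/systemctl", "systemctl stop auditd.service"),   # alert
    ProcessCreate("/usr/bin/systemctl", "systemctl disable cups"),          # suppressed
    ProcessCreate("/usr/sbin/service", "service rsyslog stop"),             # alert
    ProcessCreate("/usr/bin/systemctl", "systemctl status sshd"),           # no_match
]

for ev in SAMPLE_EVENTS:
    print(f"{evaluate(ev):10s} {ev.command_line}")
```

Because the selection uses plain substring matching, any command line containing "stop" or "disable" in another word also fires; tuning on the extracted unit name rather than the raw command line keeps the suppression narrow.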