DC0041 Service Metadata
| Item | Value |
|---|---|
| ID | DC0041 |
| Version | 2.0 |
| Created | 20 October 2021 |
| Last Modified | 12 November 2025 |
Log Sources
| Name | Channel |
|---|---|
| auditd:CONFIG_CHANGE | delete: Modification of systemd unit files or config for security agents |
| esxi:hostd | Stop VM or disable service events via vim-cmd |
| esxi:hostd | Registration of services with legitimate-sounding names |
| esxi:hostd | Service events |
| kubernetes:audit | seccomp or AppArmor profile changes |
| kubernetes:audit | kubectl delete or patch of security pods/admission controllers |
| linux:osquery | scheduled/real-time |
| linux:syslog | service stopped messages |
| linux:syslog | auditd service stopped or disabled |
| linux:syslog | Service restart with modified executable path |
| macos:osquery | launchd |
| macos:unifiedlog | launchctl disable or bootout calls |
| macos:unifiedlog | subsystem=com.apple.launchservices |
| macos:unifiedlog | Observed loading of new LaunchAgent or LaunchDaemon plist |
| macos:unifiedlog | Modification of system configuration profiles affecting security tools |
| networkdevice:config | write: Startup configuration changes disabling security checks |
| Service | None |
| WinEventLog:Sysmon | EventCode=4 |
| WinEventLog:System | EventCode=7035 |
| WinEventLog:System | Service stopped or RecoveryDisabled set via REAgentC |
| WinEventLog:WinRM | EventCode=6 |
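The channels above describe the same thing from different angles: a service, daemon, unit, LaunchDaemon or security pod changing state, together with who changed it. The added Python example below (not part of this ATT&CK page or of any MITRE tooling) shows how a detection such as DET0021 or DET0497 would consume several of these channels: it normalizes constructed records from WinEventLog:System 7035, Sysmon Event ID 4, systemd messages in linux:syslog, a launchctl call from macos:unifiedlog and a kubernetes:audit event into one ServiceEvent shape, then flags stop/disable/delete actions against a watchlist of security services. The sample lines, the key=value rendering of the Windows events, the minimal Kubernetes audit JSON, the service names (including `com.example.edr.agent`) and the watchlists are all assumptions made for the example.

```python
"""Normalize service-state records from several of the DC0041 log sources and flag
stop/disable actions against security-relevant services. Added example; all sample
lines, names and the watchlist are constructed for illustration."""
import json
import re
from dataclasses import dataclass
from typing import Optional

# Assumed watchlist of services whose stop/disable matters; a real deployment would
# derive this from the organisation's security-tool inventory.
PROTECTED_SERVICES = {
    "auditd", "sysmon", "sysmon64", "eventlog", "windefend",
    "com.example.edr.agent",  # hypothetical macOS EDR LaunchDaemon label
}
PROTECTED_K8S_NAMESPACES = {"kube-system", "security"}
STOP_ACTIONS = {"stop", "stopped", "stopping", "disable", "bootout", "delete", "patch"}


@dataclass(frozen=True)
class ServiceEvent:
    source: str   # log source name as listed in the table above
    service: str  # normalized service identifier (lowercase)
    action: str   # normalized verb: stop, stopped, start, disable, delete, ...
    actor: str    # account that issued the change, where the source records one


_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_WIN_MSG_RE = re.compile(r"The (.+?) service was successfully sent a (\w+) control")
_SYSTEMD_RE = re.compile(r"systemd\[\d+\]: (Stopped|Stopping|Started|Starting) (\S+?)\.service")
_LAUNCHCTL_RE = re.compile(r"launchctl\[\d+\]: (\w+) (?:system|user/\d+|gui/\d+)/(\S+)")


def parse_kv(line: str) -> dict:
    """Parse key=value pairs, honouring double-quoted values."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV_RE.finditer(line)}


def normalize(line: str) -> Optional[ServiceEvent]:
    """Map one raw record from any of the supported channels to a ServiceEvent."""
    if line.startswith("WinEventLog:System"):
        kv = parse_kv(line)
        m = _WIN_MSG_RE.search(kv.get("Message", ""))
        if kv.get("EventCode") != "7035" or not m:
            return None
        # 7035 carries the service display name and the control sent (start/stop).
        return ServiceEvent("WinEventLog:System", m.group(1).lower(), m.group(2).lower(),
                            kv.get("User", "n/a"))
    if line.startswith("WinEventLog:Sysmon"):
        kv = parse_kv(line)
        if kv.get("EventCode") != "4":
            return None
        # Sysmon Event ID 4 is Sysmon reporting its own state change; it has no actor field.
        return ServiceEvent("WinEventLog:Sysmon", "sysmon", kv.get("State", "n/a").lower(), "n/a")
    m = _SYSTEMD_RE.search(line)
    if m:
        return ServiceEvent("linux:syslog", m.group(2).lower(), m.group(1).lower(), "n/a")
    m = _LAUNCHCTL_RE.search(line)
    if m:
        return ServiceEvent("macos:unifiedlog", m.group(2).lower(), m.group(1).lower(), "n/a")
    if line.lstrip().startswith("{"):
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            return None
        ref = ev.get("objectRef", {})
        if ref.get("resource") != "pods":
            return None
        svc = f"{ref.get('namespace', '')}/{ref.get('name', '')}"
        return ServiceEvent("kubernetes:audit", svc, ev.get("verb", "").lower(),
                            ev.get("user", {}).get("username", "n/a"))
    return None


def is_suspicious(ev: ServiceEvent) -> bool:
    """Stop/disable/delete of a protected service, or of a pod in a protected namespace."""
    if ev.action not in STOP_ACTIONS:
        return False
    if ev.source == "kubernetes:audit":
        return ev.service.split("/", 1)[0] in PROTECTED_K8S_NAMESPACES
    return ev.service in PROTECTED_SERVICES


def detect(lines) -> list:
    """Return the suspicious ServiceEvents found in an iterable of raw records."""
    return [ev for ev in map(normalize, lines) if ev is not None and is_suspicious(ev)]


# Constructed sample records, one or two per channel; not real telemetry.
SAMPLE_LOGS = [
    'WinEventLog:System EventCode=7035 User="CORP\\jdoe" Message="The Sysmon64 service was successfully sent a stop control."',
    'WinEventLog:System EventCode=7035 User="NT AUTHORITY\\SYSTEM" Message="The Print Spooler service was successfully sent a start control."',
    "WinEventLog:Sysmon EventCode=4 State=Stopped",
    "Oct 20 10:14:03 web01 systemd[1]: Stopped auditd.service - Security Auditing Service.",
    "Oct 20 10:14:09 web01 systemd[1]: Started nginx.service - A high performance web server.",
    "launchctl[4242]: disable system/com.example.edr.agent",
    '{"kind":"Event","verb":"delete","user":{"username":"dev-user"},'
    '"objectRef":{"resource":"pods","namespace":"kube-system","name":"security-agent-7f9c2"}}',
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOGS):
        print(f"[{hit.source}] {hit.actor} -> {hit.action} {hit.service}")
```

Running the block flags five of the seven constructed records: the Sysmon64 stop control, Sysmon's own "Stopped" state report, the auditd unit stop, the launchctl disable of the EDR label, and the pod deletion in kube-system; the Print Spooler start and the nginx start pass through. The point a practitioner should take from it is that the Windows 7035 message carries the display name rather than the service key name, Sysmon Event ID 4 records no actor, and the Kubernetes event is the only one that reliably names the principal, so correlation with process or logon telemetry is still needed before attribution.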
Detection Strategy
| ID | Name | Technique Detected |
|---|---|---|
| DET0021 | Behavioral Detection for Service Stop across Platforms | T1489 |
| DET0329 | Behavioral Detection for T1490 - Inhibit System Recovery | T1490 |
| DET0127 | Behavioral Detection of Masquerading Across Platforms via Metadata and Execution Discrepancy | T1036 |
| DET0477 | Behavioral Detection of WinRM-Based Remote Access | T1021.006 |
| DET0274 | Boot or Logon Autostart Execution Detection Strategy | T1547 |
| DET0112 | Boot or Logon Initialization Scripts Detection Strategy | T1037 |
| DET0187 | Detect disabled Windows event logging | T1562.002 |
| DET0497 | Detection of Impair Defenses through Disabled or Modified Tools across OS Platforms. | T1562.001 |
| DET0117 | Detection of Masqueraded Tasks or Services with Suspicious Naming and Execution | T1036.004 |
| DET0765 | Detection of Service Stop | T0881 |
| DET0062 | Detection Strategy for Disable or Modify Linux Audit System | T1562.012 |
| DET0218 | Detection Strategy for Hijack Execution Flow across OS platforms. | T1574 |
| DET0317 | Detection Strategy for Impair Defenses Across Platforms | T1562 |
| DET0347 | Detection Strategy for Masquerading via Legitimate Resource Name or Location | T1036.005 |