Service Termination
Service termination involves forcibly stopping or killing the runtime security services, agents, or daemons that provide protection within a containerized or cloud environment. During the Deepening Control phase, attackers who have already gained access target these runtime protection services to eliminate security monitoring. By terminating monitoring agents such as Falco, Sysdig, Aqua Security, or cloud provider security services, attackers operate with reduced visibility, avoid detection of their subsequent activity, and bypass the controls that would otherwise alert on their behavior. The technique is effective because many container security solutions run as ordinary processes or services: they can be found with a process listing (for example `ps`) and stopped with standard operating system commands such as `kill`, `pkill`, or `service stop`, provided the attacker has obtained sufficient privileges (on the node, root or an equivalent capability; from inside a container, typically access to the host PID namespace as well). Successfully terminating these protective services creates a blind spot for security teams and lets the attacker proceed to lateral movement, privilege escalation, or data exfiltration without triggering alerts.
Mitigations
| ID | Mitigation | Description |
| --- | --- | --- |
| M1026 | Privileged Account Management | Limit the ability to stop security services to a small, MFA-protected admin group; audit all stop/kill commands that target protection daemons. |
| M1040 | Behavior Prevention on Endpoint | Enable the agent's self-defence and watchdog features so that a killed agent restarts automatically and its termination generates a high-severity alert. |
Detection
| ID | Data Source | Detection |
| --- | --- | --- |
| DS0009 | Process: Process Termination | Alert on `kill -9`, `pkill`, `taskkill /F`, or `Stop-Service` invocations that reference AV/EDR/RASP or runtime-agent processes. Because `kill` takes a PID rather than a name, correlate the PID with the process name at the time the signal is sent. |
| DS0015 | Application Log | Monitor agent logs for unexpected shutdown events, and alert when an agent's heartbeat has been missing for longer than a short interval. |