Agent Spoofing - Multiple Hosts Using Same Agent

 1[metadata]
 2creation_date = "2021/07/14"
 3maturity = "production"
 4updated_date = "2024/06/14"
 5
 6[rule]
 7author = ["Elastic"]
 8description = """
 9Detects when multiple hosts are using the same agent ID. This could occur in the event of an agent being taken over and
10used to inject illegitimate documents into an instance as an attempt to spoof events in order to masquerade actual
11activity to evade detection.
12"""
13false_positives = [
14    """
15    This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the
16    necessary field, resulting in false positives.
17    """,
18]
19from = "now-9m"
20index = ["logs-*", "metrics-*", "traces-*"]
21language = "kuery"
22license = "Elastic License v2"
23name = "Agent Spoofing - Multiple Hosts Using Same Agent"
24risk_score = 73
25rule_id = "493834ca-f861-414c-8602-150d5505b777"
26severity = "high"
27tags = ["Use Case: Threat Detection", "Tactic: Defense Evasion"]
28timestamp_override = "event.ingested"
29type = "threshold"
30
31query = '''
32event.agent_id_status:* and not tags:forwarded
33'''
34
35
36[[rule.threat]]
37framework = "MITRE ATT&CK"
38[[rule.threat.technique]]
39id = "T1036"
40name = "Masquerading"
41reference = "https://attack.mitre.org/techniques/T1036/"
42
43
44[rule.threat.tactic]
45id = "TA0005"
46name = "Defense Evasion"
47reference = "https://attack.mitre.org/tactics/TA0005/"
48
49[rule.threshold]
50field = ["agent.id"]
51value = 2
52[[rule.threshold.cardinality]]
53field = "host.id"
54value = 2