Agent Spoofing - Multiple Hosts Using Same Agent
Detects when multiple hosts report events under the same agent ID. This can occur when an agent has been taken over and used to inject illegitimate documents into an Elasticsearch instance, spoofing events in order to disguise real activity and evade detection. The rule only considers documents that carry the event.agent_id_status field (written by Elastic Agent 7.14 and later), groups them by agent.id, and alerts when a single agent ID appears with two or more distinct host.id values inside the 9-minute lookback window.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2021/07/14"
maturity = "production"
updated_date = "2023/06/22"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"

[rule]
author = ["Elastic"]
description = """Detects when multiple hosts are using the same agent ID. This could occur in the event of an agent
being taken over and used to inject illegitimate documents into an instance as an attempt to spoof events in order to
masquerade actual activity to evade detection.
"""
false_positives = [
    """
    This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the
    necessary field, resulting in false positives.
    """,
]
from = "now-9m"
index = ["logs-*", "metrics-*", "traces-*"]
language = "kuery"
license = "Elastic License v2"
name = "Agent Spoofing - Multiple Hosts Using Same Agent"
risk_score = 73
rule_id = "493834ca-f861-414c-8602-150d5505b777"
severity = "high"
tags = ["Use Case: Threat Detection", "Tactic: Defense Evasion"]
timestamp_override = "event.ingested"
type = "threshold"

query = '''
event.agent_id_status:*
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"


[rule.threshold]
field = ["agent.id"]
value = 2

[[rule.threshold.cardinality]]
field = "host.id"
value = 2
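The following is an added example, not code from Elastic or the detection-rules repository: a small offline re-implementation of the threshold logic above (query filter on event.agent_id_status, grouping by agent.id, distinct-host cardinality on host.id, and the now-9m lookback keyed on event.ingested), run over a handful of constructed documents. The document contents, agent and host IDs, and the agent_id_status values used in the sample are assumptions made for illustration; in production the aggregation is performed by Elasticsearch, not by client-side code like this.

```python
"""Offline model of the "Multiple Hosts Using Same Agent" threshold rule.

Added example, not part of the Elastic rule. Field names follow the ECS /
Elastic Agent names the rule references; the sample documents are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample documents (not real telemetry).
SAMPLE_DOCS = [
    # a1: healthy agent, one host.id only -> no alert
    {"agent.id": "a1", "host.id": "h-alpha", "event.agent_id_status": "verified",
     "event.ingested": "2023-06-22T10:00:00Z"},
    {"agent.id": "a1", "host.id": "h-alpha", "event.agent_id_status": "verified",
     "event.ingested": "2023-06-22T10:01:00Z"},
    # a2: same agent.id reporting from two different hosts -> alert
    {"agent.id": "a2", "host.id": "h-bravo", "event.agent_id_status": "verified",
     "event.ingested": "2023-06-22T10:02:00Z"},
    {"agent.id": "a2", "host.id": "h-charlie", "event.agent_id_status": "mismatch",
     "event.ingested": "2023-06-22T10:03:00Z"},
    # a3: pre-7.14 style documents with no event.agent_id_status field.
    # The KQL filter excludes them, which is why the rule is not meant for
    # older agents (see false_positives above).
    {"agent.id": "a3", "host.id": "h-delta", "event.ingested": "2023-06-22T10:04:00Z"},
    {"agent.id": "a3", "host.id": "h-echo", "event.ingested": "2023-06-22T10:04:30Z"},
    # a4: second host seen, but outside the 9-minute lookback -> no alert
    {"agent.id": "a4", "host.id": "h-foxtrot", "event.agent_id_status": "verified",
     "event.ingested": "2023-06-22T09:30:00Z"},
    {"agent.id": "a4", "host.id": "h-golf", "event.agent_id_status": "verified",
     "event.ingested": "2023-06-22T10:05:00Z"},
]

LOOKBACK = timedelta(minutes=9)   # from = "now-9m"
THRESHOLD_DOCS = 2                # [rule.threshold] value = 2
THRESHOLD_HOSTS = 2               # [[rule.threshold.cardinality]] value = 2


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample documents."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def matches_query(doc):
    """event.agent_id_status:* -- the field must exist, with any value."""
    return doc.get("event.agent_id_status") is not None


def find_spoofed_agents(docs, now, lookback=LOOKBACK):
    """Return {agent.id: sorted host.ids} for every agent.id that, within the
    lookback window ending at `now`, has at least THRESHOLD_DOCS matching
    documents spread over at least THRESHOLD_HOSTS distinct host.id values."""
    window_start = now - lookback
    doc_count = defaultdict(int)
    hosts = defaultdict(set)
    for doc in docs:
        if not matches_query(doc):
            continue
        # timestamp_override = "event.ingested": window on ingestion time
        ts = parse_ts(doc["event.ingested"])
        if not (window_start <= ts <= now):
            continue
        agent = doc["agent.id"]
        doc_count[agent] += 1
        if doc.get("host.id"):
            hosts[agent].add(doc["host.id"])
    return {
        agent: sorted(hosts[agent])
        for agent in doc_count
        if doc_count[agent] >= THRESHOLD_DOCS and len(hosts[agent]) >= THRESHOLD_HOSTS
    }


if __name__ == "__main__":
    now = parse_ts("2023-06-22T10:06:00Z")
    for agent, host_ids in find_spoofed_agents(SAMPLE_DOCS, now).items():
        print(f"ALERT agent.id={agent} seen from hosts {host_ids}")
```

Only a2 fires: a1 never leaves its host, a3 has no event.agent_id_status and is filtered out before counting, and a4's second host falls outside the window. When triaging a real hit, the status values on the offending documents are the first thing to look at, since a mixture of statuses under one agent.id is what distinguishes a reused or stolen agent identity from an agent that was legitimately re-enrolled.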
Related rules
- Agent Spoofing - Mismatched Agent ID
- File Made Executable via Chmod Inside A Container
- Application Removed from Blocklist in Google Workspace
- Azure Alert Suppression Rule Created or Modified
- Azure Application Credential Modification