Agent Spoofing - Multiple Hosts Using Same Agent

 1[metadata]
 2creation_date = "2021/07/14"
 3maturity = "production"
 4updated_date = "2023/06/22"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7
 8[rule]
 9author = ["Elastic"]
10description = """Detects when multiple hosts are using the same agent ID. This could occur in the event of an agent
11being taken over and used to inject illegitimate documents into an instance as an attempt to spoof events in order to
12masquerade actual activity to evade detection.
13"""
14false_positives = [
15    """
16    This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the
17    necessary field, resulting in false positives.
18    """,
19]
20from = "now-9m"
21index = ["logs-*", "metrics-*", "traces-*"]
22language = "kuery"
23license = "Elastic License v2"
24name = "Agent Spoofing - Multiple Hosts Using Same Agent"
25risk_score = 73
26rule_id = "493834ca-f861-414c-8602-150d5505b777"
27severity = "high"
28tags = ["Use Case: Threat Detection", "Tactic: Defense Evasion"]
29timestamp_override = "event.ingested"
30type = "threshold"
31
32query = '''
33event.agent_id_status:*
34'''
35
36
37[[rule.threat]]
38framework = "MITRE ATT&CK"
39[[rule.threat.technique]]
40id = "T1036"
41name = "Masquerading"
42reference = "https://attack.mitre.org/techniques/T1036/"
43
44
45[rule.threat.tactic]
46id = "TA0005"
47name = "Defense Evasion"
48reference = "https://attack.mitre.org/tactics/TA0005/"
49
50
51[rule.threshold]
52field = ["agent.id"]
53value = 2
54
55[[rule.threshold.cardinality]]
56field = "host.id"
57value = 2