Agent Spoofing - Multiple Hosts Using Same Agent
Detects when multiple hosts report the same agent ID. This can occur when an agent has been taken over and used to inject illegitimate documents into the instance, spoofing events so that real activity is masked and detection is evaded.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2021/07/14"
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Detects when multiple hosts are using the same agent ID. This could occur in the event of an agent being taken over and
used to inject illegitimate documents into an instance as an attempt to spoof events in order to masquerade actual
activity to evade detection.
"""
false_positives = [
    """
    This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the
    necessary field, resulting in false positives.
    """,
]
from = "now-9m"
index = ["logs-*", "metrics-*", "traces-*"]
language = "kuery"
license = "Elastic License v2"
name = "Agent Spoofing - Multiple Hosts Using Same Agent"
risk_score = 73
rule_id = "493834ca-f861-414c-8602-150d5505b777"
severity = "high"
tags = ["Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "threshold"

query = '''
event.agent_id_status:* and not tags:forwarded
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Agent Spoofing - Multiple Hosts Using Same Agent

In network environments, agents are deployed on hosts to monitor and report activities. Adversaries may exploit these agents by hijacking their IDs to inject false data, masking malicious actions. The detection rule identifies anomalies where multiple hosts report using the same agent ID, signaling potential spoofing attempts. By focusing on unique agent ID usage, it helps uncover evasion tactics aimed at concealing unauthorized activities.

### Possible investigation steps

- Review the alert details to identify the specific agent ID that is being reported by multiple hosts.
- Cross-reference the agent ID with the list of known and authorized agents to determine if it has been compromised or misconfigured.
- Examine the network logs and host activity for each host reporting the same agent ID to identify any unusual or unauthorized activities.
- Check for any recent changes or updates to the agent software on the affected hosts that could explain the anomaly.
- Investigate the timeline of events to determine when the agent ID started being used by multiple hosts and correlate this with any known incidents or changes in the network environment.
- Assess the potential impact of the spoofing attempt on the network's security posture and consider isolating affected hosts if necessary to prevent further malicious activity.

### False positive analysis

- Legitimate load balancing or failover scenarios where multiple hosts are configured to use the same agent ID for redundancy can trigger false positives. Users should identify and document these configurations, then create exceptions in the detection rule to exclude these known non-threatening behaviors.
- Virtualized environments where snapshots or clones of a host are created might result in multiple instances reporting the same agent ID. Users should ensure that each virtual instance is assigned a unique agent ID or adjust the rule to account for these scenarios.
- Testing or development environments where agents are intentionally duplicated for testing purposes can also lead to false positives. Users should tag these environments appropriately and modify the rule to exclude events from these tags.
- In cases where agents are temporarily reassigned to different hosts for maintenance or troubleshooting, users should maintain a log of these activities and adjust the detection rule to ignore these temporary changes.

### Response and remediation

- Isolate affected hosts immediately to prevent further spread of potentially malicious activities across the network.
- Revoke and reissue new agent IDs for the affected hosts to ensure that compromised IDs are no longer in use.
- Conduct a thorough forensic analysis on the isolated hosts to identify any unauthorized changes or malicious software that may have been introduced.
- Review and update access controls and authentication mechanisms for agent deployment to prevent unauthorized access and hijacking of agent IDs.
- Monitor network traffic and logs closely for any signs of continued spoofing attempts or related suspicious activities.
- Escalate the incident to the security operations center (SOC) and relevant stakeholders to ensure awareness and coordinated response efforts.
- Implement enhanced logging and alerting for agent ID anomalies to improve detection of similar threats in the future."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[rule.threshold]
field = ["agent.id"]
value = 2
[[rule.threshold.cardinality]]
field = "host.id"
value = 2
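To make the threshold semantics concrete, the following is an added example (not part of the Elastic rule or its repository) that re-implements the rule's logic in Python over a handful of constructed NDJSON events. It applies the KQL filter (`event.agent_id_status` must exist, and events tagged `forwarded` are skipped), then groups the remaining documents by `agent.id` and fires when an agent has at least `value = 2` documents spanning at least two distinct `host.id` values, which is what `[rule.threshold]` and `[[rule.threshold.cardinality]]` express. The sample lines are invented and assumed to all fall inside one `now-9m` lookback window; the agent and host identifiers are placeholders. The sample also exercises the two caveats the rule text raises: a pre-7.14 agent with no `event.agent_id_status` field, and an agent that legitimately reports several hosts because it forwards their logs.

```python
import json
from collections import defaultdict

# Constructed sample documents (hypothetical, not real telemetry). Each line is one
# NDJSON event; Fleet's ingest pipeline sets event.agent_id_status when the agent's
# API key is checked against the agent.id it claims.
#  - aaaa-1111 reports two distinct hosts -> should alert
#  - bbbb-2222 reports one host          -> below cardinality, no alert
#  - cccc-3333 is a log forwarder (tags: forwarded) -> excluded by the KQL
#  - dddd-4444 is a pre-7.14 agent with no event.agent_id_status -> excluded
SAMPLE_NDJSON = """
{"@timestamp":"2025-01-15T10:00:01Z","agent":{"id":"aaaa-1111"},"host":{"id":"host-A"},"event":{"agent_id_status":"verified"},"tags":[]}
{"@timestamp":"2025-01-15T10:00:02Z","agent":{"id":"aaaa-1111"},"host":{"id":"host-A"},"event":{"agent_id_status":"verified"},"tags":[]}
{"@timestamp":"2025-01-15T10:00:03Z","agent":{"id":"aaaa-1111"},"host":{"id":"host-B"},"event":{"agent_id_status":"verified"},"tags":[]}
{"@timestamp":"2025-01-15T10:00:04Z","agent":{"id":"bbbb-2222"},"host":{"id":"host-C"},"event":{"agent_id_status":"verified"},"tags":[]}
{"@timestamp":"2025-01-15T10:00:05Z","agent":{"id":"cccc-3333"},"host":{"id":"host-D"},"event":{"agent_id_status":"verified"},"tags":["forwarded"]}
{"@timestamp":"2025-01-15T10:00:06Z","agent":{"id":"cccc-3333"},"host":{"id":"host-E"},"event":{"agent_id_status":"verified"},"tags":["forwarded"]}
{"@timestamp":"2025-01-15T10:00:07Z","agent":{"id":"dddd-4444"},"host":{"id":"host-F"}}
{"@timestamp":"2025-01-15T10:00:08Z","agent":{"id":"dddd-4444"},"host":{"id":"host-G"}}
"""


def get_path(doc, dotted):
    """Resolve a dotted ECS field name (e.g. 'host.id') against a nested document."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_query(doc):
    """Equivalent of the rule's KQL: event.agent_id_status:* and not tags:forwarded."""
    if get_path(doc, "event.agent_id_status") is None:
        return False  # field absent: agent predates 7.14 or event bypassed Fleet auth
    tags = get_path(doc, "tags") or []
    if isinstance(tags, str):
        tags = [tags]
    return "forwarded" not in tags


def evaluate_threshold(ndjson_text, threshold_value=2,
                       cardinality_field="host.id", cardinality_value=2):
    """Mirror [rule.threshold]: group matching docs by agent.id and alert when a
    group has >= threshold_value documents and >= cardinality_value distinct
    values of cardinality_field. Returns {agent_id: sorted host ids}."""
    docs_per_agent = defaultdict(int)
    hosts_per_agent = defaultdict(set)
    for line in ndjson_text.strip().splitlines():
        doc = json.loads(line)
        if not matches_query(doc):
            continue
        agent_id = get_path(doc, "agent.id")
        if agent_id is None:
            continue
        docs_per_agent[agent_id] += 1
        host_id = get_path(doc, cardinality_field)
        if host_id is not None:
            hosts_per_agent[agent_id].add(host_id)

    alerts = {}
    for agent_id, count in docs_per_agent.items():
        hosts = hosts_per_agent[agent_id]
        if count >= threshold_value and len(hosts) >= cardinality_value:
            alerts[agent_id] = sorted(hosts)
    return alerts


if __name__ == "__main__":
    # Only aaaa-1111 should appear: {"aaaa-1111": ["host-A", "host-B"]}
    print(json.dumps(evaluate_threshold(SAMPLE_NDJSON), indent=2))
```

The `forwarded` exclusion matters more than it looks: an agent that collects syslog or network-device logs on behalf of other machines legitimately emits many `host.id` values under a single `agent.id`, and without that clause every collector would trip the rule. Conversely, the missing-field case is why the rule's own `false_positives` note limits it to Elastic Agent 7.14+; lowering `cardinality_value` or dropping the `event.agent_id_status:*` clause to "see more" trades that guard away.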