-
Notifications
You must be signed in to change notification settings - Fork 505
/
defense_evasion_agent_spoofing_multiple_hosts.toml
56 lines (47 loc) · 1.41 KB
/
defense_evasion_agent_spoofing_multiple_hosts.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
[metadata]
creation_date = "2021/07/14"
maturity = "production"
updated_date = "2024/06/14"
[rule]
author = ["Elastic"]
description = """
Detects when multiple hosts are using the same agent ID. This could occur in the event of an agent being taken over and
used to inject illegitimate documents into an instance as an attempt to spoof events in order to masquerade actual
activity to evade detection.
"""
false_positives = [
"""
This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the
necessary field, resulting in false positives.
""",
]
from = "now-9m"
index = ["logs-*", "metrics-*", "traces-*"]
language = "kuery"
license = "Elastic License v2"
name = "Agent Spoofing - Multiple Hosts Using Same Agent"
risk_score = 73
rule_id = "493834ca-f861-414c-8602-150d5505b777"
severity = "high"
tags = ["Use Case: Threat Detection", "Tactic: Defense Evasion"]
timestamp_override = "event.ingested"
type = "threshold"
query = '''
event.agent_id_status:* and not tags:forwarded
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[rule.threshold]
field = ["agent.id"]
value = 2
[[rule.threshold.cardinality]]
field = "host.id"
value = 2