Elastic Security Detection Rules

Multi-Cloud CLI Token and Credential Access Commands

Last updated 4 days ago on 2026-04-29
Created 4 days ago on 2026-04-29

About

Correlates process telemetry for shells and major cloud/Kubernetes CLIs when command lines match token or credential material access patterns (GCP, Azure, AWS, GitHub, kubectl, DigitalOcean, OCI). Flags hosts where multiple cloud targets appear within a five-minute window.
Tags
Domain: EndpointDomain: CloudOS: WindowsOS: LinuxOS: macOSUse Case: Threat DetectionTactic: Credential AccessData Source: Elastic DefendData Source: Windows Security Event LogsData Source: SysmonLanguage: esql
Severity
high
Risk Score
73
MITRE ATT&CK™

Credential Access (TA0006)(external, opens in a new tab or window)

Steal Application Access Token (T1528)(external, opens in a new tab or window)

Unsecured Credentials (T1552)(external, opens in a new tab or window)

False Positive Examples
Automation, CI runners, and platform engineering scripts may legitimately print tokens or dump kubeconfig across providers in one session. Baseline approved identities and runner images before tuning thresholds.
License
Elastic License v2(external, opens in a new tab or window)

Definition

Integration Pack
Prebuilt Security Detection Rules
Related Integrations

endpoint(external, opens in a new tab or window)

windows(external, opens in a new tab or window)

system(external, opens in a new tab or window)

Query
text code block:
FROM logs-endpoint.events.process-*, logs-system.security-*, logs-windows.sysmon_operational-* METADATA _id, _index, _version
| WHERE event.category == "process" AND KQL(""" event.type : "start" and not event.action : "fork" """)
  AND process.command_line IS NOT NULL 
  AND (
    TO_LOWER(process.name) IN (
      "cmd.exe", "powershell.exe", "pwsh.exe", 
      "sh", "bash", "zsh", "dash", "fish", "ksh",
      "gcloud", "gcloud.cmd", "az", "az.cmd", "azd", "azd.exe",
      "gh", "gh.exe", "aws", "aws.exe",
      "kubectl", "kubectl.exe",
      "doctl", "doctl.exe",
      "oci", "oci.exe"
    ) OR
    TO_LOWER(process.parent.name) IN (
      "cmd.exe", "powershell.exe", "pwsh.exe",
      "sh", "bash", "zsh", "dash", "fish", "ksh", "bun", "bun.exe", 
      "node", "node.exe", "java", "java.exe"
    )
  )
  AND process.command_line RLIKE """.*(config-helper\s.*--format|auth\s+print-access-token|auth\s+print-identity-token|auth\s+application-default\s+print|get-access-token\s.*--output|Get-AzAccessToken|azd\s+auth\s+token|az\s+account\s+get-access-token|gh\s+auth\s+(token|status)|aws\s+sts\s+(get-session-token|get-caller-identity|assume-role)|aws\s+configure\s+(export-credentials|list)|kubectl\s+config\s+view\s.*--raw|kubectl\s+get\s+secret|doctl\s+auth\s+(list|init)|oci\s+session\s+authenticate|oci\s+iam\s.*token).*"""
| EVAL cloud_target = CASE(
    process.command_line RLIKE ".*(gcloud|config-helper|print-access-token|print-identity-token).*", "GCP",
    process.command_line RLIKE ".*(azd auth|az account|Get-AzAccessToken).*", "AZURE",
    process.command_line RLIKE ".*(aws sts|aws configure).*", "AWS",
    process.command_line RLIKE ".*(gh auth).*", "GITHUB",
    process.command_line RLIKE ".*(kubectl config|kubectl get secret).*", "KUBERNETES",
    process.command_line RLIKE ".*(doctl).*", "DIGITALOCEAN",
    process.command_line RLIKE ".*(oci session|oci iam).*", "ORACLE"
  )
| WHERE cloud_target IS NOT NULL // drop unclassified events before aggregation
| STATS
    Esql.cloud_targets = VALUES(cloud_target),
    Esql.unique_clouds = COUNT_DISTINCT(cloud_target),
    Esql.process_command_line_values = VALUES(process.command_line),
    Esql.process_parent_executable_values = VALUES(process.parent.executable),
    Esql.first_seen = MIN(@timestamp),
    Esql.last_seen = MAX(@timestamp),
    Esql.event_count = COUNT(*)
  BY host.name, host.id, user.name
| WHERE Esql.unique_clouds >= 2
| KEEP Esql.*, user.name, host.name, host.id

Install detection rules in Elastic Security

Detect Multi-Cloud CLI Token and Credential Access Commands in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).