Agent Spoofing - Multiple Hosts Using Same Agent

Last updated 21 days ago on 2025-01-15

Created 4 years ago on 2021-07-14

About

Detects when multiple hosts are using the same agent ID. This could occur in the event of an agent being taken over and used to inject illegitimate documents into an instance as an attempt to spoof events in order to masquerade actual activity to evade detection.

Tags

Use Case: Threat DetectionTactic: Defense EvasionLanguage: kuery

Severity

high

Risk Score

MITRE ATT&CK™

Defense Evasion (TA0005)(opens in a new tab or window)

↳ Masquerading (T1036)(opens in a new tab or window)

False Positive Examples

This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the necessary field, resulting in false positives.

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type: Threshold Rule
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: logs-*metrics-*traces-*
Related Integrations: (opens in a new tab or window)
Query

event.agent_id_status:* and not tags:forwarded

Install detection rules in Elastic Security

Detect Agent Spoofing - Multiple Hosts Using Same Agent in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).