Agent Spoofing - Multiple Hosts Using Same Agent

Last updated 15 days ago on 2025-12-10
Created 4 years ago on 2021-07-14

About

Detects when multiple hosts are using the same agent ID. This can occur when an agent has been taken over and is used to inject illegitimate documents into an instance, spoofing events to mask the actual activity and evade detection.
Tags
Use Case: Threat Detection
Tactic: Defense Evasion
Language: esql
Severity
high
Risk Score
73
MITRE ATT&CK™

Defense Evasion (TA0005)

False Positive Examples
This is meant to run only on data sources using Elastic Agent 7.14+, since earlier versions do not populate the field the query filters on (event.agent_id_status), which results in false positives.
License
Elastic License v2

Definition

Integration Pack
Prebuilt Security Detection Rules
Related Integrations

endpoint

Query
from logs-endpoint.* metadata _id
| where event.agent_id_status is not null and agent.id is not null
| stats Esql.count_distinct_host_ids = count_distinct(host.id), Esql.host_id_values = values(host.id), Esql.user_id_values_user_id = values(user.id) by agent.id
| where Esql.count_distinct_host_ids >= 2
| keep Esql.count_distinct_host_ids, Esql.host_id_values, Esql.user_id_values_user_id, agent.id
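The following is an added example, not code from Elastic or from the rule itself: it replays the query's grouping and threshold logic in Python over a handful of constructed endpoint documents, so an analyst can see which documents the rule would aggregate and why. The document shape (flattened `agent.id`, `host.id`, `user.id`, `event.agent_id_status` keys) and all sample values are constructed assumptions; the filtering mirrors the query's `where` clause, which is also what drops pre-7.14 documents that lack `event.agent_id_status` (the false-positive case noted above).

```python
"""Added example (not Elastic's code): replays the rule's ES|QL logic over
constructed endpoint documents so the grouping and threshold can be checked offline."""
from collections import defaultdict

# Constructed sample documents in the flattened shape the query reads.
SAMPLE_DOCS = [
    {"agent.id": "agent-A", "host.id": "host-1", "user.id": "1000", "event.agent_id_status": "verified"},
    {"agent.id": "agent-A", "host.id": "host-1", "user.id": "0",    "event.agent_id_status": "verified"},
    {"agent.id": "agent-B", "host.id": "host-2", "user.id": "1000", "event.agent_id_status": "verified"},
    # Same agent.id reported from a second host: the condition the rule flags.
    {"agent.id": "agent-B", "host.id": "host-9", "user.id": "1001", "event.agent_id_status": "mismatch"},
    # No event.agent_id_status (pre-7.14 document shape): filtered out, as the query's where clause does.
    {"agent.id": "agent-C", "host.id": "host-3", "user.id": "1000"},
    {"agent.id": "agent-C", "host.id": "host-4", "user.id": "1000"},
    # No agent.id: filtered out.
    {"host.id": "host-5", "user.id": "1000", "event.agent_id_status": "verified"},
]


def shared_agent_ids(docs, threshold=2):
    """Group documents by agent.id and return the groups whose distinct host.id
    count reaches the threshold (2 in the rule), with the same three aggregates
    the query keeps: distinct host count, host.id values and user.id values."""
    hosts = defaultdict(set)
    users = defaultdict(set)
    for d in docs:
        # Mirror: where event.agent_id_status is not null and agent.id is not null
        if d.get("event.agent_id_status") is None or d.get("agent.id") is None:
            continue
        agent = d["agent.id"]
        # count_distinct / values ignore null fields, so only add present values.
        if d.get("host.id") is not None:
            hosts[agent].add(d["host.id"])
        if d.get("user.id") is not None:
            users[agent].add(d["user.id"])
    return {
        agent: {
            "count_distinct_host_ids": len(h),
            "host_id_values": sorted(h),
            "user_id_values": sorted(users[agent]),
        }
        for agent, h in hosts.items()
        if len(h) >= threshold
    }


if __name__ == "__main__":
    for agent, row in shared_agent_ids(SAMPLE_DOCS).items():
        print(agent, row)
```

Only `agent-B` is returned: it is the single agent ID seen from two distinct hosts after the null filter is applied. `agent-C` also appears on two hosts but its documents lack `event.agent_id_status`, which is exactly why the rule is scoped to Elastic Agent 7.14+.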

Install detection rules in Elastic Security

Detect Agent Spoofing - Multiple Hosts Using Same Agent in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.