defense_evasion_agent_spoofing_multiple_hosts.toml
# Rule bookkeeping. Dates are kept as YYYY/MM/DD strings, not TOML datetimes.
[metadata]
creation_date = "2021/07/14"
maturity = "production"
updated_date = "2021/07/14"
# NOTE(review): the comment below cites 7.14 as the version that introduced
# the field, while the pin is 7.15.0 -- confirm the higher pin is deliberate.
min_stack_comments = "The field `event.agent_id_status` was not introduced until 7.14"
min_stack_version = "7.15.0"
[rule]
author = ["Elastic"]
description = """Detects when multiple hosts are using the same agent ID. This could occur in the event of an agent
being taken over and used to inject illegitimate documents into an instance as an attempt to spoof events in order to
masquerade actual activity to evade detection.
"""
false_positives = [
"""
This is meant to run only on datasources using agents v7.14+ since versions prior to that will be missing the
necessary field, resulting in false positives.
""",
]
# Start of the query window, relative to each run.
from = "now-9m"
# Broad coverage: any agent-shipped logs, metrics or traces data stream.
index = ["logs-*", "metrics-*", "traces-*"]
language = "kuery"
license = "Elastic License v2"
name = "Agent Spoofing - Multiple Hosts Using Same Agent"
risk_score = 73
rule_id = "493834ca-f861-414c-8602-150d5505b777"
severity = "high"
tags = ["Elastic", "Threat Detection", "Defense Evasion"]
# Presumably chosen so late-arriving documents still land inside the window
# -- confirm against the indexing pipeline.
timestamp_override = "event.ingested"
# Threshold rule: the query only selects candidate documents; the alerting
# condition is the aggregation in [rule.threshold].
type = "threshold"
# KQL existence test: matches every document that carries
# event.agent_id_status, whatever its value ("verified" included). The
# detection therefore rests on the agent.id / host.id cardinality, not on the
# status value itself.
query = '''
event.agent_id_status:*
'''
# ATT&CK mapping: one tactic, one technique (no sub-technique), written as
# inline tables so the whole mapping reads as a single record.
[[rule.threat]]
framework = "MITRE ATT&CK"
tactic = { id = "TA0005", name = "Defense Evasion", reference = "https://attack.mitre.org/tactics/TA0005/" }
technique = [
  { id = "T1036", name = "Masquerading", reference = "https://attack.mitre.org/techniques/T1036/" },
]
# Alert condition: the same agent.id observed on two or more distinct host.id
# values within the query window. The grouping threshold requires at least
# two matching documents per agent.id; the cardinality entry then requires
# those documents to span at least two hosts.
[rule.threshold]
field = ["agent.id"]
value = 2
cardinality = [
  { field = "host.id", value = 2 },
]