
[New Rule] Elastic Agent status not validated #3719

Open
peasead opened this issue May 29, 2024 · 4 comments

@peasead
Contributor

peasead commented May 29, 2024

Description

If you have local admin permissions on a machine, you can change the agent ID in the local agent configuration, restart the service, and the results will show up in Elasticsearch as the new agent ID.

This would allow an adversary to create a rogue host, where alerts would not be attributable to the right system. TAs would then have additional dwell time as responders looked for intrusions on the wrong system.

Required Info

Target indexes

logs-*

Additional requirements

Target Operating Systems

Windows, Linux, macOS

Tested ECS Version

8.10.0 <- telemetry

Optional Info

Query

FROM logs-*
// keep events whose agent ID status was recorded and is anything but "verified"
| WHERE event.agent_id_status IS NOT NULL AND event.agent_id_status != "verified"
// count the distinct agent IDs among those events
| STATS hosts = COUNT_DISTINCT(agent.id)
| WHERE hosts >= 1

New fields required in ECS/data sources for this rule?

NA

Related issues or PRs

References

Example Data

[image: screenshot of example data]

H/T @gabriellandau @joe-desimone

@peasead peasead added OS: Linux OS: macOS Rule: New Proposal for new rule OS: Windows windows related rules Domain: Endpoint esql ES|QL labels May 29, 2024
@peasead peasead self-assigned this May 29, 2024
@gabriellandau

cc @joe-desimone

@Aegrah
Contributor

Aegrah commented May 31, 2024

Looking at the current rule to detect this together with @DennisHaug, we noticed that the event.agent_id_status:agent_id_mismatch query does not match the attack during LS24, because the field value is changed to just mismatch. event.agent_id_status:mismatch does show these entries.

I will get a tuning in for that specific rule as a starter.

edit: #3729

@peasead
Contributor Author

peasead commented May 31, 2024

I think that rule might be best to be anything BUT verified?

There are several options.
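The following is an added example, not code from this issue or from the elastic/detection-rules project. It replays the issue's ES|QL logic in Python over constructed sample events so the two candidate filters discussed in this thread can be compared offline: an exact match on one status value (which, as noted above, misses entries whose value is just `mismatch`) versus "anything but verified". It assumes `event.agent_id_status` carries the values seen on this page (`verified`, `mismatch`, `agent_id_mismatch`); the value `missing`, the event with no status field, and all agent IDs are constructed sample data.

```python
# Added example (not from the elastic/detection-rules issue): replays the
# issue's ES|QL rule logic in Python over constructed sample events.
# Assumptions: event.agent_id_status values "verified", "mismatch" and
# "agent_id_mismatch" come from the page; "missing", the absent-field event
# and every agent ID below are constructed sample data.

VERIFIED = "verified"

# Constructed sample events; the real rule reads these from logs-* in Elasticsearch.
SAMPLE_EVENTS = [
    {"agent": {"id": "agent-001"}, "event": {"agent_id_status": "verified"}},
    {"agent": {"id": "agent-001"}, "event": {"agent_id_status": "verified"}},
    {"agent": {"id": "agent-002"}, "event": {"agent_id_status": "mismatch"}},
    {"agent": {"id": "agent-002"}, "event": {"agent_id_status": "mismatch"}},
    {"agent": {"id": "agent-003"}, "event": {"agent_id_status": "agent_id_mismatch"}},
    {"agent": {"id": "agent-004"}, "event": {"agent_id_status": "missing"}},
    {"agent": {"id": "agent-005"}, "event": {}},  # status field absent (IS NULL)
]


def agent_id_status(event):
    """Return event.agent_id_status, or None when the field is absent."""
    return event.get("event", {}).get("agent_id_status")


def exact_status_filter(events, value):
    """Events whose status equals one literal value (an exact-match style rule)."""
    return [e for e in events if agent_id_status(e) == value]


def not_verified_filter(events):
    """Events with a present status that is anything but 'verified' (the issue's WHERE)."""
    return [
        e for e in events
        if agent_id_status(e) is not None and agent_id_status(e) != VERIFIED
    ]


def distinct_agents(events):
    """Equivalent of STATS hosts = COUNT_DISTINCT(agent.id), returned as a sorted list."""
    return sorted({e["agent"]["id"] for e in events})


def unverified_agent_count(events):
    """Full rule: number of distinct agent IDs carrying an unverified status."""
    return len(distinct_agents(not_verified_filter(events)))


def rule_fires(events, threshold=1):
    """Final ES|QL stage: WHERE hosts >= threshold."""
    return unverified_agent_count(events) >= threshold


def status_breakdown(events):
    """Per-value counts of unverified statuses; useful when tuning for false positives."""
    counts = {}
    for e in events:
        status = agent_id_status(e)
        if status is not None and status != VERIFIED:
            counts[status] = counts.get(status, 0) + 1
    return counts


if __name__ == "__main__":
    # The exact-value filter sees only one agent; the broad filter sees all three.
    print("agent_id_mismatch only:", distinct_agents(exact_status_filter(SAMPLE_EVENTS, "agent_id_mismatch")))
    print("mismatch only:         ", distinct_agents(exact_status_filter(SAMPLE_EVENTS, "mismatch")))
    print("anything but verified: ", distinct_agents(not_verified_filter(SAMPLE_EVENTS)))
    print("status breakdown:      ", status_breakdown(SAMPLE_EVENTS))
    print("rule fires:            ", rule_fires(SAMPLE_EVENTS))
```

The `status_breakdown` helper is the piece a tuner would look at first: if one status value dominates the unverified count across a fleet, that value can be reviewed for benign causes before deciding whether the broad "anything but verified" filter is too noisy.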

@Aegrah
Contributor

Aegrah commented Jun 3, 2024

@peasead I did a recommendation in the PR to make the change. My concern is that we might end up FP'ing too much; but I don't have a good place to check. Will ask around to see what others think.
