[New Rule] Elastic Agent status not validated #3719
Labels: backlog, Domain: Endpoint, esql (ES|QL), OS: Linux, OS: macOS, OS: Windows (windows related rules), Rule: New (Proposal for new rule)
Description
If you have local admin permissions on a machine, you can change the agent ID in the local agent configuration, restart the service, and the results will show up in Elasticsearch as the new agent ID.
This would allow an adversary to create a rogue host, where alerts would not be attributable to the right system. TAs would then have additional dwell time as responders looked for intrusions on the wrong system.
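As an added illustration of the detection direction this proposal describes (it is not the rule's own query, which this issue does not include), the ES|QL below lists hosts whose events have arrived under more than one agent.id within the lookback window. Field names are standard ECS; the 7-day window, the logs-* pattern and the result limit are assumptions for the example.

```esql
// Added example: hosts whose events carry more than one Elastic Agent ID.
// A swapped agent ID in the local config shows up as a second agent.id
// reporting for the same host.id.
FROM logs-*
| WHERE @timestamp > NOW() - 7 days
    AND agent.id IS NOT NULL
    AND host.id IS NOT NULL
| STATS
    agent_ids   = COUNT_DISTINCT(agent.id),
    first_seen  = MIN(@timestamp),
    last_seen   = MAX(@timestamp),
    event_count = COUNT(*)
  BY host.id, host.name
| WHERE agent_ids > 1
| SORT last_seen DESC
| LIMIT 100
```

A legitimate reinstall or re-enrollment also yields a new agent.id for the same host, so results should be compared against Fleet enrollment records before alerting.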
Required Info
Target indexes
logs-*
Additional requirements
Target Operating Systems
Windows, Linux, macOS
Tested ECS Version
8.10.0 <- telemetry
Optional Info
Query
New fields required in ECS/data sources for this rule?
NA
Related issues or PRs
References
Example Data
H/T @gabriellandau @joe-desimone