LoFP

This is meant to run only on data sources using Elastic Agent 7.14+, since versions prior to that will be missing the necessary field, resulting in false positives.

Techniques

Sample rules

Agent Spoofing - Multiple Hosts Using Same Agent

Description

Detects when multiple hosts are using the same agent ID. This could occur if an agent has been taken over and used to inject illegitimate documents into an instance in an attempt to spoof events, masquerading actual activity to evade detection.

Detection logic

event.agent_id_status:* and not tags:forwarded

Agent Spoofing - Mismatched Agent ID

Description

Detects events whose agent ID does not match the expected one. The status “agent_id_mismatch/mismatch” occurs when the expected agent ID associated with the API key does not match the actual agent ID in an event. This could indicate attempts to spoof events in order to masquerade actual activity to evade detection.

Detection logic

event.agent_id_status:(agent_id_mismatch or mismatch)
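As an added illustration (not from the LoFP page or the Elastic rule set), the following Python evaluates both filters above over constructed sample documents. Grouping by agent.id to find agent IDs seen on more than one host is an assumption about how the first rule's "multiple hosts" condition is realised, and agent.id and host.name are assumed ECS field names.

```python
"""Added example: apply the two agent-spoofing filters to flattened ECS documents."""
from collections import defaultdict

# Constructed sample documents, flattened to dotted ECS field names.
SAMPLE_DOCS = [
    {"agent.id": "a1", "host.name": "web-01", "event.agent_id_status": "verified", "tags": []},
    # Same agent ID reported from a second host.
    {"agent.id": "a1", "host.name": "web-02", "event.agent_id_status": "verified", "tags": []},
    {"agent.id": "a2", "host.name": "db-01", "event.agent_id_status": "agent_id_mismatch", "tags": []},
    # Forwarded event: excluded by "not tags:forwarded".
    {"agent.id": "a3", "host.name": "fw-01", "event.agent_id_status": "verified", "tags": ["forwarded"]},
    # Document without the event.agent_id_status field at all.
    {"agent.id": "a4", "host.name": "legacy-01", "tags": []},
]


def matches_multi_host_filter(doc):
    """KQL: event.agent_id_status:* and not tags:forwarded (exists check + tag exclusion)."""
    return "event.agent_id_status" in doc and "forwarded" not in doc.get("tags", [])


def matches_mismatch_filter(doc):
    """KQL: event.agent_id_status:(agent_id_mismatch or mismatch)."""
    return doc.get("event.agent_id_status") in {"agent_id_mismatch", "mismatch"}


def agents_on_multiple_hosts(docs, min_hosts=2):
    """Apply the first filter, then group by agent.id (assumed field) and return the
    agent IDs whose matching documents come from at least `min_hosts` distinct hosts."""
    hosts_by_agent = defaultdict(set)
    for doc in docs:
        if matches_multi_host_filter(doc):
            hosts_by_agent[doc["agent.id"]].add(doc["host.name"])
    return {agent: sorted(hosts) for agent, hosts in hosts_by_agent.items() if len(hosts) >= min_hosts}


def mismatched_agent_docs(docs):
    """Documents that would trigger the Mismatched Agent ID rule."""
    return [doc for doc in docs if matches_mismatch_filter(doc)]


if __name__ == "__main__":
    print(agents_on_multiple_hosts(SAMPLE_DOCS))  # {'a1': ['web-01', 'web-02']}
    print([d["agent.id"] for d in mismatched_agent_docs(SAMPLE_DOCS)])  # ['a2']
```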