Back to Intelligence

Defending Against Threat Actors Using Elastic Cloud as a Stolen Data Hub

SA
Security Arsenal Team
April 1, 2026
6 min read

Defending Against Threat Actors Using Elastic Cloud as a Stolen Data Hub

Security researchers at Huntress have recently uncovered a concerning campaign where threat actors actively exploit security issues to compromise systems and subsequently use Elastic Cloud SIEM as a central repository to manage stolen data. This tactic highlights a shift in attacker behavior: leveraging legitimate, powerful security infrastructure to organize and parse exfiltrated information.

For defenders, this blurs the lines between legitimate administrative traffic and malicious data staging. Understanding this technique is vital for protecting your organization’s crown jewels.

Technical Analysis

While the initial entry point often involves exploiting unpatched vulnerabilities or security misconfigurations (the specific "security issue" referenced in the report), the unique aspect of this campaign is the post-exploitation activity.

Rather than simply downloading data to a command-and-control (C2) server, attackers are deploying agents or scripts—specifically designed to interact with Elastic Cloud (Elasticsearch)—to funnel stolen logs, credentials, and sensitive documents into a cloud environment they control.

The Attack Chain:

  1. Initial Compromise: Attackers exploit a vulnerability or security weakness to gain a foothold.
  2. Data Collection: Sensitive files and system logs are identified.
  3. Staging via Elastic: Attackers configure the victim machine to ship this data to an Elastic Cloud instance. This may involve installing legitimate Elastic agents (like Filebeat or Elastic Agent) or using scripts (PowerShell/curl) to POST data directly to Elastic Cloud endpoints.
  4. Management: The attackers use the Elastic SIEM interface to search, visualize, and manage the stolen data efficiently.

Why This Matters

Elastic Cloud is a trusted platform. Traffic to endpoints like *.elastic.co or *.es.elastic-cloud.com is often whitelisted by security teams. By blending in with legitimate SaaS traffic, attackers can bypass basic egress filtering and remain undetected for extended periods.

Defensive Monitoring

Detecting this activity requires looking for anomalies in how legitimate tools are used. While Elastic agents are common in enterprise environments, they should be predictable in their installation and configuration.

SIGMA Detection Rules

The following SIGMA rules can help detect unauthorized installation of Elastic agents or suspicious command-line arguments indicative of cloud configuration.

YAML
---
title: Suspicious Elastic Agent Installation via CLI
id: 8a4b2c1d-5e6f-4a3b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects the installation or execution of Elastic Agent or Filebeat using command line parameters, which may indicate a threat actor setting up data exfiltration.
references:
  - https://www.infosecurity-magazine.com/news/elastic-cloud-siem-manage-stolen/
author: Security Arsenal
date: 2025/03/29
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\cmd.exe'
    CommandLine|contains:
      - 'elastic-agent'
      - 'filebeat'
      - 'metricbeat'
      - '--cloud.id'
      - '--cloud.auth'
  condition: selection
falsepositives:
  - Legitimate administrative installation of Elastic stack by IT
level: medium
---
title: Unauthorized Elastic Cloud Configuration File Creation
id: b2c3d4e5-6f7a-4b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects the creation of Elastic Stack configuration files (e.g., filebeat.yml) in non-standard directories or by suspicious processes.
references:
  - https://www.infosecurity-magazine.com/news/elastic-cloud-siem-manage-stolen/
author: Security Arsenal
date: 2025/03/29
tags:
  - attack.defense_evasion
  - attack.t1564.001
logsource:
  category: file_event
  product: windows
detection:
  selection:
    TargetFilename|contains:
      - 'filebeat.yml'
      - 'elastic-agent.yml'
      - 'metricbeat.yml'
  filter:
    Image|contains:
      - '\ProgramData\Elastic\'
      - '\Program Files\Elastic\'
  condition: selection and not filter
falsepositives:
  - Legitimate updates by authorized Elastic installers
level: high
---
title: Suspicious Network Connection to Elastic Cloud
id: c3d4e5f6-7a8b-4c9d-0e1f-2a3b4c5d6e7f
status: experimental
description: Detects non-standard processes establishing network connections to known Elastic Cloud infrastructure endpoints.
references:
  - https://www.infosecurity-magazine.com/news/elastic-cloud-siem-manage-stolen/
author: Security Arsenal
date: 2025/03/29
tags:
  - attack.exfiltration
  - attack.t1567.002
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    DestinationHostname|contains:
      - '.elastic.co'
      - '.es.elastic-cloud.com'
    DestinationPort:
      - 443
      - 9200
      - 9243
  filter:
    Image|contains:
      - '\elastic-agent.exe'
      - '\filebeat.exe'
      - '\metricbeat.exe'
  condition: selection and not filter
falsepositives:
  - Custom scripts interacting with Elastic API
level: medium

KQL Queries for Microsoft Sentinel/Defender

Use these queries to hunt for signs of Elastic Cloud misuse within your environment.

KQL — Microsoft Sentinel / Defender
// Hunt for PowerShell processes invoking Elastic binaries or cloud configurations
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessVersionInfoOriginalFileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe")
| where ProcessCommandLine has_any ("elastic-agent", "filebeat", "--cloud.id", "--cloud.auth")
| project Timestamp, DeviceName, InitiatingProcessAccountName, ProcessCommandLine, FolderPath
| extend Tactic = "Execution"

// Hunt for network connections to Elastic Cloud from non-Elastic agents
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl contains "elastic.co" or RemoteUrl contains "elastic-cloud.com"
| where InitiatingProcessFileName !in~ ("elastic-agent.exe", "filebeat.exe", "metricbeat.exe", "winlogbeat.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemotePort

Velociraptor VQL Hunts

These VQL artifacts help endpoint investigators hunt for persistent Elastic agents or suspicious configurations.

VQL — Velociraptor
-- Hunt for Elastic Agent configurations pointing to Cloud IDs
SELECT FullPath, Mtime, Size, Data
FROM glob(globs='C:/ProgramData/Elastic/**/*')
WHERE Name =~ '.yml'
  AND Data =~ 'cloud\.id'

-- Hunt for active Elastic Agent processes
SELECT Pid, Name, Exe, Cmdline, Username, StartTime
FROM pslist()
WHERE Name =~ 'elastic' OR Name =~ 'filebeat' OR Name =~ 'metricbeat'
  AND Exe NOT LIKE '%\Program Files\Elastic%' AND Exe NOT LIKE '%\ProgramData\Elastic%'

PowerShell Verification Script

Run this script on critical endpoints to identify unauthorized Elastic installations.

PowerShell
# Check for unauthorized Elastic services or processes
Write-Host "Checking for Elastic processes..."
$suspiciousProcesses = Get-Process | Where-Object {
    $_.ProcessName -match 'elastic|filebeat|metricbeat' -and 
    $_.Path -notmatch 'Program Files\Elastic' -and 
    $_.Path -notmatch 'ProgramData\Elastic'
}

if ($suspiciousProcesses) {
    Write-Host "[ALERT] Suspicious Elastic processes found:" -ForegroundColor Red
    $suspiciousProcesses | Format-List Id, ProcessName, Path, StartTime
} else {
    Write-Host "No unauthorized Elastic processes detected." -ForegroundColor Green
}

# Check for config files in temp directories
Write-Host "Checking for config files in temp directories..."
Get-ChildItem -Path $env:TEMP -Recurse -Filter "*.yml" -ErrorAction SilentlyContinue | 
    Select-String -Pattern "cloud\.id|cloud\.auth" | 
    Select-Object Path, Line

Remediation Steps

If you suspect this activity or simply want to harden your environment against this technique:

  1. Vulnerability Management: The entry point for these attacks is often a known security flaw. Ensure all systems, particularly RMM tools or exposed services, are patched immediately.
  2. Asset Inventory: Maintain a strict inventory of authorized logging agents (Elastic, Splunk, etc.). Any agent found running outside of this inventory should be treated as malicious.
  3. Egress Filtering: While blocking Elastic Cloud entirely may impact legitimate business use, consider restricting direct internet access for endpoints. Force internal traffic through a centralized proxy where authentication and URL filtering can be applied.
  4. Least Privilege: Ensure that standard users do not have permissions to install new services or agents on endpoints.
  5. Cloud IAM Review: If you use Elastic Cloud, audit your deployment for any new API keys, users, or deployments that were not created by your authorized DevOps/SOC team.

By understanding that attackers are "borrowing" our best tools for their own malicious gain, Security Arsenal helps you stay one step ahead. If you need assistance hunting for these indicators, our Managed SOC team is ready to help.

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub

socmdrmanaged-socdetectiondata-exfiltrationelastic-cloudthreat-huntingsiem

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action