Introduction
In a concerning shift in tactics, threat actors are no longer just targeting security tools; they are weaponizing them. Recent research by Huntress has uncovered a campaign where attackers exploit standard security vulnerabilities to gain initial access, but rather than using traditional Command and Control (C2) servers, they utilize Elastic Cloud SIEM to manage and store stolen data.
For defenders, this highlights a critical blind spot. Because Elastic Cloud is a legitimate, high-reputation service used by thousands of enterprises for security operations, traffic destined for it often flies under the radar of egress filters. This post breaks down this threat and provides the detection queries and remediation steps needed to protect your organization.
Technical Analysis
The attack campaign identified by researchers involves a two-stage process:
- Initial Exploitation: Attackers exploit vulnerabilities in public-facing assets (such as unpatched web applications or misconfigured services) to gain a foothold on the target network.
- Data Exfiltration to Legitimate Infrastructure: Instead of setting up an obscure server to receive stolen data, the actors spin up instances or use trial accounts on Elastic Cloud. They configure the compromised victim's systems to send sensitive data directly to these Elastic endpoints.
The Risk: This technique effectively bypasses traditional "reputation-based" blocking. Since Elastic Cloud IPs are generally trusted, firewalls and proxies often allow this traffic unchecked. If the organization does not use Elastic Cloud itself, any traffic bound for it should be considered inherently suspicious; if it does, the malicious traffic blends in with legitimate administrative traffic.
Defensive Monitoring
To detect this type of abuse, Security Operations Centers (SOCs) must monitor for anomalous connections to cloud SIEM providers, particularly from workstations or servers that should not be generating this traffic.
Microsoft Sentinel / Defender KQL Queries
The following KQL queries can help identify potential data exfiltration to Elastic Cloud infrastructure. Adjust the lists based on your organization's sanctioned usage of Elastic Cloud.
1. Detect connections to Elastic Cloud from non-admin assets: This query looks for network connections to known Elastic Cloud domains from devices that are not part of your known security administration team.
DeviceNetworkEvents
| where RemoteUrl has_suffix ".elastic-cloud.com" // has_suffix is an operator, not a function; this also covers regional hosts such as *.aws.elastic-cloud.com
| join kind=leftouter (
    // DeviceCategory/DeviceType live in DeviceInfo, not DeviceNetworkEvents; take the latest record per device
    DeviceInfo
    | summarize arg_max(Timestamp, DeviceType) by DeviceId
    | project DeviceId, DeviceType
  ) on DeviceId
| where DeviceType != "Server" // Filter or adjust based on your environment
| summarize Connections = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by DeviceName, InitiatingProcessFileName, RemoteUrl
// DeviceNetworkEvents carries no byte counts; to apply a > 5 MB volume threshold, run the same
// domain filter against proxy or firewall logs that record SentBytes (e.g. CommonSecurityLog)
| order by Connections desc
2. Identify unusual processes connecting to Elastic Cloud: Legitimate Elastic agents typically have specific process names. Connections initiated by PowerShell or cmd.exe are highly suspicious.
DeviceNetworkEvents // already records the initiating process, so no join on DeviceId is needed (joining on DeviceId alone pairs every process with every connection on the device)
| where RemoteUrl has_suffix ".elastic-cloud.com" // 'contains "elastic"' would also match unrelated domains
| where InitiatingProcessFileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "curl.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP, RemotePort
Verification PowerShell Script
Use the following PowerShell script to audit your environment for unexpected Elastic Fleet agents or configurations that may have been planted by an attacker.
# Check for running Elastic Agent processes that are not in standard directories
Write-Host "Checking for Elastic Agent processes..."
$elasticProcesses = Get-Process -Name "elastic-agent" -ErrorAction SilentlyContinue
if ($elasticProcesses) {
    foreach ($proc in $elasticProcesses) {
        $path = $proc.Path
        if (-not $path) {
            # Path is empty when the process handle cannot be opened (e.g. access denied); inspect it manually
            Write-Host "WARNING: Could not resolve path for elastic-agent PID $($proc.Id)" -ForegroundColor Yellow
            continue
        }
        # Standard installation paths usually contain 'Elastic' or 'Program Files'
        # Deviations may indicate a portable malicious binary
        if (-not ($path -like "*Program Files*" -or $path -like "*Elastic*")) {
            Write-Host "WARNING: Unusual Elastic Agent path found: $path" -ForegroundColor Red
        } else {
            Write-Host "INFO: Standard agent found at $path" -ForegroundColor Green
        }
    }
} else {
    Write-Host "No Elastic Agent processes currently running."
}
Remediation
If you suspect or detect this type of activity, immediate action is required to stop data loss and evict the attacker.
- Block Unauthorized Egress: If your organization does not use Elastic Cloud, configure your firewalls and secure web gateways to block all traffic to *.elastic-cloud.com and associated IP ranges immediately.
- Implement Strict Allow-Listing: If you do use Elastic Cloud, do not rely on generic allow-rules. Identify the specific Elastic Cloud deployment IDs and IP addresses assigned to your tenant. Block all other Elastic Cloud IPs that are not part of your sanctioned infrastructure.
- Patch and Harden: Review the vulnerability used for initial access (often referenced in related threat intelligence reports regarding web application flaws). Ensure all public-facing systems are fully patched and employ Web Application Firewalls (WAF) to block exploitation attempts.
- Audit Cloud Accounts: Review your cloud service providers for any newly created trial accounts or unauthorized projects. Attackers often use free trials to create these "rogue" data hubs.
- Data Loss Prevention (DLP): Enable DLP policies that specifically monitor for uploads of sensitive files (PII, intellectual property) to non-corporate cloud storage and analytics platforms.
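The decision rule behind the KQL queries and the allow-listing remediation above (any Elastic Cloud traffic is suspect if the organization does not use Elastic Cloud; otherwise only traffic to the tenant's own endpoints from a real agent is expected) can be applied to proxy or firewall logs outside of Sentinel as well. The following Python script is an added example, not code from the original post or from Huntress; the log line format, device names, host names (including the `corp-siem` sanctioned endpoints and the `a1b2c3d4e5f6` deployment host) and byte counts are all constructed for the demonstration. It also shows why the domain match must respect label boundaries, so that a lookalike such as `elastic-cloud.com.attacker.example` is not treated as Elastic Cloud.

```python
"""Triage egress to Elastic Cloud against a sanctioned allow-list.

Added example, not code from the original post. The log line format, the host
names, the device names and the byte counts below are all constructed for the
demonstration; replace SANCTIONED_HOSTS with the endpoints of your own tenant.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

ELASTIC_CLOUD_DOMAIN = "elastic-cloud.com"
LARGE_TRANSFER_BYTES = 5_000_000  # same 5 MB threshold the post's first query flags

# Endpoints of the organization's own deployment (constructed placeholders).
SANCTIONED_HOSTS: Set[str] = {
    "corp-siem.es.us-east-1.aws.elastic-cloud.com",
    "corp-siem.kb.us-east-1.aws.elastic-cloud.com",
}

# A deployed Elastic Agent does not talk to its cluster through an interactive
# shell or a download tool (mirrors the second KQL query).
SUSPICIOUS_PROCESSES: Set[str] = {"powershell.exe", "pwsh.exe", "cmd.exe", "curl.exe"}


@dataclass(frozen=True)
class Connection:
    device: str
    process: str
    host: str
    bytes_sent: int


@dataclass(frozen=True)
class Finding:
    device: str
    process: str
    host: str
    reason: str


def is_subdomain_of(host: str, domain: str) -> bool:
    """Suffix match on a label boundary: 'notelastic-cloud.com' and
    'elastic-cloud.com.attacker.example' must not match."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def parse_line(line: str) -> Connection:
    """Parse one constructed log line: '<device> <process> <remote_host> <bytes_sent>'."""
    device, process, host, sent = line.split()
    return Connection(device, process.lower(), host.lower().rstrip("."), int(sent))


def assess(conn: Connection, sanctioned: Set[str], org_uses_elastic: bool) -> Optional[Finding]:
    """Apply the post's decision rule to a single connection."""
    if not is_subdomain_of(conn.host, ELASTIC_CLOUD_DOMAIN):
        return None  # not Elastic Cloud traffic; out of scope for this check
    if not org_uses_elastic:
        reason = "Elastic Cloud traffic from an organization that does not use Elastic Cloud"
    elif conn.host not in sanctioned:
        reason = "Elastic Cloud host outside the sanctioned tenant"
    elif conn.process in SUSPICIOUS_PROCESSES:
        reason = f"sanctioned host contacted by {conn.process} rather than an agent"
    else:
        return None
    return Finding(conn.device, conn.process, conn.host, reason)


def scan(lines: Iterable[str], sanctioned: Set[str], org_uses_elastic: bool = True) -> List[Finding]:
    """Run assess() over every non-empty log line and collect the findings."""
    findings: List[Finding] = []
    for line in lines:
        if not line.strip():
            continue
        finding = assess(parse_line(line), sanctioned, org_uses_elastic)
        if finding:
            findings.append(finding)
    return findings


def large_transfers(lines: Iterable[str], threshold: int = LARGE_TRANSFER_BYTES) -> Dict[Tuple[str, str], int]:
    """Total bytes sent per (device, host) to Elastic Cloud; keep only totals over the threshold."""
    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    for line in lines:
        if not line.strip():
            continue
        conn = parse_line(line)
        if is_subdomain_of(conn.host, ELASTIC_CLOUD_DOMAIN):
            totals[(conn.device, conn.host)] += conn.bytes_sent
    return {key: total for key, total in totals.items() if total > threshold}


# Constructed sample log: device, process, remote host, bytes sent.
SAMPLE_LOG = """
WS-0142  elastic-agent.exe  corp-siem.es.us-east-1.aws.elastic-cloud.com  20480
WS-0177  powershell.exe     a1b2c3d4e5f6.us-west-2.aws.elastic-cloud.com  4194304
WS-0177  powershell.exe     a1b2c3d4e5f6.us-west-2.aws.elastic-cloud.com  3145728
SRV-DB01 curl.exe           corp-siem.es.us-east-1.aws.elastic-cloud.com  524288
WS-0201  chrome.exe         elastic-cloud.com.attacker.example            1024
WS-0210  chrome.exe         notelastic-cloud.com                          2048
""".strip().splitlines()


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG, SANCTIONED_HOSTS):
        print(f"ALERT  {f.device} {f.process} -> {f.host}: {f.reason}")
    for (device, host), total in large_transfers(SAMPLE_LOG).items():
        print(f"VOLUME {device} -> {host}: {total} bytes sent")
```

On the constructed log the script raises three alerts (two PowerShell connections to a deployment outside the tenant and one curl.exe connection to a sanctioned host) and one volume finding for the workstation whose two uploads together exceed 5 MB; passing `org_uses_elastic=False` flags every Elastic Cloud connection instead, which is the "block all egress" posture from the first remediation item. The lookalike and `notelastic-cloud.com` lines produce nothing, because `is_subdomain_of` matches on label boundaries rather than with a bare substring test.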