Bypass Record

Tamper-Protection Bypass × Elastic Agent

A publicly-reported instance of the Tamper-Protection Bypass technique used against Elastic Agent, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Elastic Agent
Technique: Tamper-Protection Bypass
MITRE ATT&CK: T1562.001 (Impair Defenses: Disable or Modify Tools)
Confidence: High
Severity: High
Status: poc
Disclosed: 2024-02-29
Config / version noted: Yes

Provenance

Reported as

enrolling a new agent with the '--force' flag overwrites the existing agent without token validation

Mechanism

When Agent Tamper Protection is enabled, uninstalling the agent requires an uninstall token. Enrolling a new agent with the '--force' flag, however, overwrites the existing agent without that token ever being validated: the agent neither validates policy signatures nor checks with Endpoint before proceeding, so the forced enrollment goes through. This defeats the protection meant to prevent unauthorized agent replacement. The attacker still needs the local privileges required to run the enrollment on the host, which is exactly the position tamper protection is designed to withstand.

Detection & mitigation

Monitor Elastic Agent logs for enrollment events with the '--force' flag or unexpected agent re-enrollment from the same host. Mitigation: Apply the vendor patch that validates policy signatures and requires token verification before forced enrollment.
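The two detection ideas above (enrollments carrying '--force', and repeat enrollments from one host) applied to sample telemetry, as an added example that is not part of the cited source or of any Elastic product. It assumes ECS-style process events (host.name, @timestamp, process.name, process.args) such as an endpoint sensor emits on process start, that the subcommand is the first argument after the binary, and that both the 'enroll' and 'install' subcommands are worth matching; the event lines, host names, Fleet URL and window are constructed for the example.

```python
"""Flag forced and repeated Elastic Agent enrollments in ECS-style process events.

Added example, not code from the cited report or from Elastic. Field layout,
subcommand position and the sample events below are assumptions made for the
example; the Fleet URL and hosts are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (ndjson). A real feed would come from the SIEM.
SAMPLE_EVENTS = """\
{"@timestamp":"2024-03-01T10:00:00Z","host":{"name":"ws-01"},"process":{"name":"elastic-agent","args":["elastic-agent","status"]}}
{"@timestamp":"2024-03-01T10:05:00Z","host":{"name":"ws-01"},"process":{"name":"elastic-agent","args":["elastic-agent","enroll","--url=https://fleet.example.internal:8220","--enrollment-token=REDACTED","--force"]}}
{"@timestamp":"2024-03-01T10:07:00Z","host":{"name":"ws-02"},"process":{"name":"elastic-agent","args":["elastic-agent","install","--url=https://fleet.example.internal:8220","--enrollment-token=REDACTED"]}}
{"@timestamp":"2024-03-01T11:00:00Z","host":{"name":"ws-02"},"process":{"name":"elastic-agent","args":["elastic-agent","enroll","--url=https://fleet.example.internal:8220","--enrollment-token=REDACTED"]}}
{"@timestamp":"2024-03-01T11:30:00Z","host":{"name":"ws-03"},"process":{"name":"bash","args":["bash","-c","echo --force"]}}
"""

AGENT_BINARIES = {"elastic-agent", "elastic-agent.exe"}
ENROLL_SUBCOMMANDS = {"enroll", "install"}   # assumption: both paths enroll the agent
REENROLL_WINDOW = timedelta(hours=24)        # tuning knob, chosen for the example


def parse_events(ndjson):
    """Parse one JSON event per line; blank lines are ignored."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def is_agent_enrollment(event):
    """True when the process is elastic-agent running an enrolling subcommand."""
    proc = event.get("process", {})
    args = proc.get("args", [])
    return proc.get("name") in AGENT_BINARIES and len(args) > 1 and args[1] in ENROLL_SUBCOMMANDS


def is_forced(event):
    return "--force" in event.get("process", {}).get("args", [])


def find_forced_enrollments(events):
    """Rule 1: any agent enrollment carrying --force (the flag named in the report)."""
    return [e for e in events if is_agent_enrollment(e) and is_forced(e)]


def _ts(event):
    # Python 3.7+ fromisoformat does not accept a trailing 'Z' before 3.11.
    return datetime.fromisoformat(event["@timestamp"].replace("Z", "+00:00"))


def find_repeat_enrollments(events, window=REENROLL_WINDOW):
    """Rule 2: more than one enrollment from the same host within `window`.

    Returns (host, earlier, later) tuples for each consecutive pair inside the window.
    """
    by_host = defaultdict(list)
    for e in events:
        if is_agent_enrollment(e):
            by_host[e["host"]["name"]].append(_ts(e))
    hits = []
    for host, times in by_host.items():
        times.sort()
        for earlier, later in zip(times, times[1:]):
            if later - earlier <= window:
                hits.append((host, earlier, later))
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for e in find_forced_enrollments(evs):
        print("forced enrollment:", e["host"]["name"], e["@timestamp"])
    for host, a, b in find_repeat_enrollments(evs):
        print("repeat enrollment:", host, a.isoformat(), "->", b.isoformat())
```

Rule 1 is the one to alert on directly; rule 2 is noisy during legitimate fleet migrations, so it is better suited to a correlation or hunting query with the window tuned to the environment. In Kibana the first rule corresponds roughly to a KQL query of the form `process.name:"elastic-agent" and process.args:("enroll" or "install") and process.args:"--force"` (a sketch, not a rule taken from the source). The bash event in the sample is there to show that matching on the flag alone, without the process name, would false-positive.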

Tamper-Protection Bypass has also been recorded against

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.