Multi-Cloud CLI Token and Credential Access Commands
Correlates process telemetry for shells and major cloud/Kubernetes CLIs when command lines match token or credential material access patterns (GCP, Azure, AWS, GitHub, kubectl, DigitalOcean, OCI). Flags hosts where multiple cloud targets appear within a five-minute window.
Rule type: esql
Rule indices: None
Severity: high
Risk score: 73
Runs every: 5m
Searches indices from: now-6m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Endpoint
- Domain: Cloud
- OS: Windows
- OS: Linux
- OS: macOS
- Use Case: Threat Detection
- Tactic: Credential Access
- Data Source: Elastic Defend
- Data Source: Windows Security Event Logs
- Data Source: Sysmon
- Resources: Investigation Guide
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Investigation guide
Triage and analysis
Investigating Multi-Cloud CLI Token and Credential Access Commands
Each result row summarizes activity for one host, user, and five-minute time bucket. Review Esql.process_command_line_values for the
exact invocations and confirm whether the session was interactive, automated, or tied to a known pipeline.
Possible investigation steps
- Map Esql.cloud_targets and Esql.unique_clouds to the underlying process.command_line values and parent executables.
- Correlate with authentication, Kubernetes audit, and cloud API logs for misuse of printed tokens.
- Identify whether the parent chain indicates a remote shell, RMM, or scheduled task.
Response and remediation
- If unauthorized, isolate the host, invalidate any printed material at the identity provider, and hunt for lateral movement using the same time window as the alert.
GCP (gcloud / application-default credentials)
- Sign the user or build identity out of local gcloud sessions on the affected machine (example host session): `gcloud auth revoke --all`
- Remove leaked Application Default Credentials on that host (often used by client libraries): `gcloud auth application-default revoke`
- If a user OAuth refresh token or service account key was exposed, revoke or rotate it in Google Cloud Console (IAM and admin: delete compromised keys; for end users, revoke OAuth tokens under Security or Workspace admin tools as applicable).
Azure (az / azd)
- Clear cached CLI sessions on the host so new tokens are not silently reusable from disk: `az logout` followed by `az account clear`
- If `az account get-access-token`, `Get-AzAccessToken`, or `azd auth token` output was captured, treat the bearer as compromised: rotate the underlying secret (for example app registration client secret or federated credential), revoke sessions in Microsoft Entra ID where supported, and enforce re-authentication with Conditional Access.
GitHub (gh / PATs)
- Remove the GitHub CLI session from the affected profile: `gh auth logout`
- If a personal access token or fine-grained token was printed, revoke it under GitHub user or organization settings (Developer settings → Personal access tokens), and rotate any secrets or deploy keys that were readable with that token.
For all providers, prefer provider-console revocation and rotation when a token string left the trust boundary; local
logout/revoke alone does not invalidate tokens that were already copied off-host.
Rule query
FROM logs-endpoint.events.process-*, logs-system.security-*, logs-windows.sysmon_operational-* METADATA _id, _index, _version
| WHERE event.category == "process" AND KQL(""" event.type : "start" and not event.action : "fork" """)
AND process.command_line IS NOT NULL
AND (
TO_LOWER(process.name) IN (
"cmd.exe", "powershell.exe", "pwsh.exe",
"sh", "bash", "zsh", "dash", "fish", "ksh",
"gcloud", "gcloud.cmd", "az", "az.cmd", "azd", "azd.exe",
"gh", "gh.exe", "aws", "aws.exe",
"kubectl", "kubectl.exe",
"doctl", "doctl.exe",
"oci", "oci.exe"
) OR
TO_LOWER(process.parent.name) IN (
"cmd.exe", "powershell.exe", "pwsh.exe",
"sh", "bash", "zsh", "dash", "fish", "ksh", "bun", "bun.exe",
"node", "node.exe", "java", "java.exe"
)
)
AND process.command_line RLIKE """.*(config-helper\s.*--format|auth\s+print-access-token|auth\s+print-identity-token|auth\s+application-default\s+print|get-access-token\s.*--output|Get-AzAccessToken|azd\s+auth\s+token|az\s+account\s+get-access-token|gh\s+auth\s+(token|status)|aws\s+sts\s+(get-session-token|get-caller-identity|assume-role)|aws\s+configure\s+(export-credentials|list)|kubectl\s+config\s+view\s.*--raw|kubectl\s+get\s+secret|doctl\s+auth\s+(list|init)|oci\s+session\s+authenticate|oci\s+iam\s.*token).*"""
| EVAL cloud_target = CASE(
process.command_line RLIKE ".*(gcloud|config-helper|print-access-token|print-identity-token).*", "GCP",
process.command_line RLIKE ".*(azd auth|az account|Get-AzAccessToken).*", "AZURE",
process.command_line RLIKE ".*(aws sts|aws configure).*", "AWS",
process.command_line RLIKE ".*(gh auth).*", "GITHUB",
process.command_line RLIKE ".*(kubectl config|kubectl get secret).*", "KUBERNETES",
process.command_line RLIKE ".*(doctl).*", "DIGITALOCEAN",
process.command_line RLIKE ".*(oci session|oci iam).*", "ORACLE"
)
| WHERE cloud_target IS NOT NULL // drop unclassified events before aggregation
| STATS
Esql.cloud_targets = VALUES(cloud_target),
Esql.unique_clouds = COUNT_DISTINCT(cloud_target),
Esql.process_command_line_values = VALUES(process.command_line),
Esql.process_parent_executable_values = VALUES(process.parent.executable),
Esql.first_seen = MIN(@timestamp),
Esql.last_seen = MAX(@timestamp),
Esql.event_count = COUNT(*)
BY host.name, host.id, user.name
| WHERE Esql.unique_clouds >= 2
| KEEP Esql.*, user.name, host.name, host.id
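As an added example that is not part of the Elastic rule, the following Python re-implements the query's access-pattern filter, its ordered CASE classification, and the per-host/user aggregation so the logic can be exercised offline; the sample events, host names and user names are constructed.

```python
import re
from collections import defaultdict

# Same access-pattern regex as the rule's RLIKE filter (case-sensitive, like RLIKE).
ACCESS_PATTERN = re.compile(
    r"(config-helper\s.*--format|auth\s+print-access-token|auth\s+print-identity-token"
    r"|auth\s+application-default\s+print|get-access-token\s.*--output|Get-AzAccessToken"
    r"|azd\s+auth\s+token|az\s+account\s+get-access-token|gh\s+auth\s+(token|status)"
    r"|aws\s+sts\s+(get-session-token|get-caller-identity|assume-role)"
    r"|aws\s+configure\s+(export-credentials|list)|kubectl\s+config\s+view\s.*--raw"
    r"|kubectl\s+get\s+secret|doctl\s+auth\s+(list|init)|oci\s+session\s+authenticate"
    r"|oci\s+iam\s.*token)"
)

# Ordered like the rule's CASE(): the first matching branch wins.
CLOUD_TARGETS = [
    (re.compile(r"gcloud|config-helper|print-access-token|print-identity-token"), "GCP"),
    (re.compile(r"azd auth|az account|Get-AzAccessToken"), "AZURE"),
    (re.compile(r"aws sts|aws configure"), "AWS"),
    (re.compile(r"gh auth"), "GITHUB"),
    (re.compile(r"kubectl config|kubectl get secret"), "KUBERNETES"),
    (re.compile(r"doctl"), "DIGITALOCEAN"),
    (re.compile(r"oci session|oci iam"), "ORACLE"),
]

def classify(command_line):
    # Mirrors the rule: events that miss the access pattern or every CASE branch are dropped.
    if not ACCESS_PATTERN.search(command_line):
        return None
    for pattern, label in CLOUD_TARGETS:
        if pattern.search(command_line):
            return label
    return None

def multi_cloud_hosts(events, min_clouds=2):
    # Equivalent of STATS ... BY host, user followed by WHERE Esql.unique_clouds >= 2.
    buckets = defaultdict(lambda: {"targets": set(), "cmds": []})
    for ev in events:
        target = classify(ev["command_line"])
        if target is None:
            continue
        buckets[(ev["host"], ev["user"])]["targets"].add(target)
        buckets[(ev["host"], ev["user"])]["cmds"].append(ev["command_line"])
    return {k: v for k, v in buckets.items() if len(v["targets"]) >= min_clouds}

# Constructed sample events for one five-minute window (hosts and users are fictional).
SAMPLE_EVENTS = [
    {"host": "build-01", "user": "ci", "command_line": "gcloud auth print-access-token"},
    {"host": "build-01", "user": "ci", "command_line": "az account get-access-token --output json"},
    {"host": "dev-02", "user": "alice", "command_line": "kubectl get secret db-creds -o yaml"},
    {"host": "dev-02", "user": "alice", "command_line": "kubectl get pods"},
]
```

Only build-01/ci is reported: dev-02 touches a single cloud target, and `kubectl get pods` never passes the access-pattern filter.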
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Credential Access
  - ID: TA0006
  - Reference URL: https://attack.mitre.org/tactics/TA0006/
- Technique:
  - Name: Steal Application Access Token
  - ID: T1528
  - Reference URL: https://attack.mitre.org/techniques/T1528/
- Technique:
  - Name: Unsecured Credentials
  - ID: T1552
  - Reference URL: https://attack.mitre.org/techniques/T1552/
- Sub-technique:
  - Name: Credentials In Files
  - ID: T1552.001
  - Reference URL: https://attack.mitre.org/techniques/T1552/001/