← Back to Explore
elastichighTTP
Multi-Cloud CLI Token and Credential Access Commands
Correlates process telemetry for shells and major cloud/Kubernetes CLIs when command lines match token or credential material access patterns (GCP, Azure, AWS, GitHub, kubectl, DigitalOcean, OCI). Flags hosts where multiple cloud targets appear within a five-minute window.
Detection Query
FROM logs-endpoint.events.process-*, logs-system.security-*, logs-windows.sysmon_operational-* METADATA _id, _index, _version
| WHERE event.category == "process" AND KQL(""" event.type : "start" and not event.action : "fork" """)
AND process.command_line IS NOT NULL
AND (
TO_LOWER(process.name) IN (
"cmd.exe", "powershell.exe", "pwsh.exe",
"sh", "bash", "zsh", "dash", "fish", "ksh",
"gcloud", "gcloud.cmd", "az", "az.cmd", "azd", "azd.exe",
"gh", "gh.exe", "aws", "aws.exe",
"kubectl", "kubectl.exe",
"doctl", "doctl.exe",
"oci", "oci.exe"
) OR
TO_LOWER(process.parent.name) IN (
"cmd.exe", "powershell.exe", "pwsh.exe",
"sh", "bash", "zsh", "dash", "fish", "ksh", "bun", "bun.exe",
"node", "node.exe", "java", "java.exe"
)
)
AND process.command_line RLIKE """.*(config-helper\s.*--format|auth\s+print-access-token|auth\s+print-identity-token|auth\s+application-default\s+print|get-access-token\s.*--output|Get-AzAccessToken|azd\s+auth\s+token|az\s+account\s+get-access-token|gh\s+auth\s+(token|status)|aws\s+sts\s+(get-session-token|get-caller-identity|assume-role)|aws\s+configure\s+(export-credentials|list)|kubectl\s+config\s+view\s.*--raw|kubectl\s+get\s+secret|doctl\s+auth\s+(list|init)|oci\s+session\s+authenticate|oci\s+iam\s.*token).*"""
| EVAL cloud_target = CASE(
process.command_line RLIKE ".*(gcloud|config-helper|print-access-token|print-identity-token).*", "GCP",
process.command_line RLIKE ".*(azd auth|az account|Get-AzAccessToken).*", "AZURE",
process.command_line RLIKE ".*(aws sts|aws configure).*", "AWS",
process.command_line RLIKE ".*(gh auth).*", "GITHUB",
process.command_line RLIKE ".*(kubectl config|kubectl get secret).*", "KUBERNETES",
process.command_line RLIKE ".*(doctl).*", "DIGITALOCEAN",
process.command_line RLIKE ".*(oci session|oci iam).*", "ORACLE"
)
| WHERE cloud_target IS NOT NULL // drop unclassified events before aggregation
| STATS
Esql.cloud_targets = VALUES(cloud_target),
Esql.unique_clouds = COUNT_DISTINCT(cloud_target),
Esql.process_command_line_values = VALUES(process.command_line),
Esql.process_parent_executable_values = VALUES(process.parent.executable),
Esql.first_seen = MIN(@timestamp),
Esql.last_seen = MAX(@timestamp),
Esql.event_count = COUNT(*)
BY host.name, host.id, user.name
| WHERE Esql.unique_clouds >= 2
| KEEP Esql.*, user.name, host.name, host.id
Author
Elastic
Created
2026/04/29
Data Sources
Elastic DefendWindows Security Event LogsSysmon
Tags
Domain: EndpointDomain: CloudOS: WindowsOS: LinuxOS: macOSUse Case: Threat DetectionTactic: Credential AccessData Source: Elastic DefendData Source: Windows Security Event LogsData Source: SysmonResources: Investigation Guide
Raw Content
[metadata]
creation_date = "2026/04/29"
integration = ["endpoint", "windows", "system"]
maturity = "production"
updated_date = "2026/04/29"
[rule]
author = ["Elastic"]
description = """
Correlates process telemetry for shells and major cloud/Kubernetes CLIs when command lines match token or credential
material access patterns (GCP, Azure, AWS, GitHub, kubectl, DigitalOcean, OCI). Flags hosts where multiple cloud
targets appear within a five-minute window.
"""
false_positives = [
"""
Automation, CI runners, and platform engineering scripts may legitimately print tokens or dump kubeconfig across
providers in one session. Baseline approved identities and runner images before tuning thresholds.
""",
]
from = "now-6m"
language = "esql"
license = "Elastic License v2"
name = "Multi-Cloud CLI Token and Credential Access Commands"
note = """## Triage and analysis
### Investigating Multi-Cloud CLI Token and Credential Access Commands
Each result row summarizes activity for one host, user, and five-minute time bucket. Review `Esql.process_command_line_values` for the
exact invocations and confirm whether the session was interactive, automated, or tied to a known pipeline.
### Possible investigation steps
- Map `Esql.cloud_targets` and `Esql.unique_clouds` to the underlying `process.command_line` values and parent
executables.
- Correlate with authentication, Kubernetes audit, and cloud API logs for misuse of printed tokens.
- Identify whether the parent chain indicates a remote shell, RMM, or scheduled task.
### Response and remediation
- If unauthorized, isolate the host, invalidate any printed material at the identity provider, and hunt for lateral
movement using the same time window as the alert.
**GCP (gcloud / application-default credentials)**
- Sign the user or build identity out of local gcloud sessions on the affected machine (example host session):
`gcloud auth revoke --all`
- Remove leaked Application Default Credentials on that host (often used by client libraries):
`gcloud auth application-default revoke`
- If a user OAuth refresh token or service account key was exposed, revoke or rotate it in Google Cloud Console (IAM
and admin: delete compromised keys; for end users, revoke OAuth tokens under Security or Workspace admin tools as
applicable).
**Azure (`az` / `azd`)**
- Clear cached CLI sessions on the host so new tokens are not silently reusable from disk:
`az logout`
`az account clear`
- If `az account get-access-token`, `Get-AzAccessToken`, or `azd auth token` output was captured, treat the bearer as
compromised: rotate the underlying secret (for example app registration client secret or federated credential),
revoke sessions in Microsoft Entra ID where supported, and enforce re-authentication with Conditional Access.
**GitHub (`gh` / PATs)**
- Remove the GitHub CLI session from the affected profile:
`gh auth logout`
- If a personal access token or fine-grained token was printed, revoke it under GitHub user or organization settings
(Developer settings → Personal access tokens), and rotate any secrets or deploy keys that were readable with that
token.
For all providers, prefer provider-console revocation and rotation when a token string left the trust boundary; local
`logout`/`revoke` alone does not invalidate tokens that were already copied off-host.
"""
references = [
"https://attack.mitre.org/techniques/T1528/",
"https://attack.mitre.org/techniques/T1552/",
]
risk_score = 73
rule_id = "2b9a3b7a-0891-4a89-abbe-dca753c403cd"
severity = "high"
tags = [
"Domain: Endpoint",
"Domain: Cloud",
"OS: Windows",
"OS: Linux",
"OS: macOS",
"Use Case: Threat Detection",
"Tactic: Credential Access",
"Data Source: Elastic Defend",
"Data Source: Windows Security Event Logs",
"Data Source: Sysmon",
"Resources: Investigation Guide"
]
timestamp_override = "event.ingested"
type = "esql"
query = '''
FROM logs-endpoint.events.process-*, logs-system.security-*, logs-windows.sysmon_operational-* METADATA _id, _index, _version
| WHERE event.category == "process" AND KQL(""" event.type : "start" and not event.action : "fork" """)
AND process.command_line IS NOT NULL
AND (
TO_LOWER(process.name) IN (
"cmd.exe", "powershell.exe", "pwsh.exe",
"sh", "bash", "zsh", "dash", "fish", "ksh",
"gcloud", "gcloud.cmd", "az", "az.cmd", "azd", "azd.exe",
"gh", "gh.exe", "aws", "aws.exe",
"kubectl", "kubectl.exe",
"doctl", "doctl.exe",
"oci", "oci.exe"
) OR
TO_LOWER(process.parent.name) IN (
"cmd.exe", "powershell.exe", "pwsh.exe",
"sh", "bash", "zsh", "dash", "fish", "ksh", "bun", "bun.exe",
"node", "node.exe", "java", "java.exe"
)
)
AND process.command_line RLIKE """.*(config-helper\s.*--format|auth\s+print-access-token|auth\s+print-identity-token|auth\s+application-default\s+print|get-access-token\s.*--output|Get-AzAccessToken|azd\s+auth\s+token|az\s+account\s+get-access-token|gh\s+auth\s+(token|status)|aws\s+sts\s+(get-session-token|get-caller-identity|assume-role)|aws\s+configure\s+(export-credentials|list)|kubectl\s+config\s+view\s.*--raw|kubectl\s+get\s+secret|doctl\s+auth\s+(list|init)|oci\s+session\s+authenticate|oci\s+iam\s.*token).*"""
| EVAL cloud_target = CASE(
process.command_line RLIKE ".*(gcloud|config-helper|print-access-token|print-identity-token).*", "GCP",
process.command_line RLIKE ".*(azd auth|az account|Get-AzAccessToken).*", "AZURE",
process.command_line RLIKE ".*(aws sts|aws configure).*", "AWS",
process.command_line RLIKE ".*(gh auth).*", "GITHUB",
process.command_line RLIKE ".*(kubectl config|kubectl get secret).*", "KUBERNETES",
process.command_line RLIKE ".*(doctl).*", "DIGITALOCEAN",
process.command_line RLIKE ".*(oci session|oci iam).*", "ORACLE"
)
| WHERE cloud_target IS NOT NULL // drop unclassified events before aggregation
| STATS
Esql.cloud_targets = VALUES(cloud_target),
Esql.unique_clouds = COUNT_DISTINCT(cloud_target),
Esql.process_command_line_values = VALUES(process.command_line),
Esql.process_parent_executable_values = VALUES(process.parent.executable),
Esql.first_seen = MIN(@timestamp),
Esql.last_seen = MAX(@timestamp),
Esql.event_count = COUNT(*)
BY host.name, host.id, user.name
| WHERE Esql.unique_clouds >= 2
| KEEP Esql.*, user.name, host.name, host.id
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1528"
name = "Steal Application Access Token"
reference = "https://attack.mitre.org/techniques/T1528/"
[[rule.threat.technique]]
id = "T1552"
name = "Unsecured Credentials"
reference = "https://attack.mitre.org/techniques/T1552/"
[[rule.threat.technique.subtechnique]]
id = "T1552.001"
name = "Credentials In Files"
reference = "https://attack.mitre.org/techniques/T1552/001/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"