{ "_id": "b3387c29cd34f130f62f8cfcc759ec0aa093826ec12613d0bddfc9808fe744dd", "_index": ".siem-signals-default-000001", "_score": "1", "_type": "_doc", "@timestamp": "2021-03-10T12:20:04.712Z", "agent": { "build": { "original": "version: 7.12.0, compiled: Mon Mar 8 22:19:19 2021, branch: 7.12, commit: 70e9c264f036b26cc2aa332fd6fc3ed127f89809" }, "id": "33efd379-7ef9-ac6d-1272-3f59647fe46c", "type": "endpoint", "version": "7.12.0" }, "data_stream": { "dataset": "endpoint.alerts", "namespace": "default", "type": "logs" }, "ecs": { "version": "1.6.0" }, "elastic": { "agent": { "id": "18f08f50-8199-11eb-8942-27fb849407a9" } }, "Endpoint": { "policy": { "applied": { "artifacts": { "global": { "identifiers": "{\"sha256\":\"f2386a87f1e0dac3a24dbc103d3d910b8f0ebcd51f882e19629fbd9c1d7db25f\",\"name\":\"diagnostic-configuration-v1\"},{\"sha256\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"name\":\"diagnostic-endpointpe-v4-blocklist\"},{\"sha256\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"name\":\"diagnostic-endpointpe-v4-exceptionlist\"},{\"sha256\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"name\":\"diagnostic-endpointpe-v4-model\"},{\"sha256\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"name\":\"diagnostic-malware-signature-v1-windows\"},{\"sha256\":\"02220d33967cb830b1937cf718913130811a6a8f7ed5366712fbda3269de741b\",\"name\":\"diagnostic-ransomware-v1-windows\"},{\"sha256\":\"d841749a438cbc41ff384b26b1a74d09c75ac86b68125cced283577e14677374\",\"name\":\"endpointpe-v4-blocklist\"},{\"sha256\":\"d3a026d92ea5058e2f9e017b648f99c8bafafe2553e8420ffaf57c81042a3b41\",\"name\":\"endpointpe-v4-exceptionlist\"},{\"sha256\":\"f1f8623d9ee067476db009bbfb92a80934a0aec0162301c6b9b34686de44d425\",\"name\":\"endpointpe-v4-model\"},{\"sha256\":\"5a503dca0982335890efa91dea4ded796cb27c3d92b05c9ff366a716ddee882a\",\"name\":\"global-exceptionlist-windows\"},{\"sha256\":\"1dab542ec1d8772eb5384b620cd0a5b553eb80a1b5df818c1f0cd72082ea2b90\",\"name\":\"global-trustlist-windows-v1\"},{\"sha256\":\"8956dcb920fe792a73e68906a91d6cc36bf4abb17cb51df3124bbfbdbfa81a4e\",\"name\":\"production-ransomware-v1-windows\"}", "version": "1.0.44" }, "user": { "identifiers": "{\"sha256\":\"d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658\",\"name\":\"endpoint-exceptionlist-windows-v1\"},{\"sha256\":\"d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658\",\"name\":\"endpoint-trustlist-windows-v1\"}", "version": "1.0.2" } } } } }, "event": { "action": "execution", "category": "malware,intrusion_detection,process", "code": "malicious_file", "created": "2021-03-10T12:19:17.921Z", "dataset": "endpoint.alerts", "id": "M2WqYY1JRnILgLdt+++++4BT", "ingested": "2021-03-10T12:19:20.554Z", "kind": "signal", "module": "endpoint", "outcome": "success", "risk_score": "99", "sequence": "48730", "severity": "99", "type": "info,start,allowed" }, "file": { "accessed": "2021-03-10T12:19:10.808Z", "code_signature": { "exists": "false", "status": "noSignature", "subject_name": "", "trusted": "false" }, "created": "2021-02-06T13:07:02.148Z", "directory": "C:\\karan_qasouce\\Alerts_Files\\Malicious Malware\\another_one\\one\\five", "drive_letter": "C", "Ext": { "code_signature": "{\"trusted\":false,\"subject_name\":\"\",\"exists\":false,\"status\":\"noSignature\"}", "malware_classification": { "identifier": "endpointpe-v4-model", "score": "0.999999761581421", "threshold": "0.62", "version": "4.0.4000" }, "temp_file_path": "" }, "extension": "exe", "hash": { "md5": "8425d9cb947435285cce1b14ad04f4cd", "sha1": "233d7555806b1abfa0a3a57afe3e355ca06e64e3", "sha256": "80b16acf372c70365fd201059959f179c369de642fcfae8f4fe3dffcf703931f" }, "mtime": "2020-02-28T07:10:53.673Z", "name": "mimikatz.exe", "owner": "zeus", "path": "C:\\karan_qasouce\\Alerts_Files\\Malicious Malware\\another_one\\one\\five\\mimikatz.exe", "pe": { "company": "gentilkiwi (Benjamin DELPY)", "description": "mimikatz for Windows", "file_version": "2.1.0.0", "original_file_name": "mimikatz.exe", "product": "mimikatz" }, "size": "740352" }, "host": { "architecture": "x86_64", "hostname": "DESKTOP-QBBSCUT", "id": "4143c277-074e-47a9-b37d-37f94b508705", "ip": "10.0.6.26,127.0.0.1,::1", "mac": "00:50:56:b1:91:61", "name": "DESKTOP-QBBSCUT", "os": { "Ext": { "variant": "Windows 10 Pro" }, "family": "windows", "full": "Windows 10 Pro 1909 (10.0.18363.1379)", "kernel": "1909 (10.0.18363.1379)", "name": "Windows", "platform": "windows", "version": "1909 (10.0.18363.1379)" } }, "message": "Malware Detection Alert", "process": { "args": "mimikatz.exe", "args_count": "1", "command_line": "mimikatz.exe", "entity_id": "MzNlZmQzNzktN2VmOS1hYzZkLTEyNzItM2Y1OTY0N2ZlNDZjLTk3MTItMTMyNTk4NTIzNTYuMTU0Mzc5ODAw", "executable": "C:\\karan_qasouce\\Alerts_Files\\Malicious Malware\\another_one\\one\\five\\mimikatz.exe", "Ext": { "ancestry": "MzNlZmQzNzktN2VmOS1hYzZkLTEyNzItM2Y1OTY0N2ZlNDZjLTk0MjAtMTMyNTk4NTIyNjcuOTU5OTExMTAw,MzNlZmQzNzktN2VmOS1hYzZkLTEyNzItM2Y1OTY0N2ZlNDZjLTQ5NzItMTMyNTk4NTIyMzUuMzI2NjI2NDAw,MzNlZmQzNzktN2VmOS1hYzZkLTEyNzItM2Y1OTY0N2ZlNDZjLTIzNzItMTMyNTk3NDYwMjYuODEyMzQ1MzAw", "architecture": "x86", "code_signature": "{\"trusted\":false,\"subject_name\":\"\",\"exists\":false,\"status\":\"noSignature\"}", "token": { "domain": "DESKTOP-QBBSCUT", "elevation_type": "limited", "integrity_level_name": "medium", "sid": "S-1-5-21-4215045029-3277270250-148079304-1004", "user": "zeus" }, "user": "zeus" }, "hash": { "md5": "8425d9cb947435285cce1b14ad04f4cd", "sha1": "233d7555806b1abfa0a3a57afe3e355ca06e64e3", "sha256": "80b16acf372c70365fd201059959f179c369de642fcfae8f4fe3dffcf703931f" }, "name": "mimikatz.exe", "parent": { "args": "C:\\WINDOWS\\system32\\cmd.exe", "args_count": "1", "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\"", "entity_id": "MzNlZmQzNzktN2VmOS1hYzZkLTEyNzItM2Y1OTY0N2ZlNDZjLTk0MjAtMTMyNTk4NTIyNjcuOTU5OTExMTAw", "executable": "C:\\Windows\\System32\\cmd.exe", "Ext": { "architecture": "x86_64", "code_signature": "{\"trusted\":true,\"subject_name\":\"Microsoft Windows\",\"exists\":true,\"status\":\"trusted\"}", "user": "zeus" }, "hash": { "md5": "f58a3879a07f63bd0f74b022339555d4", "sha1": "3d7a84c1e63362d1213ccf9f25a869fe936c8156", "sha256": "f2c736c4b8a82858e06dffcb08b2d22d2d9d36a7ff92fae2812fc14d16234e10" }, "name": "cmd.exe", "pid": "9420", "ppid": "4972", "start": "1970-01-19T16:42:58.667Z", "uptime": "90" }, "pe": { "company": "gentilkiwi (Benjamin DELPY)", "description": "mimikatz for Windows", "file_version": "2.1.0.0", "original_file_name": "mimikatz.exe", "product": "mimikatz" }, "pid": "9712", "start": "1970-01-19T16:42:58.756Z", "uptime": "1" }, "rule": { "ruleset": "production" }, "signal": { "_meta": { "version": "25" }, "ancestors": "{\"id\":\"eQMTHHgBIQ9dVtPC4KK3\",\"type\":\"event\",\"index\":\".ds-logs-endpoint.alerts-default-2021.03.10-000001\",\"depth\":0}", "depth": "1", "original_event": { "action": "execution", "category": "malware,intrusion_detection,process", "code": "malicious_file", "created": "2021-03-10T12:19:17.921Z", "dataset": "endpoint.alerts", "id": "M2WqYY1JRnILgLdt+++++4BT", "ingested": "2021-03-10T12:19:20.554648700Z", "kind": "alert", "module": "endpoint", "outcome": "success", "risk_score": "99", "sequence": "48730", "severity": "99", "type": "info,start,allowed" }, "original_time": "2021-03-10T12:19:17.921Z", "parent": { "depth": "0", "id": "eQMTHHgBIQ9dVtPC4KK3", "index": ".ds-logs-endpoint.alerts-default-2021.03.10-000001", "type": "event" }, "parents": "{\"id\":\"eQMTHHgBIQ9dVtPC4KK3\",\"type\":\"event\",\"index\":\".ds-logs-endpoint.alerts-default-2021.03.10-000001\",\"depth\":0}", "rule": { "actions": "", "author": "Elastic", "created_at": "2021-03-10T12:14:47.536Z", "created_by": "elastic", "description": "Generates a detection alert each time an Elastic Endpoint Security alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts.", "enabled": "true", "exceptions_list": "{\"id\":\"endpoint_list\",\"list_id\":\"endpoint_list\",\"namespace_type\":\"agnostic\",\"type\":\"endpoint\"}", "false_positives": "", "from": "now-10m", "id": "342aa9d0-819a-11eb-8942-27fb849407a9", "immutable": "false", "index": "logs-endpoint.alerts-*", "interval": "5m", "language": "kuery", "license": "Elastic License v2", "max_signals": "10000", "meta": { "severityOverrideField": "event.severity" }, "name": "Malware Detection Alert", "output_index": ".siem-signals-default", "query": "event.kind:alert and event.module:(endpoint and not endgame)", "references": "", "risk_score": "99", "risk_score_mapping": "{\"field\":\"event.risk_score\",\"operator\":\"equals\",\"value\":\"\"}", "rule_id": "92ce3486-fd7e-499d-8ae0-155de3da46bd", "rule_name_override": "message", "severity": "critical", "severity_mapping": "{\"field\":\"event.severity\",\"operator\":\"equals\",\"severity\":\"low\",\"value\":\"21\"},{\"field\":\"event.severity\",\"operator\":\"equals\",\"severity\":\"medium\",\"value\":\"47\"},{\"field\":\"event.severity\",\"operator\":\"equals\",\"severity\":\"high\",\"value\":\"73\"},{\"field\":\"event.severity\",\"operator\":\"equals\",\"severity\":\"critical\",\"value\":\"99\"}", "tags": "Elastic,Endpoint Security", "threat": "", "timestamp_override": "event.ingested", "to": "now", "type": "query", "updated_at": "2021-03-10T12:15:01.792Z", "updated_by": "elastic", "version": "3" }, "status": "open" }, "user": { "domain": "DESKTOP-QBBSCUT", "name": "zeus" } }