{ "_id": "1727637399eeafca004e0ae13064538f81309d13ec4b455c2e65ac9fedb621cf", "_index": ".siem-signals-default-000001", "_score": "1", "_type": "_doc", "@timestamp": "2021-07-27T04:03:02.567Z", "agent": { "build": { "original": "version: 7.14.0, compiled: Tue Jul 20 23:52:50 2021, branch: 7.14, commit: 7fc2874ff5c80303ad97f3f41db38eb7ef842b2e" }, "id": "426bf4d4-45b6-4f57-ba61-34dee28b5af9", "type": "endpoint", "version": "7.14.0" }, "data_stream": { "dataset": "endpoint.alerts", "namespace": "default", "type": "logs" }, "ecs": { "version": "1.6.0" }, "elastic": { "agent": { "id": "426bf4d4-45b6-4f57-ba61-34dee28b5af9" } }, "Endpoint": { "policy": { "applied": { "artifacts": { "global": { "identifiers": "{\"sha256\":\"d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658\",\"name\":\"diagnostic-configuration-v1\"},{\"sha256\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"name\":\"diagnostic-endpointpe-v4-blocklist\"},{\"sha256\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"name\":\"diagnostic-endpointpe-v4-exceptionlist\"},{\"sha256\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"name\":\"diagnostic-endpointpe-v4-model\"},{\"sha256\":\"61513f0467e0dc9d949d988f9735e9ab5ada179ceae5e81055e809794547af55\",\"name\":\"diagnostic-malware-signature-v1-windows\"},{\"sha256\":\"2ee8d6a3d1dabb5d6fd5e9a389a56dd1d8e4b61a38d48cde9e9a6d22d3656d4b\",\"name\":\"diagnostic-ransomware-v1-windows\"},{\"sha256\":\"8c6930bc058d7a872c5270f668c7b8ec9b2c026705b1e8854eaed6a10f4abc16\",\"name\":\"diagnostic-rules-windows-v1\"},{\"sha256\":\"896ca37d891f15550506578c47e39568837f5cc6cd86655640b923fe386b8cd1\",\"name\":\"endpointpe-v4-blocklist\"},{\"sha256\":\"9a647218b22e72cd5f7eeecad621f3b5604a59551e6bc34947a600e04f1c43b9\",\"name\":\"endpointpe-v4-exceptionlist\"},{\"sha256\":\"f591b00a1162a79e0669b2006a95019bad91b537679ac6e3461ee06dd43b863e\",\"name\":\"endpointpe-v4-model\"},{\"sha256\":\"095ab8f1167892e316e6fc34ec21c9a4c63690dfdd962a2650b431ce849601e5\",\"name\":\"global-exceptionlist-windows\"},{\"sha256\":\"d9589e64b76fcd6f021424ca96f8160409566c50e7a395b2a4e22d7d532ac265\",\"name\":\"global-trustlist-windows-v1\"},{\"sha256\":\"43e6d50fb0d89b920b1618bdccdcc441e0272622baadfa5bba18207db26f3fd2\",\"name\":\"production-malware-signature-v1-windows\"},{\"sha256\":\"075f37f6e9081eaf75a387526f4c907ee3870fb11372278e429988306c59d385\",\"name\":\"production-ransomware-v1-windows\"}", "version": "1.0.124" }, "user": { "identifiers": "{\"sha256\":\"d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658\",\"name\":\"endpoint-eventfilterlist-windows-v1\"},{\"sha256\":\"d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658\",\"name\":\"endpoint-exceptionlist-windows-v1\"},{\"sha256\":\"d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658\",\"name\":\"endpoint-trustlist-windows-v1\"}", "version": "1.0.0" } } } } }, "event": { "action": "execution", "agent_id_status": "verified", "category": "malware,intrusion_detection,process", "code": "malicious_file", "created": "2021-07-27T04:02:57.419Z", "dataset": "endpoint.alerts", "id": "MDy2yXjtOfqsGi9n++++++8R", "ingested": "2021-07-27T04:03:01.045Z", "kind": "signal", "module": "endpoint", "outcome": "success", "risk_score": "73", "sequence": "2174", "severity": "73", "type": "info,start,denied" }, "file": { "accessed": "2021-07-26T17:50:00.317Z", "code_signature": { "exists": "false" }, "created": "2021-02-22T11:22:00.181Z", "directory": "C:\\Users\\zeus\\Desktop\\mimikatz", "drive_letter": "C", "Ext": { "code_signature": "{\"exists\":false}", "malware_classification": { "identifier": "endpointpe-v4-model", "score": "0.999996185302734", "threshold": "0.62", "version": "4.0.8000" }, "quarantine_message": "Failure to open file", "quarantine_path": "", "quarantine_result": "false", "temp_file_path": "" }, "extension": "exe", "hash": { "md5": "8425d9cb947435285cce1b14ad04f4cd", "sha1": "233d7555806b1abfa0a3a57afe3e355ca06e64e3", "sha256": "80b16acf372c70365fd201059959f179c369de642fcfae8f4fe3dffcf703931f" }, "mtime": "2019-11-18T09:29:42.215Z", "name": "mimikatz.exe", "owner": "zeus", "path": "C:\\Users\\zeus\\Desktop\\mimikatz\\mimikatz.exe", "pe": { "company": "gentilkiwi (Benjamin DELPY)", "description": "mimikatz for Windows", "file_version": "2.1.0.0", "original_file_name": "mimikatz.exe", "product": "mimikatz" }, "size": "740352" }, "host": { "architecture": "x86_64", "hostname": "deepikatest", "id": "4143c277-074e-47a9-b37d-37f94b508705", "ip": "10.0.6.178,127.0.0.1,::1", "mac": "00:50:56:b1:6d:a6", "name": "deepikatest", "os": { "Ext": { "variant": "Windows 10 Pro" }, "family": "windows", "full": "Windows 10 Pro 2009 (10.0.19042.1110)", "kernel": "2009 (10.0.19042.1110)", "name": "Windows", "platform": "windows", "version": "2009 (10.0.19042.1110)" } }, "message": "Malware Prevention Alert", "process": { "args": "C:\\Users\\zeus\\Desktop\\mimikatz\\mimikatz.exe", "args_count": "1", "command_line": "\"C:\\Users\\zeus\\Desktop\\mimikatz\\mimikatz.exe\" ", "entity_id": "NDI2YmY0ZDQtNDViNi00ZjU3LWJhNjEtMzRkZWUyOGI1YWY5LTExOTY4LTEzMjcxODMyMTc3Ljk3MzAzNjAw", "executable": "C:\\Users\\zeus\\Desktop\\mimikatz\\mimikatz.exe", "Ext": { "ancestry": "NDI2YmY0ZDQtNDViNi00ZjU3LWJhNjEtMzRkZWUyOGI1YWY5LTI3OTYtMTMyNzA3MTA5ODQuODg0ODE2MzAw", "architecture": "x86", "code_signature": "{\"exists\":false}", "protection": "", "token": { "domain": "DEEPIKATEST", "elevation": "false", "elevation_type": "limited", "integrity_level_name": "medium", "sid": "S-1-5-21-4215045029-3277270250-148079304-1004", "user": "zeus" }, "user": "zeus" }, "hash": { "md5": "8425d9cb947435285cce1b14ad04f4cd", "sha1": "233d7555806b1abfa0a3a57afe3e355ca06e64e3", "sha256": "80b16acf372c70365fd201059959f179c369de642fcfae8f4fe3dffcf703931f" }, "name": "mimikatz.exe", "parent": { "args": "C:\\WINDOWS\\Explorer.EXE", "args_count": "1", "command_line": "C:\\WINDOWS\\Explorer.EXE", "entity_id": "NDI2YmY0ZDQtNDViNi00ZjU3LWJhNjEtMzRkZWUyOGI1YWY5LTI3OTYtMTMyNzA3MTA5ODQuODg0ODE2MzAw", "executable": "C:\\Windows\\explorer.exe", "Ext": { "architecture": "x86_64", "code_signature": "{\"trusted\":true,\"subject_name\":\"Microsoft Windows\",\"exists\":true,\"status\":\"trusted\"}", "protection": "", "user": "zeus" }, "hash": { "md5": "fd5541611456e27d8bf3e90dda34dc4e", "sha1": "e8f207634e304790b099454338b819d302024d7b", "sha256": "e37f098b56b4a7b6c798cc7fa84cbb50d376eb938c58f31e60296ab545d82a10" }, "name": "explorer.exe", "pid": "2796", "ppid": "10328", "start": "1970-01-19T19:43:57.384Z", "uptime": "1121193" }, "pe": { "company": "gentilkiwi (Benjamin DELPY)", "description": "mimikatz for Windows", "file_version": "2.1.0.0", "original_file_name": "mimikatz.exe", "product": "mimikatz" }, "pid": "11968", "start": "1970-01-19T20:02:38.577Z", "uptime": "0" }, "rule": { "ruleset": "production" }, "signal": { "_meta": { "version": "45" }, "ancestors": "{\"id\":\"72oh5noBoSd9Vf3QUpld\",\"type\":\"event\",\"index\":\".ds-logs-endpoint.alerts-default-2021.07.27-000001\",\"depth\":0}", "depth": "1", "original_event": { "action": "execution", "agent_id_status": "verified", "category": "malware,intrusion_detection,process", "code": "malicious_file", "created": "2021-07-27T04:02:57.419Z", "dataset": "endpoint.alerts", "id": "MDy2yXjtOfqsGi9n++++++8R", "ingested": "2021-07-27T04:03:01.045686035Z", "kind": "alert", "module": "endpoint", "outcome": "success", "risk_score": "73", "sequence": "2174", "severity": "73", "type": "info,start,denied" }, "original_time": "2021-07-27T04:02:57.419Z", "parent": { "depth": "0", "id": "72oh5noBoSd9Vf3QUpld", "index": ".ds-logs-endpoint.alerts-default-2021.07.27-000001", "type": "event" }, "parents": "{\"id\":\"72oh5noBoSd9Vf3QUpld\",\"type\":\"event\",\"index\":\".ds-logs-endpoint.alerts-default-2021.07.27-000001\",\"depth\":0}", "rule": { "actions": "", "author": "Elastic", "created_at": "2021-07-27T04:02:32.138Z", "created_by": "396189040", "description": "Generates a detection alert each time an Elastic Endpoint Security alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts.", "enabled": "true", "exceptions_list": "{\"list_id\":\"endpoint_list\",\"namespace_type\":\"agnostic\",\"id\":\"endpoint_list\",\"type\":\"endpoint\"}", "false_positives": "", "filters": "", "from": "now-305s", "id": "77b8dcf0-ee8f-11eb-a2df-818a325433fa", "immutable": "false", "index": "logs-endpoint.alerts-*", "interval": "5s", "language": "kuery", "license": "Elastic License v2", "max_signals": "10000", "meta": { "from": "5m", "riskScoreOverridden": "true", "ruleNameOverridden": "true", "severityOverrideField": "event.severity" }, "name": "Malware Prevention Alert", "output_index": ".siem-signals-default", "query": "event.kind:alert and event.module:(endpoint and not endgame)\n", "references": "", "risk_score": "73", "risk_score_mapping": "{\"field\":\"event.risk_score\",\"value\":\"\",\"operator\":\"equals\"}", "rule_id": "d2fd05b0-0056-4770-b906-bbed245a75c3", "rule_name_override": "message", "severity": "high", "severity_mapping": "{\"severity\":\"low\",\"field\":\"event.severity\",\"value\":\"21\",\"operator\":\"equals\"},{\"severity\":\"medium\",\"field\":\"event.severity\",\"value\":\"47\",\"operator\":\"equals\"},{\"severity\":\"high\",\"field\":\"event.severity\",\"value\":\"73\",\"operator\":\"equals\"},{\"severity\":\"critical\",\"field\":\"event.severity\",\"value\":\"99\",\"operator\":\"equals\"}", "tags": "Elastic,Endpoint Security", "threat": "", "timestamp_override": "event.ingested", "to": "now", "type": "query", "updated_at": "2021-07-27T04:02:57.425Z", "updated_by": "396189040", "version": "4" }, "status": "open" }, "user": { "domain": "DEEPIKATEST", "name": "zeus" } }