{ "_id": "998f0bb9c3edabcdbda81fed40146d9fd2a496bc4c4b984dced9ec6fdb072613", "_index": ".siem-signals-default-000001", "_score": "1", "_type": "_doc", "@timestamp": "2021-07-27T04:06:38.965Z", "agent": { "build": { "original": "version: 7.14.0, compiled: Tue Jul 20 23:52:50 2021, branch: 7.14, commit: 7fc2874ff5c80303ad97f3f41db38eb7ef842b2e" }, "id": "426bf4d4-45b6-4f57-ba61-34dee28b5af9", "type": "endpoint", "version": "7.14.0" }, "data_stream": { "dataset": "endpoint.alerts", "namespace": "default", "type": "logs" }, "ecs": { "version": "1.6.0" }, "elastic": { "agent": { "id": "426bf4d4-45b6-4f57-ba61-34dee28b5af9" } }, "Endpoint": { "policy": { "applied": { "artifacts": { "global": { "identifiers": "{\"sha256\":\"72adef6ff20f5de3ea68f921a4a268b02220634b9d0a376dba965edd67f4865d\",\"name\":\"diagnostic-configuration-v1\"},{\"sha256\":\"ec4316b6c622f3c488ac93aa584055f93d99c2946f38583dfbde4cf8f120f30b\",\"name\":\"diagnostic-endpointpe-v4-blocklist\"},{\"sha256\":\"c4df1f2fcdda250b6d3fa384525e6f89a45411367ec055d08c107c0c547ecfbd\",\"name\":\"diagnostic-endpointpe-v4-exceptionlist\"},{\"sha256\":\"4247b4bb07aa2f6316dc426abbd80eb525a8f427681751e349db232bfef9429b\",\"name\":\"diagnostic-endpointpe-v4-model\"},{\"sha256\":\"8793b7846b44c596a142b746edc882aaff3a7016bb517fbc82d4e22e9e47f88d\",\"name\":\"diagnostic-malware-signature-v1-windows\"},{\"sha256\":\"2ee8d6a3d1dabb5d6fd5e9a389a56dd1d8e4b61a38d48cde9e9a6d22d3656d4b\",\"name\":\"diagnostic-ransomware-v1-windows\"},{\"sha256\":\"8c6930bc058d7a872c5270f668c7b8ec9b2c026705b1e8854eaed6a10f4abc16\",\"name\":\"diagnostic-rules-windows-v1\"},{\"sha256\":\"896ca37d891f15550506578c47e39568837f5cc6cd86655640b923fe386b8cd1\",\"name\":\"endpointpe-v4-blocklist\"},{\"sha256\":\"9a647218b22e72cd5f7eeecad621f3b5604a59551e6bc34947a600e04f1c43b9\",\"name\":\"endpointpe-v4-exceptionlist\"},{\"sha256\":\"f591b00a1162a79e0669b2006a95019bad91b537679ac6e3461ee06dd43b863e\",\"name\":\"endpointpe-v4-model\"},{\"sha256\":\"095ab8f1167892e316e6fc34ec21c9a4c63690dfdd962a2650b431ce849601e5\",\"name\":\"global-exceptionlist-windows\"},{\"sha256\":\"d9589e64b76fcd6f021424ca96f8160409566c50e7a395b2a4e22d7d532ac265\",\"name\":\"global-trustlist-windows-v1\"},{\"sha256\":\"43e6d50fb0d89b920b1618bdccdcc441e0272622baadfa5bba18207db26f3fd2\",\"name\":\"production-malware-signature-v1-windows\"},{\"sha256\":\"075f37f6e9081eaf75a387526f4c907ee3870fb11372278e429988306c59d385\",\"name\":\"production-ransomware-v1-windows\"}", "version": "1.0.129" }, "user": { "identifiers": "{\"sha256\":\"d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658\",\"name\":\"endpoint-eventfilterlist-windows-v1\"},{\"sha256\":\"d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658\",\"name\":\"endpoint-exceptionlist-windows-v1\"},{\"sha256\":\"d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658\",\"name\":\"endpoint-trustlist-windows-v1\"}", "version": "1.0.0" } } } } }, "event": { "action": "execution", "agent_id_status": "verified", "category": "malware,intrusion_detection,process", "code": "malicious_file", "created": "2021-07-27T04:06:34.388Z", "dataset": "endpoint.alerts", "id": "MDy2yXjtOfqsGi9n++++++L2", "ingested": "2021-07-27T04:06:36.451Z", "kind": "signal", "module": "endpoint", "outcome": "success", "risk_score": "99", "sequence": "4013", "severity": "99", "type": "info,start,allowed" }, "file": { "accessed": "2021-07-26T17:50:00.317Z", "code_signature": { "exists": "false" }, "created": "2021-02-22T11:22:00.181Z", "directory": "C:\\Users\\zeus\\Desktop\\mimikatz", "drive_letter": "C", "Ext": { "code_signature": "{\"exists\":false}", "malware_classification": { "identifier": "endpointpe-v4-model", "score": "0.999996185302734", "threshold": "0.62", "version": "4.0.8000" }, "temp_file_path": "" }, "extension": "exe", "hash": { "md5": "8425d9cb947435285cce1b14ad04f4cd", "sha1": "233d7555806b1abfa0a3a57afe3e355ca06e64e3", "sha256": "80b16acf372c70365fd201059959f179c369de642fcfae8f4fe3dffcf703931f" }, "mtime": "2019-11-18T09:29:42.215Z", "name": "mimikatz.exe", "owner": "zeus", "path": "C:\\Users\\zeus\\Desktop\\mimikatz\\mimikatz.exe", "pe": { "company": "gentilkiwi (Benjamin DELPY)", "description": "mimikatz for Windows", "file_version": "2.1.0.0", "original_file_name": "mimikatz.exe", "product": "mimikatz" }, "size": "740352" }, "host": { "architecture": "x86_64", "hostname": "deepikatest", "id": "4143c277-074e-47a9-b37d-37f94b508705", "ip": "10.0.6.178,127.0.0.1,::1", "mac": "00:50:56:b1:6d:a6", "name": "deepikatest", "os": { "Ext": { "variant": "Windows 10 Pro" }, "family": "windows", "full": "Windows 10 Pro 2009 (10.0.19042.1110)", "kernel": "2009 (10.0.19042.1110)", "name": "Windows", "platform": "windows", "version": "2009 (10.0.19042.1110)" } }, "message": "Malware Detection Alert", "process": { "args": "C:\\Users\\zeus\\Desktop\\mimikatz\\mimikatz.exe", "args_count": "1", "command_line": "\"C:\\Users\\zeus\\Desktop\\mimikatz\\mimikatz.exe\" ", "entity_id": "NDI2YmY0ZDQtNDViNi00ZjU3LWJhNjEtMzRkZWUyOGI1YWY5LTU1OTItMTMyNzE4MzIzOTQuMzU3OTkxNzAw", "executable": "C:\\Users\\zeus\\Desktop\\mimikatz\\mimikatz.exe", "Ext": { "ancestry": "NDI2YmY0ZDQtNDViNi00ZjU3LWJhNjEtMzRkZWUyOGI1YWY5LTI3OTYtMTMyNzA3MTA5ODQuODg0ODE2MzAw", "architecture": "x86", "code_signature": "{\"exists\":false}", "protection": "", "token": { "domain": "DEEPIKATEST", "elevation": "false", "elevation_type": "limited", "integrity_level_name": "medium", "sid": "S-1-5-21-4215045029-3277270250-148079304-1004", "user": "zeus" }, "user": "zeus" }, "hash": { "md5": "8425d9cb947435285cce1b14ad04f4cd", "sha1": "233d7555806b1abfa0a3a57afe3e355ca06e64e3", "sha256": "80b16acf372c70365fd201059959f179c369de642fcfae8f4fe3dffcf703931f" }, "name": "mimikatz.exe", "parent": { "args": "C:\\WINDOWS\\Explorer.EXE", "args_count": "1", "command_line": "C:\\WINDOWS\\Explorer.EXE", "entity_id": "NDI2YmY0ZDQtNDViNi00ZjU3LWJhNjEtMzRkZWUyOGI1YWY5LTI3OTYtMTMyNzA3MTA5ODQuODg0ODE2MzAw", "executable": "C:\\Windows\\explorer.exe", "Ext": { "architecture": "x86_64", "code_signature": "{\"trusted\":true,\"subject_name\":\"Microsoft Windows\",\"exists\":true,\"status\":\"trusted\"}", "protection": "", "user": "zeus" }, "hash": { "md5": "fd5541611456e27d8bf3e90dda34dc4e", "sha1": "e8f207634e304790b099454338b819d302024d7b", "sha256": "e37f098b56b4a7b6c798cc7fa84cbb50d376eb938c58f31e60296ab545d82a10" }, "name": "explorer.exe", "pid": "2796", "ppid": "10328", "start": "1970-01-19T19:43:57.384Z", "uptime": "1121410" }, "pe": { "company": "gentilkiwi (Benjamin DELPY)", "description": "mimikatz for Windows", "file_version": "2.1.0.0", "original_file_name": "mimikatz.exe", "product": "mimikatz" }, "pid": "5592", "start": "1970-01-19T20:02:38.794Z", "uptime": "0" }, "rule": { "ruleset": "production" }, "signal": { "_meta": { "version": "45" }, "ancestors": "{\"id\":\"ag8k5noBU80FQQGUmoaj\",\"type\":\"event\",\"index\":\".ds-logs-endpoint.alerts-default-2021.07.27-000001\",\"depth\":0}", "depth": "1", "original_event": { "action": "execution", "agent_id_status": "verified", "category": "malware,intrusion_detection,process", "code": "malicious_file", "created": "2021-07-27T04:06:34.388Z", "dataset": "endpoint.alerts", "id": "MDy2yXjtOfqsGi9n++++++L2", "ingested": "2021-07-27T04:06:36.451248783Z", "kind": "alert", "module": "endpoint", "outcome": "success", "risk_score": "99", "sequence": "4013", "severity": "99", "type": "info,start,allowed" }, "original_time": "2021-07-27T04:06:34.388Z", "parent": { "depth": "0", "id": "ag8k5noBU80FQQGUmoaj", "index": ".ds-logs-endpoint.alerts-default-2021.07.27-000001", "type": "event" }, "parents": "{\"id\":\"ag8k5noBU80FQQGUmoaj\",\"type\":\"event\",\"index\":\".ds-logs-endpoint.alerts-default-2021.07.27-000001\",\"depth\":0}", "rule": { "actions": "", "author": "Elastic", "created_at": "2021-07-27T04:02:32.138Z", "created_by": "396189040", "description": "Generates a detection alert each time an Elastic Endpoint Security alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts.", "enabled": "true", "exceptions_list": "{\"list_id\":\"endpoint_list\",\"namespace_type\":\"agnostic\",\"id\":\"endpoint_list\",\"type\":\"endpoint\"}", "false_positives": "", "filters": "", "from": "now-305s", "id": "77b8dcf0-ee8f-11eb-a2df-818a325433fa", "immutable": "false", "index": "logs-endpoint.alerts-*", "interval": "5s", "language": "kuery", "license": "Elastic License v2", "max_signals": "10000", "meta": { "from": "5m", "riskScoreOverridden": "true", "ruleNameOverridden": "true", "severityOverrideField": "event.severity" }, "name": "Malware Detection Alert", "output_index": ".siem-signals-default", "query": "event.kind:alert and event.module:(endpoint and not endgame)\n", "references": "", "risk_score": "99", "risk_score_mapping": "{\"field\":\"event.risk_score\",\"value\":\"\",\"operator\":\"equals\"}", "rule_id": "d2fd05b0-0056-4770-b906-bbed245a75c3", "rule_name_override": "message", "severity": "critical", "severity_mapping": "{\"severity\":\"low\",\"field\":\"event.severity\",\"value\":\"21\",\"operator\":\"equals\"},{\"severity\":\"medium\",\"field\":\"event.severity\",\"value\":\"47\",\"operator\":\"equals\"},{\"severity\":\"high\",\"field\":\"event.severity\",\"value\":\"73\",\"operator\":\"equals\"},{\"severity\":\"critical\",\"field\":\"event.severity\",\"value\":\"99\",\"operator\":\"equals\"}", "tags": "Elastic,Endpoint Security", "threat": "", "timestamp_override": "event.ingested", "to": "now", "type": "query", "updated_at": "2021-07-27T04:06:34.009Z", "updated_by": "396189040", "version": "4" }, "status": "open" }, "user": { "domain": "DEEPIKATEST", "name": "zeus" } }