{ "_index": ".internal.alerts-security.alerts-default-000001", "_id": "9ed5c4920e7d7e252ee7926e27ac9b5b03e2232225bd5e69a192ef6c07faa184", "_score": 1, "_source": { "kibana.version": "8.2.0-SNAPSHOT", "kibana.alert.rule.category": "Custom Query Rule", "kibana.alert.rule.consumer": "siem", "kibana.alert.rule.execution.uuid": "60b48e32-04b1-4e75-83be-a74ae95eb077", "kibana.alert.rule.name": "Malicious Behavior Detection Alert: Suspicious Bitsadmin Activity", "kibana.alert.rule.producer": "siem", "kibana.alert.rule.rule_type_id": "siem.queryRule", "kibana.alert.rule.uuid": "e74fd420-bb02-11ec-bed6-6b9d2b7a5fb5", "kibana.space_ids": [ "default" ], "kibana.alert.rule.tags": [ "Elastic", "Endpoint Security" ], "@timestamp": "2022-04-13T08:25:22.717Z", "agent": { "build": { "original": "version: 8.2.0-SNAPSHOT, compiled: Sun Apr 10 02:00:00 2022, branch: 8.2, commit: 7a1c4a4718c9b12103b36ee1fdd98375cc4618a3" }, "id": "dd2757a4-a564-415c-9712-eb58106d7314", "type": "endpoint", "version": "8.2.0-SNAPSHOT" }, "process": { "Ext": { "ancestry": [ "ZGQyNzU3YTQtYTU2NC00MTVjLTk3MTItZWI1ODEwNmQ3MzE0LTIyMzItMTMyOTQzMTE4ODIuMTUwNTU1MzAw", "ZGQyNzU3YTQtYTU2NC00MTVjLTk3MTItZWI1ODEwNmQ3MzE0LTc4NDAtMTMyOTQzMTE4NTEuNTI5MTQwMDA=", "ZGQyNzU3YTQtYTU2NC00MTVjLTk3MTItZWI1ODEwNmQ3MzE0LTQ0MDQtMTMyOTQzMDA1NzkuNzgxOTE0NDAw" ], "code_signature": [ { "trusted": true, "subject_name": "Microsoft Windows", "exists": true, "status": "trusted" } ], "authentication_id": "0x65d8c0", "token": { "integrity_level_name": "high", "security_attributes": [ "TSA://ProcUnique" ], "elevation_level": "full" } }, "args": [ "bitsadmin", "download", "abc.html" ], "parent": { "args": [ "eqnedt32.exe", "/c", "bitsadmin", "download", "abc.html" ], "name": "eqnedt32.exe", "pid": 2232, "args_count": 5, "entity_id": "ZGQyNzU3YTQtYTU2NC00MTVjLTk3MTItZWI1ODEwNmQ3MzE0LTIyMzItMTMyOTQzMTE4ODIuMTUwNTU1MzAw", "command_line": "eqnedt32.exe /c bitsadmin download abc.html", "executable": "C:\\Windows\\System32\\eqnedt32.exe" }, "code_signature": { "trusted": true, "subject_name": "Microsoft Windows", "exists": true, "status": "trusted" }, "pe": { "original_file_name": "bitsadmin.exe" }, "name": "bitsadmin.exe", "pid": 5188, "args_count": 3, "entity_id": "ZGQyNzU3YTQtYTU2NC00MTVjLTk3MTItZWI1ODEwNmQ3MzE0LTUxODgtMTMyOTQzMTE4ODIuMjI0ODQyNjAw", "command_line": "bitsadmin download abc.html", "executable": "C:\\Windows\\System32\\bitsadmin.exe", "hash": { "sha1": "3fd6eb9a72446f34f309adfaa6b8695eecd5b4b6", "sha256": "739b2dd012ea183895cc01116906f339c9aa1c0baabf6f22c8e59e25a0c12917", "md5": "01aab62d5799f75b0d69eb29c1ca6855" } }, "rule": { "reference": [ "https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-2" ], "name": "Suspicious Bitsadmin Activity", "ruleset": "production", "description": "Identifies downloads, transfers, or job creations using Windows Background Intelligent Transfer Service (BITS) Admin Tool. This tactic may be indicative of malicious activity where malware is downloading second stage payloads using obscure methods.", "id": "676ac66c-4899-498f-ae21-ed5620af5477", "version": "1.0.5" }, "message": "Malicious Behavior Detection Alert: Suspicious Bitsadmin Activity", "Endpoint": { "policy": { "applied": { "artifacts": { "global": { "identifiers": [ { "sha256": "e57a7d5638060e9655c64ac1d02f7949b87e5f5f27f2074329608db1e06d645b", "name": "diagnostic-configuration-v1" }, { "sha256": "c33693fcadb720d4d37706cd2ca77b28a8c59a424ab3f251b2b07ac7975eb2f4", "name": "diagnostic-endpointpe-v4-blocklist" }, { "sha256": "d47bfd600e3a8f79e290dfb0306e8abe7be11b75b36ba98132f46b8971f7f071", "name": "diagnostic-endpointpe-v4-exceptionlist" }, { "sha256": "8609faa372f8761bf199a03325f56577d2fd47630d6dba386b6eb33562aef6e3", "name": "diagnostic-endpointpe-v4-model" }, { "sha256": "52bc8b59292b5017bb091f97fa395881b127b07dec6182f91c4b84074ae6e7bc", "name": "diagnostic-malware-signature-v1-windows" }, { "sha256": "dcbaa744fc672d8db32010a1422aafa6e0cf86816d34b1d4df9f273f106be425", "name": "diagnostic-ransomware-v1-windows" }, { "sha256": "b680beed0f3ca83ae78802e972bf4bb12ecea2b1649a7aafd16e6fec8c9a0ede", "name": "diagnostic-rules-windows-v1" }, { "sha256": "1d591a12ce8ae215ebdcdabc81fc912cd51162e7a8e35bcdc1676bc3125cebbf", "name": "endpointpe-v4-blocklist" }, { "sha256": "8490cfcc8126e2f33aebe0d80a4a13d7ff548b9c2d55abd98125645ef020e2b2", "name": "endpointpe-v4-exceptionlist" }, { "sha256": "c05c025cce1c2b5808c180dc4986eb519c0affd30d7c27f67fdd14bde3224638", "name": "endpointpe-v4-model" }, { "sha256": "b98dc812e3cd9c9aa21462bb8b2bac86158d6d2d97ea4aac6731c069f6babb4d", "name": "global-configuration-v1" }, { "sha256": "7acbe147698a40c817775d471ea30c2fe4dfa7a9f54271e6dbc073131c5a3bcb", "name": "global-exceptionlist-windows" }, { "sha256": "dfb2b428357b756d9f5b593c02dce99b026c9e2afeb76cdb8e8c76c6db78290a", "name": "global-trustlist-windows-v1" }, { "sha256": "611a02c398c58ebe2f6d9d63621778de96263ef7fa885098ce62a22c411d67bc", "name": "production-malware-signature-v1-windows" }, { "sha256": "363cb9d7bbc013d9bc171a6a29fdfe486f1c987ef2c0cdfa3c283fc4c5a4a595", "name": "production-ransomware-v1-windows" }, { "sha256": "b07cf3beacd69e6922d344448a8c6d03e96ae6d5ec1e540415fe2f4804bcb631", "name": "production-rules-windows-v1" } ], "version": "1.0.264" }, "user": { "identifiers": [ { "sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "name": "endpoint-blocklist-windows-v1" }, { "sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "name": "endpoint-eventfilterlist-windows-v1" }, { "sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "name": "endpoint-exceptionlist-windows-v1" }, { "sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "name": "endpoint-hostisolationexceptionlist-windows-v1" }, { "sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "name": "endpoint-trustlist-windows-v1" } ], "version": "1.0.0" } } } } }, "ecs": { "version": "1.11.0" }, "Events": [ { "process": { "Ext": { "ancestry": [ "ZGQyNzU3YTQtYTU2NC00MTVjLTk3MTItZWI1ODEwNmQ3MzE0LTIyMzItMTMyOTQzMTE4ODIuMTUwNTU1MzAw", "ZGQyNzU3YTQtYTU2NC00MTVjLTk3MTItZWI1ODEwNmQ3MzE0LTc4NDAtMTMyOTQzMTE4NTEuNTI5MTQwMDA=", "ZGQyNzU3YTQtYTU2NC00MTVjLTk3MTItZWI1ODEwNmQ3MzE0LTQ0MDQtMTMyOTQzMDA1NzkuNzgxOTE0NDAw" ], "code_signature": [ { "trusted": true, "subject_name": "Microsoft Windows", "exists": true, "status": "trusted" } ], "authentication_id": "0x65d8c0", "token": { "integrity_level_name": "high", "security_attributes": [ "TSA://ProcUnique" ], "elevation_level": "full" } }, "args": [ "bitsadmin", "download", "abc.html" ], "parent": { "args": [ "eqnedt32.exe", "/c", "bitsadmin", "download", "abc.html" ], "name": "eqnedt32.exe", "pid": 2232, "args_count": 5, "entity_id": "ZGQyNzU3YTQtYTU2NC00MTVjLTk3MTItZWI1ODEwNmQ3MzE0LTIyMzItMTMyOTQzMTE4ODIuMTUwNTU1MzAw", "command_line": "eqnedt32.exe /c bitsadmin download abc.html", "executable": "C:\\Windows\\System32\\eqnedt32.exe" }, "code_signature": { "trusted": true, "subject_name": "Microsoft Windows", "exists": true, "status": "trusted" }, "pe": { "original_file_name": "bitsadmin.exe" }, "name": "bitsadmin.exe", "pid": 5188, "args_count": 3, "entity_id": "ZGQyNzU3YTQtYTU2NC00MTVjLTk3MTItZWI1ODEwNmQ3MzE0LTUxODgtMTMyOTQzMTE4ODIuMjI0ODQyNjAw", "command_line": "bitsadmin download abc.html", "executable": "C:\\Windows\\System32\\bitsadmin.exe", "hash": { "sha1": "3fd6eb9a72446f34f309adfaa6b8695eecd5b4b6", "sha256": "739b2dd012ea183895cc01116906f339c9aa1c0baabf6f22c8e59e25a0c12917", "md5": "01aab62d5799f75b0d69eb29c1ca6855" } }, "@timestamp": "2022-04-13T08:24:42.2248426Z", "_state": 0, "host": { "hostname": "DESKTOP-QBBSCUT", "os": { "Ext": { "variant": "Windows 10 Pro" }, "kernel": "21H2 (10.0.19044.1645)", "name": "Windows", "family": "windows", "type": "windows", "version": "21H2 (10.0.19044.1645)", "platform": "windows", "full": "Windows 10 Pro 21H2 (10.0.19044.1645)" }, "ip": [ "10.0.5.8", "127.0.0.1", "::1" ], "name": "DESKTOP-QBBSCUT", "id": "4143c277-074e-47a9-b37d-37f94b508705", "mac": [ "00:50:56:b1:43:d9" ], "architecture": "x86_64" }, "event": { "created": "2022-04-13T08:24:42.2248426Z", "kind": "event", "action": "start", "id": "MZNUKrVaIngrO+Qd+++++VLs", "category": [ "process" ], "type": [ "start" ] }, "message": "Endpoint process event", "user": { "domain": "DESKTOP-QBBSCUT", "name": "zeus", "id": "S-1-5-21-4215045029-3277270250-148079304-1004" }, "_label": "process_executed_to_download_payload" } ], "data_stream": { "namespace": "default", "type": "logs", "dataset": "endpoint.alerts" }, "elastic": { "agent": { "id": "dd2757a4-a564-415c-9712-eb58106d7314" } }, "host": { "hostname": "DESKTOP-QBBSCUT", "os": { "Ext": { "variant": "Windows 10 Pro" }, "kernel": "21H2 (10.0.19044.1645)", "name": "Windows", "family": "windows", "type": "windows", "version": "21H2 (10.0.19044.1645)", "platform": "windows", "full": "Windows 10 Pro 21H2 (10.0.19044.1645)" }, "ip": [ "10.0.5.8", "127.0.0.1", "::1" ], "name": "DESKTOP-QBBSCUT", "id": "4143c277-074e-47a9-b37d-37f94b508705", "mac": [ "00:50:56:b1:43:d9" ], "architecture": "x86_64" }, "threat": [ { "framework": "MITRE ATT&CK", "technique": [ { "reference": "https://attack.mitre.org/techniques/T1197/", "name": "BITS Jobs", "id": "T1197" } ], "tactic": { "reference": "https://attack.mitre.org/tactics/TA0005/", "name": "Defense Evasion", "id": "TA0005" } } ], "user": { "domain": "DESKTOP-QBBSCUT", "name": "zeus", "id": "S-1-5-21-4215045029-3277270250-148079304-1004" }, "event.severity": 99, "event.code": "behavior", "event.risk_score": 99, "event.created": "2022-04-13T08:24:43.0455038Z", "event.kind": "signal", "event.module": "endpoint", "event.type": [ "info", "allowed" ], "event.agent_id_status": "verified", "event.sequence": 28181, "event.ingested": "2022-04-13T08:25:15Z", "event.action": "rule_detection", "event.id": "MZNUKrVaIngrO+Qd+++++VMq", "event.category": [ "malware", "intrusion_detection" ], "event.dataset": "endpoint.alerts", "event.outcome": "success", "kibana.alert.original_time": "2022-04-13T08:24:43.045Z", "kibana.alert.ancestors": [ { "id": "VXUGIoABbHsL1SdA1_wV", "type": "event", "index": ".ds-logs-endpoint.alerts-default-2022.04.13-000001", "depth": 0 } ], "kibana.alert.status": "active", "kibana.alert.workflow_status": "open", "kibana.alert.depth": 1, "kibana.alert.reason": "malware, intrusion_detection event with process bitsadmin.exe, parent process eqnedt32.exe, by zeus on DESKTOP-QBBSCUT created critical alert Malicious Behavior Detection Alert: Suspicious Bitsadmin Activity.", "kibana.alert.severity": "critical", "kibana.alert.risk_score": 99, "kibana.alert.rule.parameters": { "description": "Generates a detection alert each time an Elastic Endpoint Security alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts.", "risk_score": 47, "severity": "medium", "license": "Elastic License v2", "meta": { "from": "5m" }, "rule_name_override": "message", "timestamp_override": "event.ingested", "author": [ "Elastic" ], "false_positives": [], "from": "now-305s", "rule_id": "ba8918c8-3d65-4fc0-a47a-0454c59db7a1", "max_signals": 10000, "risk_score_mapping": [ { "field": "event.risk_score", "value": "", "operator": "equals" } ], "severity_mapping": [ { "severity": "low", "field": "event.severity", "value": "21", "operator": "equals" }, { "severity": "medium", "field": "event.severity", "value": "47", "operator": "equals" }, { "severity": "high", "field": "event.severity", "value": "73", "operator": "equals" }, { "severity": "critical", "field": "event.severity", "value": "99", "operator": "equals" } ], "threat": [], "to": "now", "references": [], "version": 4, "exceptions_list": [ { "list_id": "endpoint_list", "namespace_type": "agnostic", "id": "endpoint_list", "type": "endpoint" } ], "immutable": false, "type": "query", "language": "kuery", "index": [ "logs-endpoint.alerts-*" ], "query": "event.kind:alert and event.module:(endpoint and not endgame)\n", "filters": [] }, "kibana.alert.rule.actions": [], "kibana.alert.rule.author": [ "Elastic" ], "kibana.alert.rule.created_at": "2022-04-13T08:22:48.680Z", "kibana.alert.rule.created_by": "mgulati", "kibana.alert.rule.description": "Generates a detection alert each time an Elastic Endpoint Security alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts.", "kibana.alert.rule.enabled": true, "kibana.alert.rule.exceptions_list": [ { "list_id": "endpoint_list", "namespace_type": "agnostic", "id": "endpoint_list", "type": "endpoint" } ], "kibana.alert.rule.false_positives": [], "kibana.alert.rule.from": "now-305s", "kibana.alert.rule.immutable": false, "kibana.alert.rule.interval": "5s", "kibana.alert.rule.license": "Elastic License v2", "kibana.alert.rule.max_signals": 10000, "kibana.alert.rule.references": [], "kibana.alert.rule.risk_score_mapping": [ { "field": "event.risk_score", "value": "", "operator": "equals" } ], "kibana.alert.rule.rule_id": "ba8918c8-3d65-4fc0-a47a-0454c59db7a1", "kibana.alert.rule.rule_name_override": "message", "kibana.alert.rule.severity_mapping": [ { "severity": "low", "field": "event.severity", "value": "21", "operator": "equals" }, { "severity": "medium", "field": "event.severity", "value": "47", "operator": "equals" }, { "severity": "high", "field": "event.severity", "value": "73", "operator": "equals" }, { "severity": "critical", "field": "event.severity", "value": "99", "operator": "equals" } ], "kibana.alert.rule.threat": [], "kibana.alert.rule.timestamp_override": "event.ingested", "kibana.alert.rule.to": "now", "kibana.alert.rule.type": "query", "kibana.alert.rule.updated_at": "2022-04-13T08:23:10.406Z", "kibana.alert.rule.updated_by": "mgulati", "kibana.alert.rule.version": 4, "kibana.alert.rule.meta.from": "5m", "kibana.alert.rule.risk_score": 47, "kibana.alert.rule.severity": "medium", "kibana.alert.original_event.severity": 99, "kibana.alert.original_event.code": "behavior", "kibana.alert.original_event.risk_score": 99, "kibana.alert.original_event.created": "2022-04-13T08:24:43.0455038Z", "kibana.alert.original_event.kind": "alert", "kibana.alert.original_event.module": "endpoint", "kibana.alert.original_event.type": [ "info", "allowed" ], "kibana.alert.original_event.agent_id_status": "verified", "kibana.alert.original_event.sequence": 28181, "kibana.alert.original_event.ingested": "2022-04-13T08:25:15Z", "kibana.alert.original_event.action": "rule_detection", "kibana.alert.original_event.id": "MZNUKrVaIngrO+Qd+++++VMq", "kibana.alert.original_event.category": [ "malware", "intrusion_detection" ], "kibana.alert.original_event.dataset": "endpoint.alerts", "kibana.alert.original_event.outcome": "success", "kibana.alert.uuid": "9ed5c4920e7d7e252ee7926e27ac9b5b03e2232225bd5e69a192ef6c07faa184" }, "fields": { "process.hash.md5": [ "01aab62d5799f75b0d69eb29c1ca6855" ], "kibana.alert.rule.updated_by": [ "mgulati" ], "kibana.alert.rule.rule_name_override": [ "message" ], "process.hash.sha256": [ "739b2dd012ea183895cc01116906f339c9aa1c0baabf6f22c8e59e25a0c12917" ], "host.hostname": [ "DESKTOP-QBBSCUT" ], "signal.original_event.created": [ "2022-04-13T08:24:43.045Z" ], "host.mac": [ "00:50:56:b1:43:d9" ], "elastic.agent.id": [ "dd2757a4-a564-415c-9712-eb58106d7314" ], "signal.rule.enabled": [ "true" ], "host.os.version": [ "21H2 (10.0.19044.1645)" ], "signal.rule.max_signals": [ 10000 ], "kibana.alert.risk_score": [ 99 ], "signal.rule.updated_at": [ "2022-04-13T08:23:10.406Z" ], "Events.process.args": [ "bitsadmin", "download", "abc.html" ], "kibana.alert.original_event.id": [ "MZNUKrVaIngrO+Qd+++++VMq" ], "event.severity": [ 99 ], "host.os.type": [ "windows" ], "signal.original_event.code": [ "behavior" ], "kibana.alert.original_event.module": [ "endpoint" ], "kibana.alert.rule.interval": [ "5s" ], "kibana.alert.rule.type": [ "query" ], "kibana.alert.rule.immutable": [ "false" ], "Events.process.parent.args_count": [ 5 ], "kibana.alert.rule.exceptions_list.list_id": [ "endpoint_list" ], "Events.process.hash.md5": [ "01aab62d5799f75b0d69eb29c1ca6855" ], "kibana.alert.rule.version": [ "4" ], "Events.process.code_signature.trusted": [ true ], "Events.process.Ext.token.security_attributes": [ "TSA://ProcUnique" ], "Events.process.parent.executable": [ "C:\\Windows\\System32\\eqnedt32.exe" ], "Events.host.mac": [ "00:50:56:b1:43:d9" ], "signal.original_event.outcome": [ "success" ], "threat.framework": [ "MITRE ATT&CK" ], "process.entity_id": [ "ZGQyNzU3YTQtYTU2NC00MTVjLTk3MTItZWI1ODEwNmQ3MzE0LTUxODgtMTMyOTQzMTE4ODIuMjI0ODQyNjAw" ], "host.ip": [ "10.0.5.8", "127.0.0.1", "::1" ], "process.pe.original_file_name": [ "bitsadmin.exe" ], "agent.type": [ "endpoint" ], "signal.original_event.category": [ "malware", "intrusion_detection" ], "Events.user.id": [ "S-1-5-21-4215045029-3277270250-148079304-1004" ], "Events.process.command_line": [ "bitsadmin download abc.html" ], "host.id": [ "4143c277-074e-47a9-b37d-37f94b508705" ], "process.Ext.code_signature.subject_name": [ "Microsoft Windows" ], "Events.@timestamp": [ "2022-04-13T08:24:42.2248426Z" ], "Events.user.name": [ "zeus" ], "host.os.Ext.variant": [ "Windows 10 Pro" ], "Events.event.action": [ "start" ], "signal.rule.updated_by": [ "mgulati" ], "host.os.platform": [ "windows" ], "kibana.alert.rule.severity": [ "medium" ], "Events.process.Ext.ancestry": [ "ZGQyNzU3YTQtYTU2NC00MTVjLTk3MTItZWI1ODEwNmQ3MzE0LTIyMzItMTMyOTQzMTE4ODIuMTUwNTU1MzAw", "ZGQyNzU3YTQtYTU2NC00MTVjLTk3MTItZWI1ODEwNmQ3MzE0LTc4NDAtMTMyOTQzMTE4NTEuNTI5MTQwMDA=", "ZGQyNzU3YTQtYTU2NC00MTVjLTk3MTItZWI1ODEwNmQ3MzE0LTQ0MDQtMTMyOTQzMDA1NzkuNzgxOTE0NDAw" ], "Endpoint.policy.applied.artifacts.user.identifiers.sha256": [ "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658" ], "Events.process.Ext.token.integrity_level_name": [ "high" ], "kibana.version": [ "8.2.0-SNAPSHOT" ], "event.id": [ "MZNUKrVaIngrO+Qd+++++VMq" ], "signal.ancestors.type": [ "event" ], "kibana.alert.ancestors.id": [ "VXUGIoABbHsL1SdA1_wV" ], "Events.process.hash.sha1": [ "3fd6eb9a72446f34f309adfaa6b8695eecd5b4b6" ], "host.os.full": [ "Windows 10 Pro 21H2 (10.0.19044.1645)" ], "kibana.alert.original_event.code": [ "behavior" ], "Endpoint.policy.applied.artifacts.global.identifiers.name": [ "diagnostic-configuration-v1", "diagnostic-endpointpe-v4-blocklist", "diagnostic-endpointpe-v4-exceptionlist", "diagnostic-endpointpe-v4-model", "diagnostic-malware-signature-v1-windows", "diagnostic-ransomware-v1-windows", "diagnostic-rules-windows-v1", "endpointpe-v4-blocklist", "endpointpe-v4-exceptionlist", "endpointpe-v4-model", "global-configuration-v1", "global-exceptionlist-windows", "global-trustlist-windows-v1", "production-malware-signature-v1-windows", "production-ransomware-v1-windows", "production-rules-windows-v1" ], "kibana.alert.rule.description": [ "Generates a detection alert each time an Elastic Endpoint Security alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts." ], "kibana.alert.rule.producer": [ "siem" ], "kibana.alert.rule.to": [ "now" ], "Endpoint.policy.applied.artifacts.user.version": [ "1.0.0" ], "kibana.alert.original_event.ingested": [ "2022-04-13T08:25:15.000Z" ], "signal.rule.id": [ "e74fd420-bb02-11ec-bed6-6b9d2b7a5fb5" ], "rule.ruleset": [ "production" ], "signal.rule.risk_score": [ 99 ], "signal.reason": [ "malware, intrusion_detection event with process bitsadmin.exe, parent process eqnedt32.exe, by zeus on DESKTOP-QBBSCUT created critical alert Malicious Behavior Detection Alert: Suspicious Bitsadmin Activity." ], "host.os.name": [ "Windows" ], "signal.status": [ "open" ], "Events.host.os.full": [ "Windows 10 Pro 21H2 (10.0.19044.1645)" ], "kibana.alert.rule.severity_mapping.value": [ "21", "47", "73", "99" ], "signal.rule.tags": [ "Elastic", "Endpoint Security" ], "rule.name": [ "Suspicious Bitsadmin Activity" ], "kibana.alert.rule.uuid": [ "e74fd420-bb02-11ec-bed6-6b9d2b7a5fb5" ], "Events.process.executable": [ "C:\\Windows\\System32\\bitsadmin.exe" ], "kibana.alert.original_event.category": [ "malware", "intrusion_detection" ], "signal.original_event.risk_score": [ 99 ], "Events.host.os.name": [ "Windows" ], "rule.description": [ "Identifies downloads, transfers, or job creations using Windows Background Intelligent Transfer Service (BITS) Admin Tool. This tactic may be indicative of malicious activity where malware is downloading second stage payloads using obscure methods." ], "threat.technique.id": [ "T1197" ], "Events.process.args_count": [ 3 ], "Events.process.name": [ "bitsadmin.exe" ], "process.name": [ "bitsadmin.exe" ], "Events.process.Ext.code_signature.status": [ "trusted" ], "Events.process.code_signature.status": [ "trusted" ], "kibana.alert.ancestors.index": [ ".ds-logs-endpoint.alerts-default-2022.04.13-000001" ], "process.Ext.code_signature.trusted": [ true ], "signal.original_event.severity": [ 99 ], "agent.version": [ "8.2.0-SNAPSHOT" ], "kibana.alert.rule.risk_score_mapping.operator": [ "equals" ], "host.os.family": [ "windows" ], "kibana.alert.rule.from": [ "now-305s" ], "kibana.alert.rule.parameters": [ { "severity_mapping": [ { "severity": "low", "field": "event.severity", "value": "21", "operator": "equals" }, { "severity": "medium", "field": "event.severity", "value": "47", "operator": "equals" }, { "severity": "high", "field": "event.severity", "value": "73", "operator": "equals" }, { "severity": "critical", "field": "event.severity", "value": "99", "operator": "equals" } ], "references": [], "description": "Generates a detection alert each time an Elastic Endpoint Security alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts.", "language": "kuery", "type": "query", "rule_name_override": "message", "exceptions_list": [ { "namespace_type": "agnostic", "id": "endpoint_list", "list_id": "endpoint_list", "type": "endpoint" } ], "timestamp_override": "event.ingested", "from": "now-305s", "severity": "medium", "max_signals": 10000, "risk_score": 47, "risk_score_mapping": [ { "field": "event.risk_score", "value": "", "operator": "equals" } ], "author": [ "Elastic" ], "query": "event.kind:alert and event.module:(endpoint and not endgame)\n", "index": [ "logs-endpoint.alerts-*" ], "filters": [], "version": 4, "rule_id": "ba8918c8-3d65-4fc0-a47a-0454c59db7a1", "license": "Elastic License v2", "immutable": false, "meta": { "from": "5m" }, "false_positives": [], "threat": [], "to": "now" } ], "signal.original_event.kind": [ "alert" ], "threat.technique.name": [ "BITS Jobs" ], "Events.event.type": [ "start" ], "Events.event.created": [ "2022-04-13T08:24:42.2248426Z" ], "signal.depth": [ 1 ], "signal.rule.immutable": [ "false" ], "event.sequence": [ 28181 ], "signal.rule.name": [ "Malicious Behavior Detection Alert: Suspicious Bitsadmin Activity" ], "event.module": [ "endpoint" ], "kibana.alert.rule.severity_mapping.operator": [ "equals", "equals", "equals", "equals" ], "host.os.kernel": [ "21H2 (10.0.19044.1645)" ], "kibana.alert.rule.license": [ "Elastic License v2" ], "kibana.alert.original_event.kind": [ "alert" ], "signal.rule.description": [ "Generates a detection alert each time an Elastic Endpoint Security alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts." ], "process.args": [ "bitsadmin", "download", "abc.html" ], "message": [ "Malicious Behavior Detection Alert: Suspicious Bitsadmin Activity" ], "process.Ext.authentication_id": [ "0x65d8c0" ], "rule.version": [ "1.0.5" ], "process.Ext.token.elevation_level": [ "full" ], "kibana.alert.original_event.sequence": [ 28181 ], "kibana.alert.original_event.outcome": [ "success" ], "kibana.alert.rule.exceptions_list.namespace_type": [ "agnostic" ], "threat.technique.reference": [ "https://attack.mitre.org/techniques/T1197/" ], "kibana.space_ids": [ "default" ], "rule.id": [ "676ac66c-4899-498f-ae21-ed5620af5477" ], "kibana.alert.severity": [ "critical" ], "signal.ancestors.depth": [ 0 ], "event.category": [ "malware", "intrusion_detection" ], "Endpoint.policy.applied.artifacts.global.identifiers.sha256": [ "e57a7d5638060e9655c64ac1d02f7949b87e5f5f27f2074329608db1e06d645b", "c33693fcadb720d4d37706cd2ca77b28a8c59a424ab3f251b2b07ac7975eb2f4", "d47bfd600e3a8f79e290dfb0306e8abe7be11b75b36ba98132f46b8971f7f071", "8609faa372f8761bf199a03325f56577d2fd47630d6dba386b6eb33562aef6e3", "52bc8b59292b5017bb091f97fa395881b127b07dec6182f91c4b84074ae6e7bc", "dcbaa744fc672d8db32010a1422aafa6e0cf86816d34b1d4df9f273f106be425", "b680beed0f3ca83ae78802e972bf4bb12ecea2b1649a7aafd16e6fec8c9a0ede", "1d591a12ce8ae215ebdcdabc81fc912cd51162e7a8e35bcdc1676bc3125cebbf", "8490cfcc8126e2f33aebe0d80a4a13d7ff548b9c2d55abd98125645ef020e2b2", "c05c025cce1c2b5808c180dc4986eb519c0affd30d7c27f67fdd14bde3224638", "b98dc812e3cd9c9aa21462bb8b2bac86158d6d2d97ea4aac6731c069f6babb4d", "7acbe147698a40c817775d471ea30c2fe4dfa7a9f54271e6dbc073131c5a3bcb", "dfb2b428357b756d9f5b593c02dce99b026c9e2afeb76cdb8e8c76c6db78290a", "611a02c398c58ebe2f6d9d63621778de96263ef7fa885098ce62a22c411d67bc", "363cb9d7bbc013d9bc171a6a29fdfe486f1c987ef2c0cdfa3c283fc4c5a4a595", "b07cf3beacd69e6922d344448a8c6d03e96ae6d5ec1e540415fe2f4804bcb631" ], "rule.reference": [ "https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-2" ], "Events.host.ip": [ "10.0.5.8", "127.0.0.1", "::1" ], "process.parent.command_line": [ "eqnedt32.exe /c bitsadmin download abc.html" ], "process.parent.name": [ "eqnedt32.exe" ], "process.parent.pid": [ 2232 ], "kibana.alert.original_event.risk_score": [ 99 ], "kibana.alert.rule.tags": [ "Elastic", "Endpoint Security" ], "process.code_signature.exists": [ true ], "Events.process.Ext.code_signature.trusted": [ true ], "kibana.alert.ancestors.depth": [ 0 ], "Events.host.id": [ "4143c277-074e-47a9-b37d-37f94b508705" ], "Events.process.parent.args": [ "eqnedt32.exe", "/c", "bitsadmin", "download", "abc.html" ], "kibana.alert.rule.severity_mapping.severity": [ "low", "medium", "high", "critical" ], "agent.build.original": [ "version: 8.2.0-SNAPSHOT, compiled: Sun Apr 10 02:00:00 2022, branch: 8.2, commit: 7a1c4a4718c9b12103b36ee1fdd98375cc4618a3" ], "Events.process.parent.entity_id": [ "ZGQyNzU3YTQtYTU2NC00MTVjLTk3MTItZWI1ODEwNmQ3MzE0LTIyMzItMTMyOTQzMTE4ODIuMTUwNTU1MzAw" ], "event.agent_id_status": [ "verified" ], "Events.process.parent.command_line": [ "eqnedt32.exe /c bitsadmin download abc.html" ], "event.outcome": [ "success" ], "Events.event.kind": [ "event" ], "kibana.alert.rule.risk_score_mapping.value": [ "" ], "user.id": [ "S-1-5-21-4215045029-3277270250-148079304-1004" ], "process.Ext.ancestry": [ "ZGQyNzU3YTQtYTU2NC00MTVjLTk3MTItZWI1ODEwNmQ3MzE0LTIyMzItMTMyOTQzMTE4ODIuMTUwNTU1MzAw", "ZGQyNzU3YTQtYTU2NC00MTVjLTk3MTItZWI1ODEwNmQ3MzE0LTc4NDAtMTMyOTQzMTE4NTEuNTI5MTQwMDA=", "ZGQyNzU3YTQtYTU2NC00MTVjLTk3MTItZWI1ODEwNmQ3MzE0LTQ0MDQtMTMyOTQzMDA1NzkuNzgxOTE0NDAw" ], "signal.original_event.sequence": [ 28181 ], "event.risk_score": [ 99 ], "Events.host.hostname": [ "DESKTOP-QBBSCUT" ], "host.architecture": [ "x86_64" ], "process.Ext.code_signature.status": [ "trusted" ], "kibana.alert.original_event.type": [ "info", "allowed" ], "event.code": [ "behavior" ], "agent.id": [ "dd2757a4-a564-415c-9712-eb58106d7314" ], "signal.original_event.module": [ "endpoint" ], "signal.rule.from": [ "now-305s" ], "kibana.alert.rule.exceptions_list.type": [ "endpoint" ], "kibana.alert.rule.enabled": [ "true" ], "Events.process.Ext.authentication_id": [ "0x65d8c0" ], "kibana.alert.ancestors.type": [ "event" ], "Events.host.os.type": [ "windows" ], "Events.process.code_signature.subject_name": [ "Microsoft Windows" ], "user.name": [ "zeus" ], "signal.ancestors.index": [ ".ds-logs-endpoint.alerts-default-2022.04.13-000001" ], "Events.process.Ext.code_signature.subject_name": [ "Microsoft Windows" ], "Endpoint.policy.applied.artifacts.global.version": [ "1.0.264" ], "Events.host.os.Ext.variant": [ "Windows 10 Pro" ], "signal.original_event.id": [ "MZNUKrVaIngrO+Qd+++++VMq" ], "Events.event.category": [ "process" ], "user.domain": [ "DESKTOP-QBBSCUT" ], "process.Ext.token.integrity_level_name": [ "high" ], "signal.original_event.type": [ "info", "allowed" ], "kibana.alert.rule.max_signals": [ 10000 ], "signal.rule.author": [ "Elastic" ], "kibana.alert.rule.risk_score": [ 47 ], "process.code_signature.status": [ "trusted" ], "signal.original_event.dataset": [ "endpoint.alerts" ], "Events.process.parent.pid": [ 2232 ], "Events.process.Ext.token.elevation_level": [ "full" ], "kibana.alert.rule.consumer": [ "siem" ], "kibana.alert.rule.category": [ "Custom Query Rule" ], "event.action": [ "rule_detection" ], "event.ingested": [ "2022-04-13T08:25:15.000Z" ], "@timestamp": [ "2022-04-13T08:25:22.717Z" ], "kibana.alert.original_event.action": [ "rule_detection" ], "kibana.alert.original_event.agent_id_status": [ "verified" ], "data_stream.dataset": [ "endpoint.alerts" ], "signal.rule.timestamp_override": [ "event.ingested" ], "kibana.alert.uuid": [ "9ed5c4920e7d7e252ee7926e27ac9b5b03e2232225bd5e69a192ef6c07faa184" ], "kibana.alert.rule.execution.uuid": [ "60b48e32-04b1-4e75-83be-a74ae95eb077" ], "process.hash.sha1": [ "3fd6eb9a72446f34f309adfaa6b8695eecd5b4b6" ], "Endpoint.policy.applied.artifacts.user.identifiers.name": [ "endpoint-blocklist-windows-v1", "endpoint-eventfilterlist-windows-v1", "endpoint-exceptionlist-windows-v1", "endpoint-hostisolationexceptionlist-windows-v1", "endpoint-trustlist-windows-v1" ], "signal.rule.license": [ "Elastic License v2" ], "kibana.alert.rule.rule_id": [ "ba8918c8-3d65-4fc0-a47a-0454c59db7a1" ], "signal.rule.type": [ "query" ], "signal.rule.rule_name_override": [ "message" ], "Events.process.Ext.code_signature.exists": [ true ], "kibana.alert.rule.risk_score_mapping.field": [ "event.risk_score" ], "Events._label": [ "process_executed_to_download_payload" ], "process.pid": [ 5188 ], "signal.rule.created_by": [ "mgulati" ], "signal.rule.interval": [ "5s" ], "kibana.alert.rule.created_by": [ "mgulati" ], "kibana.alert.rule.timestamp_override": [ "event.ingested" ], "Events.process.entity_id": [ "ZGQyNzU3YTQtYTU2NC00MTVjLTk3MTItZWI1ODEwNmQ3MzE0LTUxODgtMTMyOTQzMTE4ODIuMjI0ODQyNjAw" ], "process.code_signature.subject_name": [ "Microsoft Windows" ], "process.parent.entity_id": [ "ZGQyNzU3YTQtYTU2NC00MTVjLTk3MTItZWI1ODEwNmQ3MzE0LTIyMzItMTMyOTQzMTE4ODIuMTUwNTU1MzAw" ], "kibana.alert.rule.name": [ "Malicious Behavior Detection Alert: Suspicious Bitsadmin Activity" ], "host.name": [ "DESKTOP-QBBSCUT" ], "Events.process.parent.name": [ "eqnedt32.exe" ], "event.kind": [ "signal" ], "process.code_signature.trusted": [ true ], "signal.rule.created_at": [ "2022-04-13T08:22:48.680Z" ], "kibana.alert.workflow_status": [ "open" ], "Events.host.name": [ "DESKTOP-QBBSCUT" ], "kibana.alert.original_event.created": [ "2022-04-13T08:24:43.045Z" ], "threat.tactic.id": [ "TA0005" ], "Events.host.os.platform": [ "windows" ], "Events.host.architecture": [ "x86_64" ], "Events.host.os.kernel": [ "21H2 (10.0.19044.1645)" ], "threat.tactic.name": [ "Defense Evasion" ], "kibana.alert.reason": [ "malware, intrusion_detection event with process bitsadmin.exe, parent process eqnedt32.exe, by zeus on DESKTOP-QBBSCUT created critical alert Malicious Behavior Detection Alert: Suspicious Bitsadmin Activity." ], "process.parent.args_count": [ 5 ], "data_stream.type": [ "logs" ], "signal.original_time": [ "2022-04-13T08:24:43.045Z" ], "signal.ancestors.id": [ "VXUGIoABbHsL1SdA1_wV" ], "process.Ext.token.security_attributes": [ "TSA://ProcUnique" ], "signal.rule.severity": [ "critical" ], "ecs.version": [ "1.11.0" ], "event.created": [ "2022-04-13T08:24:43.045Z" ], "kibana.alert.depth": [ 1 ], "Events.message": [ "Endpoint process event" ], "signal.rule.version": [ "4" ], "kibana.alert.status": [ "active" ], "Events.host.os.family": [ "windows" ], "threat.tactic.reference": [ "https://attack.mitre.org/tactics/TA0005/" ], "Events.user.domain": [ "DESKTOP-QBBSCUT" ], "kibana.alert.rule.severity_mapping.field": [ "event.severity", "event.severity", "event.severity", "event.severity" ], "Events.process.pe.original_file_name": [ "bitsadmin.exe" ], "kibana.alert.original_event.dataset": [ "endpoint.alerts" ], "Events._state": [ 0 ], "kibana.alert.rule.rule_type_id": [ "siem.queryRule" ], "signal.rule.rule_id": [ "ba8918c8-3d65-4fc0-a47a-0454c59db7a1" ], "process.executable": [ "C:\\Windows\\System32\\bitsadmin.exe" ], "kibana.alert.original_event.severity": [ 99 ], "process.parent.executable": [ "C:\\Windows\\System32\\eqnedt32.exe" ], "Events.host.os.version": [ "21H2 (10.0.19044.1645)" ], "process.args_count": [ 3 ], "kibana.alert.rule.updated_at": [ "2022-04-13T08:23:10.406Z" ], "Events.event.id": [ "MZNUKrVaIngrO+Qd+++++VLs" ], "data_stream.namespace": [ "default" ], "kibana.alert.rule.author": [ "Elastic" ], "process.Ext.code_signature.exists": [ true ], "Events.process.pid": [ 5188 ], "process.parent.args": [ "eqnedt32.exe", "/c", "bitsadmin", "download", "abc.html" ], "signal.original_event.action": [ "rule_detection" ], "signal.rule.to": [ "now" ], "kibana.alert.rule.created_at": [ "2022-04-13T08:22:48.680Z" ], "event.type": [ "info", "allowed" ], "process.command_line": [ "bitsadmin download abc.html" ], "Events.process.hash.sha256": [ "739b2dd012ea183895cc01116906f339c9aa1c0baabf6f22c8e59e25a0c12917" ], "Events.process.code_signature.exists": [ true ], "kibana.alert.rule.meta.from": [ "5m" ], "kibana.alert.rule.exceptions_list.id": [ "endpoint_list" ], "event.dataset": [ "endpoint.alerts" ], "kibana.alert.original_time": [ "2022-04-13T08:24:43.045Z" ] } }