ChinaChopper.ndjson

{"author":["Austin Songer"],"actions":[],"created_at":"2021-05-12T01:08:35.269Z","updated_at":"2021-05-12T01:08:35.269Z","created_by":"574623007","description":"China Chopper","enabled":false,"false_positives":[],"filters":[],"from":"now-900s","id":"93774650-b2be-11eb-9be8-157e49b5bd7c","immutable":false,"index":["filebeat-*","winlogbeat-*","logs-endpoint.events.*","logs-windows.*"],"interval":"5m","rule_id":"cd816b24-2d5a-4448-8c37-c38b29af452e","language":"lucene","license":"","output_index":".siem-signals-default","max_signals":100,"risk_score":73,"risk_score_mapping":[],"name":"China Chopper","query":"((process.parent.executable:(*\\\\\\\\w3wp.exe OR *\\\\\\\\php\\\\-cgi.exe OR *\\\\\\\\nginx.exe OR *\\\\\\\\httpd.exe) OR process.parent.executable:(*\\\\\\\\apache* OR *\\\\\\\\tomcat*)) AND (((process.command_line:(*\\\\ user\\\\ * OR *\\\\ use\\\\ * OR *\\\\ group\\\\ *) AND process.executable:(*\\\\\\\\net.exe OR *\\\\\\\\net1.exe)) OR (process.command_line:*\\\\ \\\\-n\\\\ * AND process.executable:*\\\\\\\\ping.exe) OR process.command_line:(*&cd&echo* OR *cd\\\\ \\\\/d\\\\ *)) OR (process.command_line:*\\\\ \\\\/node\\\\:* AND process.executable:*\\\\\\\\wmic.exe) OR process.executable:(*\\\\\\\\whoami.exe OR *\\\\\\\\systeminfo.exe OR *\\\\\\\\quser.exe OR *\\\\\\\\ipconfig.exe OR *\\\\\\\\pathping.exe OR *\\\\\\\\tracert.exe OR *\\\\\\\\netstat.exe OR *\\\\\\\\schtasks.exe OR *\\\\\\\\vssadmin.exe OR *\\\\\\\\wevtutil.exe OR *\\\\\\\\tasklist.exe) OR process.command_line:(*\\\\ Test\\\\-NetConnection\\\\ * OR *dir\\\\ \\\\\\\\*)))","references":[],"meta":{"from":"10m","kibana_siem_app_url":""},"severity":"high","severity_mapping":[],"updated_by":"574623007","tags":["Elastic","Windows","Shell","China Chopper"],"to":"now","type":"query","threat":[],"throttle":"no_actions","timestamp_override":"event.ingested","version":1,"exceptions_list":[]}
{"exported_count":1,"missing_rules":[],"missing_rules_count":0}