{
  "author": "_ext-sigma-7a14fbc3-54d9-4b4d-8700-61eddada04f0[bulk][segment]",
  "cat": "Usage Of Web Request Commands And Cmdlets",
  "detect": {
    "event": {
      "BASE_ADDRESS": 140702845763584,
      "COMMAND_LINE": "\"C:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-8.18.8-bb58d0\\components\\osqueryd.exe\" --force=true --config_plugin=osq_config --extensions_interval=3 --database_path=osquery\\osquery.db --utc=true --extensions_timeout=10 --logger_event_type=false --extensions_socket=\\\\.\\pipe\\elastic\\osquery\\fe0ea819-96dc-411e-b5a9-b66ba2f48df0 --disable_watchdog=true --extensions_autoload=osquery\\osquery.autoload --pidfile=osquery\\osquery.pid --flagfile=osquery\\osquery.flags --pack_delimiter=_ --config_refresh=60 --disable_tables=carves,curl --logger_plugin=osq_logger --events_expiry=1",
      "FILE_IS_SIGNED": 1,
      "FILE_PATH": "C:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-8.18.8-bb58d0\\components\\osqueryd.exe",
      "HASH": "9ccbc1a4b6de9bd781f054746f30eedcb38299a4adad384cac844b417dce611d",
      "MEMORY_USAGE": 18493440,
      "PARENT": {
        "BASE_ADDRESS": 8519680,
        "COMMAND_LINE": "\"C:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-8.18.8-bb58d0\\components\\agentbeat.exe\" osquerybeat -E setup.ilm.enabled=false -E setup.template.enabled=false -E management.enabled=true -E management.restart_on_output_change=true -E logging.level=info -E logging.to_stderr=true -E gc_percent=${OSQUERYBEAT_GOGC:100} -E logging.event_data.to_stderr=true -E logging.event_data.to_files=false -E http.enabled=true -E http.host=npipe:///Tes-KQnqbUcPQg8uDyx7wTKw8gZCUxhT.sock -E \"path.data=C:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-8.18.8-bb58d0\\run\\osquery-so-manager_logstash\"",
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": "C:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-8.18.8-bb58d0\\components\\agentbeat.exe",
        "MEMORY_USAGE": 108261376,
        "PARENT_ATOM": "b33058f3a70e056b4d2f1ca769c2a7fc",
        "PARENT_PROCESS_ID": 2576,
        "PROCESS_ID": 6032,
        "THIS_ATOM": "24851541e9837cd027dfaa2d69c2a801",
        "THREADS": 12,
        "TIMESTAMP": 1774364669286,
        "USER_NAME": "NT AUTHORITY\\SYSTEM"
      },
      "PARENT_PROCESS_ID": 6032,
      "PROCESS_ID": 6568,
      "THREADS": 21,
      "USER_NAME": "NT AUTHORITY\\SYSTEM"
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "f7a8895a-d9c7-4129-92ad-6fc19010fe89",
      "event_time": 1774364672996,
      "event_type": "NEW_PROCESS",
      "ext_ip": "67.60.122.240",
      "hostname": "df-labsdc01.dflabs.local",
      "iid": "47501359-645e-4049-906e-e6195da7afcf",
      "int_ip": "192.168.45.129",
      "latency": 2952,
      "moduleid": 2,
      "oid": "ad19afae-3759-4207-b06e-8648b225c455",
      "parent": "24851541e9837cd027dfaa2d69c2a801",
      "plat": 268435456,
      "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
      "tags": [
        "domain-controller",
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage"
      ],
      "this": "958b24a7d210bc678592219e69c2a803"
    }
  },
  "detect_id": "e77bc98c-9791-4564-bb61-110369c2a803",
  "detect_mtd": {
    "author": "James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger",
    "description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine",
    "falsepositives": [
      "Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer."
    ],
    "level": "medium",
    "references": [
      "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/",
      "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell",
      "https://learn.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps"
    ],
    "tags": [
      "attack.execution",
      "attack.t1059.001"
    ]
  },
  "gen_time": 1774364675952,
  "link": "https://app.limacharlie.io/orgs/ad19afae-3759-4207-b06e-8648b225c455/sensors/e4a1c62d-4d1f-4472-bae4-43291246b4d4/timeline?time=1774364672\u0026selected=958b24a7d210bc678592219e69c2a803",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "f7a8895a-d9c7-4129-92ad-6fc19010fe89",
    "event_time": 1774364672996,
    "event_type": "NEW_PROCESS",
    "ext_ip": "67.60.122.240",
    "hostname": "df-labsdc01.dflabs.local",
    "iid": "47501359-645e-4049-906e-e6195da7afcf",
    "int_ip": "192.168.45.129",
    "latency": 2952,
    "moduleid": 2,
    "oid": "ad19afae-3759-4207-b06e-8648b225c455",
    "parent": "24851541e9837cd027dfaa2d69c2a801",
    "plat": 268435456,
    "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
    "tags": [
      "domain-controller",
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage"
    ],
    "this": "958b24a7d210bc678592219e69c2a803"
  },
  "rule_tags": [
    "ext:ext-sigma",
    "attack.execution",
    "attack.t1059.001"
  ],
  "source": "ad19afae-3759-4207-b06e-8648b225c455.47501359-645e-4049-906e-e6195da7afcf.e4a1c62d-4d1f-4472-bae4-43291246b4d4.10000000.2",
  "source_rule": "service.windows_process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets",
  "ts": 1774364676000
}

{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 0,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 2,
      "type-unsupported": 4,
      "undetected": 70
    }
  }
}

{
  "confidence": 0.925,
  "false_positive_reason": "osqueryd.exe is a legitimate component of the Elastic Security Agent used for endpoint monitoring. The process is running from its expected installation directory with proper digital signatures, and the detection rule flags it as suspicious web request commands which is not applicable to this security monitoring tool.",
  "investigation_questions": [
    "Is the Elastic Agent installed and authorized on this endpoint?",
    "What is the purpose of osqueryd.exe running under SYSTEM context?",
    "Are there any recent policy changes that might have triggered this detection?"
  ],
  "ioc_analysis": "The process file path C:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-8.18.8-bb58d0\\components\\osqueryd.exe is located in the legitimate software installation directory, not in suspicious system directories. The hash and digital signature confirm this is a known, signed binary from Elastic Security. The process is running under SYSTEM context which is expected for agent processes that require elevated privileges to collect security data.",
  "iocs_extracted": [
    {
      "type": "file_path",
      "value": "C:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-8.18.8-bb58d0\\components\\osqueryd.exe"
    },
    {
      "type": "hash",
      "value": "9ccbc1a4b6de9bd781f054746f30eedcb38299a4adad384cac844b417dce611d"
    },
    {
      "type": "file_is_signed",
      "value": true
    }
  ],
  "mitre_techniques": [],
  "recommended_actions": [
    "Close case as false positive (unanimous AI verdict)",
    "Add osqueryd.exe to allowlist for Elastic Agent processes",
    "Verify Elastic Agent installation is authorized on this host",
    "Monitor for unexpected changes to agent configuration"
  ],
  "risk_score": 10,
  "severity": "low",
  "summary": "**Vote: UNANIMOUS (2/2 -\u003e FALSE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\nFailed or timed out.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThis detection is a false positive because osqueryd.exe is a legitimate component of the Elastic Agent used for endpoint security monitoring and data collection. The process is running from its expected directory in Program Files with a valid Microsoft signature.\n\n**IOC Analysis:** The process file path C:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-8.18.8-bb58d0\\components\\osqueryd.exe is located in the legitimate software installation directory, not in suspicious system directories. The hash and digital signature confirm this is a known, signed binary from Elastic Security. The process is running under SYSTEM context which is expected for agent processes that require elevated privileges to collect security data.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.9\nThe process creation event involves osqueryd.exe from Elastic Agent, a legitimate monitoring and security tool. It is signed and running from a standard location, indicating benign activity consistent with expected system operations.\n\n**IOC Analysis:** FILE_PATH is located in C:\\Program Files\\Elastic\\Agent, which is a standard directory for legitimate installed software. FILE_IS_SIGNED is true, confirming the binary is from a known vendor (Elastic). The HASH matches a known Elastic Agent binary, and no malicious indicators were found. The process is spawned by a legitimate parent process (agentbeat.exe), and running as NT AUTHORITY\\SYSTEM is common for system services.",
  "verdict": "false_positive",
  "voting": {
    "auto_action": "auto_close_fp",
    "mode": "unanimous",
    "total_models": 2,
    "vote_summary": [
      "qwen3.5:4b: false_positive (low, 95% confidence)",
      "deepseek-r1:8b: false_positive (informational, 90% confidence)"
    ],
    "votes": [
      {
        "confidence": 0.95,
        "model": "qwen3.5:4b",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.9,
        "model": "deepseek-r1:8b",
        "verdict": "false_positive"
      }
    ],
    "winning_count": 2,
    "winning_verdict": "false_positive"
  }
}