filebeat.exe

  • File Path: C:\Program Files\Elastic\Agent\data\elastic-agent-5ae799\install\filebeat-7.15.1-windows-x86_64\filebeat.exe
  • Description: Filebeat sends log files to Logstash or directly to Elasticsearch.
  • Comments: commit=5ae799cb1c3c490c9a27b14cb463dc23696bc7d3

Hashes

Type Hash
MD5 7E4D560121EB137CD4130974EC9DE835
SHA1 34BA04A66117665BC2823008188EB0C576303408
SHA256 393BA05D660901E1034D4C7D0972E2EE3B7E59FD06B95E45AA13A6F04C099C91
SHA384 8D5336B9709D1B613A3D5EED8F7629CB0B4952490C2D7F44294CE4738AC7B7CDEF391864E249C2CDE77CC7D69844D155
SHA512 C5EE1EFD10EA4223832023D771E3AB09EBE981312D7F033DBF504550CC7A768D70CB9046F3DD199EF57C1276C3A690391725E7D364F1D96E510ED99C4D8E8D1D
SSDEEP 786432:w1uxLGubh717hREuxZEahUCodVIS7W4ouuXV5cS2MzK2dLp0DQaK7y/hqzyXReft:1Kut717tmy
IMP 3F0F065D59BD9A8EC45FE4CB67BE72E2
PESHA1 91BE2562A34B35E525151FF41C8F9DFDDE20E05B
PE256 071D7A06AE6C277064112055BCD3C2713386AA95004BB4FC563F1954163BF61D

Runtime Data

Usage (stdout):

Usage:
  filebeat [flags]
  filebeat [command]

Available Commands:
  export      Export current config or index template
  generate    Generate Filebeat modules, filesets and fields.yml
  help        Help about any command
  keystore    Manage secrets keystore
  modules     Manage configured modules
  run         Run filebeat
  setup       Setup index template, dashboards and ML jobs
  test        Test config
  version     Show current version info

Flags:
  -E, --E setting=value              Configuration overwrite
  -M, --M setting=value              Module configuration overwrite
  -N, --N                            Disable actual publishing for testing
  -c, --c string                     Configuration file, relative to path.config (default "filebeat.yml")
      --cpuprofile string            Write cpu profile to file
  -d, --d string                     Enable certain debug selectors
  -e, --e                            Log to stderr and disable syslog/file output
      --environment environmentVar   set environment being ran in (default default)
  -h, --help                         help for filebeat
      --httpprof string              Start pprof http server
      --memprofile string            Write memory profile to this file
      --modules string               List of enabled modules (comma separated)
      --once                         Run filebeat only once until all harvesters reach EOF
      --path.config string           Configuration path
      --path.data string             Data path
      --path.home string             Home path
      --path.logs string             Logs path
      --strict.perms                 Strict permission checking on config files (default true)
      --system.hostfs string         Mount point of the host's filesystem for use in monitoring a host from within a container
  -v, --v                            Log at INFO level

Use "filebeat [command] --help" for more information about a command.

Usage (stderr):

Error: unknown command "/?" for "filebeat"
Run 'filebeat --help' for usage.

Loaded Modules:

Path
C:\Program Files\Elastic\Agent\data\elastic-agent-5ae799\install\filebeat-7.15.1-windows-x86_64\filebeat.exe
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\SYSTEM32\ntdll.dll

Signature

  • Status: Signature verified.
  • Serial: 0D6AC55C87AAE413A8D7E1303C483495
  • Thumbprint: 9F1AE2588723FD3E8F374C688D5A9FCE0EC50F44
  • Issuer: CN=DigiCert EV Code Signing CA (SHA2), OU=www.digicert.com, O=DigiCert Inc, C=US
  • Subject: CN=”Elasticsearch, Inc.”, O=”Elasticsearch, Inc.”, L=Mountain View, S=California, C=US, SERIALNUMBER=5195380, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US

File Metadata

  • Original Filename: filebeat.exe
  • Product Name: Filebeat
  • Company Name: Elastic
  • File Version: 7.15.1
  • Product Version: 7.15.1
  • Language: Language Neutral
  • Legal Copyright: Copyright Elastic, License Elastic License
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/71
  • VirusTotal Link: https://www.virustotal.com/gui/file/393ba05d660901e1034d4c7d0972e2ee3b7e59fd06b95e45aa13a6f04c099c91/detection

Possible Misuse

The following table contains possible examples of filebeat.exe being misused. While filebeat.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_macos_disable_security_tools.yml - 'filebeat' # elastic log file shipper DRL 1.0
sigma proc_creation_macos_security_software_discovery.yml - 'filebeat' # elastic log file shipper DRL 1.0
sigma proc_creation_lnx_security_software_discovery.yml - 'filebeat' # elastic log file shipper DRL 1.0
sigma ecs-dns.yml - filebeat-* DRL 1.0
sigma ecs-filebeat.yml title: Elastic filebeat (from 7.x) index pattern and field mapping following Elastic Common Schema DRL 1.0
sigma ecs-filebeat.yml defaultindex: filebeat-* DRL 1.0
sigma ecs-proxy.yml - filebeat-* DRL 1.0
sigma ecs-zeek-elastic-beats-implementation.yml title: Elastic Common Schema (ECS) implementation for Zeek using filebeat modules enabled based on version 7.6.1 DRL 1.0
sigma ecs-zeek-elastic-beats-implementation.yml index: 'filebeat*' DRL 1.0
sigma ecs-zeek-elastic-beats-implementation.yml defaultindex: 'filebeat*' DRL 1.0
sigma elk-defaultindex-filebeat.yml title: ELK default indices filebeat-* DRL 1.0
sigma elk-defaultindex-filebeat.yml - filebeat-* DRL 1.0
sigma elk-defaultindex.yml title: ELK default indices logstash-* and filebeat-* DRL 1.0
sigma elk-defaultindex.yml - filebeat-* DRL 1.0
sigma filebeat-defaultindex.yml title: Elastic Filebeat default index name DRL 1.0
sigma filebeat-defaultindex.yml - filebeat-* DRL 1.0
atomic-red-team T1518.001.md ps aux | egrep ‘Little\ Snitch|CbOsxSensorService|falcond|nessusd|santad|CbDefense|td-agent|packetbeat|filebeat|auditbeat|osqueryd|BlockBlock|LuLu’ MIT License. © 2018 Red Canary
atomic-red-team T1518.001.md ps aux | egrep ‘falcond|nessusd|cbagentd|td-agent|packetbeat|filebeat|auditbeat|osqueryd’ MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.