| Informational |
80% |
ldt |
BOOK-R0BE6S1NC3 |
A suspicious process was identified by CrowdStrike. Review the process tree. |
Execution |
12-22 08:07 |
|
| Informational |
80% |
ldt |
BOOK-R0BE6S1NC3 |
A suspicious process was identified by CrowdStrike. Review the process tree. |
Execution |
12-22 08:07 |
|
| Informational |
80% |
ldt |
BOOK-R0BE6S1NC3 |
A process has written a known EICAR test file. Review the files written by the triggered process. |
Execution |
12-22 08:02 |
|
| High |
80% |
ldt |
BOOK-R0BE6S1NC3 |
A regsvr32 process appears to be related to a Squiblydoo attempt. Squiblydoo uses regsvr32 to pass a malicious script to scrobj.dll and registers a com object. Review the script passed to scrobj.dll on the command line. |
Defense Evasion |
12-22 08:02 |
|
| High |
80% |
ldt |
BOOK-R0BE6S1NC3 |
A CMSTP.exe process appears to have been supplied with a suspicious INF file. CMSTP.exe may be abused to load and execute DLLs andor COM scriptlets SCT from remote servers. Review the command line. |
Defense Evasion |
12-22 08:02 |
|
| High |
80% |
ldt |
BOOK-R0BE6S1NC3 |
A PowerShell script attempted to bypass Microsoft's AntiMalware Scan Interface (AMSI). PowerShell exploit kits often attempt to bypass AMSI to evade detection. Review the script. |
Execution |
12-22 08:02 |
|
| High |
80% |
ldt |
BOOK-R0BE6S1NC3 |
A process attempted to download a file using bitsadmin in an unusual way. The file might be a malicious payload. Investigate the process tree. |
Defense Evasion |
12-22 08:02 |
|
| High |
80% |
ldt |
BOOK-R0BE6S1NC3 |
A PowerShell process downloaded and launched a remote file. This is often the result of a malicious macro designed to drop a variety of second stage payloads. Review the command line. |
Execution |
12-22 08:02 |
|
| Informational |
80% |
ldt |
BOOK-R0BE6S1NC3 |
A process has written a known EICAR test file. Review the files written by the triggered process. |
Execution |
12-22 08:01 |
|
| High |
80% |
ldt |
BOOK-R0BE6S1NC3 |
A process attempted to download a file using bitsadmin in an unusual way. The file might be a malicious payload. Investigate the process tree. |
Defense Evasion |
12-22 08:01 |
|
| Critical |
80% |
ldt |
BOOK-R0BE6S1NC3 |
A process saved the Security Account Manager SAM or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. |
Credential Access |
12-22 08:01 |
|
| Critical |
80% |
ldt |
BOOK-R0BE6S1NC3 |
A process saved the Security Account Manager SAM or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. |
Credential Access |
12-22 08:01 |
|
| High |
80% |
ldt |
BOOK-R0BE6S1NC3 |
Rundll32 launched with unusual arguments. This occasionally results from applications misusing rundll32, but it might be malware preparing to hollow out the process or abusing it to launch a malicious payload. Review the command line and the process tree. |
Defense Evasion |
12-22 08:01 |
|
| High |
80% |
ldt |
BOOK-R0BE6S1NC3 |
A PowerShell script attempted to bypass Microsoft's AntiMalware Scan Interface (AMSI). PowerShell exploit kits often attempt to bypass AMSI to evade detection. Review the script. |
Execution |
12-22 08:01 |
|
| Critical |
80% |
ldt |
BOOK-R0BE6S1NC3 |
A process appears to be accessing credentials and might be dumping passwords. If this is unexpected, review the process tree. |
Credential Access |
12-22 08:01 |
|
| High |
80% |
ldt |
BOOK-R0BE6S1NC3 |
Rundll32 launched with unusual arguments. This occasionally results from applications misusing rundll32, but it might be malware preparing to hollow out the process or abusing it to launch a malicious payload. Review the command line and the process tree. |
Defense Evasion |
12-22 08:01 |
|
| Critical |
80% |
ldt |
BOOK-R0BE6S1NC3 |
A process saved the Security Account Manager SAM or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. |
Credential Access |
12-22 08:01 |
|
| High |
80% |
ldt |
BOOK-R0BE6S1NC3 |
A CMSTP.exe process appears to have been supplied with a suspicious INF file. CMSTP.exe may be abused to load and execute DLLs andor COM scriptlets SCT from remote servers. Review the command line. |
Defense Evasion |
12-22 08:01 |
|
| High |
70% |
ldt |
BOOK-R0BE6S1NC3 |
A file written to the file system meets the on-sensor machine learning high confidence threshold for malicious files. Detection is based on a high degree of entropy, packing, anti-malware evasion, or other similarity to known malware. |
Machine Learning |
12-22 07:55 |
|
| High |
70% |
ldt |
BOOK-R0BE6S1NC3 |
A file written to the file system meets the on-sensor machine learning high confidence threshold for malicious files. Detection is based on a high degree of entropy, packing, anti-malware evasion, or other similarity to known malware. |
Machine Learning |
12-22 07:51 |
|
| High |
80% |
ldt |
BOOK-R0BE6S1NC3 |
A PowerShell script appears to be launching mimikatz, a password dumping utility. This is often launched as part of a PowerShell exploit kit. Decode and review the script. |
Credential Access |
12-22 07:50 |
|
| High |
70% |
ldt |
BOOK-R0BE6S1NC3 |
A script meets the cloud-based behavioral machine learning model threshold for suspicious activity. Detection is based on code similarities to known malicious PowerShell scripts. |
AI Powered IOA |
12-22 07:49 |
|
| Informational |
80% |
ldt |
BOOK-R0BE6S1NC3 |
A process has written a known EICAR test file. Review the files written by the triggered process. |
Execution |
12-22 07:49 |
|
| Critical |
80% |
ldt |
BOOK-R0BE6S1NC3 |
A process saved the Security Account Manager SAM or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. |
Credential Access |
12-22 07:49 |
|
| Critical |
80% |
ldt |
BOOK-R0BE6S1NC3 |
A process saved the Security Account Manager SAM or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. |
Credential Access |
12-22 07:49 |
|
| High |
70% |
ldt |
BOOK-R0BE6S1NC3 |
A script meets the cloud-based behavioral machine learning model threshold for suspicious activity. Detection is based on code similarities to known malicious PowerShell scripts. |
AI Powered IOA |
12-22 07:49 |
|
| Critical |
80% |
ldt |
BOOK-R0BE6S1NC3 |
A process saved the Security Account Manager SAM or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. |
Credential Access |
12-22 07:49 |
|
| High |
70% |
ldt |
BOOK-R0BE6S1NC3 |
A script meets the cloud-based behavioral machine learning model threshold for suspicious activity. Detection is based on code similarities to known malicious PowerShell scripts. |
AI Powered IOA |
12-22 07:49 |
|
| High |
80% |
ldt |
BOOK-R0BE6S1NC3 |
A PowerShell script attempted to bypass Microsoft's AntiMalware Scan Interface (AMSI). PowerShell exploit kits often attempt to bypass AMSI to evade detection. Review the script. |
Execution |
12-22 07:49 |
|
| High |
80% |
ldt |
BOOK-R0BE6S1NC3 |
An unusual process accessed lsass. This might indicate an attempt to dump credentials. Investigate the process tree. |
Credential Access |
12-22 07:49 |
|
| High |
80% |
ldt |
BOOK-R0BE6S1NC3 |
An unusual process accessed lsass. This might indicate an attempt to dump credentials. Investigate the process tree. |
Credential Access |
12-22 07:49 |
|
| High |
80% |
ldt |
BOOK-R0BE6S1NC3 |
A process appears to be launching mimikatz, a password dumping utility. mimikatz's primary purpose is to steal passwords. If credentials were dumped, change your passwords and investigate further. |
Credential Access |
12-22 07:49 |
|
| Informational |
80% |
ldt |
BOOK-R0BE6S1NC3 |
A process has written a known EICAR test file. Review the files written by the triggered process. |
Execution |
12-22 07:48 |
|
| Critical |
80% |
ldt |
BOOK-R0BE6S1NC3 |
A process saved the Security Account Manager SAM or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. |
Credential Access |
12-22 07:48 |
|
| Critical |
80% |
ldt |
BOOK-R0BE6S1NC3 |
A process saved the Security Account Manager SAM or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. |
Credential Access |
12-22 07:48 |
|
| High |
80% |
ldt |
BOOK-R0BE6S1NC3 |
A process attempted to download a file using bitsadmin in an unusual way. The file might be a malicious payload. Investigate the process tree. |
Defense Evasion |
12-22 07:48 |
|
| Critical |
80% |
ldt |
BOOK-R0BE6S1NC3 |
A process appears to be accessing credentials and might be dumping passwords. If this is unexpected, review the process tree. |
Credential Access |
12-22 07:48 |
|
| High |
80% |
ldt |
BOOK-R0BE6S1NC3 |
Rundll32 launched with unusual arguments. This occasionally results from applications misusing rundll32, but it might be malware preparing to hollow out the process or abusing it to launch a malicious payload. Review the command line and the process tree. |
Defense Evasion |
12-22 07:48 |
|
| High |
80% |
ldt |
BOOK-R0BE6S1NC3 |
Rundll32 launched with unusual arguments. This occasionally results from applications misusing rundll32, but it might be malware preparing to hollow out the process or abusing it to launch a malicious payload. Review the command line and the process tree. |
Defense Evasion |
12-22 07:48 |
|
| Critical |
80% |
ldt |
BOOK-R0BE6S1NC3 |
A process saved the Security Account Manager SAM or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. |
Credential Access |
12-22 07:48 |
|
| High |
70% |
ldt |
BOOK-R0BE6S1NC3 |
A script meets the cloud-based behavioral machine learning model threshold for suspicious activity. Detection is based on code similarities to known malicious PowerShell scripts. |
AI Powered IOA |
12-22 07:48 |
|
| High |
70% |
ldt |
BOOK-R0BE6S1NC3 |
A script meets the cloud-based behavioral machine learning model threshold for suspicious activity. Detection is based on code similarities to known malicious PowerShell scripts. |
AI Powered IOA |
12-22 07:48 |
|
| High |
70% |
ldt |
BOOK-R0BE6S1NC3 |
A script meets the cloud-based behavioral machine learning model threshold for suspicious activity. Detection is based on code similarities to known malicious PowerShell scripts. |
AI Powered IOA |
12-22 07:48 |
|
| High |
80% |
ldt |
BOOK-R0BE6S1NC3 |
A PowerShell script attempted to bypass Microsoft's AntiMalware Scan Interface (AMSI). PowerShell exploit kits often attempt to bypass AMSI to evade detection. Review the script. |
Execution |
12-22 07:48 |
|
| Critical |
80% |
ldt |
BOOK-R0BE6S1NC3 |
A process saved the Security Account Manager SAM or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. |
Credential Access |
12-22 07:43 |
|
| High |
80% |
ldt |
BOOK-R0BE6S1NC3 |
A process appears to be launching mimikatz, a password dumping utility. mimikatz's primary purpose is to steal passwords. If credentials were dumped, change your passwords and investigate further. |
Credential Access |
12-22 07:29 |
|
| Critical |
80% |
ldt |
BOOK-R0BE6S1NC3 |
A process appears to be accessing credentials and might be dumping passwords. If this is unexpected, review the process tree. |
Credential Access |
12-22 07:22 |
|
| Critical |
80% |
ldt |
BOOK-R0BE6S1NC3 |
A process appears to be accessing credentials and might be dumping passwords. If this is unexpected, review the process tree. |
Credential Access |
12-22 07:22 |
|
| Critical |
80% |
ldt |
BOOK-R0BE6S1NC3 |
A process appears to be accessing credentials and might be dumping passwords. If this is unexpected, review the process tree. |
Credential Access |
12-22 07:22 |
|
| High |
80% |
ldt |
BOOK-R0BE6S1NC3 |
A process removed or cleared Windows Event Logs. Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Investigate the process tree. |
Defense Evasion |
12-22 07:22 |
|