| Severity | Score | User | Endpoint | Description | MITRE ATT&CK tactic | Time (MM-DD HH:MM) |
|---|---|---|---|---|---|---|
| High | 80% | ldt | DESKTOP-0TNTPTE | A PowerShell script appears to be launching mimikatz, a password-dumping utility. This is often launched as part of a PowerShell exploit kit. Decode and review the script. | Credential Access | 12-15 03:09 |
| Critical | 80% | ldt | DESKTOP-0TNTPTE | A process saved the Security Account Manager (SAM) or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. | Credential Access | 12-15 03:08 |
| Medium | 80% | ldt | DESKTOP-0TNTPTE | A suspicious process injected into another process in an unusual way. Investigate the process trees for the injector and the injectee. | Defense Evasion | 12-15 03:08 |
| High | 80% | ldt | DESKTOP-0TNTPTE | A PowerShell script appears to be launching mimikatz, a password-dumping utility. This is often launched as part of a PowerShell exploit kit. Decode and review the script. | Credential Access | 12-15 02:55 |
| High | 80% | ldt | DESKTOP-0TNTPTE | A PowerShell script attempted to bypass Microsoft's Antimalware Scan Interface (AMSI). PowerShell exploit kits often attempt to bypass AMSI to evade detection. Review the script. | Execution | 12-15 02:54 |
| High | 70% | ldt | DESKTOP-0TNTPTE | Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Review the installer package and any pre- or post-install actions. | Persistence | 12-15 02:53 |
| Critical | 80% | ldt | DESKTOP-0TNTPTE | A process saved the Security Account Manager (SAM) or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. | Credential Access | 12-15 02:53 |
| High | 80% | ldt | DESKTOP-0TNTPTE | Certutil was observed downloading file(s) from a remote location. This process is rarely used benignly in this context. Review the command line and process tree. | Command and Control | 12-15 02:53 |
| High | 80% | ldt | DESKTOP-0TNTPTE | A process removed or cleared Windows Event Logs. Adversaries clear Windows Event Logs to hide the activity of an intrusion. Investigate the process tree. | Defense Evasion | 12-15 02:53 |
| High | 80% | ldt | DESKTOP-0TNTPTE | A regsvr32 process appears to be related to a Squiblydoo attempt. Squiblydoo uses regsvr32 to pass a malicious script to scrobj.dll and registers a COM object. Review the script passed to scrobj.dll on the command line. | Defense Evasion | 12-15 02:53 |
| High | 80% | ldt | DESKTOP-0TNTPTE | A process attempted to download a file using bitsadmin in an unusual way. The file might be a malicious payload. Investigate the process tree. | Defense Evasion | 12-15 02:51 |
| High | 80% | ldt | DESKTOP-0TNTPTE | A process attempted to download a file using bitsadmin in an unusual way. The file might be a malicious payload. Investigate the process tree. | Defense Evasion | 12-15 02:51 |
| High | 80% | ldt | DESKTOP-0TNTPTE | Certutil was observed downloading file(s) from a remote location. This process is rarely used benignly in this context. Review the command line and process tree. | Command and Control | 12-15 02:51 |
| Informational | 80% | ldt | DESKTOP-0TNTPTE | A process has written a known EICAR test file. Review the files written by the triggering process. | Execution | 12-15 02:49 |
| High | 70% | ldt | DESKTOP-0TNTPTE | Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Review the installer package and any pre- or post-install actions. | Persistence | 12-15 02:49 |
| High | 80% | ldt | DESKTOP-0TNTPTE | A regsvr32 process appears to be related to a Squiblydoo attempt. Squiblydoo uses regsvr32 to pass a malicious script to scrobj.dll and registers a COM object. Review the script passed to scrobj.dll on the command line. | Defense Evasion | 12-15 02:49 |
| Critical | 80% | ldt | DESKTOP-0TNTPTE | A process saved the Security Account Manager (SAM) or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. | Credential Access | 12-15 02:49 |
| Informational | 80% | ldt | DESKTOP-0TNTPTE | A process has written a known EICAR test file. Review the files written by the triggering process. | Execution | 12-15 02:48 |
| Informational | 80% | ldt | DESKTOP-0TNTPTE | A process has written a known EICAR test file. Review the files written by the triggering process. | Execution | 12-15 02:44 |
| Critical | 80% | ldt | DESKTOP-0TNTPTE | A process saved the Security Account Manager (SAM) or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. | Credential Access | 12-15 02:43 |
| Medium | 80% | ldt | DESKTOP-0TNTPTE | A suspicious script launched that might be related to malicious activity. A variety of malware families use this technique. Review the script. | Execution | 12-12 18:23 |
| Medium | 80% | ldt | DESKTOP-0TNTPTE | A suspicious script launched that might be related to malicious activity. A variety of malware families use this technique. Review the script. | Execution | 12-12 18:22 |
| Medium | 80% | ldt | DESKTOP-0TNTPTE | A suspicious script launched that might be related to malicious activity. A variety of malware families use this technique. Review the script. | Execution | 12-12 18:21 |
| Medium | 80% | ldt | DESKTOP-0TNTPTE | A suspicious script launched that might be related to malicious activity. A variety of malware families use this technique. Review the script. | Execution | 12-12 17:45 |
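The rows above are one host's alerts listed newest first, which hides the shape of what happened: within about 25 minutes on 12-15 a single user account went from LOLBin downloads (certutil, bitsadmin) and AMSI bypass through SAM/SYSTEM hive dumps and mimikatz to event-log clearing, while the 12-12 rows are an unrelated burst of one Medium alert. The script below is an added example, not code from the page or from any EDR vendor, showing how a SOC would collapse such a flat export into per-host incidents: parse the pipe-delimited rows, fold repeated identical alerts (the two bitsadmin rows at 02:51, the three script launches at 18:21 to 18:23) into one alert with a count, split each host's timeline into incidents wherever the gap exceeds a window, and rank incidents by worst severity plus how much of a C2, execution, credential access and defense evasion chain they cover. The sample rows are constructed from the table with abbreviated descriptions; the year, the 60-minute window, the 90-second dedupe gap, the severity weights and the priority formula are all assumptions for the example.

```python
"""Correlate flat EDR alert rows into per-host incidents (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed weights; vendors use their own scales.
SEVERITY = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}
# Tactics that together indicate hands-on post-exploitation rather than noise (assumption).
CHAIN = ("Command and Control", "Execution", "Credential Access", "Defense Evasion")
WINDOW = timedelta(minutes=60)   # assumed: a gap longer than this starts a new incident
DEDUPE_GAP = timedelta(seconds=90)  # assumed: identical alerts this close are one burst
YEAR = 2023  # assumed; the export carries only MM-DD HH:MM

# Constructed sample: a subset of the page's rows with shortened descriptions.
SAMPLE = """\
| High | 80% | ldt | DESKTOP-0TNTPTE | PowerShell launching mimikatz | Credential Access | 12-15 03:09 |
| Critical | 80% | ldt | DESKTOP-0TNTPTE | SAM or SYSTEM hive saved to disk | Credential Access | 12-15 03:08 |
| Medium | 80% | ldt | DESKTOP-0TNTPTE | Unusual process injection | Defense Evasion | 12-15 03:08 |
| High | 80% | ldt | DESKTOP-0TNTPTE | PowerShell AMSI bypass | Execution | 12-15 02:54 |
| High | 80% | ldt | DESKTOP-0TNTPTE | Windows Event Logs cleared | Defense Evasion | 12-15 02:53 |
| High | 80% | ldt | DESKTOP-0TNTPTE | Certutil download from remote location | Command and Control | 12-15 02:53 |
| High | 80% | ldt | DESKTOP-0TNTPTE | bitsadmin download | Defense Evasion | 12-15 02:51 |
| High | 80% | ldt | DESKTOP-0TNTPTE | bitsadmin download | Defense Evasion | 12-15 02:51 |
| Informational | 80% | ldt | DESKTOP-0TNTPTE | EICAR test file written | Execution | 12-15 02:44 |
| Medium | 80% | ldt | DESKTOP-0TNTPTE | Suspicious script launched | Execution | 12-12 18:23 |
| Medium | 80% | ldt | DESKTOP-0TNTPTE | Suspicious script launched | Execution | 12-12 18:22 |
| Medium | 80% | ldt | DESKTOP-0TNTPTE | Suspicious script launched | Execution | 12-12 18:21 |
| Medium | 80% | ldt | DESKTOP-0TNTPTE | Suspicious script launched | Execution | 12-12 17:45 |
"""


def parse_alerts(text):
    """Parse pipe-delimited rows into dicts, oldest first. Header/separator rows are skipped."""
    alerts = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 7 or cells[0] not in SEVERITY:
            continue
        sev, score, user, host, desc, tactic, ts = cells
        alerts.append({
            "severity": sev, "score": int(score.rstrip("%")), "user": user,
            "host": host, "desc": desc, "tactic": tactic,
            "time": datetime.strptime(f"{YEAR}-{ts}", "%Y-%m-%d %H:%M"),
        })
    return sorted(alerts, key=lambda a: a["time"])  # stable: same-minute rows keep order


def dedupe(alerts, gap=DEDUPE_GAP):
    """Fold repeats of the same alert on the same host into one entry with a count.
    A repeat extends the burst, so three launches a minute apart become one alert."""
    out = []
    for a in alerts:
        for prev in reversed(out):
            if (prev["host"], prev["desc"]) == (a["host"], a["desc"]) and a["time"] - prev["last"] <= gap:
                prev["count"] += 1
                prev["last"] = a["time"]
                break
        else:
            out.append(dict(a, count=1, last=a["time"]))
    return out


def score(host, rows):
    """Summarise one incident: worst severity plus breadth of the kill chain observed."""
    tactics = {a["tactic"] for a in rows}
    max_sev = max(SEVERITY[a["severity"]] for a in rows)
    chain_hits = sum(t in tactics for t in CHAIN)
    return {
        "host": host, "start": rows[0]["time"], "end": rows[-1]["time"],
        "alerts": len(rows), "events": sum(a["count"] for a in rows),
        "tactics": sorted(tactics), "max_severity": max_sev,
        "priority": max_sev + chain_hits,  # assumed formula
        # Hive dump plus log clearing on one host is the pattern to escalate first.
        "credential_theft": "Credential Access" in tactics and "Defense Evasion" in tactics,
    }


def cluster(alerts, window=WINDOW):
    """Split each host's timeline into incidents wherever the gap exceeds `window`."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(a)
    incidents = []
    for host, rows in by_host.items():
        current = []
        for a in rows:
            if current and a["time"] - current[-1]["time"] > window:
                incidents.append(score(host, current))
                current = []
            current.append(a)
        if current:
            incidents.append(score(host, current))
    return sorted(incidents, key=lambda i: -i["priority"])


if __name__ == "__main__":
    for inc in cluster(dedupe(parse_alerts(SAMPLE))):
        print(f"{inc['host']} {inc['start']:%m-%d %H:%M}..{inc['end']:%H:%M} "
              f"priority={inc['priority']} alerts={inc['alerts']} events={inc['events']} "
              f"tactics={inc['tactics']} credential_theft={inc['credential_theft']}")
```

Run against the sample, the 12-15 activity collapses to one incident of 8 alerts (9 raw events) spanning all four chain tactics with a Critical maximum, and the 12-12 script launches to a low-priority incident of 2 alerts (4 raw events). One caveat before escalating: EICAR writes interleaved with textbook LOLBin, Squiblydoo and `reg save`-style hive alerts, all under one user on one workstation within minutes, is also what an Atomic Red Team or purple-team run looks like, so confirm with the account owner and check for an authorised test window; the process trees and command lines the alerts point to are what settle it either way.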