| Severity | Confidence | ID | Host | Description | Tactic | Time |
|---|---|---|---|---|---|---|
| Informational | 80% | ldt | DESKTOP-FNUMV3U | A process has written a known EICAR test file. Review the files written by the triggered process. | Execution | 12-22 07:50 |
| High | 80% | ldt | DESKTOP-FNUMV3U | A PowerShell script attempted to bypass Microsoft's Antimalware Scan Interface (AMSI). PowerShell exploit kits often attempt to bypass AMSI to evade detection. Review the script. | Execution | 12-22 07:50 |
| High | 80% | ldt | DESKTOP-FNUMV3U | A process attempted to download a file using bitsadmin in an unusual way. The file might be a malicious payload. Investigate the process tree. | Defense Evasion | 12-22 07:50 |
| Critical | 80% | ldt | DESKTOP-FNUMV3U | A process saved the Security Account Manager (SAM) or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. | Credential Access | 12-22 07:50 |
| High | 80% | ldt | DESKTOP-FNUMV3U | A command line indicates an attempt to hijack a Remote Desktop Protocol (RDP) session. Review the process tree. | Lateral Movement | 12-22 07:50 |
| High | 80% | ldt | DESKTOP-FNUMV3U | A command line indicates an attempt to hijack a Remote Desktop Protocol (RDP) session. Review the process tree. | Lateral Movement | 12-22 07:50 |
| Informational | 80% | ldt | DESKTOP-FNUMV3U | A process has written a known EICAR test file. Review the files written by the triggered process. | Execution | 12-22 07:38 |
| High | 80% | ldt | DESKTOP-FNUMV3U | A process appears to be launching mimikatz, a password dumping utility. mimikatz's primary purpose is to steal passwords. If credentials were dumped, change your passwords and investigate further. | Credential Access | 12-22 07:38 |
| High | 80% | ldt | DESKTOP-FNUMV3U | A process attempted to download a file using bitsadmin in an unusual way. The file might be a malicious payload. Investigate the process tree. | Defense Evasion | 12-22 07:38 |
| High | 80% | ldt | DESKTOP-FNUMV3U | A CMSTP.exe process appears to have been supplied with a suspicious INF file. CMSTP.exe may be abused to load and execute DLLs and/or COM scriptlets (SCT) from remote servers. Review the command line. | Defense Evasion | 12-22 07:38 |
| Critical | 80% | ldt | DESKTOP-FNUMV3U | A process saved the Security Account Manager (SAM) or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. | Credential Access | 12-22 07:38 |
| Critical | 80% | ldt | DESKTOP-FNUMV3U | A process saved the Security Account Manager (SAM) or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. | Credential Access | 12-22 07:38 |
| Critical | 80% | ldt | DESKTOP-FNUMV3U | A process saved the Security Account Manager (SAM) or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. | Credential Access | 12-22 07:38 |
| High | 80% | ldt | DESKTOP-FNUMV3U | A module was loaded from an unusual path or with an unusual file name. Review the DLLs loaded by the process. | Execution | 12-22 07:37 |
| Medium | 80% | ldt | DESKTOP-FNUMV3U | A suspicious process related to a likely malicious file was launched. Review any binaries involved, as they might be related to malware. | Post-Exploit | 12-22 07:37 |
| Medium | 80% | ldt | DESKTOP-FNUMV3U | A suspicious process related to a likely malicious file was launched. Review any binaries involved, as they might be related to malware. | Post-Exploit | 12-22 07:37 |
| High | 80% | ldt | DESKTOP-FNUMV3U | A module was loaded from an unusual path or with an unusual file name. Review the DLLs loaded by the process. | Execution | 12-22 07:37 |
| High | 80% | ldt | DESKTOP-FNUMV3U | A process made a suspicious change to the registry that might indicate a malicious persistence mechanism. Investigate the registry key. | Persistence | 12-22 07:37 |
| High | 70% | ldt | DESKTOP-FNUMV3U | Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Review the installer package and any pre- or post-install actions. | Persistence | 12-22 07:25 |
| High | 70% | ldt | DESKTOP-FNUMV3U | Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Review the installer package and any pre- or post-install actions. | Persistence | 12-22 07:24 |
| High | 70% | ldt | DESKTOP-FNUMV3U | Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Review the installer package and any pre- or post-install actions. | Persistence | 12-22 07:24 |
| Informational | 80% | ldt | DESKTOP-FNUMV3U | A process has written a known EICAR test file. Review the files written by the triggered process. | Execution | 12-22 07:24 |
| High | 80% | ldt | DESKTOP-FNUMV3U | A CMSTP.exe process appears to have been supplied with a suspicious INF file. CMSTP.exe may be abused to load and execute DLLs and/or COM scriptlets (SCT) from remote servers. Review the command line. | Defense Evasion | 12-22 07:24 |
| High | 80% | ldt | DESKTOP-FNUMV3U | Rundll32 launched with unusual arguments. This occasionally results from applications misusing rundll32, but it might be malware preparing to hollow out the process or abusing it to launch a malicious payload. Review the command line and the process tree. | Defense Evasion | 12-22 07:24 |
| High | 80% | ldt | DESKTOP-FNUMV3U | Rundll32 launched with unusual arguments. This occasionally results from applications misusing rundll32, but it might be malware preparing to hollow out the process or abusing it to launch a malicious payload. Review the command line and the process tree. | Defense Evasion | 12-22 07:24 |
| Critical | 80% | ldt | DESKTOP-FNUMV3U | A process appears to be accessing credentials and might be dumping passwords. If this is unexpected, review the process tree. | Credential Access | 12-22 07:24 |
| High | 80% | ldt | DESKTOP-FNUMV3U | A regsvr32 process appears to be related to a Squiblydoo attempt. Squiblydoo uses regsvr32 to pass a malicious script to scrobj.dll and registers a COM object. Review the script passed to scrobj.dll on the command line. | Defense Evasion | 12-22 07:24 |
| High | 80% | ldt | DESKTOP-FNUMV3U | Certutil was observed downloading file(s) from a remote location. This process is rarely used benignly in this context. Review the command line and process tree. | Command and Control | 12-22 07:24 |
| Critical | 80% | ldt | DESKTOP-FNUMV3U | A process saved the Security Account Manager (SAM) or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. | Credential Access | 12-22 07:24 |
| High | 70% | ldt | DESKTOP-FNUMV3U | Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Review the installer package and any pre- or post-install actions. | Persistence | 12-22 07:24 |
| High | 70% | ldt | DESKTOP-FNUMV3U | Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Review the installer package and any pre- or post-install actions. | Persistence | 12-22 07:24 |
| High | 70% | ldt | DESKTOP-FNUMV3U | Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Review the installer package and any pre- or post-install actions. | Persistence | 12-22 07:24 |
| High | 80% | ldt | DESKTOP-FNUMV3U | A process attempted to download a file using bitsadmin in an unusual way. The file might be a malicious payload. Investigate the process tree. | Defense Evasion | 12-22 07:24 |
| High | 80% | ldt | DESKTOP-FNUMV3U | A PowerShell process downloaded and launched a remote file. This is often the result of a malicious macro designed to drop a variety of second-stage payloads. Review the command line. | Execution | 12-22 07:24 |
| High | 80% | ldt | DESKTOP-FNUMV3U | A process appears to be launching mimikatz, a password dumping utility. mimikatz's primary purpose is to steal passwords. If credentials were dumped, change your passwords and investigate further. | Credential Access | 12-22 07:24 |
| High | 70% | ldt | DESKTOP-FNUMV3U | Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Review the installer package and any pre- or post-install actions. | Persistence | 12-22 07:12 |
| High | 70% | ldt | DESKTOP-FNUMV3U | Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Review the installer package and any pre- or post-install actions. | Persistence | 12-22 07:12 |
| Informational | 80% | ldt | DESKTOP-FNUMV3U | A process has written a known EICAR test file. Review the files written by the triggered process. | Execution | 12-22 07:12 |
| High | 70% | ldt | DESKTOP-FNUMV3U | Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Review the installer package and any pre- or post-install actions. | Persistence | 12-22 07:12 |
| High | 70% | ldt | DESKTOP-FNUMV3U | Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Review the installer package and any pre- or post-install actions. | Persistence | 12-22 07:12 |
| High | 80% | ldt | DESKTOP-FNUMV3U | Rundll32 launched with unusual arguments. This occasionally results from applications misusing rundll32, but it might be malware preparing to hollow out the process or abusing it to launch a malicious payload. Review the command line and the process tree. | Defense Evasion | 12-22 07:11 |
| High | 80% | ldt | DESKTOP-FNUMV3U | Rundll32 launched with unusual arguments. This occasionally results from applications misusing rundll32, but it might be malware preparing to hollow out the process or abusing it to launch a malicious payload. Review the command line and the process tree. | Defense Evasion | 12-22 07:11 |
| Critical | 80% | ldt | DESKTOP-FNUMV3U | A process appears to be accessing credentials and might be dumping passwords. If this is unexpected, review the process tree. | Credential Access | 12-22 07:11 |
| High | 80% | ldt | DESKTOP-FNUMV3U | A PowerShell script attempted to bypass Microsoft's Antimalware Scan Interface (AMSI). PowerShell exploit kits often attempt to bypass AMSI to evade detection. Review the script. | Execution | 12-22 07:11 |
| High | 70% | ldt | DESKTOP-FNUMV3U | Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Review the installer package and any pre- or post-install actions. | Persistence | 12-22 07:11 |
| High | 70% | ldt | DESKTOP-FNUMV3U | Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Review the installer package and any pre- or post-install actions. | Persistence | 12-22 07:11 |
| High | 70% | ldt | DESKTOP-FNUMV3U | Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Review the installer package and any pre- or post-install actions. | Persistence | 12-22 07:11 |
| High | 80% | ldt | DESKTOP-FNUMV3U | A regsvr32 process appears to be related to a Squiblydoo attempt. Squiblydoo uses regsvr32 to pass a malicious script to scrobj.dll and registers a COM object. Review the script passed to scrobj.dll on the command line. | Defense Evasion | 12-22 07:11 |
| High | 80% | ldt | DESKTOP-FNUMV3U | A CMSTP.exe process appears to have been supplied with a suspicious INF file. CMSTP.exe may be abused to load and execute DLLs and/or COM scriptlets (SCT) from remote servers. Review the command line. | Defense Evasion | 12-22 07:11 |
| Critical | 80% | ldt | DESKTOP-FNUMV3U | A process appears to be accessing credentials and might be dumping passwords. If this is unexpected, review the process tree. | Credential Access | 12-22 07:11 |
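Fifty alerts on one host in forty minutes is a handful of tool runs, not fifty incidents. The helper below is an added example, not part of the exported detection list or of the EDR vendor's tooling: it parses rows in the pipe-delimited shape above (the column names Severity, Confidence, ID, Host, Description, Tactic, Time are assumed, and the sample rows are constructed for the example), collapses alerts into per-host, per-minute waves, orders the waves for triage, and picks out the waves where Credential Access fired alongside Execution or Defense Evasion. Those are the ones to escalate first even when an EICAR write in the same minute suggests a scripted test: the EICAR marker proves a test harness ran, not that every alert in the burst came from it.

```python
"""Triage helper for a pipe-delimited EDR detection export (added example)."""
from collections import Counter, defaultdict
from dataclasses import dataclass

SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed sample rows in the same shape as the export above (not live data).
SAMPLE_EXPORT = """
| Severity | Confidence | ID | Host | Description | Tactic | Time |
| Critical | 80% | ldt | DESKTOP-FNUMV3U | A process saved the Security Account Manager (SAM) or SYSTEM hive to disk. | Credential Access | 12-22 07:50 |
| High | 80% | ldt | DESKTOP-FNUMV3U | A PowerShell script attempted to bypass AMSI. | Execution | 12-22 07:50 |
| Informational | 80% | ldt | DESKTOP-FNUMV3U | A process has written a known EICAR test file. | Execution | 12-22 07:50 |
| High | 80% | ldt | DESKTOP-FNUMV3U | A process appears to be launching mimikatz. | Credential Access | 12-22 07:38 |
| High | 70% | ldt | DESKTOP-FNUMV3U | Adversaries may use an installer to trigger malicious content. | Persistence | 12-22 07:12 |
| High | 80% | ldt | DESKTOP-FNUMV3U | Rundll32 launched with unusual arguments. | Defense Evasion | 12-22 07:11 |
| Critical | 80% | ldt | DESKTOP-FNUMV3U | A process appears to be accessing credentials and might be dumping passwords. | Credential Access | 12-22 07:11 |
"""


@dataclass(frozen=True)
class Detection:
    severity: str
    confidence: int      # percent, 0-100
    detection_id: str    # only the "ldt" prefix survives in the export
    host: str
    description: str
    tactic: str
    time: str            # "MM-DD HH:MM" as exported; minute resolution only


def parse_export(text: str) -> list[Detection]:
    """Parse '| a | b | ... |' rows; header, blank and malformed lines are skipped."""
    out = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw.startswith("|"):
            continue
        fields = [f.strip() for f in raw.strip("|").split("|")]
        if len(fields) != 7 or fields[0] not in SEVERITY_RANK:
            continue  # header row or a line that does not carry a detection
        sev, conf, did, host, desc, tactic, when = fields
        out.append(Detection(sev, int(conf.rstrip("%")), did, host, desc, tactic, when))
    return out


def group_waves(dets: list[Detection]) -> dict[tuple[str, str], list[Detection]]:
    """Group by (host, minute). A burst on one host in one minute is usually a
    single tool run, so it is triaged as one wave rather than N separate tickets."""
    waves = defaultdict(list)
    for d in dets:
        waves[(d.host, d.time)].append(d)
    return dict(waves)


def max_severity(dets: list[Detection]) -> str:
    return max(dets, key=lambda d: SEVERITY_RANK[d.severity]).severity


def triage_order(dets: list[Detection]) -> list[dict]:
    """One summary per wave, worst first: highest severity, then the most
    Credential Access hits, then earliest time (the start of the chain)."""
    rows = []
    for (host, when), members in group_waves(dets).items():
        tactics = Counter(d.tactic for d in members)
        rows.append({
            "host": host, "time": when, "count": len(members),
            "max_severity": max_severity(members),
            "credential_access": tactics.get("Credential Access", 0),
            "tactics": dict(tactics),
        })
    rows.sort(key=lambda r: (-SEVERITY_RANK[r["max_severity"]],
                             -r["credential_access"], r["time"]))
    return rows


def credential_theft_waves(dets: list[Detection]) -> list[tuple[str, str]]:
    """Waves where Credential Access fired together with an Execution or Defense
    Evasion alert in the same minute: escalate these regardless of any EICAR marker."""
    hits = []
    for key, members in group_waves(dets).items():
        tactics = {d.tactic for d in members}
        if "Credential Access" in tactics and tactics & {"Execution", "Defense Evasion"}:
            hits.append(key)
    return sorted(hits, key=lambda k: k[1])


if __name__ == "__main__":
    dets = parse_export(SAMPLE_EXPORT)
    for row in triage_order(dets):
        print(row)
    print("escalate:", credential_theft_waves(dets))
```

Grouping on the exported minute is deliberately coarse: the export carries no seconds and no process IDs, so a wave is the finest unit the data supports. With the full export pasted in place of the constructed sample, the 07:24 wave (installer, CMSTP, rundll32, Squiblydoo, certutil, bitsadmin, PowerShell download, mimikatz and a SAM hive save in one minute) sorts to the top, which matches where an analyst would start reading the process tree.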