| Severity | Confidence | Type | Host | Description | Tactic | Time |
|---|---|---|---|---|---|---|
| Informational | 80% | ldt | TEAHEE | A process has written a known EICAR test file. Review the files written by the triggered process. | Execution | 12-22 08:15 |
| High | 70% | ldt | TEAHEE | Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Please review the installer package and any pre- or post-install actions. | Persistence | 12-22 08:15 |
| High | 80% | ldt | TEAHEE | A regsvr32 process appears to be related to a Squiblydoo attempt. Squiblydoo uses regsvr32 to pass a malicious script to scrobj.dll and registers a COM object. Review the script passed to scrobj.dll on the command line. | Defense Evasion | 12-22 08:15 |
| Critical | 80% | ldt | TEAHEE | A process saved the Security Account Manager (SAM) or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. | Credential Access | 12-22 08:15 |
| High | 70% | ldt | TEAHEE | Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Please review the installer package and any pre- or post-install actions. | Persistence | 12-22 08:15 |
| High | 80% | ldt | TEAHEE | A process attempted to download a file using bitsadmin in an unusual way. The file might be a malicious payload. Investigate the process tree. | Defense Evasion | 12-22 08:15 |
| High | 70% | ldt | TEAHEE | Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Please review the installer package and any pre- or post-install actions. | Persistence | 12-22 08:15 |
| High | 70% | ldt | TEAHEE | Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Please review the installer package and any pre- or post-install actions. | Persistence | 12-22 08:15 |
| Informational | 80% | ldt | TEAHEE | A process has written a known EICAR test file. Review the files written by the triggered process. | Execution | 12-22 08:12 |
| High | 80% | ldt | TEAHEE | Certutil was observed downloading file(s) from a remote location. This process is rarely used benignly in this context. Please review the command line and process tree. | Command and Control | 12-22 08:12 |
| Critical | 80% | ldt | TEAHEE | A process saved the Security Account Manager (SAM) or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. | Credential Access | 12-22 08:12 |
| High | 80% | ldt | TEAHEE | A process attempted to download a file using bitsadmin in an unusual way. The file might be a malicious payload. Investigate the process tree. | Defense Evasion | 12-22 08:12 |
| Critical | 80% | ldt | TEAHEE | A process saved the Security Account Manager (SAM) or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. | Credential Access | 12-22 08:12 |
| High | 80% | ldt | TEAHEE | A regsvr32 process appears to be related to a Squiblydoo attempt. Squiblydoo uses regsvr32 to pass a malicious script to scrobj.dll and registers a COM object. Review the script passed to scrobj.dll on the command line. | Defense Evasion | 12-22 08:12 |
| Informational | 80% | ldt | BOOK-R0BE6S1NC3 | A suspicious process was identified by CrowdStrike. Review the process tree. | Execution | 12-22 08:07 |
| Informational | 80% | ldt | BOOK-R0BE6S1NC3 | A suspicious process was identified by CrowdStrike. Review the process tree. | Execution | 12-22 08:07 |
| High | 80% | ldt | TEAHEE | A process appears to be launching mimikatz, a password dumping utility. mimikatz's primary purpose is to steal passwords. If credentials were dumped, change your passwords and investigate further. | Credential Access | 12-22 08:06 |
| High | 80% | ldt | TEAHEE | A process appears to be launching mimikatz, a password dumping utility. mimikatz's primary purpose is to steal passwords. If credentials were dumped, change your passwords and investigate further. | Credential Access | 12-22 08:06 |
| Informational | 80% | ldt | BOOK-R0BE6S1NC3 | A process has written a known EICAR test file. Review the files written by the triggered process. | Execution | 12-22 08:02 |
| High | 80% | ldt | BOOK-R0BE6S1NC3 | A regsvr32 process appears to be related to a Squiblydoo attempt. Squiblydoo uses regsvr32 to pass a malicious script to scrobj.dll and registers a COM object. Review the script passed to scrobj.dll on the command line. | Defense Evasion | 12-22 08:02 |
| High | 80% | ldt | BOOK-R0BE6S1NC3 | A CMSTP.exe process appears to have been supplied with a suspicious INF file. CMSTP.exe may be abused to load and execute DLLs and/or COM scriptlets (SCT) from remote servers. Review the command line. | Defense Evasion | 12-22 08:02 |
| High | 80% | ldt | BOOK-R0BE6S1NC3 | A PowerShell script attempted to bypass Microsoft's Antimalware Scan Interface (AMSI). PowerShell exploit kits often attempt to bypass AMSI to evade detection. Review the script. | Execution | 12-22 08:02 |
| High | 80% | ldt | BOOK-R0BE6S1NC3 | A process attempted to download a file using bitsadmin in an unusual way. The file might be a malicious payload. Investigate the process tree. | Defense Evasion | 12-22 08:02 |
| High | 80% | ldt | BOOK-R0BE6S1NC3 | A PowerShell process downloaded and launched a remote file. This is often the result of a malicious macro designed to drop a variety of second stage payloads. Review the command line. | Execution | 12-22 08:02 |
| Informational | 80% | ldt | BOOK-R0BE6S1NC3 | A process has written a known EICAR test file. Review the files written by the triggered process. | Execution | 12-22 08:01 |
| High | 80% | ldt | BOOK-R0BE6S1NC3 | A process attempted to download a file using bitsadmin in an unusual way. The file might be a malicious payload. Investigate the process tree. | Defense Evasion | 12-22 08:01 |
| Critical | 80% | ldt | BOOK-R0BE6S1NC3 | A process saved the Security Account Manager (SAM) or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. | Credential Access | 12-22 08:01 |
| Critical | 80% | ldt | BOOK-R0BE6S1NC3 | A process saved the Security Account Manager (SAM) or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. | Credential Access | 12-22 08:01 |
| High | 80% | ldt | BOOK-R0BE6S1NC3 | Rundll32 launched with unusual arguments. This occasionally results from applications misusing rundll32, but it might be malware preparing to hollow out the process or abusing it to launch a malicious payload. Review the command line and the process tree. | Defense Evasion | 12-22 08:01 |
| High | 80% | ldt | BOOK-R0BE6S1NC3 | A PowerShell script attempted to bypass Microsoft's Antimalware Scan Interface (AMSI). PowerShell exploit kits often attempt to bypass AMSI to evade detection. Review the script. | Execution | 12-22 08:01 |
| Critical | 80% | ldt | BOOK-R0BE6S1NC3 | A process appears to be accessing credentials and might be dumping passwords. If this is unexpected, review the process tree. | Credential Access | 12-22 08:01 |
| High | 80% | ldt | BOOK-R0BE6S1NC3 | Rundll32 launched with unusual arguments. This occasionally results from applications misusing rundll32, but it might be malware preparing to hollow out the process or abusing it to launch a malicious payload. Review the command line and the process tree. | Defense Evasion | 12-22 08:01 |
| Critical | 80% | ldt | BOOK-R0BE6S1NC3 | A process saved the Security Account Manager (SAM) or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. | Credential Access | 12-22 08:01 |
| High | 80% | ldt | BOOK-R0BE6S1NC3 | A CMSTP.exe process appears to have been supplied with a suspicious INF file. CMSTP.exe may be abused to load and execute DLLs and/or COM scriptlets (SCT) from remote servers. Review the command line. | Defense Evasion | 12-22 08:01 |
| High | 70% | ldt | TEAHEE | A file written to the file system meets the on-sensor machine learning high confidence threshold for malicious files. Detection is based on a high degree of entropy, packing, anti-malware evasion, or other similarity to known malware. | Machine Learning | 12-22 08:01 |
| High | 70% | ldt | TEAHEE | A file written to the file system meets the on-sensor machine learning high confidence threshold for malicious files. Detection is based on a high degree of entropy, packing, anti-malware evasion, or other similarity to known malware. | Machine Learning | 12-22 08:01 |
| High | 70% | ldt | TEAHEE | A script meets the cloud-based behavioral machine learning model threshold for suspicious activity. Detection is based on code similarities to known malicious PowerShell scripts. | AI Powered IOA | 12-22 08:00 |
| High | 70% | ldt | TEAHEE | A script meets the cloud-based behavioral machine learning model threshold for suspicious activity. Detection is based on code similarities to known malicious PowerShell scripts. | AI Powered IOA | 12-22 08:00 |
| High | 70% | ldt | TEAHEE | A script meets the cloud-based behavioral machine learning model threshold for suspicious activity. Detection is based on code similarities to known malicious PowerShell scripts. | AI Powered IOA | 12-22 07:59 |
| High | 70% | ldt | TEAHEE | Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Please review the installer package and any pre- or post-install actions. | Persistence | 12-22 07:59 |
| High | 70% | ldt | TEAHEE | A script meets the cloud-based behavioral machine learning model threshold for suspicious activity. Detection is based on code similarities to known malicious PowerShell scripts. | AI Powered IOA | 12-22 07:59 |
| Informational | 80% | ldt | TEAHEE | A process has written a known EICAR test file. Review the files written by the triggered process. | Execution | 12-22 07:59 |
| High | 70% | ldt | TEAHEE | A script meets the cloud-based behavioral machine learning model threshold for suspicious activity. Detection is based on code similarities to known malicious PowerShell scripts. | AI Powered IOA | 12-22 07:59 |
| High | 80% | ldt | TEAHEE | A PowerShell script attempted to bypass Microsoft's Antimalware Scan Interface (AMSI). PowerShell exploit kits often attempt to bypass AMSI to evade detection. Review the script. | Execution | 12-22 07:59 |
| High | 80% | ldt | TEAHEE | A process appears to be launching mimikatz, a password dumping utility. mimikatz's primary purpose is to steal passwords. If credentials were dumped, change your passwords and investigate further. | Credential Access | 12-22 07:59 |
| High | 80% | ldt | TEAHEE | A process appears to be launching mimikatz, a password dumping utility. mimikatz's primary purpose is to steal passwords. If credentials were dumped, change your passwords and investigate further. | Credential Access | 12-22 07:59 |
| High | 70% | ldt | TEAHEE | Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Please review the installer package and any pre- or post-install actions. | Persistence | 12-22 07:59 |
| High | 70% | ldt | TEAHEE | Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Please review the installer package and any pre- or post-install actions. | Persistence | 12-22 07:59 |
| High | 70% | ldt | TEAHEE | Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Please review the installer package and any pre- or post-install actions. | Persistence | 12-22 07:59 |
| Critical | 80% | ldt | TEAHEE | A process saved the Security Account Manager (SAM) or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. | Credential Access | 12-22 07:59 |