High
Detection ID
Detection Name
Description
Hostname
User
dokji
Tactic
Credential Access
Technique
OS Credential Dumping
Objective
Gain Access
Event Time
2025-12-22 08:06:06
Received
2025-12-22 09:18:07
Process Information
File Name
powershell.exe
File Path
\Device\HarddiskVolume3\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command Line
"powershell.exe" -c sekurlsa::logonpasswords
Process ID
35386667627
Parent PID
35377799263
SHA256
0ff6f2c94bc7e2833a5f7e16de1622e5dba70396f31c7d5f56381870317e8c46 VT
MD5
a97e6573b97b44c96122bfa543a82ea1
Disposition
2048
Prevention, process was blocked from execution.
Raw JSON Data 
{
  "metadata": {
    "customerIDString": "84393bf974fd44bda943a25a6a7bc27f",
    "offset": 157991,
    "eventType": "EppDetectionSummaryEvent",
    "eventCreationTime": 1766358366000,
    "version": "1.0"
  },
  "event": {
    "ProcessStartTime": 1766358303,
    "ProcessEndTime": 1766358303,
    "ProcessId": 35386667627,
    "ParentProcessId": 35377799263,
    "Hostname": "TEAHEE",
    "UserName": "dokji",
    "Name": "Credential Theft",
    "Description": "A process appears to be launching mimikatz, a password dumping utility. mimikatz\u0027s primary purpose is to steal passwords. If credentials were dumped, change your passwords and investigate further.",
    "Severity": 70,
    "SeverityName": "High",
    "FileName": "powershell.exe",
    "FilePath": "\\Device\\HarddiskVolume3\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "CommandLine": "\u0022powershell.exe\u0022 -c sekurlsa::logonpasswords",
    "SHA256String": "0ff6f2c94bc7e2833a5f7e16de1622e5dba70396f31c7d5f56381870317e8c46",
    "MD5String": "a97e6573b97b44c96122bfa543a82ea1",
    "SHA1String": "0000000000000000000000000000000000000000",
    "LogonDomain": "TEAHEE",
    "FalconHostLink": "https://falcon.us-2.crowdstrike.com/activity-v2/detections/84393bf974fd44bda943a25a6a7bc27f:ind:47186ef241ea495885522e5d4930eda3:35386667627-10146-11275536?_cid=g04000x7oomvbbtvcerklzeap3llo7ue",
    "AgentId": "47186ef241ea495885522e5d4930eda3",
    "IOCType": "hash_sha256",
    "IOCValue": "0ff6f2c94bc7e2833a5f7e16de1622e5dba70396f31c7d5f56381870317e8c46",
    "CompositeId": "84393bf974fd44bda943a25a6a7bc27f:ind:47186ef241ea495885522e5d4930eda3:35386667627-10146-11275536",
    "LocalIP": "172.27.1.26",
    "MACAddress": "e8-84-a5-3f-53-7c",
    "Tactic": "Credential Access",
    "Technique": "OS Credential Dumping",
    "Objective": "Gain Access",
    "PatternDispositionDescription": "Prevention, process was blocked from execution.",
    "PatternDispositionValue": 2048,
    "PatternDispositionFlags": {
      "Indicator": false,
      "Detect": false,
      "InddetMask": false,
      "SensorOnly": false,
      "Rooting": false,
      "KillProcess": false,
      "KillSubProcess": false,
      "QuarantineMachine": false,
      "QuarantineFile": false,
      "PolicyDisabled": false,
      "KillParent": false,
      "OperationBlocked": false,
      "ProcessBlocked": true,
      "RegistryOperationBlocked": false,
      "CriticalProcessDisabled": false,
      "BootupSafeguardEnabled": false,
      "FsOperationBlocked": false,
      "HandleOperationDowngraded": false,
      "KillActionFailed": false,
      "BlockingUnsupportedOrDisabled": false,
      "SuspendProcess": false,
      "SuspendParent": false,
      "ContainmentFileSystem": false
    },
    "ParentImageFileName": "UltimateXdrGenerator.exe",
    "ParentCommandLine": "\u0022C:\\app\\cortex-xdr-siem-test\\xdr_tools\\UltimateXdrGenerator\\bin\\publish\\UltimateXdrGenerator.exe\u0022  --once --scenarios 20 ",
    "GrandParentImageFileName": "cmd.exe",
    "GrandParentCommandLine": "C:\\WINDOWS\\SYSTEM32\\cmd.exe /c \u0022\u0022C:\\app\\cortex-xdr-siem-test\\xdr_ultimate_runner.bat\u0022\u0022",
    "HostGroups": "4f5aa5f1cdc6441982cf5c58e4b5d75a",
    "AssociatedFile": "\\Device\\HarddiskVolume3\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "PatternId": 10146,
    "SourceVendors": "CrowdStrike",
    "SourceProducts": "Falcon Insight",
    "DataDomains": "Endpoint",
    "AggregateId": "aggind:47186ef241ea495885522e5d4930eda3:9255225672",
    "Type": "ldt",
    "ParentImageFilePath": "\\Device\\HarddiskVolume3\\app\\cortex-xdr-siem-test\\xdr_tools\\UltimateXdrGenerator\\bin\\publish\\UltimateXdrGenerator.exe",
    "GrandParentImageFilePath": "\\Device\\HarddiskVolume3\\Windows\\System32\\cmd.exe",
    "LocalIPv6": "",
    "PlatformId": "0",
    "PlatformName": "Windows",
    "MitreAttack": [
      {
        "Tactic": "Credential Access",
        "TacticID": "TA0006",
        "Technique": "OS Credential Dumping",
        "TechniqueID": "T1003",
        "PatternID": 10146
      }
    ],
    "CloudIndicator": false,
    "RiskScore": 42
  }
}
Actions
View in Falcon Console Back to Detections