DESKTOP-0TNTPTE
Normal
- Device ID
d403078a73c1471f9199f846a04a1b58- 호스트명
- DESKTOP-0TNTPTE
- Local IP
- 172.30.1.90
- External IP
- 14.47.49.244
- 플랫폼
- Windows
- OS 버전
- Windows 11
- Agent 버전
- 7.31.20309.0
- 처음 연결
- 2025-12-15 02:37:14
- 마지막 연결
- 2025-12-16 01:07:43
Tags
태그 없음
Related Alerts
전체 보기
| 심각도 | 설명 | 시간 |
|---|---|---|
| High | A PowerShell script appears to be launching mimikatz, a password dumping utility. This is often launched as part of a PowerShell exploit kit. Decode and review the script. | 12-15 03:09 |
| Critical | A process saved the Security Account Manager SAM or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. | 12-15 03:08 |
| Medium | A suspicious process injected into another process in an unusual way. Investigate the process trees for the injector and injectee. | 12-15 03:08 |
| High | A PowerShell script appears to be launching mimikatz, a password dumping utility. This is often launched as part of a PowerShell exploit kit. Decode and review the script. | 12-15 02:55 |
| High | A PowerShell script attempted to bypass Microsoft's AntiMalware Scan Interface (AMSI). PowerShell exploit kits often attempt to bypass AMSI to evade detection. Review the script. | 12-15 02:54 |
| High | Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Please review the installer package and any pre- or post-install actions. | 12-15 02:53 |
| Critical | A process saved the Security Account Manager SAM or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. | 12-15 02:53 |
| High | Certutil was observed downloading file(s) from a remote location. This process is rarely used benignly in this context. Please review the command line and process tree. | 12-15 02:53 |
| High | A process removed or cleared Windows Event Logs. Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Investigate the process tree. | 12-15 02:53 |
| High | A regsvr32 process appears to be related to a Squiblydoo attempt. Squiblydoo uses regsvr32 to pass a malicious script to scrobj.dll and registers a com object. Review the script passed to scrobj.dll on the command line. | 12-15 02:53 |
Raw JSON Data
{"device_id":"d403078a73c1471f9199f846a04a1b58","cid":"84393bf974fd44bda943a25a6a7bc27f","agent_version":"7.31.20309.0","hostname":"DESKTOP-0TNTPTE","local_ip":"172.30.1.90","external_ip":"14.47.49.244","mac_address":"00-0c-29-2a-10-1c","platform_name":"Windows","os_version":"Windows 11","system_product_name":"VMware20,1","status":"normal","first_seen":"2025-12-14T17:37:14Z","last_seen":"2025-12-15T16:07:43Z","tags":[],"groups":[],"group_hash":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","policies":[{"policy_type":"prevention","policy_id":"64c665c08ab745759d0a84d7db7a784d","applied":true,"applied_date":"2025-12-14T17:44:07.356120866Z"}],"reduced_functionality_mode":"no","is_online":false,"FirstSeenAt":"2025-12-15T02:37:14+09:00","LastSeenAt":"2025-12-16T01:07:43+09:00"}
Status
- Connection Offline
- Isolation Normal
- 관련 알림 10
Actions
Uninstall Token
센서 삭제 시 필요한 토큰입니다. Uninstall Protection이 활성화된 경우에만 필요합니다.