

EFS HIPS Question



C:\Windows\System32\svchost.exe;Get access to another application;C:\Windows\System32\lsass.exe;blocked;Self-Defense: Do not allow modification of system processes;Terminate/suspend another application

I think this one needs a detailed investigation. Why?


Cobalt Strike: Built-in Mimikatz credential dump capability executed

A Specific Behavior alert was generated for svchost.exe loading Mimikatz and accessing lsass (an audited system resource). The alert was also tagged with the correct ATT&CK Tactic (Credential Access) and related Technique (Process Injection).

Cobalt Strike: Built-in hash dump capability executed

Telemetry showed svchost.exe injecting into lsass.exe. The telemetry was tainted by the parent “injected (svchost.exe > lsass.exe)” alert. The hashdumpx64.dll was also seen loaded as floating executable code.


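To show why an event like the one quoted above is worth a closer look even though HIPS blocked it, here is an added triage script for semicolon-delimited HIPS lines. It is example code written for this thread, not ESET's own code, and it assumes a six-field layout (source process; operation; target process; action; rule; operation detail) inferred from the single line in the post; the allow-list of processes that may legitimately open lsass.exe is also an assumption to tune per environment. The sample log is constructed: its first line is the one from the post, the rest are made up.

```python
"""Triage semicolon-delimited HIPS events for suspicious access to lsass.exe.

Added example for this thread, not ESET's own code. The six-field layout
(source;operation;target;action;rule;detail) is inferred from the one line
quoted in the post and is an assumption, as is the allow-list below.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class HipsEvent:
    source: str     # process that performed the operation
    operation: str  # e.g. "Get access to another application"
    target: str     # process acted upon
    action: str     # "blocked" or "allowed" (assumed vocabulary)
    rule: str       # HIPS rule that fired
    detail: str     # additional operation detail


# Processes expected to open lsass.exe on a typical Windows host.
# ASSUMPTION for this example; tune to the environment. svchost.exe is
# deliberately absent: it is a generic host process and a common injection
# target, so it touching lsass.exe deserves a look.
LSASS_ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\taskmgr.exe",
}

# Operation strings taken from the post; compared case-insensitively.
PROCESS_ACCESS_OPERATIONS = {
    "get access to another application",
    "terminate/suspend another application",
}


def parse_hips_line(line: str) -> Optional[HipsEvent]:
    """Split one log line into a HipsEvent; return None if it is not six fields."""
    parts = [p.strip() for p in line.strip().split(";")]
    if len(parts) != 6:
        return None  # unknown layout: skip instead of guessing field meanings
    return HipsEvent(*parts)


def needs_investigation(ev: HipsEvent) -> bool:
    """True when a non-allow-listed process tried to access lsass.exe.

    A 'blocked' action is still flagged: the block stopped the handle, but
    something inside that process attempted the access in the first place.
    """
    if not ev.target.lower().endswith(r"\lsass.exe"):
        return False
    ops = {ev.operation.lower(), ev.detail.lower()}
    if not ops & PROCESS_ACCESS_OPERATIONS:
        return False
    return ev.source.lower() not in LSASS_ALLOWED_SOURCES


def triage(lines) -> List[HipsEvent]:
    """Return the events from an iterable of log lines that warrant follow-up."""
    flagged = []
    for line in lines:
        ev = parse_hips_line(line)
        if ev is not None and needs_investigation(ev):
            flagged.append(ev)
    return flagged


# Constructed sample log: the first line is the one from the post, the rest
# are made up for this example (rule names included).
SAMPLE_LOG = [
    r"C:\Windows\System32\svchost.exe;Get access to another application;"
    r"C:\Windows\System32\lsass.exe;blocked;Self-Defense: Do not allow "
    r"modification of system processes;Terminate/suspend another application",
    r"C:\Windows\System32\taskmgr.exe;Get access to another application;"
    r"C:\Windows\System32\lsass.exe;allowed;Allow access for system tools;"
    r"Get access to another application",
    r"C:\Windows\System32\svchost.exe;Get access to another application;"
    r"C:\Windows\explorer.exe;allowed;User rule;Get access to another application",
    r"garbage line with no fields",
]

if __name__ == "__main__":
    for ev in triage(SAMPLE_LOG):
        print(f"INVESTIGATE: {ev.source} -> {ev.target} ({ev.action}; rule: {ev.rule})")
```

Only the svchost.exe -> lsass.exe line is flagged: the Task Manager access is on the allow-list, the svchost.exe -> explorer.exe access does not involve lsass.exe, and the malformed line is skipped. The next step for a flagged event is to identify which service (or injected code) was running inside that svchost.exe instance, since the process name alone says nothing about what tried to open lsass.exe.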