Jump to content

EFS HIPS Question

Recommended Posts


C:\Windows\System32\svchost.exe;Get access to another application;C:\Windows\System32\lsass.exe;blocked;Self-Defense: Do not allow modification of system processes;Terminate/suspend another application

I think this one needs a detailed investigation. Why?


Cobalt Strike: Built-in Mimikatz credential dump capability executed

A Specific Behavior alert was generated for svchost.exe loading Mimikatz and accessing lsass (an audited system resource). The alert was also tagged with the correct ATT&CK Tactic (Credential Access) and related Technique (Process Injection).

Cobalt Strike: Built-in hash dump capability executed

Telemetry showed svchost.exe injecting into lsass.exe. The telemetry was tainted by the parent “injected (svchost.exe > lsass.exe)” alert. The hashdumpx64.dll was also seen loaded as a floating executable code.


Edited by itman
Link to comment
Share on other sites

This topic is now closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...