Forum Discussion
ark4no1d
Apr 12, 2024 (Copper Contributor)
Mimikatz credential theft tool probably false positive
Hi all,
I've recently onboarded all Windows servers in Defender for Endpoint, and some servers send an alert about "Mimikatz".
Going into the details, the specific process is a PowerShell launched within this chain of events:
MsSense.exe > SenseCM.exe > powershell.exe
so this is probably a false positive, and if I extract the full command launched it seems to be a Defender operation:
powershell.exe -ExecutionPolicy AllSigned -NoProfile -NonInteractive -Command "& {$OutputEncoding = [Console]::OutputEncoding =[System.Text.Encoding]::UTF8;$scriptFileStream = [System.IO.File]::Open('C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM\AntiVirus.psm1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read);$calculatedHash = Microsoft.PowerShell.Utility\Get-FileHash 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM\AntiVirus.psm1' -Algorithm SHA256;if (!($calculatedHash.Hash -eq '027d97b761753a1069fc819a0f3e8fdcc54ad9eb6c75e379416aea9a76dafd8e')) { exit 323;};$scriptFileStream = [System.IO.File]::Open('C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM\EDR.psm1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read);$calculatedHash = Microsoft.PowerShell.Utility\Get-FileHash 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM\EDR.psm1' -Algorithm SHA256;if (!($calculatedHash.Hash -eq '703a9f10e5cfa2809eb0fb1f459cb9ace67073183afaaa0b0bac6428129104cd')) { exit 323;};$scriptFileStream = [System.IO.File]::Open('C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM\Firewall.psm1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read);$calculatedHash = Microsoft.PowerShell.Utility\Get-FileHash 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM\Firewall.psm1' -Algorithm SHA256;if (!($calculatedHash.Hash -eq 'bfdb5cf27fe8e3a2b59e49d8da35601023e8c7cb36ff9d844865ddc30fb14be3')) { exit 323;};$scriptFileStream = [System.IO.File]::Open('C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM\ASR.psm1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read);$calculatedHash = Microsoft.PowerShell.Utility\Get-FileHash 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM\ASR.psm1' -Algorithm SHA256;if (!($calculatedHash.Hash -eq '6c4ec1b2bc5cf031b13abeb52b2ce86dca36f059a37a9053d79f25fa6d0c6e3a')) { exit 323;};$scriptFileStream = [System.IO.File]::Open('C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM\GroupPolicyObject.psm1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read);$calculatedHash = Microsoft.PowerShell.Utility\Get-FileHash 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM\GroupPolicyObject.psm1' -Algorithm SHA256;if (!($calculatedHash.Hash -eq 'cd649f4e31dc09a2030f76b92d3eb084ecfeda4e478347eae9b9c9acea167ce1')) { exit 323;};$scriptFileStream = [System.IO.File]::Open('C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM\ConflictResolutionUtils.psm1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read);$calculatedHash = Microsoft.PowerShell.Utility\Get-FileHash 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM\ConflictResolutionUtils.psm1' -Algorithm SHA256;if (!($calculatedHash.Hash -eq 'fd360f6a95607c51ea831e2316d7308ad8e902bcad48a9a525355352b8c6c65b')) { exit 323;};$scriptFileStream = [System.IO.File]::Open('C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM\SharedUtils.psm1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read);$calculatedHash = Microsoft.PowerShell.Utility\Get-FileHash 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM\SharedUtils.psm1' -Algorithm SHA256;if (!($calculatedHash.Hash -eq '6f47e947b2d397becd73cc1c4ef1f9f95e1a2c27d1723da1921b1d7792142f61')) { exit 323;};$scriptFileStream = [System.IO.File]::Open('C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM\FeaturesRings.psm1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read);$calculatedHash = Microsoft.PowerShell.Utility\Get-FileHash 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM\FeaturesRings.psm1' -Algorithm SHA256;if (!($calculatedHash.Hash -eq '951fe3a99e1667a1ec901145114a8f8d2c018a5786550524c694b4d2a0a7f9af')) { exit 323;};$scriptFileStream = [System.IO.File]::Open('C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM\PolicyEnforcer.ps1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read);$calculatedHash = Microsoft.PowerShell.Utility\Get-FileHash 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM\PolicyEnforcer.ps1' -Algorithm SHA256;if (!($calculatedHash.Hash -eq 'a908118292e43f4746142408fe88fa9e3623c93f8041dfca6410718ec057b9be')) { exit 323;}; . 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM\PolicyEnforcer.ps1' }"
Has anyone ever seen this behavior?
Thank you.
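The command quoted in the post follows one repeated pattern: open a module under the SenseCM directory, compute its SHA256 with Get-FileHash, exit with code 323 on mismatch, and finally dot-source PolicyEnforcer.ps1 after its own hash has been checked. When triaging an alert like this, the useful questions are whether every loaded file sits under that SenseCM directory, whether the entry script itself is among the hash-verified files, and whether the files on disk still match the pinned hashes. The script below is an added example written for this thread, not code from the original post, from Microsoft or from Defender for Endpoint. It assumes the segment layout of the quoted command line (the regexes are tailored to it), uses a shortened copy of that command as constructed sample input (three of the file checks plus the final dot-source, with the paths and hashes exactly as the post gives them), and the `reader` hook that lets the on-disk check be simulated is a hypothetical convenience for offline use.

```python
import hashlib
import re
from pathlib import Path
from typing import Callable, Dict, List, Optional

# Directory the post's command loads everything from; the check below flags any path outside it.
SENSECM_DIR = r"C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM"

# One "compute hash, compare, exit" segment as it appears in the quoted command line.
CHECK_RE = re.compile(
    r"Get-FileHash\s+'(?P<path>[^']+)'\s+-Algorithm\s+SHA256;"
    r"if\s+\(!\(\$calculatedHash\.Hash\s+-eq\s+'(?P<hash>[0-9A-Fa-f]{64})'\)\)"
    r"\s*\{\s*exit\s+(?P<code>\d+);\}",
    re.IGNORECASE,
)
# The trailing dot-source (". 'path'") that actually runs the entry script.
DOTSOURCE_RE = re.compile(r";\s*\.\s+'(?P<path>[^']+)'")

# Constructed sample: a trimmed copy of the command line quoted in the post (3 of its checks).
SAMPLE_CMD = (
    'powershell.exe -ExecutionPolicy AllSigned -NoProfile -NonInteractive -Command "& {'
    "$OutputEncoding = [Console]::OutputEncoding =[System.Text.Encoding]::UTF8;"
    r"$scriptFileStream = [System.IO.File]::Open('C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM\AntiVirus.psm1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read);"
    r"$calculatedHash = Microsoft.PowerShell.Utility\Get-FileHash 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM\AntiVirus.psm1' -Algorithm SHA256;"
    "if (!($calculatedHash.Hash -eq '027d97b761753a1069fc819a0f3e8fdcc54ad9eb6c75e379416aea9a76dafd8e')) { exit 323;};"
    r"$scriptFileStream = [System.IO.File]::Open('C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM\EDR.psm1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read);"
    r"$calculatedHash = Microsoft.PowerShell.Utility\Get-FileHash 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM\EDR.psm1' -Algorithm SHA256;"
    "if (!($calculatedHash.Hash -eq '703a9f10e5cfa2809eb0fb1f459cb9ace67073183afaaa0b0bac6428129104cd')) { exit 323;};"
    r"$scriptFileStream = [System.IO.File]::Open('C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM\PolicyEnforcer.ps1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read);"
    r"$calculatedHash = Microsoft.PowerShell.Utility\Get-FileHash 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM\PolicyEnforcer.ps1' -Algorithm SHA256;"
    "if (!($calculatedHash.Hash -eq 'a908118292e43f4746142408fe88fa9e3623c93f8041dfca6410718ec057b9be')) { exit 323;};"
    r" . 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM\PolicyEnforcer.ps1' }"
    '"'
)


def sha256_hex(data: bytes) -> str:
    """Lower-case hex SHA256, the same digest Get-FileHash -Algorithm SHA256 reports."""
    return hashlib.sha256(data).hexdigest()


def parse_integrity_checks(cmd: str) -> List[Dict[str, object]]:
    """Extract every (path, pinned hash, exit code) triple from the command line."""
    return [
        {"path": m.group("path"), "sha256": m.group("hash").lower(), "exit_code": int(m.group("code"))}
        for m in CHECK_RE.finditer(cmd)
    ]


def dot_sourced_script(cmd: str) -> Optional[str]:
    """Path of the script that is dot-sourced at the end, or None if there is none."""
    m = DOTSOURCE_RE.search(cmd)
    return m.group("path") if m else None


def _disk_reader(path: str) -> Optional[bytes]:
    """Default reader: file bytes from disk, None when the file is absent."""
    p = Path(path)
    return p.read_bytes() if p.is_file() else None


def verify_checks(checks: List[Dict[str, object]],
                  reader: Callable[[str], Optional[bytes]] = _disk_reader) -> Dict[str, str]:
    """Recompute each pinned hash; returns path -> 'match' | 'mismatch' | 'missing'."""
    results: Dict[str, str] = {}
    for c in checks:
        data = reader(str(c["path"]))
        if data is None:
            results[str(c["path"])] = "missing"
        else:
            results[str(c["path"])] = "match" if sha256_hex(data) == c["sha256"] else "mismatch"
    return results


def triage(cmd: str, reader: Callable[[str], Optional[bytes]] = _disk_reader) -> Dict[str, object]:
    """Summarise what an analyst wants to know before closing the alert as benign."""
    checks = parse_integrity_checks(cmd)
    entry = dot_sourced_script(cmd)
    paths = [str(c["path"]) for c in checks] + ([entry] if entry else [])
    prefix = SENSECM_DIR.lower() + "\\"
    return {
        "module_count": len(checks),
        "entry_script": entry,
        # Every file referenced lives under the SenseCM directory.
        "all_under_sensecm": bool(paths) and all(p.lower().startswith(prefix) for p in paths),
        # The script that actually runs is itself one of the hash-pinned files.
        "entry_hash_checked": entry is not None and any(str(c["path"]).lower() == entry.lower() for c in checks),
        "file_status": verify_checks(checks, reader),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_CMD).items():
        print(f"{key}: {value}")
```

Run on the analyst's workstation the file checks will all report `missing`; run on the affected server (with the full command line pasted in place of the sample) they should all report `match`, and any `mismatch` or path outside the SenseCM directory is the signal that the alert deserves a closer look rather than a false-positive closure.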