Mimikatz credential theft tool: probably a false positive


Hi all,

I've recently onboarded all Windows servers into Defender for Endpoint, and some servers raise an alert about "Mimikatz".

Looking into the details, the specific process is a PowerShell launched within this chain of events:

MsSense.exe>SenseCM.exe>powershell.exe

so this is probably a false positive; if I extract the full command that was launched, it looks like a Defender operation:

```powershell
powershell.exe -ExecutionPolicy AllSigned -NoProfile -NonInteractive -Command "& {$OutputEncoding = [Console]::OutputEncoding =[System.Text.Encoding]::UTF8;
$scriptFileStream = [System.IO.File]::Open('C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM\AntiVirus.psm1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read);$calculatedHash = Microsoft.PowerShell.Utility\Get-FileHash 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM\AntiVirus.psm1' -Algorithm SHA256;if (!($calculatedHash.Hash -eq '027d97b761753a1069fc819a0f3e8fdcc54ad9eb6c75e379416aea9a76dafd8e')) { exit 323;};
$scriptFileStream = [System.IO.File]::Open('C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM\EDR.psm1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read);$calculatedHash = Microsoft.PowerShell.Utility\Get-FileHash 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM\EDR.psm1' -Algorithm SHA256;if (!($calculatedHash.Hash -eq '703a9f10e5cfa2809eb0fb1f459cb9ace67073183afaaa0b0bac6428129104cd')) { exit 323;};
$scriptFileStream = [System.IO.File]::Open('C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM\Firewall.psm1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read);$calculatedHash = Microsoft.PowerShell.Utility\Get-FileHash 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM\Firewall.psm1' -Algorithm SHA256;if (!($calculatedHash.Hash -eq 'bfdb5cf27fe8e3a2b59e49d8da35601023e8c7cb36ff9d844865ddc30fb14be3')) { exit 323;};
$scriptFileStream = [System.IO.File]::Open('C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM\ASR.psm1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read);$calculatedHash = Microsoft.PowerShell.Utility\Get-FileHash 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM\ASR.psm1' -Algorithm SHA256;if (!($calculatedHash.Hash -eq '6c4ec1b2bc5cf031b13abeb52b2ce86dca36f059a37a9053d79f25fa6d0c6e3a')) { exit 323;};
$scriptFileStream = [System.IO.File]::Open('C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM\GroupPolicyObject.psm1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read);$calculatedHash = Microsoft.PowerShell.Utility\Get-FileHash 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM\GroupPolicyObject.psm1' -Algorithm SHA256;if (!($calculatedHash.Hash -eq 'cd649f4e31dc09a2030f76b92d3eb084ecfeda4e478347eae9b9c9acea167ce1')) { exit 323;};
$scriptFileStream = [System.IO.File]::Open('C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM\ConflictResolutionUtils.psm1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read);$calculatedHash = Microsoft.PowerShell.Utility\Get-FileHash 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM\ConflictResolutionUtils.psm1' -Algorithm SHA256;if (!($calculatedHash.Hash -eq 'fd360f6a95607c51ea831e2316d7308ad8e902bcad48a9a525355352b8c6c65b')) { exit 323;};
$scriptFileStream = [System.IO.File]::Open('C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM\SharedUtils.psm1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read);$calculatedHash = Microsoft.PowerShell.Utility\Get-FileHash 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM\SharedUtils.psm1' -Algorithm SHA256;if (!($calculatedHash.Hash -eq '6f47e947b2d397becd73cc1c4ef1f9f95e1a2c27d1723da1921b1d7792142f61')) { exit 323;};
$scriptFileStream = [System.IO.File]::Open('C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM\FeaturesRings.psm1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read);$calculatedHash = Microsoft.PowerShell.Utility\Get-FileHash 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM\FeaturesRings.psm1' -Algorithm SHA256;if (!($calculatedHash.Hash -eq '951fe3a99e1667a1ec901145114a8f8d2c018a5786550524c694b4d2a0a7f9af')) { exit 323;};
$scriptFileStream = [System.IO.File]::Open('C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM\PolicyEnforcer.ps1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read);$calculatedHash = Microsoft.PowerShell.Utility\Get-FileHash 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM\PolicyEnforcer.ps1' -Algorithm SHA256;if (!($calculatedHash.Hash -eq 'a908118292e43f4746142408fe88fa9e3623c93f8041dfca6410718ec057b9be')) { exit 323;};
. 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM\PolicyEnforcer.ps1' }"
```

Has anyone ever seen this behavior?

Thank you

0 Replies
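The posted command line pins every SenseCM module to a SHA-256 hash before dot-sourcing PolicyEnforcer.ps1, runs under -ExecutionPolicy AllSigned (so the dot-sourced script must carry a valid Authenticode signature to load at all), and keeps each file open with [System.IO.FileShare]::Read, which denies other handles write access while the check runs. The script below is an added example for triaging this kind of alert; it is not part of the original post and not Microsoft's own tooling. It takes the ProcessCommandLine copied from the alert (assumed to be supplied as -AlertCommandLine), extracts the path/hash pairs from it, recomputes each hash on the server with Get-FileHash, and reads each file's Authenticode signature with Get-AuthenticodeSignature. The pinned hashes are version-specific, so a mismatch after the sensor has updated is expected and not by itself a finding; a signature status other than Valid, or a signer that is not Microsoft, is what would turn this from a probable false positive into an investigation. The parent chain MsSense.exe > SenseCM.exe > powershell.exe itself is best confirmed from the alert's process tree or the DeviceProcessEvents table in Advanced Hunting.

```powershell
# Added example (not from the original post, not Microsoft's tooling): re-verify the SenseCM
# scripts that an alerted command line pinned, and report who signed each one.
function Test-SenseCMPins {
    [CmdletBinding()]
    param(
        # ProcessCommandLine copied from the Defender for Endpoint alert (assumed input).
        [Parameter(Mandatory)]
        [string]$AlertCommandLine
    )

    # Each pinned file appears in the alerted command line as:
    #   Get-FileHash '<path>' -Algorithm SHA256;if (!($calculatedHash.Hash -eq '<sha256>'))
    # Single-quoted PowerShell string: '' is a literal quote, \$ and \( are regex escapes.
    $pattern = 'Get-FileHash ''([^'']+)'' -Algorithm SHA256;if \(!\(\$calculatedHash\.Hash -eq ''([0-9a-fA-F]{64})''\)\)'

    $pins = @([regex]::Matches($AlertCommandLine, $pattern) | ForEach-Object {
        [pscustomobject]@{ Path = $_.Groups[1].Value; ExpectedHash = $_.Groups[2].Value }
    })
    if ($pins.Count -eq 0) {
        throw 'No Get-FileHash pins found in the supplied command line.'
    }

    foreach ($pin in $pins) {
        $row = [ordered]@{
            File            = Split-Path -Leaf $pin.Path
            Exists          = Test-Path -LiteralPath $pin.Path
            HashMatchesPin  = $false
            SignatureStatus = 'n/a'
            Signer          = 'n/a'
        }
        if ($row.Exists) {
            # Recompute the hash the alerted command compared against; -eq ignores hex case.
            $actual = (Get-FileHash -LiteralPath $pin.Path -Algorithm SHA256).Hash
            $row.HashMatchesPin = ($actual -eq $pin.ExpectedHash)

            # AllSigned only lets a signed script load, so check the signature directly.
            $sig = Get-AuthenticodeSignature -LiteralPath $pin.Path
            $row.SignatureStatus = [string]$sig.Status   # Valid, NotSigned, HashMismatch, ...
            if ($sig.SignerCertificate) { $row.Signer = $sig.SignerCertificate.Subject }
        }
        [pscustomobject]$row
    }
}

# Usage on the affected server: copy the alert's ProcessCommandLine to the clipboard, then
#   Test-SenseCMPins -AlertCommandLine (Get-Clipboard -Raw) | Format-Table -AutoSize
# Rows where SignatureStatus is not 'Valid' or Signer is not Microsoft warrant follow-up;
# a hash mismatch alone usually means the sensor updated the file after the alert fired.
```

The function emits one object per pinned file rather than printing text, so the result can be filtered (for example `Where-Object SignatureStatus -ne 'Valid'`) or exported alongside the alert for the case record. Reading the expected hashes from the alert instead of hardcoding them keeps the check usable across sensor versions.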