Nov 18 2021 01:38 AM
Morning community,
I have a question and I hope I am in the right place.
We use M365 Defender as a SIEM solution and a Ransome alert came recently.
In the timeline, there were more than 10 instances of taskkill involved. As far as I am informed the tool is set up to trigger an alert on several taskkill execution events.
However, there was a PGHook.dll clipped/involved in the mix and has a direct link to the Ransomware in the timeline.
My question is: Would the PGHook.dll had assisted in creating the alert or did the M365 defender pick up only on the number of taskkill events?
Thank you in advance.
Dan
Nov 18 2021 01:50 AM
Nov 18 2021 01:55 AM
Nov 18 2021 02:24 AM
Nov 18 2021 04:33 AM
@AmolShelar, unfortunately, I do not have granular visibility on the endpoint' active processes and cannot inspect if there are any suspicious remote connections attempts. Can you please, based on your experience suggest a questionnaire for the technical Team to address potential adversaries on the endpoint? Your help is much appreciated!