Sticky Keys Binary hijack detected


Hi everyone,

I am trying to analyze an alert regarding sticky keys binary hijacking. The process MsMpEng.exe renamed the binary cmd.exe as utilman.exe under system32 file, and then I got the alert "Sticky Keys binary hijack detected". I found nothing suspicious when I analyzed the timeline. So my question is: are there any legitimate use cases in which the binary MsMpEng.exe behaves like that? By the way, the device is newly onboarded to Defender.

Kind Regards,
