Again Help with Discover Functions


Hi,


We are getting alerts named "PowerShell Suspicious Discovery Related Windows API Functions" about the execution of a PowerShell script with a numeric name under the path "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\". Are these legitimate actions or not?


The query contains:


NetShareEnum
NetWkstaUserEnum
NetSessionEnum
NetLocalGroupEnum
NetLocalGroupGetMembers
DsGetSiteName
DsEnumerateDomainTrusts
WTSEnumerateSessionsEx
WTSQuerySessionInformation
LsaGetLogonSessionData
QueryServiceObjectSecurity

Thank you.

0 Replies
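A triage helper for the situation described in the post, added here as an example; it is not code from the post, from Microsoft Defender for Endpoint, or from the alert's own query. Given the script path and its contents, it reports which of the eleven API names quoted in the post the script references, whether each is declared as a P/Invoke signature (a `[DllImport]` `extern` inside an `Add-Type` block) and from which DLL, and whether the file has an all-digit name directly under the DataCollection directory. The sample script is constructed for the demonstration; the "named with numbers" reading (digits-only basename) and the purpose descriptions in the table are assumptions.

```python
"""Triage which discovery-related Win32 APIs a PowerShell script references.

Added example, not from the forum post or from Microsoft. API names are the
ones quoted in the post; the sample script below is constructed.
"""
import ntpath  # Windows path handling, so this also runs on Linux/macOS
import re

# Purpose text is an assumed, informal description, not the alert's wording.
DISCOVERY_APIS = {
    "NetShareEnum": "network share enumeration",
    "NetWkstaUserEnum": "logged-on user enumeration (workstation)",
    "NetSessionEnum": "SMB session enumeration",
    "NetLocalGroupEnum": "local group enumeration",
    "NetLocalGroupGetMembers": "local group membership",
    "DsGetSiteName": "AD site lookup",
    "DsEnumerateDomainTrusts": "domain trust enumeration",
    "WTSEnumerateSessionsEx": "terminal/RDP session enumeration",
    "WTSQuerySessionInformation": "terminal session details",
    "LsaGetLogonSessionData": "logon session data",
    "QueryServiceObjectSecurity": "service ACL query",
}

# Path from the post; assumed to be compared case-insensitively.
DATACOLLECTION_DIR = (r"C:\ProgramData\Microsoft\Windows Defender Advanced "
                      r"Threat Protection\DataCollection")

# A C# P/Invoke declaration as it appears in an Add-Type -TypeDefinition block:
# [DllImport("netapi32.dll", ...)] public static extern int NetShareEnum(
DLLIMPORT_RE = re.compile(
    r'\[DllImport\("(?P<dll>[^"]+)"[^\]]*\]\s*(?:public\s+)?static\s+extern\s+'
    r'[\w\.\[\]]+\s+(?P<fn>\w+)\s*\(', re.I)


def scan_script(text):
    """Return {api: {hits, pinvoke_dll, purpose}} for every listed API present."""
    pinvoke = {m.group("fn"): m.group("dll").lower()
               for m in DLLIMPORT_RE.finditer(text)}
    findings = {}
    for api, purpose in DISCOVERY_APIS.items():
        hits = len(re.findall(r"\b%s\b" % re.escape(api), text))
        if hits:
            findings[api] = {"hits": hits,
                             "pinvoke_dll": pinvoke.get(api),
                             "purpose": purpose}
    return findings


def is_numeric_named_ps1(path):
    """True for e.g. ...\\1234567890.ps1 (assumed reading of 'named with numbers')."""
    stem, ext = ntpath.splitext(ntpath.basename(path))
    return ext.lower() == ".ps1" and stem.isdigit()


def in_datacollection_dir(path):
    """True if the file sits directly in the DataCollection directory."""
    return ntpath.normcase(ntpath.dirname(path)) == ntpath.normcase(DATACOLLECTION_DIR)


def triage(path, text):
    """Combine the path and content checks into one summary dict."""
    findings = scan_script(text)
    return {
        "numeric_name": is_numeric_named_ps1(path),
        "in_datacollection_dir": in_datacollection_dir(path),
        "findings": findings,
        # APIs actually bound via P/Invoke, as opposed to merely mentioned
        "pinvoked": sorted(a for a, f in findings.items() if f["pinvoke_dll"]),
    }


# Constructed sample: binds three of the listed APIs via Add-Type, mentions a
# fourth only in a string.
SAMPLE_SCRIPT = r'''
$sig = @"
using System;
using System.Runtime.InteropServices;
public class NetApi {
    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    public static extern int NetShareEnum(string servername, int level, out IntPtr bufptr,
        int prefmaxlen, out int entriesread, out int totalentries, ref int resume_handle);
    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    public static extern int NetSessionEnum(string servername, string uncclient, string username,
        int level, out IntPtr bufptr, int prefmaxlen, out int entriesread, out int totalentries, ref int resume);
    [DllImport("wtsapi32.dll")]
    public static extern bool WTSEnumerateSessionsEx(IntPtr hServer, ref int pLevel, int Filter, out IntPtr ppSessionInfo, out int pCount);
}
"@
Add-Type -TypeDefinition $sig
$r = [NetApi]::NetShareEnum($null, 1, [ref]$buf, -1, [ref]$read, [ref]$total, [ref]$resume)
Write-Output "DsEnumerateDomainTrusts not used here"
'''
SAMPLE_PATH = DATACOLLECTION_DIR + r"\1234567890.ps1"  # constructed, not a real file

if __name__ == "__main__":
    t = triage(SAMPLE_PATH, SAMPLE_SCRIPT)
    print("numeric name:", t["numeric_name"], "| in DataCollection:", t["in_datacollection_dir"])
    for api, f in t["findings"].items():
        how = "P/Invoke from " + f["pinvoke_dll"] if f["pinvoke_dll"] else "string/comment only"
        print(f"{api:28} {f['hits']} hit(s)  {how:28} {f['purpose']}")
```

The output separates APIs the script actually binds and can call from names that merely appear in a string, which is the first thing to check before reading the full script. It does not decide legitimacy: for that you still need the parent process that launched the script and who deployed it, neither of which is visible in the post.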