Forum Discussion
nopnop
May 09, 2023 · Copper Contributor
PowerShell Suspicious Discovery Related Windows API Functions alerts about C:\ProgramData\Microsoft\
Hi,
We are getting alerts named "PowerShell Suspicious Discovery Related Windows API Functions" about executing a ps script named with numbers under the path "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\". Are these legit actions or not?
The query contains:
NetShareEnum
NetWkstaUserEnum
NetSessionEnum
NetLocalGroupEnum
NetLocalGroupGetMembers
DsGetSiteName
DsEnumerateDomainTrusts
WTSEnumerateSessionsEx
WTSQuerySessionInformation
LsaGetLogonSessionData
QueryServiceObjectSecurity
Thank you.
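An added triage script, not part of the original post or of Microsoft's tooling, that inventories the .ps1 files under the path named in the question, records each file's hash and Authenticode status, and reports which of the API names from the alert query each script references. The path and the API list come from the post; the elevated session, the recursion and the output layout are assumptions.

```powershell
# Added example (not from the original post): inventory the scripts in the
# Defender DataCollection folder named in the question. Reading that folder
# normally requires an elevated PowerShell session (assumption).
$Path = 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection'

# Discovery-related API names quoted from the alert query in the post
$ApiNames = @(
    'NetShareEnum', 'NetWkstaUserEnum', 'NetSessionEnum', 'NetLocalGroupEnum',
    'NetLocalGroupGetMembers', 'DsGetSiteName', 'DsEnumerateDomainTrusts',
    'WTSEnumerateSessionsEx', 'WTSQuerySessionInformation',
    'LsaGetLogonSessionData', 'QueryServiceObjectSecurity'
)

Get-ChildItem -Path $Path -Filter '*.ps1' -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_

        # Which of the listed API names does this script actually mention?
        # The names contain no regex metacharacters, so they are safe as patterns.
        $hits = Select-String -Path $file.FullName -Pattern $ApiNames -AllMatches |
            ForEach-Object { $_.Matches.Value } |
            Sort-Object -Unique

        # Signature state tells you whether the file is the vendor's signed script
        # or something unsigned/tampered that deserves a closer look.
        $sig = Get-AuthenticodeSignature -FilePath $file.FullName

        [pscustomobject]@{
            Script        = $file.Name
            LastWrite     = $file.LastWriteTime
            SHA256        = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
            SigStatus     = $sig.Status                      # Valid / NotSigned / HashMismatch ...
            Signer        = $sig.SignerCertificate.Subject   # empty when unsigned
            ApiReferences = ($hits -join ', ')
        }
    } | Format-Table -AutoSize
```

Save the output when the alert fires, because these numerically named scripts can be short-lived; the hash and signer are what let you compare the file against what the Defender for Endpoint sensor itself deploys before deciding whether to tune the alert.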