HIGH Command-line arguments match Mimikatz execution

Detected ID: #35021 | Detected: 2026-01-15 15:35:08 | Credential Access
View Incident Back
Alert Overview

Process action type = execution AND target process cmd = *privilege::debug*, *sekurlsa*, *kerberos::tgt*, *logonpasswords*, *kerberos::ptt*, *kerberos::golden*, *kerberos::list*

Unclassified
XDR BIOC
New
DS:PANW/XDR Agent DOM:Security
Host Information
DESKTOP-FNUMV3U
172.30.1.80 172.29.32.1 172.26.224.1
DESKTOP-FNUMV3U\User
6761b82386d0481190f91c4255079cb7
-
Process Information Process Execution
Actor Process (Executor)
Process Name python.exe
Path C:\Python314\python.exe
PID 14424
SHA256 467014615a5255aca450ae88100dd2caf887da87657f00e3c2171ec44a685aec VT
MD5 ea9864af41a0640d7c5e01932c585a2e
Signature Python Software Foundation Signed 
"python"  mega_incident_generator.py --fast --rounds 1
Action Process (Target)
Process Name cmd.exe
SHA256 badf4752413cb0cbdc03fb95820ca167f0cdc63b597ccdb5ef43111180e088b0 VT
Signature Microsoft Corporation Signed 
C:\WINDOWS\system32\cmd.exe /c "powershell -c "sekurlsa::logonpasswords""
Parent Process (Causality)
Process Name cmd.exe
Path C:\Windows\System32\cmd.exe
SHA256 badf4752413cb0cbdc03fb95820ca167f0cdc63b597ccdb5ef43111180e088b0 VT
MD5 2b40c98ed0f7a1d3b091a3e8353132dc 
C:\WINDOWS\SYSTEM32\cmd.exe /c ""C:\app\cortex-xdr-siem-test\xdr_incident_runner.bat""
MITRE ATT&CK Mapping
TA0006 - Credential Access
T1003 - OS Credential Dumping
Quick Actions
View Related Incident View Endpoint Check Hash on VirusTotal Back to Alerts
Severity Analysis
HIGH

High priority investigation needed

Summary
Events 1
IP Addresses 3
Tags 2
File Artifacts Yes
Network Artifacts No
Registry Artifacts No
Analyst Verdict