HIGH Protection Against Security Measures Bypass Techniques - 1903466637

Prevented (Blocked) ID: #37039 | Detected: 2026-01-17 00:29:18 | Malware
View Incident Back
Alert Overview

Attempted bypass of AMSI monitoring

Unclassified
XDR Agent
New
DS:PANW/XDR Agent DOM:Security
Host Information
BOOK-R0BE6S1NC3
10.8.0.10 10.8.0.14 172.27.1.31
ubuntu
fb5c54168a024bea95ad1bfc092f7a53
00:72:ee:3e:51:84
Process Information Process Execution
Actor Process (Executor)
Process Name wscript.exe
Path C:\Windows\System32\wscript.exe
PID 62500
SHA256 5919e37adbf233d1aadf793959eeeb7d1eba073b23b3572016564b407f0ad93f VT
MD5 58e6467c1780f739edfd7df2c6bc74bf
Signature Microsoft Corporation Signed 
"wscript.exe" "C:\app\cortex-xdr-siem-test\xdr_hidden_runner.vbs" --once
Parent Process (Causality)
Process Name wscript.exe
Path C:\Windows\System32\wscript.exe
SHA256 5919e37adbf233d1aadf793959eeeb7d1eba073b23b3572016564b407f0ad93f VT 
"wscript.exe" "C:\app\cortex-xdr-siem-test\xdr_hidden_runner.vbs" --once
MITRE ATT&CK Mapping
TA0005 - Defense Evasion
T1562.001 - Impair Defenses: Disable or Modify Tools
Quick Actions
View Related Incident View Endpoint Check Hash on VirusTotal Back to Alerts
Severity Analysis
HIGH

High priority investigation needed

Summary
Events 1
IP Addresses 3
Tags 2
File Artifacts Yes
Network Artifacts No
Registry Artifacts No
Analyst Verdict