HIGH Command-line arguments match Mimikatz execution

Detected ID: #620 | Detected: 2026-01-01 09:50:08 | Credential Access
View Incident Back
Alert Overview

Process action type = execution AND target process cmd = *privilege::debug*, *sekurlsa*, *kerberos::tgt*, *logonpasswords*, *kerberos::ptt*, *kerberos::golden*, *kerberos::list*

Unclassified
XDR BIOC
New
DS:PANW/XDR Agent DOM:Security
Host Information
BOOK-R0BE6S1NC3
172.27.1.18
BOOK-R0BE6S1NC3\ubuntu
fb5c54168a024bea95ad1bfc092f7a53
-
Process Information Process Execution
Actor Process (Executor)
Process Name python.exe
Path C:\Users\ubuntu\scoop\apps\python\3.13.2\python.exe
PID 14128
SHA256 7d96a4ed35d6e596cd9dd8933feafc66349cc21f75be3b15c89fd336e50140c1 VT
MD5 5b4a9fba45e770366c5a8f973f6c6ab1
Signature Python Software Foundation Signed 
"C:\app\cortex-xdr-siem-test\.venv\Scripts\python.exe"  mega_incident_generator.py --rounds 1
Action Process (Target)
Process Name cmd.exe
SHA256 64afc6db3aad1289533662e2d79e27dd55c7dcdb8cd918b08e145ad82ad5acb4 VT
Signature Microsoft Corporation Signed 
C:\windows\system32\cmd.exe /c "powershell -c "sekurlsa::logonpasswords""
Parent Process (Causality)
Process Name cmd.exe
Path C:\Windows\System32\cmd.exe
SHA256 64afc6db3aad1289533662e2d79e27dd55c7dcdb8cd918b08e145ad82ad5acb4 VT
MD5 6d109a3a00f210c1ab89c3b08399ed48 
C:\windows\SYSTEM32\cmd.exe /c ""C:\app\cortex-xdr-siem-test\xdr_incident_runner.bat""
MITRE ATT&CK Mapping
TA0006 - Credential Access
T1003 - OS Credential Dumping
Quick Actions
View Related Incident View Endpoint Check Hash on VirusTotal Back to Alerts
Severity Analysis
HIGH

High priority investigation needed

Summary
Events 1
IP Addresses 1
Tags 2
File Artifacts Yes
Network Artifacts No
Registry Artifacts No
Analyst Verdict