Incident #210 - XDR Test Manager

HIGH 'Command-line arguments match Mimikatz execution' along with 4 other issues

RESOLVED SECURITY TESTING ID: #210 | Created: 2026-01-03 02:32:15

Alerts

Hosts

Files

Network

Incident Overview

'Command-line arguments match Mimikatz execution' along with 4 other issues generated by XDR BIOC and XDR Agent detected on host desktop-fnumv3u involving 2 users

Alert Count 5

Modified 2026-01-03 02:40

Assigned To Unassigned

Sources XDR BIOC, XDR Agent

Alert Categories

Malware Collection Credential Access

Affected Hosts & Users

Hosts (1)

Users (2)

desktop-fnumv3u\user user

MITRE ATT&CK Mapping

Tactics (6)

TA0003 - Persistence TA0002 - Execution TA0005 - Defense Evasion TA0008 - Lateral Movement TA0006 - Credential Access TA0004 - Privilege Escalation

Techniques (10)

T1059 - Command and Scripting Interpreter T1098 - Account Manipulation T1546.007 - Event Triggered Execution: Netsh Helper DLL T1003 - OS Credential Dumping T1552 - Unsecured Credentials T1140 - Deobfuscate/Decode Files or Information T1059.001 - Command and Scripting Interpreter: PowerShell T1003.001 - OS Credential Dumping: LSASS Memory T1550 - Use Alternate Authentication Material T1207 - Rogue Domain Controller

Related Alerts 5

ID	Severity	Name	Host	Action	Time
3234	HIGH	Persistency - 1983659418	DESKTOP-FNUMV3U	Prevented (Blocked)	01-03 02:37
3229	HIGH	Command-line arguments match Mimikatz execution	DESKTOP-FNUMV3U	Detected	01-03 02:32
3230	MEDIUM	PowerShell runs with known Mimikatz arguments	DESKTOP-FNUMV3U	Detected	01-03 02:32
3228	HIGH	Credential Gathering Protection - 510630382	DESKTOP-FNUMV3U	Prevented (Blocked)	01-03 02:32
3231	HIGH	Possible LSASS memory dump	DESKTOP-FNUMV3U	Detected	01-03 02:32

File Artifacts 11

File Name	Path	SHA256	Signature	Verdict	Actions
cmd.exe	-	`badf4752413cb0cbdc03fb95820ca167f0cdc63b597ccdb5ef43111180e088b0`	SIGNATURE_SIGNED	UNKNOWN	VT
python.exe	-	`467014615a5255aca450ae88100dd2caf887da87657f00e3c2171ec44a685aec`	SIGNATURE_SIGNED	UNKNOWN	VT
powershell.exe	-	`9785001b0dcf755eddb8af294a373c0b87b2498660f724e76c4d53f9c217c7a3`	SIGNATURE_SIGNED	UNKNOWN	VT
UltimateXdrGenerator.exe	-	`82fabb35db24a714b179c912f8c0cb90ef174c8db9d6c5bbc59346da7478d82d`	SIGNATURE_UNSIGNED	UNKNOWN	VT
conhost.exe	-	`b02ee54fb2ec69673386d41119ee8ed083a6eab3bfca6aa2155d20ce68ef8963`	SIGNATURE_SIGNED	UNKNOWN	VT
cscript.exe	-	`71864a482441889e8a32acead423cf2cefa982695dedc98cc8eb11b78335a5db`	SIGNATURE_SIGNED	UNKNOWN	VT
reg.exe	-	`c0e25b1f9b22de445298c1e96ddfcead265ca030fa6626f61a4a4786cc4a3b7d`	SIGNATURE_SIGNED	UNKNOWN	VT
bitsadmin.exe	-	`739b2dd012ea183895cc01116906f339c9aa1c0baabf6f22c8e59e25a0c12917`	SIGNATURE_SIGNED	UNKNOWN	VT
at.exe	-	`5b97c39d87ad627c53023bfebb0ea1b5227c3f4e86e3bf06b23f3e4b0d6726e2`	SIGNATURE_SIGNED	UNKNOWN	VT
netsh.exe	-	`6b691b06fa865f52c9484ef4f10e2e02ed6d7c3a3f474b8b138a33af7258b2a9`	SIGNATURE_SIGNED	UNKNOWN	VT
WMIC.exe	-	`da603fa720ab43aa6d4d36aa9fdb828dab9645523eabaac209af6451d5b4d757`	SIGNATURE_SIGNED	UNKNOWN	VT

Network Artifacts 0

No network artifacts found for this incident

Process Artifacts 5

Process	Command Line	Parent Process	User
cmd.exe	`C:\WINDOWS\SYSTEM32\cmd.exe /c ""C:\app\cortex-xdr-siem-test\xdr_incident_runner...`	cmd.exe	User
UltimateXdrGenerator.exe	`"C:\app\cortex-xdr-siem-test\xdr_tools\UltimateXdrGenerator\bin\publish\Ultimate...`	cmd.exe	DESKTOP-FNUMV3U\User
UltimateXdrGenerator.exe	`"C:\app\cortex-xdr-siem-test\xdr_tools\UltimateXdrGenerator\bin\publish\Ultimate...`	cmd.exe	DESKTOP-FNUMV3U\User
cmd.exe	`C:\WINDOWS\SYSTEM32\cmd.exe /c ""C:\app\cortex-xdr-siem-test\xdr_ultimate_runner...`	cmd.exe	User
python.exe	`"python" mega_incident_generator.py --fast --rounds 1`	cmd.exe	DESKTOP-FNUMV3U\User

Registry Artifacts 0

No registry artifacts found for this incident

Analyst Verdict

Classification

Risk Level

HIGH

Recommended Actions

Isolate affected endpoints
Investigate all related alerts
Document findings

Summary

Alerts

Hosts

Files

Network

Alert Categories

Malware Collection Credential Access

Timeline

01-03 02:40:05

Incident Modified

Status or details updated

01-03 02:40:05

Incident Resolved

resolved security testing

01-03 02:37:37

Persistency - 1983659418

high - Prevented (Blocked)

01-03 02:32:15

Incident Created

#210 - 'Command-line arguments match Mimikatz execution' along with 4 other issues

01-03 02:32:15

cmd.exe

Verdict: Unknown

01-03 02:32:15

python.exe

Verdict: Unknown

01-03 02:32:15

powershell.exe

Verdict: Unknown

01-03 02:32:15

UltimateXdrGenerator.exe

Verdict: Unknown

01-03 02:32:15

conhost.exe

Verdict: Unknown

01-03 02:32:15

cscript.exe

Verdict: Unknown

01-03 02:32:15

reg.exe

Verdict: Unknown

01-03 02:32:15

bitsadmin.exe

Verdict: Unknown

01-03 02:32:15

at.exe

Verdict: Unknown

01-03 02:32:15

netsh.exe

Verdict: Unknown

01-03 02:32:07

Command-line arguments match Mimikatz execution

high - Detected

01-03 02:32:07

PowerShell runs with known Mimikatz arguments

medium - Detected

01-03 02:32:07

Credential Gathering Protection - 510630382

high - Prevented (Blocked)

01-03 02:32:05

Possible LSASS memory dump

high - Detected