Incident Graph example

In this example, we will explain one incident in the Incident Graph:

In the example graph, you can see:

1.User alex.hayden executed trusted utilities (whoami.exe, net.exe, net1.exe) from PowerShell. Which indicates that this action intends to gather information about the system users and domain-level groups.

2.Multiple malicious files (winpeasx64.exe, winpeasany.exe, winpeasany_ofs.exe, gmer.exe, winpeasx86_ofs.exe, winpeasx64_ofs.exe) were accessed by Windows File Explorer (explorer.exe).

3.Actions in step 2 led to the detection of MSIL/HackTool.Agent.OS.

4.Execution of processhacker.exe and kprocesshacker.sys indicated an attempt to disable security software and gain kernel-level privileges.

5.Task Manager (taskmgr.exe) and rundll32.exe were used to access the LSASS process (lsass.dmp) and create minidump files with a potential for credential dumping.

6.Trusted utilities (net1.exe and reg.exe) were used to add and hide a user account and modify registry items.

7.AnyDesk (anydesk.exe) remote desktop software was silently installed and configured to start on boot. This was consistent with Conti ransomware gang settings.

8.7-Zip utility (7z.exe) was used to create a password-protected archive file. This action possibly indicates a suspicious collection or filecoder activity.

9.wevtutil.exe was used to clear the application event log. This action potentially indicates an attempt to remove evidence of malicious activity.