{"id": "da637614561636797173_-1201871031", "incidentId": 11306, "investigationId": null, "assignedTo": "David@MTPDemos.net", "severity": "High", "status": "Resolved", "classification": "TruePositive", "determination": "SecurityTesting", "investigationState": "UnsupportedAlertType", "detectionSource": "WindowsDefenderAtp", "detectorId": "f5d3c5d8-ec3a-4412-ab45-934d8faff42c", "category": "CredentialAccess", "threatFamilyName": null, "title": "Malicious credential theft tool execution detected", "description": "A known credential theft tool execution command line was detected.\nEither the process itself or its command line indicated an intent to dump users' credentials, keys, plain-text passwords and more.", "alertCreationTime": "2021-07-09T19:36:03.6497153Z", "firstEventTime": "2021-07-09T19:34:34.495593Z", "lastEventTime": "2021-07-09T19:34:34.495593Z", "lastUpdateTime": "2021-07-16T18:18:16.8166667Z", "resolvedTime": "2021-07-16T18:11:19.4556916Z", "machineId": "0239a66791c29e8db233abc0d5bc43e56b26aa15", "computerDnsName": "annetteh-pc.mtpdemos.net", "rbacGroupName": "Full Auto", "aadTenantId": "cfda2bf1-d0e7-4417-ac82-a7c9a3001d22", "threatName": null, "mitreTechniques": ["T1003"], "relatedUser": {"userName": "Annette.Hill", "domainName": "MTPDEMOS"}, "comments": [], "evidence": [{"entityType": "User", "evidenceCreationTime": "2021-07-09T19:36:03.7366667Z", "sha1": null, "sha256": null, "fileName": null, "filePath": null, "processId": null, "processCommandLine": null, "processCreationTime": null, "parentProcessId": null, "parentProcessCreationTime": null, "parentProcessFileName": null, "parentProcessFilePath": null, "ipAddress": null, "url": null, "registryKey": null, "registryHive": null, "registryValueType": null, "registryValue": null, "accountName": "Annette.Hill", "domainName": "MTPDEMOS", "userSid": "S-1-5-21-1137142824-3273894016-956573326-1162", "aadUserId": "cf5c5238-b82a-41db-8898-bda63de17e39", "userPrincipalName": "AnnHill@MTPDemos.net", "detectionStatus": null}, {"entityType": "Process", "evidenceCreationTime": "2021-07-09T19:36:03.7366667Z", "sha1": "d241df7b9d2ec0b8194751cd5ce153e27cc40fa4", "sha256": "31eb1de7e840a342fd468e558e5ab627bcb4c542a8fe01aec4d5ba01d539a0fc", "fileName": "mimikatz.exe", "filePath": "C:\\Exploits\\MimiKatz\\x64", "processId": 1188, "processCommandLine": "\"mimikatz.exe\" privilege::debug \"kerberos::ptt C:\\exploits\\tickets07092021\" exit", "processCreationTime": "2021-07-09T19:34:33.4908173Z", "parentProcessId": 7704, "parentProcessCreationTime": "2021-07-09T19:31:52.4534635Z", "parentProcessFileName": "powershell.exe", "parentProcessFilePath": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0", "ipAddress": null, "url": null, "registryKey": null, "registryHive": null, "registryValueType": null, "registryValue": null, "accountName": "Annette.Hill", "domainName": "MTPDEMOS", "userSid": "S-1-5-21-1137142824-3273894016-956573326-1162", "aadUserId": "cf5c5238-b82a-41db-8898-bda63de17e39", "userPrincipalName": "AnnHill@MTPDemos.net", "detectionStatus": "Detected"}]}