PsExecSvc service persistence and lateral movement infrastructure

Event log clear or audit log manipulation detected (TA0005: Defense Evasion, TA0006: Credential Access)

Suspicious executable p.exe staged in Windows temp directory executed via cmd.exe

cmd.exe spawning suspicious p.exe from temporary directory

PowerShell process with multiple RWX memory regions indicating code injection

OUTLOOK.EXE with RWX memory regions and localhost high-port network listener

UpdaterUI.exe with RWX memory region injected code

PowerShell reflection-based code loading detected in event logs

Staged execution artifacts detected in AppCompatCache: PWDumpX, PsExec, DismHost

Subject_srv.exe listening on non-standard port 3262 with F-Response fingerprint

Multiple rundll32.exe processes with elevated privileges (SeDebug, SeImpersonate, SeLoadDriver)

Conhost.exe with elevated sensitive privileges (SeDebug, SeImpersonate, SeLoadDriver)

Suspicious PowerShell command with reflection-based assembly loading detected

PsExec service persistence detected in registry

PowerShell 64-bit spawning 32-bit PowerShell child process

Multiple rundll32.exe processes spawned from child PowerShell with null command lines

Multiple rundll32.exe processes spawned from child PowerShell with null command lines

Multiple privileged network services listening on non-standard ports

Multiple privileged network services listening on non-standard ports

Network connections to external IP 172.16.4.10:8080 in ESTABLISHED and CLOSE_WAIT states

Network connections to internal targets on RDP port 3389 in CLOSED state

Network connection to SMB port from internal system to 172.16.7.15 in ESTABLISHED state

Suspicious SMB connection from internal system to 172.16.6.14:445 in ESTABLISHED state

PowerShell reflection-based code loading (TA0005: Defense Evasion)

Explicit credential usage by SYSTEM account (TA0008: Lateral Movement)

Persistence via SafeBoot alternate shell registry modification

Network connections to external C2 infrastructure

OUTLOOK.EXE with RWX memory regions and localhost socket listener

Reflection-based PowerShell command with code injection pattern (TA0002: Execution)

PWDumpX credential dumping tool staged in temp directory (TA0006: Credential Access)

WmiPrvSE elevated privilege context with SeImpersonate and SeDebug enabled (TA0004: Privilege Escalation, TA0005: Defense Evasion)

rundll32.exe with sensitive privilege escalation flags (TA0004: Privilege Escalation)

Conhost.exe with SeImpersonate and SeDebug privileges (TA0004: Privilege Escalation)

Multiple outbound TCP connections to remote IP 172.16.4.10:8080 with CLOSE_WAIT state (TA0010: Exfiltration, TA0011: Command and Control)

Additional outbound RDP and SMB reconnaissance connections (TA0007: Discovery, TA0008: Lateral Movement)

NCPA monitoring agent staged in temp directory with execution (TA0002: Execution, TA0009: Collection)

DismHost lateral movement artifacts in temp directories (TA0008: Lateral Movement, TA0002: Execution)

Adobe ARM helper staging with execution in temp (TA0002: Execution, TA0009: Collection)

PowerShell and Windows command-line lolbin execution batch (TA0002: Execution)

lateral movement admin share: ip:172.16.5.26

lateral movement admin share: ip:172.16.10.12