| ID | Severity | Finding | Sources | Verdict | Proofs | Notes |
|---|---|---|---|---|---|---|
| F005 | HIGH | Staged p.exe execution from temp perfmon directory | extract_mft_timeline, get_amcache, run_strings, vol_cmdline (+8) | Confirmed malicious | 51 | |
| F008 | CRITICAL | PsExec and PWDumpX staged in Windows Temp (Credential Access / Lateral Movement) | extract_mft_timeline, get_amcache, parse_event_logs, parse_userassist (+1) | Confirmed malicious | 4 | |
| F001 | MEDIUM | PowerShell process memory injection (reflective load) | vol_handles, vol_malfind, vol_psscan, vol_pstree | Suspicious | 50 | AI overruled |
| F002 | MEDIUM | PowerShell process memory injection (reflective load) | vol_malfind, vol_psscan, vol_pstree | Suspicious | 50 | AI overruled |
| F035 | MEDIUM | Defense evasion via rundll32 with null command lines | vol_cmdline, vol_psscan, vol_pstree | Suspicious | 50 | AI overruled |
| F036 | MEDIUM | Defense evasion via rundll32 with null command lines | vol_cmdline, vol_psscan, vol_pstree | Suspicious | 50 | AI overruled |
| F003 | MEDIUM | Reflective PE-load PowerShell execution | parse_event_logs | Suspicious | 0 | |
| F004 | LOW | OUTLOOK.EXE RWX injected region | vol_cmdline, vol_handles, vol_malfind, vol_netscan (+2) | Benign / FP | 50 | |
| F007 | HIGH | cmd.exe launches staged p.exe (Execution) | get_amcache, vol_cmdline, vol_handles, vol_pstree | Suspicious | 50 | |
| F009 | HIGH | PsExecSvc service registered (Lateral Movement / Persistence) | extract_mft_timeline, get_amcache, parse_event_logs, parse_registry_persistence (+1) | Suspicious | 3 | |
| F010 | MEDIUM | UpdaterUI.exe RWX injected region | vol_cmdline, vol_handles, vol_malfind, vol_psscan (+1) | Benign / FP | 50 | |
| F011 | LOW | subject_srv.exe remote-management listener (C2/Remote access) | get_amcache, vol_cmdline, vol_netscan, vol_pstree | Benign / FP | 139 | |
| F012 | MEDIUM | rundll32.exe defense-evasion chain (null cmdline) | vol_cmdline, vol_psscan, vol_pstree | Suspicious | 50 | |
| F013 | MEDIUM | rundll32.exe defense-evasion chain (null cmdline) | vol_cmdline, vol_psscan, vol_pstree | Suspicious | 50 | |
| F015 | - | Security log cleared - Event 1102 (Defense Evasion) | parse_event_logs | Suspicious | 0 | |
| F016 | - | Explicit-credential logons (Event 4648) from DMZ-FTP$ | parse_event_logs | Suspicious | 0 | |
| F017 | - | Image File Execution Options debugger on sethc.exe (Persistence/Backdoor) | - | Inconclusive | 0 | |
| F018 | - | SafeBoot AlternateShell registry persistence | - | Inconclusive | 0 | |
| F019 | - | Admin-share access to 172.16.5.26 / 172.16.10.12 | extract_network_iocs, parse_event_logs | Suspicious | 0 | |
| F020 | - | Outbound RDP (3389) and WinRM (5985) to internal hosts | parse_event_logs, vol_netscan | Suspicious | 0 | |
| F022 | MEDIUM | PowerShell reflective DLL load / shellcode injection | parse_event_logs | Suspicious | 0 | |
| F023 | MEDIUM | Multiple rundll32 children with null command lines (injection/evasion) | vol_cmdline, vol_psscan, vol_pstree | Suspicious | 50 | |
| F024 | LOW | Remote access service subject_srv.exe listening with external connection | vol_netscan, vol_psscan, vol_pstree | Benign / FP | 50 | |
| F025 | - | Repeated outbound connections to internal peer on port 8080 (C2-like) | extract_network_iocs, vol_netscan | Suspicious | 0 | |
| F026 | MEDIUM | Image File Execution Options debugger on sethc.exe | parse_event_logs | Suspicious | 1 | |
| F027 | - | Audit log cleared - anti-forensics | parse_event_logs | Suspicious | 0 | |
| F028 | - | Explicit-credential logons indicating lateral movement | get_amcache, parse_event_logs | Suspicious | 0 | |
| F029 | - | Admin-share access to internal host 172.16.5.26 | extract_network_iocs, parse_event_logs | Suspicious | 0 | |
| F030 | LOW | Repeated DismHost execution from temp GUID staging paths | extract_mft_timeline, parse_event_logs, run_appcompatcacheparser, sleuthkit_tsk_recover | Suspicious | 2 | |
| F031 | LOW | Nagios NCPA installer executed from temp | extract_mft_timeline, get_amcache, run_appcompatcacheparser | Suspicious | 3 | |
| F032 | LOW | SafeBoot AlternateShell registry persistence | - | Inconclusive | 1 | |
| F033 | LOW | Local high-port listeners and loopback staging context | extract_network_iocs, vol_cmdline, vol_handles, vol_netscan (+1) | Benign / FP | 50 | |
| F034 | MEDIUM | Encoded reflective-load PowerShell execution | parse_event_logs | Suspicious | 0 | |
| F037 | - | Repeated beacon-like connections to 172.16.4.10:8080 | extract_network_iocs, vol_netscan | Suspicious | 0 | |
| F038 | - | Security event log cleared (anti-forensics) | parse_event_logs | Suspicious | 0 | |
| F039 | - | Admin-share lateral movement to 172.16.5.26 | extract_network_iocs, get_amcache, parse_event_logs | Suspicious | 0 | |
| F040 | - | Outbound SMB to internal hosts (lateral movement) | vol_netscan | Suspicious | 0 | |
| F041 | - | Image File Execution Options debugger on sethc.exe | parse_event_logs | Suspicious | 0 | |
| F042 | - | Explicit-credential logons (4648) from DMZ-FTP$ | parse_event_logs | Suspicious | 0 | |
| F043 | HIGH | Encoded/reflective-load PowerShell execution | parse_event_logs, vol_malfind | Suspicious | 0 | |
| F044 | - | Repeated outbound connections to 172.16.4.10:8080 (beacon-like) | extract_network_iocs, vol_netscan | Suspicious | 0 | |
| F045 | - | SMB admin-share access to 172.16.5.26 | extract_network_iocs, get_amcache, parse_event_logs | Suspicious | 0 | |
| F046 | - | Outbound WinRM (5985) connection to 172.16.5.21 | get_amcache, parse_event_logs, vol_netscan | Suspicious | 0 | |
| F047 | - | Outbound RDP attempts to 172.16.4.5 | parse_event_logs, vol_netscan | Suspicious | 0 | |
| F050 | - | Anti-forensics: Security event log cleared | parse_event_logs | Suspicious | 0 | |
| F051 | - | Credential access: explicit-credential logons with DMZ-FTP$ | get_amcache, parse_event_logs | Suspicious | 0 | |
| F052 | MEDIUM | lateral movement admin share: ip:172.16.5.26 | extract_network_iocs, parse_event_logs | Suspicious | 19 | |
| F053 | MEDIUM | lateral movement admin share: ip:172.16.10.12 | extract_network_iocs, parse_event_logs | Suspicious | 19 | |
| F054 | MEDIUM | defense evasion anti forensics: event:1102 (audit log cleared) · microsoft-windows-eventlog | parse_event_logs | Suspicious | 1 | |