We have had a hacking attempt on a server ...
Items detected

| Date/time | Type | Name | Sub-type | Details | Reference | Action taken | Username |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 11/07/2018 09:46:11 | Adware or PUA | Process Hacker Kernel Driver | Hacking tool | C:\Users\Administrator\Desktop\processhacker-2.39-bin\x64\kprocesshacker.sys | | Cleaned up | NT AUTHORITY\SYSTEM |
| 11/07/2018 09:45:10 | Adware or PUA | Mimikatz Exploit Utility | Hacking tool | C:\Users\Administrator\Desktop\tools\extract\Win32\mimidrv.sys | | Cleaned up | NT AUTHORITY\SYSTEM |
| 10/07/2018 20:43:22 | Adware or PUA | Process Hacker Kernel Driver | Hacking tool | C:\Users\Administrator\Desktop\processhacker-2.39-bin\x64\kprocesshacker.sys | | Blocked | BMA-SVR-TS1\Administrator |
| 10/07/2018 20:43:07 | Virus/spyware | Troj/Ransom-EY | | C:\Users\Administrator\Desktop\tools\1\Encode\P1.exe | | Cleaned up | NT AUTHORITY\SYSTEM |
| 10/07/2018 20:42:16 | Adware or PUA | Mimikatz Exploit Utility | Hacking tool | C:\Users\Administrator\Desktop\tools\extract\Win32\mimidrv.sys | | Blocked | ***-SVR-TS1\Administrator |
| 10/07/2018 20:42:16 | Virus/spyware | Troj/Ransom-EY | | C:\Users\Administrator\Desktop\tools\1\Encode\P1.exe | | Blocked | ***-SVR-TS1\Administrator |
As far as we can see, it was blocked by Sophos, but any advice welcome.
We've changed the admin password on the server!
Thanks
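As an added example (not part of the original post or of any Sophos tooling), the script below re-types the detection rows above as a CSV export and triages them the way an incident responder would read them: which files were placed by an interactive (logged-in) account rather than found by a background scan, which files stayed on disk after an initial "Blocked" until a later "Cleaned up", and which detections are credential-theft or ransomware tooling. The CSV column layout, the date format and the `BMA-SVR-TS1` host name for the redacted rows are assumptions made for the sample; the real Sophos export may differ.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample: the six detections from the post, re-typed as a CSV export.
# Column names and date format are assumptions about the Sophos export layout.
SAMPLE_EXPORT = r"""Date/time,Type,Name,Sub-type,Details,Action taken,Username
11/07/2018 09:46:11,Adware or PUA,Process Hacker Kernel Driver,Hacking tool,C:\Users\Administrator\Desktop\processhacker-2.39-bin\x64\kprocesshacker.sys,Cleaned up,NT AUTHORITY\SYSTEM
11/07/2018 09:45:10,Adware or PUA,Mimikatz Exploit Utility,Hacking tool,C:\Users\Administrator\Desktop\tools\extract\Win32\mimidrv.sys,Cleaned up,NT AUTHORITY\SYSTEM
10/07/2018 20:43:22,Adware or PUA,Process Hacker Kernel Driver,Hacking tool,C:\Users\Administrator\Desktop\processhacker-2.39-bin\x64\kprocesshacker.sys,Blocked,BMA-SVR-TS1\Administrator
10/07/2018 20:43:07,Virus/spyware,Troj/Ransom-EY,,C:\Users\Administrator\Desktop\tools\1\Encode\P1.exe,Cleaned up,NT AUTHORITY\SYSTEM
10/07/2018 20:42:16,Adware or PUA,Mimikatz Exploit Utility,Hacking tool,C:\Users\Administrator\Desktop\tools\extract\Win32\mimidrv.sys,Blocked,BMA-SVR-TS1\Administrator
10/07/2018 20:42:16,Virus/spyware,Troj/Ransom-EY,,C:\Users\Administrator\Desktop\tools\1\Encode\P1.exe,Blocked,BMA-SVR-TS1\Administrator
"""

DATE_FORMAT = "%d/%m/%Y %H:%M:%S"  # assumed day/month/year, as in the post


def parse_export(text):
    """Parse the CSV export into dicts, adding a datetime, oldest event first."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["when"] = datetime.strptime(row["Date/time"], DATE_FORMAT)
        rows.append(row)
    return sorted(rows, key=lambda r: r["when"])


def is_interactive(username):
    """SYSTEM/service detections come from scheduled or on-access scans;
    anything else is a real logon session touching the file."""
    return not username.upper().startswith("NT AUTHORITY\\")


def interactive_window(rows):
    """Earliest and latest detection attributed to a logged-in account: the
    minimum span during which someone was hands-on in that session."""
    times = [r["when"] for r in rows if is_interactive(r["Username"])]
    return (min(times), max(times)) if times else (None, None)


def triage(rows):
    """Return a list of findings, one dict per (kind, file path)."""
    findings = []
    by_path = defaultdict(list)
    for r in rows:
        by_path[r["Details"].lower()].append(r)  # rows are already time-ordered

    for path, events in by_path.items():
        first = events[0]
        name = first["Name"]
        actions = [e["Action taken"] for e in events]

        # The first sighting was by a logged-in account: the file was staged or
        # run inside that session, so the account itself is already in play.
        if is_interactive(first["Username"]):
            findings.append({"kind": "interactive-drop", "name": name,
                             "path": path, "user": first["Username"]})

        # Blocked, then cleaned up later by SYSTEM: the block stopped execution
        # but left the file on disk until a subsequent scan removed it.
        if "Blocked" in actions and "Cleaned up" in actions:
            findings.append({"kind": "persisted-after-block", "name": name,
                             "path": path, "events": len(events)})

        # Credential-theft tooling on the host: every credential used on it
        # since the first sighting should be treated as exposed, not just the
        # one account whose password was changed.
        if "mimikatz" in name.lower():
            findings.append({"kind": "credential-theft-tool", "name": name,
                             "path": path})

        # Ransomware payload: look for encrypted files and ransom notes, not
        # only for the dropper the scanner caught.
        if "ransom" in name.lower():
            findings.append({"kind": "ransomware", "name": name, "path": path})

    return findings


def count_kinds(findings):
    counts = defaultdict(int)
    for f in findings:
        counts[f["kind"]] += 1
    return dict(counts)


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    start, end = interactive_window(rows)
    print(f"interactive activity between {start} and {end}")
    for f in triage(rows):
        print(f)
```

On the rows from the post, every file is first seen by the `Administrator` session on the server's own desktop, each one survives its initial block until a later SYSTEM scan cleans it up, and the set includes both a credential-theft tool and a ransomware dropper. That reading is the point of the triage: "blocked by Sophos" describes the file, not the session that put it there.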