This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(268.8, 89%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
We received an alert from Microsoft defender that there was a "defense evasion incident detected on one endpoint" and there was 2 categories:
There were commands like this reported in the incident:
I couldnt find much info on ttb, but the little i found about it is it has something to do with taskbar operations?
If so, Im assuming there is no need for concern here? But if so, why was this flagged considering we perform lots of taskbar operations as well yet they dont get flagged?
Well it could be another user, malware, or a wide range of things. Look through the device history for other malware detections.
I'm not sure how to address file renames. Might be more of a local decision there. Your options are to ignore, run a full or partial AV scan, Windows also supports a more intensive offline AV scan, and if you are really concerned you might consider reimaging the system. Maybe also check the user's local access level which may be too high or local admin.
@Andrew Blumhardt thanks for the insights. and one more thing, can you give me examples of questions to survey the user with?
Any question you might ask in person or over the phone. For example, have you experienced any unusual activity recently? Has the device been out of your possession or used by someone else recently? Where were you located or were you traveling at the time of the incident? Were you logged in at the time of the reported incident? Have you had any unusual phone calls from tech support or anyone asking for login information or remote access? Have you seen any logon failure or account reset warnings on your work or personal devices? If your phone is used for MFA/2FA has it been out of your possession or exhibiting unusual activity? Is there any reason to think that your logon credentials may have been compromised? How long do you estimate since your last password reset? Could you have reused the same password somewhere else? Have you recently experienced a break-in of your home or vehicle? Do you recall opening any unusual emails, attachments, or file downloads?
Less 'we think you messed up" and more "you can help us resolve the issue that is likely not completely your fault" discussion.
@Andrew Blumhardt
Thank you!
It may not be the user.
@Andrew Blumhardt
right of course, could be another user who used the machine.
I like the survey idea. could you give examples of questions that would be meaningful to ask here?
@Andrew Blumhardt Also, what would be some recovery measures we can take? rename the tool back to NThandle?
I can't imagine a legitimate reason to rename a sysinternals file. I would at a minimum push a full AV scan. Maybe instruct the user to run an offline AV scan. Check the device history for any unusual activity. Ask the user if they have any input.
@Andrew Blumhardt
I know right, and this user isnt supposed to be technical...some of the other ttb commands reported had something to do with PPP loan pdf documents.
The thing is I'm filling out an incident report and idk if I should reach out to the user first in this case. Normally I would if its malware and tell them in the future to follow procedures and tun a full scan.
But in this case this is not malware...more like undisclosed activity/use...what if the user lies, especially since I'm kinda new? I dont really know their job function so maybe they were submitting these docs for the business since it is a small company but maybe he was submitting it for his own personal business? I dont want to make an odd encounter and he may misunderstand me thinking I'm suspicious of him considering he's senior at the org.
There is no need for this to be an accusatory conversation. This can also be a situation where a formal email template or survey form can be helpful. If you are talking about MDE there are automated and remote remediation tools at your disposal.
A user conversation might sound like 'Our security monitoring detected unusual activity on your system recently (maybe share the time). This may be an inaccurate reading. We have remotely scheduled a full antivirus scan as a precaution. If you have any feedback or additional comments please contact your IT Security rep or complete the survey form provided in the following link.'
The goal is not to accuse the user. Rather, the user might have useful information to help explain the situation (if they are open to sharing). Maybe they let someone else use the PC or were on a risky website. The few times that I have popped for security violations, I had a good idea of what happened. They may not be willing to share or tech savvy enough to recognize what happened. Can't hurt to ask.
@Andrew Blumhardt
Thank you for the tips! Btw, the only thing I could find about NThandle is it is used by windows NT admin to find which processes have files opened. Which makes me even more curious now why would this user rename such a utility...very sus!