Defense evasion incident was detected on one endpoint

Cataster 641 Reputation points

We received an alert from Microsoft defender that there was a "defense evasion incident detected on one endpoint" and there was 2 categories:

  • Attempt to hide use of dual-purpose tool (Common signed tool with internal name: Nthandle was renamed to ttb.exe)
  • Windows Sysinternals tool renamed

There were commands like this reported in the incident:

  • ttb -a "Word"
  • ttb -a "Proposal"
  • ttb -a "Excel"

I couldnt find much info on ttb, but the little i found about it is it has something to do with taskbar operations?
If so, Im assuming there is no need for concern here? But if so, why was this flagged considering we perform lots of taskbar operations as well yet they dont get flagged?

Windows 10 Security
Windows 10 Security
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
2,780 questions
0 comments No comments
{count} votes

Accepted answer
  1. Andrew Blumhardt 9,581 Reputation points Microsoft Employee

    Well it could be another user, malware, or a wide range of things. Look through the device history for other malware detections.

    I'm not sure how to address file renames. Might be more of a local decision there. Your options are to ignore, run a full or partial AV scan, Windows also supports a more intensive offline AV scan, and if you are really concerned you might consider reimaging the system. Maybe also check the user's local access level which may be too high or local admin.

3 additional answers

Sort by: Most helpful
  1. Andrew Blumhardt 9,581 Reputation points Microsoft Employee

    It may not be the user.

    1 person found this answer helpful.

  2. Andrew Blumhardt 9,581 Reputation points Microsoft Employee

    I can't imagine a legitimate reason to rename a sysinternals file. I would at a minimum push a full AV scan. Maybe instruct the user to run an offline AV scan. Check the device history for any unusual activity. Ask the user if they have any input.

  3. Andrew Blumhardt 9,581 Reputation points Microsoft Employee

    There is no need for this to be an accusatory conversation. This can also be a situation where a formal email template or survey form can be helpful. If you are talking about MDE there are automated and remote remediation tools at your disposal.

    A user conversation might sound like 'Our security monitoring detected unusual activity on your system recently (maybe share the time). This may be an inaccurate reading. We have remotely scheduled a full antivirus scan as a precaution. If you have any feedback or additional comments please contact your IT Security rep or complete the survey form provided in the following link.'

    The goal is not to accuse the user. Rather, the user might have useful information to help explain the situation (if they are open to sharing). Maybe they let someone else use the PC or were on a risky website. The few times that I have popped for security violations, I had a good idea of what happened. They may not be willing to share or tech savvy enough to recognize what happened. Can't hurt to ask.