SIEM (Sentinel) alerts this week

Anyone else’s SIEM tool of choice throwing alerts this week:

Immybot.Agent.Service.exe
  "cmd.exe" /c echo https://immystrg00882.blob.core.windows.net/public-binaries/Immybot.Agent.Ephemeral.exe.zip 47083C02C0C9F884EF1D19745B7E5E842AC6DBBD918F5F6A6DDEAD67E55C45FF %ProgramData%\ImmyBot\Scripts\2d3e399931ed44bfa352b76b5f0f4000 wss://wilsonco.immy.bot/ e6043844-3e8a-136c-70f1-8fa5b0c35449 | powershell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand
    powershell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand
      Immybot.Agent.Ephemeral.exe
        powershell.exe ran the Powershell Function 'Get-NetAdapter'
          ARP.EXE -a 10.0.0.1
            C:\WINDOWS\sysnative\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -File C:\ProgramData\ImmyBot\Scripts\2d3e399931ed44bfa352b76b5f0f4000\Invoke-PSPipeHost.ps1 -AgentPID 11904 -PipeName 1ba742208f4a4aa69a62340a8d14c88e -InstanceName 2d3e399931ed44bfa352b76b5f0f4000
              C:\Windows\System32\whoami.exe

Not just this week, but all the time for pretty much every agent (ImmyBot, CyberCNS, etc.) that we use.

Also not “alerts” as such, more like “detections”: they are recorded but don’t generate any alert on their own, but if there were enough detections of suspicious behaviour then they might add up to an alert.

Also maybe review your post and redact some of the info like your ImmyBot instance name, script ID folder, and there is a GUID in there that I don’t know if it’s important or not.
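The "detections that add up to an alert" idea in the reply, as an added example that is not from the thread or from any SIEM vendor: a small Python scorer over constructed process-creation events shaped like the tree in the post (made-up PIDs, an example.invalid URL, illustrative weights), which records the ImmyBot-rooted chain without alerting and alerts on the same chain under an unrecognised root. In Sentinel the equivalent would be a KQL analytics rule; Python is used here so the example runs offline.

```python
import re
from collections import defaultdict
# Constructed process-creation events modelled on the chain in the post:
# (pid, parent_pid, image, command_line). PIDs and the URL are made up.
EVENTS = [
    (100, 1, "Immybot.Agent.Service.exe", "Immybot.Agent.Service.exe"),
    (101, 100, "cmd.exe", '"cmd.exe" /c echo https://example.invalid/a.zip | powershell -NoProfile -ExecutionPolicy Unrestricted -EncodedCommand'),
    (102, 101, "powershell.exe", "powershell -NoProfile -ExecutionPolicy Unrestricted -EncodedCommand"),
    (103, 102, "Immybot.Agent.Ephemeral.exe", "Immybot.Agent.Ephemeral.exe"),
    (104, 103, "ARP.EXE", "ARP.EXE -a 10.0.0.1"),
    (105, 103, "whoami.exe", r"C:\Windows\System32\whoami.exe"),
    # The same chain under an unrecognised root process (constructed contrast case).
    (200, 1, "updater.exe", "updater.exe"),
    (201, 200, "cmd.exe", '"cmd.exe" /c echo x | powershell -ExecutionPolicy Unrestricted -EncodedCommand'),
    (202, 201, "powershell.exe", "powershell -EncodedCommand"),
    (203, 202, "whoami.exe", "whoami.exe"),
]
# Each indicator alone is a recorded detection, not an alert; the weights are
# illustrative assumptions, not any product's scoring.
INDICATORS = [
    ("encoded_powershell", re.compile(r"powershell.*-EncodedCommand", re.I), 3),
    ("unrestricted_policy", re.compile(r"-ExecutionPolicy\s+Unrestricted", re.I), 2),
    ("echo_piped_to_powershell", re.compile(r"\becho\b.*\|\s*powershell", re.I), 2),
    ("host_recon", re.compile(r"\b(whoami|arp)\.exe\b", re.I), 1),
]
# Known agent binaries whose trees are recorded but not alerted on. In production,
# key this on code-signing identity or file hash, not the image name.
KNOWN_AGENT_ROOTS = {"Immybot.Agent.Service.exe"}


def score_trees(events, known_agent_roots=KNOWN_AGENT_ROOTS, alert_threshold=6):
    """Sum indicator weights per process tree and decide 'recorded' vs 'alert'."""
    by_pid = {pid: (ppid, image) for pid, ppid, image, _ in events}

    def root(pid):  # follow parent links until the parent is outside the event set
        while by_pid[pid][0] in by_pid:
            pid = by_pid[pid][0]
        return pid

    hits = defaultdict(list)
    for pid, _, _, cmdline in events:
        hits[root(pid)].extend((n, w) for n, p, w in INDICATORS if p.search(cmdline))
    results = {}
    for root_pid, tree_hits in hits.items():
        root_image = by_pid[root_pid][1]
        score = sum(w for _, w in tree_hits)
        if root_image in known_agent_roots:
            verdict = "recorded"  # keep the evidence, suppress the alert
        else:
            verdict = "alert" if score >= alert_threshold else "recorded"
        results[root_image] = {"score": score, "hits": len(tree_hits), "verdict": verdict}
    return results
```

Calling `score_trees(EVENTS)` gives the ImmyBot tree a higher score than the unknown-root tree, yet only the latter reaches "alert"; passing `known_agent_roots=set()` shows the ImmyBot tree would alert without the tuning.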