Agent logs — WS-ACME-01 | Cyberion EDR Console

process_start high

09/06/2026 21:56:55 · source=agent

proc: powershell.exe cmd: powershell -enc JABj...

{
  "process_name": "powershell.exe",
  "cmdline": "powershell -enc JABj...",
  "user": "CORP\\jsmith"
}

network_connect critical

09/06/2026 21:56:55 · source=agent

ip: 185.220.101.45 port: 4444

{
  "remote_ip": "185.220.101.45",
  "remote_port": 4444,
  "protocol": "tcp"
}

process_start medium

09/06/2026 21:56:55 · source=agent

proc: cmd.exe cmd: cmd /c whoami

{
  "process_name": "cmd.exe",
  "cmdline": "cmd /c whoami",
  "user": "CORP\\admin"
}

network_connect low

09/06/2026 21:56:55 · source=agent

ip: 8.8.8.8 port: 53

{
  "remote_ip": "8.8.8.8",
  "remote_port": 53,
  "protocol": "udp"
}

agent_status low

09/06/2026 21:56:55 · source=agent

msg: heartbeat ok status: ok

{
  "status": "ok",
  "message": "heartbeat ok",
  "version": "1.2.0"
}

network_threat high

09/06/2026 21:56:55 · source=agent

ip: 45.33.32.156

{
  "remote_ip": "45.33.32.156",
  "reason": "known_c2",
  "action": "blocked"
}

process_start critical

09/06/2026 21:56:55 · source=agent

proc: mimikatz.exe cmd: mimikatz privilege::debug

{
  "process_name": "mimikatz.exe",
  "cmdline": "mimikatz privilege::debug",
  "user": "SYSTEM"
}

inventory_scan low

09/06/2026 21:56:55 · source=agent

{
  "packages_scanned": 847,
  "duration_ms": 12400
}

action_result low

09/06/2026 21:56:55 · source=agent

status: completed action: full_scan

{
  "action_type": "full_scan",
  "status": "completed",
  "findings": 0
}

network_delta medium

09/06/2026 21:56:55 · source=agent

{
  "new_connections": 3,
  "closed_connections": 12
}