Command Zero
Narration by Agent Zero
Medium
run-4ba16fb2-1e7a-4724-a667-b8f59b2b8576
Malicious
High confidence
  • malware
  • windows-server
  • management-server
  • microsoft-defender
  • turtleloader
  • leivion

Multiple Malware Variants Detected on Server Management System

Microsoft Defender XDR identified three distinct malware families (TurtleLoader, Leivion, Obfuscator) on Windows Server 2019 system 'ws-001.[INTERNAL_DOMAIN_1].local' in cache directories. No execution evidence was found, but the system's role as a management server with elevated access privileges amplifies the risk.

AUTONOMOUS INVESTIGATION
Command Zero · Agent Zero

Investigation time: 3m 44s (autonomous)
Questions asked: 10 (Microsoft 365 Defender, Microsoft Defender XDR, Microsoft Defender for Endpoint, Microsoft Entra)
Records analyzed: 2.3K (across all data sources)
Human analysis: ~2 hrs (Tier-2 equivalent *)
Analyst cost saved: ~$151 (at $85/hr loaded rate *)

Time and cost estimates are based on a Tier-2 SOC analyst model and actual investigation telemetry. Individual results vary by analyst experience, tooling, and environment.

Initial Signal

Microsoft Defender XDR flagged three distinct malware families on the Windows Server 2019 system `ws-001.[INTERNAL_DOMAIN_1].local` between December 21-23, 2025. The detections included TurtleLoader, Leivion (Trojan:Win32/Leivion.K), and Obfuscator (VirTool:SWF/Obfuscator.C), each with unique SHA256 hashes. What made this alert noteworthy was the location pattern: all three malware files were found in `[CUSTOM_DIR_1]` directories with nearly identical path structures (`E:\[CUSTOM_DIR_1]\[GUID]\{GUID}\[GUID]\diffsync\[GUID]`), suggesting they may be related to a differential synchronization process rather than random infections. The consistent naming convention (`pre_completed_ediffcompleted_diff_[FILE_ID].dat`) across all three detections pointed to a systematic infection vector. The investigation correlated data from Microsoft Defender XDR, Microsoft Defender for Endpoint, and Microsoft Entra ID across 10 invocations spanning 2,267 logon events and 2,279 total records. The analysis took 3 minutes 44 seconds to complete, revealing that while the malware was detected, no evidence of execution or post-infection activity appeared in the available telemetry.

How We Reached the Verdict

The agent considered each plausible alternative verdict and ruled them out one at a time. Each card below lists the hypothesis tested, the evidence weighed, and the dismissal rationale.

H1: Could this be an account compromise?

Ruled out

Supporting evidence:
  • Multiple malware detections on the system (TurtleLoader, Leivion, Obfuscator) (Moderate)
  • Files detected in [CUSTOM_DIR_1] directories suggesting potential system infection (Moderate)
  • Server has domain-joined status and network connectivity (Moderate)

Dismissed: While there are malware detections on the system, there is no evidence of successful unauthorized access to any user accounts. The malware detections are for files in cache directories that appear to have been detected before execution, with no indication of successful compromise of user credentials or account access. (High confidence)
H2: Could this be a system compromise?

Ruled out

Supporting evidence:
  • Multiple malware detections (TurtleLoader, Leivion, Obfuscator) on the system (Moderate)
  • Files located in [CUSTOM_DIR_1] directories suggesting potential system infection (Moderate)
  • Server has external connectivity that could enable command and control (Moderate)

Dismissed: Although malware was detected on the system, there is no evidence of successful execution or system compromise. The malware was detected in cache directories rather than in execution paths, and all detections were classified with 'Informational' severity by Microsoft Defender. There are no indicators of post-compromise activity such as lateral movement, privilege escalation, or data exfiltration. (Medium confidence)
H3: Could this be normal activity?

Ruled out

Supporting evidence:
  • Regular service account authentication patterns suggest normal operations (Moderate)
  • No evidence of system performance degradation or unusual behavior (Moderate)
  • Files detected in cache directories rather than execution paths (Moderate)

Dismissed: The presence of multiple malware detections on the system cannot be classified as normal activity. While the system appears to be functioning normally with regular service account access patterns, the detection of TurtleLoader, Leivion, and Obfuscator malware in cache directories represents anomalous activity that requires investigation. (High confidence)
H4: Could this be a false positive?

Ruled out

Supporting evidence:
  • Multiple distinct malware families identified (TurtleLoader, Leivion, Obfuscator) (Moderate)
  • Specific threat classifications with known malware family names (Moderate)
  • Files located in cache directories rather than execution paths (Moderate)

Dismissed: While the malware detections are in cache directories and classified as 'Informational' severity, the consistent identification of three different malware families (TurtleLoader, Leivion, Obfuscator) by Microsoft Defender makes a false positive determination unlikely. The specific threat family identifications and file hashes suggest these are genuine malware detections rather than benign files incorrectly flagged. (Medium confidence)

Disconfirming Evidence

Evidence that pushed against the agent's working hypothesis. Each item changed the direction of the investigation.

Evidence Gathered

The agent queried these data sources during the investigation. Each entry shows what was checked, what came back, and the methodology behind the query.

  • Malware detection: Microsoft Defender XDR detected 'TurtleLoader' malware in file 'pre_completed_ediffcompleted_diff_[FILE_ID_1].dat' with SHA256 hash 'd4b9700b98afae89f9dbfcf3da0f6114cb7213c8419f8bf920107ac11d66da40' (Source: Microsoft Defender XDR Alert)
  • Malware detection: Microsoft Defender XDR detected 'Leivion' malware (Trojan:Win32/Leivion.K) in file 'pre_completed_ediffcompleted_diff_[FILE_ID_2].dat' with SHA256 hash '4889b03334951485ad49aefa32c2b5f5442513083cf9e73be3d051bbcde98a0c' (Source: Microsoft Defender XDR Alert)
  • Malware detection: Microsoft Defender XDR detected 'Obfuscator' malware (VirTool:SWF/Obfuscator.C) in file 'pre_completed_ediffcompleted_diff_[FILE_ID_3].dat' with SHA256 hash '0ee1b1a637e627eeb0cf92e1b21866f4d47fb3114cfab31f4a822df72d46ea99' (Source: Microsoft Defender XDR Alert)
  • File location analysis: All malware detections occurred in [CUSTOM_DIR_1] directories with similar path structures (E:\[CUSTOM_DIR_1]\[GUID]\{GUID}\[GUID]\diffsync\[GUID]) (Source: Microsoft Defender XDR Alert)
  • System information: The affected system is identified as 'ws-001.[INTERNAL_DOMAIN_1].local' running Windows Server 2019 (build 17763) (Source: Microsoft Defender for Endpoint Machine Data)
  • Network configuration: The system has both internal (10.1.1.1) and external ([EXTERNAL_IP_1]) IP addresses, with the external IP belonging to [ORGANIZATION_1] (Source: Microsoft Defender for Endpoint Machine Data and IP Enrichment)
  • Account access: The system is accessed by multiple service accounts including SolarWinds, ForeScout, Commvault, Thycotic, and others, some of which have domain administrator privileges (Source: Microsoft Defender for Endpoint User Logon Data)

False Positive Analysis

The agent ran these validation checks to confirm the verdict isn't a false positive.

  1. fp1: Analyzed malware detection specificity and consistency (Pass)
  2. fp2: Evaluated file locations and naming patterns (Pass)
  3. fp3: Assessed likelihood of legitimate files triggering false positives (Pass)

Detection Opportunities

The high-fidelity detection signals from this investigation, sanitized for general use. Each MITRE ID links to the official technique reference.

  • Malware Detection
  • Suspicious File Location
  • Management Server Compromise Risk

Technique: T1566.001 Phishing - Spearphishing Attachment
Tactic: Initial Access
Context: Monitor for files with naming patterns matching differential synchronization processes (e.g., `pre_completed_ediffcompleted_diff_*.dat`) in cache directories. Flag detections of TurtleLoader, Leivion, and Obfuscator malware families regardless of severity classification. Alert on multiple distinct malware families detected in the same directory structure within a short timeframe, as this pattern suggests systematic infection rather than isolated incidents.

Technique: T1036.005 Masquerading - Match Legitimate Name or Location
Tactic: Defense Evasion
Context: Flag malware detections in cache directories with paths containing multiple nested GUIDs and `diffsync` subdirectories, as this structure is atypical for standard Windows operations. Monitor for files in `[CUSTOM_DIR_1]` paths that match known malware signatures, particularly when multiple files with similar naming conventions appear in the same directory tree.

Technique: T1547.001 Registry Run Keys / Startup Folder
Tactic: Persistence
Context: Prioritize investigation of malware detections on systems with elevated access privileges and external connectivity. For servers accessed by domain administrator accounts (SolarWinds, ForeScout, Commvault, Thycotic), treat any malware detection as high-priority even if classified as 'Informational' severity. Correlate malware detections with logon events from service accounts to establish timeline and access context.

Verdict Reasoning

The verdict of Malicious at high confidence rests on the following mutually corroborating signals:

1. Three distinct malware families identified with specific threat classifications and unique SHA256 hashes by Microsoft Defender XDR, indicating genuine detections rather than signature misidentification

2. Consistent detection pattern across multiple files with similar naming conventions and identical directory structures, suggesting systematic infection rather than isolated false positives

3. All malware families (TurtleLoader, Leivion, Obfuscator) are known threats with established signatures in threat intelligence databases, not benign files commonly flagged as false positives

4. The system's role as a central management server accessed by multiple service accounts with elevated privileges (SolarWinds, ForeScout, Commvault, Thycotic) amplifies the risk profile, as compromise could enable lateral movement

5. Confidence is rated High rather than Confirmed because the absence of execution evidence and 'Informational' severity classification by Microsoft Defender leave open the possibility that detection and containment occurred before the malware could run, though the presence of the files themselves is unambiguous

Lessons

  1. Severity classification is not a containment guarantee. In this investigation, Microsoft Defender classified all three malware detections as 'Informational' severity, which might suggest low risk. However, the presence of TurtleLoader, Leivion, and Obfuscator on a management server with domain administrator access is a critical finding regardless of severity label. Always investigate the actual threat family and system context, not just the severity score. A low-severity rating on a high-value target (like a management server) requires the same urgency as a high-severity alert on a workstation.
  2. Cache directories are staging grounds, not safe zones. The malware files were found in `[CUSTOM_DIR_1]` cache directories with differential synchronization paths, which might appear benign at first glance. However, cache locations are common staging areas for malware delivery and execution. The fact that files were detected before execution does not mean the infection vector is contained. Investigate how the files arrived in the cache and whether the synchronization process itself is compromised.
  3. Multiple malware families in one location signal a coordinated attack. Finding three distinct malware families (TurtleLoader, Leivion, Obfuscator) with identical naming patterns and directory structures is not coincidence. This pattern indicates either a coordinated multi-stage attack or a compromised supply chain feeding malware through the synchronization process. Treat this as evidence of deliberate targeting, not random infection, and escalate to threat hunting on related systems and accounts.
  4. Service account privilege is the real risk multiplier. The system is accessed by SolarWinds, ForeScout, Commvault, and Thycotic service accounts, some with domain administrator privileges. If any of these accounts were used to execute the malware (even if logs don't show it yet), the blast radius extends across the entire infrastructure these tools manage. Audit the service account activity during the detection window and verify that no lateral movement occurred through these privileged accounts.
  5. Absence of execution evidence is not absence of threat. The investigation found no evidence of malware execution in available logs, which might suggest the threat was contained. However, this absence could reflect gaps in telemetry coverage, log retention, or detection capabilities rather than actual containment. Conduct a full forensic examination of the affected system's file system and registry to confirm the malware was not executed, and verify that Microsoft Defender's detection actually prevented execution rather than simply flagging files that were already running.