Command Zero
Narration by Agent Zero
Highrun-8697ea81-0d86-499f-8146-62f3511e1c2c
Malicious
High confidence
  • malware
  • endpoint-compromise
  • privilege-escalation
  • persistence
  • multi-endpoint

Trojan:BAT/Starter.G!lnk Malware Detected Across 9 Endpoints with Domain Admin Access

Microsoft Defender detected Trojan:BAT/Starter.G!lnk malware on endpoint ws-001 with suspicious domain administrator remote access preceding detection. The malware appeared on 9 organizational endpoints with polymorphic naming patterns and low global prevalence, indicating a targeted attack.

Autonomous investigation: Command Zero · Agent Zero

  • Investigation time: 3m 1s (autonomous)
  • Questions asked: 9 (Microsoft 365 Defender, Microsoft Defender XDR, Microsoft Defender for Endpoint, Microsoft Entra)
  • Records analyzed: 74 (across all data sources)
  • Human analysis: ~2 hrs (Tier-2 equivalent *)
  • Analyst cost saved: ~$129 (at $85/hr loaded rate *)

Time and cost estimates are based on a Tier-2 SOC analyst model and actual investigation telemetry. Individual results vary by analyst experience, tooling, and environment.

Initial Signal

On March 20, 2026, Microsoft Defender for Endpoint detected Trojan:BAT/Starter.G!lnk malware on endpoint ws-001.[INTERNAL_DOMAIN_1].local ([MDE_MACHINE_ID_1]), mapping to MITRE technique T1547.001 (Registry Run Keys / Startup Folder). The alert fired on the file `[CUSTOM_FILE_1].bat` located in the non-standard directory `C:\[CUSTOM_DIR_1]\[CUSTOM_DIR_2]`, a path with no legitimate business purpose. What made this signal stand out was not just the malware classification itself but the temporal sequence: the domain administrator account [INTERNAL_DOMAIN_1]\user_3 accessed the machine via a RemoteInteractive logon at 06:59:57Z, and the malware detection occurred at 07:07:27Z, only 7 minutes later. The file also exhibited polymorphic naming across 9 organizational endpoints, suggesting deliberate obfuscation rather than a one-off incident. The investigation correlated Microsoft Defender for Endpoint alerts, logon events, and file prevalence data across 9 invocations and 74 records in 3 minutes 1 second of autonomous analysis, revealing a pattern consistent with either a compromised privileged account or an authorized administrator who inadvertently introduced malware into the environment.

How We Reached the Verdict

The agent considered each plausible alternative verdict and ruled them out one at a time. Each card below lists the hypothesis tested, the evidence weighed, and the dismissal rationale.

H1: Could this be a false positive?

Ruled out

  • Supporting evidence (moderate): File classified as Trojan:BAT/Starter.G!lnk with 'Malicious' verdict
  • Supporting evidence (moderate): Low global prevalence of 89 instances
  • Supporting evidence (moderate): Presence on 9 organizational endpoints with polymorphic naming

Dismissed: The evidence conclusively rules out a false positive. Microsoft Defender identified the file as Trojan:BAT/Starter.G!lnk with high confidence. The file has low global prevalence (89 instances), appeared on 9 organizational endpoints with polymorphic naming patterns, and was found in a non-standard directory path. These characteristics are inconsistent with legitimate software and strongly indicate malicious intent. (High confidence)
H2: Could this be a true positive that was blocked?

Ruled out

  • Supporting evidence (moderate): Microsoft Defender prevention status: 'Prevented'
  • Supporting evidence (moderate): Alert severity marked as 'Informational'
  • Supporting evidence (moderate): No evidence of successful execution on the analyzed endpoint

Dismissed: While Microsoft Defender did successfully prevent execution of the malware on this specific endpoint, the broader context indicates a more severe incident than a simple blocked malware attempt. The presence of domain administrator remote access shortly before malware detection, the file's appearance on 9 organizational endpoints, and the polymorphic naming patterns suggest a sophisticated attack rather than an isolated blocked malware event. The successful prevention on this endpoint does not mitigate the broader organizational impact. (Medium confidence)
H3: Could this be an account compromise?

Ruled out

  • Supporting evidence (moderate): Domain administrator remote access via RemoteInteractive logon
  • Supporting evidence (moderate): Temporal correlation between admin access and malware detection
  • Supporting evidence (moderate): Sequence of user logins culminating in admin access

Dismissed: While the login sequence and domain administrator access are highly suspicious, there is insufficient evidence to conclusively determine that the domain administrator account ([INTERNAL_DOMAIN_1]\user_3) was compromised rather than being used by an authorized administrator who inadvertently introduced malware. The evidence strongly suggests malicious activity but doesn't definitively prove unauthorized use of the domain administrator account versus an authorized administrator making a security error. The malware detection and domain administrator access are temporally correlated, but causation cannot be conclusively established from the available evidence. (Medium confidence)

Disconfirming Evidence

Evidence that pushed against the agent's working hypothesis. Each item changed the direction of the investigation.

Evidence Gathered

The agent queried these data sources during the investigation. Each entry shows what was checked, what came back, and the methodology behind the query.

  • Malware detection: Microsoft Defender detected and prevented Trojan:BAT/Starter.G!lnk malware ([CUSTOM_FILE_1].bat) in non-standard directory C:\[CUSTOM_DIR_1]\[CUSTOM_DIR_2] (source: Microsoft Defender for Endpoint Alert)
  • File prevalence: File hash 00ae146acabcffc9c304aa1e0f12330a04db4b2e has low global prevalence (89 instances) and appeared on 9 distinct endpoints in the organization (source: Microsoft Defender for Endpoint File Prevalence)
  • File characteristics: The malicious file exhibited polymorphic naming with 5 different filenames, including both .bat and .exe extensions (source: Microsoft Defender for Endpoint File Prevalence)
  • Authentication log: Domain administrator account [INTERNAL_DOMAIN_1]\user_3 accessed the machine via RemoteInteractive and Network logon types at 06:59:52Z-06:59:57Z on 2026-03-20 (source: Microsoft Defender for Endpoint Logon Events)
  • Authentication log: Brief user session from account [INTERNAL_DOMAIN_1]\user_2 at 06:50:31Z preceded the domain administrator access (source: Microsoft Defender for Endpoint Logon Events)
  • Authentication log: Standard user account [INTERNAL_DOMAIN_1]\user_1 was active on the system from 2026-02-20 through 2026-03-20 06:43:03Z (source: Microsoft Defender for Endpoint Logon Events)
  • File metadata: The malicious file is unsigned with no publisher information and was classified as non-PE (likely script) (source: Microsoft Defender for Endpoint File Information)
  • Risk assessment: The device had both 'High' risk score and 'High' exposure level in Microsoft Defender for Endpoint (source: Microsoft Defender for Endpoint Device Properties)
  • Temporal correlation: The malware detection occurred at 07:07:27Z on 2026-03-20, approximately 7 minutes after domain administrator access (source: Microsoft Defender for Endpoint Alert Evidence)
  • System activity: The device experienced multiple system reboots on March 18 and March 20, 2026 (source: Microsoft Defender XDR Login Events)

False Positive Analysis

The agent ran these validation checks to confirm the verdict isn't a false positive.

  1. fp1
    Verified the file is genuinely malicious based on Microsoft Defender classification
    Pass
  2. fp2
    Analyzed file prevalence and naming patterns within the organization
    Pass
  3. fp3
    Examined temporal correlation with user login activity
    Pass
  4. fp4
    Evaluated whether the file could be a legitimate security tool
    Pass

Detection Opportunities

The high-fidelity detection signals from this investigation, sanitized for general use. Each MITRE ID links to the official technique reference.

Trojan:BAT/Starter.G!lnk

  • Technique: T1547.001 (Registry Run Keys / Startup Folder)
  • Tactic: Persistence
  • Context: Flag unsigned .bat and .exe files in non-standard directories such as C:\[CUSTOM_DIR_1]\[CUSTOM_DIR_2] that attempt to modify HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run or similar persistence registry paths. Alert on polymorphic file naming patterns where the same file hash appears under 5 or more different filenames within a short timeframe, especially when combined with low global prevalence (under 100 instances). Monitor for domain administrator accounts executing or accessing these files via RemoteInteractive logon within 10 minutes of file creation or first detection.

Suspicious Logon Pattern

  • Technique: T1078.002 (Valid Accounts - Domain Accounts)
  • Tactic: Lateral Movement
  • Context: Alert on sequences where a standard user account is followed by brief access from a second account, then domain administrator remote access via RemoteInteractive logon within 20 minutes. Flag domain administrator accounts accessing machines outside normal business hours or from unusual IP addresses. Correlate RemoteInteractive and Network logon types for the same privileged account within a 10-minute window, as this pattern suggests lateral movement or credential misuse.
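The two detection opportunities above, implemented as a small rule set and run over constructed telemetry. This is an added example, not code from Command Zero or from the Agent Zero investigation; the record layout (FileEvent, LogonEvent), the five filenames, the devices other than ws-001 and the benign control hash are assumptions, while the file hash, the logon timestamps for user_1, user_2 and user_3, and the 07:07:27Z detection time are taken from the report. The thresholds (5 names, prevalence under 100, 10- and 20-minute windows) are the ones the detection opportunities state.

```python
"""Detection logic for the T1547.001 and T1078.002 opportunities above, run
over constructed telemetry. Added example, not Command Zero / Agent Zero code;
the record layout and sample rows are assumptions modelled on the report."""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta, timezone

FileEvent = namedtuple("FileEvent", "device time sha1 filename")
# logon_type is one of "Interactive", "Network", "RemoteInteractive"
LogonEvent = namedtuple("LogonEvent", "device time account logon_type is_domain_admin")


def ts(s):
    """Parse the report's '2026-03-20T06:59:57Z' style timestamps."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Hash and timestamps are taken from the report; the five filenames, devices
# other than ws-001, and the benign control hash are constructed.
HASH = "00ae146acabcffc9c304aa1e0f12330a04db4b2e"
BENIGN = "placeholder-benign-sha1"
NAMES = ["setup.bat", "update.bat", "svc.exe", "helper.exe", "run.bat"]
DETECTED = ts("2026-03-20T07:07:27Z")
FILE_EVENTS = [FileEvent(f"ws-{i:03d}", DETECTED + timedelta(minutes=i - 1),
                         HASH, NAMES[i % 5]) for i in range(1, 10)]
FILE_EVENTS += [FileEvent("ws-020", ts("2026-03-20T08:00:00Z"), BENIGN, "agent.exe"),
                FileEvent("ws-021", ts("2026-03-20T08:05:00Z"), BENIGN, "Agent.exe")]
GLOBAL_PREVALENCE = {HASH: 89, BENIGN: 250_000}
LOGON_EVENTS = [
    LogonEvent("ws-001", ts("2026-03-20T06:43:03Z"), "user_1", "Interactive", False),
    LogonEvent("ws-001", ts("2026-03-20T06:50:31Z"), "user_2", "Interactive", False),
    LogonEvent("ws-001", ts("2026-03-20T06:59:52Z"), "user_3", "Network", True),
    LogonEvent("ws-001", ts("2026-03-20T06:59:57Z"), "user_3", "RemoteInteractive", True),
    # constructed control: a lone admin RDP session with nothing preceding it
    LogonEvent("ws-030", ts("2026-03-20T09:00:00Z"), "user_3", "RemoteInteractive", True),
]


def polymorphic_low_prevalence(file_events, prevalence, min_names=5,
                               max_prevalence=100, window=timedelta(hours=24)):
    """Same hash under >= min_names distinct names within `window` and seen
    fewer than `max_prevalence` times globally (T1547.001 opportunity)."""
    by_hash = defaultdict(list)
    for ev in file_events:
        by_hash[ev.sha1].append(ev)
    hits = {}
    for sha1, evs in by_hash.items():
        names = {ev.filename.lower() for ev in evs}   # case-fold: Agent.exe == agent.exe
        times = sorted(ev.time for ev in evs)
        if (len(names) >= min_names and times[-1] - times[0] <= window
                and prevalence.get(sha1, 0) < max_prevalence):
            hits[sha1] = {"filenames": sorted(names),
                          "devices": sorted({ev.device for ev in evs})}
    return hits


def admin_rdp_before_detection(logons, device, detected_at, window=timedelta(minutes=10)):
    """Domain-admin RemoteInteractive logons on `device` within `window` before detection."""
    return [ev for ev in logons
            if ev.device == device and ev.is_domain_admin
            and ev.logon_type == "RemoteInteractive"
            and timedelta(0) <= detected_at - ev.time <= window]


def suspicious_logon_sequences(logons, window=timedelta(minutes=20),
                               pair_window=timedelta(minutes=10)):
    """T1078.002 opportunity: admin RemoteInteractive logon preceded within `window`
    by two other accounts, or paired with a Network logon of the same admin."""
    by_device = defaultdict(list)
    for ev in logons:
        by_device[ev.device].append(ev)
    alerts = []
    for device, evs in by_device.items():
        evs.sort(key=lambda ev: ev.time)
        for i, admin in enumerate(evs):
            if not (admin.is_domain_admin and admin.logon_type == "RemoteInteractive"):
                continue
            preceding = []   # distinct other accounts in the look-back window, in order
            for ev in evs[:i]:
                if (ev.account != admin.account and admin.time - ev.time <= window
                        and ev.account not in preceding):
                    preceding.append(ev.account)
            paired = any(ev.account == admin.account and ev.logon_type == "Network"
                         and abs(ev.time - admin.time) <= pair_window for ev in evs)
            if len(preceding) >= 2 or paired:
                alerts.append({"device": device, "account": admin.account, "time": admin.time,
                               "preceding_accounts": preceding, "network_logon_paired": paired})
    return alerts


if __name__ == "__main__":
    hits = polymorphic_low_prevalence(FILE_EVENTS, GLOBAL_PREVALENCE)
    for sha1, info in hits.items():
        print(sha1, len(info["filenames"]), "names on", len(info["devices"]), "devices")
        for dev in info["devices"]:
            for ev in admin_rdp_before_detection(LOGON_EVENTS, dev, DETECTED):
                print("  admin RDP before detection on", dev, "by", ev.account)
    for alert in suspicious_logon_sequences(LOGON_EVENTS):
        print("logon sequence alert:", alert)
```

On the sample rows the hash rule fires once (five names on nine devices, prevalence 89) and the benign control is ignored because case-folding collapses its two names to one; the admin-RDP check fires on ws-001 only, since user_3's RemoteInteractive logon is 7m30s before the detection; the logon-sequence rule fires on ws-001 (user_1 and user_2 precede user_3 within 20 minutes, and user_3's Network and RemoteInteractive logons are 5 seconds apart) and stays quiet on the lone ws-030 session.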

Verdict Reasoning

The verdict of Malicious at high confidence rests on the following mutually corroborating signals:

1. Microsoft Defender classified the file as Trojan:BAT/Starter.G!lnk with high confidence, and the file is unsigned with no publisher information, ruling out legitimate software

2. The file exhibited polymorphic naming (5 different filenames including .bat and .exe variants) across 9 organizational endpoints, a pattern inconsistent with false positives or benign tools

3. Global prevalence of only 89 instances combined with presence on 9 organizational endpoints (approximately 10% of the organization) indicates targeted malicious activity rather than widespread commodity malware

4. The temporal correlation between domain administrator remote access at 06:59:57Z and malware detection at 07:07:27Z (7 minutes later) suggests either account compromise or an authorized administrator inadvertently introducing malware

5. The file's location in non-standard directory C:\[CUSTOM_DIR_1]\[CUSTOM_DIR_2] with no legitimate business purpose further supports malicious intent.

Confidence is High rather than Confirmed because the available telemetry does not definitively establish whether the domain administrator account was compromised or whether an authorized user made a security error; the evidence strongly indicates malicious activity but stops short of conclusively proving unauthorized account use.

Lessons

  1. 01
    Polymorphic naming is a strong signal of deliberate obfuscation. In this investigation, the same file hash appeared under 5 different filenames across 9 endpoints. This polymorphic behavior is not typical of legitimate software updates or patches, which use consistent naming conventions. When you see the same hash with multiple names, especially .bat and .exe variants in non-standard directories, escalate immediately. The naming variation is the attacker's attempt to evade signature-based detection and suggests intentional malicious activity, not a false positive or benign tool.
  2. 02
    Temporal proximity between privileged access and malware detection is a pivot point. Domain administrator [INTERNAL_DOMAIN_1]\user_3 accessed the endpoint 7 minutes before malware detection. This tight correlation is not coincidental. Always cross-reference login events with alert timestamps, especially for privileged accounts. If a domain admin accesses a machine and malware appears within 15 minutes, investigate whether the account was compromised, whether the admin inadvertently introduced the malware, or whether the malware was already present and the admin access triggered detection. This temporal signal should trigger credential reset and account audit procedures.
  3. 03
    Prevention on one endpoint does not mean containment across the organization. Microsoft Defender blocked execution on ws-001, which looked like a win. But the malware was already present on 9 endpoints. The blocked count is a distraction from the real scope. Always ask: if this file is on 9 machines, how many executed successfully before we detected it? How many are still undetected? The prevention status on a single endpoint should trigger an immediate organization-wide hunt for the same file hash, not closure of the incident.
  4. 04
    Low global prevalence combined with organizational spread indicates targeted activity. This file had only 89 instances globally but appeared on 9 of your endpoints. That's a 10% organizational infection rate for a file almost nobody else has seen. This ratio is the signature of a targeted attack, not commodity malware or a false positive. When you see low global prevalence paired with high organizational prevalence, assume the attacker selected your organization deliberately and escalate to threat hunting and incident response teams immediately.
  5. 05
    Unsigned files in non-standard paths warrant immediate isolation. The file [CUSTOM_FILE_1].bat was unsigned, non-PE (likely a script), and located in C:\[CUSTOM_DIR_1]\[CUSTOM_DIR_2] — a path with no legitimate business purpose. Unsigned scripts in non-standard directories are a classic persistence mechanism. Before waiting for additional evidence, isolate affected endpoints from the network and preserve forensic images. The combination of unsigned status, non-standard path, and malware classification is sufficient to justify immediate containment actions.