Security Tools Are Being Used in Environments They Weren't Assigned To
Once attackers have admin rights, they will try to disable security software using applications built to force the removal of software, such as Process Hacker, IObit Uninstaller, GMER, and PC Hunter. These tools are legitimate, but if one shows up on a system to which it was not assigned, something is wrong.
Any detection of Mimikatz (used in NotPetya) should be investigated, Sophos' Mackenzie adds. If no one on your security team confirms using it, that's a red flag, because Mimikatz has become one of the most commonly used hacking tools for credential theft.
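One way to turn the "not assigned to this system" check into detection logic, as an added example that is not from the article or from Sophos. The assignment register, host names, match tokens and sample events are all assumptions constructed for illustration.

```python
import re

# Tools named in the article. The match tokens are assumptions for this example;
# a renamed binary will not match, so pair this with hash or signer checks.
WATCHLIST = {
    "Process Hacker": "processhacker",
    "IObit Uninstaller": "iobit",
    "GMER": "gmer",
    "PC Hunter": "pchunter",
    "Mimikatz": "mimikatz",
}

# Hypothetical assignment register: tool -> hosts where its use was approved.
# Mimikatz has no standing assignment, so every sighting needs confirmation.
ASSIGNED = {
    "Process Hacker": {"it-admin-01"},
    "GMER": {"ir-lab-02"},
}

def identify_tool(image_path):
    """Return the watchlisted tool a process image belongs to, or None."""
    name = re.split(r"[\\/]", image_path)[-1].lower()
    name = re.sub(r"[^a-z0-9]", "", name)  # "Process Hacker.exe" -> "processhackerexe"
    for tool, token in WATCHLIST.items():
        if token in name:
            return tool
    return None

def find_unassigned(events, assigned=ASSIGNED):
    """Return an alert for each watchlisted tool seen on a host it is not assigned to."""
    alerts = []
    for ev in events:
        tool = identify_tool(ev["image"])
        if tool and ev["host"].lower() not in assigned.get(tool, set()):
            alerts.append({"host": ev["host"], "tool": tool, "user": ev["user"]})
    return alerts

# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "it-admin-01", "user": "jsmith", "image": r"C:\Tools\ProcessHacker.exe"},
    {"host": "fin-ws-17", "user": "svc_backup", "image": r"C:\Users\Public\ProcessHacker.exe"},
    {"host": "dc-01", "user": "administrator", "image": r"C:\Temp\mimikatz.exe"},
    {"host": "hr-ws-03", "user": "alee", "image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for alert in find_unassigned(SAMPLE_EVENTS):
        print(alert)
```

The approved Process Hacker run on the admin workstation stays quiet, while the same tool on a finance workstation and Mimikatz on any host produce alerts to be confirmed with the security team.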