Yeah, this guy is getting LSASS shutdowns on all servers at about an hour exactly. LPs look clean, but I was able to brute-force submit a few susp files out of System32. I've already told him to quarantine machines, but he says they're serving 10,000 seats. I let him know he'd have 10,000 infected if we're looking at a net-aware. He's set up with mitigation strategies, which he can ignore at his peril. Frankly, he's spybotted himself and, since term accounts are being renamed, rooted as well. Seen anything new on the horizon for LSASS killers?
Wouldn't this be easier over IM?
What? You meant the other posters? OHHHHH! Yeah, that does make more sense.
(Not just a fun inside joke, but also a reminder: our illustrious first poster is the man to see for this kind of thing.)