So a customer has been breachified, we got to watch it through CrowdStrike in real-time. They just closed out all our notes and investigations as false positives, but yo something is taking screenshots on all your hosts and has access to your domain controller. Maaaaaybe take a looksie.