Back to list

Critical CINC-20251220-69E8E6EF new

Aggregate ID: aggind:d403078a73c1471f9199f846a04a1b58:4295473740

Incident Overview

Incident ID CINC-20251220-69E8E6EF
Severity Critical (90)
Status new
Alert Count 4
Host Count 1

Timeline

First Seen 2025-12-15 02:48:48
Last Seen 2025-12-15 03:09:00
Duration 0d 0h 20m
Created 2025-12-20 13:23
Updated 2026-01-13 15:14

Kill Chain Analysis

Rec... Ini... Exe... Per... Pri... Def... Cre... Dis... Lat... Col... Com... Exf... Imp...
Observed Tactics:
Credential Access Defense Evasion Execution
Techniques:
OS Credential Dumping Process Injection User Execution

Affected Hosts (1)

DESKTOP-0TNTPTE

Related Alerts (4)

Severity Status Hostname Description Tactic Command Line Time
High new DESKTOP-0TNTPTE A PowerShell script appears to be launching mimikatz, a password dumping utility. This is often launched as part of a PowerShell exploit kit. Decode and review the script. Credential Access "powershell.exe" -c vault::cred 12-15 03:09
Critical new DESKTOP-0TNTPTE A process saved the Security Account Manager SAM or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. Credential Access "reg.exe" save HKLM\SYSTEM C:\Windows\Temp\system.hiv 12-15 03:08
Medium new DESKTOP-0TNTPTE A suspicious process injected into another process in an unusual way. Investigate the process trees for the injector and injectee. Defense Evasion "mavinject.exe" 13844 /INJECTRUNNING C:\Windows\Temp\test.dll 12-15 03:08
Informational new DESKTOP-0TNTPTE A process has written a known EICAR test file. Review the files written by the triggered process. Execution "C:\Users\dsst\cortex-xdr-siem-test\xdr_tools\UltimateXdrGenerator\publish\UltimateXdrGenerator.exe" 12-15 02:48