Blog
/

Threat Finds

RESPOND

Inside the SOC

/
June 27, 2021

Post-Mortem Analysis of a SQL Server Exploit

Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
27
Jun 2021
Learn about the post-mortem analysis of a SQL Server exploit. Discover key insights and strategies to enhance your cybersecurity defenses.

While SaaS and IoT devices are increasingly popular vectors of intrusion, server-side attacks remain a serious threat to organizations worldwide. With sophisticated vulnerability scanning tools, attackers can now pinpoint security flaws in seconds, finding points of entry across the attack surface. Human security teams often struggle to keep pace with the constant wave of newly documented vulnerabilities and patches.

Darktrace recently stopped a targeted cyber-attack by an unknown attacker. After the initial entry, the attacker exploited an unpatched vulnerability (CVE-2020-0618), granting a low-privileged credential the ability to remotely execute code. This enabled the attacker to spread laterally and eventually establish a foothold in the system by creating a new user account.

The server-side attack cycle: authenticates user; scans network; infects three servers; downloads malware; c2 traffic; creates new user.

Figure 1: Overview of the server-side attack cycle.

This blog breaks down the intrusion and explores how Darktrace’s Autonomous Response technology took three surgical actions to halt the attacker’s movements.

Unknown threat actors exploit a vulnerability

Initial compromise

At a financial firm in Canada with around 3,000 devices, Cyber AI detected the use of a new credential, ‘parents’. The attacker used this credential to access the company’s internal environment through the VPN. From there, the credential authenticated to a desktop using NT LAN Manager (NTLM). No further suspicious activity was observed.

NTLM is a popular attack vector for cyber-criminals as it is vulnerable to multiple methods of compromise, including brute-force and ‘pass the hash’. The initial access to the credential could have been obtained via phishing before Darktrace had been deployed.

Figure 2: The credential was first observed on the device five days prior to reconnaissance. The attacker performed reconnaissance and lateral movement for two days, until the compromised devices were taken down.

Internal reconnaissance

Five days later, the ‘parents’ credential was seen logging onto the desktop. The desktop began scanning the network – over 80 internal IPs – on Port 443 and 445.

Shortly after the scan, the device used Nmap to attempt to establish SMBv1 sessions to 139 internal IPs, using guest / user credentials. 79 out of the 278 sessions were successful, all using the login.

Figure 3: New failed internal connections performed by an initially infected desktop, in a similar incident. The graph highlights a surge in failed internal connections and model breaches.

The network scan was the first stage after intrusion, enabling the attacker to find out which services were running, before looking for unpatched vulnerabilities.

Nmap has multiple built-in functionalities which are often exploited for reconnaissance and lateral movement. In this case, it was being used to establish the SMBv1 sessions to the domain controller, saving the attacker from having to initiate SMBv1 sessions with each destination one by one. SMBv1 has well-known vulnerabilities and best practice is to disable it where possible.

Lateral movement

The desktop began controlling services (svcctl endpoint) on a SQL server. It was observed both creating and starting services (CreateServiceW, StartServiceW).

The desktop then initiated an unencrypted HTTP connection to a SQL Reporting server. This was the first HTTP connection between the two devices and the first time the user agent had been seen on the device.

A packet capture of the connection reveals a POST that is seen in an exploit of CVE-2020-0613. This vulnerability is a deserialization issue, whereby the server mishandles carefully crafted page requests and allows low-privileged accounts to establish a reverse shell and remotely execute code on the server.

Figure 4: A partial PCAP of the HTTP connection. The traffic matches the CVE-2020-0618 exploit, which enables Remote Code Execution (RCE) in SQL Server Reporting Services (SSRS).

Most movements were seen in East-West traffic, with readily-available remote procedure call (RPC) methods. Such connections are abundant in systems. Without learning an organization’s ‘pattern of life’, it would have been near-impossible to highlight the malicious connections.

Cyber AI detected connections to the svcctl endpoint, via the DCE-RPC endpoint. This is called the 'service control' endpoint and is used to remotely control running processes on a device.

During the lateral movement from the desktop, the HTTP POST request revealed that the desktop was exploiting CVE-2020-0613. The attacker had managed to find and exploit an existing vulnerability which hadn’t been patched.

Darktrace was the only tool which alerted to the HTTP connection, revealing this underlying (and concluding) exploit. The AI determined that the user agent was unusual for the device and for the wider organization, and that the connection was highly anomalous. This connection would have gone otherwise amiss, since HTTP connections are common in most digital environments.

Because the attacker on the desktop used readily-available tools and protocols, such as Nmap, DCE-RPC, and HTTP, the device went undetected by all the other cyber defenses. However, Cyber AI noticed multiple scanning and lateral movement anomalies – triggering high-fidelity detections which would have been alerted to with Proactive Threat Notifications.

Command and control (C2) communication

The next day, the attacker connected to an SNMP server from the VPN. The connection used the ‘parents’ RDP cookie.

Immediately after the RDP connection began, the server connected to Pastebin and downloaded small amounts of encrypted data. Pastebin was likely being used as a vector to drop malicious scripts onto the device.

The SNMP server then started controlling services (svcttl) on the SQL server: again, creating and starting services.

Following this, both the SQL server and the SNMP server made a high volume of SSL connections to a rare external domain. One upload to the destination was around 21 MB, but otherwise the connections were mostly the same packet size. This, among other factors, indicated that the destination was being used as a C2 server.

Figure 5: Example Cyber AI Analyst investigation into beaconing activity by a SQL server.

With just one compromised credential, the attacker was now connecting to the VPN and infecting multiple servers on the company’s internal network.

The attacker dropped scripts onto the host using Pastebin. Darktrace alerted on this because Pastebin is highly rare for the organization. In fact, these connections were the first time it had been seen. Most security tools would miss this, as Pastebin is a legitimate site and would not be blocked by open-source intelligence (OSINT).

Even if a lesser-known Pastebin alternative had been used – say, in an environment where Pastebin was blocked on the firewall but the alternative not — Darktrace would have picked up on it in exactly the same way.

The C2 beaconing endpoint – dropbox16[.]com – has no OSINT information available online. The connections were on Port 443 and nothing about them was notable except from their rarity on the company’s system. Darktrace sent alerts because of its high rarity, rather than relying on known signatures.

Achieve persistence

After another Pastebin pull, the attacker attempted to maintain a greater foothold and escalate privileges by creating a new user using the SamrCreateUser2InDomain operation (endpoint: samr).

To establish persistence, the attacker now created a new user through a specific DCE-RPC command to the domain controller. This was highly unusual activity for the device, and was given a 100% anomaly score for ‘New or Uncommon Occurrence’.

If Darktrace had not alerted on this activity, the attacker would have continued to access files and make further inroads in the company, extracting sensitive data and potentially installing ransomware. This could have led to sensitive data loss, reputational damage, and financial losses for the company.

The value of Autonomous Response

The organization had Antigena in passive mode, so although it was not able to respond autonomously, we have visibility into the actions that it would have taken.

Antigena would have taken three actions on the initially infected desktop, as shown in the table below. The actions would have taken effect immediately in response to the first scan and the first service control requests.

During the two days of reconnaissance and lateral movement activity, these were the only steps Antigena suggested. The steps were all directly relevant to the intrusion – there was no attempt to block anything unrelated to the attack, and no other Antigena actions were triggered during this period.

By surgically blocking connections on specific ports during the scanning activity and enforcing the ‘pattern of life’ on the infected desktop, Antigena would have paralyzed the attacker’s reconnaissance efforts.

Furthermore, unusual service control attempts performed by the device would have been halted, minimizing the damage to the targeted destination.

Antigena would have delivered these blocks directly or via whatever integration was most suitable for the customer, such as firewall integrations or NAC integrations.

Lessons learned

The threat story above demonstrates the importance of controlling the access granted to low-privileged credentials, as well as remaining up-to-date with security patches. Since such attacks take advantage of existing network infrastructure, it is extremely difficult to detect these anomalous connections without the use of AI.

There was a delay of several days between the initial use of the ‘parents’ credentials and the first signs of lateral movement. This dormancy period – between compromise and the start of internal activities – is commonly seen in attacks. It likely indicates that the attacker was checking initially if their access worked, and then re-visiting the victim for further compromise once their schedule allowed for it.

Stopping a server-side attack

This compromise is reflective of many real-life intrusions: attacks cannot be easily attributed and are often conducted by sophisticated, unidentified threat actors.

Nevertheless, Darktrace managed to detect each stage of the attack cycle: initial compromise, reconnaissance, lateral movement, established foothold, and privilege escalation, and had Antigena been in active mode, it would have blocked these connections, and even prevented the initial desktop from ever exploiting the SQL vulnerability, which allowed the attacker to execute code remotely.

One day later, after seeing the power of Autonomous Response, the company decided to deploy Antigena in active mode.

Thanks to Darktrace analyst Isabel Finn for her insights on the above threat find.

Darktrace model detections:

  • Device / Anomalous Nmap SMB Activity
  • Device / Network Scan - Low Anomaly Score
  • Device / Network Scan
  • Device / ICMP Address Scan
  • Device / Suspicious Network Scan Activity
  • Anomalous Connection / New or Uncommon Service Control
  • Device / Multiple Lateral Movement Model Breaches
  • Device / New User Agent To Internal Server
  • Compliance / Pastebin
  • Device / Repeated Unknown RPC Service Bind Errors
  • Anomalous Server Activity / Rare External from Server
  • Compromise / Unusual Connections to Rare Lets Encrypt
  • User / Anomalous Domain User Creation Or Addition To Group

Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Author
Max Heinemeyer
Chief Product Officer

Max is a cyber security expert with over a decade of experience in the field, specializing in a wide range of areas such as Penetration Testing, Red-Teaming, SIEM and SOC consulting and hunting Advanced Persistent Threat (APT) groups. At Darktrace, Max is closely involved with Darktrace’s strategic customers & prospects. He works with the R&D team at Darktrace, shaping research into new AI innovations and their various defensive and offensive applications. Max’s insights are regularly featured in international media outlets such as the BBC, Forbes and WIRED. Max holds an MSc from the University of Duisburg-Essen and a BSc from the Cooperative State University Stuttgart in International Business Information Systems.

Book a 1-1 meeting with one of our experts
Share this article

More in this series

No items found.

Blog

/

December 19, 2024

/
No items found.

Darktrace Recognized in the Gartner® Magic Quadrant™ for Email Security Platforms

Default blog imageDefault blog image

Darktrace has been recognized in the first ever Gartner Magic Quadrant for Email Security Platforms (ESP).  As a Challenger, we have been recognized based on our Ability to Execute and Completeness of Vision.

The Gartner Magic Quadrant for Email Security is designed to help organizations evaluate which email security solutions might be the best fit for their needs by providing a visual representation of the market vendors and the strengths and cautions of different vendors. We encourage our customers to read the full report to get the complete picture.

Darktrace / EMAIL has a unique AI approach to identifying threats, including NLP and behavioral analysis, instead of traditional security measures like signatures and sandboxing – providing protection against advanced attacks like Business Email Compromise (BEC) and spear phishing. We believe our AI-first approach delivers high-quality solutions that our customers trust, allowing them to stay ahead of sophisticated threats that other tools miss.  

We’re proud of Darktrace’s rapid growth, geographic scale, and ability to execute effectively in the email security market, which reflect our commitment to delivering high-quality, reliable solutions that meet the evolving needs of our customers.

What do we believe makes Darktrace the fastest growing email security solution on the market?

An AI-first approach to innovation: Catching the threats others miss

As one of the founders of the ICES category, Darktrace has a long history of innovation, backed by over 200 patents. While other email security solutions are only just starting to apply machine learning (ML) techniques to outdated methods like signature analysis, reputation lists, and sandboxing, Darktrace has redefined the approach to email threat detection with its pioneering AI-driven anomaly detection engine.

Traditional ESPs often miss advanced threats because they rely on rules and signatures that focus on payloads and blindly trust known sources. This approach requires constant updates and frequently fails to detect threats like Business Email Compromise and Spear Phishing. In contrast, Darktrace / EMAIL uses advanced anomaly detection to identify the most sophisticated threats by focusing on unusual patterns and behaviors. This innovative approach has consistently delivered superior detection, stopping on average 58% of the threats that other solutions in the security stack miss.1

But our AI-first approach doesn’t stop at the inbox. At Darktrace, we transcend the limitations of traditional email security by leveraging a platform that unifies insights across multiple domains, providing robust protection against multi-domain threats. Our award-winning solutions defend the most popular attack vectors, including email, messaging, network, and identity protection. By combining signals from all domains, we establish unique behavioral profiles for each device and user, significantly enhancing detection precision.  

This pioneering approach has led to introducing industry-first advancements like QR code analysis and automated incident investigations, alongside game-changing functionality including:

  • Microsoft Teams security with advanced messaging analysis: The ability to identify critical early phishing and insider threats across both email and Microsoft Teams messaging.  
  • AI analyst narratives for improved end user reporting: that reduces phishing investigations by 60% by exposing unique narratives that provide the context of each received email and give feedback to each employee as they interact with their mail.2
  • Mailbox Security Assistant: to perform advanced behavioral browser analysis and stop malicious links within webpages, detecting and remediating 70% more malicious phishing links than traditional tools.3  
  • AI based, autonomous data loss prevention: to immediately secure your organization from misdirected emails, insider threats, and data loss—both classified and unclassified- without any administrative overhead.

Customer trust that fuels exponential growth

With almost 5,000 customers in under 5 years, we've doubled the growth rate of other vendors in the email security market. Our rapid market penetration, fueled by customer satisfaction and pioneering technology, showcases our revolutionary approach and sets new industry standards. 

Darktrace’s exceptional customer retention is fueled by an unparalleled customer experience, extensive regional support, dedicated account teams, and cutting-edge scalable technology. We pride ourselves on having a global network with local expertise, consisting of 110 worldwide offices which provide local language and technical support to offer multilingual, in-house assistance to our customer base.

Check it out – Darktrace / EMAIL has the highest percentage of 5-star ratings with a 4.8 rating on Gartner® Peer Insights™.4

Supporting every stage of your email security journey

Darktrace / EMAIL supports your security maturity journey, from first time security buyers to mature security stacks looking to augment their existing ESPs – by handling advanced threats without extensive tuning. And unlike other solutions that create a siloed and parallel solution, it works harmoniously with native email providers to create a modern email security stack. That’s why Darktrace performs well with first-time email security buyers and has strong renewal rates.

Integrating with Microsoft and Google via API, we replace traditional Secure Email Gateways (SEGs) with a modern, comprehensive email security stack. By combining approaches, our solution merges attack-centric analysis, which learns attack patterns and threat intelligence, with a business-centric approach that understands user behavior and inbox activity to deliver a unified stack that defends the entire threat spectrum – leading Darktrace to be recognized as Microsoft Partner of the year UK 2024.  

Our user-friendly, self-learning AI solution requires minimal tuning and deployment, making it perfect for customers looking for a highly usable but lightly configurable solution that will accompany them throughout their lifetime as they mature their email security stack in line with the evolving threat landscape.

Learn more

Get complimentary access to the full Gartner® Magic Quadrant™ for Email Security Platforms here.

To learn more about Darktrace / EMAIL or to get a free demo, check out the product hub.

References

1 From September 1 – December 31 2023, 58% of the phishing emails analyzed by Darktrace / EMAIL had already passed through native spam filtering and email security controls. (Darktrace End of Year Threat Report 2023)

2 When customers deployed the Darktrace / EMAIL Outlook Add-in there was a 60% decrease in incorrectly reported phishing emails. Darktrace Internal Research, 2024

3 Once a user reports phishing that contains a link, an automated second level triage engages our link analysis infrastructure expanding the signals analyzed. Darktrace Internal Research, 2024

4 Based on 252 reviews as of 19th December 2024

Continue reading
About the author
Carlos Gray
Product Manager

Blog

/

December 17, 2024

/

Inside the SOC

Cleo File Transfer Vulnerability: Patch Pitfalls and Darktrace’s Detection of Post-Exploitation Activities

Default blog imageDefault blog image

File transfer applications: A target for ransomware

File transfer applications have been a consistent target, particularly for ransomware groups, in recent years because they are key parts of business operations and have trusted access across different parts of an organization that include potentially confidential and personal information about an organization and its employees.

Recent targets of ransomware criminals includes applications like Acellion, Moveit, and GoAnywhere [1]. This seems to have been the case for Cleo’s managed file transfer (MFT) software solutions and the vulnerability CVE-2024-50623.

Threat overview: Understanding Cleo file transfer vulnerability

This vulnerability was believed to have been patched with the release of version 5.8.0.21 in late October 2024. However, open-source intelligence (OSINT) reported that the Clop ransomware group had managed to bypass the initial patch in late November, leading to the successful exploitation of the previously patched CVE.

In the last few days Cleo has published a new vulnerability, CVE-2024-55956, which is not a patch bypass of the CVE-2024-50623 but rather another vulnerability. This is also an unauthenticated file write vulnerability but while CVE-2024-50623 allows for both reading and writing arbitrary files, the CVE-2024-55956 only allows for writing arbitrary files and was addressed in version 5.8.0.24 [2].

Darktrace Threat Research analysts have already started investigating potential signs of devices running the Cleo software with network traffic supporting this initial hypothesis.

Comparison of CVE-2024-50623 and CVE-2024-55956

While CVE-2024-50623 was initially listed as a cross-site scripting issue, it was updated on December 10 to reflect unrestricted file upload and download. This vulnerability could lead to remote code execution (RCE) in versions of Cleo’s Harmony, VLTrader, and LexiCom products prior to 5.8.0.24. Attackers could leverage the fact that files are placed in the "autorun" sub-directory within the installation folder and are immediately read, interpreted, and evaluated by the susceptible software [3].

CVE-2024-55956, refers to an unauthenticated user who can import and execute arbitrary Bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory [4]. Both CVEs have occurred due to separate issues in the “/Synchronization” endpoint.

Investigating post exploitation patterns of activity on Cleo software

Proof of exploitation

Darktrace’s Threat Research analysts investigated multiple cases where devices identified as likely running Cleo software were detected engaging in unusual behavior. Analysts also attempted to identify any possible association between publicly available indicators of compromise (IoCs) and the exploitation of the vulnerability, using evidence of anomalous network traffic.

One case involved an Internet-facing device likely running Cleo VLTrader software (based on its hostname) reaching out to the 100% rare Lithuanian IP 181.214.147[.]164 · AS 15440 (UAB Baltnetos komunikacijos).

This activity occurred in the early hours of December 8 on the network of a customer in the energy sector. Darktrace detected a Cleo server transferring around over 500 MB of data over multiple SSL connections via port 443 to the Lithuanian IP. External research reported that this IP appears to be a callback IP observed in post-exploitation activity of vulnerable Cleo devices [3].

While this device was regularly observed sending data to external endpoints, this transfer represented a small increase in data sent to public IPs and coupled with the rarity of the destination, triggered a model alert as well as a Cyber AI Analyst Incident summarizing the transfer. Unfortunately, due to the encrypted connection no further analysis of the transmitted data was possible. However, due to the rarity of the activity, Darktrace’s Autonomous Response intervened and prevented any further connections to the IP.

 Model Alert Event Log show repeated connections to the rare IP, filtered with the rarity metric.
Figure 1: Model Alert Event Log show repeated connections to the rare IP, filtered with the rarity metric.
Shows connections to 181.214.147[.]164 and the amount of data transferred.
Figure 2: Shows connections to 181.214.147[.]164 and the amount of data transferred.

On the same day, external connections were observed to the external IP 45.182.189[.]225, along with inbound SSL connections from the same endpoint. OSINT has also linked this IP to the exploitation of Cleo software vulnerabilities [5].

Outgoing connections from a Cleo server to an anomalous endpoint.
Figure 3: Outgoing connections from a Cleo server to an anomalous endpoint.
 Incoming SSL connections from the external IP 45.182.189[.]225.
Figure 4: Incoming SSL connections from the external IP 45.182.189[.]225.

Hours after the last connection to 181.214.147[.]164, the integration detection tool from CrowdStrike, which the customer had integrated with Darktrace, issued an alert. This alert provided additional visibility into host-level processes and highlighted the following command executed on the Cleo server:

“D:\VLTrader\jre\bin\java.exe" -jar cleo.4889

Figure 5: The executed comand “D:\VLTrader\jre\bin\java.exe" -jar cleo.4889 and the Resource Location: \Device\HarddiskVolume3\VLTrader\jre\bin\java.exe.

Three days later, on December 11, another CrowdStrike integration alert was generated, this time following encoded PowerShell command activity on the server. This is consistent with post-exploitation activity where arbitrary PowerShell commands are executed on compromised systems leveraging the default settings of the Autorun directory, as highlighted by Cleo support [6]. According to external researchers , this process initiates connections to an external IP to retrieve JAR files with webshell-like functionality for continued post-exploitation [3]. The IP embedded in both commands observed by Darktrace was 38.180.242[.]122, hosted on ASN 58061(Scalaxy B.V.). There is no OSINT associating this IP with Cleo vulnerability exploitation at the time of writing.

Another device within the same customer network exhibited similar data transfer and command execution activity around the same time, suggesting it had also been compromised through this vulnerability. However, this second device contacted a different external IP, 5.45.74[.]137, hosted on AS 58061 (Scalaxy B.V.).

Like the first device, multiple connections to this IP were detected, with almost 600 MB of data transferred over the SSL protocol.

The Security Integration Detection Model that was triggered  and the PowerShell command observed
Figure 6: The Security Integration Detection Model that was triggered  and the PowerShell command observed
 Incoming connections from the external IP 38.180.242[.]122.
Figure 7: Incoming connections from the external IP 38.180.242[.]122.
Connections to the external IP 5.45.74[.]137.
Figure 8: Connections to the external IP 5.45.74[.]137.
Figure 9: Autonomous Response Actions triggered during the suspicious activities

While investigating potential Cleo servers involved in similar outgoing data activity, Darktrace’s Threat Research team identified two additional instances of likely Cleo vulnerability exploitation used to exfiltrate data outside the network. In those two instances, unusual outgoing data transfers were observed to the IP 176.123.4[.]22 (AS 200019, AlexHost SRL), with around 500 MB of data being exfiltrated over port 443 in one case (the exact volume could not be confirmed in the other instance). This IP was found embedded in encoded PowerShell commands examined by external researchers in the context of Cleo vulnerability exploitation investigations.

Conclusion

Overall, Cleo software represents a critical component of many business operations, being utilized by over 4,000 organizations worldwide. This renders the software an attractive target for threat actors who aim at exploiting internet-facing devices that could be used to compromise the software’s direct users but also other dependent industries resulting in supply chain attacks.

Darktrace / NETWORK was able to capture traffic linked to exploitation of CVE-2024-50623 within models that triggered such as Unusual Activity / Unusual External Data to New Endpoint while its Autonomous Response capability successfully blocked the anomalous connections and exfiltration attempts.

Information on new CVEs, how they're being exploited, and whether they've been patched can be fast-changing, sometimes limited and often confusing. Regardless, Darktrace is able to identify and alert to unusual behavior on these systems, indicating exploitation.

Credit to Maria Geronikolou, Alexandra Sentenac, Emma Fougler, Signe Zaharka and the Darktrace Threat Research team

Insights from Darktrace’s First 6: Half-year threat report for 2024

First 6: half year threat report darktrace screenshot

Darktrace’s First 6: Half-Year Threat Report 2024 highlights the latest attack trends and key threats observed by the Darktrace Threat Research team in the first six months of 2024.

  • Focuses on anomaly detection and behavioral analysis to identify threats
  • Maps mitigated cases to known, publicly attributed threats for deeper context
  • Offers guidance on improving security posture to defend against persistent threats

Appendices

References

[1] https://blog.httpcs.com/en/file-sharing-and-transfer-software-the-new-target-of-hackers/

[2] https://attackerkb.com/topics/geR0H8dgrE/cve-2024-55956/rapid7-analysis

[3] https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild

[4] https://nvd.nist.gov/vuln/detail/CVE-2024-55956

[5] https://arcticwolf.com/resources/blog/cleopatras-shadow-a-mass-exploitation-campaign/

[6] https://support.cleo.com/hc/en-us/articles/28408134019735-Cleo-Product-Security-Advisory-CVE-Pending

[7] https://support.cleo.com/hc/en-us/articles/360034260293-Local-HTTP-Users-Configuration

Darktrace Model Alerts

Anomalous Connection / Data Sent to Rare Domain

Unusual Activity / Unusual External Data to New Endpoint

Unusual Activity / Unusual External Data Transfer

Device / Internet Facing Device with High Priority Alert

Anomalous Server Activity / Rare External from Server

Anomalous Connection / New User Agent to IP Without Hostname

Security Integration / High Severity Integration Incident

Security Integration / Low Severity Integration Detection

Autonomous Response Model Detections

Antigena / Network / Insider Threat / Antigena Large Data Volume Outbound Block

Antigena / Network / Significant Anomaly / Antigena Significant Server Anomaly Block

Antigena / Network / Significant Anomaly / Antigena Controlled and Model Alert

Cyber AI Analyst Incidents

Unusual External Data Transfer

MITRE ATT&CK Mapping

Tactic – Technique

INITIAL ACCESS – Exploit Public-Facing Application

COMMAND AND CONTROL – Application Layer Protocol (Web Protocols)

COMMAND AND CONTROL – Encrypted Channel

PERSISTENCE – Web Shell

EXFILTRATION - Exfiltration Over C2 Channel

IoC List

IoC       Type    Description + Probability

181.214.147[.]164      IP Address       Likely C2 Infrastructure

176.123.4[.]22            IP Address       Likely C2 Infrastructure

5.45.74[.]137               IP Address           Possible C2 Infrastructure

38.180.242[.]122        IP Address       Possible C2 Infrastructure

Continue reading
About the author
Maria Geronikolou
Cyber Analyst
Your data. Our AI.
Elevate your network security with Darktrace AI