Blog | Scenario

oneday SSH bruteforce

ByDetecteam 2023-07-112023-07-11

TLP

TLP CLEAR

Author

David Deflache

Summary

In this attack scenario, an individual with the IP address 192.168.0.42 and a valid username is engaging in an authentication brute force attack through SSH. Their target is a system with the IP address 192.168.0.111, using the default SSH port 22. The attacker executes a loop of 350 iterations, simulating numerous login attempts. Each attempt is marked as a failed login, triggering the action “User.LoginFailed.” A random delay between 3 to 5 minutes is introduced after each failed attempt. After the loop, there is a final pause of 3 minutes. The attacker then achieves a successful login, triggering the action “User.LoginSuccess.” This scenario illustrates an unauthorized access attempt through repeated SSH login trials. Can you detect it ?

DATA

openssh.log_Download

TIMELINE

references

MITRE ATT&CK

Blog | Scenario

Clop – Ransomware by TA505
ByDetecteam 2023-06-222023-06-23

TLP TLP TLP CLEAR Author Jordi Lobo Summary Clop ransomware is a variant of a previously known strain called CryptoMix. In 2019, Clop was delivered as the final payload of a phishing campaign associated with the financially motivated actor TA505. In 2020, Clop has evolved from a ransomware delivered through malicious spam to one being…

Read More Clop – Ransomware by TA505
Blog | Scenario

Snatch Ransomware
ByDetecteam 2023-10-192023-10-19

TLP TLP TLP CLEAR Author Jordi M. Lobo Summary In a recent cyber attack, the Snatch Team used RDP brute force to infiltrate a network and rapidly executed a series of sophisticated actions within a short time frame. They gained initial access by logging into a Domain Administrator (DA) account, performed various commands, and initiated…

Read More Snatch Ransomware
Blog | Scenario

HTML Smuggling
ByDetecteam 2023-12-142023-12-14

TLP TLP TLP CLEAR Author David Deflache, Sebastien Tricaud Summary In early November 2022, a targeted intrusion began via email, delivering an HTML file utilizing HTML smuggling. Previously relying on Excel macros, the threat actor adapted to Microsoft’s macro control updates. Upon opening the HTML, a disguised Adobe page prompted a ZIP download with a…

Read More HTML Smuggling
Blog | Scenario

GhostEmperor
ByDetecteam 2023-11-292023-11-29

TLP TLP TLP CLEAR Author David Deflache, Sebastien Tricaud Summary This week, we share data from another attack being exploited. In August 2022, analysts uncovered a cyber attack on a government-run Indonesian company by the APT group GhostEmperor. Known since 2021, GhostEmperor specializes in cyberespionage across sectors, employing tactics such as phishing, software exploits, and…

Read More GhostEmperor
Blog | Scenario

Agent Tesla RAT
ByDetecteam 2023-08-102023-08-10

TLP TLP TLP CLEAR Author Sebastien TRICAUD Summary Agent Tesla RAT is a potent remote access trojan designed to infiltrate systems discreetly. Employed by threat actors, it facilitates unauthorized access to compromised systems, enabling data theft, surveillance, and control. Operating since 2014, it is notorious for its keylogging capabilities, recording keystrokes to gather sensitive information…

Read More Agent Tesla RAT
Blog | Scenario

SELECT XMRig FROM SQLServer
ByDetecteam 2023-06-092023-06-09

TLP TLP TLP CLEAR Author David Deflache Summary The attack on the Microsoft SQL Server involved a series of sophisticated techniques employed by the adversaries. It began with the initial stage of reconnaissance, where the attackers sought to identify vulnerabilities and potential entry points. They then proceeded to exploit a known vulnerability in the server…

Read More SELECT XMRig FROM SQLServer

TLP