// soc investigation 2026-05-08
SOC306 Critical System File Deletion
letsdefend Medium closed ✓ true positive
mitre/T1110-001 mitre/T1078 mitre/T1033 mitre/T1069 mitre/T1083 mitre/T1548-003 mitre/T1136-001 mitre/T1070-002
analyst verdict TRUE POSITIVE

🔍 What

An external attacker (87[.]249[.]134[.]136) brute-forced the SSH password of the analyst account on host Dominic. After logging in, the attacker ran local reconnaissance, used the account's unrestricted sudo rights to act as root, created a backdoor local account (lettsdefend), and deleted /var/log/auth.log and /etc/audit/rules.d/audit.rules to destroy forensic evidence. The deletion of audit.rules is what raised the alert.


🕐 When

Event Timestamp
Brute-force activity (pre-login) Prior to Jul 31, 2024, 03:10 PM
Successful SSH login (analyst) Jul 31, 2024, 03:10 PM
audit.rules deleted (alert trigger) Jul 31, 2024, 03:14 PM
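The brute-force stage in the timeline has to be confirmed from a copy of auth.log that survived the attacker's cleanup (remote syslog, a backup, or journald), since the host copy was deleted. Added example, not part of the original case notes: a Python check over constructed sshd lines that flags a source IP which accumulates failed logins and then succeeds. The attacker IP, account name and host name are the ones in this note; the timestamps, ports, PIDs and the second source IP are made up for the sample.

```python
import re
from collections import defaultdict

# Constructed sample auth.log excerpt (not the real deleted log). Only the
# attacker IP, the "analyst" account and the host name come from the case.
SAMPLE_AUTH_LOG = """\
Jul 31 15:08:41 Dominic sshd[2211]: Failed password for analyst from 87.249.134.136 port 41022 ssh2
Jul 31 15:08:43 Dominic sshd[2211]: Failed password for analyst from 87.249.134.136 port 41022 ssh2
Jul 31 15:08:45 Dominic sshd[2213]: Failed password for invalid user admin from 87.249.134.136 port 41030 ssh2
Jul 31 15:09:02 Dominic sshd[2215]: Failed password for analyst from 87.249.134.136 port 41044 ssh2
Jul 31 15:09:10 Dominic sshd[2217]: Failed password for analyst from 87.249.134.136 port 41050 ssh2
Jul 31 15:09:55 Dominic sshd[2240]: Failed password for root from 10.0.0.5 port 50122 ssh2
Jul 31 15:10:02 Dominic sshd[2219]: Accepted password for analyst from 87.249.134.136 port 41066 ssh2
Jul 31 15:10:02 Dominic sshd[2219]: pam_unix(sshd:session): session opened for user analyst by (uid=0)
"""

# OpenSSH's standard failure/success message formats; "invalid user" is
# prepended when the username does not exist on the host.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port"
)


def find_bruteforce_logins(log_text, threshold=3):
    """Return [(ip, user, failures_before_success)] for every source IP that
    racked up at least `threshold` failed logins and then got an Accepted."""
    failures = defaultdict(int)  # source ip -> failed attempts seen so far
    hits = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m and failures[m["ip"]] >= threshold:
            hits.append((m["ip"], m["user"], failures[m["ip"]]))
    return hits


if __name__ == "__main__":
    for ip, user, n in find_bruteforce_logins(SAMPLE_AUTH_LOG):
        print(f"brute force then success: {ip} -> {user} after {n} failures")
```

The threshold is deliberately low for the sample; in production tune it per source and add a time window, and read from the log collector rather than the endpoint, because a successful attacker will remove the local file exactly as happened here.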

📍 Where

Host Dominic (172[.]16[.]17[.]107), accessed over SSH from 87[.]249[.]134[.]136. Files removed: /var/log/auth[.]log and /etc/audit/rules[.]d/audit[.]rules.

👤 Who

Attacker: external source 87[.]249[.]134[.]136 (AbuseIPDB: malicious, brute force/SSH). Compromised account: analyst (held unrestricted sudo). Backdoor account created by the attacker: lettsdefend.

❓ Why

The analyst account held unrestricted sudo rights, giving the attacker a direct path to root-level access without needing to exploit a vulnerability. This privilege level allowed the creation of a new local persistence account and the removal of both authentication and audit logs to hinder investigation.

Attacker command sequence (bash_history):

whoami
groups
cat /etc/group
find / -type f -name '*password*'
sudo useradd -m lettsdefend
sudo passwd lettsdefend
cd /var/log
cat auth.log | grep "87.249.134.136"
rm -r auth.log
cd /etc/audit/rules.d/
ls
cat audit.rules
rm -r audit.rules
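Added example, not part of the case notes or of LetsDefend's detection logic: a Python triage of the recovered bash_history that walks the commands in order, tracks the working directory so relative rm targets such as "rm -r auth.log" resolve to full paths, tags each command with the ATT&CK technique it evidences, and marks sudo use. The rules and the list of sensitive log files are my own heuristic assumptions; the history text is the command list above, re-embedded verbatim.

```python
import posixpath
import re

# Re-embedding of the bash_history command list quoted above
# (analyst account on host Dominic); only the wrapping is added.
RECOVERED_HISTORY = """\
whoami
groups
cat /etc/group
find / -type f -name '*password*'
sudo useradd -m lettsdefend
sudo passwd lettsdefend
cd /var/log
cat auth.log | grep "87.249.134.136"
rm -r auth.log
cd /etc/audit/rules.d/
ls
cat audit.rules
rm -r audit.rules
"""

# Heuristic rules (assumptions, not a vendor rule set): regex over the
# command with any leading "sudo " removed -> ATT&CK technique ID.
RULES = [
    (r"^(whoami|id)\b",                  "T1033"),      # System Owner/User Discovery
    (r"^(groups\b|cat\s+/etc/group\b)",  "T1069"),      # Permission Groups Discovery
    (r"^(ls\b|find\s+/\S*\s.*-name\s)",  "T1083"),      # File and Directory Discovery
    (r"^(useradd|adduser)\s",            "T1136.001"),  # Create Account: Local Account
    (r"^passwd\s+\S+",                   "T1136.001"),  # ...and set its password
]

# Files whose removal counts as Indicator Removal (T1070.002).
SENSITIVE_LOG_FILES = {
    "/var/log/auth.log", "/var/log/secure", "/var/log/wtmp", "/var/log/btmp",
    "/etc/audit/rules.d/audit.rules", "/etc/audit/audit.rules",
}


def _strip_sudo(cmd):
    """Return (used_sudo, command text without the leading 'sudo')."""
    if cmd.startswith("sudo "):
        return True, cmd[5:].lstrip()
    return False, cmd


def triage_history(history_text, start_cwd="/home/analyst"):
    """Walk a bash_history in order, tracking `cd` so relative paths resolve,
    and return the commands that evidence an ATT&CK technique."""
    cwd = start_cwd
    findings = []
    for raw in history_text.splitlines():
        cmd = raw.strip()
        if not cmd:
            continue
        used_sudo, body = _strip_sudo(cmd)

        m = re.match(r"^cd(?:\s+(\S+))?\s*$", body)
        if m:  # directory change: update cwd, nothing to report by itself
            cwd = posixpath.normpath(posixpath.join(cwd, m.group(1))) if m.group(1) else start_cwd
            continue

        techniques = ["T1548.003"] if used_sudo else []  # sudo = elevation
        for pattern, tid in RULES:
            if re.match(pattern, body):
                techniques.append(tid)

        m = re.match(r"^rm\s+(?:-\S+\s+)*(\S+)", body)
        if m:  # resolve the rm target against the tracked cwd
            target = posixpath.normpath(posixpath.join(cwd, m.group(1)))
            if target in SENSITIVE_LOG_FILES:
                techniques.append("T1070.002")

        if techniques:
            findings.append({"cmd": cmd, "cwd": cwd, "techniques": techniques})
    return findings


def techniques_observed(findings):
    """Sorted, de-duplicated technique IDs across all findings."""
    return sorted({t for f in findings for t in f["techniques"]})


if __name__ == "__main__":
    hits = triage_history(RECOVERED_HISTORY)
    for f in hits:
        print(f"{f['cwd']:<22} {', '.join(f['techniques']):<22} {f['cmd']}")
    print("observed:", techniques_observed(hits))
```

Treat bash_history as corroboration only: the same attacker who deleted auth.log could have truncated or disabled it. The durable record for the alert trigger is auditd itself, with a watch on /etc/audit/rules.d/ and /var/log (auditctl -w <path> -p wa -k <key>) and the configuration locked with auditctl -e 2 so the rules cannot be removed without a reboot.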

🎯 MITRE ATT&CK

Technique ID Tactic Technique
T1110.001 Credential Access Brute Force - Password Guessing
T1078 Initial Access Valid Accounts
T1033 Discovery System Owner/User Discovery
T1069 Discovery Permission Groups Discovery
T1083 Discovery File and Directory Discovery
T1548.003 Privilege Escalation Abuse Elevation Control Mechanism - Sudo and Sudo Caching
T1136.001 Persistence Create Account - Local Account
T1070.002 Defense Evasion Indicator Removal - Clear Linux or Mac System Logs

🧩 IOCs

Type Value Notes
IP Address 87[.]249[.]134[.]136 Attacker — AbuseIPDB: malicious, brute force/SSH
IP Address 172[.]16[.]17[.]107 Victim host — Dominic
Username analyst Compromised account
Username lettsdefend Backdoor account created by attacker
File /var/log/auth[.]log Deleted by attacker
File /etc/audit/rules[.]d/audit[.]rules Deleted by attacker (alert trigger)

🔗 Analysis Reports