An external attacker brute-forced SSH from 138.199.22.105, spraying multiple usernames (including United and 1907) before successfully authenticating as user analyst at 09:25 AM on Aug 23, 2024. Post-login, the attacker confirmed sudo group membership and escalated to root via sudo su. They performed OS and network recon, verified connectivity to the malicious domain sketchanalyticsvault.com, generated a rogue CA certificate for that domain using openssl, and installed it into the system trust store via sudo update-ca-certificates. Installing the CA establishes system-level trust for the attacker’s C2 certificate — future outbound callbacks to sketchanalyticsvault.com will complete cleanly without certificate validation errors, avoiding the noisy failed-connection logs that would otherwise alert defenders. The system was being staged for stage 2 C2 callback; no outbound C2 traffic was captured before containment.
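
The spray-then-success pattern described above is straightforward to detect from sshd and sudo entries in `auth.log`. The following is an added example, not part of the original report: it runs a small detector over constructed syslog-style lines modelled on the timeline (the source IP, the sprayed usernames and the `analyst` account come from the report; the hostname `sharla`, PIDs, ports and exact second-level timestamps are made up). It flags any source IP that fails against three or more distinct usernames, then correlates a subsequent successful login from that IP and a `sudo` to root by the same account inside a ten-minute window. The threshold and window are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth.log lines (not real logs from the victim host).
SAMPLE_AUTH_LOG = """\
Aug 23 09:24:51 sharla sshd[2143]: Failed password for invalid user United from 138.199.22.105 port 51234 ssh2
Aug 23 09:24:53 sharla sshd[2145]: Failed password for invalid user 1907 from 138.199.22.105 port 51236 ssh2
Aug 23 09:24:56 sharla sshd[2147]: Failed password for analyst from 138.199.22.105 port 51240 ssh2
Aug 23 09:24:58 sharla sshd[2148]: Failed password for analyst from 138.199.22.105 port 51242 ssh2
Aug 23 09:25:02 sharla sshd[2149]: Accepted password for analyst from 138.199.22.105 port 51244 ssh2
Aug 23 09:26:30 sharla sudo:  analyst : TTY=pts/0 ; PWD=/home/analyst ; USER=root ; COMMAND=/usr/bin/su
Aug 23 09:30:11 sharla sshd[2201]: Failed password for ops from 172.16.17.50 port 40001 ssh2
Aug 23 09:30:20 sharla sshd[2203]: Accepted publickey for ops from 172.16.17.50 port 40002 ssh2
"""

TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"
FAILED_RE = re.compile(TS + r" \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port")
ACCEPT_RE = re.compile(TS + r" \S+ sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>[\d.]+) port")
SUDO_RE = re.compile(TS + r" \S+ sudo:\s+(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")


def parse_ts(ts, year=2024):
    # syslog timestamps carry no year; the caller supplies it (2024 for this incident)
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def detect_spray(log_text, distinct_user_threshold=3, window=timedelta(minutes=10)):
    """Return one finding per source IP that sprayed >= threshold distinct usernames.
    Each finding also records a successful login from that IP within the window and,
    if present, a sudo-to-root by the compromised account shortly after login."""
    failures = defaultdict(list)   # ip -> [(ts, user)]
    accepts = []                   # (ts, user, ip)
    sudos = []                     # (ts, user, target_user, command)
    for line in log_text.splitlines():
        if m := FAILED_RE.match(line):
            failures[m["ip"]].append((parse_ts(m["ts"]), m["user"]))
        elif m := ACCEPT_RE.match(line):
            accepts.append((parse_ts(m["ts"]), m["user"], m["ip"]))
        elif m := SUDO_RE.match(line):
            sudos.append((parse_ts(m["ts"]), m["user"], m["target"], m["cmd"]))

    findings = []
    for ip, attempts in failures.items():
        users = sorted({u for _, u in attempts})
        if len(users) < distinct_user_threshold:
            continue
        first = min(t for t, _ in attempts)
        last = max(t for t, _ in attempts)
        finding = {"ip": ip, "failed_attempts": len(attempts), "usernames": users,
                   "window_start": first, "compromised_user": None, "escalation": None}
        # a success from the same IP after the spray began and within the window
        for ts, user, a_ip in accepts:
            if a_ip == ip and first <= ts <= last + window:
                finding["compromised_user"] = user
                # sudo to root by that account within the window after login
                for s_ts, s_user, target, cmd in sudos:
                    if s_user == user and target == "root" and ts <= s_ts <= ts + window:
                        finding["escalation"] = cmd
                        break
                break
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in detect_spray(SAMPLE_AUTH_LOG):
        print(f"{f['ip']}: {f['failed_attempts']} failures across {f['usernames']}; "
              f"login as {f['compromised_user']}; escalation via {f['escalation']}")
```

Run against the constructed sample, only 138.199.22.105 is reported: the single failure from 172.16.17.50 followed by a key-based login stays below the distinct-username threshold. In production the same logic applies to journald output (`journalctl -u ssh -o short`) once the year is supplied.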
| Timestamp | Activity |
|---|---|
| Aug 23, 2024 09:25 AM | Successful brute-force login as user analyst |
| Aug 23, 2024 09:27:26 | Post-exploitation recon — groups, whoami |
| Aug 23, 2024 09:28:05 | cat /etc/os-release — OS fingerprinting |
| Aug 23, 2024 09:28:17 | ping sketchanalyticsvault.com — C2 connectivity check |
| Aug 23, 2024 09:28:47 | openssl genrsa — rogue CA key generation |
| Aug 23, 2024 09:28:50 | openssl req -x509 — rogue CA cert generation |
| Aug 23, 2024 09:29:03 | mv rootCA.crt /usr/local/share/ca-certificates |
| Aug 23, 2024 09:29:04 | sudo update-ca-certificates — cert installed into trust store |
| Aug 23, 2024 09:29:26 | ls -l rootCA.key rootCA.crt — artifact verification |
| Aug 23, 2024 09:29:48 | netstat -tuln — network state recon |
| Post 09:29 AM | Machine contained |

External threat actor operating from 138.199.22.105; conducted a credential spray across multiple usernames via SSH before gaining access as analyst. Domain sketchanalyticsvault.com confirmed malicious via VirusTotal.
The attacker installed a rogue root CA into the system trust store to establish system-level trust for their C2 certificate. Without this step, any tool on the victim host connecting to sketchanalyticsvault.com would generate certificate validation errors — failing connections or producing alert-worthy logs. With the CA trusted, future callbacks complete silently, improving both operational reliability and evasion. The system was being staged; no outbound C2 traffic was observed before containment.
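
Because `update-ca-certificates` silently folds anything dropped into `/usr/local/share/ca-certificates` into the system bundle, a baseline of the trust store is the simplest durable control. The following is an added example, not code from the original report: it fingerprints every PEM block in a bundle such as `/etc/ssl/certs/ca-certificates.crt`, compares the current bundle against a stored baseline, and lists every file in the local CA drop directory with its size and modification time. `run_demo()` exercises it on a constructed trust store in a temporary directory, using placeholder PEM blocks that are not real certificates (the `openssl`-based subject lookup is best-effort and returns `None` for them or when the CLI is absent). The paths and the baseline approach are assumptions, chosen to match the Debian/Ubuntu layout the report implies.

```python
import hashlib
import subprocess
import tempfile
from pathlib import Path

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def split_pem_bundle(text):
    """Return each PEM certificate block (as text) found in a bundle file."""
    blocks, current, inside = [], [], False
    for line in text.splitlines():
        if line.strip() == PEM_BEGIN:
            inside, current = True, [line]
        elif line.strip() == PEM_END and inside:
            current.append(line)
            blocks.append("\n".join(current) + "\n")
            inside = False
        elif inside:
            current.append(line)
    return blocks


def fingerprint(pem_block):
    # SHA-256 over the PEM text is enough as a baseline key (not the X.509 fingerprint)
    return hashlib.sha256(pem_block.encode()).hexdigest()


def baseline_bundle(bundle_path):
    """Fingerprints of every block currently in the bundle; store this while the host is known-good."""
    return {fingerprint(b) for b in split_pem_bundle(Path(bundle_path).read_text())}


def describe_subject(pem_block):
    """Best-effort subject via the openssl CLI; None if openssl is missing or the block is not a parseable cert."""
    try:
        out = subprocess.run(["openssl", "x509", "-noout", "-subject"], input=pem_block,
                             capture_output=True, text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return out.stdout.strip() or None


def audit_trust_store(bundle_path, known_fingerprints, local_dir="/usr/local/share/ca-certificates"):
    """Report bundle entries absent from the baseline plus every file in the local CA drop directory,
    the place update-ca-certificates reads admin-added (or attacker-added) CAs from."""
    report = {"new_in_bundle": [], "local_ca_files": []}
    for block in split_pem_bundle(Path(bundle_path).read_text()):
        fp = fingerprint(block)
        if fp not in known_fingerprints:
            report["new_in_bundle"].append({"fingerprint": fp, "subject": describe_subject(block)})
    local = Path(local_dir)
    if local.is_dir():
        for f in sorted(local.rglob("*.crt")):
            st = f.stat()
            report["local_ca_files"].append({"path": str(f), "size": st.st_size, "mtime": int(st.st_mtime)})
    return report


def _fake_pem(label):
    # Constructed placeholder block: PEM framing around a hash, not a real certificate.
    return f"{PEM_BEGIN}\n{hashlib.sha256(label.encode()).hexdigest()}\n{PEM_END}\n"


def run_demo():
    """Build a constructed trust store in a temp dir, baseline it, then simulate a rogue CA being added."""
    with tempfile.TemporaryDirectory() as tmp:
        bundle = Path(tmp) / "ca-certificates.crt"
        local_dir = Path(tmp) / "local-ca"
        local_dir.mkdir()
        bundle.write_text(_fake_pem("placeholder-ca-1") + _fake_pem("placeholder-ca-2"))
        known = baseline_bundle(bundle)
        # what update-ca-certificates does once rootCA.crt lands in the local directory
        rogue = _fake_pem("rogue-ca-placeholder")
        (local_dir / "rootCA.crt").write_text(rogue)
        bundle.write_text(bundle.read_text() + rogue)
        return audit_trust_store(bundle, known, local_dir=str(local_dir))


if __name__ == "__main__":
    print(run_demo())
```

On a real host, run `baseline_bundle` once after provisioning and persist the set; a later `audit_trust_store` that reports any `new_in_bundle` entry, or any file under `/usr/local/share/ca-certificates` that configuration management did not place, is the alert. Pairing this with a file-integrity rule on that directory and on `/etc/ssl/certs/ca-certificates.crt` catches the install at the moment it happens rather than on the next scan.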
| Technique ID | Tactic | Technique |
|---|---|---|
| T1110.001 | Credential Access | Brute Force - Password Guessing |
| T1059.004 | Execution | Command and Scripting Interpreter - Unix Shell |
| T1069.001 | Discovery | Permission Groups Discovery - Local Groups |
| T1548.003 | Privilege Escalation | Abuse Elevation Control Mechanism - Sudo |
| T1553.004 | Defense Evasion | Subvert Trust Controls - Install Root Certificate |
| T1071.001 | Command and Control | Application Layer Protocol - Web Protocols |

| Type | Value | Note |
|---|---|---|
| IP Address | 138.199.22.105 | Attacker source IP — SSH brute force |
| Internal IP | 172.16.17.116 | Victim host (Sharla) |
| Domain | sketchanalyticsvault.com | C2 domain — VirusTotal confirmed malicious |
| File | rootCA.key | Attacker-generated CA private key |
| File | rootCA.crt | Attacker-generated rogue root certificate |