Cyber Threat Intelligence and Incident Response Report Template

Cyber Incident Threat Response Intelligence Report
Prepared for AR Billing Company LLC
By Anthony Sullivan
5/13/2018
FOR OFFICIAL USE ONLY

Contents (page numbers refer to the 152-page PDF):

Cyber Incident Threat Response Intelligence Report (p. 1)
Executive Summary (p. 7)
The Combatant's Actions and Tactics (p. 8)
  Postgres user file and folder analysis (p. 11)
  Sentry MBA 1.4.2 (p. 13)
  Small sample of key captures on APOLLO.INTERGY.LOCAL (p. 14)
  SQLiDumper v.8.0 (p. 15)
    SQLiDumper v.8.0 has many features including: (p. 16)
    The SQL Injection Methods that are supported include: (p. 17)
Targets of Interest (TOI's) (p. 24)
  Mostafa Abdullhuq (p. 24)
  Ahmed Swailm (p. 27)
  Juraj Sipos (p. 28)
  Jose M Barrios (p. 30)
The Combatant's Tactics (p. 31)
  Initial Access (p. 31)
    Exploit Public-Facing Application, Hardware, Trusted Relationship, Valid Accounts (p. 34)
  Exploitation for Defense Evasion Technique (p. 34)
  Software: XTunnel, X-Tunnel, XAPS (p. 35)
  Standard Cryptographic Protocol (p. 35)
  Credentials in Files (p. 36)
    Remote File Copy (p. 37)
    Network Service Scanning (p. 38)
    Command-Line Interface (p. 38)
    Connection Proxy (p. 39)
  FortiNet Security Log excerpts (p. 41)
www.eicat.com (p. 44)
Video references (p. 44)
SLINGSHOT Stage 2 attack (p. 48)
  Defending against this threat (p. 48)
    The first incident: (p. 50)
TOI Tactics (p. 51)
Adversarial Tactics, Techniques & Common Knowledge (p. 51)
  Execution (p. 51)
  Persistence (p. 51)
  Privilege Escalation (p. 52)
  Discovery (p. 52)
  Defense Evasion (p. 52)
  Lateral Movement (p. 53)
  Collection (p. 53)
  Exfiltration (p. 53)
  Command and Control (p. 53)
  Credential Access (p. 53)
The Combatant's Capabilities (p. 54)
  Tactics (p. 54)
    AppleScript (p. 54)
    Application Deployment Software (p. 55)
    Distributed Component Object Model (p. 55)
    Exploitation of Remote Services (p. 55)
    Logon Scripts (p. 56)
    Pass the Hash (p. 56)
    Pass the Ticket (p. 56)
    Remote Desktop Protocol (p. 57)
    Remote File Copy (p. 57)
    Remote Services (p. 58)
    Replication Through Removable Media (p. 58)
    SSH Hijacking (p. 58)
    Shared Webroot (p. 58)
    Taint Shared Content (p. 59)
    Third-party Software (p. 59)
    Windows Admin Shares (p. 59)
    Windows Remote Management (p. 60)
  Reconnaissance (p. 60)
  Weaponization (p. 61)
  Delivery (p. 61)
  Exploitation (p. 61)
  Installation

Details

  • File Type
    pdf
  • Content Languages
    English
  • File Pages
    152
