<html><head>
<style type="text/css" style="display:none"><!-- p { margin-top: 0px; margin-bottom: 0px; } body { padding: 0px; margin: 0px; font-family: Arial; font-size: 12px; color: rgb(0, 0, 0); } .lrm { margin-left: 50px; margin-right: 50px; } .mep { padding-left: 50px; } .shd1 { padding-right: 30px; } .shd2 { padding-right: 40px; } a:link { color: rgb(0, 102, 255); } hr.hr_bottom { color: gray; } h3 { color: rgb(234, 189, 0); font-family: "small-caps bold"; } .Title { color: rgb(234, 189, 0); font-weight: bold; } .bold_detail { font-weight: bold; } .td_first { color: rgb(119, 119, 119); width: 3.5cm; } .ip_blue { color: blue; } .notice { font-size: x-small; } .noticeDetail { font-size: xx-small; } .hrStandard { color: rgb(255, 223, 87); } .maxTest { font-size: 10px; margin-top: 5px; } content { margin-left: 50px; margin-right: 50px; }--></style>
</head>
<body dir="ltr" style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<p><b style="font-size: 11pt; font-family: Calibri, sans-serif;">From:</b><span style="font-size: 11pt; font-family: Calibri, sans-serif;"> Gene Shin</span><br>
</p>
<div dir="ltr" style="font-size:12pt; color:#000000; background-color:#FFFFFF; font-family:Calibri,Arial,Helvetica,sans-serif">
<div>
<div style="color:rgb(33,33,33)">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>Sent:</b> Sunday, August 21, 2016 4:47 AM<br>
<b>To:</b> AES US SBU ISOC Cyber Security<br>
<b>Subject:</b> FW: Critical - Hack Tool Activity - Incident 89820678</font>
<div> </div>
</div>
<div><strong>
<div><font face="Tahoma" color="#000000" size="2"> </font></div>
</strong>
<hr tabindex="-1">
<font face="Tahoma" size="2"><b>From:</b> SOC Notifications<br>
<b>Sent:</b> Sunday, August 21, 2016 4:47:05 AM (UTC-05:00) Eastern Time (US & Canada)<br>
<b>To:</b> Gene Shin<br>
<b>Subject:</b> Critical - Hack Tool Activity - Incident 89820678<br>
</font><br>
<div></div>
<div>
<table cellpadding="0px" cellspacing="0px" width="100%" height="40px" style="padding:0px; margin:0px">
<tbody>
<tr>
<td background="cid:pageHeaderBG.gif" height="40px">
<table cellpadding="0px" cellspacing="0px" width="686px" height="40px" style="padding:0px; margin:0px">
<tbody>
<tr>
<td background="cid:prodNameBG.gif" height="40px">
<table cellpadding="0px" cellspacing="0px" width="364px" height="27px" style="padding:0px; margin:0px">
<tbody>
<tr>
<td background="cid:HeaderLogo.gif" height="27px"></td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
<table class="lrm ">
<tbody>
<tr>
<td align="bottom">
<table>
<tbody>
<tr>
<td></td>
</tr>
</tbody>
</table>
<span class="Title">INCIDENT DETAILS</span>
<hr class="hrStandard" size="1">
<table border="0">
<tbody>
<tr>
</tr>
<tr>
<td class="td_first">Incident #: </td>
<td class="bold_detail">89820678</td>
</tr>
<tr>
<td class="td_first" nowrap="true" valign="top">Severity: </td>
<td>Critical</td>
</tr>
<tr>
<td class="td_first" nowrap="true" valign="top">Correlation: </td>
<td>No</td>
</tr>
<tr>
<td class="td_first" nowrap="true" valign="top">Status: </td>
<td>New</td>
</tr>
<tr>
<td class="td_first" nowrap="true" valign="top">PreviousStatus: </td>
<td>-</td>
</tr>
<tr>
<td class="td_first" nowrap="true" valign="top">Reference #: </td>
<td></td>
</tr>
<tr>
<td class="td_first" nowrap="true" valign="top">Assigned To: </td>
<td>AES Corporation</td>
</tr>
<tr>
<td class="td_first" nowrap="true" valign="top">Created: </td>
<td>8/21/2016 8:07:46 AM (GMT)</td>
</tr>
<tr>
<td class="td_first" nowrap="true" valign="top">Category: </td>
<td>Malicious Code (<b>84 incident(s) </b>in the past 30 days) </td>
</tr>
<tr>
<td class="td_first" nowrap="true" valign="top">Classification: </td>
<td>Hack Tool Activity</td>
</tr>
<tr>
<td class="td_first" nowrap="true" valign="top">Description: </td>
<td class="Blockquote">This incident is a real-time notification for Hack tool activity observed on a monitored host. Hack tools are programs that may be used to launch attacks on computer systems and networks. Often they are executed with malicious intent
to either breach a system or conduct additional post-compromise activity such as cracking retrieved passwords and identifying other vulnerable systems on the network.<br>
<br>
Deliberate use of a hack tool may be a direct violation of your organization’s acceptable use policy. Legitimate usage of hack tools is uncommon outside of an isolated lab environment.
<br>
<br>
The following types of tools fall under this category:<br>
<br>
• Keystroke Loggers<br>
• Password Stealers<br>
• Password Crackers<br>
• Spam Tools<br>
• Port Scanners<br>
• Vulnerability Scanners<br>
• Network Flooders<br>
<br>
For more information, please review the following references:<br>
https://www.symantec.com/security_response/writeup.jsp?docid=2001-081707-2550-99<br>
http://www.symantec.com/security_response/glossary/define.jsp?letter=h&word=hack-tool</td>
</tr>
<tr>
<td class="td_first" nowrap="true" valign="top">Analyst assessment: </td>
<td>1. Incident Overview<br>
<br>
The host at 10.249.3.164 was detected running the JSPRAT hack tool.<br>
<br>
Detecting Security Devices: <br>
aess0031 : Malicious Code Quarantined<br>
<br>
2. Affected Host Data<br>
<br>
The Source host belongs to internal network range (RFC 1918).<br>
User Name : system<br>
Host Name : sulsleds05<br>
<br>
3. Destination Host Data<br>
<br>
The SOC observed that the source host is communicating with a file that has been flagged as malicious by MSS intelligence.<br>
<br>
4. Validation Steps<br>
<br>
From the combination of logs observed, along with the reputation of the file communicated with, we conclude that the source host might be infected. The SOC recommends further investigation on the source host for any suspicious activity.<br>
<br>
Session data available:<br>
File Name : d:\jboss-4.2.2.ga\server\default\deploy\management\destiny.war\index.jsp<br>
File Hash : A42C6076A857B71D161332281E0B6410C70E18DD82D8F1584CC23FB25176FA72<br>
<br>
5. Remediation Recommendations<br>
<br>
At times, AV scans are insufficient to remediate malware infections. Please see Symantec's process for responding to active threats on a network:<br>
http://www.symantec.com/business/support/index?page=content&id=TECH122466 <br>
<br>
Questions or requests for further assistance related to this incident can be directed to the MSS SOC. The MSS SOC can be reached by requesting help via phone, e-mail, or visiting the MSS portal at https://mss.symantec.com.
</td>
</tr>
<tr>
<td class="td_first" nowrap="true" valign="top">LatestActivity: </td>
<td>Winning Rule Name(Rule ID) :: Default Rule(0)</td>
</tr>
<tr>
<td colspan="2"><br>
<a href="https://mss.symantec.com/PortalNextGen/Home/IncidentsDetails?IncidentId=89820678&CreatedDate=08/21/2016%2008:46:15.970">View Full Incident Details >>
</a></td>
</tr>
</tbody>
</table>
<br>
<br>
<span class="Title">SOURCE DETAILS</span>
<hr class="hrStandard" size="1">
<table>
<tbody>
<tr>
<td class="td_first">Source IP: </td>
<td><a href="https://mss.symantec.com/PortalNextGen/Home/Ipdetails?ip=10.249.3.164">10.249.3.164</a> (<b>2 incident(s)
</b>in the past 30 days) </td>
</tr>
<tr>
<td class="td_first">Country: </td>
<td>Reserved</td>
</tr>
<tr>
<td class="td_first">Organization(s): </td>
<td><i>No Organizations Found.</i><br>
</td>
</tr>
<tr>
<td colspan="2"><br>
</td>
</tr>
</tbody>
</table>
<br>
<span class="Title">DESTINATION DETAILS</span>
<hr class="hrStandard" size="1">
<table>
<tbody>
<tr>
<td nowrap="true" class="td_first">Organization(s): </td>
<td><i>No Organizations Found.</i></td>
</tr>
<tr>
<td colspan="2"><br>
</td>
</tr>
</tbody>
</table>
<br>
<span class="Title">ASSETS INVOLVED</span>
<hr class="hrStandard" size="1">
<table>
<tbody>
<tr>
<td>aess0031 [AESCORP-OTH-153185] </td>
</tr>
<tr>
<td><br>
</td>
</tr>
</tbody>
</table>
<br>
<span class="Title">CORRELATED EVENTS</span>
<hr class="hrStandard" size="1">
<span class="Title">KEY EVENTS</span>
<table>
<tbody>
<tr>
<td nowrap="true" class="td_first">Event#: </td>
<td>10506711047</td>
</tr>
<tr>
<td nowrap="true" class="td_first">Event Name: </td>
<td>Hacktool.JSPRAT</td>
</tr>
<tr>
<td nowrap="true" class="td_first">Event Type: </td>
<td>Symantec AV Alert</td>
</tr>
<tr>
<td nowrap="true" class="td_first">Created: </td>
<td>8/21/2016 8:07:42 AM (GMT)</td>
</tr>
<tr>
<td nowrap="true" class="td_first">Source IP: </td>
<td class="ip_blue"><a href="https://mss.symantec.com/PortalNextGen/Home/Ipdetails?ip=10.249.3.164">10.249.3.164</a></td>
</tr>
<tr>
<td nowrap="true" class="td_first">Country: </td>
<td>Reserved</td>
</tr>
<tr>
<td nowrap="true" class="td_first">Threat Name: </td>
<td></td>
</tr>
<tr>
<td nowrap="true" class="td_first">Malware MD5 Hashes: </td>
<td></td>
</tr>
<tr>
<td nowrap="true" class="td_first">Log Count: </td>
<td>1<br>
</td>
</tr>
<tr>
<td colspan="2" height="6"></td>
</tr>
<tr>
<td colspan="2" class="mep" align="left"><span class="Title">Source Host Details</span>
<table>
<tbody>
<tr>
<th class="shd1" align="left">Host Name</th>
<th class="shd1" align="left">Domain </th>
<th class="shd2" align="left">User(s)</th>
</tr>
<tr>
<td class="shd1" align="left">sulsleds05</td>
<td class="shd1" align="left">LocalComputer</td>
<td class="shd2" align="left">system</td>
</tr>
</tbody>
</table>
</td>
</tr>
<tr>
<td height="12"></td>
</tr>
</tbody>
</table>
<br>
<span class="Title">OTHER EVENTS</span>
<table>
<tbody>
<tr>
<td><i>No Other Events found</i></td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
<div class="lrm"><br>
<hr size="7">
<table>
<tbody>
<tr>
<td align="center" class="notice"><b>NOTICE OF CONFIDENTIALITY</b></td>
</tr>
<tr>
<td class="noticeDetail">This Email message and its attachments (if any) are intended solely for the use of the addressee hereof. In addition, this message and the attachments (if any) may contain information that is confidential, privileged and exempt from
disclosure under applicable law. If you are not the intended recipient of this message, you are prohibited from reading, disclosing, reproducing, distributing, disseminating or otherwise using this transmission. Delivery of this message to any person other
than the intended recipient is not intended to waive any right or privilege. If you have received this message in error, please promptly notify the sender by reply E-mail and immediately delete this message from your system.
</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
</div>
</div>
</div>
</body>
</html>