IP Address: 113.81.143.108 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role | Attacker, Scanner
Services Targeted | MSSQL
Tags | IDS - Successful Administrator Privilege Gain, DNS Query, Execute MsSql Shell Command, MSSQL Brute Force, Service Stop, Create MsSql Table, Persistency - Logon, MSSQL, Successful MSSQL Login, Service Configuration, Drop MsSql Table, User Created, Executable File Modification, File Operation By CMD, Create MsSql Procedure, User Added to Group, CMD, Persistency - Mime Filter, Scheduled Task Creation, Access Suspicious Domain
Associated Attack Servers
IP Address | 113.81.143.108
Domain | -
ISP | China Telecom Guangdong
Country | China
WHOIS Created Date | -
WHOIS Updated Date | -
Organization | -
First seen in Akamai Guardicore Segmentation | 2020-04-02
Last seen in Akamai Guardicore Segmentation | 2020-04-04
What is Akamai Guardicore Segmentation: Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.
Event | Tags
A user logged in using MSSQL with the following credentials: admin / ******* - Authentication policy: White List (Part of a Brute Force Attempt) | MSSQL Brute Force, Successful MSSQL Login
A user logged in using MSSQL with the following credentials: test / ******* - Authentication policy: White List (Part of a Brute Force Attempt) | MSSQL Brute Force, Successful MSSQL Login
A user logged in using MSSQL with the following credentials: user / ******* - Authentication policy: White List (Part of a Brute Force Attempt) | MSSQL Brute Force, Successful MSSQL Login
MSSQL executed 79 shell commands | Execute MsSql Shell Command
Process c:\windows\system32\cscript.exe attempted to access suspicious domains: g.nxxxn.ga 2 times | Access Suspicious Domain, DNS Query
MSSQL procedures were created: sp_addextendedproc and sp_dropextendedproc | Create MsSql Procedure
IDS detected Successful Administrator Privilege Gain : Microsoft CScript Banner Outbound | IDS - Successful Administrator Privilege Gain
Process NetworkService Service Group attempted to access suspicious domains: g.nxxxn.ga | Access Suspicious Domain, DNS Query
Executable file C:\ProgramData\SQLAGENTVDC.exe was modified | Executable File Modification
A user logged in using MSSQL with the following username: sa - Authentication policy: Reached Max Attempts (Part of a Brute Force Attempt) | MSSQL Brute Force, Successful MSSQL Login
A user logged in using MSSQL with the following credentials: sa / **** - Authentication policy: Previously Approved User (Part of a Brute Force Attempt) | MSSQL Brute Force, Successful MSSQL Login
c:\program files\microsoft sql server\mssql11.sqlexpress\mssql\binn\sqlservr.exe set the command line C:\ProgramData\SQLAGENTVDC.exe to run using Persistency - Logon | Persistency - Logon
c:\program files\microsoft sql server\mssql11.sqlexpress\mssql\binn\sqlservr.exe set the command line C:\RECYCLER\SQLAGENTVDC.exe to run using Persistency - Logon | Persistency - Logon
Service CryptSvc was stopped | Service Stop
c:\windows\system32\jscript.dll installed a Persistency - Mime Filter backdoor by modifying Windows Registry | Persistency - Mime Filter
c:\windows\apppatch\apppatch64\aclayers.dll installed a Persistency - Mime Filter backdoor by modifying Windows Registry | Persistency - Mime Filter
c:\windows\system32\jscript.dll installed a Persistency - Mime Filter backdoor by modifying Windows Registry | Persistency - Mime Filter
c:\windows\system32\regsvr32.exe installed a Persistency - Mime Filter backdoor by modifying Windows Registry | Persistency - Mime Filter
c:\windows\system32\jscript.dll installed a Persistency - Mime Filter backdoor by modifying Windows Registry | Persistency - Mime Filter
c:\windows\system32\regsvr32.exe installed a Persistency - Mime Filter backdoor by modifying Windows Registry | Persistency - Mime Filter
c:\windows\apppatch\apppatch64\aclayers.dll installed a Persistency - Mime Filter backdoor by modifying Windows Registry | Persistency - Mime Filter
c:\windows\system32\jscript.dll installed a Persistency - Mime Filter backdoor by modifying Windows Registry 3 times | Persistency - Mime Filter
c:\windows\system32\vbscript.dll installed a Persistency - Mime Filter backdoor by modifying Windows Registry | Persistency - Mime Filter
c:\windows\system32\jscript.dll installed a Persistency - Mime Filter backdoor by modifying Windows Registry | Persistency - Mime Filter
c:\windows\system32\regsvr32.exe installed a Persistency - Mime Filter backdoor by modifying Windows Registry | Persistency - Mime Filter
c:\windows\system32\vbscript.dll installed a Persistency - Mime Filter backdoor by modifying Windows Registry | Persistency - Mime Filter
c:\windows\system32\jscript.dll installed a Persistency - Mime Filter backdoor by modifying Windows Registry 2 times | Persistency - Mime Filter
c:\windows\system32\regsvr32.exe installed a Persistency - Mime Filter backdoor by modifying Windows Registry | Persistency - Mime Filter
c:\windows\system32\jscript.dll installed a Persistency - Mime Filter backdoor by modifying Windows Registry | Persistency - Mime Filter
c:\windows\system32\regsvr32.exe installed a Persistency - Mime Filter backdoor by modifying Windows Registry 6 times | Persistency - Mime Filter
MSSQL tables were dropped: #A1E878D0 and #A3D0C142 | Drop MsSql Table
MSSQL tables were created: #temp_jobs_to_delete________________________________________________________________________________________________000000000002 | Create MsSql Table
Process c:\windows\system32\ftp.exe attempted to access suspicious domains: g.nxxxn.ga 4 times | Access Suspicious Domain, DNS Query
The command line C:\ProgramData\SQLAGENTVDC.exe was scheduled to run by modifying C:\Windows\System32\Tasks\SQL Server IO Simulators | Scheduled Task Creation
The command line C:\RECYCLER\SQLAGENTVDC.exe was scheduled to run by modifying C:\Windows\System32\Tasks\SQL Server IO Simulator | Scheduled Task Creation
User IUER_SERVER was created with the password ********* and added to groups: Administrators | User Created, User Added to Group
Connection was closed due to timeout | -
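The value of this event list is the sequence, not any single entry: a brute-forced MSSQL login, shell commands run through the SQL service, a dropped SQLAGENTVDC.exe, persistence via logon entries, scheduled tasks and MIME-filter registry keys, and finally a new local administrator. The following is an added example, not code from the Guardicore page or its product, that reconstructs that chain from event descriptions written in the page's own wording and pulls out the host IOCs a responder would pivot on. The stage names, regular expressions and the severity rule are this example's own assumptions, and the event lines are a constructed subset copied from the list above.

```python
"""Rebuild an MSSQL brute-force-to-persistence chain from sensor event text.

Added example, not part of the Guardicore page. Stage names, patterns and
the verdict rule are assumptions chosen to fit the event wording above.
"""
import re
from collections import OrderedDict

# Constructed sample: a subset of the event descriptions from the page, in order.
EVENTS = [
    "A user logged in using MSSQL with the following credentials: admin / ******* - Authentication policy: White List (Part of a Brute Force Attempt)",
    "A user logged in using MSSQL with the following username: sa - Authentication policy: Reached Max Attempts (Part of a Brute Force Attempt)",
    "MSSQL executed 79 shell commands",
    "Process c:\\windows\\system32\\cscript.exe attempted to access suspicious domains: g.nxxxn.ga 2 times",
    "Executable file C:\\ProgramData\\SQLAGENTVDC.exe was modified",
    "c:\\program files\\microsoft sql server\\mssql11.sqlexpress\\mssql\\binn\\sqlservr.exe set the command line C:\\RECYCLER\\SQLAGENTVDC.exe to run using Persistency - Logon",
    "c:\\windows\\system32\\regsvr32.exe installed a Persistency - Mime Filter backdoor by modifying Windows Registry 6 times",
    "The command line C:\\ProgramData\\SQLAGENTVDC.exe was scheduled to run by modifying C:\\Windows\\System32\\Tasks\\SQL Server IO Simulators",
    "User IUER_SERVER was created with the password ********* and added to groups: Administrators",
    "Connection was closed due to timeout",
]

# Kill-chain stages (assumed names) in the order they are expected to appear.
# Each event is assigned to the first stage whose pattern matches.
STAGES = [
    ("brute_force",   re.compile(r"logged in using MSSQL .*Brute Force", re.I)),
    ("shell_exec",    re.compile(r"MSSQL executed \d+ shell commands", re.I)),
    ("payload_fetch", re.compile(r"attempted to access suspicious domains", re.I)),
    ("binary_drop",   re.compile(r"Executable file .* was modified", re.I)),
    ("persistence",   re.compile(r"Persistency - (Logon|Mime Filter)|was scheduled to run", re.I)),
    ("admin_account", re.compile(r"User \S+ was created .*added to groups: .*Administrators", re.I)),
]

# IOC extractors; each pattern yields exactly one non-empty capture group per match.
IOC_PATTERNS = {
    "domain":   re.compile(r"suspicious domains: (\S+)"),
    "file":     re.compile(r"(?:Executable file|command line) ([A-Za-z]:\\\S+)", re.I),
    "task":     re.compile(r"modifying (C:\\Windows\\System32\\Tasks\\.+)$", re.I),
    "username": re.compile(r"(?:credentials|username): (\S+)|User (\S+) was created"),
}


def classify(event):
    """Return the stage name an event line maps to, or None if it is noise."""
    for stage, pattern in STAGES:
        if pattern.search(event):
            return stage
    return None


def attack_chain(events):
    """Stages observed, de-duplicated, in first-seen order."""
    seen = OrderedDict()
    for event in events:
        stage = classify(event)
        if stage and stage not in seen:
            seen[stage] = event
    return list(seen)


def extract_iocs(events):
    """Collect domains, dropped binaries, task files and account names."""
    iocs = {kind: set() for kind in IOC_PATTERNS}
    for event in events:
        for kind, pattern in IOC_PATTERNS.items():
            for match in pattern.finditer(event):
                iocs[kind].add(next(g for g in match.groups() if g))
    return {kind: sorted(values) for kind, values in iocs.items()}


def verdict(events):
    """Brute force alone is scanner noise; shell access is a foothold; a
    foothold that went on to persist or add an administrator is a compromise."""
    chain = attack_chain(events)
    if "brute_force" in chain and ("persistence" in chain or "admin_account" in chain):
        return "compromised"
    if "shell_exec" in chain:
        return "foothold"
    return "scanning"


if __name__ == "__main__":
    print("verdict:", verdict(EVENTS))
    print("chain:  ", " -> ".join(attack_chain(EVENTS)))
    for kind, values in extract_iocs(EVENTS).items():
        print(f"{kind:9}", values)
```

The extracted file paths, task file names and the IUER_SERVER account are what to sweep other SQL Server hosts for; the timeout at the end of the list is deliberately left unclassified so that connection noise never contributes to the verdict.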