My Random Thoughts on InfoSec

DFIR Research Ideas (2016-01-11)<div dir="ltr" style="text-align: left;" trbidi="on">
I'm enrolled in Champlain College's M.S. in Digital Forensic Science program, and I'm coming up on my capstone research thesis and project, which I'll begin in the Summer of 2016. The intent is to conduct original research, or expand on existing research, into a problem related to the digital forensics or incident response fields.<br />
<br />
I'd like to tackle a useful, immediately practical research topic rather than something more academic or theoretical. So, with that, I'm soliciting research ideas from the DFIR community. What problems have you experienced in your work where you thought more research was needed? Have you ever encountered a situation that you wish you had a better understanding of? Are there any emerging technologies or issues you regularly encounter but for which limited research or understanding exists? Ideas might be related to an operating system, an OS artifact, an application, a forensic technique, etc.<br />
<br />
I'm aware of the ForensicWiki <a href="http://www.forensicswiki.org/wiki/Research_Topics" target="_blank">research topics</a> and Forensic Focus <a href="http://www.forensicfocus.com/project-ideas" target="_blank">project ideas</a> pages. I'm considering some of those, although they are of varying ages and some may be of lesser relevance than when they were originally proposed.<br />
<br />
Please feel free to leave your comments below. There's no reason to be overly detailed; I'm not asking you to do the research for me! Just a brief statement of what you are interested in will suffice. If I use anyone's idea, or a variation thereof, I'll be sure to provide appropriate attribution.</div>
Posted 2015-11-28<div dir="ltr" style="text-align: left;" trbidi="on">
<h2 style="text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;">Write-Up of JIIR "<span style="background-color: white;">Triage Practical – Malware Event – Prefetch $MFT IDS"</span></span></h2>
<div>
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;"><span style="background-color: white;"><br /></span></span></div>
<h3 style="text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white;">Introduction</span></span></h3>
<div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white;"><br /></span></span></div>
<div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white;">Corey Harrell (@corey_harrell) recently tweeted about a malware triage challenge he posted on his Journey Into Incident Response (jIIr) blog:</span></span></div>
<blockquote class="twitter-tweet" lang="en">
<div dir="ltr" lang="en">
new jIIr post: Triage Practical – Malware Event – Prefetch <a href="https://twitter.com/search?q=%24MFT&src=ctag">$MFT</a> IDS <a href="https://t.co/2WB8owCw5M">https://t.co/2WB8owCw5M</a> <- scenario to practice triaging <a href="https://twitter.com/hashtag/DFIR?src=hash">#DFIR</a></div>
— Corey Harrell (@corey_harrell) <a href="https://twitter.com/corey_harrell/status/668620942017433601">November 23, 2015</a></blockquote>
<script async="" charset="utf-8" src="//platform.twitter.com/widgets.js"></script>
<br />
<div>
<br /></div>
<span style="font-family: "arial" , "helvetica" , sans-serif;">In this blog post, Corey provided some context to the scenario and also posed the following questions:</span><br />
<ul style="text-align: left;">
<li><span style="background-color: white; font-family: "arial" , "helvetica" , sans-serif; line-height: 20.592px;">Is this a confirmed malware security event or was the junior analyst mistaken?</span></li>
<li><span style="background-color: white; font-family: "arial" , "helvetica" , sans-serif; line-height: 20.592px;">What type of malware is involved?</span></li>
<li><span style="background-color: white; font-family: "arial" , "helvetica" , sans-serif; line-height: 20.592px;">What potential risk does the malware pose to your organization?</span></li>
<li><span style="background-color: white; font-family: "arial" , "helvetica" , sans-serif; line-height: 20.592px;">Based on the available information, what do you think occurred on the system to cause the malware event in the first place?</span></li>
</ul>
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">This write-up outlines my analysis of the provided evidence files and my answers to Corey's questions. All timestamps are shown in the GMT time zone.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<br />
<h3 style="text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">Analysis</span></h3>
<div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div>
<h4 style="text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">Processing evidence files</span></h4>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Before getting started, I converted the $MFT to a comma-separated values (CSV) file so that I could view the file in Microsoft Excel and also manipulate it using text parsing tools. First I created a bodyfile from the MFT using analyzeMFT:</span><br />
<pre style="background-color: #eeeeee; border: 1px dashed #999999; color: black; font-family: Andale Mono, Lucida Console, Monaco, fixed, monospace; font-size: 12px; line-height: 14px; overflow: auto; padding: 5px; width: 100%;"><code>$ analyzeMFT.py -f \$MFT -b MFT.body --bodyfull
</code></pre>
<span style="font-family: "arial" , "helvetica" , sans-serif;">where '-f' designates the file to read from (the '$' must be escaped so that the bash shell does not interpret '$MFT' as a variable name), '-b' specifies output in bodyfile format with the output file name, and '--bodyfull' specifies to include full file paths.</span></div>
<div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div>
<span style="font-family: "arial" , "helvetica" , sans-serif;">I then converted the bodyfile to a CSV using mactime from The Sleuth Kit:</span><br />
<pre style="background-color: #eeeeee; border: 1px dashed #999999; color: black; font-family: Andale Mono, Lucida Console, Monaco, fixed, monospace; font-size: 12px; line-height: 14px; overflow: auto; padding: 5px; width: 100%;"><code>$ mactime -d -b MFT.body -m > MFT.timeline
</code></pre>
<span style="font-family: "arial" , "helvetica" , sans-serif;">where '-d' specifies comma-delimited format, '-b' specifies the bodyfile to read from, '-m' designates months in the timestamps as numbers instead of letters and '>' redirects standard output to a file.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">All of the other evidence files provided were already in a usable form, so I did not have to process them before using them in my analysis, other than to replay the PCAP through Snort (using Security Onion) to see any generated alerts.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<h4 style="text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">Is this a confirmed malware security event?</span></h4>
<div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div>
<span style="font-family: "arial" , "helvetica" , sans-serif;">In a word, yes. The malware was executed, which installed a keylogger and exfiltrated data to an external FTP server.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Before analyzing the full scope of activity, I wanted to quickly identify any malicious indicator that would suggest further investigation was warranted and that could serve as an anchor point from which to pivot for additional analysis. I started with the prefetch files, since if this were really a malware infection, the malware would have executed and I might find evidence of this in the prefetch. Additionally, I had a general time frame to look at ("early...on August 15, 2015"). I mounted the </span><span style="font-family: "courier new" , "courier" , monospace;">Prefetch.ad1</span><span style="font-family: "arial" , "helvetica" , sans-serif;"> file with AccessData's FTK Imager, opened the prefetch files with NirSoft's WinPrefetchView utility, then sorted on the "Created Time" column. I quickly found a suspicious-looking executable named </span><span style="font-family: "courier new" , "courier" , monospace;">Overdue Invoice Documents for Payment 082015.exe</span><span style="font-family: "arial" , "helvetica" , sans-serif;">, shown in Figure 1:</span></div>
<div>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXVsQlqaeZ4WC3wC-zK8GDxPUkFOtWacCf16PDMsIoFyoWfNAGv6hqupjCo9SoEyv50ipunpJpV5___wJZ4vwoaE3Fq5RHLL2D1s-cEnPLtKyjmfqfGyVBGgT0P96UM2LY_5rGIi9z76g/s1600/Screen+Shot+2015-11-28+at+9.45.11+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="180" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXVsQlqaeZ4WC3wC-zK8GDxPUkFOtWacCf16PDMsIoFyoWfNAGv6hqupjCo9SoEyv50ipunpJpV5___wJZ4vwoaE3Fq5RHLL2D1s-cEnPLtKyjmfqfGyVBGgT0P96UM2LY_5rGIi9z76g/s400/Screen+Shot+2015-11-28+at+9.45.11+AM.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Figure 1: Prefetch file for "Overdue Invoice Documents for Payment 082015.exe".</span></td></tr>
</tbody></table>
<br /></div>
<div style="text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">The following lists the full prefetch file details for this executable:</span></div>
<pre style="background-color: #eeeeee; border: 1px dashed #999999; color: black; font-family: Andale Mono, Lucida Console, Monaco, fixed, monospace; font-size: 12px; line-height: 14px; overflow: auto; padding: 5px; width: 100%;"><code>Process EXE: OVERDUE%20INVOICE%20DOCUMENTS%20FOR%20PAYMENT%20082015[1].EXE
File Size: 56,400
Created Time (PF file): 8/15/2015 5:33:58 AM
Modified Time (PF file): 8/15/2015 5:33:58 AM
Last Run Time (EXE file): 8/15/2015 5:33:55 AM
Process Path: C:\USERS\LAB\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\TSFMVXQM\OVERDUE%20INVOICE%20DOCUMENTS%20FOR%20PAYMENT%20082015[1].EXE
Run Count: 1
Missing Process: Yes
Prefetch Filename: OVERDUE%20INVOICE%20DOCUMENTS-BB3C03FD.pf
</code></pre>
<span style="font-family: "arial" , "helvetica" , sans-serif;">This file caught my eye for two reasons. First, the file name suggests it is some sort of document (e.g., a word processing document, spreadsheet, etc.), yet it has an executable file extension. Second, I've seen many phish with "overdue invoice" themes to increase the urgency to open them. In order to confirm what this file was, I searched for the file name in the file hash list provided with the evidence files, and found the following:</span><br />
<pre style="background-color: #eeeeee; border: 1px dashed #999999; color: black; font-family: Andale Mono, Lucida Console, Monaco, fixed, monospace; font-size: 12px; line-height: 14px; overflow: auto; padding: 5px; width: 100%;"><code>MD5: ea0995d9e52a436e80b9ad341ff4ee62
SHA1: 0601740b14494a983ed0281f34443b439855724c
FileName: win7x32.vmdk\Partition 1 [8190MB]\NONAME [NTFS]\[root]\Users\lab\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TSFMVXQM\Overdue%20Invoice%20Documents%20for%20payment%20082015[1].exe
</code></pre>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Searching for this MD5 hash on VirusTotal returned a 44/56 anti-virus detection ratio, a very strong indication that this file is malicious (VirusTotal, 2015). Now, just because a malicious file was downloaded does not mean it was executed or the host was actually compromised. In this case, however, the prefetch for this file shows it was executed on 8/15/2015 at 5:33:55 AM, so we can assume for now the host was probably compromised. </span><br />
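<div>
<span style="font-family: "arial" , "helvetica" , sans-serif;">The fields WinPrefetchView displays above come straight from the .pf file header. As an added example (not code from the original write-up), the parser below reads them from raw files, which is convenient when working from the mounted Prefetch.ad1 rather than a live box: the format version at offset 0, the SCCA signature, the 60-byte UTF-16 executable name (29 characters plus a terminator, which is why the prefetch filename stops at "DOCUMENTS"), the hash, and the version-dependent last-run FILETIME(s) and run count. Offsets follow the libscca format documentation for versions 17 (XP), 23 (Vista/7) and 26 (8/8.1); Windows 10 files are MAM-compressed and are rejected rather than mis-read. The sample prefetch image is constructed in code from the last-run time shown above; the \DEVICE\HARDDISKVOLUME1 prefix of the device path is an assumption.</span></div>

```python
"""Header parser for Windows Prefetch (.pf) files.

Added example, not code from the original write-up.  Offsets follow the
libscca format documentation for versions 17 (XP/2003), 23 (Vista/7) and
26 (8/8.1); Windows 10 files are MAM-compressed and are rejected rather
than mis-parsed.  Returns the fields WinPrefetchView displays: executable
name, hash, last run time(s) and run count.
"""
import glob
import os
import struct
import sys
from datetime import datetime, timedelta

FILETIME_EPOCH = datetime(1601, 1, 1)
NAME_OFFSET, NAME_SIZE = 0x10, 60      # UTF-16LE, 29 characters + terminator
HASH_OFFSET = 0x4C
LAYOUT = {                             # absolute offsets that differ by version
    17: {"last_run": 0x78, "runs": 1, "run_count": 0x90},
    23: {"last_run": 0x80, "runs": 1, "run_count": 0x98},
    26: {"last_run": 0x80, "runs": 8, "run_count": 0xD0},
}


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> naive UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10**7 + delta.microseconds * 10


def scca_vista_hash(device_path):
    """Vista/7 prefetch hash (the -XXXXXXXX suffix of the .pf name), taken
    over the upper-case NT device path of the executable."""
    h = 314159
    for ch in device_path.upper():
        h = (h * 37 + ord(ch)) & 0xFFFFFFFF
    return h


def parse_prefetch(data):
    if data[:3] == b"MAM":
        raise ValueError("compressed (Windows 10) prefetch; decompress first")
    if len(data) < 0x54 or data[4:8] != b"SCCA":
        raise ValueError("missing SCCA signature")
    version, = struct.unpack_from("<I", data, 0)
    if version not in LAYOUT:
        raise ValueError("unsupported prefetch version %d" % version)
    layout = LAYOUT[version]
    if len(data) < layout["run_count"] + 4:
        raise ValueError("truncated prefetch header")
    name = data[NAME_OFFSET:NAME_OFFSET + NAME_SIZE].decode("utf-16-le")
    pf_hash, = struct.unpack_from("<I", data, HASH_OFFSET)
    ticks = struct.unpack_from("<%dQ" % layout["runs"], data, layout["last_run"])
    run_times = [filetime_to_datetime(t) for t in ticks if t]   # zero = unused slot
    run_count, = struct.unpack_from("<I", data, layout["run_count"])
    return {
        "version": version,
        "executable": name.split("\x00", 1)[0],
        "hash": "%08X" % pf_hash,
        "last_run": run_times[0] if run_times else None,
        "run_times": run_times,
        "run_count": run_count,
    }


def build_sample_prefetch(version, exe_path, run_times, run_count):
    """Constructed fixture: a header-only .pf image.  Real files carry the
    file-metrics, trace-chain, filename and volume sections after the
    header; nothing above needs them."""
    layout = LAYOUT[version]
    buf = bytearray(0x100)
    struct.pack_into("<I4s", buf, 0, version, b"SCCA")
    exe = exe_path.rsplit("\\", 1)[-1].upper().encode("utf-16-le")[:NAME_SIZE - 2]
    buf[NAME_OFFSET:NAME_OFFSET + NAME_SIZE] = exe.ljust(NAME_SIZE, b"\x00")
    struct.pack_into("<I", buf, HASH_OFFSET, scca_vista_hash(exe_path))
    ticks = [datetime_to_filetime(t) for t in run_times][:layout["runs"]]
    struct.pack_into("<%dQ" % len(ticks), buf, layout["last_run"], *ticks)
    struct.pack_into("<I", buf, layout["run_count"], run_count)
    return bytes(buf)


# The executable and GMT last-run time from the write-up; the volume prefix is assumed.
SAMPLE_PATH = (r"\DEVICE\HARDDISKVOLUME1\USERS\LAB\APPDATA\LOCAL\MICROSOFT\WINDOWS"
               r"\TEMPORARY INTERNET FILES\CONTENT.IE5\TSFMVXQM"
               r"\OVERDUE%20INVOICE%20DOCUMENTS%20FOR%20PAYMENT%20082015[1].EXE")
SAMPLE_LAST_RUN = datetime(2015, 8, 15, 5, 33, 55)
SAMPLE_PF = build_sample_prefetch(23, SAMPLE_PATH, [SAMPLE_LAST_RUN], 1)


def triage_directory(pf_dir):
    """Parse every .pf under pf_dir, most recent last run first."""
    rows = []
    for path in glob.glob(os.path.join(pf_dir, "*.pf")):
        with open(path, "rb") as fh:
            try:
                info = parse_prefetch(fh.read())
            except ValueError as exc:
                info = {"last_run": None, "executable": os.path.basename(path),
                        "hash": str(exc), "run_count": 0}
        rows.append((info["last_run"], info["executable"], info["hash"], info["run_count"]))
    return sorted(rows, key=lambda r: r[0] or FILETIME_EPOCH, reverse=True)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for row in triage_directory(sys.argv[1]):
            print(*row)
    else:
        print(parse_prefetch(SAMPLE_PF))
```

<div>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Pointed at an extracted Prefetch directory (<span style="font-family: "courier new" , "courier" , monospace;">python parse_prefetch.py /mnt/Prefetch</span>) it lists every executable sorted by last run, which is the same "sort by time, look for odd names" triage done above in WinPrefetchView. Recomputing the hash from the device path is a cheap consistency check: a copy of the same executable launched from a different directory gets a different suffix, so a .pf whose hash does not match the expected path is itself a lead.</span></div>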
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<br />
<h4 style="text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">What type of malware is involved?</span></h4>
<div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Most of the VirusTotal detections refer to this file as a generic Trojan, backdoor, or password stealer. Based on the PCAP provided, however, the malware appears to be the HawkEye Keylogger program, as shown in Figures 2 - 4.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPxPipKqa6jo3-ThzzeXAHwTvWHBA0_jmn1eb7L9i_4NIjt2toq_2TORpwOK9KHVOUlZxtR5gd4eNnfI-_ZRzyro12tCTbvnQWMNhFglX5LU9FjvAQeg5le5ayaBYLd6ncNbxKDlKJTpU/s1600/Screen+Shot+2015-11-28+at+3.05.50+PM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="281" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPxPipKqa6jo3-ThzzeXAHwTvWHBA0_jmn1eb7L9i_4NIjt2toq_2TORpwOK9KHVOUlZxtR5gd4eNnfI-_ZRzyro12tCTbvnQWMNhFglX5LU9FjvAQeg5le5ayaBYLd6ncNbxKDlKJTpU/s400/Screen+Shot+2015-11-28+at+3.05.50+PM.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Figure 2: "ET TROJAN HawkEye Keylogger FTP" Snort alert.</span></td></tr>
</tbody></table>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYrau0PenN_do_lMQMQwNZ5DAoOse4cB3Ue-Gen1_H5ca9rHcoJY_uujgSW_SqSbjKjbasJ7ijudmKAuSWiPZoGaLp8iV2T1BMQ4lE7R6ydkgDoPzK95RRMg1XPkT3sHXzK5QaIrU-CRs/s1600/Screen+Shot+2015-11-28+at+3.18.17+PM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="363" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYrau0PenN_do_lMQMQwNZ5DAoOse4cB3Ue-Gen1_H5ca9rHcoJY_uujgSW_SqSbjKjbasJ7ijudmKAuSWiPZoGaLp8iV2T1BMQ4lE7R6ydkgDoPzK95RRMg1XPkT3sHXzK5QaIrU-CRs/s400/Screen+Shot+2015-11-28+at+3.18.17+PM.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Figure 3: HawkEye Keylogger exfiltrating log file via FTP.</span></td></tr>
</tbody></table>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"></span><br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigoh8AMMRrcWhk8u4FhpgStOcrhLb4fjdfuWIMa0MbRKL7VVkGGw3pNSsj_wQWQ1ucOQoYySEVb9ZSWU61L53i1DPyiN_pd0ZnDZYcYolpcolm6MbSt1a1TeF9NDJt7cxYgrgKQqMasPY/s1600/Screen+Shot+2015-11-28+at+3.18.21+PM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigoh8AMMRrcWhk8u4FhpgStOcrhLb4fjdfuWIMa0MbRKL7VVkGGw3pNSsj_wQWQ1ucOQoYySEVb9ZSWU61L53i1DPyiN_pd0ZnDZYcYolpcolm6MbSt1a1TeF9NDJt7cxYgrgKQqMasPY/s400/Screen+Shot+2015-11-28+at+3.18.21+PM.png" width="380" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: 12.8px;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Figure 4: Contents of HawkEye Keylogger log file exfiltrated via FTP.</span></span></td></tr>
</tbody></table>
<div style="text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">Note that the local system time stamp in the exfiltrated file in Figure 4 is 1:34:15 AM (Local) or 5:34:15 AM GMT, which is only 20 seconds after the malware was executed. I did not find the filename </span><span style="font-family: "courier new" , "courier" , monospace;">HawkEye_Keylogger_Stealer_Records_WIN-DBO1FC9QSDG 8.15.2015 1:34:20 AM.txt</span><span style="font-family: "arial" , "helvetica" , sans-serif;"> in either the $MFT or the file hash list.</span></div>
<div style="text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div style="text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">Malwr.com (2015) has a sandbox analysis of this specific malware sample (by MD5 hash). I wasn't able to locate any artifacts in the MFT timeline or file hash list similar to those in the Malwr.com analysis, so the malware may have had some type of cleanup routine. I also did not download the sample from Malwr.com for further static or dynamic analysis since this is just a triage scenario, and I wanted to limit my findings to the provided evidence files and what I could quickly find through Google searches.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<h4 style="text-align: left;">
<span style="background-color: white; font-family: "arial" , "helvetica" , sans-serif; line-height: 20.592px;">What potential risk does the malware pose to your organization?</span></h4>
<div>
<span style="background-color: white; font-family: "arial" , "helvetica" , sans-serif; line-height: 20.592px;">This malware poses a very high risk to the organization due to its ability to steal a variety of credentials, which could in turn be used to steal additional data, access other systems, facilitate lateral movement, launch more credible phishing or spear phishing campaigns through compromised email accounts, and a plethora of other possibilities. iSIGHT Partners reported previously on the Hawkeye Keylogger's capabilities (Eitzman, 2015).</span><br />
<span style="background-color: white; font-family: "arial" , "helvetica" , sans-serif; line-height: 20.592px;"><br /></span></div>
<h4 style="text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white; line-height: 20.592px;">What do you think occurred on the system to cause the malware event in the first place?</span></span></h4>
</div>
<div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white; line-height: 20.592px;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white; line-height: 20.592px;">There is no way to determine with certainty how the malware got on the machine in the first place based on just the information provided. However, I think a reasonable hypothesis is that it was delivered via a phishing email, either as an embedded link or a file attachment. There are at least two reasons that suggest this was a phish: 1) the malware file name is a common theme in phishing emails, and 2) the MFT timeline indicates a user on the computer was logged into the Yahoo! Mail web mail service at least three minutes prior to the malware being created on the system. Figure 5 depicts some relevant portions of the MFT timeline showing Yahoo! and Yahoo! Mail artifacts that suggest the user may have been logged into his or her web mail account:</span></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white; line-height: 20.592px;"><br /></span></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQxQA0jW7BbjsbV8EEEbOmY9DrVw-ELkd7DprN03umlti8wN-HJ2XC9Ldagjw6L_c0cJ7zFoHRDTuokZVcnbKIHjPl2u-jui5Mcl2UJyL8yYU0cXoqGn874e4X0hk5Fnnbq8WCy75sUBo/s1600/Screen+Shot+2015-11-28+at+2.46.29+PM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="237" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQxQA0jW7BbjsbV8EEEbOmY9DrVw-ELkd7DprN03umlti8wN-HJ2XC9Ldagjw6L_c0cJ7zFoHRDTuokZVcnbKIHjPl2u-jui5Mcl2UJyL8yYU0cXoqGn874e4X0hk5Fnnbq8WCy75sUBo/s400/Screen+Shot+2015-11-28+at+2.46.29+PM.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 5: Yahoo! activity in MFT timeline.</td></tr>
</tbody></table>
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white; line-height: 20.592px;"><br /></span></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white; line-height: 20.592px;">The previously mentioned iSIGHT Partners report discusses confirmed Hawkeye Keylogger campaigns that use phishing emails with "payment" or "invoice" themes, which supports this hypothesis. With that said, it would be necessary to examine this machine's web browsing history and web browsing cache files, and possibly speak to the user, to confirm or deny this hypothesis.</span></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white; line-height: 20.592px;"><br /></span></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white; line-height: 20.592px;">I couldn't tell whether any exploits were involved, although this seems like it was a standalone executable, as I did not find any related prefetch information or any other potentially malicious files in the MFT timeline or file hash list (I admit I didn't review the file hash list on its own very thoroughly). Based on the MFT timeline, there was some Java and Adobe application activity before and after the malware was executed that could be related, and the machine was running vulnerable Java version 1.7.0_10 per the Snort alert in Figure 2 and the corresponding transcript in Figure 6. However, it looks like this might just be normal Java/Adobe operation. Additional file system analysis would be required to confirm this.</span></span></div>
<div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXewXijtQEHpX6d2UK5zTSogolKo4OSR9MLPZIhsnw7zPS8YQbiq3dAdPKBR8scVkroIAW0i7BEI7MUXo0wyLWcEA9Fn3loPsybC3N8vHwD-savRDtjD-lKZO4FiCowq7JI4J1RNpzX60/s1600/Screen+Shot+2015-11-28+at+4.03.56+PM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXewXijtQEHpX6d2UK5zTSogolKo4OSR9MLPZIhsnw7zPS8YQbiq3dAdPKBR8scVkroIAW0i7BEI7MUXo0wyLWcEA9Fn3loPsybC3N8vHwD-savRDtjD-lKZO4FiCowq7JI4J1RNpzX60/s400/Screen+Shot+2015-11-28+at+4.03.56+PM.png" width="363" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Figure 6: Transcript showing vulnerable Java version.</span></td></tr>
</tbody></table>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white; line-height: 20.592px;"><br /></span></span></div>
<div style="text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">Another hypothesis is that the user was redirected during normal web browsing to a site hosting this file. I think this is less likely, as the file name seemed intended for a user to see and manually open it rather than through automated means (redirects, exploit kit, etc.).</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
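<div>
<span style="font-family: "arial" , "helvetica" , sans-serif;">As an added example that is not part of the original write-up, the script below reads the MFT.timeline CSV produced by the mactime command in the processing section, keeps the records within a window around the prefetch last-run time (5:33:55 AM GMT) and tags the paths that match keywords of interest. This is the pivot used above in code form: the Yahoo! Mail artifacts a few minutes before the executable landed in Content.IE5, the prefetch file seconds after execution, and the Java activity around it, each shown with its offset from the anchor. The CSV lines are constructed (sizes and MFT entry numbers are invented; the paths echo artifacts named in the analysis); the column layout is mactime's own, and the date parser accepts both the default and the -m rendering of the Date column.</span></div>

```python
"""Pivot through a mactime -d timeline around an anchor time.

Added example, not part of the original write-up.  Reads the CSV that
``mactime -d -b MFT.body -m > MFT.timeline`` writes, keeps the records in
a window around an anchor (here the prefetch last-run time of the
suspicious executable) and tags paths that match keywords of interest, so
the events before and after execution can be read in order with their
offset from the anchor.
"""
import csv
import io
import sys
from datetime import datetime, timedelta

# mactime -d header: Date,Size,Type,Mode,UID,GID,Meta,File Name.  The Date
# column reads "Sat Aug 15 2015 05:33:55" by default or "Sat 08 15 2015
# 05:33:55" with -m; both are accepted.
DATE_FORMATS = ("%a %b %d %Y %H:%M:%S", "%a %m %d %Y %H:%M:%S")

# Constructed sample in that layout.  Sizes and MFT entry numbers are made
# up; the paths echo the artifacts discussed in the write-up.
SAMPLE_CSV = """\
Date,Size,Type,Mode,UID,GID,Meta,File Name
Sat Aug 15 2015 04:02:11,1024,m...,r/rrwxrwxrwx,0,0,4101,/Windows/Prefetch/SVCHOST.EXE-12345678.pf
Sat Aug 15 2015 05:30:40,312,macb,r/rrwxrwxrwx,0,0,22017,/Users/lab/AppData/Roaming/Microsoft/Windows/Cookies/lab@mail.yahoo[1].txt
Sat Aug 15 2015 05:30:41,9870,macb,r/rrwxrwxrwx,0,0,22018,/Users/lab/AppData/Local/Microsoft/Windows/Temporary Internet Files/Content.IE5/TSFMVXQM/login[1].htm
Sat Aug 15 2015 05:33:41,56400,macb,r/rrwxrwxrwx,0,0,22031,/Users/lab/AppData/Local/Microsoft/Windows/Temporary Internet Files/Content.IE5/TSFMVXQM/Overdue%20Invoice%20Documents%20for%20payment%20082015[1].exe
Sat Aug 15 2015 05:33:58,2316,macb,r/rrwxrwxrwx,0,0,22033,/Windows/Prefetch/OVERDUE%20INVOICE%20DOCUMENTS-BB3C03FD.pf
Sat Aug 15 2015 05:34:02,4096,.a..,r/rrwxrwxrwx,0,0,18240,/Program Files/Java/jre7/bin/java.exe
Sat Aug 15 2015 06:10:00,100,m...,r/rrwxrwxrwx,0,0,900,/Windows/Logs/CBS/CBS.log
"""
ANCHOR = datetime(2015, 8, 15, 5, 33, 55)   # prefetch last-run time, GMT
KEYWORDS = ("yahoo", "content.ie5", "overdue", "java", ".pf")


def parse_mactime_date(text):
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text.strip(), fmt)
        except ValueError:
            continue
    raise ValueError("unrecognised mactime date: %r" % text)


def load_timeline(csv_text):
    """Return (datetime, size, macb, path) tuples.  A blank Date field
    inherits the previous record's time, and commas inside the path are
    re-joined because mactime does not quote the File Name column."""
    rows, last_dt = [], None
    for rec in csv.reader(io.StringIO(csv_text)):
        if len(rec) < 8 or rec[0] == "Date":
            continue
        if rec[0].strip():
            last_dt = parse_mactime_date(rec[0])
        rows.append((last_dt, rec[1], rec[2], ",".join(rec[7:])))
    return rows


def pivot(rows, anchor, before=timedelta(minutes=5), after=timedelta(minutes=2),
          keywords=KEYWORDS):
    """Records within [anchor - before, anchor + after], oldest first, as
    (time, seconds_from_anchor, macb, path, matched_keywords)."""
    hits = []
    for dt, _size, macb, path in rows:
        if dt is None or not (anchor - before <= dt <= anchor + after):
            continue
        tags = [k for k in keywords if k in path.lower()]
        hits.append((dt, (dt - anchor).total_seconds(), macb, path, tags))
    return sorted(hits, key=lambda h: h[0])


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_CSV
    for dt, offset, macb, path, tags in pivot(load_timeline(text), ANCHOR):
        print("%s %+6.0fs %s %-22s %s" % (dt, offset, macb, ",".join(tags), path))
```

<div>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Run it against the real timeline with <span style="font-family: "courier new" , "courier" , monospace;">python pivot_timeline.py MFT.timeline</span> and widen the window once the anchor is confirmed. One caveat worth carrying into any $MFT-based timeline: analyzeMFT's --bodystd switch selects $STANDARD_INFORMATION rather than $FILE_NAME timestamps for the bodyfile, and since $STANDARD_INFORMATION times are the ones malware can cheaply stomp, producing both bodyfiles and diffing the two windows is a quick check that the sequence shown here is trustworthy.</span></div>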
<h3 style="text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif;">References</span></h3>
<div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span><span style="font-family: "arial" , "helvetica" , sans-serif;">Eitzman, R. (2015). Hawkeye keylogger campaigns affect multiple industries. Retrieved from http://www.isightpartners.com/2015/06/hawkeye-keylogger-campaigns-affect-multiple-industries/.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Malwr.com. (2015). Analysis of file with MD5 hash ea0995d9e52a436e80b9ad341ff4ee62</span><span style="font-family: "arial" , "helvetica" , sans-serif;">. Retrieved from https://malwr.com/analysis/ZWU0ZmJmOWE4OGFhNDlhN2EwZmZmM2UyZTc0ODk3MjQ/.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">VirusTotal. (2015). Analysis of file with MD5 hash ea0995d9e52a436e80b9ad341ff4ee62. Retrieved from https://www.virustotal.com/en/file/96716cf198502bdeeb0c0fccd8d01e46bccb2d03eaf0537d16f51851333d5247/analysis/.</span></div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
Solution to Jack Crook's Memory Analysis Challenge (2015-10-18)<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<span style="font-family: inherit;">Jack Crook tweeted last month about a memory analysis challenge he put together:</span><br />
<blockquote class="twitter-tweet" lang="en">
<div dir="ltr" lang="en">
Here's a memory dump related to a webserver compromise I put together a few months ago. Enjoy. <a href="https://twitter.com/hashtag/DFIR?src=hash">#DFIR</a> <a href="https://t.co/EfwTiJriLT">https://t.co/EfwTiJriLT</a></div>
— Jack Crook (@jackcr) <a href="https://twitter.com/jackcr/status/647768212772364289">September 26, 2015</a></blockquote>
<script async="" charset="utf-8" src="//platform.twitter.com/widgets.js"></script>
I had prior access to this image and originally put all my analysis findings in a Word document. I finally got around to transferring it to my blog. I apologize for any formatting errors - it's a pain to transfer well-formatted word processing documents to a blog post.<br />
<br />
<!--[if gte mso 9]><xml>
<w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="false"
DefSemiHidden="false" DefQFormat="false" DefPriority="99"
LatentStyleCount="380">
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="page number"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="endnote reference"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="endnote text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="table of authorities"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="macro"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="toa heading"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 5"/>
<w:LsdException Locked="false" Priority="10" QFormat="true" Name="Title"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Closing"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Signature"/>
<w:LsdException Locked="false" Priority="1" SemiHidden="true"
UnhideWhenUsed="true" Name="Default Paragraph Font"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text Indent"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Message Header"/>
<w:LsdException Locked="false" Priority="11" QFormat="true" Name="Subtitle"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Salutation"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Date"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text First Indent"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text First Indent 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Note Heading"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text Indent 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text Indent 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Block Text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Hyperlink"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="FollowedHyperlink"/>
<w:LsdException Locked="false" Priority="22" QFormat="true" Name="Strong"/>
<w:LsdException Locked="false" Priority="20" QFormat="true" Name="Emphasis"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Document Map"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Plain Text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="E-mail Signature"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Top of Form"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Bottom of Form"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Normal (Web)"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Acronym"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Address"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Cite"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Code"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Definition"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Keyboard"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Preformatted"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Sample"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Typewriter"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Variable"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Normal Table"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="annotation subject"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="No List"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Outline List 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Outline List 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Outline List 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Simple 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Simple 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Simple 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Colorful 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Colorful 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Colorful 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 6"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 7"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 8"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 6"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 7"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 8"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table 3D effects 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table 3D effects 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table 3D effects 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Contemporary"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Elegant"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Professional"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Subtle 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Subtle 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Web 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Web 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Web 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Balloon Text"/>
<w:LsdException Locked="false" Priority="39" Name="Table Grid"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Theme"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Note Level 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Note Level 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Note Level 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Note Level 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Note Level 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Note Level 6"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Note Level 7"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Note Level 8"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Note Level 9"/>
<w:LsdException Locked="false" SemiHidden="true" Name="Placeholder Text"/>
<w:LsdException Locked="false" Priority="1" QFormat="true" Name="No Spacing"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading"/>
<w:LsdException Locked="false" Priority="61" Name="Light List"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 1"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 1"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 1"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 1"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 1"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 1"/>
<w:LsdException Locked="false" SemiHidden="true" Name="Revision"/>
<w:LsdException Locked="false" Priority="34" QFormat="true"
Name="List Paragraph"/>
<w:LsdException Locked="false" Priority="29" QFormat="true" Name="Quote"/>
<w:LsdException Locked="false" Priority="30" QFormat="true"
Name="Intense Quote"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 1"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 1"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 1"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 1"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 1"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 1"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 1"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 1"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 2"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 2"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 2"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 2"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 2"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 2"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 2"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 2"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 2"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 2"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 2"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 2"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 2"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 2"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 3"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 3"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 3"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 3"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 3"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 3"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 3"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 3"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 3"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 3"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 3"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 3"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 3"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 3"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 4"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 4"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 4"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 4"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 4"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 4"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 4"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 4"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 4"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 4"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 4"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 4"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 4"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 4"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 5"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 5"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 5"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 5"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 5"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 5"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 5"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 5"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 5"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 5"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 5"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 5"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 5"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 5"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 6"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 6"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 6"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 6"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 6"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 6"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 6"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 6"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 6"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 6"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 6"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 6"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 6"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 6"/>
<w:LsdException Locked="false" Priority="19" QFormat="true"
Name="Subtle Emphasis"/>
<w:LsdException Locked="false" Priority="21" QFormat="true"
Name="Intense Emphasis"/>
<w:LsdException Locked="false" Priority="31" QFormat="true"
Name="Subtle Reference"/>
<w:LsdException Locked="false" Priority="32" QFormat="true"
Name="Intense Reference"/>
<w:LsdException Locked="false" Priority="33" QFormat="true" Name="Book Title"/>
<w:LsdException Locked="false" Priority="37" SemiHidden="true"
UnhideWhenUsed="true" Name="Bibliography"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="TOC Heading"/>
<w:LsdException Locked="false" Priority="41" Name="Plain Table 1"/>
<w:LsdException Locked="false" Priority="42" Name="Plain Table 2"/>
<w:LsdException Locked="false" Priority="43" Name="Plain Table 3"/>
<w:LsdException Locked="false" Priority="44" Name="Plain Table 4"/>
<w:LsdException Locked="false" Priority="45" Name="Plain Table 5"/>
<w:LsdException Locked="false" Priority="40" Name="Grid Table Light"/>
<w:LsdException Locked="false" Priority="46" Name="Grid Table 1 Light"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark"/>
<w:LsdException Locked="false" Priority="51" Name="Grid Table 6 Colorful"/>
<w:LsdException Locked="false" Priority="52" Name="Grid Table 7 Colorful"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 1"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 1"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 1"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 1"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 1"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 2"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 2"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 2"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 2"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 2"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 3"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 3"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 3"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 3"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 3"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 4"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 4"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 4"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 4"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 4"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 5"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 5"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 5"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 5"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 5"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 6"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 6"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 6"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 6"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 6"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="46" Name="List Table 1 Light"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark"/>
<w:LsdException Locked="false" Priority="51" Name="List Table 6 Colorful"/>
<w:LsdException Locked="false" Priority="52" Name="List Table 7 Colorful"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 1"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 1"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 1"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 1"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 1"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 2"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 2"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 2"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 2"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 2"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 3"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 3"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 3"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 3"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 3"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 4"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 4"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 4"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 4"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 4"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 5"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 5"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 5"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 5"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 5"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 6"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 6"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 6"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 6"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 6"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 6"/>
</w:LatentStyles>
</xml><![endif]-->
<!--StartFragment-->
<br />
<h2 style="margin-top: 0in; text-align: left;">
<span style="font-family: 'Times New Roman';">Introduction</span></h2>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman';">The investigation of this host was initiated after a Windows batch file was observed being created in the </span><span style="font-family: 'Courier New';">C:\Windows</span><span style="font-family: 'Times New Roman';"> directory. This host was at IP address </span><span style="font-family: 'Courier New';">192.168.56.30</span><span style="font-family: 'Times New Roman';">; any IP address not on the </span><span style="font-family: 'Courier New';">192.168.56.x</span><span style="font-family: 'Times New Roman';"> network is considered external to this host.</span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman';"><br /></span></div>
<h2 style="margin-top: 0in; text-align: left;">
<span style="font-family: 'Times New Roman';">Summary</span></h2>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman';">On 6/11/2015, an attacker at IP address </span><span style="font-family: 'Courier New';">58.64.141.245</span><span style="font-family: 'Times New Roman';"> connected to the Apache Tomcat server on this host and logged in
with default Tomcat credentials. The attacker then uploaded a web shell to the
server that gave him the ability to execute system commands and upload
additional files with the SYSTEM-level privileges under which Tomcat was running. The attacker uploaded the Windows Credential
Editor (WCE) tool and a Windows batch file, then created a Windows scheduled
task to execute the batch file, which in turn executed WCE. Credentials for a
single administrator account were dumped to a file on the server in a web-accessible
directory, and the attacker retrieved this file via an HTTP GET request. No
lateral movement to other internal machines was identified, so it is believed
this web server was the only machine compromised in this attack. All attacker
activity took place on 6/11/2015.</span></div>
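The sequence the summary describes (authenticated manager access from an external address, a deployment through the manager, then requests into a context Tomcat did not ship with) as an added triage check over Tomcat access logs; this is example code, not part of the original post. The log lines, the context name <code>shell</code> and the file names are constructed, and "external" follows the introduction's definition: anything outside 192.168.56.0/24.

```python
"""Triage of Tomcat access logs for the manager-abuse sequence in this report.

Added example, not part of the original post.  It scans constructed
Common Log Format lines and flags, per external client, the stages the
summary describes: an authenticated hit on the Tomcat manager, a
deployment through the manager, and subsequent requests into a context
that is not one of Tomcat's stock applications.  Network values follow
the report: only 192.168.56.0/24 is internal.  The log lines, the
context name 'shell' and the file names are constructed for the example.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

INTERNAL_NET = ipaddress.ip_network("192.168.56.0/24")

# Contexts that ship with a stock Tomcat install; anything else that
# starts receiving requests right after a deployment is worth a look.
KNOWN_CONTEXTS = {"ROOT", "manager", "host-manager", "docs", "examples"}

# host ident user [time] "METHOD path protocol" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Constructed sample log (not evidence from the report).
SAMPLE_LOG = """\
192.168.56.20 - - [11/Jun/2015:14:01:03 -0400] "GET /index.jsp HTTP/1.1" 200 1234
58.64.141.245 - - [11/Jun/2015:14:02:10 -0400] "GET /manager/html HTTP/1.1" 401 2473
58.64.141.245 - tomcat [11/Jun/2015:14:02:15 -0400] "GET /manager/html HTTP/1.1" 200 17891
58.64.141.245 - tomcat [11/Jun/2015:14:03:01 -0400] "POST /manager/html/upload?nonce=ABC HTTP/1.1" 200 18002
58.64.141.245 - - [11/Jun/2015:14:05:40 -0400] "GET /shell/index.jsp HTTP/1.1" 200 512
58.64.141.245 - - [11/Jun/2015:14:30:12 -0400] "GET /shell/out.txt HTTP/1.1" 200 4096
"""


def is_external(ip):
    """External means outside 192.168.56.0/24, as the report's introduction defines it."""
    try:
        return ipaddress.ip_address(ip) not in INTERNAL_NET
    except ValueError:
        return True  # unparseable client field: do not silently drop it


def parse_line(line):
    """Parse one CLF line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def classify(rec, already_deployed):
    """Name the stage a successful request belongs to, or None if unremarkable."""
    if rec["status"] != 200:
        return None
    path = rec["path"].split("?", 1)[0]
    segs = path.split("/")                      # "/shell/out.txt" -> ["", "shell", "out.txt"]
    context = segs[1] if len(segs) > 2 else "ROOT"
    if context == "manager":
        if rec["method"] in ("POST", "PUT") and ("upload" in path or "deploy" in path):
            return "deploy"
        if rec["user"] != "-":
            return "manager_login"
        return None
    if already_deployed and context not in KNOWN_CONTEXTS:
        return "new_context_request"
    return None


def find_manager_abuse(log_text):
    """Map each external client IP to its (stage, ISO time, path) findings, in log order."""
    findings = defaultdict(list)
    deployed_by = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_external(rec["ip"]):
            continue
        stage = classify(rec, rec["ip"] in deployed_by)
        if stage is None:
            continue
        if stage == "deploy":
            deployed_by.add(rec["ip"])
        findings[rec["ip"]].append((stage, rec["time"].isoformat(), rec["path"]))
    return dict(findings)


if __name__ == "__main__":
    for ip, events in find_manager_abuse(SAMPLE_LOG).items():
        print(ip)
        for stage, when, path in events:
            print(f"  {when}  {stage:<20} {path}")
```

Requests into an unknown context are only reported once the same client has deployed through the manager, which keeps ordinary browsing of custom applications out of the findings.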
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman';"><br /></span></div>
<h2 style="margin-bottom: 0.0001pt; text-align: left;">
<span style="font-family: 'Times New Roman';">Technical
Details</span></h2>
<div>
<span style="font-family: 'Times New Roman';"><br /></span></div>
<h3 style="text-align: left;">
<span style="font-family: 'Times New Roman';">Image
md5 hash</span></h3>
<div>
<span style="font-family: 'Times New Roman';"><br /></span></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: 'Courier New'; font-size: x-small;">$ md5sum
WIN-CEKM08E74HR-20150611-222930.raw</span></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: 'Courier New'; font-size: x-small;">17754bc58dffa7d2887af8ddfae40698</span></div>
<div style="text-align: left;">
<span style="font-family: 'Times New Roman';"><br /></span></div>
<h3 style="text-align: left;">
<span style="font-family: 'Times New Roman';">Volatility
imageinfo output</span></h3>
<div>
<span style="font-family: 'Times New Roman';"><br /></span></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: 'Courier New'; font-size: x-small;">$ vol.py -f WIN-CEKM08E74HR-20150611-222930.raw
imageinfo</span></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: 'Courier New'; font-size: x-small;">Determining profile based on
KDBG search...</span></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-size: x-small;"><br /></span></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: 'Courier New'; font-size: x-small;">Suggested Profile(s) : VistaSP1x86,
Win2008SP1x86, Win2008SP2x86, VistaSP2x86</span></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: 'Courier New'; font-size: x-small;">AS Layer1 :
IA32PagedMemory (Kernel AS)</span></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: 'Courier New'; font-size: x-small;">AS Layer2 :
FileAddressSpace (/lr/users/mgregory/WIN-CEKM08E74HR-20150611-222930.raw)</span></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: 'Courier New'; font-size: x-small;">PAE type : No PAE</span></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: 'Courier New'; font-size: x-small;">DTB : 0x122000L</span></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: 'Courier New'; font-size: x-small;">KDBG : 0x8190ac98</span></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: 'Courier New'; font-size: x-small;">Number of Processors : 1</span></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: 'Courier New'; font-size: x-small;">Image Type (Service Pack) : 2</span></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: 'Courier New'; font-size: x-small;">KPCR for CPU 0 : 0x8190b800</span></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: 'Courier New'; font-size: x-small;">KUSER_SHARED_DATA : 0xffdf0000</span></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: 'Courier New'; font-size: x-small;">Image date and time : 2015-06-11
22:29:32 UTC+0000</span></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: 'Courier New'; font-size: x-small;">Image local date and time : 2015-06-11
18:29:32 -0400</span></div>
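The imageinfo output above, parsed and sanity-checked before a profile is chosen: an added example, not from the original post, that narrows the four suggested profiles by the reported service pack, confirms the UTC and local timestamps describe the same instant, and compares the stamp embedded in the image filename with the kernel's image time. The sample text is the report's output re-typed as a constant; treating the filename stamp as UTC is an assumption.

```python
"""Sanity checks on Volatility 2 imageinfo output before picking a profile.

Added example, not from the original post.  IMAGEINFO_OUTPUT is the
report's output re-typed as a constant.  Assumption: the 'YYYYMMDD-HHMMSS'
stamp in the image filename was written in UTC by the acquisition tool.
"""
import re
from datetime import datetime, timezone

IMAGEINFO_OUTPUT = """\
Determining profile based on KDBG search...

          Suggested Profile(s) : VistaSP1x86, Win2008SP1x86, Win2008SP2x86, VistaSP2x86
                     AS Layer1 : IA32PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/lr/users/mgregory/WIN-CEKM08E74HR-20150611-222930.raw)
                      PAE type : No PAE
                           DTB : 0x122000L
                          KDBG : 0x8190ac98
          Number of Processors : 1
     Image Type (Service Pack) : 2
                KPCR for CPU 0 : 0x8190b800
             KUSER_SHARED_DATA : 0xffdf0000
           Image date and time : 2015-06-11 22:29:32 UTC+0000
     Image local date and time : 2015-06-11 18:29:32 -0400
"""

UTC_FMT = "%Y-%m-%d %H:%M:%S UTC%z"     # "2015-06-11 22:29:32 UTC+0000"
LOCAL_FMT = "%Y-%m-%d %H:%M:%S %z"      # "2015-06-11 18:29:32 -0400"


def parse_imageinfo(text):
    """Collect the 'key : value' lines into a dict, ignoring the progress chatter."""
    info = {}
    for line in text.splitlines():
        if " : " not in line:
            continue
        key, value = line.split(" : ", 1)
        info[key.strip()] = value.strip()
    return info


def candidate_profiles(info):
    """Keep only suggested profiles whose SPn tag matches the detected service pack.

    imageinfo lists every profile with a matching KDBG layout; the service-pack
    field is what separates the SP1 from the SP2 builds in this output."""
    profiles = [p.strip() for p in info["Suggested Profile(s)"].split(",")]
    sp = info.get("Image Type (Service Pack)")
    if sp is None:
        return profiles
    tag = re.compile(r"SP%s(?!\d)" % re.escape(sp))
    return [p for p in profiles if tag.search(p)]


def timestamps_consistent(info):
    """Return (same_instant, utc_offset_seconds) for the two image timestamps.

    A mismatch would mean the guest's time zone or clock cannot be trusted
    when lining up host artifacts with external logs."""
    utc = datetime.strptime(info["Image date and time"], UTC_FMT)
    local = datetime.strptime(info["Image local date and time"], LOCAL_FMT)
    return utc == local, local.utcoffset().total_seconds()


def acquisition_name_skew(info):
    """Seconds between the filename stamp (assumed UTC) and the kernel's image time;
    a large gap suggests the file was renamed or belongs to a different capture."""
    m = re.search(r"(\d{8}-\d{6})\.raw", info["AS Layer2"])
    if m is None:
        return None
    named = datetime.strptime(m.group(1), "%Y%m%d-%H%M%S").replace(tzinfo=timezone.utc)
    utc = datetime.strptime(info["Image date and time"], UTC_FMT)
    return abs((utc - named).total_seconds())


if __name__ == "__main__":
    info = parse_imageinfo(IMAGEINFO_OUTPUT)
    print("candidate profiles:", candidate_profiles(info))
    print("timestamps consistent, offset:", timestamps_consistent(info))
    print("filename vs image time skew (s):", acquisition_name_skew(info))
```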
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<!--[if gte mso 9]><xml>
<w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="false"
DefSemiHidden="false" DefQFormat="false" DefPriority="99"
LatentStyleCount="380">
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark"/>
<w:LsdException Locked="false" Priority="51" Name="Grid Table 6 Colorful"/>
<w:LsdException Locked="false" Priority="52" Name="Grid Table 7 Colorful"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 1"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 1"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 1"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 1"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 1"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 2"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 2"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 2"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 2"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 2"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 3"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 3"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 3"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 3"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 3"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 4"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 4"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 4"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 4"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 4"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 5"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 5"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 5"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 5"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 5"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 6"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 6"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 6"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 6"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 6"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="46" Name="List Table 1 Light"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark"/>
<w:LsdException Locked="false" Priority="51" Name="List Table 6 Colorful"/>
<w:LsdException Locked="false" Priority="52" Name="List Table 7 Colorful"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 1"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 1"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 1"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 1"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 1"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 2"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 2"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 2"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 2"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 2"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 3"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 3"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 3"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 3"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 3"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 4"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 4"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 4"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 4"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 4"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 5"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 5"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 5"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 5"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 5"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 6"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 6"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 6"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 6"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 6"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 6"/>
</w:LatentStyles>
</xml><![endif]-->
</div>
<h3 style="text-align: left;">
<span style="font-family: "Times New Roman"; mso-bidi-font-family: "Times New Roman"; mso-bidi-theme-font: major-bidi;">Attacker
Activity</span></h3>
<div>
<span style="font-family: "Times New Roman"; mso-bidi-font-family: "Times New Roman"; mso-bidi-theme-font: major-bidi;"><br /></span></div>
<div>
<!--[if gte mso 9]><xml>
<w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="false"
DefSemiHidden="false" DefQFormat="false" DefPriority="99"
LatentStyleCount="380">
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 5"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 5"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 5"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 5"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 5"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 5"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 6"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 6"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 6"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 6"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 6"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 6"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 6"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 6"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 6"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 6"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 6"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 6"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 6"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 6"/>
<w:LsdException Locked="false" Priority="19" QFormat="true"
Name="Subtle Emphasis"/>
<w:LsdException Locked="false" Priority="21" QFormat="true"
Name="Intense Emphasis"/>
<w:LsdException Locked="false" Priority="31" QFormat="true"
Name="Subtle Reference"/>
<w:LsdException Locked="false" Priority="32" QFormat="true"
Name="Intense Reference"/>
<w:LsdException Locked="false" Priority="33" QFormat="true" Name="Book Title"/>
<w:LsdException Locked="false" Priority="37" SemiHidden="true"
UnhideWhenUsed="true" Name="Bibliography"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="TOC Heading"/>
<w:LsdException Locked="false" Priority="41" Name="Plain Table 1"/>
<w:LsdException Locked="false" Priority="42" Name="Plain Table 2"/>
<w:LsdException Locked="false" Priority="43" Name="Plain Table 3"/>
<w:LsdException Locked="false" Priority="44" Name="Plain Table 4"/>
<w:LsdException Locked="false" Priority="45" Name="Plain Table 5"/>
<w:LsdException Locked="false" Priority="40" Name="Grid Table Light"/>
<w:LsdException Locked="false" Priority="46" Name="Grid Table 1 Light"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark"/>
<w:LsdException Locked="false" Priority="51" Name="Grid Table 6 Colorful"/>
<w:LsdException Locked="false" Priority="52" Name="Grid Table 7 Colorful"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 1"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 1"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 1"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 1"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 1"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 2"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 2"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 2"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 2"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 2"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 3"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 3"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 3"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 3"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 3"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 4"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 4"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 4"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 4"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 4"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 5"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 5"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 5"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 5"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 5"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 6"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 6"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 6"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 6"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 6"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="46" Name="List Table 1 Light"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark"/>
<w:LsdException Locked="false" Priority="51" Name="List Table 6 Colorful"/>
<w:LsdException Locked="false" Priority="52" Name="List Table 7 Colorful"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 1"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 1"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 1"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 1"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 1"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 2"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 2"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 2"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 2"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 2"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 3"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 3"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 3"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 3"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 3"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 4"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 4"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 4"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 4"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 4"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 5"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 5"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 5"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 5"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 5"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 6"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 6"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 6"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 6"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 6"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 6"/>
</w:LatentStyles>
</xml><![endif]-->
<br />
<h4 style="margin-bottom: 0.0001pt; text-align: left;">
<span class="Heading3Char"><span style="font-family: "Times New Roman"; mso-bidi-font-family: "Times New Roman"; mso-bidi-theme-font: major-bidi;"><b>Initial access</b></span></span></h4>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman';">Based on Apache access logs found in memory strings, the
attacker first accessed the web server on June 8th at 18:08:45 and last
accessed it on June 11<sup>th</sup> at 18:27:51:</span><span style="font-family: 'Courier New';"> </span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<br /></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: "Courier New"; font-size: x-small;">$ grep -C10
"58\.64\.141\.245" strings<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: "Courier New"; font-size: x-small;"><…snip…><o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: "Courier New"; font-size: x-small;">346077722 58.64.141.245 - - [<span style="background: yellow; mso-highlight: yellow;">08/Jun/2015:19:38:12 -0400</span>]
"GET /webfiles/ HTTP/1.1" 404 969<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: "Courier New"; font-size: x-small;"><…snip…><o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: "Courier New"; font-size: x-small;">210019860 58.64.141.245 - - [<span style="background: yellow; mso-highlight: yellow;">11/Jun/2015:18:27:51 -0400</span>]
"GET /webfiles/?sort=1&downfile=C%3A%5Cinetpub%5Cwwwroot%5Csm.gif
HTTP/1.1" 200 97<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: "Courier New";"><span style="font-size: x-small;"><…snip…></span><span style="font-size: 8pt;"><o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman';">However, the attacker may still have accessed the web server
before or after these times: the recovered entries are only the log lines that happened to be
resident in memory, so they may not reflect all logging or system activity.</span><span style="font-family: 'Courier New';"><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman';">It appears the attacker obtained initial access by logging into
a web-facing Apache Tomcat portal with default Tomcat credentials:<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: "Courier New"; font-size: x-small;">525512804 Accept: */*<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: "Courier New"; font-size: x-small;">525512817 Referer:
http://192.168.56.30:8080/webfiles/?sort=1&dir=C%3A%5C<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: "Courier New"; font-size: x-small;">525512882 Accept-Language:
en-us<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: "Courier New"; font-size: x-small;">525512906 User-Agent:
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: "Courier New"; font-size: x-small;">525512983 Accept-Encoding:
gzip, deflate<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: "Courier New"; font-size: x-small;">525513015 Host:
192.168.56.30:8080<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: "Courier New"; font-size: x-small;">525513041 Connection:
Keep-Alive<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: "Courier New"; font-size: x-small;">525513065 Cookie:
JSESSIONID=D4BB0A17D08FE321DF87835231D79824<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: "Courier New"; font-size: x-small;">525513123 \nection:
Keep-Alive<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: "Courier New"; font-size: x-small;">525513145 Cookie:
JSESSIONID=9E2D9B938AD0C27816C03A5CA54F9515<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: "Courier New";"><span style="font-size: x-small;">525513198 Authorization:
Basic <span style="background: yellow; mso-highlight: yellow;">dG9tY2F0OnRvbWNhdA==</span></span><span style="font-size: 8pt;"><o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman';">The highlighted base64-encoded value in the above HTTP Authorization header
decodes to the default Tomcat credentials of </span><span style="font-family: 'Courier New';">tomcat:tomcat</span><span style="font-family: 'Times New Roman';">:<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: "Courier New"; font-size: x-small;">$ echo
"dG9tY2F0OnRvbWNhdA==" | base64 -d<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: "Courier New"; font-size: x-small;">tomcat:tomcat</span></div>
<div style="margin-bottom: 0.0001pt; text-align: left;">
<span class="Heading3Char"><span style="font-family: "Times New Roman"; mso-bidi-font-family: "Times New Roman"; mso-bidi-theme-font: major-bidi;"><b><br /></b></span></span></div>
<h4 style="margin-bottom: 0.0001pt; text-align: left;">
<span class="Heading3Char"><span style="font-family: "Times New Roman"; mso-bidi-font-family: "Times New Roman"; mso-bidi-theme-font: major-bidi;"><b>Web shell uploaded</b></span></span></h4>
<div style="margin-bottom: 0.0001pt; text-align: left;">
<span style="font-family: 'Times New Roman';"><br /></span></div>
<div style="margin-bottom: 0.0001pt; text-align: left;">
<span style="font-family: 'Times New Roman';">Next, the
attacker uploaded a web shell called “jsp File Browser version 1.2”, likely via
the Tomcat interface. Fragments of the web shell are resident in memory as seen
below, where the shell's request parameters, such as "dir", "sort" and "command", can be identified:</span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">$ egrep -i -C20 "jsp
file browser" strings.sorted<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><…snip…><o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">196513988 out.write("\t\t<input
type=\"hidden\" name=\"sort\" value=\"");<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">196514130 out.print(sortMode);<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">196514186 out.write("\">\n");<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">196514240 out.write("\t\t<input
type=\"hidden\" name=\"command\"
value=\"\">\n");<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="background: yellow; font-family: Courier New, Courier, monospace; font-size: xx-small; mso-highlight: yellow;">196514398
out.write("\t\t<input title=\"Launch command in current
directory\" type=\"Submit\" class=\"button\"
id=\"but_Lau\" name=\"Submit\" value=\"");<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span style="background: yellow; font-family: "Courier New"; font-size: 8.0pt; mso-highlight: yellow;">196514700
out.print(LAUNCH_COMMAND);</span><o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><…snip…><o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="background: yellow; font-family: Courier New, Courier, monospace; font-size: xx-small; mso-highlight: yellow;">196515250
out.write("\t\t<small>jsp File Browser version ");<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="background: yellow; font-family: Courier New, Courier, monospace; font-size: xx-small; mso-highlight: yellow;">196515366 out.print(
VERSION_NR);<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span style="background: yellow; font-family: "Courier New"; font-size: 8.0pt; mso-highlight: yellow;">196515428 out.write("
by <a
href=\"http://www.vonloesch.de\">www.vonloesch.de</a></small>\n");</span><o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">196515612
out.write("\t</center>\n");<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">196515682 out.write("</body>\n");<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">196515744 out.write("</html>");<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><…snip…><o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">--<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><…snip…><o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">517899879
<body><center><o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="background: yellow; font-family: Courier New, Courier, monospace; font-size: xx-small; mso-highlight: yellow;">517899894 <h2>(L)aunch external program</h2><br /><o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span style="background: yellow; font-family: "Courier New"; font-size: 8.0pt; mso-highlight: yellow;">517899935 <form action="/webfiles/"
method="Post"></span><o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">517899976 <textarea
name="text" wrap="off" cols="85"
rows="30" readonly><o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">517900040 06:25 PM<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">517900052 </textarea><o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span style="background: yellow; font-family: "Courier New"; font-size: 8.0pt; mso-highlight: yellow;">517900064 <input
type="hidden" name="dir"
value="C:\inetpub\wwwroot"></span><o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">517900125 <br /><br /><o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">517900139 <table class="formular"><o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span style="background: yellow; font-family: "Courier New"; font-size: 8.0pt; mso-highlight: yellow;">517900165 <tr><td
title="Enter your command"></span><o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">517900202 Command: <input size="80"
type="text" name="command" value=""><o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">517900266 </td></tr><o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">517900278 <tr><td><input
class="button" type="Submit" name="Submit"
value="Launch"><o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">517900353 <input type="hidden"
name="sort" value="1"><o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">517900398 <input type="Submit"
class="button" name="Submit"
value="Cancel"></td></tr><o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">517900475 </table><o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">517900485 </form><o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">517900494 <br /><o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">517900502 <hr><o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">517900508 <center><o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span style="background: yellow; font-family: "Courier New"; font-size: 8.0pt; mso-highlight: yellow;">517900518 <small>jsp
File Browser version 1.2 by <a
href="http://www.vonloesch.de">www.vonloesch.de</a></small></span><o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">517900622 </center><o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">517900633 </center><o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">517900644 </body><o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">517900652 </html><o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">517900660 /html><o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="background: yellow; font-family: Courier New, Courier, monospace; font-size: xx-small; mso-highlight: yellow;">517900670 <input
type="file" class="textfield"
onKeypress="event.cancelBubble=true;" name="myFile"><o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="background: yellow; font-family: Courier New, Courier, monospace; font-size: xx-small; mso-highlight: yellow;">517900762 <input
title="Upload selected file to the current working directory"
type="Submit" class="button" name="Submit"
value="Upload"<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="background: yellow; font-family: Courier New, Courier, monospace; font-size: xx-small; mso-highlight: yellow;">517900891 onClick="javascript:popUp('/webfiles/')"><o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="background: yellow; font-family: Courier New, Courier, monospace; font-size: xx-small; mso-highlight: yellow;">517900935 </form><o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="background: yellow; font-family: Courier New, Courier, monospace; font-size: xx-small; mso-highlight: yellow;">517900948 <form
class="formular2" action="/webfiles/"
method="POST"><o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="background: yellow; font-family: Courier New, Courier, monospace; font-size: xx-small; mso-highlight: yellow;">517901011 <input
type="hidden" name="dir" value="C:\Windows"><o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="background: yellow; font-family: Courier New, Courier, monospace; font-size: xx-small; mso-highlight: yellow;">517901065 <input
type="hidden" name="sort" value="1"><o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="background: yellow; font-family: Courier New, Courier, monospace; font-size: xx-small; mso-highlight: yellow;">517901111 <input
type="hidden" name="command" value=""><o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="background: yellow; font-family: Courier New, Courier, monospace; font-size: xx-small; mso-highlight: yellow;">517901159 <input
title="Launch command in current directory" type="Submit"
class="button" id="but_Lau" name="Submit"
value="(L)aunch external program"><o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span style="background: yellow; font-family: "Courier New"; font-size: 8.0pt; mso-highlight: yellow;">517901303 </form></span><o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">517901312 </div> </span><span class="Heading3Char"><span style="font-family: 'Courier New'; font-size: 8pt;"><o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal">
<span style="font-family: 'Times New Roman';">This web shell is available at </span><span style="font-family: 'Times New Roman';">http://www.vonloesch.de/node/31</span><span style="font-family: 'Times New Roman';"> and has a default file name of
“Browser.jsp”; however, the Volatility filescan plugin did not detect this
file, and it was not located in the MFT. As seen below, this file name was
resident in memory as a string that is also found in the web shell downloaded
from the above link, but only in reference to code within the JSP file itself
and not actually designating a file:<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "Times New Roman"; font-size: 10.0pt; mso-bidi-font-family: "Times New Roman"; mso-bidi-theme-font: minor-bidi;"><br /></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: 'Courier New'; font-size: x-small;">$ grep –i
“browser\.jsp” strings.sorted<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: 'Courier New'; font-size: x-small;">61628190 *
@param browserLink web-path to <span style="background: yellow; mso-highlight: yellow;">Browser.jsp</span><o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: 'Courier New'; font-size: x-small;">63058164 //If this dir
also do also not exist, go back to <span style="background: yellow; mso-highlight: yellow;">browser.jsp</span> root path<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: 'Courier New';"><span style="font-size: x-small;"><…snip…></span><span style="font-size: 8pt;"><o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman';">Strings output and the MFT listing show a number of other JSP files in
the </span><span style="font-family: 'Courier New';">Program Files\Apache Software Foundation\Tomcat
7.0\webapps\webfiles\</span><span style="font-family: 'Times New Roman';"> directory; however, none of these files were
resident in memory so they could not be dumped to see if the attacker simply
renamed the web shell. Later HTTP access from the attacker’s IP address to the </span><span style="font-family: 'Courier New';">webfiles</span><span style="font-family: 'Times New Roman';"> directory further indicates this is the
location of his web shell. Pivoting off this directory in strings output and
the MFT identified a Java Web Application Archive (</span><span style="font-family: 'Courier New';">.war</span><span style="font-family: 'Times New Roman';">) being deployed on the server at
approximately 18:07 (22:07 UTC):<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: 'Courier New'; font-size: x-small;">$ grep -i "webfiles" strings.sorted<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: 'Courier New'; font-size: x-small;"><…snip…><o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: 'Courier New'; font-size: x-small;">99623387 INFO: Deploying web application archive C:\Program Files\Apache
Software Foundation\Tomcat 7.0\webapps\webfiles.war<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: 'Courier New'; font-size: x-small;">99623578 INFO: Deployment of web application archive C:\Program
Files\Apache Software Foundation\Tomcat 7.0\webapps\webfiles.war has finished
in 190 ms<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: 'Courier New'; font-size: x-small;"><…snip…><o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-size: x-small;"><br /></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: 'Courier New'; font-size: x-small;">$ grep -i "webfiles" mactimeline.csv<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: 'Courier New'; font-size: x-small;"><…snip…><o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: 'Courier New'; font-size: x-small;">Thu Jun 11 2015 22:07:04,368,macb,---a-----------,0,0,48015,"[MFT
FILE_NAME] Program Files\Apache Software Foundation\Tomcat
7.0\webapps\webfiles.war (Offset: 0x286c00)"<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: 'Courier New'; font-size: x-small;">Thu Jun 11 2015 22:07:04,368,macb,---a-----------,0,0,48015,"[MFT
STD_INFO] Program Files\Apache Software Foundation\Tomcat
7.0\webapps\webfiles.war (Offset: 0x286c00)"<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: 'Courier New';"><span style="font-size: x-small;"><…snip…></span><span style="font-size: 8pt;"><o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman';">Based on this information, it is possible, if not likely, the attacker
deployed the web shell via </span><span style="font-family: 'Courier New';">webfiles.war</span><span style="font-family: 'Times New Roman';">, which in turn was probably uploaded via the Apache Tomcat interface.<o:p></o:p></span></div>
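<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman';">As an added example (not code from this post or from the Browser.jsp project), the following Python script performs the check a responder wants on any Tomcat host at this point: open a WAR, which is just a zip archive, and flag JSP entries that contain the primitives a web shell needs, such as Runtime.exec or ProcessBuilder calls, multipart upload handling, a "dir" form field and the "(L)aunch external program" button seen in the strings output above. The archive it scans is constructed in memory; webfiles.war and Browser.jsp are used only as illustrative names, and the indicator list is the author of this example's choice, not a signature set from any product.</span></div>

```python
"""Triage a Java web application archive (.war) for JSP web shell indicators.

Added example; not code from the original post or from the Browser.jsp project.
A .war is a zip file, so it is opened with zipfile and every JSP-like entry is
scanned for the primitives a web shell needs. The archive scanned in __main__
is constructed in memory; webfiles.war and Browser.jsp are illustrative names.
"""
import io
import re
import zipfile

# (label, pattern). Deliberately loose and case-insensitive so a renamed or
# lightly edited shell still trips them; a hit is a triage lead, not a verdict.
INDICATORS = [
    ("command_exec", re.compile(r"Runtime\.getRuntime\(\)\.exec|new\s+ProcessBuilder", re.I)),
    ("file_upload", re.compile(r"multipart/form-data|type\s*=\s*[\"']file[\"']", re.I)),
    ("launch_program", re.compile(r"L\)?aunch\s+external\s+program", re.I)),
    ("directory_param", re.compile(r"name\s*=\s*[\"']dir[\"']", re.I)),
    ("write_from_request", re.compile(r"FileOutputStream\s*\(\s*request\.getParameter", re.I)),
]
JSP_SUFFIXES = (".jsp", ".jspx", ".jspf")


def scan_jsp_source(text):
    """Return the indicator labels that match one JSP's source text."""
    return [label for label, rx in INDICATORS if rx.search(text)]


def scan_war(war_bytes):
    """Return {entry_name: [labels]} for each JSP-like entry with at least one hit."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for entry in war.infolist():
            if entry.is_dir() or not entry.filename.lower().endswith(JSP_SUFFIXES):
                continue
            text = war.read(entry.filename).decode("utf-8", errors="replace")
            hits = scan_jsp_source(text)
            if hits:
                findings[entry.filename] = hits
    return findings


def build_sample_war():
    """Constructed test archive: one benign JSP, one shell-like JSP, some static content."""
    benign = '<%@ page contentType="text/html" %><html><body>Hello</body></html>'
    shell = (
        '<form class="formular2" action="/webfiles/" method="POST" enctype="multipart/form-data">'
        '<input type="file" name="myFile"><input type="hidden" name="dir" value="">'
        '<input type="Submit" value="(L)aunch external program"></form>'
        '<% String c = request.getParameter("command");'
        '   if (c != null) { Process p = Runtime.getRuntime().exec(c); } %>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr("index.jsp", benign)
        war.writestr("Browser.jsp", shell)
        war.writestr("static/logo.png", b"\x89PNG\r\n\x1a\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, hits in sorted(scan_war(build_sample_war()).items()):
        print(f"{name}: {', '.join(hits)}")
```

<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman';">Run scan_war on the archive itself (the webapps\webfiles.war on disk, or the same file carved from an image); when only the exploded directory remains, feed each .jsp file's contents to scan_jsp_source instead. Matches are leads for manual review, not proof: the patterns are intentionally loose so that a renamed or lightly modified shell still trips them, and legitimate administrative JSPs will occasionally match too.</span></div>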
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<h4 style="margin-bottom: 0.0001pt; text-align: left;">
<span class="Heading3Char"><span style="font-family: "Times New Roman"; mso-bidi-font-family: "Times New Roman"; mso-bidi-theme-font: major-bidi;"><b>Batch file created</b></span></span><span style="font-family: "Times New Roman"; font-size: 10.0pt; mso-bidi-font-family: "Courier New";">.</span></h4>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman';"><br /></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman';">A file
named </span><span style="font-family: 'Courier New';">12.bat</span><span style="font-family: 'Times New Roman';"> was created in </span><span style="font-family: 'Courier New';">C:\Windows</span><span style="font-family: 'Times New Roman';"> on 20150611 at 18:12 (22:12 UTC):<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: "Courier New"; font-size: x-small;">$ grep "12.bat"
mactimeline.csv<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: "Courier New"; font-size: x-small;">Thu Jun 11 2015
22:12:16,288,macb,---a-----------,0,0,47995,"[MFT FILE_NAME]
Windows\12.bat (Offset: 0x11089650)"<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: "Courier New"; font-size: x-small;">Thu Jun 11 2015
22:12:16,360,macb,---a-----------,0,0,47995,"[MFT FILE_NAME]
Windows\12.bat (Offset: 0x11d06c00)"<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: "Courier New"; font-size: x-small;">Thu Jun 11 2015
22:12:16,288,macb,---a-----------,0,0,47995,"[MFT STD_INFO] Windows\12.bat
(Offset: 0x11089650)"<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: "Courier New";"><span style="font-size: x-small;">Thu Jun 11 2015
22:12:16,360,macb,---a-----------,0,0,47995,"[MFT STD_INFO] Windows\12.bat
(Offset: 0x11d06c00)"</span><span style="font-size: 8pt;"><o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman';">The file </span><span style="font-family: 'Courier New';">12.bat</span><span style="font-family: 'Times New Roman';"> was located in memory and executes a command line utility when
executed:<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"># Find 12.bat physical offset
with filescan plugin<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">$ vol.py –f WIN-CEKM08E74HR-20150611-222930.raw
filescan | grep "12.bat"<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><…snip…><o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span style="background: yellow; font-family: "Courier New"; font-size: 8.0pt; mso-highlight: yellow;">0x1ee373f8</span> 8
0 -W-rw- \Device\HarddiskVolume1\Windows\12.bat<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"># Dump 12.bat with dumpfiles
plugin using physical offset<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">$ vol.py -f
WIN-CEKM08E74HR-20150611-222930.raw dumpfiles -Q <span style="background: yellow; mso-highlight: yellow;">0x1ee373f8</span> -D .<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Volatility Foundation
Volatility Framework 2.3.1<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">DataSectionObject
0x1ee373f8 None \Device\HarddiskVolume1\Windows\12.bat<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"># get 12.bat hash<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">$ md5sum
file.None.0x8362e730.dat<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">38f76497a613a14a7600695300e12ce1 file.None.0x8362e730.dat<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"># View contents of 12.bat<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">$ cat
file.None.0x8362e730.dat <o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">@echo off <o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">c:\inetpub\wwwroot\bg.jpg -e
-o c:\inetpub\wwwroot\sm.gif</span><span style="font-family: 'Courier New'; font-size: 8pt;"><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman';">As seen above, the </span><span style="font-family: 'Courier New';">12.bat</span><span style="font-family: 'Times New Roman';"> batch file
executes a file located in the web server’s web-accessible directory named </span><span style="font-family: 'Courier New';">bg.jpg</span><span style="font-family: 'Times New Roman';">, followed by command line parameters </span><span style="font-family: 'Courier New';">–e</span><span style="font-family: 'Times New Roman';"> and </span><span style="font-family: 'Courier New';">–o</span><span style="font-family: 'Times New Roman';">, and finally a path to a file named sm.gif in the same
directory. At one point it looks like the attacker checked for the presence of
this file before later possibly uploading it via a POST:<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: "Courier New"; font-size: x-small;">$ egrep -i -C20
"12\.bat" strings.sorted<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: "Courier New"; font-size: x-small;">9901378 58.64.141.245 - -
[11/Jun/2015:18:12:16 -0400] "GET
/webfiles/?first&uplMonitor=C%3A%5Cfakepath%5C12.bat HTTP/1.1" 200 865</span></div>
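<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman';">The request above is logged in local time (-0400) while the mactime output is in UTC, and lining the two up by hand is how the 12.bat creation was tied to the web shell. The following Python, added here as an example rather than taken from the post, automates that correlation: it parses Tomcat access-log lines and mactime CSV rows, normalises both to UTC, recovers from the uplMonitor parameter the filename the attacker selected in the shell’s upload form (browsers replace the local directory with C:\fakepath\, so only the basename is meaningful) and pairs each such request with MFT birth entries for that basename within a few seconds. The log lines and timeline rows it runs on are constructed for the example; the IP addresses, the Manager deploy request and the MFT offsets are placeholders, not data from the investigation.</span></div>

```python
"""Correlate web-server requests with MFT timeline entries across time zones.

Added example, not from the original post. Tomcat access-log timestamps carry a
local UTC offset (-0400 here) while mactime output is in UTC, so both are
normalised to aware UTC datetimes before comparison. SAMPLE_ACCESS_LOG and
SAMPLE_MACTIME are constructed; the IPs, paths and offsets are placeholders.
"""
import csv
import io
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Common/combined log format as Tomcat's AccessLogValve writes it.
ACCESS_RX = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [11/Jun/2015:18:07:01 -0400] "PUT /manager/text/deploy?path=/webfiles HTTP/1.1" 200 70
203.0.113.7 - - [11/Jun/2015:18:12:16 -0400] "GET /webfiles/?first&uplMonitor=C%3A%5Cfakepath%5C12.bat HTTP/1.1" 200 865
203.0.113.7 - - [11/Jun/2015:18:12:17 -0400] "POST /webfiles/ HTTP/1.1" 200 1200
198.51.100.4 - - [11/Jun/2015:18:30:00 -0400] "GET /index.html HTTP/1.1" 200 512
"""

# mactime CSV: Date,Size,Type,Mode,UID,GID,Meta,File Name (dates already in UTC).
SAMPLE_MACTIME = """\
Thu Jun 11 2015 22:07:04,368,macb,---a-----------,0,0,48015,"[MFT STD_INFO] Program Files\\Apache Software Foundation\\Tomcat 7.0\\webapps\\webfiles.war (Offset: 0x286c00)"
Thu Jun 11 2015 22:12:16,288,macb,---a-----------,0,0,47995,"[MFT STD_INFO] Windows\\12.bat (Offset: 0x11089650)"
Thu Jun 11 2015 22:31:05,13,macb,---a-----------,0,0,40001,"[MFT STD_INFO] Windows\\Temp\\note.txt (Offset: 0x1200000)"
"""


def parse_access_log(text):
    """Parse access-log lines into dicts with the timestamp converted to UTC."""
    events = []
    for line in text.splitlines():
        m = ACCESS_RX.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
        parts = urlsplit(m["url"])
        events.append({"ip": m["ip"], "utc": ts, "method": m["method"], "path": parts.path,
                       "query": parse_qs(parts.query, keep_blank_values=True)})
    return events


def parse_mactime(text):
    """Parse mactime CSV rows; the Date column is taken as UTC, as mactime emits it."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) < 8 or not rec[0]:
            continue
        ts = datetime.strptime(rec[0], "%a %b %d %Y %H:%M:%S").replace(tzinfo=timezone.utc)
        rows.append({"utc": ts, "macb": rec[2], "name": rec[7]})
    return rows


def upload_monitor_filename(event):
    """Basename the client selected in the shell's upload form, or None.
    The browser sends C:\\fakepath\\<name>, so only the basename is real."""
    vals = event["query"].get("uplMonitor")
    if not vals:
        return None
    return vals[0].replace("\\", "/").rsplit("/", 1)[-1]


def correlate(access_text, mactime_text, window_s=5):
    """Pair each request that names an upload with MFT birth (b) entries for a
    file of the same basename created within window_s seconds of the request."""
    events = parse_access_log(access_text)
    rows = parse_mactime(mactime_text)
    matches = []
    for ev in events:
        fname = upload_monitor_filename(ev)
        if fname is None:
            continue
        for row in rows:
            if "b" not in row["macb"]:
                continue
            base = row["name"].split("\\")[-1].split(" (Offset")[0]
            if base.lower() != fname.lower():
                continue
            delta = abs((row["utc"] - ev["utc"]).total_seconds())
            if delta <= window_s:
                matches.append({"ip": ev["ip"], "request_utc": ev["utc"].isoformat(),
                                "file": row["name"], "delta_s": delta})
    return matches


if __name__ == "__main__":
    for hit in correlate(SAMPLE_ACCESS_LOG, SAMPLE_MACTIME):
        print(hit)
```

<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman';">The same normalisation applies to every artifact on this host: the catalina log and access log are local time, the MFT timestamps and Volatility process start times are UTC, and a four-hour mismatch is exactly the kind of error that breaks a timeline. Feed the real strings.sorted hits and mactimeline.csv to correlate() to reproduce the 12.bat pairing above.</span></div>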
<div style="margin-bottom: 0.0001pt; text-align: left;">
<span class="Heading3Char"><span style="font-family: "Times New Roman"; mso-bidi-font-family: "Times New Roman"; mso-bidi-theme-font: major-bidi;"><b><br /></b></span></span></div>
<h4 style="margin-bottom: 0.0001pt; text-align: left;">
<span class="Heading3Char"><span style="font-family: "Times New Roman"; mso-bidi-font-family: "Times New Roman"; mso-bidi-theme-font: major-bidi;"><b>Scheduled task created</b></span></span><span style="font-family: "Times New Roman"; font-size: 10.0pt; mso-bidi-font-family: "Courier New";">.</span></h4>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman';"><br /></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman';">The fact
that </span><span style="font-family: 'Courier New';">bg.jpg</span><span style="font-family: 'Times New Roman';"> was launched as a scheduled task is further indicated by the
fact </span><span style="font-family: 'Courier New';">bg.jpg</span><span style="font-family: 'Times New Roman';"> is a child process of </span><span style="font-family: 'Courier New';">cmd.exe</span><span style="font-family: 'Times New Roman';">, which in
turn is a child process of </span><span style="font-family: 'Courier New';">taskeng.exe</span><span style="font-family: 'Times New Roman';"> (see pstree output
above). The scheduled task (At job) was resident in memory:<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"># the highlighted “0” exit
code indicates the command was successful<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">$ vol.py -f
WIN-CEKM08E74HR-20150611-222930.raw filescan | grep -i "At1.job"<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Volatility Foundation
Volatility Framework 2.3.1<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0x1f297ad8 8
<span style="background: yellow; mso-highlight: yellow;">0</span> -W-r-d
\Device\HarddiskVolume1\Windows\Tasks\At1.job<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">$ vol.py -f
WIN-CEKM08E74HR-20150611-222930.raw dumpfiles -Q 0x1f297ad8 -D .<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Volatility Foundation
Volatility Framework 2.3.1<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">DataSectionObject
0x1f297ad8 None
\Device\HarddiskVolume1\Windows\Tasks\At1.job<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">$ strings -el
file.None.0x8363fd10.dat <o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="background: yellow; font-family: Courier New, Courier, monospace; font-size: xx-small; mso-highlight: yellow;">c:\windows\12.bat<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="background: yellow; font-family: Courier New, Courier, monospace; font-size: xx-small; mso-highlight: yellow;">SYSTEM<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="background: yellow; font-family: Courier New, Courier, monospace; font-size: xx-small; mso-highlight: yellow;">Created by NetScheduleJobAdd.</span><span style="font-family: "Courier New"; font-size: 8.0pt;"><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman';">Strings ouput of </span><span style="font-family: 'Courier New';">At1.job</span><span style="font-family: 'Times New Roman';"> (</span><span style="font-family: 'Courier New';">file.None.0x8363fd10.dat</span><span style="font-family: 'Times New Roman';">) shows that this scheduled task is set to execute the </span><span style="font-family: 'Courier New';">12.bat</span><span style="font-family: 'Times New Roman';"> file with SYSTEM credentials, which in turn executes </span><span style="font-family: 'Courier New';">bg.jpg</span><span style="font-family: 'Times New Roman';"> (WCE). Windows Task Scheduler errored out when trying to open
this At job to view the actual time the job was scheduled to run, although
further metadata could possibly be parsed with a script written to interpret
the file format (I tried Harlan Carvey’s </span><span style="font-family: 'Courier New';">jobparse.pl</span><span style="font-family: 'Times New Roman';"> script, but
that too had errors and was unsuccessful). This shows how the attacker was able
to execute </span><span style="font-family: 'Courier New';">bg.jpg</span><span style="font-family: 'Times New Roman';">. It’s not entirely clear how the attacker was able to run
tasking.exe or at.exe to create the At job in the first place, but it was likely
via system command execution either via the Tomcat interface or the attacker’s
web shell. There were no </span><span style="font-family: 'Courier New';">at.exe</span><span style="font-family: 'Times New Roman';"> command line arguments found.</span><span style="font-family: 'Courier New';"><o:p></o:p></span></div>
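<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman';">Since neither Task Scheduler nor jobparse.pl would open the recovered At1.job, here is an added example (not the post’s code and not jobparse.pl) of a .job parser written from the file layout documented in MS-TSCH: a 68-byte fixed section carrying status, exit code and last run time, followed by counted UTF-16LE strings (application, parameters, working directory, author, comment) and 48-byte trigger records that hold the scheduled run time. It reports exactly where parsing fails, which is what you need when a file carved from memory has zero-filled or missing pages. The sample job it builds is constructed with hypothetical values (the 18:20 run time and the UUID are invented); it mirrors the strings seen above but is not the real At1.job.</span></div>

```python
"""Parse a Windows Task Scheduler 1.0 .job file (the At*.job format).

Added example; not the original post's code and not Harlan Carvey's jobparse.pl.
Offsets follow the .JOB file layout in MS-TSCH: a 68-byte fixed-length header,
then a variable-length section of counted UTF-16LE strings, two counted blobs
and 48-byte trigger records. build_sample_job() constructs hypothetical bytes
for illustration; it is not the At1.job recovered in the investigation.
"""
import struct
import uuid

TRIGGER_TYPES = {0: "ONCE", 1: "DAILY", 2: "WEEKLY", 3: "MONTHLYDATE", 4: "MONTHLYDOW",
                 5: "EVENT_ON_IDLE", 6: "EVENT_AT_SYSTEMSTART", 7: "EVENT_AT_LOGON"}
STATUS = {0x41300: "READY", 0x41301: "RUNNING", 0x41302: "DISABLED", 0x41303: "HAS_NOT_RUN",
          0x41304: "NO_MORE_RUNS", 0x41305: "NOT_SCHEDULED", 0x41306: "TERMINATED"}
FIXED_LEN = 0x44      # size of the fixed-length section
TRIGGER_LEN = 0x30    # size of one trigger record
FIXED_FMT = "<HH16sHHHHHHIIIII8H"                # 68 bytes
TRIGGER_FMT = "<HHHHHHHHHHIIIIHHHHHH"            # 48 bytes


def _read_string(buf, pos):
    """Counted UTF-16LE string: 2-byte char count (NUL included), then the chars."""
    (count,) = struct.unpack_from("<H", buf, pos)
    pos += 2
    raw = buf[pos:pos + count * 2]
    if len(raw) != count * 2:
        raise ValueError("job file truncated inside a string field")
    return raw.decode("utf-16-le").rstrip("\x00"), pos + count * 2


def _read_blob(buf, pos):
    """Counted byte blob (User Data / Reserved Data): 2-byte size, then bytes."""
    (size,) = struct.unpack_from("<H", buf, pos)
    pos += 2
    return buf[pos:pos + size], pos + size


def parse_job(buf):
    """Return a dict with the job's command line, author, status, last run time
    and decoded triggers. Raises ValueError with the failing position on damage."""
    if len(buf) < FIXED_LEN:
        raise ValueError("shorter than the 68-byte fixed-length section")
    (prod_ver, file_ver, uuid_raw, _name_off, trig_off, _retry_cnt, _retry_int, _idle_dl,
     _idle_wait, priority, max_run, exit_code, status, flags,
     y, mo, _dow, d, h, mi, s, ms) = struct.unpack_from(FIXED_FMT, buf, 0)
    job = {
        "product_version": hex(prod_ver), "file_version": file_ver,
        "uuid": str(uuid.UUID(bytes_le=uuid_raw)), "priority": priority,
        "max_run_time_ms": max_run, "exit_code": exit_code,
        "status": STATUS.get(status, hex(status)), "flags": hex(flags),
        # an all-zero SYSTEMTIME means the job has never run
        "last_run": None if y == 0 else f"{y:04d}-{mo:02d}-{d:02d} {h:02d}:{mi:02d}:{s:02d}.{ms:03d}",
    }
    pos = FIXED_LEN
    (job["running_instances"],) = struct.unpack_from("<H", buf, pos)
    pos += 2
    for field in ("application", "parameters", "working_directory", "author", "comment"):
        job[field], pos = _read_string(buf, pos)
    _user_data, pos = _read_blob(buf, pos)
    _reserved, pos = _read_blob(buf, pos)
    if pos != trig_off:   # header's trigger offset must agree with what we walked
        raise ValueError(f"trigger section expected at {trig_off:#x}, reached {pos:#x}")
    (count,) = struct.unpack_from("<H", buf, pos)
    pos += 2
    triggers = []
    for _ in range(count):
        rec = buf[pos:pos + TRIGGER_LEN]
        if len(rec) != TRIGGER_LEN:
            raise ValueError("job file truncated inside the trigger table")
        (size, _r1, by, bm, bd, ey, em, ed, sh, smin, dur, interval, tflags, ttype,
         _s0, _s1, _s2, _pad, _r2, _r3) = struct.unpack(TRIGGER_FMT, rec)
        if size != TRIGGER_LEN:
            raise ValueError(f"unexpected trigger size {size:#x} at {pos:#x}")
        triggers.append({"type": TRIGGER_TYPES.get(ttype, str(ttype)),
                         "begin": f"{by:04d}-{bm:02d}-{bd:02d}",
                         "end": None if ey == 0 else f"{ey:04d}-{em:02d}-{ed:02d}",
                         "start_time": f"{sh:02d}:{smin:02d}", "duration_min": dur,
                         "interval_min": interval, "flags": hex(tflags)})
        pos += TRIGGER_LEN
    job["triggers"] = triggers
    return job


def _counted_string(text):
    if not text:
        return struct.pack("<H", 0)
    data = (text + "\x00").encode("utf-16-le")
    return struct.pack("<H", len(data) // 2) + data


def build_sample_job():
    """Constructed sample with hypothetical values, laid out like an at.exe job:
    run c:\\windows\\12.bat once at 18:20 on 2015-06-11, not yet run."""
    var = struct.pack("<H", 0)   # running instance count
    for text in ("c:\\windows\\12.bat", "", "", "SYSTEM", "Created by NetScheduleJobAdd."):
        var += _counted_string(text)
    var += struct.pack("<H", 0)              # user data: empty
    var += struct.pack("<H", 8) + bytes(8)   # reserved data: 8 zero bytes
    trig_off = FIXED_LEN + len(var)
    trigger = struct.pack(TRIGGER_FMT, TRIGGER_LEN, 0, 2015, 6, 11, 0, 0, 0, 18, 20,
                          0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
    var += struct.pack("<H", 1) + trigger
    fixed = struct.pack(FIXED_FMT, 0x0601, 1,
                        uuid.UUID("12345678-1234-5678-1234-567812345678").bytes_le,
                        FIXED_LEN + 2, trig_off, 0, 0, 0, 0,
                        0x20, 259200000, 0, 0x41303, 0,
                        0, 0, 0, 0, 0, 0, 0, 0)
    body = fixed + var
    # files dumped from memory are often zero-padded to a page boundary; mimic that
    return body + bytes(4096 - len(body) % 4096)


if __name__ == "__main__":
    for k, v in parse_job(build_sample_job()).items():
        print(f"{k}: {v}")
```

<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman';">On the dumped file, <span style="font-family: 'Courier New';">parse_job(open("file.None.0x8363fd10.dat", "rb").read())</span> returns the fields; for an at.exe job the ONCE trigger’s begin date and start_time give the scheduled run (in the host’s local time), and status together with last_run shows whether the task had fired by the time of the capture. If it raises, the position in the message tells you which part of the file the memory capture did not preserve.</span></div>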
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="font-family: 'Times New Roman'; line-height: 115%;">The Windows Task Scheduler log (</span><span style="font-family: 'Courier New'; line-height: 115%;">Schedlgu.txt</span><span style="font-family: 'Times New Roman'; line-height: 115%;">) was also resident in memory; however, it
contained no record of executing </span><span style="font-family: 'Courier New'; line-height: 115%;">12.bat</span><span style="font-family: 'Times New Roman'; line-height: 115%;"> or </span><span style="font-family: 'Courier New'; line-height: 115%;">bg.jpg</span><span style="font-family: 'Times New Roman'; line-height: 115%;">:<span style="font-size: 10pt;"><o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in;">
<br /></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">$ vol.py -f
WIN-CEKM08E74HR-20150611-222930.raw filescan | grep -i "schedlgu.txt"<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Volatility Foundation
Volatility Framework 2.3.1<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0x1f22da78 10
1 RW-r-- \Device\HarddiskVolume1\Windows\Tasks\SCHEDLGU.TXT<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">$ vol.py -f
WIN-CEKM08E74HR-20150611-222930.raw dumpfiles -Q 0x1f22da78 -D .<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Volatility Foundation
Volatility Framework 2.3.1<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">DataSectionObject
0x1f22da78 None \Device\HarddiskVolume1\Windows\Tasks\SCHEDLGU.TXT<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">SharedCacheMap
0x1f22da78 None
\Device\HarddiskVolume1\Windows\Tasks\SCHEDLGU.TXT<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">$ cat
file.None.0x8322d7e0.dat | grep -i "bg\.jpg|12\.bat"<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><no_output></span></div>
<div style="margin-bottom: 0.0001pt; text-align: left;">
<span class="Heading3Char"><span style="font-family: "Times New Roman"; mso-bidi-font-family: "Times New Roman"; mso-bidi-theme-font: major-bidi;"><b><br /></b></span></span></div>
<h4 style="margin-bottom: 0.0001pt; text-align: left;">
<span class="Heading3Char"><span style="font-family: "Times New Roman"; mso-bidi-font-family: "Times New Roman"; mso-bidi-theme-font: major-bidi;"><b>Credentials dumped</b></span></span><span style="font-family: "Times New Roman"; font-size: 10.0pt; mso-bidi-font-family: "Courier New";">.</span></h4>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman';"><br /></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman';">The file </span><span style="font-family: 'Courier New';">bg.jpg</span><span style="font-family: 'Times New Roman';"> is a running process based on </span><span style="font-family: 'Courier New';">pstree</span><span style="font-family: 'Times New Roman';"> output. It
was executed with the same command line arguments found in </span><span style="font-family: 'Courier New';">12.bat</span><span style="font-family: 'Times New Roman';">:<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: "Courier New"; font-size: x-small;">$ vol.py -f
WIN-CEKM08E74HR-20150611-222930.raw pstree -v | grep -C10 bg\.jpg<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: "Courier New"; font-size: x-small;"><---snip---><o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: "Courier New"; font-size: x-small;">..... 0x8362fca0:bg.jpg 3580 3572
1 61 2015-06-11 22:25:00
UTC+0000<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: "Courier New"; font-size: x-small;"> audit:
\Device\HarddiskVolume1\inetpub\wwwroot\bg.jpg<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: "Courier New"; font-size: x-small;"> <span style="background: yellow; mso-highlight: yellow;">cmd: c:\inetpub\wwwroot\bg.jpg -e -o c:\inetpub\wwwroot\sm.gif</span><o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: "Courier New"; font-size: x-small;"> path: c:\inetpub\wwwroot\bg.jpg<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Courier New';">bg.jpg</span><span style="font-family: 'Times New Roman';"> was also located in memory and is actually the Windows
Credential Editor (WCE) tool:<span style="font-size: 10pt;"><o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"># find bg.jpg physical offset<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">$ vol.py -f
WIN-CEKM08E74HR-20150611-222930.raw filescan | grep "bg.jpg"<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Volatility Foundation
Volatility Framework 2.3.1<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0x1ede1ba0 8
0 -W-rw- \Device\HarddiskVolume1\inetpub\wwwroot\bg.jpg<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span style="background: yellow; font-family: "Courier New"; font-size: 8.0pt; mso-highlight: yellow;">0x1f2dc170</span> 7
0 R--r-d \Device\HarddiskVolume1\inetpub\wwwroot\bg.jpg<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"># dump bg.jpg using physical
offset<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">$ vol.py -f
WIN-CEKM08E74HR-20150611-222930.raw dumpfiles -Q 0x1f2dc170 -D .<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Volatility Foundation
Volatility Framework 2.3.1<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">ImageSectionObject
0x1f2dc170 None
\Device\HarddiskVolume1\inetpub\wwwroot\bg.jpg<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">DataSectionObject
0x1f2dc170 None
\Device\HarddiskVolume1\inetpub\wwwroot\bg.jpg<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"># verify file type<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">$ file file.None.0x8362fb20.img
<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">file.None.0x8362fb20.img:
PE32 executable (console) Intel 80386, for MS Windows<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"># get md5 hash of file<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">$ md5sum
file.None.0x8362fb20.img <o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0bfb070177356c0905f013416aba1af1 file.None.0x8362fb20.img<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"># strings in file indicate
this is the WCE tool<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">$ strings file.None.0x8362fb20.img<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><…snip…><o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">%.2X<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">something terrible happened!
could not allocate memory for new list!<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span style="background: yellow; font-family: 'Courier New'; font-size: 8.0pt; mso-highlight: yellow;">WCE %s (Windows Credentials Editor) - (c) 2010,2011,2012 Amplia
Security - by Hernan Ochoa (hernan@ampliasecurity.com)</span><o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Use -h for help.<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Options: <o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> <span style="background: yellow; mso-highlight: yellow;">-l
List logon sessions and NTLM credentials (default).</span><o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> Optional: -r<refresh
interval>.<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> -s Changes NTLM credentials of
current logon session.<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> Parameters:
<UserName>:<DomainName>:<LMHash>:<NTHash>.<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> <span style="background: yellow; mso-highlight: yellow;">-o
saves all output to a file.</span><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Courier New';">bg.jpg</span><span style="font-family: 'Times New Roman';"> can also be seen in the running processes:<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">$ vol.py -f WIN-CEKM08E74HR-20150611-222930.raw
pstree<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.
0x83139650:services.exe
596 520
6 234 2015-06-11 22:05:29
UTC+0000<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><---snip---><o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">..
0x831bb8b8:svchost.exe 876 596
7 244 2015-06-11 22:05:39 UTC+0000<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">..
0x831e5820:svchost.exe 1012 596
30 781 2015-06-11 22:05:40
UTC+0000<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">...
0x82a3f530:taskeng.exe
2448 1012 9
226 2015-06-11 22:27:17 UTC+0000<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">...
0x83116ad8:wuauclt.exe
3360 1012 2
142 2015-06-11 22:27:32 UTC+0000<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">... 0x835913b8:taskeng.exe 2032 1012
6 141 2015-06-11 22:05:59
UTC+0000<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">.... 0x830e9d90:cmd.exe 3572 2032
1 17 2015-06-11 22:25:00 UTC+0000<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="background: yellow; font-family: Courier New, Courier, monospace; font-size: xx-small; mso-highlight: yellow;">..... 0x8362fca0:bg.jpg 3580
3572 1 61 2015-06-11 22:25:00 UTC+0000</span><span style="font-family: 'Courier New'; font-size: 8.0pt;"><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman';">Although it is apparent based on strings and command line
parameters that the file </span><span style="font-family: 'Courier New';">bg.jpg</span><span style="font-family: 'Times New Roman';"> is the WCE tool, the file’s md5 hash was not found in
VirusTotal or via a Google search. Based on the WCE documentation, the command
line options used to execute </span><span style="font-family: 'Courier New';">bg.jpg</span><span style="font-family: 'Times New Roman';"> were to continuously dump NTLM credentials
(</span><span style="font-family: 'Courier New';">-e</span><span style="font-family: 'Times New Roman';"> option) and to save the dump file to </span><span style="font-family: 'Courier New';">c:\inetpub\wwwroot\sm.gif</span><span style="font-family: 'Times New Roman';"> (</span><span style="font-family: 'Courier New';">-o</span><span style="font-family: 'Times New Roman';"> option).</span></div>
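As an added example that is not part of the original post, the extension-versus-header check that <code>file</code> performed above, written in Python: it validates the DOS/PE header through <code>e_lfanew</code> rather than trusting the first two bytes, looks for the WCE banner the <code>strings</code> output exposed, and reports the md5 an analyst would look up next. The web-root contents and the minimal PE header are constructed for the demonstration.

```python
import hashlib
import os
import struct

# Magic bytes a file carrying one of these image extensions should start with.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}

# Banner fragment the post recovered with strings; a cheap tool-specific indicator.
WCE_BANNER = b"Windows Credentials Editor"


def is_pe(data):
    """True if data starts with a DOS 'MZ' stub whose e_lfanew field (offset 0x3C)
    points at a 'PE\\0\\0' signature, i.e. it is a Windows executable."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(name, data):
    """Compare the magic the extension promises with the real header.
    Returns (verdict, detail) where verdict is 'ok', 'mismatch' or 'unknown'."""
    ext = os.path.splitext(name.lower())[1]
    expected = IMAGE_MAGIC.get(ext)
    if expected is None:
        return "unknown", "no image signature known for %r" % ext
    if any(data.startswith(sig) for sig in expected):
        return "ok", "header matches %s" % ext
    if is_pe(data):
        detail = "PE executable stored under an image extension"
        if WCE_BANNER in data:
            detail += " (contains the WCE banner)"
        return "mismatch", detail
    return "mismatch", "header does not match %s" % ext


def sweep(files):
    """files: {name: bytes}. One finding per file whose header disagrees with its
    extension, together with the md5 the analyst would submit to VirusTotal."""
    findings = []
    for name, data in sorted(files.items()):
        verdict, detail = classify(name, data)
        if verdict == "mismatch":
            findings.append({"name": name, "detail": detail, "size": len(data),
                             "md5": hashlib.md5(data).hexdigest()})
    return findings


def build_fake_pe(tail=b""):
    """Constructed minimal MZ/PE header for the demonstration; not a runnable program."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)      # e_lfanew -> 0x40
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr) + tail


# Constructed web-root contents modelled on the post: a genuine JPEG header, a PE
# masquerading as bg.jpg, and a text credential dump stored as sm.gif.
SAMPLE_WEBROOT = {
    "logo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64,
    "bg.jpg": build_fake_pe(b"WCE %s (Windows Credentials Editor) - (c) 2010,2011,2012\x00"),
    "sm.gif": b"user:HOST:LMHASH_PLACEHOLDER:NTHASH_PLACEHOLDER\r\n",
    "index.html": b"<html></html>",
}

if __name__ == "__main__":
    for f in sweep(SAMPLE_WEBROOT):
        print("%(name)s  %(md5)s  %(detail)s" % f)
```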
<div style="margin-bottom: 0.0001pt; text-align: left;">
<span class="Heading3Char"><span style="font-family: 'Times New Roman'; mso-bidi-font-family: 'Times New Roman'; mso-bidi-theme-font: major-bidi;"><b><br /></b></span></span></div>
<h4 style="margin-bottom: 0.0001pt; text-align: left;">
<span class="Heading3Char"><span style="font-family: 'Times New Roman'; mso-bidi-font-family: 'Times New Roman'; mso-bidi-theme-font: major-bidi;"><b>Dumped credentials retrieved</b></span></span><span style="font-family: 'Times New Roman'; font-size: 10.0pt; mso-bidi-font-family: 'Courier New';">.</span></h4>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman';"><br /></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman';">The
attacker connected to the web server from IP address </span><span style="font-family: 'Courier New';">58.64.141.245 </span><span style="font-family: 'Times New Roman';">and retrieved the dumped credentials (</span><span style="font-family: 'Courier New';">sm.gif</span><span style="font-family: 'Times New Roman';">) via a GET request, as shown in the below Apache log:<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: 'Courier New'; font-size: x-small;">210018644 58.64.141.245 - -
[11/Jun/2015:18:27:51 -0400] "GET /webfiles/?sort=1&<span style="background: yellow; mso-highlight: yellow;">downfile=C%3A%5Cinetpub%5Cwwwroot%5Csm.gif</span>
HTTP/1.1" 200<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman';">Based on the MFT, the first and only access of the file </span><span style="font-family: 'Courier New';">bg.jpg</span><span style="font-family: 'Times New Roman';"> occurred on 20150611 at 18:09 (22:09 UTC):<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">$ egrep -i -C10
"bg.jpg" mactimeline.csv<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><…snip…><o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Thu Jun 11 2015
22:09:26,360,macb,---a-----------,0,0,48038,"[MFT FILE_NAME]
inetpub\wwwroot\bg.jpg (Offset: 0x136fa800)"<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Thu Jun 11 2015
22:09:26,360,macb,---a-----------,0,0,48038,"[MFT FILE_NAME]
inetpub\wwwroot\bg.jpg (Offset: 0x1ef2d800)"<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Thu Jun 11 2015
22:09:26,360,macb,---a-----------,0,0,48038,"[MFT STD_INFO]
inetpub\wwwroot\bg.jpg (Offset: 0x136fa800)"<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span style="background: yellow; font-family: 'Courier New'; font-size: 8.0pt; mso-highlight: yellow;">Thu Jun 11 2015 22:09:26,360,macb,---a-----------,0,0,48038,"[MFT
STD_INFO] inetpub\wwwroot\bg.jpg (Offset: 0x1ef2d800)"</span><o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Thu Jun 11 2015
22:09:55,344,m.c.,---a-----------,0,0,30461,"[MFT STD_INFO]
Windows\System32\spool\spooler.xml (Offset: 0x2d66400)"<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><…snip…></span><span style="font-family: 'Courier New'; font-size: 8pt;"><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: 'Times New Roman';">This correlates with the Apache logs, which show the file being accessed at
18:09: it appears to have been uploaded via a POST request to </span><span style="font-family: 'Courier New';">/webfiles</span><span style="font-family: 'Times New Roman';">, followed immediately by a download via a GET request, likely to
verify that the upload succeeded, which the 200 response code indicates it did:<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">$ egrep -i -C20
"GET|POST" strings.sorted | egrep -i -C10 "bg.jpg"<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">9900047 58.64.141.245 - -
[11/Jun/2015:18:08:41 -0400] "GET /webfiles/?Javascript HTTP/1.1" 200
3714<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">9900141 58.64.141.245 - -
[11/Jun/2015:18:08:45 -0400] "GET /webfiles/?sort=1&dir=C%3A%5Cinetpub
HTTP/1.1" 200 8270<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">9900250 58.64.141.245 - -
[11/Jun/2015:18:08:45 -0400] "GET /webfiles/?Javascript HTTP/1.1" 200
3714<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">9900344 58.64.141.245 - -
[11/Jun/2015:18:08:50 -0400] "GET
/webfiles/?sort=1&dir=C%3A%5Cinetpub%5Cwwwroot HTTP/1.1" 200 8098<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">9900463 58.64.141.245 - -
[11/Jun/2015:18:08:50 -0400] "GET /webfiles/?Javascript HTTP/1.1" 200
3714<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span style="background: yellow; font-family: 'Courier New'; font-size: 8.0pt; mso-highlight: yellow;">9900557 58.64.141.245 - - [11/Jun/2015:18:09:26 -0400] "GET
/webfiles/?first&uplMonitor=C%3A%5Cfakepath%5Cbg.jpg HTTP/1.1" 200 865</span><o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span style="background: yellow; font-family: 'Courier New'; font-size: 8.0pt; mso-highlight: yellow;">9900681 58.64.141.245 - - [11/Jun/2015:18:09:26 -0400] "POST
/webfiles/ HTTP/1.1" 200 8973</span><o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">9900765 58.64.141.245 - -
[11/Jun/2015:18:09:26 -0400] "GET /webfiles/?Javascript HTTP/1.1" 200
3714<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">9900859 58.64.141.245 - -
[11/Jun/2015:18:09:28 -0400] "GET
/webfiles/?uplMonitor=C%3A%5Cfakepath%5Cbg.jpg HTTP/1.1" 200 574<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">9900977 58.64.141.245 - -
[11/Jun/2015:18:11:59 -0400] "GET /webfiles/?sort=1&dir=C%3A%5C
HTTP/1.1" 200 13384<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">9901080 58.64.141.245 - -
[11/Jun/2015:18:11:59 -0400] "GET /webfiles/?Javascript HTTP/1.1" 200
3714<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">9901174 58.64.141.245 - -
[11/Jun/2015:18:12:01 -0400] "GET /webfiles/?sort=1&dir=C%3A%5CWindows
HTTP/1.1" 200 48086<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">9901284 58.64.141.245 - -
[11/Jun/2015:18:12:01 -0400] "GET /webfiles/?Javascript HTTP/1.1" 200
3714<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">9901378 58.64.141.245 - -
[11/Jun/2015:18:12:16 -0400] "GET /webfiles/?first&uplMonitor=C%3A%5Cfakepath%5C12.bat
HTTP/1.1" 200 865<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">9901502 58.64.141.245 - -
[11/Jun/2015:18:12:16 -0400] "POST /webfiles/ HTTP/1.1" 200 48896<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">9901587 58.64.141.245 - -
[11/Jun/2015:18:12:16 -0400] "GET /webfiles/?Javascript HTTP/1.1" 200
3714<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">9901681 58.64.141.245 - -
[11/Jun/2015:18:12:18 -0400] "GET
/webfiles/?uplMonitor=C%3A%5Cfakepath%5C12.bat HTTP/1.1" 200 574<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">9901799 58.64.141.245 - -
[11/Jun/2015:18:12:42 -0400] "POST /webfiles/ HTTP/1.1" 200 2245<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">9901883 58.64.141.245 - -
[11/Jun/2015:18:13:16 -0400] "POST /webfiles/ HTTP/1.1" 200 2278</span></div>
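As an added example that is not part of the original write-up, the correlation done by hand above in Python: the Apache lines (still carrying the offset prefix that <code>strings</code> left on them) are normalised from -0400 to UTC, an <code>uplMonitor</code> GET followed by a POST is treated as one upload, <code>downfile</code> GETs as retrievals, and each upload is matched against the MFT birth time of the same basename. The sample lines are constructed from the listings above; the <code>12.bat</code> MFT row is invented so the second upload has something to match.

```python
import csv
import io
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines modelled on the post's listings, not the original evidence.
# The leading integer is the offset prefix the strings extraction left on each line;
# the bracketed timestamps carry the web server's -0400 offset.
APACHE_LINES = r'''
9900344 58.64.141.245 - - [11/Jun/2015:18:08:50 -0400] "GET /webfiles/?sort=1&dir=C%3A%5Cinetpub%5Cwwwroot HTTP/1.1" 200 8098
9900557 58.64.141.245 - - [11/Jun/2015:18:09:26 -0400] "GET /webfiles/?first&uplMonitor=C%3A%5Cfakepath%5Cbg.jpg HTTP/1.1" 200 865
9900681 58.64.141.245 - - [11/Jun/2015:18:09:26 -0400] "POST /webfiles/ HTTP/1.1" 200 8973
9900765 58.64.141.245 - - [11/Jun/2015:18:09:26 -0400] "GET /webfiles/?Javascript HTTP/1.1" 200 3714
9900859 58.64.141.245 - - [11/Jun/2015:18:09:28 -0400] "GET /webfiles/?uplMonitor=C%3A%5Cfakepath%5Cbg.jpg HTTP/1.1" 200 574
9901378 58.64.141.245 - - [11/Jun/2015:18:12:16 -0400] "GET /webfiles/?first&uplMonitor=C%3A%5Cfakepath%5C12.bat HTTP/1.1" 200 865
9901502 58.64.141.245 - - [11/Jun/2015:18:12:16 -0400] "POST /webfiles/ HTTP/1.1" 200 48896
210018644 58.64.141.245 - - [11/Jun/2015:18:27:51 -0400] "GET /webfiles/?sort=1&downfile=C%3A%5Cinetpub%5Cwwwroot%5Csm.gif HTTP/1.1" 200
'''

# Constructed mactime rows in the format shown above (MFT times are already UTC);
# the 12.bat row is invented so the second upload has something to match.
MACTIME_CSV = r'''
Thu Jun 11 2015 22:09:26,360,macb,---a-----------,0,0,48038,"[MFT STD_INFO] inetpub\wwwroot\bg.jpg (Offset: 0x1ef2d800)"
Thu Jun 11 2015 22:09:55,344,m.c.,---a-----------,0,0,30461,"[MFT STD_INFO] Windows\System32\spool\spooler.xml (Offset: 0x2d66400)"
Thu Jun 11 2015 22:12:16,1200,macb,---a-----------,0,0,48040,"[MFT STD_INFO] inetpub\wwwroot\12.bat (Offset: 0x1ef2e000)"
'''

APACHE_RE = re.compile(
    r'^(?:\d+\s+)?(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})(?: \S+)?\s*$')


def parse_apache(text):
    """One dict per log line, with the timestamp normalised to UTC and the query
    string percent-decoded (C%3A%5Cfakepath%5Cbg.jpg -> C:\\fakepath\\bg.jpg)."""
    events = []
    for line in text.splitlines():
        m = APACHE_RE.match(line)
        if not m:
            continue
        utc = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
        parts = urlsplit(m["target"])
        query = {k: v[0] for k, v in parse_qs(parts.query).items()}
        events.append({"utc": utc, "ip": m["ip"], "method": m["method"],
                       "path": parts.path, "query": query, "status": int(m["status"])})
    return events


def find_uploads(events, window_s=2):
    """An uplMonitor=<path> GET followed by a POST to the same script within window_s
    seconds is one upload; a later uplMonitor GET with no POST behind it is a progress
    poll and is dropped. Browsers report file inputs as C:\\fakepath\\<name>, so only
    the basename of the reported path means anything."""
    uploads = []
    for i, ev in enumerate(events):
        reported = ev["query"].get("uplMonitor")
        if ev["method"] != "GET" or not reported:
            continue
        post = next((p for p in events[i + 1:]
                     if p["method"] == "POST" and p["path"] == ev["path"]
                     and 0 <= (p["utc"] - ev["utc"]).total_seconds() <= window_s), None)
        if post is None:
            continue
        uploads.append({"name": reported.replace("\\", "/").rsplit("/", 1)[-1],
                        "utc": ev["utc"], "ip": ev["ip"], "post_status": post["status"]})
    return uploads


def find_downloads(events):
    """downfile=<absolute path> GETs are the file manager reading a server-side file back."""
    return [{"path": ev["query"]["downfile"], "utc": ev["utc"], "ip": ev["ip"]}
            for ev in events if ev["method"] == "GET" and "downfile" in ev["query"]]


def parse_mactime(text):
    """mactime body rows: date,size,macb,perms,uid,gid,inode,name; the name field reads
    '[MFT <attr>] <path> (Offset: ...)', of which the attribute and path are kept."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) < 8:
            continue
        m = re.match(r"\[MFT (\w+)\]\s+(\S+)", rec[7])
        rows.append({"utc": datetime.strptime(rec[0], "%a %b %d %Y %H:%M:%S").replace(tzinfo=timezone.utc),
                     "macb": rec[2], "attr": m.group(1) if m else "", "path": m.group(2) if m else rec[7]})
    return rows


def correlate(apache_text, mactime_text, window_s=5):
    """Pair each web upload with an MFT entry of the same basename that was born
    (the 'b' in macb) within window_s seconds, once both clocks are in UTC."""
    events, rows = parse_apache(apache_text), parse_mactime(mactime_text)
    matches = []
    for up in find_uploads(events):
        for row in rows:
            if "b" in row["macb"] and row["path"].lower().endswith("\\" + up["name"].lower()):
                delta = abs((row["utc"] - up["utc"]).total_seconds())
                if delta <= window_s:
                    matches.append({"name": up["name"], "web_utc": up["utc"].isoformat(),
                                    "mft_utc": row["utc"].isoformat(), "delta_s": delta,
                                    "mft_path": row["path"]})
    return matches
```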
<div style="margin-bottom: 0.0001pt; text-align: left;">
<span class="Heading3Char"><span style="font-family: 'Times New Roman'; mso-bidi-font-family: 'Courier New';"><b><br /></b></span></span></div>
<h4 style="margin-bottom: 0.0001pt; text-align: left;">
<span class="Heading3Char"><span style="font-family: 'Times New Roman'; mso-bidi-font-family: 'Courier New';"><b>Windows event logs</b></span></span>.</h4>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="font-family: 'Times New Roman'; line-height: 115%;"><br /></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="font-family: 'Times New Roman'; line-height: 115%;">I was able to extract and open the Windows
Security event log (*.evtx) from the memory image, but analysis of this log is
not included here. The Windows Application and System event logs extracted from
the memory image were corrupted, and Windows Event Viewer could not open them (I didn't attempt to parse them with any other tools, such as log2timeline).</span></div>
<div style="text-align: left;">
<span class="Heading3Char"><span style="font-family: 'Times New Roman'; mso-bidi-font-family: 'Times New Roman'; mso-bidi-theme-font: major-bidi;"><b><br /></b></span></span></div>
<h4 style="text-align: left;">
<span class="Heading3Char"><span style="font-family: 'Times New Roman'; mso-bidi-font-family: 'Times New Roman'; mso-bidi-theme-font: major-bidi;"><b>Lateral movement</b></span></span><span style="font-family: 'Times New Roman'; font-size: 10.0pt; line-height: 115%; mso-bidi-font-family: 'Times New Roman'; mso-bidi-theme-font: minor-bidi;">.</span></h4>
<div class="MsoNormal">
<span style="font-family: 'Times New Roman'; line-height: 115%;">No other internal or external
connections were identified; therefore, no lateral movement is believed to have
occurred. The following is the complete Volatility </span><span style="font-family: 'Courier New'; line-height: 115%;">netscan</span><span style="font-family: 'Times New Roman'; line-height: 115%;"> plugin
output; apart from listening sockets, the only connection to a foreign address it records is the one from the attacker’s external IP address:<span style="font-size: 10pt;"><o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="font-family: 'Times New Roman'; font-size: 10.0pt; line-height: 115%; mso-bidi-font-family: 'Times New Roman'; mso-bidi-theme-font: minor-bidi;"><br /></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">$ vol.py -f
WIN-CEKM08E74HR-20150611-222930.raw netscan<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">Volatility Foundation Volatility Framework
2.3.1<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">Offset(P) Proto
Local Address
Foreign Address State Pid Owner Created<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1ed95048 TCPv4 0.0.0.0:445 0.0.0.0:0 LISTENING 4
System <o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1ed95048 TCPv6 :::445 :::0 LISTENING 4
System <o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1edd4848 TCPv4 0.0.0.0:49157 0.0.0.0:0 LISTENING 596
services.exe <o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1edd4848 TCPv6 :::49157
:::0 LISTENING 596
services.exe <o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1edd7498 TCPv4 0.0.0.0:49157 0.0.0.0:0 LISTENING 596
services.exe <o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1ede2638 TCPv4 0.0.0.0:8009 0.0.0.0:0 LISTENING 1728
Tomcat7.exe <o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1ede2638 TCPv6 :::8009 :::0 LISTENING 1728
Tomcat7.exe <o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1ede2f60 TCPv4 0.0.0.0:8080 0.0.0.0:0 LISTENING 1728
Tomcat7.exe <o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1ede2f60 TCPv6 :::8080 :::0 LISTENING 1728
Tomcat7.exe <o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1edf2f60 TCPv4 127.0.0.1:8005 0.0.0.0:0 LISTENING 1728
Tomcat7.exe <o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1f0db3d0 TCPv4 192.168.56.30:139 0.0.0.0:0 LISTENING 4
System <o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1f1c0158 TCPv4 0.0.0.0:135 0.0.0.0:0 LISTENING 876
svchost.exe <o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1f1c0158 TCPv6 :::135
:::0 LISTENING 876
svchost.exe <o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1f1c0e70 TCPv4 0.0.0.0:135 0.0.0.0:0 LISTENING 876
svchost.exe <o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1f1c43a0 TCPv4 0.0.0.0:49152 0.0.0.0:0 LISTENING 520
wininit.exe <o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1f1c43a0 TCPv6 :::49152 :::0 LISTENING 520
wininit.exe <o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1f1c5008 TCPv4 0.0.0.0:49152 0.0.0.0:0 LISTENING 520
wininit.exe <o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1f1df188 TCPv4 0.0.0.0:49153 0.0.0.0:0 LISTENING 968
svchost.exe <o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1f1e2eb8 TCPv4 0.0.0.0:49153 0.0.0.0:0 LISTENING 968
svchost.exe <o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1f1e2eb8 TCPv6 :::49153 :::0 LISTENING 968
svchost.exe <o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1f22d738 TCPv4 0.0.0.0:49154 0.0.0.0:0 LISTENING 1012
svchost.exe <o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1f22e470 TCPv4 0.0.0.0:49154 0.0.0.0:0 LISTENING 1012
svchost.exe <o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1f22e470 TCPv6 :::49154 :::0 LISTENING 1012
svchost.exe <o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1f2905b0 TCPv4 0.0.0.0:49155 0.0.0.0:0 LISTENING 608
lsass.exe <o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1f291f60 TCPv4 0.0.0.0:49155 0.0.0.0:0 LISTENING 608
lsass.exe <o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1f291f60 TCPv6 :::49155 :::0 LISTENING 608
lsass.exe <o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1f2c6758 TCPv4 0.0.0.0:5357 0.0.0.0:0 LISTENING 4
System <o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1f2c6758 TCPv6 :::5357 :::0 LISTENING 4
System <o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1f2cea58 TCPv4 0.0.0.0:49156 0.0.0.0:0 LISTENING 1596
svchost.exe <o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1f2cea58 TCPv6 :::49156 :::0 LISTENING 1596
svchost.exe <o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1f2d6a48 TCPv4 0.0.0.0:49156 0.0.0.0:0 LISTENING 1596
svchost.exe <o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1f30a4f8 TCPv4 0.0.0.0:80 0.0.0.0:0 LISTENING 4
System <o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1f30a4f8 TCPv6 :::80 :::0 LISTENING 4
System <o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span style="background: yellow; font-family: 'Courier New'; font-size: 8.0pt; line-height: 115%; mso-highlight: yellow;">0x1eda4db0 TCPv4 -:8080 58.64.141.245:1057 CLOSED 1728 Tomcat7.exe</span></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1edd0cb0 UDPv4 0.0.0.0:3702 *:* 1080
svchost.exe 2015-06-11 22:06:12
UTC+0000<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1edde570 UDPv4 0.0.0.0:3702 *:* 1080 svchost.exe 2015-06-11 22:06:12 UTC+0000<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1edde570 UDPv6 :::3702 *:* 1080 svchost.exe 2015-06-11 22:06:12 UTC+0000<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1ee01f58 UDPv4 0.0.0.0:0 *:* 820 VBoxService.exe 2015-06-11 22:29:05
UTC+0000<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1ee3bf58 UDPv4 0.0.0.0:0 *:* 820 VBoxService.exe 2015-06-11 22:30:30
UTC+0000<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1ee8dd88 UDPv6 fe80::dd13:57ed:2d56:5b23:546 *:* 968 svchost.exe 2015-06-11 22:27:10 UTC+0000<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1ee93ae8 UDPv4 0.0.0.0:0 *:* 1160 svchost.exe 2015-06-11 22:26:21 UTC+0000<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1f0d1150 UDPv4 192.168.56.30:138 *:* 4 System 2015-06-11 22:05:25 UTC+0000<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1f21c3a8 UDPv4 0.0.0.0:0 *:* 1184 svchost.exe 2015-06-11 22:05:44 UTC+0000<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1f21c3a8 UDPv6 :::0 *:* 1184
svchost.exe 2015-06-11 22:05:44
UTC+0000<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1f21d510 UDPv4 0.0.0.0:5355 *:* 1184 svchost.exe 2015-06-11 22:05:44 UTC+0000<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1f21e008 UDPv4 0.0.0.0:5355 *:* 1184 svchost.exe 2015-06-11 22:05:44 UTC+0000<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1f21e008 UDPv6 :::5355 *:* 1184 svchost.exe 2015-06-11 22:05:44 UTC+0000<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1f25d608 UDPv4 0.0.0.0:3702 *:* 1080 svchost.exe 2015-06-11 22:06:12 UTC+0000<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1f25d608 UDPv6 :::3702 *:* 1080 svchost.exe 2015-06-11 22:06:12 UTC+0000<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1f2a5518 UDPv4 0.0.0.0:500 *:* 1012 svchost.exe 2015-06-11 22:05:54 UTC+0000<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1f2a5518 UDPv6 :::500 *:* 1012 svchost.exe 2015-06-11 22:05:54 UTC+0000<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1f2ab5f0 UDPv4 0.0.0.0:500 *:* 1012 svchost.exe 2015-06-11 22:05:54 UTC+0000<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1f2af8c0 UDPv4 0.0.0.0:4500 *:* 1012
svchost.exe 2015-06-11 22:05:54
UTC+0000<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1f2b1290 UDPv4 0.0.0.0:0 *:* 1012 svchost.exe 2015-06-11 22:05:54 UTC+0000<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1f2b1290 UDPv6 :::0 *:* 1012 svchost.exe 2015-06-11 22:05:54 UTC+0000<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1f2b1f58 UDPv4 0.0.0.0:0 *:* 1012 svchost.exe 2015-06-11 22:05:54 UTC+0000<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1f2d72b8 UDPv4 0.0.0.0:0 *:* 1596 svchost.exe 2015-06-11 22:05:55 UTC+0000<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1f2daf58 UDPv4 0.0.0.0:0 *:* 1596 svchost.exe 2015-06-11 22:05:55 UTC+0000<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1f2daf58 UDPv6 :::0 *:* 1596 svchost.exe 2015-06-11 22:05:55 UTC+0000<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1f2deaf8 UDPv4 0.0.0.0:3702 *:* 1080 svchost.exe 2015-06-11 22:06:12 UTC+0000<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1f2dfbb8 UDPv4 0.0.0.0:55678 *:* 1080 svchost.exe 2015-06-11 22:05:56 UTC+0000<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1f2e0b50 UDPv4 0.0.0.0:55679 *:* 1080
svchost.exe 2015-06-11 22:05:56
UTC+0000<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1f2e0b50 UDPv6 :::55679 *:* 1080 svchost.exe 2015-06-11 22:05:56 UTC+0000<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1f2e9160 UDPv4 0.0.0.0:0 *:* 1080 svchost.exe 2015-06-11 22:05:57 UTC+0000<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1f2e9160 UDPv6 :::0 *:* 1080 svchost.exe 2015-06-11 22:05:57 UTC+0000<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1f2ea008 UDPv4 0.0.0.0:0
*:* 1080 svchost.exe 2015-06-11 22:05:57 UTC+0000<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1f2f9008 UDPv4 0.0.0.0:123 *:* 1080 svchost.exe 2015-06-11 22:05:57 UTC+0000<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1f2f9008 UDPv6 :::123 *:* 1080 svchost.exe 2015-06-11 22:05:57 UTC+0000<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1f2f9228 UDPv4 0.0.0.0:123 *:* 1080 svchost.exe 2015-06-11 22:05:57 UTC+0000<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">0x1fa2fb40 UDPv4 192.168.56.30:137 *:* 4 System 2015-06-11 22:05:25 UTC+0000</span></div>
<div style="margin-bottom: 0.0001pt; text-align: left;">
<br /></div>
<h4 style="margin-bottom: 0.0001pt; text-align: left;">
<span class="Heading3Char"><span style="font-family: 'Times New Roman'; mso-bidi-font-family: 'Times New Roman'; mso-bidi-theme-font: major-bidi;"><b>Other attacker activity</b></span></span></h4>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="font-family: 'Times New Roman'; line-height: 115%;">The following activity attributable to
the attacker was also noted:<span style="font-size: 10pt;"><o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in;">
<i><span class="Heading4Char"><span style="font-family: 'Times New Roman'; mso-bidi-font-family: 'Courier New';">Executing the Windows </span></span><span class="Heading4Char"><span style="font-family: 'Courier New';">time</span></span><span class="Heading4Char"><span style="font-family: 'Times New Roman'; mso-bidi-font-family: 'Courier New';"> command via the web shell</span></span></i></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">527519808 POST /webfiles/ HTTP/1.1<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">527519834 Accept: image/gif,
image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, */*<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">527519927 Referer:
http://192.168.56.30:8080/webfiles/<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">527519973 Accept-Language: en-us<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">527519997 User-Agent: Mozilla/4.0
(compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">527520074 Content-Type:
application/x-www-form-urlencoded<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">527520123 Accept-Encoding: gzip,
deflate<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">527520155 Host: 192.168.56.30:8080<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">527520181 Content-Length: 95<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">527520201 Connection: Keep-Alive<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">527520225 Cache-Control: no-cache<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">527520250 Cookie:
JSESSIONID=D4BB0A17D08FE321DF87835231D79824<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="line-height: 115%;"><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">527520305
text=06%3A24+PM%0D%0A%0D%0A&dir=C%3A%5Cinetpub%5Cwwwroot&<span style="background: yellow; mso-highlight: yellow;">command=time+%2Ft</span>&Submit=Launch&sort=1X</span><span style="font-family: 'Courier New'; font-size: 8pt;"><o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="font-family: 'Courier New'; line-height: 115%;">time+%2Ft</span><span style="font-family: 'Times New Roman'; line-height: 115%;"> is the URL-encoded version of </span><span style="font-family: 'Courier New'; line-height: 115%;">time /t</span><span style="font-family: 'Times New Roman'; line-height: 115%;">, which returns system time in the </span><span style="font-family: 'Courier New'; line-height: 115%;">HH:MM AM|PM</span><span style="font-family: 'Times New Roman'; line-height: 115%;"> format.<span style="font-size: 10pt;"><o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in;">
<br /></div>
<div style="margin-top: 0in; text-align: left;">
<span style="font-weight: normal;"><i><span style="font-family: 'Times New Roman'; mso-bidi-font-family: 'Times New Roman'; mso-bidi-theme-font: major-bidi;">Executing the Windows </span><span style="font-family: 'Courier New';">tasklist</span><span style="font-family: 'Times New Roman'; mso-bidi-font-family: 'Times New Roman'; mso-bidi-theme-font: major-bidi;"> command via the web shell</span></i></span></div>
<div style="margin-top: 0in; text-align: left;">
<span style="font-weight: normal;"><i><span style="font-family: 'Times New Roman'; font-size: 10pt; line-height: 115%;"><br /></span></i></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">526843968 POST /webfiles/ HTTP/1.1<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">526843994 Accept: image/gif,
image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, */*<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">526844087 Referer:
http://192.168.56.30:8080/webfiles/<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">526844133 Accept-Language: en-us<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">526844157 User-Agent: Mozilla/4.0
(compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">526844234 Content-Type: application/x-www-form-urlencoded<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">526844283 Accept-Encoding: gzip,
deflate<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">526844315 Host: 192.168.56.30:8080<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">526844341 Content-Length: 78<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">526844361 Connection: Keep-Alive<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">526844385 Cache-Control: no-cache<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">526844410 Cookie:
JSESSIONID=D4BB0A17D08FE321DF87835231D79824<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="line-height: 115%;"><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">526844465
text=%0D%0A&dir=C%3A%5Cinetpub%5Cwwwroot&<span style="background: yellow; mso-highlight: yellow;">command=tasklist</span>&Submit=Launch&sort=1H</span><span style="font-family: 'Courier New'; font-size: 8pt;"><o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in;">
<br /></div>
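<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in;">
Both web-shell requests above carry the command in an application/x-www-form-urlencoded body, and in both the carved string is one byte longer than the declared Content-Length (96 vs. 95, 79 vs. 78). The following Python is an added example, not code from the original post: it trims each carved body to its declared length, decodes the fields, and flags commands on a small reconnaissance watchlist; the watchlist, the function names and the interpretation of the trailing byte as adjacent memory are my own.</div>

```python
"""Decode web-shell command requests carved from a memory image.

Added example, not part of the original write-up. The two bodies below are
copied from the carved strings shown above; the Content-Length values are the
ones in the matching request headers. Field names (text, dir, command) are the
ones this particular web shell used.
"""
from urllib.parse import parse_qs

# Constructed sample input: (string offset, Content-Length, carved body).
CARVED_REQUESTS = [
    (527520305, 95,
     "text=06%3A24+PM%0D%0A%0D%0A&dir=C%3A%5Cinetpub%5Cwwwroot"
     "&command=time+%2Ft&Submit=Launch&sort=1X"),
    (526844465, 78,
     "text=%0D%0A&dir=C%3A%5Cinetpub%5Cwwwroot"
     "&command=tasklist&Submit=Launch&sort=1H"),
]

# Built-in commands an intruder typically runs first to learn about the host.
# A hit is a triage signal for the responder, not proof on its own.
RECON_COMMANDS = {"tasklist", "time", "whoami", "systeminfo", "ipconfig",
                  "net", "dir", "hostname"}


def split_body(carved, content_length):
    """Return (body, residue).

    A string carved from memory runs until the first non-printable byte, so it
    can continue past the end of the HTTP body into whatever sat next in
    memory. Content-Length marks where the body really ends; anything after it
    is treated here as residue rather than as part of the request.
    """
    return carved[:content_length], carved[content_length:]


def decode_request(carved, content_length):
    """Decode one web-shell POST body into its meaningful fields."""
    body, residue = split_body(carved, content_length)
    # parse_qs undoes both '+' -> ' ' and %XX escapes; keep_blank_values so an
    # empty text= field still shows up as a key.
    fields = parse_qs(body, keep_blank_values=True)

    def first(key):
        return fields.get(key, [""])[0]

    command = first("command")
    tokens = command.split()
    program = tokens[0].lower() if tokens else ""  # executable name only
    return {
        "command": command,
        "cwd": first("dir"),
        # 'text' most likely carries the previous command's output, resubmitted
        # with the form (the time request holds a "06:24 PM" line).
        "previous_output": first("text"),
        "recon": program in RECON_COMMANDS,
        "residue": residue,
    }


def decode_all(requests=CARVED_REQUESTS):
    """Decode every carved request, keyed by its string offset."""
    return {offset: decode_request(body, length)
            for offset, length, body in requests}


if __name__ == "__main__":
    for offset, rec in sorted(decode_all().items()):
        print(f"{offset}: {rec['command']!r} in {rec['cwd']}"
              f" recon={rec['recon']} residue={rec['residue']!r}")
```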
<div class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: left;">
<span style="font-family: 'Times New Roman'; line-height: 115%;">This finding is supported by Volatility </span><span style="font-family: 'Courier New'; line-height: 115%;">pstree</span><span style="font-family: 'Times New Roman'; line-height: 115%;"> output, which shows </span><span style="font-family: 'Courier New'; line-height: 115%;">tasklist.exe</span><span style="font-family: 'Times New Roman'; line-height: 115%;"> running as a child process of </span><span style="font-family: 'Courier New'; line-height: 115%;">cmd.exe</span><span style="font-family: 'Times New Roman'; line-height: 115%;">, which in turn is a child process of </span><span style="font-family: 'Courier New'; line-height: 115%;">Tomcat7.exe</span><span style="font-family: 'Times New Roman'; line-height: 115%;">:</span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">$ vol.py -f
WIN-CEKM08E74HR-20150611-222930.raw pstree<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;"><…snip…><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">. 0x83139650:services.exe 596 520 6 234 2015-06-11 22:05:29 UTC+0000</span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span style="background: yellow; font-family: 'Courier New'; font-size: 8.0pt; line-height: 115%; mso-highlight: yellow;">.. 0x832dc560:Tomcat7.exe 1728 596 28 360 2015-06-11 22:05:56 UTC+0000</span></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">... 0x835eba10:cmd.exe 3604 1728
0 ------ 2015-06-11 22:25:15 UTC+0000<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">... 0x836407b0:cmd.exe 3612 1728
0 ------ 2015-06-11 22:25:24 UTC+0000<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%;">.... 0x830e2d90:tasklist.exe 3620 3612
0 ------ 2015-06-11 22:25:24 UTC+0000<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="background: yellow; font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 115%; mso-highlight: yellow;">... 0x831f3d90:cmd.exe 3248 1728 0 ------ 2015-06-11 22:21:49 UTC+0000</span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span style="background: yellow; font-family: 'Courier New'; font-size: 8.0pt; line-height: 115%; mso-highlight: yellow;">.... 0x8363c7f0:tasklist.exe 3256 3248 0 ------ 2015-06-11 22:21:49 UTC+0000</span></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in;">
<span style="line-height: 115%;"><span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><…snip…></span></span></div>
</div>
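<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in;">
The parent-child relationship the write-up points to (tasklist.exe under cmd.exe under Tomcat7.exe) is exactly the pattern a responder wants to query automatically rather than read off by eye. This added example, not code from the post or from Volatility, parses pstree rows like the ones above and lists every process descended from a web-server process; the web-server and shell name sets and the function names are my own.</div>

```python
"""Flag processes spawned under a web server in Volatility pstree output.

Added example, not part of the original write-up or of Volatility. The sample
rows are copied from the pstree output above; the WEB_SERVERS and SHELLS sets
are an assumption about which names matter on a typical web host.
"""
import re

# Constructed sample: the pstree rows shown above (the original run was against
# WIN-CEKM08E74HR-20150611-222930.raw).
PSTREE_SAMPLE = """\
. 0x83139650:services.exe 596 520 6 234 2015-06-11 22:05:29 UTC+0000
.. 0x832dc560:Tomcat7.exe 1728 596 28 360 2015-06-11 22:05:56 UTC+0000
... 0x835eba10:cmd.exe 3604 1728 0 ------ 2015-06-11 22:25:15 UTC+0000
... 0x836407b0:cmd.exe 3612 1728 0 ------ 2015-06-11 22:25:24 UTC+0000
.... 0x830e2d90:tasklist.exe 3620 3612 0 ------ 2015-06-11 22:25:24 UTC+0000
... 0x831f3d90:cmd.exe 3248 1728 0 ------ 2015-06-11 22:21:49 UTC+0000
.... 0x8363c7f0:tasklist.exe 3256 3248 0 ------ 2015-06-11 22:21:49 UTC+0000
"""

# One pstree row: depth dots, 0xOFFSET:name, PID, PPID, threads, handles, start.
ROW = re.compile(
    r"^(?P<depth>\.*)\s*0x(?P<offset>[0-9a-fA-F]+):(?P<name>\S+)\s+"
    r"(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<thds>\d+)\s+(?P<hnds>\S+)\s+"
    r"(?P<start>\S+ \S+ \S+)\s*$")

# Web-server processes that have no business spawning a command interpreter.
WEB_SERVERS = {"tomcat7.exe", "tomcat8.exe", "w3wp.exe", "httpd.exe", "nginx.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


def parse_pstree(text):
    """Return {pid: {...}} for every line that matches the pstree row layout."""
    procs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, separator or <...snip...> lines
        procs[int(m["pid"])] = {
            "name": m["name"], "ppid": int(m["ppid"]),
            "threads": int(m["thds"]), "handles": m["hnds"],
            "start": m["start"],
        }
    return procs


def ancestry(procs, pid):
    """Process names from the outermost known ancestor down to pid."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:  # stop at unknown PIDs and loops
        seen.add(pid)
        chain.append(procs[pid]["name"])
        pid = procs[pid]["ppid"]
    return list(reversed(chain))


def webserver_spawned(procs):
    """Every process with a web server among its ancestors, oldest first."""
    hits = []
    for pid, p in procs.items():
        if p["name"].lower() in WEB_SERVERS:
            continue  # the server itself is not a finding
        chain = ancestry(procs, pid)
        if any(name.lower() in WEB_SERVERS for name in chain[:-1]):
            hits.append({
                "pid": pid, "name": p["name"], "start": p["start"],
                "chain": " > ".join(chain),
                "is_shell": p["name"].lower() in SHELLS,
                # Zero threads and no handle table is consistent with a
                # process that has already exited but is still linked in.
                "exited": p["threads"] == 0 and p["handles"].startswith("-"),
            })
    return sorted(hits, key=lambda h: h["start"])


if __name__ == "__main__":
    for hit in webserver_spawned(parse_pstree(PSTREE_SAMPLE)):
        flag = "SHELL" if hit["is_shell"] else "child"
        print(f"{hit['start']} {flag:5} pid={hit['pid']:<5} {hit['chain']}")
```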
</div>
Unknown noreply@blogger.com 10
tag:blogger.com,1999:blog-2367348689242633827.post-5542953054444997879 2013-10-20T17:20:00.002-07:00 2013-10-23T17:46:30.635-07:00
Network Topology Configurations for Security Onion<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
Occasionally questions are asked on the <a href="http://securityonion.blogspot.com/" target="_blank">Security Onion</a> (SO) mailing list
about physical and virtual network configurations for getting network
traffic into SO. These questions often have nothing to do with SO
itself and everything to do with network architecture issues, such as
sensor and tap placement, switch configuration, and virtualization
software configuration.<br />
<br />
Here is a <a href="https://drive.google.com/file/d/0B8XyWOXyN7KLVFpxX09MMWhmQ28/edit?usp=sharing" target="_blank">paper</a> I originally wrote back in April for the Security Onion mailing list to address these issues. It would probably be better as a blog post, but it's a little long for that and transferring the graphics from Word to the blog is a bit of a pain, so I'm leaving it in PDF format for now. If anyone spots any errors or finds anything that isn't clear, let me know and I will update the document.<br />
<br />
<a href="https://drive.google.com/file/d/0B8XyWOXyN7KLVFpxX09MMWhmQ28/edit?usp=sharing" target="_blank">Network Topology Configurations for Security Onion</a></div>
Unknown noreply@blogger.com 0
tag:blogger.com,1999:blog-2367348689242633827.post-2838664132267889468 2013-10-13T14:44:00.000-07:00 2013-10-23T17:47:17.200-07:00
Admissibility of Digital Evidence in Virginia<div dir="ltr" style="text-align: left;" trbidi="on">
Here is a <a href="https://drive.google.com/file/d/0B8XyWOXyN7KLbVlzbG9kUVBJXzQ/edit?usp=sharing" target="_blank">paper</a> I wrote for Champlain College's "Practice of Digital Investigations" course as a part of the M.S. in Digital Forensic Science curriculum. The assignment was as follows:<br />
<blockquote class="tr_bq">
<i>Prepare a report identifying the requirements for having digital evidence accepted in a criminal or civil court within your jurisdiction. You should identify relevant state and federal legislation, and court rules or instructions. Your report should include the requirements for presenting expert evidence; this includes any federal or state rules of evidence that apply to expert testimony.</i></blockquote>
<blockquote class="tr_bq">
<i>Your answer should be approximately 2500 words. You may choose to focus on civil or criminal cases.</i></blockquote>
This was quite a learning experience for me since I have no background in court proceedings or law enforcement. Before researching this topic, I assumed there were specific rules governing digital evidence as opposed to physical evidence, which I found was quite a faulty assumption.<br />
<br />
<a href="https://drive.google.com/file/d/0B8XyWOXyN7KLbVlzbG9kUVBJXzQ/edit?usp=sharing" target="_blank">Admissibility of Digital Evidence in Courts of the Commonwealth of Virginia</a></div>
<h2 style="text-align: left;">
OSINT...Oh What? (July 22, 2013)</h2>
<div dir="ltr" style="text-align: left;" trbidi="on">
<h2 style="text-align: left;">
Introduction</h2>
I recently participated in a brief Twitter conversation that started with a statement that the terms "OSINT" (<i>Open Source INTelligence</i>) and "OPSEC" (<i>OPerational SECurity</i>) are too military-sounding (they are military terms after all) and thus might turn some audiences off from understanding the underlying concepts, particularly those audiences who really ought to understand and apply them. I wanted to comment more on these concepts, but 140 characters makes it tough to do. Hence, I decided to write a couple of blog posts to discuss what these terms specifically mean, why they are applicable in the private sector, and some potential alternative terms that might be more widely accepted outside the government.<br />
<br />
In this first of two posts, I discuss OSINT. In a follow-on post I will discuss OPSEC.<br />
<br />
<h2 style="text-align: left;">
What is OSINT?</h2>
<h3 style="text-align: left;">
Intelligence</h3>
<div>
To understand <i>open source intelligence</i>, you first must understand the <i>intelligence</i> part of the term. <a href="http://www.dtic.mil/doctrine/new_pubs/jp1_02.pdf" target="_blank">Joint Publication 1-02</a> (JP 1-02), "Department of Defense Dictionary of Military and Associated Terms", defines <i>intelligence</i> as:</div>
<blockquote class="tr_bq">
<span style="font-family: TimesNewRoman; font-size: 12pt;">"</span><span style="font-family: TimesNewRoman; font-size: 12pt;"><i>The product resulting from the collection, processing, integration, evaluation, analysis, and interpretation of available information concerning foreign nations, hostile or potentially hostile forces or elements, or areas of actual or potential operations..."</i></span></blockquote>
That's a mouthful, but in layman's terms <i>intelligence</i> is the final product of the analysis of (potentially) disparate pieces of information into a coherent meaning. The "<i>interpretation of...information</i>" is the key element in this definition, as intelligence is the outcome of human judgement that gives <i>meaning</i> and <i>application</i> to raw information. Even before you have information to analyze, you have raw data that may have even less apparent value or meaning. The following graphic illustrates the relationship among data, information, and intelligence:<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4xILTsWo-lgXEW2pzG6TcoRUiyCp0xugJ74Ds9pKD3caeqIeRLtxE-Ml2NYG8cGR8YAltTURYPExZPMidMoDYfF2o2S1tavorrjWGklkBruEe-Nq5idcMgdVAummZd56zjO1vV_ihjIE/s1600/data_info_intel.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="427" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4xILTsWo-lgXEW2pzG6TcoRUiyCp0xugJ74Ds9pKD3caeqIeRLtxE-Ml2NYG8cGR8YAltTURYPExZPMidMoDYfF2o2S1tavorrjWGklkBruEe-Nq5idcMgdVAummZd56zjO1vV_ihjIE/s640/data_info_intel.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;">Source: Joint Publication 2-0, "Joint Intelligence", June 22, 2007<br />Retrieved July 21, 2013, from http://www.dtic.mil/doctrine/new_pubs/jp1_02.pdf</span></td></tr>
</tbody></table>
<br />
Here's a very simplistic example of this relationship in information security terms:<br />
<br />
<ul style="text-align: left;">
<li><i><u>Data</u></i>: Raw log files collected from disparate network nodes.</li>
<li><i><u>Information</u></i>: A timeline of network activity derived from processing the log files.</li>
<li><i><u>Intelligence</u></i>: An assessment of an attacker's tactics based on what activity took place on the network derived from analysis of the timeline. This is probably combined with other data and information sources and might also include an estimate of future attacker actions or even attribution to a specific threat group based on observed tactics.</li>
</ul>
<br />
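The three rungs listed above can be walked in code. The following Python script is an added example and is not code from the original post: it takes constructed log lines from two sources with different timestamp formats (data), normalises them into a single chronological timeline (information), and then correlates the timeline into a candidate finding with the surrounding activity attached, which is the material an analyst's judgement turns into intelligence. The hostnames, IP addresses, log formats and the assumption that syslog timestamps are UTC are all mine, not the post's.

```python
"""Walking the data -> information -> intelligence ladder on constructed NSM logs.

Added example; not code from the original post. The log lines, hostnames and
IP addresses below are constructed for illustration, and syslog timestamps are
assumed to be UTC with a known year.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# --- Data: raw log lines from two disparate sources (constructed) -----------
# Source 1: an SSH daemon's syslog-style auth log (no year, "Mon DD HH:MM:SS").
AUTH_LOG = """\
Jul 21 09:14:02 bastion sshd[4121]: Failed password for root from 203.0.113.77 port 51022 ssh2
Jul 21 09:14:05 bastion sshd[4121]: Failed password for root from 203.0.113.77 port 51023 ssh2
Jul 21 09:14:09 bastion sshd[4125]: Failed password for admin from 203.0.113.77 port 51027 ssh2
Jul 21 09:14:31 bastion sshd[4130]: Accepted password for admin from 203.0.113.77 port 51044 ssh2
Jul 21 09:27:14 bastion sshd[4188]: Accepted password for jsmith from 192.0.2.15 port 40022 ssh2
"""

# Source 2: an outbound web proxy log with ISO-8601 timestamps.
PROXY_LOG = """\
2013-07-21T09:15:02Z bastion -> 198.51.100.9:443 GET /update.bin 200 1049600
2013-07-21T09:31:40Z ws-12 -> 93.184.216.34:443 GET / 200 1270
"""

AUTH_RE = re.compile(
    r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: "
    r"(Failed|Accepted) password for (\S+) from (\S+) port"
)
PROXY_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\S+) (\S+) (\d{3}) (\d+)$")


def parse_auth(text, year=2013):
    """Data -> events: normalise syslog lines into timestamped records."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue  # lines we don't understand stay out of the timeline
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append({
            "ts": ts.replace(tzinfo=timezone.utc),  # assumption: syslog is in UTC
            "source": "auth", "host": m.group(2),
            "outcome": m.group(3).lower(), "user": m.group(4), "src_ip": m.group(5),
            "summary": f"ssh {m.group(3).lower()} for {m.group(4)} from {m.group(5)}",
        })
    return events


def parse_proxy(text):
    """Same normalisation for the proxy log's different timestamp format."""
    events = []
    for line in text.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append({
            "ts": ts.replace(tzinfo=timezone.utc), "source": "proxy", "host": m.group(2),
            "dst": f"{m.group(3)}:{m.group(4)}", "status": int(m.group(7)),
            "bytes": int(m.group(8)),
            "summary": f"{m.group(5)} {m.group(3)}:{m.group(4)}{m.group(6)} "
                       f"-> {m.group(7)} ({m.group(8)} bytes)",
        })
    return events


def build_timeline(*event_lists):
    """Information: one chronologically ordered view across all sources."""
    return sorted((e for lst in event_lists for e in lst), key=lambda e: e["ts"])


def candidate_findings(timeline, min_failures=3, window=timedelta(minutes=5),
                       follow=timedelta(minutes=10)):
    """Toward intelligence: correlate events into findings for analyst judgement.

    Flags an accepted SSH login preceded by `min_failures` or more failures from
    the same source within `window`, and attaches what that host did during the
    following `follow` period so the analyst can assess tactics and impact.
    """
    failures = defaultdict(list)
    findings = []
    for e in timeline:
        if e["source"] != "auth":
            continue
        if e["outcome"] == "failed":
            failures[e["src_ip"]].append(e["ts"])
        elif e["outcome"] == "accepted":
            recent = [t for t in failures[e["src_ip"]] if e["ts"] - t <= window]
            if len(recent) >= min_failures:
                after = [x for x in timeline
                         if x["host"] == e["host"] and e["ts"] < x["ts"] <= e["ts"] + follow]
                findings.append({
                    "src_ip": e["src_ip"], "user": e["user"], "host": e["host"],
                    "failures": len(recent), "first_failure": min(recent),
                    "success": e["ts"], "follow_on": after,
                })
            failures[e["src_ip"]].clear()
    return findings


def analyze(auth_text=AUTH_LOG, proxy_text=PROXY_LOG):
    """Run the whole ladder on the constructed logs; returns (timeline, findings)."""
    timeline = build_timeline(parse_auth(auth_text), parse_proxy(proxy_text))
    return timeline, candidate_findings(timeline)


if __name__ == "__main__":
    timeline, findings = analyze()
    print("Information (timeline):")
    for e in timeline:
        print(f"  {e['ts']:%H:%M:%S} {e['source']:5} {e['host']:8} {e['summary']}")
    print("Candidate findings for analyst assessment:")
    for f in findings:
        print(f"  {f['src_ip']}: {f['failures']} failures then success as {f['user']} "
              f"at {f['success']:%H:%M:%S}; follow-on: "
              + "; ".join(x["summary"] for x in f["follow_on"]))
```

The finding the script produces is deliberately not labelled an attack: a password-guessing burst followed by a successful login and a large download is a pattern worth an analyst's attention, but whether it is an intrusion, a forgetful administrator, or a scheduled update is exactly the interpretation step the post reserves for human judgement.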
A key philosophy usually followed in military operations is that of <i>intelligence-driven operations</i>. That is, operations must be informed, directed, and focused by intelligence. For example, a military commander's mission may be to defeat an insurgency. To do this, the commander must understand the local culture and power structures, identify key community leaders and insurgent personalities, and learn myriad other details. These things require the collection of relevant information and analysis of that information to guide the commander's actions to reach his goals. The alternative is to play "whack-a-mole", constantly chasing the latest problems without really solving the underlying issues.<br />
<br />
<i>Intelligence-driven operations</i> in information security might mean understanding the specific threats against your company or industry, including their tactics and capabilities, and organizing your defenses to counter those specific threats instead of deploying broad, generalized defenses that may not stop the threats you actually face. Threats must also be taken in context with your specific vulnerabilities and the threat's ability and intent to exploit those vulnerabilities, which together equal your risk (the risk equation includes other factors, such as asset criticality, but calculating risk is a whole other discussion).<br />
<br />
<h3 style="text-align: left;">
Open Source</h3>
<div style="text-align: left;">
<span style="font-family: TimesNewRoman; font-size: 12pt;">Now let's address the <i>open source</i> in <i>open source intelligence</i>. JP 1-02 defines </span><i style="font-family: TimesNewRoman; font-size: 12pt;">open source intelligence</i><span style="font-family: TimesNewRoman; font-size: 12pt;"> as:</span></div>
<blockquote class="tr_bq">
"<span style="font-family: TimesNewRoman; font-size: 12pt;"><i>Information of potential intelligence value that is available to the general public</i>."</span></blockquote>
<div>
This definition contradicts the definition of <i>intelligence</i>, since we've already established that <i>information</i> and <i>intelligence</i> are not synonymous (amazing, two government documents contradicting one another!). I'd say this is really a definition of open source <i>information</i> rather than open source <i>intelligence</i>. <i>Intelligence information</i> is information "of potential intelligence value", but information is <i>not</i> intelligence. A more accurate definition of <i>open source intelligence</i>, using the definition of <i>intelligence</i> as the root, is:<br />
<blockquote class="tr_bq">
<span style="font-family: TimesNewRoman; font-size: 12pt;">"</span><span style="font-family: TimesNewRoman; font-size: 12pt;"><i>The product resulting from the collection, processing, integration, evaluation, analysis, and interpretation of <b>information available to the general public</b>..."</i></span></blockquote>
Whether or not information is available to the general public, i.e., "open source", is in the eye of the beholder. So far I've discussed information and intelligence from the government's point of view. In that context, <i>open source</i> means information that the government does not keep to itself. In other words, the average private citizen can access open source information without government clearance or authorization.<br />
<br />
Now, just because open source <i>information</i>, and the derived open source <i>intelligence</i>, is not obtained through sensitive government methods doesn't mean it isn't useful. In fact, the government has organizations devoted to the collection and analysis of open source information. From the Director of National Intelligence's <a href="https://www.cia.gov/news-information/featured-story-archive/2010-featured-story-archive/open-source-intelligence.html" target="_blank">Open Source Center</a>:<br />
<blockquote class="tr_bq">
<span style="font-family: inherit;"><i><span style="font-family: inherit;">"Information does not have to be secret to be valuable. Whether in the blogs we browse, the broadcasts we watch, or the specialized journals we read, there is an endless supply of information that contributes to our understanding of the world. The Intelligence Community generally refers to this information as Open Source Intelligence (OSINT). OSINT plays an essential role in giving the national security community as a whole insight and context at a relatively low cost.</span><br /><br />OSINT is drawn from publicly available material, including:</i></span><br />
<ul style="text-align: left;">
<li><span style="font-family: inherit;"><i>The Internet</i></span></li>
<li><span style="font-family: inherit;"><i>Traditional mass media (e.g. television, radio, newspapers, magazines)</i></span></li>
<li><span style="font-family: inherit;"><i>Specialized journals, conference proceedings, and think tank studies</i></span></li>
<li><span style="font-family: inherit;"><i>Photos</i></span></li>
<li><span style="font-family: inherit;"><i>Geospatial information (e.g. maps and commercial imagery products)"</i></span></li>
</ul>
</blockquote>
<br />
<h2 style="text-align: left;">
OSINT in the Private Sector</h2>
</div>
<div>
"Open source" information in the context of a private business has essentially the same meaning as it does in a government context: information openly available to people and organizations outside the company. A simplification would be to say open source information is <i>non-proprietary</i> and closed source information is <i>proprietary</i>, which is the point I put forward in the conversation that sparked this post. However, a corporation might make certain proprietary information publicly available, either for free or for a fee, so proprietary information might also be open source.</div>
<div>
<br /></div>
<div>
With that said, I propose two simple replacement terms for OSINT in the private sector: <i>openly available</i> (thanks, @kylemaxwell) and <i>publicly available</i> (with the understanding that <i>public</i> means outside the company) intelligence. "Publicly available" might be slightly more accurate because it connotes any information available in any manner outside a company, including information available for a fee or based on some organizational membership. It is also the term used in the Open Source Center quotation above. <i>Openly available</i> might cause some people to associate the term only with information available with no restrictions whatsoever, although that distinction might be splitting hairs.</div>
<div>
<br /></div>
<h2 style="text-align: left;">
Conclusion</h2>
<div>
It is important to understand the value of publicly-available information to prevent one from dismissing certain sources of information as being unreliable or not useful simply because the information is easily obtained. Any information, regardless of the source, has potential value. I think <i>intelligence</i>, however, is a more important concept to grasp than whether or not the intelligence is derived from public (open source) or non-public (closed source) information. The value of information in practice is based on the application of human analysis and judgement to draw conclusions, make connections between seemingly unrelated or disparate pieces of information, and drive decisions and actions that make the best use of available resources.<br />
<i><br /></i>
<i>That</i> is intelligence.</div>
<div>
<br /></div>
<div>
<br /></div>
</div>
<h2 style="text-align: left;">
My Home Security Lab (Part I) (April 20, 2013)</h2>
<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: left;">
Like many folks interested in information security, I have a home lab environment. I thought I'd share my setup just to provide another option for anyone who might be looking for examples of how to create their own lab. In this first post, I'll go over my requirements and hardware choices. In subsequent posts, I'll talk about my physical and virtual network topology and configuration.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Many different configurations and combinations of virtual and physical infrastructure could be used depending on what your ultimate goal (and budget) is. I primarily wanted a network security monitoring (NSM) lab, so I had the following requirements:</div>
<ul style="text-align: left;">
<li>Capability to run several (3-4 or more) machines (physical and/or virtual) at the same time</li>
<li>Capability to monitor all of those machines via a physical tap, a switch mirror/SPAN port, or a virtual configuration</li>
<li>Expandable storage for saving full-content packet captures, creating a large number of VMs and snapshots, and whatever other needs arise over time</li>
<li>Ability to segregate the lab traffic from the rest of my home network</li>
<li>CPU support for virtualization extensions (VT-x and VT-d)</li>
<li>Flexibility for additional future uses, such as password cracking, malware analysis, or other uses I may not have considered</li>
<li>Spend as little money and reuse as much existing hardware as possible</li>
</ul>
<div>
<div style="text-align: justify;">
With those requirements, I decided a virtualization server was the only way to go in terms of flexibility. That meant the first decision was to select a virtualization platform. I settled pretty quickly on VMware's vSphere Hypervisor since it's free, has a very small footprint (144MB), and is packed with features. There are other options such as Proxmox VE, Xen Hypervisor, or running VirtualBox or VMware Workstation in a host operating system, but I never seriously considered those. That doesn't mean, however, that these options aren't viable - Richard Bejtlich runs <a href="http://taosecurity.blogspot.com/2013/02/practical-network-security-monitoring.html" target="_blank">such a setup</a> using VMware Workstation as a "server" that seems to work great for his requirements, and there are many examples out there if you look. It boils down to your personal preferences and what meets your needs.</div>
<div style="text-align: justify;">
<span style="text-align: left;"><br /></span></div>
<div style="text-align: justify;">
<span style="text-align: left;">I looked at several new and refurbished machines, but never found quite the specifications I was looking for within an acceptable price range, so </span>I decided to build my own "white box" VMware ESXi server. It can be tricky finding consumer grade hardware that is compatible with VMware's enterprise hypervisor, and one of the most difficult items to find is a compatible motherboard that still has the features you want. I narrowed my choices down to ASRock boards primarily based on information I found at <a href="http://www.tinkertry.com/" target="_blank">Paul Braren's TinkerTry blog</a> and specifically his <a href="http://www.tinkertry.com/vzilla/" target="_blank">vZilla</a> build.</div>
<br />
Ultimately I settled on the following build:<br />
<br /></div>
<div>
<center>
<table border="1">
<tbody>
<tr>
<th>Component</th>
<th>Make/Model</th>
<th>Price</th>
<th>Vendor</th>
</tr>
<tr>
<td>CPU</td>
<td>Intel Core i7 3770 3.4GHz LGA 1155 (Ivy Bridge)</td>
<td>$279.99</td>
<td>MicroCenter.com</td>
</tr>
<tr>
<td>Motherboard</td>
<td>ASRock Z77 Fatal1ty Professional</td>
<td>$238.49</td>
<td>NewEgg.com</td>
</tr>
<tr>
<td>Case</td>
<td>Cooler Master CM 690 II Advanced</td>
<td>$79.99</td>
<td>Amazon.com</td>
</tr>
<tr>
<td>Power Supply</td>
<td>Cooler Master Silent Pro M 600W</td>
<td>$45.07</td>
<td>Amazon.com</td>
</tr>
<tr>
<td>Memory</td>
<td>32GB G.Skill Ripjaws X Series</td>
<td>$174.24</td>
<td>NewEgg.com</td>
</tr>
<tr>
<td>Graphics Card</td>
<td>Nvidia Quadro</td>
<td>$0.00</td>
<td>On-hand</td>
</tr>
<tr>
<td>Hard Drive</td>
<td>250GB 3.5" SATA III</td>
<td>$0.00</td>
<td>On-hand</td>
</tr>
<tr>
<td>Optical Drive</td>
<td>No-name SATA DVD-ROM</td>
<td>$0.00</td>
<td>On-hand</td>
</tr>
<tr>
<td>Network Adapters</td>
<td>2x Realtek 10/100/1000 Mb/s</td>
<td>$0.00</td>
<td>On-board motherboard</td>
</tr>
<tr>
<td></td>
<td>Total:</td>
<td>$817.78</td>
<td></td>
</tr>
</tbody>
</table>
</center>
<br /></div>
<div>
A few notes about these choices:<br />
<br />
<ul style="text-align: left;">
<li>All prices are from about six months ago, and some reflect sale prices or promo codes available at the time, so your mileage may vary. More recently I added two Seagate Barracuda 2TB SATA 6Gb/s drives for more storage and to reduce the higher disk I/O I would have running everything off one hard drive - these ran about $70.00 and $80.00 on sale.</li>
<li>The motherboard was chosen for its VMware compatibility; a considerable number of PCI slots that will allow me to add additional network adapters as needed for various configurations; more than enough SATA ports; and VT-d passthrough support, which allows you to directly connect hardware to a VM without it running through the virtualization platform. My board has on-board Realtek NICs, but I think the latest version of this same board has Broadcom NICs, so you need to make sure VMware drivers are available.</li>
<li>I went with an Intel CPU simply for the quality and performance. I briefly considered AMD's six and eight core FX CPUs since they were comparably cheaper and I thought the extra cores might be useful for virtualization. However, I couldn't find any definitive information regarding their performance over Intel's hyper-threaded quad-core i7 and did find some anecdotal evidence that they would not perform as well, so I just stuck to the known quantity.</li>
<li>I could probably get by with a lower powered power supply, but I wanted room for expansion.</li>
<li>At some point I would like to fill up my drive bays with four more 2TB drives and add a hardware RAID controller, but right now those features are more "wants" than "needs", so I'll save my money for other things.</li>
</ul>
<div>
So, that's my hardware. In coming posts I'll discuss my vSphere configuration, as well as a little about my physical infrastructure.</div>
<div>
<br /></div>
</div>
</div>
<h2 style="text-align: left;">
From paid to free... (April 15, 2013)</h2>
<div dir="ltr" style="text-align: left;" trbidi="on">
So, this is my first post on a blog I'm not sure how often I will even use. For a while I was paying for a web hosting account and a domain name, mostly to share family photos and do a little blogging specifically for friends and family. It wasn't too long before I realized that no one would take the time to log into my web site to view my photos and blog posts since everyone is already on Facebook and other social media sites, which I still haven't fully embraced (I don't even have a Facebook account although I've gotten addicted to Twitter in the past few months!).<br />
<br />
I also intended to set up a sub-domain to start yet another information security blog, but never got around to it. In the end I kept the domain name and hosting account just to use it as an SSH proxy for browsing the web on untrusted networks. Finally I got around to setting up a VPN server at home and no longer had any use for the web site, so I closed it down and saved some money. Recently I got another inkling to start an infosec blog, so I thought I'd set up this one and see where it goes.<br />
<br />
Rather than trying to write content to attempt to draw readers (although that would be nice), I'll probably use it as more of a personal note-taking device, a placeholder for things I don't want to search for, or random topics that interest me. After all, if I'm not interested in what I'm writing about, I don't expect anyone else will be either!<br />
<br />
<br /></div>