Investigating a SharePoint Compromise: IR Tales from the Field
Nov. 5, 2024, 4:32 p.m.
Description
An incident response investigation uncovered an attacker who exploited a Microsoft SharePoint Server remote code execution vulnerability (CVE-2024-38094) to gain initial access. The intrusion went undetected for two weeks, during which the attacker moved laterally across the network and compromised the entire domain. Key tactics included installing Horoung Antivirus to impair existing defenses, using Impacket and Mimikatz for lateral movement and credential harvesting, and establishing persistence through scheduled tasks. The attacker also attempted to destroy backups and used a range of binaries for network reconnaissance and privilege escalation. The investigation underlines that rapid, well-rehearsed response procedures and comprehensive security tooling are what limit the impact of a breach of this kind.
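The tactics in the description map to a few cheap checks a responder can run immediately. The Python below is an added example written for this page, not code from the incident or from the original report: it sweeps a directory tree for the SHA-256 indicators listed under Indicators and runs a handful of regex rules for Impacket-style remote execution, Mimikatz, FRP and backup destruction over process-creation (Security 4688) and scheduled-task-creation (Security 4698) records. The sample events, host names, user names and file paths are constructed for illustration; tune the patterns to your own telemetry before relying on them.

```python
"""Offline triage helpers for the SharePoint intrusion summarised above.

Two things a responder wants early in a case like this: (1) a sweep of a
file system for the SHA-256 indicators published on this page, and (2) a
first pass over process-creation and scheduled-task records for the tooling
the description names (Impacket, Mimikatz, FRP, backup destruction, T1053
persistence). SAMPLE_EVENTS below are constructed for illustration and are
not logs from the incident.
"""
import hashlib
import os
import re
import sys

# SHA-256 indicators copied from the Indicators section of this page.
IOC_SHA256 = {
    "f618b09c0908119399d14f80fc868b002b987006f7c76adbcec1ac11b9208940",
    "acb5de5a69c06b7501f86c0522d10fefa9c34776c7535e937e946c6abfc9bbc6",
    "e451287843b3927c6046eaabd3e22b929bc1f445eec23a73b1398b115d02e4fb",
    "95cc0b082fcfc366a7de8030a6325c099d8012533a3234edbdf555df082413c7",
    "6ce228240458563d73c1c3cbbd04ef15cb7c5badacc78ce331848f5431b406cc",
    "1beec8cecd28fdf9f7e0fc5fb9226b360934086ded84f69e3d542d1362e3fdf3",
    "61c0810a23580cf492a6ba4f7654566108331e7a4134c968c2d6a05261b2d8a1",
    "d18aa84b7bf0efde9c6b5db2a38ab1ec9484c59c5284c0bd080f5197bf9388b0",
}


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def sweep(root, iocs=IOC_SHA256):
    """Walk `root` and return (path, sha256) for every file whose hash is in `iocs`.

    Files that cannot be read (locked, permission denied) are skipped so one
    error does not abort a sweep of a whole volume.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                h = sha256_file(path)
            except OSError:
                continue
            if h in iocs:
                hits.append((path, h))
    return hits


# (rule name, event ID the rule is limited to or None, regex). Regexes run
# case-insensitively over the concatenated string fields of one record.
RULES = [
    # wmiexec/smbexec-style execution: output redirected to a __<timestamp> file on ADMIN$ via 127.0.0.1
    ("impacket_exec", None, r"1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+"),
    # T1003: Mimikatz module syntax on the command line
    ("mimikatz", None, r"privilege::debug|sekurlsa::|lsadump::"),
    # backup destruction: shadow copy / backup catalog deletion
    ("backup_destruction", None,
     r"vssadmin(\.exe)?\s+delete\s+shadows|wbadmin(\.exe)?\s+delete\s+catalog"),
    # T1090: FRP client started with a config file
    ("frp_proxy", None, r"\bfrpc?(\.exe)?\b.*-c\s+\S+\.(ini|toml)"),
    # T1053: new scheduled task (4698) whose action lives in a user-writable directory
    ("scheduled_task_userdir", 4698,
     r"(programdata|users\\[^\\]+\\appdata|\\temp)\\[^\s<]+\.exe"),
]


def triage(events):
    """Return [(rule_name, event_index)] in the order the rules fire."""
    findings = []
    for idx, event in enumerate(events):
        text = " ".join(str(v) for v in event.values())
        for name, event_id, pattern in RULES:
            if event_id is not None and event.get("event_id") != event_id:
                continue
            if re.search(pattern, text, re.IGNORECASE):
                findings.append((name, idx))
    return findings


# Constructed records (hypothetical hosts, users and paths), shaped like 4688/4698 fields.
SAMPLE_EVENTS = [
    {"event_id": 4688, "host": "SP01", "user": "CORP\\svc_sp",
     "cmd": "cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1730800000.41 2>&1"},
    {"event_id": 4688, "host": "DC01", "user": "CORP\\Administrator",
     "cmd": "m.exe privilege::debug sekurlsa::logonpasswords exit"},
    {"event_id": 4698, "host": "FS01", "user": "CORP\\Administrator",
     "task_name": "\\Microsoft\\Windows\\Update\\SvcHost",
     "task_content": "<Command>C:\\ProgramData\\svc\\frpc.exe</Command><Arguments>-c frpc.ini</Arguments>"},
    {"event_id": 4688, "host": "FS01", "user": "CORP\\Administrator",
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"event_id": 4688, "host": "SP01", "user": "CORP\\sp_admin",
     "cmd": "powershell.exe -File C:\\Scripts\\rotate-logs.ps1"},
]

if __name__ == "__main__":
    for name, idx in triage(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"[{name}] event {idx} host={ev['host']} user={ev['user']}")
    if len(sys.argv) > 1:  # optional: sweep a mounted image or directory for the page's hashes
        for path, digest in sweep(sys.argv[1]):
            print(f"[ioc_hash] {path} {digest}")
```

Run without arguments to see the rules fire on the constructed events (the benign PowerShell record stays silent); pass a directory to sweep it against the hashes. The ADMIN$ redirection pattern is specific to how Impacket's wmiexec/smbexec collect output, so it is a high-confidence signal, whereas the scheduled-task rule is deliberately broad and expected to need local allow-listing.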
Date
Published: Nov. 5, 2024, 4:01 p.m.
Created: Nov. 5, 2024, 4:01 p.m.
Modified: Nov. 5, 2024, 4:32 p.m.
Indicators
f618b09c0908119399d14f80fc868b002b987006f7c76adbcec1ac11b9208940
acb5de5a69c06b7501f86c0522d10fefa9c34776c7535e937e946c6abfc9bbc6
e451287843b3927c6046eaabd3e22b929bc1f445eec23a73b1398b115d02e4fb
95cc0b082fcfc366a7de8030a6325c099d8012533a3234edbdf555df082413c7
6ce228240458563d73c1c3cbbd04ef15cb7c5badacc78ce331848f5431b406cc
1beec8cecd28fdf9f7e0fc5fb9226b360934086ded84f69e3d542d1362e3fdf3
61c0810a23580cf492a6ba4f7654566108331e7a4134c968c2d6a05261b2d8a1
d18aa84b7bf0efde9c6b5db2a38ab1ec9484c59c5284c0bd080f5197bf9388b0
Attack Patterns
Fast Reverse Proxy (FRP)
Horoung Antivirus
Mimikatz
Impacket
T1135 Network Share Discovery
T1087 Account Discovery
T1083 File and Directory Discovery
T1053 Scheduled Task/Job
T1562 Impair Defenses
T1190 Exploit Public-Facing Application
T1090 Proxy
T1003 OS Credential Dumping