Investigating a SharePoint Compromise: IR Tales from the Field
Nov. 5, 2024, 4:32 p.m.
Description
An incident response investigation uncovered an attacker who exploited a SharePoint vulnerability (CVE-2024-38094) to gain initial access. The attacker remained undetected for two weeks, moving laterally across the network and ultimately compromising the entire domain. Key tactics included installing Horoung Antivirus to impair existing defenses, using tools such as Impacket and Mimikatz for lateral movement and credential harvesting, and establishing persistence through scheduled tasks. The attacker also attempted to destroy backups and used various binaries for network reconnaissance and privilege escalation. The investigation highlighted the importance of efficient response procedures and comprehensive security tooling in limiting the impact of such breaches.
Date
- Created: Nov. 5, 2024, 4:01 p.m.
- Published: Nov. 5, 2024, 4:01 p.m.
- Modified: Nov. 5, 2024, 4:32 p.m.
Indicators