
Investigating a SharePoint Compromise: IR Tales from the Field

Nov. 5, 2024, 4:32 p.m.

Description

An incident response investigation uncovered an attacker who exploited a SharePoint vulnerability (CVE-2024-38094) to gain initial access. The attacker remained undetected for two weeks, moving laterally across the network and compromising the entire domain. Key tactics included installing Horoung Antivirus to impair defenses, using tools like Impacket and Mimikatz for lateral movement and credential harvesting, and establishing persistence through scheduled tasks. The attacker attempted to destroy backups and used various binaries for network reconnaissance and privilege escalation. The investigation revealed the importance of efficient response procedures and comprehensive security tooling to mitigate the impact of such breaches.

Date

Published: Nov. 5, 2024, 4:01 p.m.

Created: Nov. 5, 2024, 4:01 p.m.

Modified: Nov. 5, 2024, 4:32 p.m.

Indicators


Attack Patterns

Fast Reverse Proxy (FRP)

Horoung Antivirus

Mimikatz

Impacket

T1135 (Network Share Discovery)

T1087 (Account Discovery)

T1083 (File and Directory Discovery)

T1053 (Scheduled Task/Job)

T1562 (Impair Defenses)

T1190 (Exploit Public-Facing Application)

T1090 (Proxy)

T1003 (OS Credential Dumping)