| Category | Details |
|---|---|
| Threat Actors | Unnamed attacker exploiting SharePoint CVE-2024-38094. |
| Campaign Overview | Exploited SharePoint vulnerability (CVE-2024-38094) for initial access; compromised an Exchange server account; moved laterally, targeting Active Directory. |
| Target Regions | Not specified. |
| Methodology | Initial access via CVE-2024-38094 (SharePoint); disabled security tools (e.g., Windows Defender); used Fast Reverse Proxy (FRP) for persistence. |
| Product Targeted | Microsoft SharePoint, Microsoft Exchange, Active Directory. |
| Malware Reference | Mimikatz (renamed to 66.exe); Certify.exe; FRP tool (msvrp.exe). |
| Tools Used | Impacket; ADExplorer64.exe; Kerbrute; Nxc.exe; Everything.exe; Huorong Antivirus (to impair defenses). |
| Vulnerabilities Exploited | CVE-2024-38094 (SharePoint Remote Code Execution). |
| TTPs | Impair Defenses (T1562); Exploit Public-Facing Application (T1190); OS Credential Dumping (T1003); Scheduled Task/Job (T1053). |
| Attribution | Not explicitly attributed. |
| Recommendations | Apply patches for SharePoint (CVE-2024-38094); use endpoint monitoring tools (e.g., InsightIDR); monitor for suspicious commands via logs. |
| Source | Rapid7 |
Read full article: https://www.rapid7.com/blog/post/2024/10/30/investigating-a-sharepoint-compromise-ir-tales-from-the-field/
Disclaimer: The above summary has been generated by an AI language model.