
Investigating a SharePoint Compromise: IR Tales from the Field

Threat Actors: Unnamed attacker exploiting SharePoint CVE-2024-38094.

Campaign Overview: Exploited the SharePoint vulnerability (CVE-2024-38094) for initial access; compromised an Exchange server account; moved laterally, targeting Active Directory.

Target Regions: Not specified.

Methodology:
– Initial access via CVE-2024-38094 (SharePoint).
– Disabled security tools (e.g., Windows Defender).
– Used Fast Reverse Proxy (FRP) for persistence.

Product Targeted: Microsoft SharePoint, Microsoft Exchange, Active Directory.

Malware Reference:
– Mimikatz (renamed to 66.exe).
– Certify.exe.
– FRP tool (msvrp.exe).

Tools Used:
– Impacket.
– ADExplorer64.exe.
– Kerbrute.
– Nxc.exe.
– Everything.exe.
– Huorong Antivirus (used to impair defenses).

Vulnerabilities Exploited: CVE-2024-38094 (SharePoint Remote Code Execution).

TTPs:
– Impairing Defenses (T1562).
– Exploit Public-Facing Application (T1190).
– OS Credential Dumping (T1003).
– Use of Scheduled Tasks (T1053).

Attribution: Not explicitly attributed.

Recommendations:
– Apply patches for SharePoint (CVE-2024-38094).
– Use endpoint monitoring tools (e.g., InsightIDR).
– Monitor for suspicious commands via logs.

Source: Rapid7

Read full article: https://www.rapid7.com/blog/post/2024/10/30/investigating-a-sharepoint-compromise-ir-tales-from-the-field/

Disclaimer: The above summary has been generated by an AI language model.
