
Investigating a SharePoint Compromise: IR Tales from the Field

Threat Actors: Unnamed attacker exploiting SharePoint CVE-2024-38094.

Campaign Overview: Exploited SharePoint vulnerability (CVE-2024-38094) for initial access; compromised Exchange server account; moved laterally, targeting Active Directory.

Target Regions: Not specified.

Methodology:
- Initial access via CVE-2024-38094 (SharePoint).
- Disabled security tools (e.g., Windows Defender).
- Used Fast Reverse Proxy (FRP) for persistence.

Product Targeted: Microsoft SharePoint, Microsoft Exchange, Active Directory.

Malware Reference:
- Mimikatz (renamed to 66.exe).
- Certify.exe.
- FRP tool (msvrp.exe).

Tools Used:
- Impacket.
- ADExplorer64.exe.
- Kerbrute.
- Nxc.exe.
- Everything.exe.
- Huorong Antivirus (to impair defenses).

Vulnerabilities Exploited: CVE-2024-38094 (SharePoint Remote Code Execution).

TTPs:
- Impairing Defenses (T1562).
- Exploit Public-Facing Application (T1190).
- OS Credential Dumping (T1003).
- Use of Scheduled Tasks (T1053).

Attribution: Not explicitly attributed.

Recommendations:
- Apply patches for SharePoint (CVE-2024-38094).
- Use endpoint monitoring tools (e.g., InsightIDR).
- Monitor suspicious commands via logs.

Source: RAPID7

Read full article: https://www.rapid7.com/blog/post/2024/10/30/investigating-a-sharepoint-compromise-ir-tales-from-the-field/

Disclaimer: The above summary has been generated by an AI language model.
