An incident response investigation uncovered an attacker who exploited a SharePoint remote code execution vulnerability (CVE-2024-38094) to gain initial access. The attacker remained undetected for two weeks, moving laterally across the network and ultimately compromising the entire domain. Key tactics included installing Horoung Antivirus to impair defenses, using tools such as Impacket and Mimikatz for lateral movement and credential harvesting, and establishing persistence through scheduled tasks. The attacker also attempted to destroy backups and used various binaries for network reconnaissance and privilege escalation. The investigation underscored the importance of fast, well-rehearsed response procedures and comprehensive security tooling in limiting the impact of such breaches.

Author: AlienVault
Related Tags:
domain compromise
Fast Reverse Proxy (FRP)
Horoung Antivirus
Credential Harvesting
lateral movement
SharePoint
T1135 (Network Share Discovery)
Impacket
T1083 (File and Directory Discovery)
Associated Indicators:
D18AA84B7BF0EFDE9C6B5DB2A38AB1EC9484C59C5284C0BD080F5197BF9388B0 (SHA-256)
F618B09C0908119399D14F80FC868B002B987006F7C76ADBCEC1AC11B9208940 (SHA-256)
ACB5DE5A69C06B7501F86C0522D10FEFA9C34776C7535E937E946C6ABFC9BBC6 (SHA-256)
8E55377990128A9C3BA61A663A8540A8C56F8A54 (SHA-1)
137E200D56E5B6E1705D4AE524946148 (MD5)
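The indicators above are file hashes of three different lengths (SHA-256, SHA-1 and MD5), so a host sweep has to compute the right digest for each one. The script below is an added example written for this page, not tooling from the original pulse or its author: it groups the indicators by algorithm from their hex length, hashes every file under a directory once while feeding all required hashers, and reports matches. The `run_demo()` function builds a throwaway directory with a constructed sample file (not a real artifact) so the logic can be exercised offline; the indicator set it uses is exactly the list on the page, plus the constructed file's own SHA-256 in the second pass.

```python
"""Sweep a directory tree for files whose MD5, SHA-1 or SHA-256 digest matches
one of the hash indicators listed on the page.

Editor-added illustration, not code from the original pulse. The algorithm for
each indicator is inferred from digest length alone (32 hex chars = MD5,
40 = SHA-1, 64 = SHA-256). The sample file written by run_demo() is constructed
here and does not correspond to any real malware sample.
"""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List, Set, Tuple

# Hash indicators exactly as listed on the page (hex, case-insensitive).
PAGE_INDICATORS: Set[str] = {
    "D18AA84B7BF0EFDE9C6B5DB2A38AB1EC9484C59C5284C0BD080F5197BF9388B0",
    "F618B09C0908119399D14F80FC868B002B987006F7C76ADBCEC1AC11B9208940",
    "ACB5DE5A69C06B7501F86C0522D10FEFA9C34776C7535E937E946C6ABFC9BBC6",
    "8E55377990128A9C3BA61A663A8540A8C56F8A54",
    "137E200D56E5B6E1705D4AE524946148",
}

_ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
_HEX = set("0123456789abcdef")


def classify_indicators(indicators: Iterable[str]) -> Dict[str, Set[str]]:
    """Group hex digests by algorithm using their length. Anything that is not
    a well-formed MD5/SHA-1/SHA-256 hex string is dropped rather than guessed."""
    grouped: Dict[str, Set[str]] = {"md5": set(), "sha1": set(), "sha256": set()}
    for raw in indicators:
        h = raw.strip().lower()
        algo = _ALGO_BY_HEX_LEN.get(len(h))
        if algo and set(h) <= _HEX:
            grouped[algo].add(h)
    return grouped


def digest_file(path: str, algos: Iterable[str]) -> Dict[str, str]:
    """Read the file once in 1 MiB chunks and feed every requested hasher, so
    large files are not re-read once per algorithm."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def sweep(root: str, indicators: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Walk `root` and return (path, algorithm, digest) for each file whose
    digest appears in `indicators`. Unreadable files are skipped, not fatal."""
    grouped = classify_indicators(indicators)
    algos = [a for a, s in grouped.items() if s]
    hits: List[Tuple[str, str, str]] = []
    if not algos:
        return hits
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digests = digest_file(path, algos)
            except OSError:
                continue  # locked, vanished or permission-denied file
            for algo in algos:
                if digests[algo] in grouped[algo]:
                    hits.append((path, algo, digests[algo]))
    return hits


def run_demo() -> Tuple[List[Tuple[str, str, str]], List[Tuple[str, str, str]]]:
    """Build a throwaway tree holding one constructed file (not a real
    artifact) and sweep it twice: once against the page's indicators alone,
    once with the constructed file's SHA-256 added as if it were an indicator.
    Returns (hits_page_only, hits_with_constructed_ioc)."""
    data = b"constructed sample payload for the IOC sweep demo\n"
    with tempfile.TemporaryDirectory() as root:
        sub = os.path.join(root, "inetpub", "wwwroot")  # hypothetical web root
        os.makedirs(sub)
        with open(os.path.join(sub, "sample.bin"), "wb") as fh:
            fh.write(data)
        with open(os.path.join(root, "benign.txt"), "wb") as fh:
            fh.write(b"nothing to see here\n")
        page_only = sweep(root, PAGE_INDICATORS)
        augmented = sweep(root, PAGE_INDICATORS | {hashlib.sha256(data).hexdigest()})
    return page_only, augmented


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, algo, digest in sweep(target, PAGE_INDICATORS):
        print(f"MATCH {algo} {digest} {path}")
```

Run it as `python ioc_sweep.py <directory>` against the SharePoint web root or other writable paths on suspect hosts. Hash indicators are brittle (a rebuilt tool has a new digest), so treat a clean sweep as weak evidence and pair it with behavioural hunts for the tactics named above, such as newly created scheduled tasks and unexpected antivirus installations.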