# Privilege Escalation Case - SOC335-CVE-2024-49138-Exploitation-Detected
## Alert Overview
### Affected Hostname:
- **Victor**
### Triggering Process:
- **scohost.exe**
### Parent Process:
- **`C:\Windows\System32\WINDOWSPOWERSHELL\V1.0\powershell.exe`**
### File Hash:
- **`b432dcf4a0f0b601b1d79848467137a5e25cab5a0b7b1224be9d3b6540122db9`**
### Trigger Reason:
- Unusual or suspicious patterns of behavior linked to the hash have been identified, indicating potential exploitation of **CVE-2024-49138**.
---
We start by investigating the alert we received, then move on to Log Management and Endpoint Security.
<img src="https://i.imgur.com/J6jEzDr.png" width="500">
Multiple OS types, with either the Admin or the Guest account, show Error Code **0xC000006D**.
<img src="https://i.imgur.com/vyq4J4o.png" width="500">
<img src="https://i.imgur.com/t6fX5rO.png" width="500">
### Error Code: **0xC000006D**
### Translation:
- **STATUS_LOGON_FAILURE**: Indicates a logon attempt failed, usually due to incorrect credentials.
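The failed-logon pattern above is what a SOC analyst normally pulls out of Security event 4625, whose `Status` field carries the generic 0xC000006D and whose `Sub Status` field carries the actual reason. The following Python is an added example, not part of the original writeup: it parses a constructed, simplified set of 4625 records (one key=value line each; the source address, the `FileSrv01` host, the `jdoe` and `svc_backup` accounts and all counts are made up), decodes both NTSTATUS fields, and reports any source address that crosses a failure threshold together with the hosts, accounts and reasons involved.

```python
"""Triage Windows logon-failure events (Security event 4625) by NTSTATUS code.

Added example, not part of the original writeup. The event lines below are
constructed and simplified: real 4625 events are EVTX/XML records, here each
one is a single key=value line carrying only the fields the triage needs.
"""
import re
from collections import Counter, defaultdict

# NTSTATUS values seen in the Status / Sub Status fields of event 4625.
# 0xC000006D is the generic Status; the Sub Status says why the logon failed.
NTSTATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
}

# Constructed sample: one source address hammering two hosts with the Admin and
# Guest accounts seen in the case, plus one unrelated successful logon (4624).
SAMPLE_EVENTS = """\
EventID=4625 Host=Victor Account=Admin LogonType=3 Status=0xC000006D SubStatus=0xC000006A Src=10.0.0.23
EventID=4625 Host=Victor Account=Admin LogonType=3 Status=0xC000006D SubStatus=0xC000006A Src=10.0.0.23
EventID=4625 Host=Victor Account=Guest LogonType=3 Status=0xC000006D SubStatus=0xC0000064 Src=10.0.0.23
EventID=4625 Host=Victor Account=Admin LogonType=3 Status=0xC000006D SubStatus=0xC000006A Src=10.0.0.23
EventID=4624 Host=Victor Account=jdoe LogonType=2 Status=0x0 SubStatus=0x0 Src=-
EventID=4625 Host=FileSrv01 Account=svc_backup LogonType=3 Status=0xC000006D SubStatus=0xC000006A Src=10.0.0.23
EventID=4625 Host=Victor Account=Guest LogonType=3 Status=0xC000006D SubStatus=0xC0000064 Src=10.0.0.23
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one key=value line into a dict, decoding the hex status fields."""
    fields = dict(KV.findall(line))
    fields["EventID"] = int(fields["EventID"])
    for key in ("Status", "SubStatus"):
        fields[key] = int(fields[key], 16)
    return fields


def describe_status(code):
    """Human-readable name for an NTSTATUS value, falling back to the hex."""
    return NTSTATUS.get(code, f"UNKNOWN_0x{code:08X}")


def triage_logon_failures(text, threshold=3):
    """Group STATUS_LOGON_FAILURE events by source address and report every
    source with at least `threshold` failures, with hosts, accounts and reasons."""
    events = [parse_event(line) for line in text.splitlines() if line.strip()]
    failures = [e for e in events
                if e["EventID"] == 4625 and e["Status"] == 0xC000006D]

    per_source = Counter(e["Src"] for e in failures)
    targets = defaultdict(set)       # src -> {(host, account)}
    reasons = defaultdict(Counter)   # src -> Counter of decoded Sub Status
    for e in failures:
        targets[e["Src"]].add((e["Host"], e["Account"]))
        reasons[e["Src"]][describe_status(e["SubStatus"])] += 1

    findings = []
    for src, count in per_source.most_common():
        if count < threshold:
            continue
        findings.append({
            "source": src,
            "failures": count,
            "hosts": sorted({host for host, _ in targets[src]}),
            "accounts": sorted(f"{host}\\{acct}" for host, acct in targets[src]),
            "reasons": dict(reasons[src]),
        })
    return findings


if __name__ == "__main__":
    for f in triage_logon_failures(SAMPLE_EVENTS):
        print(f"{f['source']}: {f['failures']} x {describe_status(0xC000006D)} "
              f"against {', '.join(f['accounts'])}; reasons {f['reasons']}")
```

Run on the sample, the single finding shows one address producing six logon failures across two hosts and three accounts, with the Sub Status split between wrong password (Admin, svc_backup) and no such user (Guest). Splitting the reasons out matters in practice: a run of `STATUS_NO_SUCH_USER` against accounts that do not exist points to guessing, whereas `STATUS_WRONG_PASSWORD` against real accounts is where lockout and password-reset actions apply.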
### We then look into the hash provided to us in the alert.
<img src="https://i.imgur.com/JZY3ovS.png" width="500">
We see it is confirmed malicious; we also confirm the MITRE ATT&CK mapping and the malware behaviour.
<img src="https://i.imgur.com/voXLdWH.png" width="500">
### We then move to Terminal History and see suspicious activity.
<img src="https://i.imgur.com/LRT5LZ1.png" width="500">
We also spot the `$url` variable, which holds the URL shown there.
### Having collected the information we need, we proceed with our Playbook for this case.
<img src="https://i.imgur.com/5pYW4ql.png" width="500">
### Log Management and Endpoint Security confirm that the malware has not been contained as of this moment.
<img src="https://i.imgur.com/YRnxmbf.png" width="500">
### Malware has been analyzed and confirmed malicious
### In the next step we want to find the C2 address.
<img src="https://i.imgur.com/o6hbi8p.png" width="500">
We checked the malware behaviour through AnyRun and confirmed the C2 address, as shown in the image below.
<img src="https://i.imgur.com/aSVWPhe.png" width="500">
## Command Analysis
### **Command 1**: `C:\Windows\System32\svchost.exe -k termsvcs -s TermService`
#### Explanation
1. **`C:\Windows\System32\svchost.exe`**:
   - **Service Host Process**: A core Windows system process used to host multiple Windows services implemented as dynamic-link libraries (DLLs).
   - Legitimately located in **`C:\Windows\System32\`**.
2. **`-k termsvcs`**:
   - Specifies the **service group** (`termsvcs`) for this instance of `svchost.exe`.
   - The `termsvcs` group is specifically related to Terminal Services.
3. **`-s TermService`**:
   - Specifies the exact service to start: **Remote Desktop Services (TermService)**.
   - This service allows remote connections to the computer, enabling the Remote Desktop Protocol (RDP).
#### Purpose of `TermService`
- **Remote Desktop Services**:
  - Manages remote desktop connections, including user sessions over RDP.
  - Essential for enabling remote administration or remote desktop features.
---
### **Command 2**: `C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule`
#### Explanation
1. **`C:\Windows\system32\svchost.exe`**:
   - **Service Host Process**: A critical Windows system process used to host services implemented as dynamic-link libraries (DLLs).
   - Always ensure this file is located in **`C:\Windows\system32\`**.
2. **`-k netsvcs`**:
   - Specifies the **service group** (`netsvcs`) that this instance of `svchost.exe` is hosting.
   - The `netsvcs` group typically includes networking-related and other essential services.
3. **`-p`**:
   - Indicates the service should run in **persistent mode**, ensuring it stays active and is automatically restarted if needed.
4. **`-s Schedule`**:
   - Specifies a specific service within the group to load: **Task Scheduler** (`Schedule`).
   - The Task Scheduler service manages tasks that run at specific times or in response to certain triggers.
5. **Process ID**:
   - **1996** is the **Process ID (PID)** for the instance of `svchost.exe` managing the Task Scheduler service.
---
### **Command 3**: `C:\Windows\system32\svchost.exe -k DcomLaunch -p`
#### Explanation
1. **`C:\Windows\system32\svchost.exe`**:
   - **Service Host Process**: A core Windows system process that acts as a host for running multiple services from dynamic-link libraries (DLLs).
2. **`-k DcomLaunch`**:
   - Specifies the **service group** the process is hosting.
   - **DcomLaunch**: Refers to the **DCOM Server Process Launcher**, responsible for launching Distributed Component Object Model (DCOM) services.
3. **`-p`**:
   - Indicates that the process should be **persistent** and restarted if terminated unexpectedly.
#### Purpose of `DcomLaunch`
- **System Component**: Vital for many Windows operations, such as enabling communication between applications, activating processes, and handling system-level RPC requests.
- **Dependencies**: Many core services, including Windows Update and COM-related applications, rely on this process.
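The three command lines above are what a legitimate `svchost.exe` looks like: the binary in `System32`, a `-k <group>` argument, optionally `-s <service>` and `-p`, and (although the writeup does not show it) a parent of `services.exe`. The alert's triggering process, by contrast, is `scohost.exe` spawned by `powershell.exe`. The Python below is an added example, not code from the original writeup: it parses svchost-style command lines into group, service and flags, and flags the deviations an analyst checks for (a near-miss of the name `svchost.exe`, a `svchost.exe` outside `System32`, a parent other than `services.exe`, a missing `-k`, and a hash on the case's IoC list). The three svchost command lines, the PID 1996 and the alert's SHA-256 are taken from this page; every other PID, the `C:\Users\Public` paths, the `explorer.exe` parent and the `aa…`/`bb…` hashes are constructed placeholders.

```python
"""Triage svchost.exe command lines and svchost look-alike process names.

Added example, not code from the original writeup. The three svchost command
lines, the PID 1996 and the alert's SHA-256 are the values discussed on the
page; every other PID, file path and hash below is constructed.
"""
import ntpath

LEGIT_SVCHOST_DIR = r"c:\windows\system32"   # compared case-insensitively
LEGIT_SVCHOST_PARENT = "services.exe"         # the SCM starts every real svchost

# The only IoC hash the case provides (from the alert).
IOC_SHA256 = {"b432dcf4a0f0b601b1d79848467137a5e25cab5a0b7b1224be9d3b6540122db9"}

BENIGN_HASH = "aa" * 32  # constructed stand-in for a clean svchost.exe hash

SAMPLE_PROCESSES = [
    # Commands 1-3 from the analysis above, with the expected services.exe parent
    {"pid": 1104, "parent": r"C:\Windows\System32\services.exe", "sha256": BENIGN_HASH,
     "cmdline": r"C:\Windows\System32\svchost.exe -k termsvcs -s TermService"},
    {"pid": 1996, "parent": r"C:\Windows\System32\services.exe", "sha256": BENIGN_HASH,
     "cmdline": r"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule"},
    {"pid": 860, "parent": r"C:\Windows\System32\services.exe", "sha256": BENIGN_HASH,
     "cmdline": r"C:\Windows\system32\svchost.exe -k DcomLaunch -p"},
    # The alert's triggering process: look-alike name, PowerShell parent, IoC hash.
    # The file path is constructed; the alert does not give one.
    {"pid": 5212, "parent": r"C:\Windows\System32\WINDOWSPOWERSHELL\V1.0\powershell.exe",
     "sha256": "b432dcf4a0f0b601b1d79848467137a5e25cab5a0b7b1224be9d3b6540122db9",
     "cmdline": r"C:\Users\Public\scohost.exe"},
    # Constructed: correct name, but wrong directory and wrong parent
    {"pid": 6044, "parent": r"C:\Windows\explorer.exe", "sha256": "bb" * 32,
     "cmdline": r"C:\Users\Public\svchost.exe -k netsvcs"},
]


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character name swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_svchost_cmdline(cmdline):
    """Split an svchost-style command line into (image, group, service, flags).
    Paths here contain no spaces; quoted paths would need a real Windows
    command-line tokenizer."""
    tokens = cmdline.split()
    image, args = tokens[0], tokens[1:]
    group = service = None
    flags = []
    i = 0
    while i < len(args):
        tok = args[i].lower()
        if tok == "-k" and i + 1 < len(args):
            group, i = args[i + 1], i + 2
        elif tok == "-s" and i + 1 < len(args):
            service, i = args[i + 1], i + 2
        else:
            flags.append(args[i])
            i += 1
    return image, group, service, flags


def triage_process(rec):
    """Return the parsed command line plus a list of (kind, detail) findings."""
    image, group, service, flags = parse_svchost_cmdline(rec["cmdline"])
    name = ntpath.basename(image).lower()
    directory = ntpath.dirname(image).lower()
    parent = ntpath.basename(rec["parent"]).lower()
    findings = []

    if rec["sha256"].lower() in IOC_SHA256:
        findings.append(("ioc_hash", "SHA-256 matches the alert's known-malicious hash"))

    distance = edit_distance(name, "svchost.exe")
    if 0 < distance <= 2:
        findings.append(("masquerade",
                         f"{name} is {distance} edit(s) from svchost.exe, parent {parent}"))
    elif name == "svchost.exe":
        if directory != LEGIT_SVCHOST_DIR:
            findings.append(("unexpected_path", f"svchost.exe running from {directory}"))
        if parent != LEGIT_SVCHOST_PARENT:
            findings.append(("unexpected_parent", f"svchost.exe started by {parent}"))
        if group is None:
            findings.append(("missing_group", "svchost.exe started without -k <group>"))

    return {"pid": rec["pid"], "image": image, "group": group,
            "service": service, "flags": flags, "findings": findings}


def triage_processes(records):
    return [triage_process(r) for r in records]


if __name__ == "__main__":
    for r in triage_processes(SAMPLE_PROCESSES):
        verdict = "ok" if not r["findings"] else "; ".join(d for _, d in r["findings"])
        print(f"PID {r['pid']:>5} group={r['group']} service={r['service']} -> {verdict}")
```

The three command lines from the page come back clean, with `termsvcs`/`TermService`, `netsvcs`/`Schedule` and `DcomLaunch` parsed out; the alert's process is flagged twice (look-alike name and IoC hash), and the constructed `C:\Users\Public\svchost.exe` is flagged for its location and its parent even though its name is exact. The parent-process check is the one worth adding to any svchost rule, because a correctly named, correctly located binary that is launched by anything other than `services.exe` is still outside the Service Control Manager's normal behaviour.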
---
## Taskhostw.exe and Key Roaming
### **`taskhostw.exe`**
- **Task Host Window**: A generic host process for Windows tasks.
- **Location**: The legitimate executable is located in **`C:\Windows\System32\`**.
### **Key Roaming**
- A Windows feature enabling **credential roaming** for certificates and private keys across devices in an Active Directory environment.
### Connection:
- If **`taskhostw.exe`** interacts with **Key Roaming**, it may indicate background tasks syncing credentials in an Active Directory environment.