# SOC227 - Microsoft SharePoint Server Elevation of Privilege (CVE-2023-29357 Exploitation)
**CVE-2023-29357** is a critical privilege escalation vulnerability that, when combined with other vulnerabilities, could potentially lead to remote code execution. The CVSS score for this vulnerability is **9.8 (Critical)**.
---
## Event Information
<img src="https://i.imgur.com/91OG0jL.png" width="800">
- **EventID**: 189
- **Event Time**: Oct 06, 2023, 08:05 PM
- **Rule**: SOC227 - Microsoft SharePoint Server Elevation of Privilege - Possible CVE-2023-29357 Exploitation
- **Level**: Security Analyst
- **Hostname**: MS-SharePointServer
- **Destination IP Address**: 172.16.17.233
- **Source IP Address**: 39.91.166.222
- **HTTP Request Method**: GET
- **Requested URL**: /api/web/siteusers
- **User-Agent**: python-requests/2.28.1
- **Alert Trigger Reason**: This activity may indicate an attempt to exploit CVE-2023-29357, potentially leading to unauthorized access and privilege escalation within the SharePoint server.
---
## Investigation Process
We began by focusing on the following key areas:
1. **Log Management**
2. **Endpoint Security**
### Log Management
The **source IP address** that triggered the alert was flagged by our firewall **3 times**. Upon further inspection of the logs:
- **Event 1**: The GET request returned an **HTTP 404** status (Not Found).
<img src="https://i.imgur.com/hNu7lRI.png" width="800">
- **Event 2 & 3**: Both returned **HTTP 200** statuses, indicating that the attacker successfully received the requested response.
<img src="https://i.imgur.com/2htYXj2.png" width="800">
<img src="https://i.imgur.com/71GUZbx.png" width="800">
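The pattern in the three firewall hits (one scripted request that fails, then two that are served) is what a detection rule for this alert should surface. The script below is an added example, not part of the original case or of any SharePoint tooling: it parses IIS W3C-format web-server log lines, keeps requests to the SharePoint `siteusers` REST endpoint (the page's `/api/web/siteusers` as well as the real SharePoint path `/_api/web/siteusers`) that come from a scripted client or carry no authenticated user, and summarises them per source IP. The sample log is constructed from the event details on this page (timestamps, IPs, URL, user agent, status codes); the `cs-username` values and the two benign lines are assumptions added to show that authenticated browser use of the endpoint is not flagged.

```python
"""Detect probing of the SharePoint siteusers endpoint in IIS W3C logs.

Added example for the SOC227 case; the log lines are constructed, not real.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample modelled on the case: same source IP, URL and user agent,
# one 404 followed by two 200s, plus two assumed benign authenticated requests.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-10-06 20:05:00 172.16.17.233 GET /api/web/siteusers - 443 - 39.91.166.222 python-requests/2.28.1 404
2023-10-06 20:05:10 172.16.17.233 GET /api/web/siteusers - 443 - 39.91.166.222 python-requests/2.28.1 200
2023-10-06 20:05:12 172.16.17.233 GET /api/web/siteusers - 443 - 39.91.166.222 python-requests/2.28.1 200
2023-10-06 20:06:00 172.16.17.233 GET /sites/hr/default.aspx - 443 jsmith 10.0.0.5 Mozilla/5.0+(Windows+NT+10.0)+Firefox/118.0 200
2023-10-06 20:07:00 172.16.17.233 GET /_api/web/siteusers - 443 jsmith 10.0.0.7 Mozilla/5.0+(Windows+NT+10.0)+Chrome/117.0 200
"""

# Both the path shown on this page and SharePoint's actual REST path.
SITEUSERS_PATHS = ("/api/web/siteusers", "/_api/web/siteusers")
# User-agent fragments of common non-browser HTTP clients (assumed list).
SCRIPTED_AGENTS = ("python-requests", "curl/", "go-http-client", "wget/")


@dataclass
class Request:
    time: str
    src_ip: str
    method: str
    uri: str
    user: str        # "-" in IIS logs means the request was anonymous
    user_agent: str
    status: int


def parse_iis_log(text):
    """Parse W3C lines using the '#Fields:' header to name each column."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # malformed or pre-header line; skip rather than guess
        rec = dict(zip(fields, parts))
        records.append(Request(
            time=f"{rec['date']} {rec['time']}",
            src_ip=rec["c-ip"],
            method=rec["cs-method"],
            uri=rec["cs-uri-stem"].lower(),
            user=rec["cs-username"],
            user_agent=rec["cs(User-Agent)"].replace("+", " "),  # IIS encodes spaces as '+'
            status=int(rec["sc-status"]),
        ))
    return records


def is_scripted(user_agent):
    ua = user_agent.lower()
    return any(fragment in ua for fragment in SCRIPTED_AGENTS)


def siteusers_hits(requests):
    """Keep siteusers requests that are scripted or anonymous; authenticated
    browser access to the endpoint is ordinary SharePoint traffic."""
    return [r for r in requests
            if r.uri.endswith(SITEUSERS_PATHS)
            and (is_scripted(r.user_agent) or r.user == "-")]


def summarize_by_source(hits):
    """Per source IP: request count, how many were served, how many were
    served to an anonymous caller (the auth-bypass indicator), agents seen."""
    summary = defaultdict(lambda: {"requests": 0, "served_200": 0,
                                   "anonymous_200": 0, "agents": set()})
    for r in hits:
        entry = summary[r.src_ip]
        entry["requests"] += 1
        entry["agents"].add(r.user_agent)
        if r.status == 200:
            entry["served_200"] += 1
            if r.user == "-":
                entry["anonymous_200"] += 1
    return dict(summary)


def severity(entry):
    """A 200 returned to an anonymous scripted caller is the strongest signal;
    404/401 responses alone only show reconnaissance."""
    if entry["anonymous_200"]:
        return "high"
    if entry["served_200"]:
        return "medium"
    return "low"


if __name__ == "__main__":
    for ip, entry in summarize_by_source(siteusers_hits(parse_iis_log(SAMPLE_LOG))).items():
        print(ip, severity(entry), entry)
```

Run against the sample, the only source reported is 39.91.166.222 with three requests, two of them served to an anonymous python-requests client, which the function rates `high`; the two authenticated browser requests produce no hit. In production the same logic would run over the exported IIS logs of the SharePoint front end, and the anonymous-200 count is the field worth alerting on, since the vulnerability is an authentication bypass.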
### Endpoint Security Investigation
We connected to the **MS-SharePointServer** device and found no relevant information in the browser or terminal history. We then analyzed the system processes and identified several concerning ones.
<img src="https://i.imgur.com/uds8oKD.png" width="800">
---
## Process Analysis
### 1. **svchost.exe**
- **Command**: `C:\Windows\System32\svchost.exe -k termsvcs -s TermService`
- **Explanation**:
  - **svchost.exe** is the Service Host Process, which runs Windows services.
  - **-k termsvcs** specifies that this instance is hosting the **Terminal Services** group.
  - **-s TermService** starts the **Remote Desktop Services**.
### 2. **MpCmdRun.exe**
- **Command**: `"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe" SignaturesUpdateService -ScheduleJob -UnmanagedUpdate`
- **Explanation**:
  - **MpCmdRun.exe** is the Microsoft Defender Command-Line Utility used for Defender-related tasks.
  - **SignaturesUpdateService** performs a virus definition update.
  - **-ScheduleJob** schedules the update as a background task.
  - **-UnmanagedUpdate** forces the update even if the system isn't managed by Group Policy or Microsoft Endpoint Manager.
### 3. **svchost.exe**
- **Command**: `C:\Windows\system32\svchost.exe -k DcomLaunch -p`
- **Explanation**:
  - **svchost.exe** is hosting the **DcomLaunch** service group responsible for DCOM and COM+ services.
  - **-p** runs **svchost.exe** as a protected process to enhance security.
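Reading the command lines by hand, as above, is how the three processes were cleared; the checks an analyst applies (is the binary in its expected directory, does `svchost.exe` carry a `-k` service group, is its parent `services.exe`) can be written down so that a process list from any host gets the same treatment. The script below is an added example, not code from the case or from Microsoft. The three process records are taken from the command lines on this page; their `parent` values are an assumption (the page does not show parent processes), and the fourth record is a constructed suspicious one showing what the checks flag.

```python
"""Triage svchost.exe / MpCmdRun.exe process records against expected
locations and arguments. Added example; process records partly constructed."""
import ntpath
import re

# Directories a genuine svchost.exe lives in (lower-case, no trailing slash).
KNOWN_SVCHOST_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
# Directory prefixes a genuine MpCmdRun.exe lives under.
KNOWN_DEFENDER_DIRS = ("c:\\programdata\\microsoft\\windows defender\\platform\\",
                       "c:\\program files\\windows defender\\")

# Command lines from the case; parents are assumed, not shown on the page.
PAGE_PROCESSES = [
    {"path": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k termsvcs -s TermService",
     "parent": "services.exe"},
    {"path": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe",
     "cmdline": r'"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe" SignaturesUpdateService -ScheduleJob -UnmanagedUpdate',
     "parent": "MpCmdRun.exe"},
    {"path": r"C:\Windows\system32\svchost.exe",
     "cmdline": r"C:\Windows\system32\svchost.exe -k DcomLaunch -p",
     "parent": "services.exe"},
]

# Constructed record of the kind these checks exist to catch.
SUSPICIOUS = {"path": r"C:\Users\Public\svchost.exe",
              "cmdline": r"C:\Users\Public\svchost.exe",
              "parent": "cmd.exe"}


def svchost_group(cmdline):
    """Return the service group named by -k, or None if there is none."""
    match = re.search(r"(?:^|\s)-k\s+(\S+)", cmdline)
    return match.group(1) if match else None


def triage_process(proc):
    """Return a list of findings; an empty list means the record passed
    every check that applies to that image name."""
    findings = []
    path = proc["path"].lower()
    name = ntpath.basename(path)
    parent = proc.get("parent", "").lower()

    if name == "svchost.exe":
        if ntpath.dirname(path) not in KNOWN_SVCHOST_DIRS:
            findings.append(f"svchost.exe outside System32/SysWOW64: {proc['path']}")
        if svchost_group(proc["cmdline"]) is None:
            findings.append("svchost.exe started without a -k service group")
        if parent and parent != "services.exe":
            findings.append(f"svchost.exe parent is {proc['parent']}, expected services.exe")
    elif name == "mpcmdrun.exe":
        if not path.startswith(KNOWN_DEFENDER_DIRS):
            findings.append(f"MpCmdRun.exe outside Defender platform directory: {proc['path']}")
    return findings


def triage_all(procs):
    """Map each command line to its findings, keeping only flagged records."""
    return {p["cmdline"]: f for p in procs if (f := triage_process(p))}


if __name__ == "__main__":
    for cmd, findings in triage_all(PAGE_PROCESSES + [SUSPICIOUS]).items():
        print(cmd)
        for f in findings:
            print("   ", f)
```

The three processes from the case produce no findings, while the constructed record is flagged on all three svchost checks. These checks are deliberately narrow: a clean result says the image location and arguments look normal, not that the process is benign, so signature verification and the endpoint's own telemetry remain the next step.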
---
## Conclusion and Response
After reviewing the collected data, we followed the appropriate playbook steps and confirmed the traffic as **malicious**.
- **Attack Type**: Privilege escalation.
- **Planned Test**: No penetration testing was confirmed via email during the event timeframe.
- **Action Taken**: The affected device was quarantined. Further escalation to **T2** is required for additional investigation and response.
---
## Next Steps
- **Escalation**: The issue was escalated to the **T2** team for further investigation and remediation.
- **Continuous Monitoring**: We will continue to monitor for further exploitation attempts and ensure the integrity of the SharePoint server.
---
# Result:
<img src="https://i.imgur.com/NrxCfBR.png" width="800">
**Note**: This post is part of a SOC case analysis demonstrating the detection and response to a privilege escalation vulnerability (CVE-2023-29357) within a SharePoint environment.
## Playbook Procedure:
<img src="https://i.imgur.com/NsPuGFS.png" width="800">
<img src="https://i.imgur.com/U5iT3l4.png" width="800">
<img src="https://i.imgur.com/sYehNaf.png" width="800">
<img src="https://i.imgur.com/FT5W4ug.png" width="800">
<img src="https://i.imgur.com/o0UBrNE.png" width="800">
<img src="https://i.imgur.com/LQmWkuz.png" width="800">
<img src="https://i.imgur.com/K9OhifA.png" width="800">
<img src="https://i.imgur.com/C2FSPxs.png" width="800">
<img src="https://i.imgur.com/ddr63Ic.png" width="800">
<img src="https://i.imgur.com/53hg7xf.png" width="800">
<img src="https://i.imgur.com/s1KerXU.png" width="800">
File snapshot
[4.0K] /data/pocs/8c8d470a02fdbd42725d870534683e01c17cc207
└── [4.7K] README.md
0 directories, 1 file