PoC details: a319a2a413d11a4edfe2e2873d1132d1b17d933d

Source
Related vulnerability
Title: Microsoft Windows Common Log File System Driver security vulnerability (CVE-2024-49138)
Description: Microsoft Windows Common Log File System Driver is the Common Log File System (CLFS) API from Microsoft (United States). It provides a high-performance, general-purpose log file subsystem that dedicated client applications can use and that multiple clients can share to optimise log access. Microsoft Windows Common Log File System Driver contains a security vulnerability. An attacker who exploits it can elevate privileges. The following products and versions are affected: Windows Server 2008 R2 for x64-
Introduction
# SOC335-Event-ID-313-CVE-2024-49138-Exploitation-Detected--Lest-Defend-Writeup
# Intro

In this lab I walked through an end-to-end intrusion that began with an external RDP break-in, used a brand-new CLFS privilege-escalation exploit (CVE-2024-49138), and ended with SYSTEM-level cloud credential harvesting. Below is the story, the evidence, and the lessons I drew from it.

## Alert

**EventID:** `313`

**Event Time:** `Jan 22, 2025, 02:37 AM`

**Rule:** `SOC335 — CVE-2024-49138 Exploitation Detected`

**Level:** `Security Analyst`

**Hostname:** `Victor`

**IP Address:** `172[.]16.17.207`

**Process Name:** `svohost.exe`

**Process Path:** `C:\temp\service_installer\svohost.exe`

**Process ID:** `7640`

**Parent Process:** `C:\Windows\System32\WINDOWSPOWERSHELL\V1.0\powershell.exe`

**Command Line:** `\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`

**File Hash:** `b432dcf4a0f0b601b1d79848467137a5e25cab5a0b7b1224be9d3b6540122db9`

**Process User:** `EC2AMAZ-ILGVOIN\LetsDefend`

**Trigger Reason:** Unusual or suspicious patterns of behaviour linked to the hash have been identified, indicating potential exploitation of CVE-2024-49138.

## 1. Seeing the Alert

![image](https://github.com/user-attachments/assets/d2bf87d6-0a3a-4f62-8866-58f715f08912)

At 02:37 AM the platform raised a "CVE-2024-49138 Exploitation Detected" alert (rule SOC335). The host name was Victor and the suspicious binary was svohost.exe, sitting in `C:\temp\service_installer`.

## 2. Reconstructing the Timeline

**14:32–14:35 AEST** — multiple failed RDP log-ons from 185.107.56.141 followed by a successful one as user Victor.

![image](https://github.com/user-attachments/assets/5ff7d661-8882-42a6-ad26-936bd80cceba)<br>
_RDP log-ons from 185.107.56.141_

**14:36** — attacker launches PowerShell → downloads service-installer.zip (password infected) from a public S3 bucket.

![image](https://github.com/user-attachments/assets/ba6a7a74-529b-4c4f-9ce0-a4a6c013074b)<br>
_Staging URL — hxxps://files-ld.s3.us-east-2.amazonaws.com/service-installer.zip_

**14:37** — extracted svohost.exe executes and immediately spawns PowerShell running as `NT AUTHORITY\SYSTEM` → privilege escalation achieved.

![image](https://github.com/user-attachments/assets/6fe17832-34b3-46b4-8ea3-99dc22bedaa6)

**14:37–14:38** — Repeated calls to 169\[.\]254.169.254 (AWS IMDS), most likely an attempt to retrieve instance credentials/metadata.

**14:38+** — Outbound traffic to content-delivery network IPs (23\[.\]62.141.251, 146\[.\]75.78.172) suggests command-and-control or payload staging. Windows Defender activity indicates a scheduled scan, but it did not block the rogue binary.

## 3. Diving into the Evidence

### a) Malicious Binary

![image](https://github.com/user-attachments/assets/87d6d06d-329b-480b-866a-f3fb64a7e6e2)

-   **Hash:** `b432dcf4a0f0b601b1d79848467137a5e25cab5a0b7b1224be9d3b6540122db9`
-   **VT verdict:** 49 engines flagged it as Trojan/Backdoor.
-   **Behaviour:** exploits the CLFS driver heap overflow patched in December 2024.

### b) RDP Source IP

![image](https://github.com/user-attachments/assets/b876a797-a817-439a-9ea5-cb2014044e03)<br>
_Login was successful with Victor's account from 185\[.\]107.56.141_

The source IP belongs to a Dutch VPS provider that frequently appears in brute-force reports: a perfect launchpad for hit-and-run RDP attacks.

## 4. Artifacts

### Malicious binary

-   **svohost.exe** `C:\temp\service_installer\svohost.exe`
-   **SHA-256** `b432dcf4a0f0…0122db9`
-   weaponises CVE-2024-49138 for SYSTEM-level privilege escalation.

### Payload archive

-   **service-installer.zip**
-   Downloaded to `C:\temp\service-installer.zip` (password infected)
-   hosted at [hxxps://files-ld.s3.us-east-2.amazonaws.com/](hxxps://files-ld[.]s3[.]us-east-2[.]amazonaws.com/)...

### External IPs

-   **185\[.\]107.56.141** — RDP brute-force & log-in source
-   **52\[.\]219.102.138** — Amazon S3 payload host
-   **34\[.\]104.35.123 / 40\[.\]83.50.87 / 52\[.\]165\[.\]164.15 / 23\[.\]62.141.251 / 146\[.\]75.78.172** — outbound C2 / CDN traffic

### Internal / AWS IPs

-   **169\[.\]254.169.254** — EC2 Instance-Metadata Service queried post-escalation
-   **127\[.\]0.0.1, 172\[.\]31.4.60** — local / VPC traffic

### Key processes (parent → child)

`explorer.exe` → `powershell.exe` (user "Victor") → `svohost.exe` → `powershell.exe` (`NT AUTHORITY\SYSTEM`) → `whoami.exe`, IMDS requests
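The chain above is what a detection should key on: a binary in a user-writable directory, running as an ordinary user, that spawns a child running as SYSTEM, with the escalated subtree then talking to the EC2 instance-metadata address. The following is an added example (not part of the writeup or the LetsDefend lab) that walks a small set of constructed process and network events modelled on that chain, flags the privilege jump, and attributes IMDS access to the escalated subtree. The PIDs other than 7640, the user name `Victor`, and the "trusted prefix" heuristic are assumptions for illustration.

```python
"""Privilege-jump and IMDS-access detection over process telemetry.

Added example; the sample events below are constructed to mirror the
parent -> child chain in the writeup and are not real logs.
"""
from dataclasses import dataclass

SYSTEM_USER = "NT AUTHORITY\\SYSTEM"
IMDS_ADDR = "169.254.169.254"
# Assumption: a parent image under the Windows directory (services.exe,
# svchost.exe, ...) may legitimately start SYSTEM children; anything else
# running as a user that spawns a SYSTEM child is a privilege jump.
TRUSTED_PREFIXES = ("c:\\windows\\",)


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    user: str


@dataclass
class NetConn:
    pid: int
    dst: str


# Constructed sample telemetry (PIDs other than 7640 are made up).
PROCS = [
    Proc(1200, 0, r"C:\Windows\explorer.exe", "EC2AMAZ-ILGVOIN\\Victor"),
    Proc(5100, 1200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "EC2AMAZ-ILGVOIN\\Victor"),
    Proc(7640, 5100, r"C:\temp\service_installer\svohost.exe", "EC2AMAZ-ILGVOIN\\Victor"),
    Proc(7700, 7640, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", SYSTEM_USER),
    Proc(7712, 7700, r"C:\Windows\System32\whoami.exe", SYSTEM_USER),
    # Benign control case: SYSTEM service host started by services.exe (SYSTEM).
    Proc(600, 0, r"C:\Windows\System32\services.exe", SYSTEM_USER),
    Proc(900, 600, r"C:\Windows\System32\svchost.exe", SYSTEM_USER),
]
CONNS = [NetConn(7700, IMDS_ADDR), NetConn(7700, IMDS_ADDR), NetConn(900, "10.0.0.5")]


def find_privilege_jumps(procs):
    """Return (parent_pid, child_pid) pairs where a non-SYSTEM parent outside
    the trusted prefixes spawned a child running as SYSTEM."""
    by_pid = {p.pid: p for p in procs}
    jumps = []
    for child in procs:
        parent = by_pid.get(child.ppid)
        if parent is None:
            continue
        if (child.user == SYSTEM_USER and parent.user != SYSTEM_USER
                and not parent.image.lower().startswith(TRUSTED_PREFIXES)):
            jumps.append((parent.pid, child.pid))
    return jumps


def descendants(procs, root_pid):
    """PIDs of root_pid and every process below it in the tree."""
    children = {}
    for p in procs:
        children.setdefault(p.ppid, []).append(p.pid)
    seen, stack = set(), [root_pid]
    while stack:
        pid = stack.pop()
        if pid in seen:
            continue
        seen.add(pid)
        stack.extend(children.get(pid, []))
    return seen


def imds_access_from_subtree(procs, conns, root_pid):
    """PIDs in the escalated subtree that connected to the IMDS address."""
    subtree = descendants(procs, root_pid)
    return sorted({c.pid for c in conns if c.dst == IMDS_ADDR and c.pid in subtree})


def chain(procs, pid):
    """Render the ancestry of pid as 'parent -> ... -> child' image names."""
    by_pid = {p.pid: p for p in procs}
    names = []
    while pid in by_pid:
        p = by_pid[pid]
        names.append(p.image.rsplit("\\", 1)[-1])
        pid = p.ppid
    return " -> ".join(reversed(names))


if __name__ == "__main__":
    for parent_pid, child_pid in find_privilege_jumps(PROCS):
        print("privilege jump:", chain(PROCS, child_pid))
        print("IMDS access from escalated subtree, pids:",
              imds_access_from_subtree(PROCS, CONNS, child_pid))
```

The control case (services.exe starting svchost.exe, both SYSTEM) is deliberately included so the rule does not fire on ordinary service start-ups; only the user-to-SYSTEM transition under a non-Windows path is reported, and the IMDS lookup is scoped to that subtree rather than to the whole host.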

### Suspicious commands

-   PowerShell download & unzip script (starts with `$url = 'hxxps://files-ld[.]s3…'`)
-   `whoami.exe /priv` and `whoami.exe`

### Authentication events

Multiple 4625 failures (admin, guest) then 4624 success (RemoteInteractive Logon Type 10) as Victor from 185\[.\]107.56.141.
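The 4625-then-4624 pattern from a single source, with the success being a Type 10 (RemoteInteractive) logon, is the signal that ties the RDP break-in to the rest of the chain. As an added example (not part of the writeup), the script below correlates constructed logon events in that shape and reports each success that was preceded by a burst of failures from the same source IP. The threshold, window, the internal source 172.31.4.60's events and the `svc_backup` account are assumptions for illustration.

```python
"""Correlate Windows logon failures (4625) with a later success (4624)
from the same source IP, flagging RemoteInteractive (Type 10) successes.

Added example; events are constructed, not real log output.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 3             # assumption: failures needed before a success is suspicious
WINDOW = timedelta(minutes=10)  # assumption: lookback window per source IP
REMOTE_INTERACTIVE = 10        # Logon Type 10 = RDP

# Constructed sample events (host-local times).
EVENTS = [
    {"id": 4625, "time": "2025-01-22 14:32:05", "src": "185.107.56.141", "user": "admin", "type": 10},
    {"id": 4625, "time": "2025-01-22 14:32:40", "src": "185.107.56.141", "user": "guest", "type": 10},
    {"id": 4625, "time": "2025-01-22 14:33:12", "src": "185.107.56.141", "user": "administrator", "type": 10},
    {"id": 4625, "time": "2025-01-22 14:34:01", "src": "185.107.56.141", "user": "Victor", "type": 10},
    {"id": 4624, "time": "2025-01-22 14:35:20", "src": "185.107.56.141", "user": "Victor", "type": 10},
    # Benign noise: a single early typo and an internal service logon.
    {"id": 4625, "time": "2025-01-22 09:00:00", "src": "172.31.4.60", "user": "Victor", "type": 2},
    {"id": 4624, "time": "2025-01-22 09:00:30", "src": "172.31.4.60", "user": "Victor", "type": 2},
    {"id": 4624, "time": "2025-01-22 14:36:00", "src": "172.31.4.60", "user": "svc_backup", "type": 3},
]


def parse_time(ev):
    return datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S")


def brute_force_then_success(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return one finding per 4624 that was preceded, within `window`, by at
    least `threshold` 4625 failures from the same source IP."""
    events = sorted(events, key=parse_time)
    failures = defaultdict(list)   # src -> [(time, username_tried), ...]
    findings = []
    for ev in events:
        t, src = parse_time(ev), ev["src"]
        # Expire failures older than the window before evaluating this event.
        failures[src] = [(ft, fu) for ft, fu in failures[src] if t - ft <= window]
        if ev["id"] == 4625:
            failures[src].append((t, ev["user"]))
        elif ev["id"] == 4624 and len(failures[src]) >= threshold:
            findings.append({
                "src": src,
                "user": ev["user"],
                "failed_attempts": len(failures[src]),
                "usernames_tried": sorted({fu for _, fu in failures[src]}),
                "rdp": ev["type"] == REMOTE_INTERACTIVE,
                "success_at": ev["time"],
            })
            failures[src].clear()  # one finding per burst
    return findings


if __name__ == "__main__":
    for f in brute_force_then_success(EVENTS):
        print(f)
```

Sorting by time before the sweep matters: collectors often deliver events out of order, and a success processed before its failures would be missed. The early single failure from the internal address stays below threshold, and the later internal success sees no failures because the 09:00 entry has aged out of the window.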

## 5. Analyst Note

Investigation confirms an external threat actor (185\[.\]107.56.141) brute-forced RDP, logged in as user Victor, and downloaded a password-protected archive from an Amazon S3 bucket. The extracted binary svohost.exe (hash `b432dcf4a0f0b601b1d79848467137a5e25cab5a0b7b1224be9d3b6540122db9`; 49/70 AV detections) executed and exploited CLFS vulnerability CVE-2024-49138 to spawn PowerShell under `NT AUTHORITY\SYSTEM`. SYSTEM-level PowerShell then queried the EC2 instance-metadata endpoint (169\[.\]254.169.254) and issued repeated `whoami /priv`, confirming successful privilege escalation and credential-harvesting intent. Outbound beacons to multiple CDN/Microsoft IPs followed. No business-justified tasks match this sequence; the activity constitutes an active compromise requiring immediate containment.

### Reasoning for "True Positive" classification

-   **Malicious binary evidence** — VirusTotal shows high consensus (49/70) that svohost.exe is a backdoor; file path is a user temp staging area, not a signed vendor package.
-   **Confirmed exploit behaviour** — Child process chain proves the binary ran the publicly documented CLFS heap-overflow exploit, resulting in SYSTEM-level PowerShell.
-   **Credential-harvest indicators** — Unauthorised access to AWS IMDS (169\[.\]254.169.254) is a hallmark of post-exploitation cloud-credential theft.
-   **Attack sequence coherence** — Brute-force RDP → payload download → privilege escalation → reconnaissance is a classic intrusion progression, not a false alarm triggered by routine admin actions.
-   **No legitimate change window/ticket** — Change-control review shows no scheduled maintenance on Victor at the time, and the source IP belongs to a known abuse-hosting provider, not an approved remote-access range.

## 6. Conclusion

An external attacker brute-forced RDP into host Victor, dropped svohost.exe, and used the unpatched CLFS vulnerability CVE-2024-49138 to jump from user to SYSTEM. They immediately queried the AWS metadata endpoint, signalling credential-theft intent. The alert is a true positive; isolate the host, patch, remove the payload, rotate credentials, and tighten RDP access moving forward.
File snapshot

[4.0K] /data/pocs/a319a2a413d11a4edfe2e2873d1132d1b17d933d └── [6.9K] README.md 0 directories, 1 file
Cached for you by the Shenlong bot
Notes
    1. Accessing the original source is recommended.
    2. If the source is unavailable or cannot be reached, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.