POC details: acd3d5016c8d5b8a75c2a7ed85f582486cf10ca6

Source
Related vulnerability
Title: Microsoft Windows Common Log File System Driver security vulnerability (CVE-2024-49138)
Description: Microsoft Windows Common Log File System Driver is the Common Log File System (CLFS) API from the US company Microsoft. It provides a high-performance, general-purpose log file subsystem that specialized client applications can use and that multiple clients can share to optimize log access. A security vulnerability exists in Microsoft Windows Common Log File System Driver. An attacker can exploit it to elevate privileges. The following products and versions are affected: Windows Server 2008 R2 for x64-
Description
Hands-on SOC investigation of CVE-2024-49138 using LetsDefend, VirusTotal, Hybrid Analysis, TrueFort, and ChatGPT.
Introduction
# LetsDefend Investigation: CVE-2024-49138

## 🔍 Overview

Hands-on SOC investigation and incident response simulation using [LetsDefend](https://letsdefend.io/), focused on a real-world exploitation of **CVE-2024-49138** — a privilege escalation vulnerability in the Windows CLFS driver.

## 📅 Event Details

- **Event ID**: 313
- **Incident Type**: Privilege Escalation
- **Event Time**: Jan 22, 2025
- **Hostname**: Victor
- **IP Address**: 172.16.17.207
- **Malicious Binary**: `svohost.exe`
- **Parent Process**: `powershell.exe`
- **Suspicious Command**: `\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`

## 🛠️ Tools Used

- [VirusTotal](https://virustotal.com)
- [Hybrid Analysis](https://www.hybrid-analysis.com)
- [TrueFort](https://www.truefort.com)
- [ChatGPT](https://chat.openai.com) — For decoding PowerShell commands and analyzing behavior
- LetsDefend Lab Environment

## 🧠 Indicators of Compromise

- **Hash**: `b432dcf4a0f0b601b1d79848467137a5e25cab5a0b7b1224be9d3b6540122db9`
- **Malicious URL**: `https://files-ld.s3.us-east-2.amazonaws.com/service-installer.zip`
- **Malicious IP**: `185.107.56.141`

## 🧩 Key Takeaways

- Identified fake system binary (`svohost.exe`) used for privilege escalation.
- Mapped activity to MITRE ATT&CK techniques.
- Used a layered toolset for full visibility (EDR, sandboxing, static/dynamic analysis, AI).
- Gained insight into PowerShell-based malware delivery methods.
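The event details and indicators above can be turned into a small triage check. The script below is an added example and is not part of the original lab write-up or of any LetsDefend, VirusTotal or TrueFort tooling: it scans constructed Sysmon-style process-creation and network-connection records for a binary name that imitates a real Windows system binary (one character away, as `svohost.exe` is from `svchost.exe`), rates the hit higher when the parent is a script host such as `powershell.exe`, and matches the SHA256 and IP listed in the IoC section. The system-binary and script-host lists, the record layout and the sample events are assumptions made for the example; only the hash, IP, binary name, hostname and the `conhost.exe ... -ForceV1` command line come from the page. Note that the `conhost.exe 0xffffffff -ForceV1` line is how Windows normally launches a console host, so it is only flagged here through its parent, not on its own.

```python
"""Triage helper for the indicators in this write-up.

Added example: scans constructed Sysmon-style process-creation (EventId 1) and
network-connection (EventId 3) records for the fake system binary, the SHA256
hash and the IP listed above. Not part of the original lab or any vendor tool.
"""
import json

# Indicators taken from the write-up.
IOC_SHA256 = {"b432dcf4a0f0b601b1d79848467137a5e25cab5a0b7b1224be9d3b6540122db9"}
IOC_IPS = {"185.107.56.141"}

# Assumed list of Windows binaries whose names are commonly imitated.
SYSTEM_BINARIES = sorted({"svchost.exe", "conhost.exe", "lsass.exe", "csrss.exe",
                          "services.exe", "explorer.exe", "winlogon.exe"})
# Assumed list of script hosts; a lookalike spawned by one of these rates higher.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

SEVERITY_RANK = {"medium": 1, "high": 2}


def edit_distance(a, b):
    """Levenshtein distance; catches one-character typosquats such as svohost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def basename(path):
    """Last path component, lower-cased; tolerates NT-style prefixes like \\??\\C:\\..."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def lookalike_of(name):
    """Return the real system binary a name imitates (distance 1), else None."""
    name = name.lower()
    if not name or name in SYSTEM_BINARIES:
        return None
    for real in SYSTEM_BINARIES:
        if edit_distance(name, real) == 1:
            return real
    return None


def triage_event(ev):
    """Return (severity, reasons) for one event, or None if nothing matched."""
    reasons = []
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))

    real = lookalike_of(image)
    if real:
        sev = "high" if parent in SCRIPT_HOSTS else "medium"
        reasons.append((sev, f"{image} imitates {real}, parent {parent or 'unknown'}"))

    parent_real = lookalike_of(parent)
    if parent_real:
        reasons.append(("medium", f"spawned by {parent} which imitates {parent_real}"))

    if ev.get("SHA256", "").lower() in IOC_SHA256:
        reasons.append(("high", "SHA256 matches known IoC"))

    if ev.get("DestinationIp") in IOC_IPS:
        reasons.append(("high", f"connection to known IoC {ev['DestinationIp']}"))

    if not reasons:
        return None
    severity = max((s for s, _ in reasons), key=SEVERITY_RANK.__getitem__)
    return severity, [r for _, r in reasons]


def triage(events):
    """Run triage_event over a list of records; returns findings ordered by event index."""
    out = []
    for idx, ev in enumerate(events):
        hit = triage_event(ev)
        if hit:
            out.append({"index": idx, "host": ev.get("Host"),
                        "severity": hit[0], "reasons": hit[1]})
    return out


# Constructed sample telemetry modelled on the event details above (not real logs).
SAMPLE_EVENTS = [
    {"EventId": 1, "Host": "Victor", "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "SHA256": "0" * 64},
    {"EventId": 1, "Host": "Victor", "Image": r"C:\Users\Public\svohost.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "SHA256": "b432dcf4a0f0b601b1d79848467137a5e25cab5a0b7b1224be9d3b6540122db9"},
    {"EventId": 1, "Host": "Victor", "Image": r"\??\C:\Windows\system32\conhost.exe",
     "CommandLine": r"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
     "ParentImage": r"C:\Users\Public\svohost.exe", "SHA256": "1" * 64},
    {"EventId": 3, "Host": "Victor", "Image": r"C:\Users\Public\svohost.exe",
     "DestinationIp": "185.107.56.141"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

Running it prints one JSON finding per suspicious event: the legitimate `svchost.exe` launched by `services.exe` is silent, the `svohost.exe` spawned by PowerShell scores high on both the lookalike name and the hash, the `conhost.exe` child is surfaced only because its parent is the lookalike, and the outbound connection matches the listed IP. In a real pipeline the same functions would be fed from an EDR or Sysmon export rather than the embedded sample.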

## 🏁 Outcome

Successfully triaged, investigated, and documented the attack chain leveraging CVE-2024-49138. This lab helped reinforce my skills in incident response, behavioral analysis, and threat detection.

## 🔎 Investigation Screenshots

### Alert Triggered in LetsDefend
![Alert Screenshot](/Alert-Panel.png)

### VirusTotal Result for Malicious Hash
![VirusTotal](/VirusTotal.png)

### 🔬 Process Tree Analysis
![Process Analysis](/Process.png)

### 🧪 PowerShell & AbuseIPDB Usage
![AbuseIPDB](/AbuseIPDB.png)

### 📋 Incident Notes
![Notes](/Note.png)

### 🪟 Windows Artifacts
![Microsoft Artifact](/Microsoft.png)

### ✅ Final Wrap-up / Task Marked
![Final](/Mark.png)


---

> “Getting 1% better every day.”

File snapshot

```text
[4.0K] /data/pocs/acd3d5016c8d5b8a75c2a7ed85f582486cf10ca6
├── [123K] AbuseIPDB.png
├── [ 33K] Alert-Panel.png
├── [129K] Mark.png
├── [ 80K] Microsoft.png
├── [200K] Note.png
├── [105K] Process.png
├── [2.1K] README.md
└── [134K] VirusTotal.png

0 directories, 8 files
```
Cached for you by the Shenlong bot
Notes
    1. It is recommended to access the POC via the source first.
    2. If the source has expired or cannot be reached, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.