Full Report
Researchers observed an attacker exploiting CVE-2024-38094—a vulnerability in Microsoft SharePoint. The attacker gained unauthorized access, escalated privileges, and moved laterally across the network to gain control over the entire domain. Through various techniques, includi...
Analysis Summary
# Incident Report: SharePoint RCE Leading to Domain Compromise (CVE-2024-38094)
## Executive Summary
An attacker successfully exploited the high-severity SharePoint vulnerability, CVE-2024-38094, to gain initial access via remote code execution. The compromise rapidly escalated to full domain control through privilege escalation, lateral movement, and systematic disabling of security tooling (including Windows Defender). The primary impact involved credential theft and setting up persistent remote access, although attempts to destroy backups were noted.
## Incident Details
- Discovery Date: Not explicitly stated, but activity observed leading up to Oct 30, 2024.
- Incident Date: The attack spanned a period, with the attacker remaining undetected for two weeks prior to broader analysis.
- Affected Organization: Unspecified (Mentioned generally as an organization using SharePoint).
- Sector: Unspecified.
- Geography: Unspecified.
## Timeline of Events
### Initial Access
- **Date/Time:** Occurred over a period leading up to detection.
- **Vector:** Exploitation of CVE-2024-38094 (SharePoint Remote Code Execution vulnerability, CVSS 7.2).
- **Details:** Attacker used GET and POST requests from external IPs to exploit the vulnerability and deploy the `ghostfile93.aspx` webshell onto the SharePoint server.
### Lateral Movement
- **Date/Time:** Following initial access and privilege escalation.
- **Vector:** Compromise of a Microsoft Exchange service account provided initial foothold for domain movement.
- **Details:** Utilized Impacket tools and compromised credentials to move laterally, scanning tools like `everything.exe` and brute-forcing tools like `kerbrute`.
### Data Exfiltration/Impact
- **Date/Time:** During the two-week dwell time.
- **Impact:** Successful credential theft (via Mimikatz), establishment of remote access (FRP), disabling of security defenses, and evasion of detection by tampering with system logs. Attempts were made to destroy third-party backups.
### Detection & Response
- **Date/Time:** Publicly reported around October 30, 2024.
- **Response actions taken:** Not explicitly detailed, but analysis included investigation of the RCE and subsequent post-exploitation activities.
## Attack Methodology
- **Initial Access:** Exploitation of CVE-2024-38094 (RCE in SharePoint) leading to webshell deployment (`ghostfile93.aspx`).
- **Persistence:** Deployment of a webshell and installation of Fast Reverse Proxy (FRP) for external access.
- **Privilege Escalation:** Compromise of a Microsoft Exchange service account.
- **Defense Evasion:** Deployment of **Horoung Antivirus** to conflict with and disable legitimate security software (including Windows Defender); tampering with system logs.
- **Credential Access:** Use of **Mimikatz**.
- **Discovery:** Use of **everything.exe** for network scanning.
- **Lateral Movement:** Use of **Impacket** capabilities leveraging compromised service account permissions.
- **Collection:** Credential harvesting.
- **Exfiltration:** Not explicitly detailed, but implied via established remote access.
- **Impact:** Domain-wide control achieved; security controls disabled.
## Impact Assessment
- **Financial:** Unknown.
- **Data Breach:** High severity due to domain compromise and credential theft, although specific data types are not detailed.
- **Operational:** Significant disruption due to system compromise and security control disabling.
- **Reputational:** Potential impact due to the nature of the vulnerability and domain-wide compromise.
## Indicators of Compromise (Defanged)
- **Network Indicators:** External GET/POST requests targeting SharePoint; FRP communication channels.
- **File Indicators:** `ghostfile93.aspx` webshell; Horoung Antivirus binaries; `Certify.exe` artifacts.
- **Behavioral Indicators:** Abnormal service account activity; disabling of Windows Defender; log tampering; use of Impacket functionality for movement.
## Response Actions
- **Containment Measures:** Likely involved patching CVE-2024-38094, isolating affected servers, and revoking compromised credentials (Inferred).
- **Eradication Steps:** Removal of webshells, Horoung Antivirus, and FRP components (Inferred).
- **Recovery Actions:** Restoration of security tooling integrity and verification of Active Directory state (Inferred).
## Lessons Learned
- Unpatched, high-severity vulnerabilities (like CVE-2024-38094) provide a direct path for initial access leading to catastrophic domain compromise.
- Attackers are actively employing tools designed specifically to disable endpoint security solutions (e.g., Horoung Antivirus).
- The dwell time (two weeks) highlights significant gaps in continuous monitoring and anomaly detection, especially concerning security tool tampering.
## Recommendations
- Immediately apply patches for CVE-2024-38094 across all SharePoint installations.
- Implement strict output monitoring for security tool conflicts or unexpected disabling events.
- Enforce least privilege, especially for service accounts like the targeted Exchange account, to limit lateral movement potential.
- Harden backup systems by ensuring they are immutable or air-gapped, minimizing the success rate of backup destruction attempts.