Investigating a SharePoint Compromise: IR Tales from the Field

NetmanageIT OpenCTI - opencti.netmanageit.com




SUMMARY :

An incident response investigation traced the attacker's initial access to the exploitation of CVE-2024-38094, a remote code execution vulnerability in Microsoft SharePoint Server. The attacker remained undetected for two weeks, moved laterally across the network and ultimately compromised the entire domain. Key tactics included installing Horoung Antivirus to impair the existing endpoint defenses, using Impacket and Mimikatz for lateral movement and credential harvesting, tunnelling with Fast Reverse Proxy (FRP), and establishing persistence through scheduled tasks. The attacker also attempted to destroy backups and used a variety of binaries for network reconnaissance and privilege escalation. The investigation underlines that timely response procedures and comprehensive security tooling are what limit the impact of a breach like this.
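The tradecraft summarised above (Impacket lateral movement, Mimikatz credential harvesting, scheduled-task persistence, backup destruction) leaves recognisable traces in Windows event logs when command-line and scheduled-task auditing are enabled. The following triage rules are an added example written for this page; they are not Rapid7's tooling or anything from the original report. The event records are constructed and deliberately simplified (real evtx/JSON exports use different field names), and each rule keys on a published default of the tool named (the wmiexec.py output file under ADMIN$, the smbexec.py BTOBTO service and execute.bat batch file, mimikatz module syntax, vssadmin/wbadmin deletion commands), so a match is high-signal but an attacker can trivially change those defaults and absence proves nothing.

```python
"""Triage rules for post-exploitation tradecraft in Windows event logs.

Added example for this page, not the report's or Rapid7's code. Events are
constructed, simplified records; field names are assumptions for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    event_id: int
    tactic: str
    reason: str


# Case-insensitive patterns. Each is a known default of the tool named, so a
# match is high-signal; all are trivially changed, so absence proves nothing.
WMIEXEC_REDIRECT = re.compile(r"1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+", re.I)   # wmiexec/atexec output file
SMBEXEC_SERVICE = re.compile(r"^BTOBTO$|execute\.bat", re.I)                      # smbexec default service/batch
MIMIKATZ_MODULES = re.compile(r"sekurlsa::|lsadump::|privilege::debug", re.I)    # mimikatz module syntax
BACKUP_DESTRUCTION = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wbadmin(\.exe)?\s+delete\s+catalog", re.I)
USER_WRITABLE = re.compile(r"\\(Temp|ProgramData|Users\\Public|AppData)\\", re.I)  # odd persistence paths


def triage(events):
    """Return one Finding per rule hit; an empty list means no rule matched."""
    findings = []
    for ev in events:
        host, eid = ev["host"], ev["event_id"]
        if eid == 4688:  # process creation (needs command-line auditing enabled)
            cmd = ev.get("command_line", "")
            if WMIEXEC_REDIRECT.search(cmd):
                findings.append(Finding(host, eid, "lateral movement", "Impacket wmiexec/atexec output redirect"))
            if MIMIKATZ_MODULES.search(cmd):
                findings.append(Finding(host, eid, "credential harvesting", "mimikatz module invocation"))
            if BACKUP_DESTRUCTION.search(cmd):
                findings.append(Finding(host, eid, "impact", "shadow copy or backup catalog deletion"))
        elif eid == 7045:  # new service installed (System log)
            if SMBEXEC_SERVICE.search(ev.get("service_name", "")) or SMBEXEC_SERVICE.search(ev.get("image_path", "")):
                findings.append(Finding(host, eid, "lateral movement", "Impacket smbexec service"))
        elif eid == 4698:  # scheduled task created (needs 'Audit Other Object Access Events')
            task = ev.get("task_command", "")
            if USER_WRITABLE.search(task) or "-enc" in task.lower():
                findings.append(Finding(host, eid, "persistence",
                                        "scheduled task runs from user-writable path or encoded command"))
    return findings


# Constructed sample events (not real telemetry from the incident).
SAMPLE_EVENTS = [
    {"host": "SP01", "event_id": 4688,
     "command_line": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1729513890.12 2>&1"},
    {"host": "DC01", "event_id": 7045, "service_name": "BTOBTO",
     "image_path": r"%COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat "
                   r"& %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"},
    {"host": "DC01", "event_id": 4688,
     "command_line": r'C:\ProgramData\m.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"host": "FS01", "event_id": 4698, "task_name": "\\Updater",
     "task_command": r"C:\Windows\Temp\svc.exe"},
    {"host": "BK01", "event_id": 4688,
     "command_line": r"vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS22", "event_id": 4688,  # benign control record
     "command_line": r"C:\Windows\System32\notepad.exe C:\Users\alice\notes.txt"},
]


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.host:5} {f.event_id} {f.tactic:22} {f.reason}")
```

Running the block against the constructed events yields five findings (two lateral-movement hits, one each for credential harvesting, persistence and impact) and nothing for the benign notepad record; in a real investigation the same rules would be run over the full domain's exported logs to scope which hosts the attacker touched.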

OPENCTI LABELS :

lateral movement,mimikatz,credential harvesting,impacket,domain compromise,fast reverse proxy (frp),cve-2024-38094,sharepoint



