DEV Community

Sean Lee
Sean Lee

Posted on

LetsDefend: SOC335 - CVE-2024-49138 Exploitation Detected

Incident Case Report

Case Title: CVE-2024-49138 Exploitation via svohost.exe and Remote RDP Access

Case ID: SOC-IR-2025-0122-313

Date/Time of Detection: January 22, 2025, 02:37 AM (UTC)

Analyst Assigned: Security Analyst, SOC Team

Severity Level: High

Executive Summary

On January 22, 2025, the SOC detected suspicious behavior on host Victor (IP: 172.16.17.207) at 02:37 AM via detection rule SOC335. A non-standard process, svohost.exe, was executed from an unusual path (C:\temp\service_installer), showing signs of exploiting CVE-2024-49138, a privilege escalation vulnerability. A successful RDP login from a malicious IP (185[.]107[.]56[.]141) confirmed the attacker had gained remote access.

Detection Details

Field Value
Event ID 313
Rule Name SOC335 - CVE-2024-49138 Exploitation Detected
Detection Time January 22, 2025, 02:37 AM
Affected Hostname Victor
File/Process Name svohost.exe
File Path C:\temp\service_installer\svohost.exe
Malicious IP 185.107.56.141
Command Line \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Incident Narrative

At 02:37 AM, an alert flagged svohost.exe for exhibiting behaviors consistent with CVE-2024-49138. The executable was spawned by powershell.exe, suggesting a fileless attack. The file’s unusual location and behavior indicated malicious intent. A successful RDP login from a known malicious IP shortly followed, confirming system compromise.

Indicators of Compromise (IOCs)

  • File Hash: b432dcf4a0f0b601b1d79848467137a5e25cab5a0b7b1224be9d3b6540122db9
  • Malicious IP: 185.107.56.141
  • CVE Exploited: CVE-2024-49138

Impact Assessment

  • System Compromise: Confirmed via RDP access.
  • Privilege Escalation: Likely, based on PowerShell and conhost.exe behavior.
  • Persistence: Not confirmed.
  • Scope: Single host (Victor).

Recommendations

  1. Isolate Host: Prevent lateral movement.
  2. Revoke Credentials: Rotate LetsDefend user credentials.
  3. Block Malicious IP: At firewall level.
  4. Search for IOCs: Across environment.
  5. Collect Forensics: Memory and disk images of Victor.

Long-Term Actions:

  • Patch systems vulnerable to CVE-2024-49138.
  • Implement MFA for RDP access and segment the network.

Conclusion

The attacker exploited CVE-2024-49138 for privilege escalation and gained remote access via RDP. Immediate containment and further investigation are essential for full remediation.

Top comments (0)