Investigating SharePoint Compromise: Insights from the Field

Rapid7 investigated a breach where an attacker exploited SharePoint vulnerability CVE-2024-38094 to drop a webshell and gain access to a Microsoft Exchange service account with domain admin privileges, enabling two weeks of undetected lateral movement and credential harvesting. The intruder used tools such as Mimikatz and a Fast Reverse Proxy (FRP), and disabled defenses by installing Huorong (Horoung) Antivirus to persist and tunnel out. #CVE-2024-38094 #Mimikatz

Keypoints

  • Initial access was achieved by exploiting Microsoft SharePoint RCE CVE-2024-38094, allowing the attacker to drop a webshell (ghostfile93.aspx) and execute commands remotely.
  • An Exchange service account with domain admin privileges was abused for RDP access and lateral movement, enabling full domain compromise over a two-week dwell period.
  • The attacker installed Huorong (Horoung) Antivirus to crash or disable existing security products, facilitating further activity and relating to defense-evasion tactics.
  • Post-exploitation tools discovered included Mimikatz, ADExplorer, Impacket, kerbrute, Certify, Everything.exe, nxc.exe, and a Fast Reverse Proxy (msvrp.exe) used for external access.
  • Persistence was achieved via scheduled tasks executing FRP; logging was tampered with and many event sources were disabled, complicating detection and analysis.
  • Rapid7 recommends patching SharePoint, deploying detection tooling (Insight Agent, Velociraptor), and using available detection rules to hunt related behaviors.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Exploited CVE-2024-38094 in SharePoint to achieve RCE and drop a webshell (‘POST /_vti_bin/DelveApi.ashx/config/ghostfile93.aspx’).
  • [T1562] Impair Defenses – Installed Huorong (Horoung) Antivirus, whose installation “caused a conflict with active security products on the system. This resulted in a crash of these services.”
  • [T1087] Account Discovery – Used Active Directory enumeration tools to map accounts and environment (‘Usage of Active Directory enumeration tools.’)
  • [T1090] Proxy – Employed a Fast Reverse Proxy (FRP) to create an outbound tunnel for external access (‘Fast Reverse Proxy (FRP) … allows external access to the system’).
  • [T1083] File and Directory Discovery – Deployed Everything.exe to index and search the NTFS file system (‘Everything.exe being observed on in-scope systems.’)
  • [T1135] Network Share Discovery – Used nxc.exe (CrackMapExec variant) to scan and enumerate network shares (‘nxc.exe being observed on in-scope systems.’)
  • [T1003] OS Credential Dumping – Performed credential harvesting with tools such as Mimikatz (‘Mimikatz’ and ‘Various credential harvesting tools observed on in-scope systems.’)
  • [T1053] Scheduled Task/Job – Created scheduled tasks to maintain persistence by running the FRP tool (‘Scheduled tasks observed on in-scope systems to execute the FRP tool.’)
  • [T1070] Indicator Removal on Host – Cleared and tampered with event logs to hinder detection (‘Mimikatz has the ability to clear event logs and disable system logging.’)

Indicators of Compromise

  • [Filename and Path] Malicious and renamed binaries used for post-exploitation – c:\programdata\vmware\msvrp.exe (FRP), c:\programdata\vmware\66.exe (renamed Mimikatz)
  • [SHA256 hashes] File hashes for observed tools – f618b09c0908119399d14f80fc868b002b987006f7c76adbcec1ac11b9208940 (msvrp.exe), 61c0810a23580cf492a6ba4f7654566108331e7a4134c968c2d6a05261b2d8a1 (66.exe/Mimikatz), and multiple other hashes
  • [Log-based IOC] Exploit and webshell HTTP requests seen in SharePoint logs – "POST /_vti_bin/client.svc/web/GetFolderByServerRelativeUrl('/BusinessDataMetadataCatalog/')/Files/add(url='/BusinessDataMetadataCatalog/BDCMetadata.bdcm", "POST /_vti_bin/DelveApi.ashx/config/ghostfile93.aspx"
  • [IP Address] External infrastructure used for exploitation and FRP configuration – 18.195.61[.]200 (source of exploit/webshell traffic), 54.255.89[.]118 (IP from FRP .ini file)

Rapid7’s Incident Response team investigated a compromise that began when an external actor exploited a SharePoint remote code execution vulnerability (CVE-2024-38094) on a public-facing server. The SharePoint inetpub logs contained request patterns matching the public proof-of-concept exploit, which the attacker used to drop a webshell named ghostfile93.aspx; that webshell then received repeated HTTP POST requests from an external IP address. After several hours of using the webshell, the intruder authenticated to the server as the local administrator, executed Mimikatz and other tools, and manipulated logging so that many event sources were absent for the relevant timeframe.

From that foothold, the threat actor extended their reach by leveraging a Microsoft Exchange service account that held domain admin privileges. Authentication logs from domain controllers showed RDP sessions from the compromised Exchange account and other suspicious authentications dating back a week before the investigation began. On the domain controller, the attacker added an exclusion for a binary named msvrp.exe (placed in C:\ProgramData\VMware) and disabled Windows Defender Threat Detection, actions consistent with efforts to evade detection and maintain control.

To bypass security controls and sustain connectivity, the adversary installed a Fast Reverse Proxy (FRP) tool which required an .ini file containing an external IP; scheduled tasks were created to run the FRP client and preserve remote access through NAT-based firewalls. The C:\ProgramData\VMware folder also held additional attacker tooling—ADExplorer64.exe, NTDSUtil.exe, nxc.exe, and others—used to enumerate Active Directory, collect credentials, and scan systems. Attempts to execute Impacket from Python were initially blocked by security tooling, after which the attacker used a browser download and then installed Huorong (also spelled Horoung) Antivirus; that installation conflicted with and caused crashes in existing security products, assisting the attacker’s lateral movement and persistence.

During the two-week dwell period, the intruder ran a variety of programs to map and exploit the environment. Everything.exe was used to index file systems for rapid searching, kerbrute_windows_amd64.exe was used in brute-force attempts against Kerberos, Certify.exe was leveraged to create ADFS certificates for privilege escalation, and a renamed Mimikatz binary (66.exe) facilitated credential dumping. The adversary also tried multiple methods to tamper with or destroy third-party backups, including credential-based browser access and SSH connections, but did not succeed in compromising the backup solution.

Rapid7’s response included review of SharePoint logs that matched public PoC exploit strings and identification of webshell traffic from IP 18.195.61[.]200. Investigation artifacts revealed a clear chain from initial SharePoint exploitation to domain-wide compromise, including evidence of log tampering and cleared event logs likely tied to Mimikatz activity. The team used Velociraptor for remote triage and forensic collection and notes that Rapid7 customers can evaluate exposure through InsightVM/Nexpose authenticated checks added for CVE-2024-38094.

Rapid7 recommends patching SharePoint to the latest release, deploying endpoint visibility tools (such as the Insight Agent), and leveraging detection rules that flag behaviors seen in this incident: webserver-launched suspicious commands, IIS spawning PowerShell, use of attacker tools like Impacket and Mimikatz, hash dumping via NTDSUtil, clearing event logs, and disabling security or backup products. A Velociraptor artifact and additional IoCs and hashes were published to assist hunting and remediation efforts.
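As an added example (not Rapid7’s code and not the Velociraptor artifact the post refers to), the following Python scans IIS W3C log rows for the two request patterns quoted in the log-based IoC above, the PoC .bdcm upload through client.svc and POSTs to an .aspx under DelveApi.ashx/config, and counts webshell POSTs per source IP. The log lines are constructed for this example, and the column layout is assumed to follow the #Fields header as IIS writes it.

```python
import re
from collections import Counter

# Constructed IIS W3C log lines (not from the Rapid7 post); the POST paths mirror the
# PoC upload and webshell URIs the post quotes.  Column names come from the #Fields header.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-10-01 08:12:03 10.0.0.5 GET /sites/hr/default.aspx - 443 CORP\\alice 10.0.1.20 Mozilla/5.0 200
2024-10-01 08:15:44 10.0.0.5 POST /_vti_bin/client.svc/web/GetFolderByServerRelativeUrl('/BusinessDataMetadataCatalog/')/Files/add(url='/BusinessDataMetadataCatalog/BDCMetadata.bdcm') - 443 - 203.0.113.7 python-requests/2.31 200
2024-10-01 08:16:10 10.0.0.5 POST /_vti_bin/DelveApi.ashx/config/ghostfile93.aspx - 443 - 203.0.113.7 python-requests/2.31 200
2024-10-01 08:16:12 10.0.0.5 POST /_vti_bin/DelveApi.ashx/config/ghostfile93.aspx - 443 - 203.0.113.7 python-requests/2.31 200
2024-10-01 09:02:55 10.0.0.5 GET /_vti_bin/client.svc/web/lists - 443 CORP\\bob 10.0.1.31 Mozilla/5.0 200
"""

# PoC pattern: a .bdcm file added to BusinessDataMetadataCatalog through client.svc.
BDC_UPLOAD_RE = re.compile(
    r"^/_vti_bin/client\.svc/web/GetFolderByServerRelativeUrl\('/BusinessDataMetadataCatalog/'\)"
    r"/Files/add\(.*\.bdcm", re.IGNORECASE)
# Any .aspx reached under the DelveApi.ashx config path (ghostfile93.aspx in the post).
WEBSHELL_RE = re.compile(r"^/_vti_bin/DelveApi\.ashx/config/[^/]+\.aspx$", re.IGNORECASE)

def parse_w3c(text):
    """Yield one dict per data row, naming the columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split(" ")
            if len(parts) == len(fields):  # skip malformed rows rather than mis-map columns
                yield dict(zip(fields, parts))

def find_sharepoint_hits(text):
    """Return (time, client_ip, uri, reason) for POSTs matching either URI pattern."""
    hits = []
    for row in parse_w3c(text):
        if row["cs-method"].upper() != "POST":
            continue
        uri = row["cs-uri-stem"]
        if BDC_UPLOAD_RE.search(uri):
            hits.append((row["time"], row["c-ip"], uri, "bdcm-upload-pattern"))
        elif WEBSHELL_RE.search(uri):
            hits.append((row["time"], row["c-ip"], uri, "delveapi-aspx-post"))
    return hits

def webshell_sources(hits):
    """Count webshell POSTs per client IP; repeated hits from one external IP are the signal."""
    return Counter(ip for _, ip, _, reason in hits if reason == "delveapi-aspx-post")
```

Point it at the real u_ex*.log files under the SharePoint site's inetpub logs directory, and treat any `bdcm-upload-pattern` hit followed by webshell POSTs from the same IP as the exploitation chain described in this incident.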

Read more: https://blog.rapid7.com/2024/10/30/investigating-a-sharepoint-compromise-ir-tales-from-the-field/