// soc investigation 2026-02-12
SOC335 CVE-2024-49138 Exploitation Detected
letsdefend Medium closed ✓ true positive
mitre/T1078 mitre/T1021-002 mitre/T1059 mitre/T1105
analyst verdict TRUE POSITIVE

ALERT SUMMARY

MITRE ATT&CK
T1078 Valid Accounts
T1021 Remote Services
T1059 PowerShell
T1105 Ingress Tool Transfer

WHO
External attacker from IP 185.107.56.141, located in the Netherlands.
Target host: Victor at 172.16.17.207.
Process executed under user EC2AMAZ-ILGVOIN\LetsDefend.

WHAT
Malicious executable svohost.exe executed from the C:\temp\service_installer directory.
File hash b432dcf4a0f0b601b1d79848467137a5e25cab5a0b7b1224be9d3b6540122db9 flagged as Exploit.Win64.CVE-2024-49138 on VirusTotal.
PowerShell script downloaded a password-protected archive and extracted the malicious payload.
RDP logins observed from the malicious Netherlands IP.

WHEN
Jan 22, 2025 at 02:37 AM.

WHERE
Compromised host: Victor (172.16.17.207).
Malicious file path: C:\temp\service_installer\svohost.exe.
Inbound RDP connection from 185.107.56.141.

WHY
Attacker likely gained access via an exposed RDP service.
PowerShell used to download and execute the exploit payload.
Goal was privilege escalation and system control via CVE-2024-49138 exploitation.

HOW
RDP login from the malicious IP observed.
PowerShell executed a script to download the service_installer zip archive from an external source.
Archive extracted using the password "infected".
svohost.exe executed from the temp directory.
whoami command executed, indicating command execution capability.
Behavior consistent with exploitation of a privilege escalation vulnerability.
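The chain listed under HOW maps onto a handful of host-level signals a SOC can correlate per host and user: an RDP logon from a non-private address, PowerShell making an outbound connection, an archive landing in C:\temp, an executable launched from that directory (with a hash match and a svchost.exe lookalike name), and whoami run afterwards. The following is an added example, not part of the original investigation note and not LetsDefend platform code. The event schema (kind, logon_type, image, sha256, ...) is an assumed simplified one rather than Windows Security or Sysmon field names; the IP, hostname, path and hash are the note's own indicators, while the sample events, the download destination IP (assumed to be the same attacker IP; the note only says "external source"), the system-binary name list and the lookalike-name check are constructed assumptions.

```python
"""Correlate the CVE-2024-49138 alert chain over constructed host events.

Added example (not from the original SOC note). Field names are an assumed
simplified schema; sample events are constructed to mirror the note's timeline.
"""
from collections import defaultdict
from ipaddress import ip_address
from ntpath import basename

# Indicators taken from the investigation note.
MALICIOUS_IP = "185.107.56.141"
MALICIOUS_SHA256 = "b432dcf4a0f0b601b1d79848467137a5e25cab5a0b7b1224be9d3b6540122db9"
SUSPICIOUS_EXEC_DIR = "c:\\temp\\"
# Real Windows binaries whose names get imitated (assumed list, svohost.exe ~ svchost.exe).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}
STAGES = ("rdp_external_logon", "powershell_download", "archive_dropped",
          "temp_execution", "masquerade_name", "known_bad_hash", "recon_whoami")


def is_external(ip: str) -> bool:
    """True for routable addresses; RFC1918, loopback and link-local count as internal."""
    addr = ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local)


def looks_like_system_binary(image: str) -> bool:
    """Flag a name exactly one character away from a real system binary name."""
    name = basename(image).lower()
    if name in SYSTEM_BINARIES:
        return False
    return any(len(name) == len(real) and sum(a != b for a, b in zip(name, real)) == 1
               for real in SYSTEM_BINARIES)


def correlate(events):
    """Return {(host, user): set of stages seen}, walking events in time order."""
    hits = defaultdict(set)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key, kind = (e["host"], e["user"]), e["kind"]
        image = e.get("image", "").lower()
        if kind == "logon" and e.get("logon_type") == 10 and is_external(e["src_ip"]):
            hits[key].add("rdp_external_logon")            # T1078 / T1021 over RDP
        elif kind == "network" and basename(image) == "powershell.exe" and is_external(e["dst_ip"]):
            hits[key].add("powershell_download")           # T1059 + T1105
        elif kind == "file_create" and e["path"].lower().startswith(SUSPICIOUS_EXEC_DIR) \
                and e["path"].lower().endswith(".zip"):
            hits[key].add("archive_dropped")
        elif kind == "process":
            if image.startswith(SUSPICIOUS_EXEC_DIR):
                hits[key].add("temp_execution")
            if looks_like_system_binary(image):
                hits[key].add("masquerade_name")
            if e.get("sha256") == MALICIOUS_SHA256:
                hits[key].add("known_bad_hash")
            # whoami only counts once something already ran from the temp directory.
            if basename(image) == "whoami.exe" and "temp_execution" in hits.get(key, set()):
                hits[key].add("recon_whoami")
    return dict(hits)


def verdict(stages) -> str:
    """Escalate on a known-bad hash or the full access->download->execute chain."""
    core = {"rdp_external_logon", "powershell_download", "temp_execution"}
    if "known_bad_hash" in stages or core <= stages:
        return "true_positive"
    return "suspicious" if len(stages) >= 2 else "benign"


# Constructed events mirroring the note's timeline (Jan 22 2025, around 02:37).
SAMPLE_EVENTS = [
    {"ts": "2025-01-22T02:31:05", "host": "Victor", "user": "LetsDefend", "kind": "logon",
     "logon_type": 10, "src_ip": MALICIOUS_IP},
    {"ts": "2025-01-22T02:34:10", "host": "Victor", "user": "LetsDefend", "kind": "network",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "dst_ip": MALICIOUS_IP},                                # assumption: same attacker IP
    {"ts": "2025-01-22T02:34:12", "host": "Victor", "user": "LetsDefend", "kind": "file_create",
     "path": "C:\\temp\\service_installer.zip"},             # constructed archive name
    {"ts": "2025-01-22T02:37:00", "host": "Victor", "user": "LetsDefend", "kind": "process",
     "image": "C:\\temp\\service_installer\\svohost.exe", "sha256": MALICIOUS_SHA256},
    {"ts": "2025-01-22T02:37:30", "host": "Victor", "user": "LetsDefend", "kind": "process",
     "image": "C:\\Windows\\System32\\whoami.exe", "parent": "svohost.exe"},
    # Benign control: an admin RDP session from the LAN with no download chain.
    {"ts": "2025-01-22T09:00:00", "host": "Fileserver", "user": "admin", "kind": "logon",
     "logon_type": 10, "src_ip": "172.16.17.50"},
    {"ts": "2025-01-22T09:05:00", "host": "Fileserver", "user": "admin", "kind": "process",
     "image": "C:\\Windows\\System32\\svchost.exe"},
]

if __name__ == "__main__":
    for key, stages in correlate(SAMPLE_EVENTS).items():
        print(key, verdict(stages), sorted(stages))
```

The whoami stage is gated on a prior temp-directory execution on the same host and user so that routine whoami use by administrators does not fire on its own; the LAN RDP session on the control host produces no hits at all because 172.16.17.50 is private.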