Executive Summary A forensic review of Linux auditd logs confirms that the host was compromised through an external SSH brute-force attack. The attacker authenticated as a low-privileged user, executed automated system enumeration, escalated privileges using a local sudo vulnerability, accessed sensitive credential material, and attempted basic anti-forensic cleanup. The entire intrusion lifecycle occurred within approximately six minutes.
Scope and Evidence Primary artifact:
audit.log (Linux auditd) Tools used:
aureport ausearch Manual timeline correlation Observed timeframe:
Alert Name: SOC335 – CVE-2024-49138 Exploitation Detected
Severity: High
Event ID: 313
Event Time: Jan 22, 2025, 02:37 AM
Category: Privilege Escalation
Base Information Field Value Event ID 313 Event Time Jan 22, 2025, 02:37 AM Rule SOC335 – CVE-2024-49138 Exploitation Detected Analyst Level Security Analyst Hostname Victor IP Address 172.16.17.207 Process Name svohost.exe Process Path C:\temp\service_installer\svohost.exe Process ID 7640 Parent Process C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Command Line ??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 File Hash (SHA-256) b432dcf4a0f0b601b1d79848467137a5e25cab5a0b7b1224be9d3b6540122db9 Process User EC2AMAZ-ILGVOIN\LetsDefend Trigger Reason Suspicious behavior patterns linked to CVE-2024-49138 Device Action Allowed Incident Details Field Value Incident Name EventID 313 – SOC335 CVE-2024-49138 Exploitation Incident Type Privilege Escalation Created Date Jan 08, 2026, 09:12 AM Pre-Investigation Notes Date: Jan 22, 2025, 02:37 AM Hostname: Victor IP Address: 172.