One of the most common types of attack is spawning a malicious process inside a tree of otherwise legitimate processes. The path to the executable can itself be suspicious: malware often runs from the AppData or Temp folders, which is uncommon for legitimate programs. To be fair, some auto-update utilities do run from AppData, so checking the launch location alone is not enough to decide whether a program is malicious.
An additional element of legitimacy is a cryptographic signature. Many original programs are signed by their vendor, so the absence of a signature can be used as one way to identify suspicious launches. But again, there is malware that is signed with stolen certificates, so a valid signature is not proof of legitimacy either.
You can also check the MD5 or SHA256 hash of the file, which may match previously detected malware. Static analysis can be performed by examining the program for known signatures (using YARA rules or an antivirus product). There is also dynamic analysis (running the program in an isolated environment and monitoring its behaviour) and reverse engineering.
There can be many indicators of a malicious process. This article explains how to enable auditing of the relevant events in Windows and looks at the indicators that the built-in rule relies on.
When a program is launched, it is loaded into the computer's memory. The executable contains instructions and references supporting libraries (*.dll and the like). A process that is already running can create additional threads; threads let a process execute different instruction streams concurrently. There are many ways for malicious code to get into memory and run; let us look at some of them.
The simplest way to launch a malicious process is to trick the user into running it directly (for example, from an e-mail attachment), or to have it started from an autorun registry key such as Run or RunOnce when the computer boots. This also covers fileless malware that stores a PowerShell script in a registry key and runs it on a trigger; in that case the PowerShell script itself is the malicious code.
The problem with launching malware explicitly is that it is a well-known approach and is easily detected. Some malware is smarter and, for example, uses another process to start executing in memory. A process can create another process by calling the process-creation API (CreateProcess on Windows) and specifying the executable (.exe) to run.
The file can be specified by a full path (for example, C:\Windows\system32\cmd.exe) or by a partial path (cmd.exe). If the parent process does this unsafely, it opens the door to running a rogue program. The attack looks like this: a process launches cmd.exe without a full path, so the attacker plants their own cmd.exe in a location that is searched before the legitimate one (such as the application's own directory or its working directory), and the rogue copy is what gets launched. Once it runs, the malware may in turn start the legitimate program (C:\Windows\system32\cmd.exe), so the original program continues to work normally and nothing looks wrong.
A variation on this attack is injecting a DLL into a legitimate process (more precisely, DLL search-order hijacking or side-loading). When a process starts, it looks up and loads the libraries that provide its functionality. The attacker creates a malicious library with the same name and exported API as the legitimate one and places it where it will be found first. The program loads the malicious library, which in turn loads the legitimate library and forwards calls to it as needed; the malicious library thus acts as a proxy for the benign one and the program keeps working.
Another way to get malicious code into memory is to inject it into an already running, insecure process. Processes receive input from many sources, such as the network or the files they read. Normally the input is checked for validity, but some processes lack adequate protection when they act on it, so crafted input leads to execution of attacker-controlled instructions. In this attack no library or executable containing the malicious code exists on disk: everything lives in memory alongside the exploited process.
Next, let us see how to enable collection of such events in Windows and look at the InTrust rule that implements protection against these threats. First, the rule has to be activated through the InTrust management console.
The rule relies on the process-tracking audit facility of the Windows OS. Unfortunately, enabling the collection of these events is far from obvious: three different Group Policy settings have to be changed (the third one matters most, because without it event 4688 does not carry the command line that the indicators below depend on):
Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy > Audit process tracking
Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Detailed Tracking > Audit Process Creation
Computer Configuration > Policies > Administrative Templates > System > Audit Process Creation > Include command line in process creation events
With the InTrust rule enabled, previously unknown threats can be detected by the suspicious behaviour they exhibit. For example, it identifies the following.
Among its chain of actions, Dridex uses schtasks.exe to create a scheduled task. Invoking this particular utility from the command line is considered highly suspicious. Launching svchost.exe with parameters that point into a user folder, or a child of svchost.exe running something like "net view" or "whoami /all", looks equally suspicious. Here is a fragment of the corresponding rule, in Sigma format:
detection:
    selection1:
        CommandLine: '*\svchost.exe C:\Users\\*\Desktop\\*'
    selection2:
        ParentImage: '*\svchost.exe*'
        CommandLine:
            - '*whoami.exe /all'
            - '*net.exe view'
    condition: 1 of them
In InTrust all of these suspicious behaviours are combined into a single rule, because most of them are not specific to one threat but are suspicious in combination, and in 99% of cases they serve purposes that are less than noble. The list of actions includes, but is not limited to:
- Processes run from unusual locations, such as the user's temporary folder.
- Known system processes with a suspicious parent: some threats use system process names to avoid detection.
- Suspicious executions of administrative tools such as cmd or PsExec when they run under local system credentials or from a suspicious parent.
- Suspicious shadow-copy operations, a typical ransomware step before encrypting the system, used to destroy backups:
  - via vssadmin.exe;
  - via WMI.
- Dumping of entire registry hives.
- Lateral movement of malicious code, when a process is started on a remote host with commands such as at.exe.
- Suspicious local group and domain operations via net.exe.
- Suspicious firewall changes via netsh.exe.
- Suspicious ACL manipulation.
- Use of BITS for data exfiltration.
- Suspicious manipulation via WMI.
- Suspicious script commands.
- Attempts to dump protected system files.
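To make the indicators above concrete, here is an added example (it is not InTrust's code and not from the Sigma project) that applies the Dridex fragment shown earlier and a handful of the listed behaviours to constructed event-4688-style records. The field names (Image, CommandLine, ParentImage) follow the Sigma process_creation taxonomy; the sample events, the host name FILESRV01, the user alice and all paths are invented for the demonstration, and the wildcard matcher is a simplified stand-in for Sigma's own escaping rules (backslashes are taken literally).

```python
"""Toy detector: applies process-creation indicators to 4688-style events.

Added example for this article; NOT InTrust's code and NOT the Sigma project's.
Events are constructed inline with the fields event 4688 carries once
"Include command line in process creation events" is enabled.
"""
from fnmatch import fnmatchcase
import ntpath

# Constructed sample events (not real telemetry); field names follow the
# Sigma process_creation taxonomy. FILESRV01 and alice are invented.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",                 # 0: normal service host
     "CommandLine": r"svchost.exe -k netsvcs -p",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Image": r"C:\Windows\System32\svchost.exe",                 # 1: Dridex-style svchost abuse
     "CommandLine": r"C:\Windows\System32\svchost.exe C:\Users\alice\Desktop\invoice.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\invoice.exe"},
    {"Image": r"C:\Windows\System32\whoami.exe",                  # 2: recon spawned by svchost
     "CommandLine": r"whoami.exe /all",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",   # 3: masquerading, run from Temp
     "CommandLine": r"svchost.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",                # 4: ransomware backup kill
     "CommandLine": r"vssadmin.exe delete shadows /all /quiet",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\at.exe",                      # 5: remote start via at.exe
     "CommandLine": r"at.exe \\FILESRV01 13:00 cmd /c \\FILESRV01\C$\Temp\p.bat",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Program Files\Vendor\Updater.exe",             # 6: benign updater
     "CommandLine": r"Updater.exe --check",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

def match(value: str, pattern: str) -> bool:
    """Case-insensitive Sigma-like wildcard match ('*' and '?'); backslash is literal."""
    return fnmatchcase(value.lower(), pattern.lower())

def any_match(value: str, patterns) -> bool:
    return any(match(value, p) for p in patterns)

SYSTEM_PROCESS_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
SYSTEM_DIRS = (r"C:\Windows\System32\*", r"C:\Windows\SysWOW64\*")

def rule_dridex(ev):
    """The article's Sigma fragment: condition '1 of them' over two selections."""
    sel1 = match(ev["CommandLine"], r"*\svchost.exe C:\Users\*\Desktop\*")
    sel2 = (match(ev["ParentImage"], r"*\svchost.exe*")
            and any_match(ev["CommandLine"], [r"*whoami.exe /all", r"*net.exe view"]))
    return sel1 or sel2

def rule_unusual_location(ev):
    """Executable started from a temp folder, where legitimate software rarely lives."""
    return any_match(ev["Image"], [r"*\AppData\Local\Temp\*", r"*\Windows\Temp\*"])

def rule_masquerading_system_process(ev):
    """A well-known system process name running outside the system directories."""
    name = ntpath.basename(ev["Image"]).lower()
    return name in SYSTEM_PROCESS_NAMES and not any_match(ev["Image"], SYSTEM_DIRS)

def rule_shadow_copy_deletion(ev):
    """Backup destruction via vssadmin or the WMI shadow-copy class (wmic)."""
    cl = ev["CommandLine"]
    return match(cl, r"*vssadmin*delete*shadows*") or match(cl, r"*wmic*shadowcopy*delete*")

def rule_remote_at(ev):
    r"""at.exe aimed at another host (\\HOST ...) is a classic lateral-movement primitive."""
    return match(ev["Image"], r"*\at.exe") and match(ev["CommandLine"], r"*at.exe \\*")

RULES = {
    "dridex_svchost": rule_dridex,
    "unusual_location": rule_unusual_location,
    "masquerading_system_process": rule_masquerading_system_process,
    "shadow_copy_deletion": rule_shadow_copy_deletion,
    "remote_at_exe": rule_remote_at,
}

def evaluate(events):
    """Map event index -> names of rules that fired, for events with at least one hit."""
    hits = {}
    for i, ev in enumerate(events):
        fired = [name for name, fn in RULES.items() if fn(ev)]
        if fired:
            hits[i] = fired
    return hits

if __name__ == "__main__":
    for i, fired in evaluate(SAMPLE_EVENTS).items():
        print(f"event {i}: {', '.join(fired)} <- {SAMPLE_EVENTS[i]['CommandLine']}")
```

Run as a script it lists which rule names fire for each sample event. Event 0 (a normal svchost.exe started by services.exe) and event 6 (a vendor updater) produce no hits, which is exactly the baseline to confirm before turning such a rule on in production; event 3 shows why two weak indicators (an unusual location plus a system process name) are worth more in combination than alone.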
The combined rule works very well at detecting threats such as Ryuk, LockerGoga and other ransomware, malware and cybercrime toolkits. It has been tested by the vendor in production environments to minimise false positives, and thanks to the SIGMA project most of these indicators produce a minimal number of noise events.
Because this is a monitoring rule in InTrust, a response script can be executed in reaction to the threat: you can use one of the built-in scripts or write your own, and InTrust distributes it automatically.
In addition, all of the related telemetry (PowerShell scripts, process executions, scheduled task operations, WMI administrative activity and so on) can be examined and used for post-incident analysis.
InTrust has hundreds of other rules; a few of them are:
- Detection of PowerShell downgrade attacks, where someone deliberately uses an old version of PowerShell because older versions offered no way to audit what was happening.
- Detection of high-privilege logons, where an account that is a member of a specific privileged group (such as Domain Admins) logs on to a workstation, either by mistake or as part of a security incident.
With InTrust you get security best practices in the form of predefined detection and response rules, and if you need something to behave differently, you can make your own copy of a rule and configure it as required. A request to run a pilot, or to obtain a distribution with a temporary licence, can be submitted via the following:
Source: habr.com