Algorithms and tactics for responding to information security incidents, current trends in cyber attacks, approaches to investigating data leaks inside a company, examination of browsers and mobile devices, analysis of encrypted files, extraction of geolocation data and analysis of large volumes of data - all this and more can be learned in the new joint courses from Group-IB and Belkasoft. The idea of running XNUMX all-in-one joint training courses in XNUMX came about after participants in Group-IB courses began asking about a tool that combines the functionality of the various free utilities we recommend for investigating compromised computer systems and networks and for use during incident response.
In our opinion, such a tool could be Belkasoft Evidence Center (we have already written about it in a separate article).
Important: the courses are sequential and interconnected. Belkasoft Digital Forensics focuses on the Belkasoft Evidence Center program, while Belkasoft Incident Response Exam focuses on investigating incidents using Belkasoft products. That is, before taking the Belkasoft Incident Response Exam course, we strongly recommend completing the Belkasoft Digital Forensics course. If a student starts the incident investigation course straight away, they may run into annoying gaps in their knowledge of using Belkasoft Evidence Center and of finding and examining forensic artifacts. This can lead to a situation in which training time during the Belkasoft Incident Response Exam course is spent on those gaps, so the student does not have time to master the material or slows down the rest of the group in acquiring new knowledge. The trainer of the Belkasoft Digital Forensics course describes its content below.
Computer Forensics with Belkasoft Evidence Center
The aim of the Belkasoft Digital Forensics course is to introduce students to the Belkasoft Evidence Center program and teach them to use it to collect evidence from various sources (cloud storage, random access memory (RAM), mobile devices, storage media such as hard drives and flash drives); to master basic forensic techniques and methods for the forensic examination of Windows artifacts, mobile devices and RAM dumps; to learn to identify and document browser and instant messenger artifacts, create forensic copies of data from various sources, and extract and search geolocation data; and to acquire skills in searching for text sequences (keyword search), using hashes during an investigation, analyzing the Windows registry, exploring unknown SQLite databases, the basics of examining graphic and video files, and the analysis techniques used during investigations.
The course will be useful for specialists in the field of computer forensics; technical specialists who identify the reasons for a successful intrusion and analyze the chain of events and consequences of cyber attacks; technical specialists who identify and document data theft (leaks) by insiders (internal violators); e-Discovery specialists; SOC and CERT/CSIRT staff; information security officers; and computer forensics enthusiasts.
Course plan:
- Belkasoft Evidence Center (BEC): first steps
- Creating and processing cases in BEC
- Collecting digital evidence for a forensic investigation with BEC
- Using filters
- Reporting
- Examining instant messaging programs
- Examining web browsers
- Examining mobile devices
- Extracting geolocation data
- Searching for text sequences in a case
- Extracting and analyzing data from cloud storage
- Using bookmarks to highlight important evidence found during an investigation
- Examining Windows system files
- Windows registry analysis
- Analysis of SQLite databases
- Data recovery methods
- Techniques for examining RAM dumps
- Using the hash calculator and hash analysis in forensic investigations
- Analysis of encrypted files
- Methods for examining graphic and video files
- Using analysis techniques in forensic investigations
- Automating routine actions with the built-in Belkascripts programming language
- Practical tasks
Course: Belkasoft Incident Response Exam
The aim of this course is to learn the basics of the forensic investigation of cyber attacks and the possibilities of using Belkasoft Evidence Center in such investigations. Students learn about the main vectors of modern attacks on computer networks, how to classify computer attacks using the MITRE ATT&CK matrix, and how to apply operating system examination algorithms to establish the fact of a compromise and reconstruct the attacker's actions. They learn where the operating system stores artifacts showing which files were last opened, how executable files were downloaded and run, and how the attacker moved across the network, and how to examine these artifacts with BEC. They also learn which events in system logs matter from the standpoint of incident investigation and remote access detection, and how to investigate them with BEC.
The course will be useful for technical specialists who identify the reasons for a successful intrusion and analyze the chain of events and consequences of cyber attacks; system administrators; SOC and CERT/CSIRT staff; and information security staff.
Course overview
The Cyber Kill Chain describes the main stages of a technical attack on the victim's computer (or computer network) as follows:
The actions of SOC staff (CERT, information security and so on) are aimed at preventing intruders from gaining access to protected information resources.
If an attacker nevertheless penetrates the protected infrastructure, the staff listed above must minimize the damage caused by the attacker's activity, determine how the attack was carried out, reconstruct the events and the attacker's sequence of actions within the compromised information infrastructure, and take measures to prevent this kind of attack in the future.
In a compromised information infrastructure, the following kinds of traces indicating that the network (computer) has been compromised can be found:
All such traces can be found with the Belkasoft Evidence Center program.
BEC has an "Incident Investigation" module that, when a storage medium is analyzed, gathers information about the artifacts that help the investigator examine the incident.
Information about the traces that record user actions on the compromised system (Amcache, UserAssist, Prefetch, BAM/DAM files) is displayed by BEC in the following form:
This information includes information about the execution of executable files.
Information about the execution of the file "RDPWInst.exe".
Information about an attacker's presence on a compromised system can be found in Windows registry autorun keys, services, scheduled tasks, logon scripts, WMI and so on. Examples of detecting attacker persistence on the system are shown in the following screenshots:
Attacker persistence via Task Scheduler, by creating a task that runs a PowerShell script.
Attacker persistence via Windows Management Instrumentation (WMI).
Attacker persistence via logon scripts.
Attacker movement across the compromised computer network can be detected, for example, by analyzing Windows system logs (if the attacker used the RDP service).
Information about detected RDP connections.
Information about attacker movement across the network.
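As an added example (not code from the article, from Group-IB or from Belkasoft), the Python snippet below shows the kind of logic behind the RDP-based movement detection described above: it keeps only Security event 4624 records with logon type 10 (RemoteInteractive, the RDP logon type) and links the hops per account into a time-ordered chain. The event records and the IP-to-host inventory are constructed for this example; the hop threshold in accounts_to_review is an assumed policy, not something the article specifies.

```python
# Toy detector for RDP-based lateral movement in Windows Security logs.
# Added example, not code from the article or from Belkasoft. The event
# records below are constructed; field names mirror the EVTX Security log.
from collections import defaultdict
from datetime import datetime

# Security event 4624 with LogonType 10 = RemoteInteractive, i.e. an RDP logon.
RDP_LOGON_EVENT = 4624
RDP_LOGON_TYPE = 10

# Constructed sample events: one account hops WS01 -> SRV-FILE01 -> DC01 over
# RDP; the other records are local/network logons and a logoff (noise).
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "WS01", "LogonType": 2,
     "TargetUserName": "alice", "IpAddress": "-", "TimeCreated": "2019-09-09T08:01:00"},
    {"EventID": 4624, "Computer": "DC01", "LogonType": 10,
     "TargetUserName": "alice", "IpAddress": "10.0.0.50", "TimeCreated": "2019-09-09T09:40:00"},
    {"EventID": 4624, "Computer": "SRV-FILE01", "LogonType": 10,
     "TargetUserName": "alice", "IpAddress": "10.0.0.21", "TimeCreated": "2019-09-09T09:12:00"},
    {"EventID": 4624, "Computer": "SRV-FILE01", "LogonType": 3,
     "TargetUserName": "svc_backup", "IpAddress": "10.0.0.7", "TimeCreated": "2019-09-09T09:41:00"},
    {"EventID": 4634, "Computer": "DC01", "LogonType": 10,
     "TargetUserName": "alice", "IpAddress": "-", "TimeCreated": "2019-09-09T10:00:00"},
]

# Constructed host inventory, used to resolve a source IP back to a host name.
HOST_BY_IP = {"10.0.0.21": "WS01", "10.0.0.50": "SRV-FILE01", "10.0.0.7": "BACKUP01"}


def rdp_logons(events):
    """Return the RDP (RemoteInteractive) logon events, oldest first."""
    hits = [e for e in events
            if e["EventID"] == RDP_LOGON_EVENT and e["LogonType"] == RDP_LOGON_TYPE]
    return sorted(hits, key=lambda e: datetime.fromisoformat(e["TimeCreated"]))


def movement_chains(events, host_by_ip):
    """Per account, list the RDP hops in time order as (source host, target host).
    Unknown source IPs are kept as raw addresses so nothing is silently dropped."""
    chains = defaultdict(list)
    for e in rdp_logons(events):
        source = host_by_ip.get(e["IpAddress"], e["IpAddress"])
        chains[e["TargetUserName"]].append((source, e["Computer"]))
    return dict(chains)


def accounts_to_review(events, host_by_ip, max_hops=1):
    """Accounts whose RDP hop count exceeds max_hops (a threshold assumed here)."""
    chains = movement_chains(events, host_by_ip)
    return sorted(user for user, hops in chains.items() if len(hops) > max_hops)
```

On a real system the same fields come from the Security log (for example via an EVTX parser), and the host inventory from the asset database, so only the two constructed inputs need replacing.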
Thus, Belkasoft Evidence Center helps the investigator identify the compromised computers in an attacked computer network and find traces of malware execution, traces of persistence on the system and movement across the network, and other traces of attacker activity on the compromised computers.
How to conduct such investigations and detect the artifacts described above is covered in the Belkasoft Incident Response Exam training course.
Course plan:
- Cyber attack trends: attacker technologies, tools and goals
- Using threat models to understand attacker tactics, techniques and procedures
- The Cyber Kill Chain
- Incident response algorithm: identification, localization, generation of indicators, search for newly infected hosts
- Analysis of Windows systems with BEC
- Detecting malware's methods of initial infection, network propagation, persistence and network activity with BEC
- Identifying infected systems and reconstructing the infection history with BEC
- Practical tasks
Frequently asked questions. Where are the courses held?
The courses are held at Group-IB headquarters or at an external site (a training center). A trainer can also travel to a corporate customer's site.
Who teaches the classes?
Group-IB trainers are specialists with many years of experience in forensic investigations, corporate investigations and information security incident response.
The trainers' qualifications are confirmed by numerous international certifications, including GCFA, MCFE, ACE and EnCE.
Our trainers easily find a common language with the audience and explain even the most complex topics clearly. Students learn a great deal of relevant and interesting information about investigating computer incidents and about identifying and countering computer attacks, and gain practical knowledge they can apply immediately after the classes.
Do the courses teach useful skills unrelated to Belkasoft products, or are these skills inapplicable without this software?
The skills acquired during the training are useful even without Belkasoft products.
What does the initial test include?
The initial test checks knowledge of the basics of computer forensics. There are no plans to test knowledge of Belkasoft or Group-IB products.
Where can I find information about the company's training courses?
As part of its training courses, Group-IB trains specialists in incident response, malware research and cyber intelligence (threat intelligence), specialists working in security operations centers (SOC), specialists in proactive threat hunting (threat hunters), and others. The full list of Group-IB's own courses is available.
What bonuses do students who complete the joint Group-IB and Belkasoft courses receive?
Those who complete training in the joint Group-IB and Belkasoft courses receive:
- A certificate of course completion.
- A free monthly subscription to Belkasoft Evidence Center.
- A 10% discount on the purchase of Belkasoft Evidence Center.
We would like to inform you that the first course starts on Monday, 9 September - don't miss the opportunity to gain unique knowledge in information security, computer forensics and incident response! Register for the course
When preparing the source article, the presentation by Oleg Skulkin "Using host-based forensics to gain indicators of compromise for successful intelligence-driven incident response" was used.
Source: habr.com