# 2025/08/12 First attack-defence exercise
## Entry time
**2025/8/14 6:00 AM**
Afternoon: worm attack, network affected; reverse engineering, network analysis, SIEM
File share path: share (file://WS-WIN10-CNT2/share)
## Clues
**Time / host / path / file (record in detail so mitigation can follow)**
8/14 5:03 AM 192.168.100.14 antivirus EPO update failed
8/14 5:04 AM 192.168.100.15 antivirus EPO update failed
8/14 5:09 AM 192.168.100.14 ->
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command Remove-Item -Force C:\Windows\SysWOW64\msshield.exe
8/14 5:10 AM 192.168.100.13 antivirus EPO update failed
8/14 5:10 AM 192.168.100.13 -> 172.16.100.0/24 & 192.168.66.0/24 & 192.168.100.0/24 & 192.168.200.0/24 & 192.168.214.0/24 ping sweep
8/14 5:12 AM 192.168.100.14 ->
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe schtasks /Create /SC MINUTE /MO 1 /TR 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noprofile -executionpolicy bypass -file C:\ProgramData\Weaponizing.ps1 -windowstyle hidden' /TN MicrosoftPowerShellUpdaterTask /RU user055 /RL HIGHEST
8/14 5:13 AM 192.168.100.14 -> 192.168.100.13 logon as User055 over 445
8/14 5:13 AM 192.168.100.14 ->
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass SCHTASKS /DELETE /TN MicrosoftPowerShellUpdaterTask
8/14 5:14 AM 192.168.100.12 -> 172.16.100.0/24 & 192.168.66.0/24 & 192.168.200.0/24 & 192.168.214.0/24 ping sweep
8/14 5:14 AM 192.168.100.12 connects over 445 to 172.16.100.4, .6 & 192.168.200.1, .23, .30, .40, .90, .100 & 192.168.214.4
8/14 5:14 AM 192.168.100.13 connects over 445 to 172.16.100.4, .6 & 192.168.200.1, .6, .20, .23, .30, .40, .90, .100 & 192.168.214.4
8/14 5:15 AM 192.168.100.14 -> 172.16.100.0/24 & 192.168.66.0/24 & 192.168.200.0/24 & 192.168.214.0/24 ping sweep
8/14 5:15 AM 192.168.100.14 connects over 445 to 172.16.100.4, .6 & 192.168.200.1, .6, .23, .30, .40, .90, .100 & 192.168.214.4
8/14 5:17 AM 192.168.100.13 ->
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command Test-Path C:\Windows\SysWOW64\msshield.exe -PathType Leaf
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command [bool](ps -name msshield -erroraction silentlycontinue)
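A detection check for the ping-sweep plus 445 fan-out pattern in the timeline above, as an added example that is not part of these notes; the flow records, thresholds and the `detect()` function are constructed for illustration:

```python
# Added example, not from the notes: flag ICMP ping sweeps across a /24 and
# SMB/445 fan-out per source host, the pattern seen at 5:10-5:15 AM above.
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records: (time, src, dst, proto, dst_port)
FLOWS = [
    ("05:10", "192.168.100.13", f"192.168.200.{i}", "icmp", None)
    for i in range(1, 255)
] + [
    ("05:14", "192.168.100.12", dst, "tcp", 445)
    for dst in ("172.16.100.4", "172.16.100.6", "192.168.200.1", "192.168.200.23",
                "192.168.200.30", "192.168.200.40", "192.168.200.90")
] + [
    # one host opening a single share: should not be flagged
    ("05:14", "192.168.100.50", "192.168.200.1", "tcp", 445),
]

PING_SWEEP_THRESHOLD = 32   # distinct ICMP targets inside one /24 from one source
SMB_FANOUT_THRESHOLD = 5    # distinct 445 targets from one source

def detect(flows):
    """Return sorted findings as (kind, src, scope, target_count)."""
    icmp_targets = defaultdict(set)   # (src, /24) -> set of dst
    smb_targets = defaultdict(set)    # src -> set of dst
    for _t, src, dst, proto, port in flows:
        if proto == "icmp":
            net = ip_network(f"{dst}/24", strict=False)
            icmp_targets[(src, str(net))].add(dst)
        elif proto == "tcp" and port == 445:
            smb_targets[src].add(dst)
    findings = []
    for (src, net), dsts in icmp_targets.items():
        if len(dsts) >= PING_SWEEP_THRESHOLD:
            findings.append(("ping_sweep", src, net, len(dsts)))
    for src, dsts in smb_targets.items():
        if len(dsts) >= SMB_FANOUT_THRESHOLD:
            targets = ",".join(sorted(dsts, key=ip_address))
            findings.append(("smb_fanout", src, targets, len(dsts)))
    return sorted(findings)

if __name__ == "__main__":
    for kind, src, scope, n in detect(FLOWS):
        print(f"{kind}: {src} -> {scope} ({n} targets)")
```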
### 192.168.100.13
Ping sweep 192.168.66.0/24 192.168.100.0/24 192.168.200.0/24 192.168.214.0/24 172.16.100.0/24
Execution order (by time): audiodg.exe > msshield.exe > Winmg.exe

Registry entry:
McShield C:\Windows\SysWoW64\msshield.exe
C:\Windows\SysWOW64
08/14/2025 05:13 AM 89,600 msshield.exe
08/14/2025 05:13 AM 15,872 Winmg.exe
C:\temp
08/14/2025 05:13 AM 89,600 audiodg.exe
08/14/2025 05:13 AM 3,657 log.txt
### 192.168.100.14
D:\
08/14/2025 05:11 AM 51 AUTORUN.INF
08/14/2025 05:10 AM 109,482 OFFICE.ICO
08/14/2025 05:10 AM 89,600 OFFICE_XP_SP6.EXE
Registry entry (present in many locations):
McShield C:\Windows\SysWoW64\msshield.exe
C:\Windows\SysWOW64
08/14/2025 05:13 AM 89,600 msshield.exe
08/14/2025 05:13 AM 15,872 Winmg.exe
C:\Windows\Temp
08/14/2025 05:13 AM 757 z1mc5cwo.inf
08/14/2025 05:13 AM 791 vsivp1iz.inf
08/14/2025 05:13 AM 786 szeio4pn.inf
### 192.168.66.20
c:\temp\audiodg
### 192.168.200.1
c:\temp\audiodg
McShield C:\Windows\SysWoW64\msshield.exe
C:\Windows\SysWOW64
08/14/2025 05:13 AM 89,600 msshield.exe
08/14/2025 05:13 AM 15,872 Winmg.exe
### 192.168.200.40
c:\temp\audiodg
McShield C:\Windows\SysWoW64\msshield.exe
C:\Windows\SysWOW64
08/14/2025 05:13 AM 89,600 msshield.exe
08/14/2025 05:13 AM 15,872 Winmg.exe
## Suspicious file analysis
### 192.168.100.14
**OFFICE_XP_SP6.EXE** << this one plainly shows the worm's strings:
Appears to have the same content as msshield.exe
In OFFICE_XP_SP6.EXE\Worm.Windows\InjectionMethods
it injects a ByteCode array into these two files:
public static readonly string DllInjectorFileName = "msldr.exe";
public static readonly string InjectedDllFileName = "msldr.dll";
**szeio4pn.inf**
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass Remove-Item C:\ProgramData\Weaponizing.ps1 -Force
taskkill /IM cmstp.exe /F
**vsivp1iz.inf**
; Commands Here will be run Before Setup Begins to install
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass SCHTASKS /DELETE /TN MicrosoftPowerShellUpdaterTask /f
taskkill /IM cmstp.exe /F
**z1mc5cwo.inf**
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass D:\OFFICE_XP_SP6.EXE
taskkill /IM cmstp.exe /F
### 192.168.100.13
**msshield.exe** << this one plainly shows the worm's strings:
1. // Worm, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
2. In Worm.Program:
(1). The program checks the domain name and exits immediately if it is not services.dom
(2). Writes "Running in debug mode. Ver 1.1" to C:\\temp\\log.txt
(3). After starting, it first writes the log string: WatchDog run in start function
(4). The IP ranges to scan are hard-coded in the program:
Attacker.AttackSources.Add(new AttackSourceLocalIPs());
IPRange range = new IPRange("172.16.100.0", "172.16.100.255");
IPRange range2 = new IPRange("192.168.200.0", "192.168.200.255");
IPRange range3 = new IPRange("192.168.214.0", "192.168.214.255");
IPRange range4 = new IPRange("192.168.100.0", "192.168.100.255");
IPRange range5 = new IPRange("192.168.66.0", "192.168.66.255");
(5). In AttackDomainControllers(), it checks whether a process named "msshield.exe" exists on the DC; if none is found, it enumerates the DC's process list and then attempts to inject into the DC:
IOMethods.CopySelfToRemoteMachine(value);
IOMethods.CopyInjectionFilesToRemoteMachine(value);
(6). After attacking the DC, it attacks the devices in each AttackSources subnet listed in (4) and starts the "msshield.exe" executable on them
(7). SelfDeleteBatchFilePath = "c:\\temp\\1.bat";
(8). TempExecutableName = "audiodg.exe";
(9). public static string TrainerScriptName = "script.bat";
(10). Worm.Windows.Loader checks whether this is the first run; if so, it calls AddSelfToAutoRun(), which modifies the registry:
Registry.CurrentUser.CreateSubKey("Software\\Microsoft\\Windows\\CurrentVersion\\Run").SetValue("McShield", IOMethods.AutoRunExecutablePath, RegistryValueKind.String);
Registry.CurrentUser.CreateSubKey("Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce").SetValue("McShield", IOMethods.AutoRunExecutablePath, RegistryValueKind.String);
Registry.LocalMachine.CreateSubKey("Software\\Microsoft\\Windows\\CurrentVersion\\Run").SetValue("McShield", IOMethods.AutoRunExecutablePath, RegistryValueKind.String);
Registry.LocalMachine.CreateSubKey("Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce").SetValue("McShield", IOMethods.AutoRunExecutablePath, RegistryValueKind.String);
If it is not the first run, it deletes c:\\temp\\1.bat and then hides the msshield.exe window
**audiodg.exe** << this one plainly shows the worm's strings; roughly the same as msshield.exe
**winmg.exe** << this one is likely the watchdog associated with the malware; when started with the argument "debug" it periodically(??) writes EventLog entries with eventLog.Source = "Windows Memory Initializer"
and keeps emitting Trace.TraceInformation("Running in debug mode");
### 192.168.100.15
Ping sweep 172.16.100.0/24 192.168.214.0/24 192.168.66.0/24 192.168.200.0/24
### 192.168.200.6
Ping sweep 172.16.100.0/24 192.168.214.0/24 192.168.66.0/24 192.168.100.0/24
User055: multiple failed logons on 192.168.200.6
## Mitigation confirmation (record after mitigating)
**Delete / block / kill the process**
## Questions
**Please help translate and analyse the questions (including each option)**
**External Device**
To which host was the external device connected? (Hostname)
null
What malicious file was on the external device? (Filename.extension)
null
**File Encryption**
Which hosts were affected by this? (Hostname1, Hostname2...)
null
What is the encrypted file extension? (Extension)
null
What is the UUID given to the user by the ransomware? (Value)
null
**Ping Sweep**
What was the purpose of this action?
null
**Process for Creating Communication**
What TCP port is this process listening on?
null
With what privileges did the process run?
null
What is the full path of the process file? (C:\example.exe)
null
What is the name of the process? (ProcessName)
null
**Process for Defense Evasion**
On which host(s) are these processes running?
null
What is the full path of the process file? (C:\example.exe)
null
What is the parent process? (ProcessName)
null
What is the process command line?
null
What is the name of the process? (ProcessName)
null
**Registry Run Key Changes**
What value was added to the registry run keys? (ValueName)
null
To which host was the registry value added?
null
**Service Manipulation**
What is the name of the service? (ServiceName)
null
What configuration was changed?
null
**Web Shell**
From which IP address did the attacker use the web shell? (X.X.X.X)
null
From which host did the attacker use the web shell? (Hostname)
null
---
## Handy tips
### Common decodings
Base64, ROT13
### ILSpy
Drag the executable in and search for keywords
### OLETools
Run every Office document through it and then decide whether it carries macros
## Windows quick evidence collection
### File directory structure (check file creation times)
dir C:\ /od/tc/a/s > dir_C.txt
dir D:\ /s/a/tc/od > dir_D.txt
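An added example (not part of these notes) that parses the output of the dir commands above and flags entries created in the incident window or matching the artefact names and sizes recorded under the host listings; the sample output, the window and the `triage()` function are constructed here:

```python
# Added example, not from the notes: parse `dir C:\ /od/tc/a/s` output (creation
# times, English locale) and flag files created in the incident window or matching
# the artefact names and sizes recorded in the host listings above.
import re
from datetime import datetime

# Constructed sample of dir output in the format the command produces
DIR_OUTPUT = """\
 Directory of C:\\Windows\\SysWOW64

08/14/2025  05:13 AM            89,600 msshield.exe
08/14/2025  05:13 AM            15,872 Winmg.exe
03/02/2024  11:20 AM         1,024,000 kernel32.dll

 Directory of C:\\temp
08/14/2025  05:13 AM    <DIR>          .
08/14/2025  05:13 AM            89,600 audiodg.exe
08/14/2025  05:13 AM             3,657 log.txt
"""
# Names and sizes taken from the listings above; window is the observed activity period
KNOWN_ARTEFACTS = {"msshield.exe": 89600, "winmg.exe": 15872, "audiodg.exe": 89600}
WINDOW = (datetime(2025, 8, 14, 5, 0), datetime(2025, 8, 14, 5, 20))
DIR_RE = re.compile(r"^\s*Directory of (.+)$")
ENTRY_RE = re.compile(r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+(<DIR>|[\d,]+)\s+(.+)$")

def parse_dir(text):
    """Yield (full_path, created, size) for each file entry; directories are skipped."""
    current = None
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:
            current = m.group(1).rstrip("\\")
            continue
        m = ENTRY_RE.match(line)
        if not m or m.group(3) == "<DIR>":
            continue
        created = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%m/%d/%Y %I:%M %p")
        yield f"{current}\\{m.group(4)}", created, int(m.group(3).replace(",", ""))

def triage(text, window=WINDOW, known=KNOWN_ARTEFACTS):
    """Return [(path, reasons)] for files created in the window or matching a known artefact."""
    hits = []
    for path, created, size in parse_dir(text):
        name = path.rsplit("\\", 1)[-1].lower()
        reasons = []
        if window[0] <= created < window[1]:
            reasons.append("created_in_window")
        if known.get(name) == size:
            reasons.append("known_artefact")
        if reasons:
            hits.append((path, reasons))
    return hits
```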
### Autostart at boot (services, scheduled tasks, startup folders, etc.)
SysinternalsSuite\autorunsc64.exe -a * -h -s -u -x > autoruns_nosign.xml
### Network connections (look for suspicious external IPs and check which ports are open)
SysinternalsSuite\tcpvcon64.exe -a -c -n >> tcpview.csv
netstat -anbo >> netstat.txt
### Check processes for injected DLLs (look for odd paths)
SysinternalsSuite\Listdlls64.exe -r /accepteula > listDlls-r.txt
### Signature check for a path of interest
SysinternalsSuite\sigcheck64.exe -accepteula -u -e -h <path> > <path>_unsign.txt
c:\windows
c:\windows\system32
c:\windows\SysWOW64
c:\windows\temp
c:\PerfLogs
c:\ProgramData
c:\$Recycle.Bin
c:\Users\<user>\Downloads or Desktop
### System log searches
wevtutil qe security /q:"*[System[(EventID=4624)]]" /rd:true /f:text > security_4624.txt (mainly look at logon types 10 and 3, correlated with the timeline)
wevtutil qe security /q:"*[System[(EventID=4625)]]" /rd:true /f:text > security_4625.txt (failed logon)
wevtutil qe security /q:"*[System[(EventID=4648)]]" /rd:true /f:text > security_4648.txt (logon with another account's credentials)
wevtutil qe security /q:"*[System[(EventID=4688)]]" /rd:true /f:text > security_4688.txt (process creation records)
wevtutil qe security /q:"*[System[(EventID=4697)]]" /rd:true /f:text > security_4697.txt
wevtutil qe security /q:"*[System[(EventID=4698)]]" /rd:true /f:text > security_4698.txt
wevtutil qe security /q:"*[System[(EventID=4720)]]" /rd:true /f:text > security_4720.txt
1102 audit log cleared
4719 system audit policy changed
4697 service installation attempted
4698 scheduled task created
4720 user account created
4950 Windows Firewall setting changed
5025 Windows Firewall service stopped
wevtutil qe system /q:"*[System[(EventID=7045)]]" /rd:true /f:text > system_7045.txt (service installed)
wevtutil qe "Windows Powershell" /q:"*[System[(EventID=400)]]" /rd:true /f:text > powershell_400.txt (PowerShell engine started)
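An added example, not from these notes, that applies the logon-type 3/10 and time-window filter the 4624 note above describes to wevtutil's /f:text output; the sample events, the hostname WS-EXAMPLE, the account names and the `remote_logons()` function are constructed:

```python
# Added example, not from the notes: filter `wevtutil qe security ... /f:text`
# output for 4624 events of logon type 3 (network) or 10 (RDP) inside the window.
import re
from datetime import datetime

# Constructed sample in the wevtutil /f:text layout (fields abbreviated, names made up)
SAMPLE = """\
Event[0]:
  Date: 2025-08-14T05:13:02.000
  Event ID: 4624
  Computer: WS-EXAMPLE
Subject:
\tAccount Name:\t\t-
Logon Information:
\tLogon Type:\t\t3
New Logon:
\tAccount Name:\t\tuser055
Network Information:
\tSource Network Address:\t192.168.100.14

Event[1]:
  Date: 2025-08-14T04:10:00.000
  Event ID: 4624
  Computer: WS-EXAMPLE
Logon Information:
\tLogon Type:\t\t2
New Logon:
\tAccount Name:\t\tlocaladmin
Network Information:
\tSource Network Address:\t-
"""

WINDOW = (datetime(2025, 8, 14, 5, 0), datetime(2025, 8, 14, 5, 20))

def field(block, name):
    """Last occurrence wins: 'Account Name' under New Logon follows the Subject one."""
    vals = re.findall(rf"^\s*{re.escape(name)}:\s*(.*?)\s*$", block, re.M)
    return vals[-1] if vals else None

def remote_logons(text, window=WINDOW, types=("3", "10")):
    """Return (time, computer, account, logon_type, source_ip) for matching 4624 events."""
    hits = []
    for block in re.split(r"^Event\[\d+\]:", text, flags=re.M):
        if field(block, "Event ID") != "4624":
            continue
        when = datetime.strptime(field(block, "Date")[:19], "%Y-%m-%dT%H:%M:%S")
        ltype = field(block, "Logon Type")
        if ltype in types and window[0] <= when < window[1]:
            hits.append((when, field(block, "Computer"), field(block, "Account Name"),
                         ltype, field(block, "Source Network Address")))
    return hits
```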
## USB
Two registry locations: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR: this path holds information on every USB storage device ever connected to the computer; each subkey corresponds to one device's serial number.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies
## Linux recommended evidence collection
### File directory structure (check file creation times)
ls -altc --full-time -R > ls.txt
### Commands previously run
history
cp /home/<user>/.bash_history <user>.txt
### Network connections (look for suspicious external IPs and check which ports are open)
netstat -anp > netstat-anp.txt
### Processes (look for anything unusual running, e.g. started from ./)
ps auxeww > psauxeww.txt
### Check whether hosts has had extra DNS mappings added (copy into an evidence directory, here evidence/)
cp /etc/hosts evidence/
more /etc/hosts
### Scheduled tasks (copy into the evidence directory)
cp -R /var/spool/cron evidence/
cp -R /etc/cron.* evidence/
cp -R /var/spool/anacron/ evidence/
cp -R /var/spool/at/ evidence/
cp /etc/at.* evidence/
### Logon activity
last -axF > last.txt (logon records in time order)
lastlog > lastlog.txt (last logon time for each account)
lastb > lastb.txt (failed logons)
### Check the system logs for anything of interest, e.g. sshd logon traces
cp /var/log/secure* varlog/
cp /var/log/messages* varlog/
cp /var/log/auth.log* varlog/
cp /var/log/syslog* varlog/
### Windows: logon history and PowerShell command history
WinLogOnView (NirSoft)
notepad (Get-PSReadLineOption).HistorySavePath
## AWS
docker ps
docker exec -it image_id bash
aws s3 ls
aws s3 ls bucket_id
aws s3 cp s3://bucket_id/<filename> .