Introduction
You'll notice we've recently moved a lot of our critical server infrastructure from our MSSP's domain, Forela.local, to Northpole.local. We actually managed to buy some second-hand servers from the MSSP, who assured us they were as secure as Christmas! That doesn't seem to be the case: Christmas is doomed, and the attackers seem to be as stealthy as jingling sleigh bells, or they don't want to hide at all!!!!!! We've found the Grinch's malicious notes on all our TinkerTech workstations and servers! Christmas seems doomed. Please help us recover from whoever is carrying out this malicious attack! Please note: these Sherlocks are built sequentially!
We are given a reminder note, a data export produced by the KAPE forensic tool, and the suspicious encrypted files.
Hayabusa can turn the exported event logs into a timeline .csv:
https://github.com/Yamato-Security/hayabusa
```
PS D:\wangan\ctf\sherlock\hayabusa> .\hayabusa-2.17.0-win-x64.exe csv-timeline -d .\DC01.northpole.local-KAPE\uploads\auto\C%3A\Windows\System32\winevt\ -o event.csv
<SNIP>
✔ Which set of detection rules would you like to load? · 5. All event and alert rules (4,493 rules) ( status: * | level: informational+ )
✔ Include deprecated rules? (214 rules) · no
✔ Include unsupported rules? (45 rules) · no
✔ Include noisy rules? (12 rules) · no
✔ Include sysmon rules? (3,758 rules) · yes
<SNIP>

Results Summary:

Events with hits / Total events: 11,094 / 288,184 (Data reduction: 277,090 events (96.15%))

Total | Unique detections: 11,567 | 84
Total | Unique critical detections: 111 (0.96%) | 5 (0.00%)
Total | Unique high detections: 250 (2.16%) | 9 (44.05%)
Total | Unique medium detections: 1,110 (9.60%) | 19 (16.67%)
Total | Unique low detections: 478 (4.13%) | 14 (22.62%)
Total | Unique informational detections: 9,618 (83.15%) | 37 (10.71%)

Dates with most total detections:
critical: 2023-12-13 (66), high: 2023-11-30 (112), medium: 2023-06-08 (250), low: 2023-06-08 (158), informational: 2023-06-22 (1,715)

Top 5 computers with most unique detections:
critical: DC01.forela.local (4), DC01.northpole.local (1)
high: DC01.forela.local (7), DC01.northpole.local (5)
medium: DC01.forela.local (17), DC01.northpole.local (14), WIN-2K324VCQ0RP (1), DC01 (1)
low: DC01.forela.local (14), DC01.northpole.local (9), WIN-2K324VCQ0RP (3), DC01 (2)
informational: DC01.forela.local (33), DC01.northpole.local (32), DC01 (8), WIN-2K324VCQ0RP (8)

Top critical alerts:
  Active Directory Replication from Non Mach... (66)
  Defender Alert (Severe) (36)
  Antivirus Exploitation Framework Detection (6)
  Antivirus Ransomware Detection (2)
  Antivirus Password Dumper Detection (1)

Top high alerts:
  External Remote SMB Logon from Public IP (114)
  Mimikatz DC Sync (66)
  Antivirus Relevant File Paths Alerts (28)
  Antivirus Hacktool Detection (18)
  Defender Alert (High) (14)

Top medium alerts:
  Potentially Malicious PwSh (419)
  Ntdsutil Abuse (193)
  Uncommon New Firewall Rule Added In Window... (149)
  Suspicious Remote Logon with Explicit Cred... (122)
  Explicit Logon (Suspicious Process) (122)

Top low alerts:
  Logon Failure (Wrong Password) (130)
  Volume Shadow Copy Mount (73)
  Firewall Rule Modified In The Windows Fire... (61)
  Logon Failure (Unknown Reason) (56)
  Windows Service Terminated With Error (43)

Top informational alerts:
  Task Executed (3,262)
  PwSh Engine Started (1,083)
  Kerberos Service Ticket Requested (929)
  Logoff (859)
  Logon (Network) (817)
  Admin Logon (805)
  PwSh Pipeline Exec (648)
  Kerberos TGT Requested (267)
  WMI Provider Started (182)
  VSSAudit Security Event Source Registratio... (146)
```
Which CVE did the threat actor (TA) initially exploit to gain access to DC01?
The top alerts above (Active Directory Replication from Non Machine Account, Mimikatz DC Sync) show that a DCSync attack took place. DCSync needs replication rights, so it is a post-compromise step rather than the initial access; that has to be found earlier in the timeline. Open the .csv in Timeline Explorer.
Filter Computer to DC01.northpole.local; nearly all of its events are from 2023-12-13. Sort by time descending and scroll down past the DCSync events, and this entry appears:
Time | Level | Computer | Details
2023-12-13 09:24:23 | info | DC01.northpole.local | Svc: vulnerable_to_zerologon ¦ Path: %systemroot%\hAvbdksT.exe ¦ Acct: LocalSystem ¦ StartType: demand start
Shortly after this entry there is also a password-reset event. That matches Zerologon: Netlogon's ComputeNetlogonCredential uses AES-CFB8 with an all-zero IV, so an all-zero client challenge and all-zero credential are accepted for roughly 1 in 256 session keys; the attacker simply retries until one is accepted, then calls NetrServerPasswordSet2 to set the DC machine account password to empty and authenticates with no password at all.
So the initial access was Zerologon, CVE-2020-1472.
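To show why the 1-in-256 figure holds, here is an added model of the Netlogon credential computation; it is example code written for this writeup, not code from the challenge or from any exploit. Assumptions: AES is replaced by a SHA-256-based keyed function (CFB8 only ever calls the block cipher's forward direction, so any 16-byte PRF reproduces the mode's behaviour; the defect is the fixed zero IV, not AES), and the per-attempt session keys and IVs are derived from a counter so the run is reproducible. The contrast case with a fresh random IV per session is included to show that the zero IV is what makes the retry loop work.

```python
import hashlib

ZERO_IV = bytes(16)          # MS-NRPC fixes the CFB8 IV to all zeros: this is the bug
ZERO_CHALLENGE = bytes(8)    # the all-zero client challenge the exploit sends


def block_prf(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES block encryption (assumption: any keyed 16-byte PRF
    behaves the same here, because CFB8 never needs the inverse direction)."""
    return hashlib.sha256(key + block).digest()[:16]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8: each plaintext byte is XORed with the first byte of E(register),
    and the resulting ciphertext byte is shifted into the register."""
    if len(iv) != 16:
        raise ValueError("IV must be one 16-byte block")
    shift = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = p ^ block_prf(key, bytes(shift))[0]
        out.append(c)
        del shift[0]          # drop the oldest byte ...
        shift.append(c)       # ... and feed the ciphertext byte back in
    return bytes(out)


def compute_netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    """ComputeNetlogonCredential as specified: CFB8 over the challenge with a zero IV."""
    return cfb8_encrypt(session_key, ZERO_IV, challenge)


def zerologon_attempt_succeeds(session_key: bytes) -> bool:
    """One NetrServerAuthenticate3 attempt: the client sent a zero challenge and
    claims a zero credential; the server accepts if its own result is also zero."""
    return compute_netlogon_credential(session_key, ZERO_CHALLENGE) == bytes(8)


def key_is_weak(session_key: bytes) -> bool:
    """Success happens exactly when E(0^16)[0] == 0x00: then c0 = 0, the register
    stays all-zero, and every following byte is 0x00 too. Probability 1/256."""
    return block_prf(session_key, ZERO_IV)[0] == 0


def _session_key(i: int) -> bytes:
    # Constructed key material; a real session key derives from the server challenge.
    return hashlib.sha256(b"constructed-session-" + i.to_bytes(4, "big")).digest()[:16]


def find_weak_session_key(start: int = 0) -> bytes:
    """Search constructed keys until one accepts the zero credential (about 256 tries)."""
    i = start
    while not key_is_weak(_session_key(i)):
        i += 1
    return _session_key(i)


def simulate(attempts: int) -> dict:
    """Model the exploit loop: every attempt gets a fresh session key. Also count
    how often a zero credential would pass if the IV were fresh per session."""
    successes = successes_random_iv = 0
    first_success = None
    for i in range(attempts):
        key = _session_key(i)
        ok = zerologon_attempt_succeeds(key)
        if ok != key_is_weak(key):
            raise AssertionError("success criterion does not match the analysis")
        if ok:
            successes += 1
            first_success = first_success or i + 1
        iv = hashlib.sha256(b"constructed-iv-" + i.to_bytes(4, "big")).digest()[:16]
        if cfb8_encrypt(key, iv, ZERO_CHALLENGE) == bytes(8):
            successes_random_iv += 1
    return {"attempts": attempts, "successes": successes,
            "first_success_at": first_success, "successes_random_iv": successes_random_iv}


if __name__ == "__main__":
    r = simulate(4096)
    print(f"{r['successes']} of {r['attempts']} session keys accepted the zero credential "
          f"(expected about {r['attempts'] // 256}); first success at attempt "
          f"{r['first_success_at']}; with a random IV: {r['successes_random_iv']}")
```

With a random IV the register is never all-zero, so all eight output bytes only vanish with probability 2^-64; with the fixed zero IV the whole outcome hinges on a single byte, which is why a few hundred RPC calls are enough.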
When did the TA first exploit the CVE? (UTC)
2023-12-13 09:24:23
What is the name of the executable associated with the unusual service that was installed on the system while the CVE was being exploited?
From the event above: hAvbdksT.exe
On what date and time did the unusual service start?
After vulnerable_to_zerologon was installed there are several NTLM authentications, and a few minutes later a password reset. The service start event is at 2023-12-13 09:24:24.
What is the TA's IP address on our internal network?
The event Details show the source IP: SrcIP: 192.168.68.200
List all user accounts the TA used during their access. (ascending order)
Search the TgtUser field:
Administrator, Bytesparkle
What is the name of the scheduled task the TA created?
Search for Scheduled Task.
One event reads:
Name: CreatedTaskProcess ¦ Path: C:\Users\bytesparkle\Downloads\svc\svchost.exe ¦ Priority: 16384 ¦ ProcessID: 1800 ¦ TaskName: \Microsoft\svc_vnc
Task name: svc_vnc
Santa's memory has been a bit poor lately! He likes to write everything down, but all our important files have been encrypted! What creature does Santa's new sleigh design intend to use?
After extracting the directory of encrypted files, Windows Defender immediately alerted on splunk_svc.dll, so that is presumably the encryptor. Load it into IDA64 for analysis.
The encryption logic is in sub_180001330:
```c
void __fastcall sub_180001330(char *a1)
{
  <SNIP>
  SubStr[0] = ".3ds";
  v1 = a1;
  SubStr[1] = ".jpg";
  SubStr[2] = ".JPG";
  SubStr[3] = ".png";
  SubStr[4] = ".PNG";
  <SNIP>
      fputc(v24 ^ aEncryptingc4fu[v23], v20);
    }
    v6 = v53;
    if ( fclose(v19) || fclose(v20) )
LABEL_46:
      sub_180001020("\nXOR operation failed!");
    ++dword_180005628;
    SHGetSpecialFolderPathA(0i64, pszPath, 0, 0);
    v27 = Buffer;
    v28 = 5i64;
  <SNIP>
}
```
The core is fputc(v24 ^ aEncryptingc4fu[v23], v20): every file whose extension is in the list above is XORed byte by byte with the repeating key "EncryptingC4Fun!" (IDA named that string aEncryptingc4fu). XOR is its own inverse, so recovery is just XORing with the same key again. In CyberChef, load topsecret.png.xmax, apply XOR, and enter the key with the UTF-8 option.
Unicorn
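The same recovery in code, as an added example written for this writeup (not the challenge's or the malware's own code). It does what the CyberChef step does for a whole directory tree, checks the recovered PNG/JPEG magic so a wrong key is caught instead of silently producing garbage, and goes one step further than the text: because a PNG always begins with the 16 bytes 89 50 4E 47 0D 0A 1A 0A 00 00 00 0D 49 48 44 52 and the key is 16 bytes long, the key can be recovered from any .png.xmax file alone, without the DLL. Assumptions: the key period is 16 (as the recovered string confirms) and files keep their original name plus the .xmax suffix, as seen with topsecret.png.xmax; the demo() input is a constructed fake PNG, not the challenge file.

```python
import os
import tempfile
from typing import Optional

# Key recovered from the IDA listing (the string IDA named aEncryptingc4fu).
XOR_KEY = b"EncryptingC4Fun!"

# Extensions the sample targets (from the SubStr[] array) and the suffix it appends.
TARGET_EXTS = {".3ds", ".jpg", ".JPG", ".png", ".PNG"}
ENCRYPTED_SUFFIX = ".xmax"

# Fixed leading bytes of every PNG: signature + IHDR chunk length (13) + "IHDR" = 16 bytes,
# i.e. exactly one key period of known plaintext.
PNG_KNOWN_PREFIX = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR"

# Magic bytes used to sanity-check a recovered file (only formats with a fixed header).
MAGIC = {".png": PNG_KNOWN_PREFIX[:8], ".jpg": b"\xff\xd8\xff"}


def xor_with_key(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR; encryption and decryption are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key_from_png(ciphertext: bytes) -> bytes:
    """Known-plaintext recovery: key = ciphertext XOR known PNG prefix (assumes a 16-byte key period)."""
    if len(ciphertext) < len(PNG_KNOWN_PREFIX):
        raise ValueError("need at least 16 bytes of ciphertext")
    return bytes(c ^ p for c, p in zip(ciphertext[:16], PNG_KNOWN_PREFIX))


def looks_valid(plaintext: bytes, original_ext: str) -> bool:
    """True if the recovered bytes start with the magic expected for that extension
    (or if the format has no fixed magic we check, such as .3ds)."""
    expected = MAGIC.get(original_ext.lower())
    return expected is None or plaintext.startswith(expected)


def decrypt_file(path: str, out_dir: Optional[str] = None) -> str:
    """Recover one .xmax file next to it (or into out_dir) and return the output path."""
    if not path.endswith(ENCRYPTED_SUFFIX):
        raise ValueError(f"not an {ENCRYPTED_SUFFIX} file: {path}")
    original = path[: -len(ENCRYPTED_SUFFIX)]
    _, ext = os.path.splitext(original)
    with open(path, "rb") as f:
        plaintext = xor_with_key(f.read())
    if not looks_valid(plaintext, ext):
        raise ValueError(f"{path}: output lacks the expected {ext} magic; wrong key?")
    out_path = original if out_dir is None else os.path.join(out_dir, os.path.basename(original))
    with open(out_path, "wb") as f:
        f.write(plaintext)
    return out_path


def decrypt_tree(root: str) -> list:
    """Walk a directory and recover every .xmax file found; returns the output paths."""
    recovered = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(ENCRYPTED_SUFFIX):
                recovered.append(decrypt_file(os.path.join(dirpath, name)))
    return recovered


def demo() -> dict:
    """Constructed end-to-end run on a fake PNG (not the challenge file)."""
    sample_png = PNG_KNOWN_PREFIX + bytes(range(256))
    with tempfile.TemporaryDirectory() as d:
        enc_path = os.path.join(d, "topsecret.png" + ENCRYPTED_SUFFIX)
        with open(enc_path, "wb") as f:
            f.write(xor_with_key(sample_png))
        with open(enc_path, "rb") as f:
            recovered_key = recover_key_from_png(f.read())
        outputs = decrypt_tree(d)
        with open(outputs[0], "rb") as f:
            restored = f.read()
    return {"recovered_key": recovered_key,
            "outputs": [os.path.basename(p) for p in outputs],
            "restored_matches": restored == sample_png}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for p in decrypt_tree(sys.argv[1]):
            print("recovered", p)
    else:
        print(demo())
```

Run it with the extracted directory as the only argument to recover everything in place; with no argument it runs the constructed self-check.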
Confirm the process ID of the process that encrypted our files.
Use EvtxECmd to export the complete event logs, then open the output in Timeline Explorer:
```
PS D:\wangan\ctf\sherlock\EvtxeCmd> .\EvtxECmd.exe -d '.\Logs\' --csv .\ --csvf MyOutputFile.csv
```
Search for xmax; the hits come from the provider Microsoft-Windows-UAC-FileVirtualization. Open that log in Event Viewer, locate Event ID 4000, and switch to the XML view of the details:
```xml
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-UAC-FileVirtualization" Guid="{c02afc2b-e24e-4449-ad76-bcc2c2575ead}" />
    <EventID>4000</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2023-12-13T11:03:20.1723586Z" />
    <EventRecordID>28</EventRecordID>
    <Correlation />
    <Execution ProcessID="5828" ThreadID="6480" />
    <Channel>Microsoft-Windows-UAC-FileVirtualization/Operational</Channel>
    <Computer>DC01.northpole.local</Computer>
    <Security UserID="S-1-5-21-555278382-3747106525-1010465941-1110" />
  </System>
  <EventData>
    <Data Name="Flags">8</Data>
    <Data Name="SidLength">28</Data>
    <Data Name="Sid">S-1-5-21-555278382-3747106525-1010465941-1110</Data>
    <Data Name="FileNameLength">147</Data>
    <Data Name="FileNameBuffer">\Device\HarddiskVolume4\ProgramData\Package Cache\{A250E750-DB3F-40C1-8460-8EF77C7582DA}v14.32.31326\packages\vcRuntimeAdditional_x86\cab1.cab.xmax</Data>
    <Data Name="ProcessImageNameLength">53</Data>
    <Data Name="ProcessImageNameBuffer">\Device\HarddiskVolume4\Windows\System32\rundll32.exe</Data>
    <Data Name="CreateOptions">83886176</Data>
    <Data Name="DesiredAccess">1180054</Data>
    <Data Name="IrpMajorFunction">0</Data>
  </EventData>
</Event>
```
The process writing the .xmax file is rundll32.exe, which fits splunk_svc.dll being run through rundll32 rather than as a standalone executable, and its PID is in the Execution element:
5828