hacker白帽知识分享
As a backdoor, it hard-codes a PRIVATE KEY, as shown in the figure below:

Because some functions were hooked via patchELF, behaviour such as command execution after the SSH login is concealed. rmgr_fake_sshd itself, and the child processes spawned by the SSH login, are hidden by rmgr.ko, which, as analysed earlier, patches kernel calls.

rmgr_fake_sshd loads a hard-coded sshd_config at startup; note several key settings in it.
It listens on local port 26657, and rmgr_daemon connects to this port to forward the SSH commands coming from the C2. This mimics a network protocol commonly seen in business environments, so the detection logic of conventional NIDS is bypassed.

Step 3: Finish
This mainly means hardening, so that the attacker cannot get in again with the same technique. Specific measures:

Harden the entry point: apply patches and tighten ACLs.
O&M channel: disable old accounts, change the server accounts along the attack path, and add two-factor authentication.
Restrict the range of systems each user role can access.
Dump the victim systems and preserve the VM images for later investigation.
Rebuild the victim systems and redeploy the business environment.
Require signature verification for kernel module loading on the new systems.
Step 4: Exploit
Once the incident response work is complete and the scene and the files have been analysed, the key information extracted from the whole incident is distilled into threat intelligence. This article reduces the threat-intelligence pyramid model to two parts, IOCs and TTPs; the TTPs are summarised with the ATT&CK matrix model.

Threat intelligence pyramid model (figure)

1. IOCs

(1) MD5:
7d859a22f38f0bcd55a46bc8b67c40df
fa73b2fd914a0cfd5e7d3161af903b6c

(2) C2:
hm2.yrnykx.com

2. TTPs
Step 5: Analyze
As the TTPs in the previous section show, the ATT&CK matrix does not fully cover all the concealment techniques this trojan uses against security systems.

Roughly classified, its concealment techniques (process, network, file) are:

The C2 channel avoids NIDS detection through fake_sshd;
patchELF is used to bypass HIDS command auditing that hooks libc;
fake_bash_add_history defeats shell auditing;
Patching seq_show alters what the system returns when files under /proc are read, hiding the trojan's file, process and network-connection information;
Patching vfs_readdir hides the trojan's files;
Unlinking the kernel's process and module list entries keeps rootkit detection tools from finding traces of the trojan in the kernel;

Clearly this trojan kit contains a great deal of technical detail aimed at defeating security systems, but it mainly targets some older HIDS products on the market and post-incident forensic tools. Kernel-mode process-spawn syscall hooks, and inotify combined with cloud scanning, can still detect it.
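As an added defender-side example, not code from the original post: two cross-checks that surface the concealment described above by reading the same facts through a path the described hooks do not cover. A process filtered out of /proc enumeration (patched vfs_readdir/seq_show) still answers kill(pid, 0), and a listener filtered out of /proc/net/tcp still makes a bind() on its port fail with EADDRINUSE. The function names and the sample /proc/net/tcp lines are constructed here, and the kill() and bind() paths are assumed to be unhooked.

```python
import errno
import os
import socket

def listed_pids(proc="/proc"):
    """PIDs seen by enumerating /proc; a patched vfs_readdir/seq_show filters this view."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}

def probe_pid(pid):
    """Existence check via kill(pid, 0): no /proc directory is read, so the
    readdir filter never runs. Assumption: the kill() path itself is unhooked."""
    try:
        os.kill(pid, 0)
        return True
    except ProcessLookupError:
        return False
    except PermissionError:
        return True          # exists, but owned by another user

def hidden_pids(listed, probe, max_pid):
    """PIDs that answer the probe but are missing from the enumerated set."""
    return sorted(p for p in range(1, max_pid + 1) if probe(p) and p not in listed)

def listed_tcp_ports(proc_net_tcp_text):
    """Local ports in LISTEN state (st == 0A) parsed from the text of /proc/net/tcp."""
    ports = set()
    for line in proc_net_tcp_text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) > 3 and fields[3] == "0A":
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))  # port is hex
    return ports

def port_in_use(port, host="127.0.0.1"):
    """True only on EADDRINUSE: a socket is bound there whatever /proc says.
    EACCES on privileged ports (non-root) is deliberately not counted."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
            return False
        except OSError as e:
            return e.errno == errno.EADDRINUSE

def hidden_listeners(candidate_ports, listed, in_use):
    """Ports that are in use but absent from the parsed listener list."""
    return sorted(p for p in candidate_ports if in_use(p) and p not in listed)

if __name__ == "__main__":
    pid_max = int(open("/proc/sys/kernel/pid_max").read())   # full sweep, takes seconds
    print("hidden pids:", hidden_pids(listed_pids(), probe_pid, pid_max))
    shown = listed_tcp_ports(open("/proc/net/tcp").read())
    # 26657 is the fake sshd port from the analysis above; 22 is the real sshd.
    print("hidden listeners:", hidden_listeners([22, 26657], shown, port_in_use))
```

A rootkit that also hooks kill() or bind() defeats both checks, so treat an empty result as "not found by this method", not as clean.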
Dimensions of the contest between the trojan and security systems (figure)

A complete trojan system cannot have been developed for a single intrusion; it must borrow from a lot of open-source or family code. So from an attribution standpoint, code "archaeology" can be done, while the related code style and trojan behaviour are folded into the security system's signature database. Due to length limits, this is not elaborated here.
Summary
In practice, the actual sequence of incident response handling cannot match the process above exactly. But only once the whole process has been completed, in the author's view, can a security incident be considered satisfactorily closed. The F3EAD process in fact places more weight on taking intelligence from analysis to application (improving defensive capability), especially the repeated iteration in the "Analyze" stage.
A Brief Discussion on Permission Abuse Attacks and Defense

Exploiting privilege abuse vulnerabilities can sometimes allow servers to initiate specific requests (similar to SSRF attacks), and sometimes it can grant access to special functions, such as accessing the camera, recording audio using the microphone, writing and implanting Trojans, and creating reverse shells.

Currently, there are many mobile device testing platforms available both domestically and internationally, such as Testin Cloud Testing, China Mobile Terminal Pool, Testdroid, TestObject, TestCloud, uTest, UserTesting, and WeTest. The author randomly selected an Android device testing platform for testing.

First, after logging in, users can select a device model as the test target.
Then we enter the device debugging interface, where we can control the Android phone from the web and genuinely use every function on the phone.
Besides the Wi-Fi the site provides for our use, we unexpectedly found many other Wi-Fi networks. On closer inspection, many of them are internal office Wi-Fi networks, and some can be joined directly without entering a password. The author suspects the device had previously been authorised to connect to these networks, so it can join the office network directly with no password!

Beyond that, we can install an APK on the phone to try to obtain root. A rooted phone is as dangerous as a server we have taken over on the internal network. Here we use Meterpreter to generate a reverse-shell APK, upload and install it, and then we have full root control of the phone from our local machine.
Next, we can access the phone's camera.
Here we can see the whole phone server room. If video were recorded, every move of the staff in the room could be monitored continuously; if some phones happen to be positioned well, even sticky notes with passwords written on them could be photographed. The phone's audio recording could also be switched on for long-term remote eavesdropping, and so on...
In addition, the phone's location function can be used to find where the controlled device is.
Cooperation inquiries: https://t.me/chuanfua1
XML External Entity Injection (XXE)

When references to external entities are allowed, crafted malicious content can lead to arbitrary file reads, system command execution, probing of internal network ports, attacks on internal websites and other harms.

There are several ways to introduce an external entity, for example:

Malicious external entity injection method 1:

XML content:
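As an added defender-side example, not from the original post: since an external entity can only be declared inside a DOCTYPE, the usual mitigation is to refuse any document that carries a DTD at all before it reaches the parser. The check below runs on decoded text so that a UTF-16 encoded document cannot slip past a byte-level search. The function names and the sample documents are constructed here; the entity's target is a labelled placeholder.

```python
import re
import xml.etree.ElementTree as ET

# External entities can only be declared inside a DOCTYPE, so refusing every
# DTD removes the XXE surface. Matching is case-insensitive because parsers
# accept "<!doctype" as well as "<!DOCTYPE".
_DECL = re.compile(r"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)

class DtdForbidden(ValueError):
    """Document declares a DTD or entity; reject it and log the source."""

def _decode(data: bytes) -> str:
    """Decode by BOM / leading bytes so a UTF-16 payload is inspected as text."""
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16")          # BOM selects byte order
    if data[:2] in (b"<\x00", b"\x00<"):      # UTF-16 without BOM
        return data.decode("utf-16-le" if data[:1] == b"<" else "utf-16-be")
    return data.decode("utf-8")               # strict: invalid bytes raise

def has_dtd(data: bytes) -> bool:
    """True when the document carries any DOCTYPE or ENTITY declaration."""
    return _DECL.search(_decode(data)) is not None

def safe_parse(data: bytes) -> ET.Element:
    """Parse untrusted XML only after the DTD check; raises DtdForbidden otherwise."""
    if has_dtd(data):
        raise DtdForbidden("DTD/entity declarations are not accepted")
    return ET.fromstring(data)

# Constructed samples (not from the original post).
BENIGN = b'<?xml version="1.0"?><order><id>42</id></order>'
# PLACEHOLDER stands in for whatever resource an entity might reference.
WITH_DTD = (b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY e SYSTEM "PLACEHOLDER">]>'
            b'<order><id>&e;</id></order>')
WITH_DTD_UTF16 = WITH_DTD.decode("ascii").encode("utf-16")   # BOM + native order

def demo() -> dict:
    """Which samples the guard accepts; the worked result of this example."""
    results = {}
    for name, doc in (("benign", BENIGN), ("dtd", WITH_DTD), ("dtd_utf16", WITH_DTD_UTF16)):
        try:
            safe_parse(doc)
            results[name] = "accepted"
        except DtdForbidden:
            results[name] = "rejected"
    return results

if __name__ == "__main__":
    print(demo())
```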

Know the Attack to Know the Defense: XXE Vulnerability Attack and Defense
I. XML Basics

XML is a markup language used to mark up electronic documents so that they have structure; it can be used to mark up data and define data types, and it is a meta-language that lets users define their own markup languages. An XML document consists of the XML declaration, a DTD (document type definition, optional) and the document elements.

Malicious external entity injection method 2:

XML content:
Contents of the DTD file (evil.dtd):
Malicious external entity injection method 3:

XML content: