3. rmgr_daemon
此进程由rmgr.ko释放写入磁盘,路径为/tmp/.tmp_{21个随机字母数字}。由C++开发,编译后upx加壳压缩,直接用开源软件upx -d rmgr_daemon即可脱壳,并无特殊处理。
它主要有的功能有:
(1) 监控内核模块状态,与内核rootkit信息交互;
翻译;
3. rmgr_daemon
This process is released and written to disk by rmgr.ko, at path /tmp/.tmp_{21 random alphanumeric characters}. Developed in C++, it is compressed using UPX after compilation. It can be unpacked directly using the open-source software `upx -d rmgr_daemon` without any special processing.
Its main functions include:
(1) Monitoring kernel module status and interacting with kernel rootkit information;
监听在本地的26657端口,rmgr_daemon连接此端口转发来至C2的ssh指令。这里实现了拟合业务环境常用网络协议,使得常规的NIDS的检测逻辑被绕过。
第三步:消除
这里主要是指加固,避免被攻击者以同样的手法攻击。具体手段如下:
突破口加固,补丁更新,ACL加固。
运维通道,停用旧账户,修改攻击链路中服务器账户,并上双因素认证。
根据用户角色限定可访问系统范围。
受害系统dump保存虚机镜像,待查。
重装受害系统,重新发布部署业务环境。
新系统内核模块加载要求签名校验。
第四步:利用
完成应急响应工作,分析完事件现场和文件之后,整个事件中提取到的关键信息将沉淀为威胁情报。本文将威胁情报金字塔模型的内容缩减到iocs和ttps两部分,ttps用att&ck矩阵模型做归纳。
翻译;
Step 4: Utilizing the completed emergency response work, after analyzing the incident scene and documents, the key information extracted from the entire incident will be condensed into threat intelligence. This article reduces the content of the threat intelligence pyramid model to two parts: IOCs and TTPS. TTPS is summarized using the ATT&CK matrix model.
威胁情报金字塔模型
1. iocs
(1) md5:
7d859a22f38f0bcd55a46bc8b67c40df
fa73b2fd914a0cfd5e7d3161af903b6c
(2) c2:
hm2.yrnykx.com
2. ttps
第五步:分析
从上节ttps可以看出来,att&ck矩阵并不能完全覆盖此次木马用于对抗安全系统的全部隐匿手段。
粗略的分类其隐匿(进程、网络、文件)手段有:
C2通过fake_sshd避开NIDS的检测;
通过patchELF绕开hook libc的命令审计HIDS;
通过fake_bash_add_history让shell审计失效;
通过patch seq_show修改系统对/proc下文件信息读取的返回,实现对木马相关的文件、进程、网络连接信息的隐匿;
通过patch vfs_readdir实现隐藏木马文件;
通过摘除内核进程、模块链表信息,避免被rookit检测工具发现内核中木马痕迹;
可见,此款木马套装存在大量技术细节来对抗安全系统,不过它主要针对市面上已知的一些旧款HIDS和事后取证调查工具。内核态的进程派生syscall hook和inotify+云查杀还是可以发现它的。
木马与安全系统的对抗维度
一套完整的木马系统不可能仅仅因为一次渗透入侵而开发,必然会借鉴很多开源或者家族代码。所以从溯源角度来说,可以做代码“考古”工作,同时将相关代码风格和木马行为纳入安全系统特征库。限于篇幅,暂不在此赘述。
总结
事实上,实际的事件响应处置过程顺序不可能完全跟上述流程一致。但走完整套流程,笔者认为才能算是一个安全事件处置圆满的结束。其实,F3EAD流程比较重视情报从分析到应用(改进安全对抗能力),特别是在“分析”阶段的反复迭代。
翻译:
In conclusion, the actual sequence of incident response and handling may not perfectly align with the above process. However, completing the entire process is considered a successful conclusion to a security incident. The F3EAD process places significant emphasis on the transition from intelligence analysis to application (improving security countermeasures), particularly the iterative process within the "analysis" phase.
翻译
;A Brief Discussion on Permission Abuse Attacks and Defense
Exploiting privilege abuse vulnerabilities can sometimes allow servers to initiate specific requests (similar to SSRF attacks), and sometimes it can grant access to special functions, such as accessing the camera, recording audio using the microphone, writing and implanting Trojans, and creating reverse shells.
Currently, there are many mobile device testing platforms available both domestically and internationally, such as Testin Cloud Testing, China Mobile Terminal Pool, Testdroid, TestObject, TestCloud, uTest, UserTesting, and WeTest. The author randomly selected an Android device testing platform for testing.
First, after logging in, users can select a device model as the test target.
;A Brief Discussion on Permission Abuse Attacks and Defense
Exploiting privilege abuse vulnerabilities can sometimes allow servers to initiate specific requests (similar to SSRF attacks), and sometimes it can grant access to special functions, such as accessing the camera, recording audio using the microphone, writing and implanting Trojans, and creating reverse shells.
Currently, there are many mobile device testing platforms available both domestically and internationally, such as Testin Cloud Testing, China Mobile Terminal Pool, Testdroid, TestObject, TestCloud, uTest, UserTesting, and WeTest. The author randomly selected an Android device testing platform for testing.
First, after logging in, users can select a device model as the test target.
除了网站提供我们使用的WIFI,意外发现了很多其他的WIFI,细看之下,还会注意到这里面夹杂了很多内部的办公网络WIFI,甚至有些WIFI可直接连接无需输入密码,笔者猜测当前设备曾经已授权连接过这些WIFI,因此无需要输入密码直接可连接进入办公网络了!
除此之外,我们还可以在手机上安装apk来尝试获取手机ROOT权限,ROOT之后的手机就如同内网中一台被我们拿下的服务器一样危险。这里我们使用meterpreter生成反弹shell的apk并上传安装,然后我们本地就可以root权限完全控制手机。
翻译;
Besides the Wi-Fi provided by the website, we unexpectedly discovered many other Wi-Fi networks. Upon closer inspection, we also noticed that many of these were internal office network Wi-Fi networks, some of which allowed direct connection without a password. We suspect that our device had previously been authorized to connect to these networks, thus gaining access to the office network without a password!
Furthermore, we can install an APK on the phone to attempt to gain root access. A rooted phone is as dangerous as a compromised server on an internal network. Here, we use Meterpreter to generate a reverse shell APK, upload and install it, and then we can gain complete root control of the phone locally.
这里我们可以看到手机机房的全貌,如果录像的话可以一直监控机房工作人员的一举一动,甚至有些手机摆放的位置比较恰当的话,可以拍到记录密码的便签贴。 我们还可以开启手机录音功能,实现长时间的远程窃听等……
翻译;
Here we can see the entire mobile phone server room. If we record video, we can continuously monitor the actions of the staff in the room. If some phones are positioned strategically, we can even capture images of the notes containing passwords. We can also enable the phone's recording function for extended remote eavesdropping, etc.