Intrusion forensics: Digital Forensics Tips and Tricks: How to Find an Intruder's Lucky Coin


[image]

So, cyber attackers do the same thing: they often hide some small malware agents in the IT infrastructure to keep the possibility of coming back again.

You know some of these methods:

  • create a new scheduled task to rerun a malware beacon periodically;
  • create a new autorun key in the system registry;
  • create a new system service with the autostart property.

But there is one more method of preserving high-privileged permissions for further use of the infected IT infrastructure: changing the AdminSDHolder permissions.

To understand the theoretical part of AdminSDHolder you can check any article on the Internet. As an example, try this one.

In short: there is a periodically run process in Active Directory Domain Services which can give a user or group the permission to change the membership of protected security groups (e.g. Domain Admins, Schema Admins, etc.). To do this, an attacker just needs to add a user or group to the AdminSDHolder ACL.

So, if an attacker has obtained sufficient permissions to change the AdminSDHolder ACL, he can create a new user account and add this account name to the AdminSDHolder ACL.

From the article I mentioned above, you know how to check AD for this using PowerShell.

But there is another method, using a YARA rule.

Every time someone changes the AdminSDHolder ACL, a specific event 4662 is created in the Domain Controllers' Security event log:

[image: event 4662 in the Security event log]

Now we can use the information from this event to create a YARA rule. Here it is:

rule adminSDholder
{
	meta:
		maltype = "LuckyCoin"
		reference = "https://habr.com/ru/users/volnodumcev/"
		date = "17.05.2019"
		description = "YARA rule to find AdminSDholder being changed by a bad guy"
	strings:
		// Event ID 4662 as a little-endian 16-bit value (0x1236), followed by the bytes that surround it in the event record
		$hexEventID = { 36 12 00 00 00 00 00 00 20 80 }
		// UTF-16LE text "{5756b6ee-eba1-4027-829d-91973675dc52}": the object GUID as it appears in the author's 4662 event
		$object = { 7b 00 35 00 37 00 35 00 36 00 62 00 36 00 65 00 65 00 2d 00 65 00 62 00 61 00 31 00 2d 00 34 00 30 00 32 00 37 00 2d 00 38 00 32 00 39 00 64 00 2d 00 39 00 31 00 39 00 37 00 33 00 36 00 37 00 35 00 64 00 63 00 35 00 32 00 7d }
		// UTF-16LE text "{bf967a8b-0de6-11d0-a285-00aa003049e2" (the closing brace is not part of the pattern)
		$operation = { 7b 00 62 00 66 00 39 00 36 00 37 00 61 00 38 00 62 00 2d 00 30 00 64 00 65 00 36 00 2d 00 31 00 31 00 64 00 30 00 2d 00 61 00 32 00 38 00 35 00 2d 00 30 00 30 00 61 00 61 00 30 00 30 00 33 00 30 00 34 00 39 00 65 00 32 }
	condition:
		// all three byte patterns must be present in the scanned data
		$hexEventID and $object and $operation
}

So, you can use this rule with Rekall or Volatility, for example, to scan a memory dump.
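As an added example (not code from the original post or its author), the following Python helpers show what the rule's hex strings actually are: they decode them back to the UTF-16LE text they encode, regenerate the $object pattern from the AdminSDHolder objectGUID of your own domain (the GUID in the page's rule is the one from the author's event, and objectGUID values differ from one domain to another, so the rule as printed will not fire elsewhere), and apply the rule's condition to a constructed buffer. The sample buffers, the rule name adminSDholder_custom and all function names are assumptions made for this example; only the standard library is used, so no YARA binding is needed.

```python
"""Helpers around the AdminSDHolder YARA rule on this page (added example)."""
import struct

# Hex strings copied from the page's rule.
PAGE_EVENTID_HEX = "36 12 00 00 00 00 00 00 20 80"
PAGE_OBJECT_HEX = ("7b 00 35 00 37 00 35 00 36 00 62 00 36 00 65 00 65 00 2d 00 "
                   "65 00 62 00 61 00 31 00 2d 00 34 00 30 00 32 00 37 00 2d 00 "
                   "38 00 32 00 39 00 64 00 2d 00 39 00 31 00 39 00 37 00 33 00 "
                   "36 00 37 00 35 00 64 00 63 00 35 00 32 00 7d")
PAGE_OPERATION_HEX = ("7b 00 62 00 66 00 39 00 36 00 37 00 61 00 38 00 62 00 2d 00 "
                      "30 00 64 00 65 00 36 00 2d 00 31 00 31 00 64 00 30 00 2d 00 "
                      "61 00 32 00 38 00 35 00 2d 00 30 00 30 00 61 00 61 00 30 00 "
                      "30 00 33 00 30 00 34 00 39 00 65 00 32")


def hex_to_bytes(hex_string):
    """Turn a YARA-style hex string ("7b 00 35 ...") into bytes."""
    return bytes.fromhex(hex_string.replace(" ", ""))


def decode_utf16_hex(hex_string):
    """Decode a YARA hex string that carries UTF-16LE text, as $object and $operation do."""
    raw = hex_to_bytes(hex_string)
    if len(raw) % 2:
        # Both page patterns stop after the low byte of their last character
        # (no trailing 00), so pad the final code unit before decoding.
        raw += b"\x00"
    return raw.decode("utf-16-le")


def utf16_hex(text):
    """Encode text as UTF-16LE and render it as a YARA hex string."""
    return " ".join(f"{b:02x}" for b in text.encode("utf-16-le"))


def event_id_prefix(event_id):
    """The first two bytes of $hexEventID: the event ID as a little-endian uint16."""
    return struct.pack("<H", event_id)


def build_rule(object_guid, operation_guid="{bf967a8b-0de6-11d0-a285-00aa003049e2}"):
    """Render a rule in the shape of the page's one, with the object GUID read from your domain.

    The default operation_guid is the page's $operation decoded, with its closing brace restored.
    Assumed rule name: adminSDholder_custom.
    """
    return f"""rule adminSDholder_custom
{{
    strings:
        $hexEventID = {{ {PAGE_EVENTID_HEX} }}
        $object = {{ {utf16_hex(object_guid)} }}
        $operation = {{ {utf16_hex(operation_guid)} }}
    condition:
        $hexEventID and $object and $operation
}}
"""


def rule_matches(buffer, object_guid):
    """Apply the rule's condition (all three patterns present anywhere) to a byte buffer."""
    patterns = (hex_to_bytes(PAGE_EVENTID_HEX),
                object_guid.encode("utf-16-le"),
                hex_to_bytes(PAGE_OPERATION_HEX))
    return all(p in buffer for p in patterns)


# Constructed sample data (not a real EVTX record): the three patterns with filler
# between them, in the order the rule's strings are listed.
AUTHOR_OBJECT_GUID = "{5756b6ee-eba1-4027-829d-91973675dc52}"
SAMPLE_HIT = (b"\x00" * 16 + hex_to_bytes(PAGE_EVENTID_HEX) + b"\x00" * 8
              + AUTHOR_OBJECT_GUID.encode("utf-16-le") + b"\x00" * 4
              + "{bf967a8b-0de6-11d0-a285-00aa003049e2}".encode("utf-16-le"))
# Same event ID and operation, but a 4662 for some other object: must not match.
SAMPLE_MISS = SAMPLE_HIT.replace(
    AUTHOR_OBJECT_GUID.encode("utf-16-le"),
    "{00000000-0000-0000-0000-000000000000}".encode("utf-16-le"))


if __name__ == "__main__":
    print("page $object   =", decode_utf16_hex(PAGE_OBJECT_HEX))
    print("page $operation =", decode_utf16_hex(PAGE_OPERATION_HEX))
    print("hit:", rule_matches(SAMPLE_HIT, AUTHOR_OBJECT_GUID),
          "miss:", rule_matches(SAMPLE_MISS, AUTHOR_OBJECT_GUID))
    # Replace the GUID below with the objectGUID of CN=AdminSDHolder,CN=System,... in your domain.
    print(build_rule(AUTHOR_OBJECT_GUID))
```

Running the script prints the decoded GUIDs, shows that the condition distinguishes a 4662 for the AdminSDHolder object from one for an unrelated object, and emits a rule text you can feed to yara, Rekall or Volatility after swapping in your own domain's objectGUID.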

Thank you again for your attention! I'll be back soon with new good stuff!

Translated from: https://habr.com/en/post/452254/
