2024 网鼎杯 (Wangding Cup) Semifinal, Security Operations Challenge: Threat Analysis
The official writeup has not been published, so there is no standard answer.
The evidence files are analysed according to the challenge descriptions.
First of all
Let's start by analysing the attachments provided with the challenge. The following files were provided:
- dump.mem
- disk.ad1
- disk.ad1.txt
The contents of disk.ad1.txt are:
Created By AccessData® FTK® Imager 4.7.1.2
Case Information:
Acquired using: ADI4.7.1.2
Case Number:
Evidence Number:
Unique Description:
Examiner:
Notes:
--------------------------------------------------------------
Information for C:\Users\skills\Desktop\disk.ad1:
[Custom Content Sources]
F:\:NONAME [NTFS]|[root]|Windows|*(Wildcard,Consider Case,Include Subdirectories)
F:\:NONAME [NTFS]|[root]|ProgramData|*(Wildcard,Consider Case,Include Subdirectories)
F:\:NONAME [NTFS]|[root]|Program Files (x86)|*(Wildcard,Consider Case,Include Subdirectories)
F:\:NONAME [NTFS]|[root]|Program Files|*(Wildcard,Consider Case,Include Subdirectories)
F:\:NONAME [NTFS]|[root]|Documents and Settings|*(Wildcard,Consider Case,Include Subdirectories)
F:\:NONAME [NTFS]|[root]|PerfLogs|*(Wildcard,Consider Case,Include Subdirectories)
F:\:NONAME [NTFS]|[root]|System Volume Information|*(Wildcard,Consider Case,Include Subdirectories)
[Computed Hashes]
MD5 checksum: a576646c40769abb7dd36904417b6a4f
SHA1 checksum: 9cee1fe36957674626661e1197b19b5f0b047026
Image information:
Acquisition started: Tue Nov 5 11:04:42 2024
Acquisition finished: Tue Nov 5 11:49:00 2024
Segment list:
C:\Users\skills\Desktop\disk.ad1
Image Verification Results:
Verification started: Tue Nov 5 11:52:50 2024
Verification finished: Tue Nov 5 12:07:07 2024
MD5 checksum: a576646c40769abb7dd36904417b6a4f : verified
SHA1 checksum: 9cee1fe36957674626661e1197b19b5f0b047026 : verified
From this we can tell that disk.ad1 is a disk image created with FTK Imager and that dump.mem is a memory image captured from the target machine.
disk.ad1 can be loaded with FTK Imager and mounted as a virtual drive letter. For dump.mem there are three options: analyse it with Volatility (this requires a profile/symbol table matching the OS version in the memory image), use R-Studio to read and analyse the NTFS structures held in memory, or simply run strings over it and search for keywords by brute force.
Threat Analysis - 01
When investigating network performance or security issues, knowing how much data a specific application has transferred over a period of time is essential for detecting abnormal traffic and potential threats. By analysing network activity logs, we can determine whether data exfiltration or anomalous communication has occurred.
Question: how many bytes of data has the firefox process sent in total since records began? (Write the answer to /opt/wxfx/answer/1.txt; see the /opt/wxfx/example directory for the format.)
Based on the challenge description, this points to the Windows resource usage database file SRUDB.dat (the SRUM database).
Reference: See all Windows 11 network data usage – addshore
In FTK Imager, locate SRUDB.dat at the path F:\Windows\System32\sru\SRUDB.dat
View it with NetworkUsageView - NirSoft
Locate the records for the firefox.exe process:
3981907 + 384784 = 4366691
This gives the answer:
4366691
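As an added example (not part of the original writeup), the Python below sums "Bytes Sent" per executable over a NetworkUsageView-style CSV export; the column names and the sample rows are constructed assumptions, and the point it shows is that SRUM keeps one row per application, user and interface, so every row for firefox.exe has to be added up.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a NetworkUsageView-style CSV export (column names are an assumption;
# check the header of the real export). SRUM stores one row per application, user account and
# network interface, so the same executable usually appears on several rows.
SAMPLE_CSV = """App Name,User,Bytes Sent,Bytes Received
\\device\\harddiskvolume2\\program files\\mozilla firefox\\firefox.exe,DESKTOP\\skills,3981907,51200000
\\device\\harddiskvolume2\\windows\\system32\\svchost.exe,SYSTEM,120000,640000
\\device\\harddiskvolume2\\program files\\mozilla firefox\\firefox.exe,DESKTOP\\skills,384784,2100000
C:\\Windows\\explorer.exe,DESKTOP\\skills,5000,9000
"""


def process_name(app_path):
    """Last path component of a SRUM application identifier, lower-cased
    (identifiers may be \\\\device\\\\harddiskvolumeN\\\\... or drive-letter paths)."""
    return app_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def bytes_sent_per_process(csv_text):
    """Total Bytes Sent per executable name, summed over every row that names it."""
    totals = defaultdict(int)
    for row in csv.DictReader(io.StringIO(csv_text)):
        totals[process_name(row["App Name"])] += int(row["Bytes Sent"])
    return dict(totals)


def bytes_sent_for(csv_text, name):
    """Total Bytes Sent for one executable (case-insensitive), e.g. 'firefox.exe'."""
    return bytes_sent_per_process(csv_text).get(name.lower(), 0)


if __name__ == "__main__":
    # With the sample rows this prints 4366691, the same sum as in the writeup.
    print(bytes_sent_for(SAMPLE_CSV, "firefox.exe"))
```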
Threat Analysis - 02
Identifying the detection and removal records of security software is essential for assessing how far a system has been compromised and understanding the tools the attacker used. By examining the security logs, information about the detected threats can be obtained.
Question: what is the threat ID of the first malware detected by Windows Defender? (Write the answer to /opt/wxfx/answer/2.txt; see the /opt/wxfx/example directory for the format.)
In the disk data of disk.ad1, locate the folder F:\Windows\System32\winevt\Logs\ and extract the whole folder.
According to the Windows Defender event ID table (Microsoft Defender Antivirus event IDs and error codes - Microsoft Defender for Endpoint | Microsoft Learn), the event logged when Windows Defender detects a threat has event ID 1116.
Analyse the logs with FullEventLogView - NirSoft, or go directly to the Windows Defender operational log file Microsoft-Windows-Windows Defender%4Operational.evtx:
Windows Defender 已从隔离区删除一个项目。
有关详细信息,请参阅以下内容:
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Meterpreter.O&threatid=2147729928&enterprise=0
名称: Trojan:Win32/Meterpreter.O
ID: 2147729928
严重性: Severe
类别: Trojan
用户: DESKTOP-M3JIVN3\skills
安全智能版本: AV: 1.421.82.0, AS: 1.421.82.0
引擎版本: 1.1.24090.11
This gives the answer:
2147729928
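Added example, not part of the original writeup: once the Defender operational log has been exported to records (with FullEventLogView or a library such as python-evtx, a step not shown here), this Python picks the earliest event ID 1116 by timestamp and pulls the threat ID from the fwlink URL, which stays the same in a Chinese or English log; the event records are constructed.

```python
import re
from datetime import datetime

# Locale-independent extraction: every Defender event message embeds a fwlink URL whose
# query string carries name= and threatid=, so matching it works regardless of UI language.
THREAT_ID_URL = re.compile(r"[?&]threatid=(\d+)", re.I)
THREAT_ID_LINE = re.compile(r"^ID:\s*(\d+)\s*$", re.M)  # fallback: the "ID:" line
THREAT_NAME_URL = re.compile(r"[?&]name=([^&\s]+)")


def extract_threat(message):
    """Return (threat_id, threat_name) parsed from an event message, or None if absent."""
    m = THREAT_ID_URL.search(message) or THREAT_ID_LINE.search(message)
    if m is None:
        return None
    name = THREAT_NAME_URL.search(message)
    return int(m.group(1)), (name.group(1) if name else None)


def first_detection(events, detection_ids=(1116,)):
    """Earliest event whose ID is a detection (1116). Events are ordered by TimeCreated
    rather than trusted in file order, because an .evtx is a ring buffer that can wrap."""
    hits = [e for e in events if e["event_id"] in detection_ids]
    if not hits:
        return None
    return min(hits, key=lambda e: datetime.strptime(e["time"], "%Y-%m-%d %H:%M:%S"))


# Constructed sample records (not the real log from the image), deliberately out of order.
# The second detection uses a placeholder threat name and ID to show that ordering matters.
SAMPLE_EVENTS = [
    {"time": "2024-11-05 10:31:09", "event_id": 1117,
     "message": "Action taken\nhttps://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Meterpreter.O&threatid=2147729928&enterprise=0\nID: 2147729928"},
    {"time": "2024-11-05 10:40:00", "event_id": 1116,
     "message": "Detected\nhttps://go.microsoft.com/fwlink/?linkid=37020&name=Constructed:Win32/Placeholder.A&threatid=999999999&enterprise=0\nID: 999999999"},
    {"time": "2024-11-05 10:31:08", "event_id": 1116,
     "message": "Detected\nhttps://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Meterpreter.O&threatid=2147729928&enterprise=0\nID: 2147729928"},
]


def first_threat_id(events=SAMPLE_EVENTS):
    """Threat ID of the earliest detection, or None when the log holds no 1116 event."""
    ev = first_detection(events)
    return extract_threat(ev["message"])[0] if ev else None
```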
Threat Analysis - 03
Knowing a piece of malware's internal name (the name its developers gave it) helps identify its family, version and specific functionality, which in turn supports an effective defence strategy.
Question: what is the internal name of the malware currently running on the system? (Write the answer to /opt/wxfx/answer/3.txt; see the /opt/wxfx/example directory for the format.)
Approach 1: locating it by common keywords
Running strings over the memory image and matching against keywords commonly found in malware, the following section can be located in memory:
<------------- [ Welcome to DarkSide] ------------->
What happend?
----------------------------------------------
Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data.
But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network.
Follow our instructions below and you will recover all your data.
What guarantees?
----------------------------------------------
We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests.
All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems.
We guarantee to decrypt one file for free. Go to the site and contact us.
How to get access on website?
----------------------------------------------
Using a TOR browser:
1) Download and install TOR browser from this site: https://torproject.org/
2) Open our website: http://darksidfqzcuhtk2.onion/GM0CG8TNZ83ZPUD15TL76BLDCG0ST24TR6NXG1J2AVXSKF8KS4KFIIN2ON5GRWD4
When you open our website, put the following data in the input form:
Key:
!!! DANGER !!!
DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them.
!!! DANGER !!!
Using this known plaintext, the related process can be located:
PS D:\Downloads\attachment\attachment> .\volatility_2.6_win64_standalone.exe -f .\dump.mem --profile=Win10x64_14393 yarascan -Y "Your computers and servers are encrypted"
Volatility Foundation Volatility Framework 2.6
Rule: r1
Owner: Process SearchProtocol Pid 4036
0x2079976dcc5 59 6f 75 72 20 63 6f 6d 70 75 74 65 72 73 20 61 Your.computers.a
0x2079976dcd5 6e 64 20 73 65 72 76 65 72 73 20 61 72 65 20 65 nd.servers.are.e
0x2079976dce5 6e 63 72 79 70 74 65 64 2c 20 62 61 63 6b 75 70 ncrypted,.backup
0x2079976dcf5 73 20 61 72 65 20 64 65 6c 65 74 65 64 2e 20 57 s.are.deleted..W
0x2079976dd05 65 20 75 73 65 20 73 74 72 6f 6e 67 20 65 6e 63 e.use.strong.enc
0x2079976dd15 72 79 70 74 69 6f 6e 20 61 6c 67 6f 72 69 74 68 ryption.algorith
0x2079976dd25 6d 73 2c 20 73 6f 20 79 6f 75 20 63 61 6e 6e 6f ms,.so.you.canno
0x2079976dd35 74 20 64 65 63 72 79 70 74 20 79 6f 75 72 20 64 t.decrypt.your.d
0x2079976dd45 61 74 61 2e 20 0d 0a 20 42 75 74 20 79 6f 75 20 ata.....But.you.
0x2079976dd55 63 61 6e 20 72 65 73 74 6f 72 65 20 65 76 65 72 can.restore.ever
0x2079976dd65 79 74 68 69 6e 67 20 62 79 20 70 75 72 63 68 61 ything.by.purcha
0x2079976dd75 73 69 6e 67 20 61 20 73 70 65 63 69 61 6c 20 70 sing.a.special.p
0x2079976dd85 72 6f 67 72 61 6d 20 66 72 6f 6d 20 75 73 20 2d rogram.from.us.-
0x2079976dd95 20 75 6e 69 76 65 72 73 61 6c 20 64 65 63 72 79 .universal.decry
0x2079976dda5 70 74 6f 72 2e 20 54 68 69 73 20 70 72 6f 67 72 ptor..This.progr
0x2079976ddb5 61 6d 20 77 69 6c 6c 20 72 65 73 74 6f 72 65 20 am.will.restore.
Rule: r1
Owner: Process SearchProtocol Pid 4036
0x2079977314d 59 6f 75 72 20 63 6f 6d 70 75 74 65 72 73 20 61 Your.computers.a
0x2079977315d 6e 64 20 73 65 72 76 65 72 73 20 61 72 65 20 65 nd.servers.are.e
0x2079977316d 6e 63 72 79 70 74 65 64 2c 20 62 61 63 6b 75 70 ncrypted,.backup
0x2079977317d 73 20 61 72 65 20 64 65 6c 65 74 65 64 2e 20 57 s.are.deleted..W
0x2079977318d 65 20 75 73 65 20 73 74 72 6f 6e 67 20 65 6e 63 e.use.strong.enc
0x2079977319d 72 79 70 74 69 6f 6e 20 61 6c 67 6f 72 69 74 68 ryption.algorith
0x207997731ad 6d 73 2c 20 73 6f 20 79 6f 75 20 63 61 6e 6e 6f ms,.so.you.canno
0x207997731bd 74 20 64 65 63 72 79 70 74 20 79 6f 75 72 20 64 t.decrypt.your.d
0x207997731cd 61 74 61 2e 20 0d 0a 20 42 75 74 20 79 6f 75 20 ata.....But.you.
0x207997731dd 63 61 6e 20 72 65 73 74 6f 72 65 20 65 76 65 72 can.restore.ever
0x207997731ed 79 74 68 69 6e 67 20 62 79 20 70 75 72 63 68 61 ything.by.purcha
0x207997731fd 73 69 6e 67 20 61 20 73 70 65 63 69 61 6c 20 70 sing.a.special.p
0x2079977320d 72 6f 67 72 61 6d 20 66 72 6f 6d 20 75 73 20 2d rogram.from.us.-
0x2079977321d 20 75 6e 69 76 65 72 73 61 6c 20 64 65 63 72 79 .universal.decry
0x2079977322d 70 74 6f 72 2e 20 54 68 69 73 20 70 72 6f 67 72 ptor..This.progr
0x2079977323d 61 6d 20 77 69 6c 6c 20 72 65 73 74 6f 72 65 20 am.will.restore.
Rule: r1
Owner: Process svchost.exe Pid 5784
0x00d1a10d 59 6f 75 72 20 63 6f 6d 70 75 74 65 72 73 20 61 Your.computers.a
0x00d1a11d 6e 64 20 73 65 72 76 65 72 73 20 61 72 65 20 65 nd.servers.are.e
0x00d1a12d 6e 63 72 79 70 74 65 64 2c 20 62 61 63 6b 75 70 ncrypted,.backup
0x00d1a13d 73 20 61 72 65 20 64 65 6c 65 74 65 64 2e 20 57 s.are.deleted..W
0x00d1a14d 65 20 75 73 65 20 73 74 72 6f 6e 67 20 65 6e 63 e.use.strong.enc
0x00d1a15d 72 79 70 74 69 6f 6e 20 61 6c 67 6f 72 69 74 68 ryption.algorith
0x00d1a16d 6d 73 2c 20 73 6f 20 79 6f 75 20 63 61 6e 6e 6f ms,.so.you.canno
0x00d1a17d 74 20 64 65 63 72 79 70 74 20 79 6f 75 72 20 64 t.decrypt.your.d
0x00d1a18d 61 74 61 2e 20 0d 0a 20 42 75 74 20 79 6f 75 20 ata.....But.you.
0x00d1a19d 63 61 6e 20 72 65 73 74 6f 72 65 20 65 76 65 72 can.restore.ever
0x00d1a1ad 79 74 68 69 6e 67 20 62 79 20 70 75 72 63 68 61 ything.by.purcha
0x00d1a1bd 73 69 6e 67 20 61 20 73 70 65 63 69 61 6c 20 70 sing.a.special.p
0x00d1a1cd 72 6f 67 72 61 6d 20 66 72 6f 6d 20 75 73 20 2d rogram.from.us.-
0x00d1a1dd 20 75 6e 69 76 65 72 73 61 6c 20 64 65 63 72 79 .universal.decry
0x00d1a1ed 70 74 6f 72 2e 20 54 68 69 73 20 70 72 6f 67 72 ptor..This.progr
0x00d1a1fd 61 6d 20 77 69 6c 6c 20 72 65 73 74 6f 72 65 20 am.will.restore.
After excluding the normal system services, the process svchost.exe with PID 5784 can be identified as the malicious process.
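Added example, not part of the original writeup: a Python known-plaintext scanner that does at the raw-image level what the yarascan step above does, reporting every offset of the ransom-note phrases in both ASCII and UTF-16LE while reading the dump in chunks (a hit that straddles a chunk boundary is still found exactly once); the sample image is constructed, and mapping an offset back to a process still needs Volatility.

```python
import io

# Known-plaintext markers taken from the ransom note quoted above.
MARKERS = [b"Your computers and servers are encrypted", b"Welcome to DarkSide"]


def _patterns(markers):
    """Each marker in ASCII and in UTF-16LE, the wide-string form Windows processes often hold."""
    out = []
    for m in markers:
        out.append(("ascii", m, m))
        out.append(("utf-16le", m.decode("ascii").encode("utf-16-le"), m))
    return out


def scan_stream(stream, markers=MARKERS, chunk_size=1 << 20):
    """Yield (absolute_offset, encoding, marker) for every occurrence in a raw image.
    The last (longest pattern - 1) bytes of each chunk are carried over so a hit split
    across a chunk boundary is found, and hits wholly inside that tail are not re-reported."""
    patterns = _patterns(markers)
    overlap = max(len(p) for _, p, _ in patterns) - 1
    tail, base = b"", 0  # base = absolute offset of tail[0]
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            return
        buf = tail + chunk
        for enc, pat, marker in patterns:
            i = buf.find(pat)
            while i >= 0:
                if i + len(pat) > len(tail):  # ends in new bytes: not seen last round
                    yield base + i, enc, marker
                i = buf.find(pat, i + 1)
        keep = min(overlap, len(buf))
        base += len(buf) - keep
        tail = buf[len(buf) - keep:]


def scan_bytes(data, chunk_size=1 << 20):
    """Sorted hits for an in-memory image (for real dumps pass an open file to scan_stream)."""
    return sorted(scan_stream(io.BytesIO(data), chunk_size=chunk_size))


# Constructed sample "image": filler bytes, the ASCII note text placed so that it straddles
# a 64-byte chunk boundary, then the UTF-16LE form of the second marker further on.
FILLER = bytes(range(256))
SAMPLE_IMAGE = FILLER[:50] + MARKERS[0] + FILLER + MARKERS[1].decode().encode("utf-16-le") + FILLER

if __name__ == "__main__":
    for off, enc, marker in scan_bytes(SAMPLE_IMAGE, chunk_size=64):
        print(f"0x{off:08x} {enc:8s} {marker.decode()}")
```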
Approach 2: checking the disk for unusual files
Using R-Studio to analyse the NTFS structures held in memory, the file F:\Users\skills\svchost.exe can be found.
Normally svchost.exe does not exist in a user directory, so this can be identified as a suspicious file.