红队攻防揭秘 - 作战安全（OPSEC）

OPSEC的概念这里不多解释，国内目前似乎没有比较好的公开的资料，不过以下这篇文章可以参考一下：

SolarWinds事件背后的黑手是Turla？也许吧

为了尽量减少被发现的可能性，攻击者用到了一些有意思的手法：

1、使用文件执行调试选项来隔离进程链，使即便后门进程被发现也不会暴露植入后门的SolarWinds相关进程的来源。

2、尽可能使用系统自带的工具程序执行操作。

3、执行操作前关闭日志记录，操作完成以后再打开。

4、落地文件的时间戳与系统工具文件同步。

以下开始正文（仔细看文字和图片）：

I have not seen a single instance where my ADSI queries have been detected, but I can't say the same for PowerView. There was a red team in which I was using custom Powerview against mdatp and after 6-7 days of using it, it suddenly got detected and started getting blocked.

I am just saying the MDAtp or most EDRs dont tag ADSI queries as malicious since its actually used by IT as well. But can't say the same for PowerView. I don't have anything against powerview, just my experience is different

本质是利用蓝队的“代价金字塔”进行隐蔽渗透。有多少红队用过这种思路？

PowerView is easier to use but at the cost of getting detected. Using existing built in tools keeps you as near to offsec as possible and ADSI is almost very hard to detect. And ADSI isn't really that hard to use. Bit of ldap query knowledge + Accelerator is all you need

Yes, I know, as mentioned I built training material around that specific topic. But I would argue that if you're going to "keep as near to opsec as possible" that you should drop PowerShell and use DirectorySearcher in .NET or a C++ solution. 

And I was just chiming in as to why people used it, and I stand by my personal opinion that there's minimal advantage of using the PS ADSI accelerators over a (IOC stripped) version of PowerView because both are exposed to the standard PowerShell security features

全文完！

往期精选

围观

威胁猎杀实战（六）：横向移动攻击检测

热文

全球“三大”入侵分析模型

热文

实战化ATT&CK：威胁情报

本文始发于微信公众号（天御攻防实验室）：红队攻防揭秘 - 作战安全（OPSEC）