To minimize the chance of being discovered, the attackers used several interesting techniques:
1. Used the Image File Execution Options (IFEO) debugger setting to isolate the process chain, so that even if the backdoor process was discovered, it would not reveal that the implant came from a SolarWinds-related process.
2. Used the system's own built-in tools wherever possible to carry out operations.
3. Turned logging off before performing an operation and turned it back on once the operation was complete.
4. Matched the timestamps of dropped files to those of system tool files.
In essence, this is covert intrusion that exploits the blue team's "Pyramid of Pain". How many red teams have used this line of thinking?
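As an added example (not from the original article or any of the people quoted), here is a defender-side PowerShell check for the first technique: it enumerates every Image File Execution Options subkey that carries a Debugger value and flags any whose debugger binary is not on an allow-list. The allow-list contents are my assumption and should be adjusted to the environment.

```powershell
# Added example, not part of the original article: audit IFEO "Debugger" values.
# A Debugger value makes Windows launch the named program instead of (and as the
# parent of) the image, which is what breaks the visible process chain described above.
$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Assumption: debuggers that are legitimately present in this environment.
$knownDebuggers = @('vsjitdebugger.exe', 'windbg.exe', 'cdb.exe', 'ntsd.exe')

function Get-IfeoDebuggerFindings {
    Get-ChildItem -Path $ifeoRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $props -or [string]::IsNullOrWhiteSpace($props.Debugger)) { return }

        # The first token of the value is the debugger binary; it is quoted when the path has spaces.
        $m = [regex]::Match($props.Debugger, '^\s*(?:"([^"]+)"|(\S+))')
        $dbgPath = if ($m.Groups[1].Success) { $m.Groups[1].Value } else { $m.Groups[2].Value }
        $dbgExe  = [System.IO.Path]::GetFileName($dbgPath).ToLowerInvariant()

        [pscustomobject]@{
            Image      = $_.PSChildName      # the hijacked executable name (subkey name)
            Debugger   = $props.Debugger     # full Debugger value as configured
            Suspicious = ($knownDebuggers -notcontains $dbgExe)
        }
    }
}

# Suspicious entries first; an empty result means no Debugger values are set at all.
Get-IfeoDebuggerFindings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it from an elevated or standard session on the host being reviewed; any Suspicious entry deserves a look at what the named debugger actually is and when the key was written.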
PowerView is easier to use but at the cost of getting detected. Using existing built-in tools keeps you as near to opsec as possible, and ADSI is very hard to detect. And ADSI isn't really that hard to use. A bit of LDAP query knowledge plus the accelerator is all you need.
Yes, I know, as mentioned I built training material around that specific topic. But I would argue that if you're going to "keep as near to opsec as possible" that you should drop PowerShell and use DirectorySearcher in .NET or a C++ solution.
And I was just chiming in as to why people used it, and I stand by my personal opinion that there's minimal advantage to using the PS ADSI accelerators over an (IOC-stripped) version of PowerView, because both are exposed to the standard PowerShell security features.
This article first appeared on the WeChat official account 天御攻防实验室 under the title 红队攻防揭秘 - 作战安全(OPSEC) (Red Team Offense and Defense Revealed: Operational Security (OPSEC)).