CVE-2018-5955: Analysis of an Intrusion Exploiting the GitStack Vulnerability
gitstack mem
Author: Kusti
Sites used: https://www.base64decode.org/ , https://base64.guru/
Tools used: VMware, PowerShell, Volatility 2, Notepad++, HxD
pslist output
0x86995910 Sysmon.exe 3568 476 10 190 0 0 2019-07-06 13:53:52 UTC+0000 // Sysmon confirmed present
0x88671d40 mimikatz.exe 1392 3972 1 100 1 0 2019-07-06 14:01:04 UTC+0000 // mimikatz was run
0x86c303c8 cmd.exe 2956 3044 0 -------- 1 0 2019-07-06 13:56:57 UTC+0000 2019-07-06 13:56:57 UTC+0000 // lived 0 seconds
0x86505660 openssl.exe 2712 2956 0 -------- 1 0 2019-07-06 13:56:57 UTC+0000 2019-07-06 13:56:57 UTC+0000 // lived 0 seconds
0x88768030 powershell.exe 2944 1740 0 -------- 1 0 2019-07-06 13:56:57 UTC+0000 2019-07-06 13:56:57 UTC+0000 // lived 0 seconds; starting point of the mimikatz chain
0x85971a60 powershell.exe 1240 2944 8 294 1 0 2019-07-06 13:56:57 UTC+0000 // spawns cmd; p-log
0x870f3570 cmd.exe 2236 1240 0 -------- 1 0 2019-07-06 13:57:50 UTC+0000 2019-07-06 13:58:32 UTC+0000 // lived 1 minute
0x86c32a38 cmd.exe 3972 1240 1 44 1 0 2019-07-06 14:00:54 UTC+0000
Items worth analyzing
0x000000007e7a97c8 9 1 RW-r-- \Device\HarddiskVolume2\Windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx //sysmon evtx
0x000000007e93a340 7 0 RW-r-- \Device\HarddiskVolume2\Windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx //sysmon evtx
0x000000007e93a448 17 1 RW-r-- \Device\HarddiskVolume2\Windows\System32\winevt\Logs\Windows PowerShell.evtx //powershell
0x000000007c41ea70 3 1 RW-r-- \Device\HarddiskVolume2\Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx
0x000000007c4a5108 8 0 -W-r-- \Device\HarddiskVolume2\GitStack\gitphp\exploit.php
0x000000007f8b8c68 5 0 R--r-d \Device\HarddiskVolume2\GitStack\gitphp\mimikatz.exe
Event timestamps (from pslist)
2019-07-06 13:53:52 UTC+0000 // Sysmon start time
2019-07-06 13:56:57 UTC+0000 // estimated time of attack (cmd)
2019-07-06 13:56:57 UTC+0000 // openssl.exe start time
2019-07-06 13:56:57 UTC+0000 // PowerShell start time
Sysmon1.evtx
2019-07-06 13:55:07.208 cmd.exe /c "C:/GitStack/git/bin/git.exe --version"
2019-07-06 13:55:07.271 
Certificate password: bol3jss2
2019-07-06 13:55:07.302 C:\GitStack\apache\bin\openssl.exe C:/GitStack/apache/bin/openssl.exe passwd -apr1 -salt boI3jss2 p 
2019-07-06 13:56:36.990 cmd.exe /c "whoami" IE11WIN7\IEUser
2019-07-06 13:56:57.115 Base64-decoded value:

gzip-compressed attack code
It can be confirmed that this is malicious code that runs in Windows PowerShell.
2019-07-06 13:56:57.130 C:/GitStack/apache/bin/openssl.exe passwd -apr1 -salt boI3jss2 k <same string as above>
2019-07-06 13:56:57.146 cmd /c powershell.exe -nop -w hidden -noni -e <same string as above>
2019-07-06 13:57:50.255 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <same string as above>, last occurrence
powershell.evtx
Not sure why, but there are no event log entries here.
exploit.php

Study notes
powershell.exe -nop -w hidden -noni -e
- -nop : NoProfile (do not load the user profile)
- -w hidden : WindowStyle Hidden (no visible window)
- -noni : NonInteractive; the only parameter the prefix "noni" matches is NonInteractive
- -e : the PowerShell CLI's -EncodedCommand parameter; it takes a Base64-encoded command string
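The -e argument above is Base64 over the UTF-16LE text of a script, and the decoded script in this case carried a second Base64 blob that inflated to gzip-compressed attack code. The following decoder is an added example written for these notes (not the author's own script); the stager wrapping in build_sample_cmdline is a constructed sample with a harmless inner command, used only so the decoder can be exercised offline.

```python
import base64
import gzip
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand, the same
# prefix matching that lets -noni stand for -NonInteractive.
ENC_FLAG = re.compile(r"(?i)\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
INNER_B64 = re.compile(r"FromBase64String\(['\"]([A-Za-z0-9+/=]+)['\"]\)")


def decode_encoded_command(cmdline):
    """Return the script carried by -e/-EncodedCommand, or None when the
    command line has none. The argument is Base64 over UTF-16LE text."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def unwrap_gzip_stager(script):
    """If the decoded script embeds a Base64 blob starting with the gzip
    magic bytes 1f 8b, inflate it and return the inner script, else None."""
    for blob in INNER_B64.findall(script):
        raw = base64.b64decode(blob)
        if raw[:2] == b"\x1f\x8b":
            return gzip.decompress(raw).decode("utf-8")
    return None


def build_sample_cmdline(inner_script):
    """Constructed sample only: wrap a harmless script the way the decoded
    payload above was wrapped (gzip -> Base64 -> stager -> UTF-16LE -> Base64)
    so the decoder can be exercised offline."""
    gz_b64 = base64.b64encode(gzip.compress(inner_script.encode())).decode()
    stager = ("$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('%s'));"
              "IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream"
              "($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()" % gz_b64)
    enc = base64.b64encode(stager.encode("utf-16-le")).decode()
    return "cmd /c powershell.exe -nop -w hidden -noni -e " + enc
```

Running decode_encoded_command over each Sysmon Event ID 1 command line and then unwrap_gzip_stager over the result recovers the real script in one pass instead of round-tripping through the online decoders listed above.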