ADȯ ڵ TTP м...
2019 2020, AD(Active Directory) ϴ ̹ þ鼭 ̿ ̽ Ŀ ִ. AD ټ ý ϴ ȿ, ̼ Żȴٸ ü θ Ǵ ֱ ̴.
AD 2000 ̻ ǰ ϴ , ϸ ϴ ǻͰ ϴ α ϴ ̴. API(Application Programming Interface) , ڰ پ ֱ ſ , ݴ AD Ż ý ڿ ѱ ִ.
2019 ݱ 2020 Ϲݱ, AD ȯ , ̿ 氢 ߿ ϴ å ÿ . ̿ ڵ ڷḦ 䱸ϱ ߴ.
ѱͳ ̷ ħ AD ȯ Ŀ ݾ ̰ ֱ , 2019 AD ȯ м κ TTP(Tactic, Technique, Procedure) Ȯ ־ٰ .
ƿ TTP ȯ Ư ¹ ֱ 帧 ̳ ƴ Ѵٰ ߴ. ̷ KISA AD ȯ 븰 ݿ TTP ľϰ, ATT&CK Framework( ݿ Ÿ Ʈ) ۼ ǥߴ.
AD ȯ 븰 TTP
1. Reconnaissance
ܰ迡 Email Stealer Ǽڵ带 ̿Ͽ ýۿ ƿ ̸ Ѵ. ̷ ̸ Ϻδ ǥ APT ݿ ȴ.
2. Resource Development
AD ȯ濡 ̵ Cobalt Strike Ammyy Admin, Tiny Met Ǽڵ带 ַ Ѵ. , Ǽڵ ڿ ̸ Ȯϰ SMB ̵ ü Ѵ.
3. Initial Access
Ż Ǽ ̳ Ǽ ũ ÷ε Ǿǽ Ѵ. Ϸ ϱ Ư Ȱϱ ǽ ¿ Ź .
4. Execution
Ǽڵ带 پ ϸ ý۵ ̿ Ͽ Ѵ. SMB Ʈ AD ε ٸ ýۿ ϰ Ǽڵ带 Ѵ. WMI Ŀ Ͽ ýۿ Ѵ.
5. Persistence
ýۿ Ǽڵ Ӽ ϱ Ʈ ڵ ǵ Ѵ. , AD ε ý ÿ Ǽڵ忡 Ű ؼ AD DC(Domain Controller) å Ѵ.
6. Command and Control
ڴ Ammyy RAT, Amadey Bot Ǽڵ带 Ͽ ܺ C2 ý پ ϰ ߰ Ǽ ٿεѴ. Ŀ SMB ٸ ý ߰ ϰ Ǽڵ带 ٿε Ų.
7. Privilege Escalation
ŻϿ AD ε ٸ ýۿ Ѵ. , ȣȭ ũ Żϱ Ѵ.
8. Credential Access
ڴ ̵ н α Ͽ AD ߰ Ѵ.
9. Defense Evasion
α Ž ȸ Ǽڵ带 ϰų ȣȭ, msiexec Ǽڵ带 Ѵ. ߴ Ǽڵ ̺Ʈ α Ѵ.
10. Discovery
ħ ϰ ˻̳ Ʈũ Ž θ ľѴ. ̵ ý ϸ, μ ϱ Ѵ.
11. Lateral Movement
ڴ Ȯ AD Ÿ ýۿ RDP õϸ ַ (SMB) ̿Ͽ Ǽڵ带 ϰ ߰ Ų. Ŀ ٸ ýۿ Ͽ ܺ κ ߰ Ǽڵ带 ٿε ϰų Ǽڵ带 Ƴ ٸ ýۿ Ѵ.
12. Collection
ڴ ħ AD ȹϰ ̵ ϸ Ping castle, powerkatz 뵵 Ͽ μ, Ʈũ, Ѵ. Ǽڵ带 ý ϰ, ü XOR ڵ Ѵ.
13. Exfiltration
ý ϳ Ϸ Ͽ C&C() Ѵ. ܰ迡 ýۿ ̸ϰ C&C Ѵ.
14. Impact
Ž ȸ μ Ѵ. AD , AD DC å ϰų, SMB ϴ Ų.
, ڴ Ǿǽ ο ħ߰, Ż Ŀ DC ǰ SMB ̵ ״. ̷ ڰ 䱸ϴ ̹ ջ , ý ս Ӹ ƴ϶, AD Ư ý ü ֿ Ǵ ߰ ص Ѵ.
ƿ İ , å ħ̳ , ѻ Ż SMB ̵ κ AD ݿ ȮεǴ Ư̶ ߴ. ̿ AD ȯ ϴ ߿ϴٰ ߴ.
Ư, ħ ڴ Ż븦 ǥ θ Žϰ ̵ϰ Ǵµ, ̶ Ϲ ƹ Żϴ θ ǿ ʴ´. ŻǴ AD DC(Domain Controller) и ؾ Ѵٰ ߴ.
, ּȭϰ Ұϰ ϴ ý۵ ֱ ؾ ϸ, AD DC ϵ å Ͽ ǽɽ Ǹ ← Ѵٴ . , ֿ ý α״ ֱ ϰ Ż Žǰų, ߰ ý Ѵٰ ߴ.
Source: Boannews
https://www.boannews.com/media/view.asp?idx=98083&page=1&kind=1
[ö (boanone@boannews.com)]