{"id":1291,"date":"2021-08-06T15:42:17","date_gmt":"2021-08-06T07:42:17","guid":{"rendered":"https:\/\/blog.billows.com.tw\/?p=1291"},"modified":"2021-08-06T15:42:18","modified_gmt":"2021-08-06T07:42:18","slug":"%e9%a7%ad%e5%ae%a2%e5%88%86%e8%b4%93%e9%ac%a7%e4%b8%8d%e5%92%8c%ef%bc%8cconti%e5%8b%92%e7%b4%a2%e8%bb%9f%e9%ab%94%e9%81%ad%e6%9c%83%e5%93%a1%e7%88%86%e6%96%99%e5%85%ac%e9%96%8b%e5%85%b6%e6%94%bb","status":"publish","type":"post","link":"https:\/\/blog.billows.com.tw\/?p=1291","title":{"rendered":"\u99ed\u5ba2\u5206\u8d13\u9b27\u4e0d\u548c\uff0cConti\u52d2\u7d22\u8edf\u9ad4\u906d\u6703\u54e1\u7206\u6599\u516c\u958b\u5176\u653b\u64ca\u548c\u57f9\u8a13\u7684\u6280\u8853\u624b\u518a"},"content":{"rendered":"\n<p>\u63d0\u4f9b\u52d2\u7d22\u8edf\u9ad4\u5373\u670d\u52d9\uff08Ransomware-as-a-Service, RaaS\uff09\u7684\u7d44\u7e54Conti\uff0c\u5176\u6703\u54e1\u56e0\u5206\u5230\u7684\u8d16\u91d1\u592a\u5c11\uff0c\u5fc3\u751f\u4e0d\u6eff\u7684\u5728\u5730\u4e0b\u99ed\u5ba2\u8ad6\u58c7XSS\u4e0a\u8f09\u4e86Conti\u52d2\u7d22\u8edf\u9ad4\u57f9\u8a13\u6703\u54e1\u53ca\u7528\u65bc\u653b\u64ca\u7684\u624b\u518a\u3002\u64da\u4e86\u89e3\uff0c\u8a72\u6280\u8853\u624b\u518a\u5167\u5bb9\u542b\u5982\u4f55\u5728\u88ab\u99ed\u516c\u53f8\u5167\u90e8\u5b58\u53d6\u3001\u6a6b\u5411\u79fb\u52d5\u548c\u5347\u7d1a\u5b58\u53d6\u6b0a\u9650\uff0c\u540c\u6642\u9084\u5305\u542b\u5982\u4f55\u5728\u52a0\u5bc6\u6a94\u6848\u4e4b\u524d\u5c07\u6578\u64da\u76dc\u53d6\u7b49\u3002<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"554\" height=\"458\" src=\"https:\/\/blog.billows.com.tw\/wp-content\/uploads\/2021\/08\/image-3.png\" alt=\"\" class=\"wp-image-1292\" srcset=\"https:\/\/blog.billows.com.tw\/wp-content\/uploads\/2021\/08\/image-3.png 554w, https:\/\/blog.billows.com.tw\/wp-content\/uploads\/2021\/08\/image-3-300x248.png 300w\" sizes=\"auto, (max-width: 554px) 100vw, 554px\" \/><figcaption>\u5fc3\u61f7\u4e0d\u6eff\u7684Conti RaaS\u6703\u54e1\u5728XSS\u8ad6\u58c7\u767c\u5e03\u7684\u5e16\u5b50<\/figcaption><\/figure>\n\n\n\n<p>\u4e00\u822c\u4f86\u8aaa\uff0c\u64cd\u4f5cConti\u52d2\u7d22\u8edf\u9ad4\u7684\u6838\u5fc3\u5718\u968a\u5728\u6bcf\u6b21\u5206\u8d13\u53ef\u8cfa\u53d6\u8d16\u91d1\u768420-30%\uff0c\u800c\u5176\u9918\u90e8\u5206\u7684\u5247\u7531\u5176\u6703\u54e1\u8cfa\u53d6\u3002\u6b64\u6b21\u7684\u7206\u6599\u4e8b\u4ef6\uff0c\u7591\u662f\u56e0\u70baConti\u6703\u54e1\u53ea\u5206\u5230\u4e86$1500\u7f8e\u5143\uff0c\u800c\u6838\u5fc3\u6210\u54e1\u537b\u5206\u5230\u904e\u767e\u842c\u7f8e\u5143\u6240\u5f15\u8d77\u7684\u3002\u9019\u540d\u6df1\u6df1\u4e0d\u5fff\u7684Conti\u6703\u54e1\uff0c\u4eca\u5929\u5c07Conti\u7684\u8cc7\u8a0a\u5305\u62ecCobalt Strike C2\u4f3a\u670d\u5668\u7684 IPs\u548c\u5305\u542b\u5927\u91cf\u5de5\u5177\u548c\u7528\u65bc\u9032\u884c\u52d2\u7d22\u8edf\u9ad4\u653b\u64ca\u7684\u57f9\u8a13\u8cc7\u6599\u7d04 110 MB \u7684\u5b58\u6a94\uff0c\u4e0a\u50b3\u5230XSS\u99ed\u5ba2\u8ad6\u58c7\uff0c\u5f15\u8d77\u8f5f\u52d5\u3002<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"554\" height=\"374\" src=\"https:\/\/blog.billows.com.tw\/wp-content\/uploads\/2021\/08\/image-4.png\" alt=\"\" class=\"wp-image-1293\" srcset=\"https:\/\/blog.billows.com.tw\/wp-content\/uploads\/2021\/08\/image-4.png 554w, https:\/\/blog.billows.com.tw\/wp-content\/uploads\/2021\/08\/image-4-300x203.png 300w\" sizes=\"auto, (max-width: 554px) 100vw, 554px\" \/><figcaption>\u5feb\u628aConti\u7684IPs\u963b\u64cb\u8d77\u4f86- 162.244.80.235\/ 85.93.88.165\/185.141.63.120\/ 82.118.21.1<\/figcaption><\/figure>\n\n\n\n<p>\u53e6\u5916\uff0c\u6839\u64da\u570b\u5916\u8cc7\u5b89\u5a92\u9ad4\u5831\u5c0e\uff0c\u5916\u6d29\u7684\u624b\u518a\u5305\u542b\u6709\u95dc\u5982\u4f55\u57f7\u884c\u4ee5\u4e0b\u64cd\u4f5c\u7684\u6307\u5357\uff1a<\/p>\n\n\n\n<p>*\u4f7f\u7528 MEGA \u5e33\u6236\u914d\u7f6e Rclone\u8edf\u9ad4\u4ee5\u9032\u884c\u6578\u64da\u6d29\u9732<\/p>\n\n\n\n<p>*\u5c07AnyDesk \u8edf\u9ad4\u914d\u7f6e\u4f5c\u70ba\u53d7\u5bb3\u8005\u7db2\u8def\u4e2d\u7684\u6301\u4e45\u6027\u548c\u9060\u7aef\u5b58\u53d6\u7684\u65b9\u6cd5[\u4e00\u7a2e\u5df2\u77e5\u7684 Conti \u7b56\u7565<\/p>\n\n\n\n<p>*\u914d\u7f6e\u548c\u4f7f\u7528 Cobalt Strike<\/p>\n\n\n\n<p>*\u4f7f\u7528 NetScan \u5de5\u5177\u6383\u63cf\u5167\u90e8\u7db2\u8def<\/p>\n\n\n\n<p>&nbsp;*\u5728\u865b\u64ec\u5c08\u7528\u670d\u52d9\u5668 (VPS) \u4e0a\u5b89\u88dd Metasploit \u6ef2\u900f\u6e2c\u8a66\u6846\u67b6<\/p>\n\n\n\n<p>*\u4f7f\u7528Ngrok \u5b89\u5168\u96a7\u9053\u901a\u904e RDP \u9023\u63a5\u5230\u88ab\u99ed\u7684\u7db2\u8def<\/p>\n\n\n\n<p>*\u5728\u516c\u53f8\u7684\u88ab\u99ed\u7db2\u8def\u4e2d\u63d0\u5347\u4e26\u7372\u5f97\u7ba1\u7406\u54e1\u6b0a\u9650<\/p>\n\n\n\n<p>*\u63a5\u7ba1\u7db2\u57df\u63a7\u5236\u5668<\/p>\n\n\n\n<p>*\u5f9e Active Directory \u8f49\u5132\u5bc6\u78bc\uff08NTDS \u8f49\u5132\uff09<\/p>\n\n\n\n<p>*\u57f7\u884c SMB \u66b4\u529b\u653b\u64ca<\/p>\n\n\n\n<p>*\u5f37\u529b\u8def\u7531\u5668\u3001NAS \u8a2d\u5099\u548c\u5b89\u5168\u651d\u50cf\u982d<\/p>\n\n\n\n<p>*\u4f7f\u7528 ZeroLogon \u6f0f\u6d1e<\/p>\n\n\n\n<p>*\u57f7\u884cKerberoasting\u653b\u64ca<\/p>\n\n\n\n<p>*\u7981\u7528 Windows Defender \u4fdd\u8b77<\/p>\n\n\n\n<p>*\u522a\u9664\u5377\u5f71\u526f\u672c<\/p>\n\n\n\n<p>*\u6703\u54e1\u5982\u4f55\u914d\u7f6e\u81ea\u5df1\u7684\u64cd\u4f5c\u7cfb\u7d71\u4ee5\u4f7f\u7528 Tor \u533f\u540d\u7db2\u8def\u7b49<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"554\" height=\"140\" src=\"https:\/\/blog.billows.com.tw\/wp-content\/uploads\/2021\/08\/image-5.png\" alt=\"\" class=\"wp-image-1294\" srcset=\"https:\/\/blog.billows.com.tw\/wp-content\/uploads\/2021\/08\/image-5.png 554w, https:\/\/blog.billows.com.tw\/wp-content\/uploads\/2021\/08\/image-5-300x76.png 300w\" sizes=\"auto, (max-width: 554px) 100vw, 554px\" \/><\/figure>\n\n\n\n<p>\u6709\u95dcConti\u52d2\u7d22\u8edf\u9ad4\u7684\u60c5\u8cc7:<\/p>\n\n\n\n<p><a href=\"https:\/\/otx.alienvault.com\/pulse\/5f0781369d8978954c40d9f1\">https:\/\/otx.alienvault.com\/pulse\/5f0781369d8978954c40d9f1<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/otx.alienvault.com\/pulse\/60a2d0486c6e368ed30220da\">https:\/\/otx.alienvault.com\/pulse\/60a2d0486c6e368ed30220da<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u63d0\u4f9b\u52d2\u7d22\u8edf\u9ad4\u5373\u670d\u52d9\uff08Ransomware-as-a-Service, RaaS\uff09\u7684\u7d44\u7e54Conti\uff0c\u5176\u6703\u54e1\u56e0\u5206\u5230 <a class=\"read-more\" href=\"https:\/\/blog.billows.com.tw\/?p=1291\">READ MORE<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[173,112],"class_list":["post-1291","post","type-post","status-publish","format-standard","hentry","category-6","tag-conti","tag-112"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/1291","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1291"}],"version-history":[{"count":1,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/1291\/revisions"}],"predecessor-version":[{"id":1295,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/1291\/revisions\/1295"}],"wp:attachment":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1291"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1291"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1291"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}