{"id":2616,"date":"2023-04-26T16:28:31","date_gmt":"2023-04-26T08:28:31","guid":{"rendered":"https:\/\/blog.billows.com.tw\/?p=2616"},"modified":"2023-04-27T11:15:15","modified_gmt":"2023-04-27T03:15:15","slug":"%e6%96%b0%e5%9e%8b%e9%a7%ad%e5%ae%a2%e5%b7%a5%e5%85%b7aukill%e9%80%8f%e9%81%8e%e5%88%a9%e7%94%a8-byovd%e6%94%bb%e6%93%8a%e6%89%8b%e6%b3%95%e4%be%86%e9%97%9c%e9%96%89-edr-%ef%bc%8c%e9%83%a8%e7%bd%b2","status":"publish","type":"post","link":"https:\/\/blog.billows.com.tw\/?p=2616","title":{"rendered":"\u65b0\u578b\u99ed\u5ba2\u5de5\u5177AuKill\u900f\u904e\u5229\u7528 BYOVD\u653b\u64ca\u624b\u6cd5\u4f86\u95dc\u9589 EDR \uff0c\u90e8\u7f72\u52d2\u7d22\u8edf\u9ad4"},"content":{"rendered":"\n

\u7814\u7a76\u767c\u73fe\uff0c\u4e00\u7a2e\u540d\u70ba AuKill \u7684\u65b0\u578b\u99ed\u5ba2\u5de5\u5177\u56e0\u5176\u96b1\u853d\u529f\u80fd\u800c\u8d8a\u4f86\u8d8a\u53d7\u5230\u653b\u64ca\u8005\u7684\u9752\u775e\uff0c\u8a72\u5de5\u5177\u65e8\u5728\u901a\u904e\u81ea\u5e36\u9a45\u52d5\u7a0b\u5f0f\u653b\u64ca\u624b\u6cd5\uff08Bring Your Own Vulnerable Driver\uff0cBYOVD\uff09\u4f86\u95dc\u9589\u7aef\u9ede\u5075\u6e2c\u548c\u56de\u61c9(EDR) \u8edf\u9ad4\u3002BYOVD \u6280\u8853\u4f9d\u8cf4\u65bc\u653b\u64ca\u8005\u6feb\u7528\u7531 Microsoft \u7c3d\u7ae0\u7684\u5408\u6cd5\u4f46\u904e\u6642\u4e14\u53ef\u5229\u7528\u7684\u9a45\u52d5\u7a0b\u5f0f\uff08\u6216\u4f7f\u7528\u88ab\u76dc\u6216\u5916\u6d29\u9732\u7684\u6191\u8b49\uff09\u4f86\u7372\u5f97\u63d0\u5347\u7684\u7279\u6b0a\u4e26\u95dc\u9589\u5b89\u5168\u6a5f\u5236\u3002\u81ea\u4eca\u5e74\u5e74\u521d\u4ee5\u4f86\uff0cAuKill \u5df2\u88ab\u7528\u65bc\u81f3\u5c11\u4e09\u8d77\u52d2\u7d22\u8edf\u9ad4\u653b\u64ca\u3002\u6839\u64daSophos \u5831\u544a<\/a>\uff0c\u7814\u7a76\u4eba\u54e1\u89c0\u5bdf\u5230\u4e0d\u540c\u7684\u653b\u64ca\u8005\u5718\u9ad4\u5728\u5404\u7a2e\u60e1\u610f\u6d3b\u52d5\u4e2d\u4f7f\u7528 AuKill\u4f86\u95dc\u9589 EDR \u9032\u7a0b:<\/p>\n\n\n\n

*\u5728 2023 \u5e74\u7684\u9996\u5169\u500b\u6708\uff0c\u89c0\u5bdf\u5230\u5169\u8d77\u4e0d\u540c\u7684Medusa Locker \u52d2\u7d22\u8edf\u9ad4\u653b\u64ca\u6d3b\u52d5\u3002\u5728 1 \u6708 18 \u65e5\u548c 2 \u6708 14 \u65e5\uff0c\u653b\u64ca\u8005\u4f7f\u7528 AuKill \u7d42\u6b62\u4e86 EDR\u9032\u7a0b\uff0c\u7136\u5f8c\u90e8\u7f72\u4e86 Medusa Locker \u52d2\u7d22\u8edf\u9ad4<\/p>\n\n\n\n

*2 \u6708\u7684\u53e6\u4e00\u8d77\u6d3b\u52d5\u5247\u767c\u73feAuKill \u88ab\u7528\u4f86\u90e8\u7f72 LockBit \u52d2\u7d22\u8edf\u9ad4<\/p>\n\n\n\n

\"\"
AuKill\u51fa\u73fe\u548c\u6b78\u56e0\u4e8b\u4ef6\u7684\u65e5\u671f-Photo Credit : Sophos<\/figcaption><\/figure>\n\n\n\n

AuKill\u662f\u5982\u4f55\u904b\u4f5c\u7684\uff1f<\/strong><\/p>\n\n\n\n

AuKill \u5de5\u5177\u91dd\u5c0dProcess Explorer\u7684 v16.32 (\u904e\u6642\u7248\u672c)\u900f\u904e\u81ea\u5e36\u6613\u53d7\u653b\u64ca\u9a45\u52d5\u7a0b\u5f0f\u653b\u64ca BYOVD\u7684\u6280\u8853\u7d42\u6b62 EDR \u9032\u7a0b\u3002<\/p>\n\n\n\n

*\u611f\u67d3\u5f8c\uff0c\u5b83\u5728 Microsoft Process Explorer v16.32 \u4f7f\u7528\u7684\u9a45\u52d5\u7a0b\u5f0f\u65c1\u908a\u653e\u7f6e\u4e00\u500b\u6613\u53d7\u653b\u64ca\u7684 Windows \u9a45\u52d5\u7a0b\u5f0f procexp.sys\u3002Process Explorer\u662f\u4e00\u500b\u975e\u5e38\u6d41\u884c\u4e14\u5408\u6cd5\u7684\u5be6\u7528\u7a0b\u5f0f\uff0c\u53ef\u5e6b\u52a9\u6536\u96c6\u6709\u95dc\u6d3b\u52d5 Windows \u9032\u7a0b\u7684\u8cc7\u6599\u3002<\/p>\n\n\n\n

*\u63a5\u4e0b\u4f86\uff0cAuKill\u6703\u6aa2\u67e5\u5b83\u662f\u5426\u4ee5 SYSTEM \u6b0a\u9650\u904b\u884c\u3002\u5982\u679c\u4e0d\u662f\uff0c\u5b83\u6703\u5617\u8a66\u901a\u904e\u6a21\u64ec TrustedInstaller Windows \u6a21\u7d44\u5b89\u88dd\u7a0b\u5e8f\u670d\u52d9\u4f86\u5347\u7d1a\u5230\u6240\u9700\u7684\u6b0a\u9650\u3002<\/p>\n\n\n\n

*\u5b83\u555f\u52d5\u591a\u500b\u7dda\u7a0b\u4f86\u6383\u63cf\u548c\u7d42\u6b62\u8207 EDR \u76f8\u95dc\u7684\u670d\u52d9\u548c\u9032\u7a0b\u3002AuKill \u91dd\u5c0d\u7684 EDR\u4f9b\u61c9\u5546\u548c\u670d\u52d9\u56e0\u6a23\u672c\u800c\u7570\uff0c\u5305\u62ec Microsoft\u3001Sophos\u3001Splashtop \u548c Aladdin HASP Software\u3002<\/p>\n\n\n\n

\u5728default\u60c5\u6cc1\u4e0b\uff0cWindows\u4f7f\u7528\u9a45\u52d5\u7a0b\u5f0f\u7c3d\u7ae0\u5f37\u5236\u529f\u80fd\u4f86\u78ba\u4fdd\u5167\u6838\u6a21\u5f0f\u9a45\u52d5\u7a0b\u5f0f\u5728\u64cd\u4f5c\u7cfb\u7d71\u5141\u8a31\u5176\u57f7\u884c\u4e4b\u524d\u5df2\u7531\u6709\u6548\u7684\u7a0b\u5f0f\u7c3d\u7ae0\u6a5f\u69cb\u7c3d\u7ae0\u3002\u70ba\u4e86\u7e5e\u904e\u5b89\u5168\u63aa\u65bd\uff0c\u653b\u64ca\u8005\u9700\u8981\u627e\u5230\u4e00\u7a2e\u65b9\u6cd5\u8b93\u60e1\u610f\u9a45\u52d5\u7a0b\u5f0f\u901a\u904e\u53d7\u4fe1\u4efb\u7684\u6191\u8b49\u7c3d\u7ae0\uff0c\u6216\u8005\u6feb\u7528\u5408\u6cd5\u7684\u5546\u696d\u8edf\u9ad4\u9a45\u52d5\u7a0b\u5f0f\u4f86\u9054\u5230\u4ed6\u5011\u7684\u76ee\u6a19\u3002\u5728 Sophos \u89c0\u5bdf\u5230\u7684\u653b\u64ca\u4e2d\uff0c\u653b\u64ca\u8005\u4f7f\u7528\u4e86\u7531 Microsoft \u5efa\u7acb\u4e26\u7c3d\u7ae0\u7684\u9a45\u52d5\u7a0b\u5f0f\u3002<\/p>\n\n\n\n

Process Explorer \u9a45\u52d5\u7a0b\u5f0f\u662fWindows Sysinternals\u958b\u767c\u7684\u4e00\u5957\u9032\u968e\u7684\u7cfb\u7d71\u7ba1\u7406\u5de5\u5177\u5957\u4ef6\u7684\u4e00\u90e8\u5206\uff0c\u662f\u4e00\u7a2e\u9032\u7a0b\u6aa2\u8996\u5668\u548c\u63a7\u5236\u516c\u7528\u7a0b\u5f0f\u3002 \u6839\u64daSophos \uff0cAuKill \u5c07\u540d\u70ba PROCEXP.SYS \u7684\u9a45\u52d5\u7a0b\u5e8f\u5f0f\uff08\u4f86\u81ea\u9032\u7a0b\u8cc7\u6e90\u7ba1\u7406\u5668\u7684\u767c\u884c\u7248 16.32\uff09\u653e\u5165 C:\\Windows\\System32\\drivers \u8def\u5f91\u3002\u5408\u6cd5\u7684 Process Explorer \u9a45\u52d5\u7a0b\u5f0f\u540d\u70ba PROCEXP152.sys\uff0c\u901a\u5e38\u4f4d\u65bc\u540c\u4e00\u4f4d\u7f6e\u3002\u5169\u500b\u9a45\u52d5\u7a0b\u5f0f\u90fd\u53ef\u4ee5\u5b58\u5728\u65bc\u904b\u884c Process Explorer \u526f\u672c\u7684\u6a5f\u5668\u4e0a\u3002AuKill \u5b89\u88dd\u7a0b\u5f0f\u9084\u5c07\u5176\u81ea\u8eab\u7684\u53ef\u57f7\u884c\u526f\u672c\u653e\u5165 System32 \u6216 TEMP \u76ee\u9304\uff0c\u4f5c\u70ba\u670d\u52d9\u904b\u884c\u3002<\/p>\n\n\n\n

\"\"
Photo Credit: Sophos -\u60e1\u610f\u5b89\u88dd\u7684 Process Explorer \u9a45\u52d5\u7a0b\u5f0f\uff08\u4ee5\u7d05\u8272\u7a81\u51fa\u986f\u793a\uff09\u8207\u5408\u6cd5\u7684 Process Explorer \u9a45\u52d5\u7a0b\u5f0f proxexp152.sys \u5728 Drivers\u6a94\u6848\u593e\u4e2d<\/figcaption><\/figure>\n\n\n\n

AuKill \u4e26\u4e0d\u662f\u7b2c\u4e00\u500b\u901a\u904e Process Explorer \u91dd\u5c0d EDR \u670d\u52d9\u7684\u5de5\u5177\u3002\u904e\u53bb\uff0c\u4e00\u500b\u540d\u70ba Backstab<\/a> \u7684\u958b\u6e90\u5de5\u5177\u57f7\u884c\u4e86\u985e\u4f3c\u7684\u64cd\u4f5c\u3002\u64da\u4fe1\uff0cAuKill \u662f\u4f7f\u7528\u8207 Backstab \u76f8\u540c\u7684\u6838\u5fc3\u6280\u8853\u958b\u767c\u7684\u3002Sophos \u5831\u544a\u7a31\u7814\u7a76\u4eba\u54e1\u6536\u96c6\u4e86 AuKill \u60e1\u610f\u8edf\u9ad4\u7684\u516d\u7a2e\u4e0d\u540c\u8b8a\u7a2e\uff0c\u9019\u4e9b\u8b8a\u7a2e\u8207\u958b\u6e90\u5de5\u5177 Backstab \u6709\u591a\u7a2e\u76f8\u4f3c\u4e4b\u8655\u3002\u7814\u7a76\u4eba\u54e1\u89c0\u5bdf\u5230\u7684\u76f8\u4f3c\u4e4b\u8655\u5305\u62ecdebug\u5b57\u4e32\uff0c\u4ee5\u53ca\u8207\u9a45\u52d5\u7a0b\u5f0f\u4e92\u52d5\u7684\u5e7e\u4e4e\u76f8\u540c\u7684\u7a0b\u5f0f\u78bc\u908f\u8f2f\u3002<\/p>\n\n\n\n

AuKill\u7684\u90e8\u5206\u5165\u4fb5\u6307\u6a19(Indicator of compromise -IOCs):<\/p>\n\n\n\n

SHA 1<\/p>\n\n\n\n

f7b0369169dff3f10e974b9a10ec15f7a81dec54<\/p>\n\n\n\n

23b531ae8ca72420c5b21b1a68ff85524f36203a   <\/p>\n\n\n\n

7f93f934b570c8168940715b1d9836721021fd41<\/p>\n\n\n\n

\u201c\u8f49\u8cbc\u3001\u5206\u4eab\u6216\u5f15\u7528\u6587\u7ae0\u5167\u5bb9\uff0c\u8acb\u8a3b\u660e\u51fa\u8655\u70ba\u7ae3\u76df\u79d1\u6280https:\/\/www.billows.tech\/<\/a>, \u4ee5\u514d\u89f8\u6cd5\u201d<\/p>\n","protected":false},"excerpt":{"rendered":"

\u7814\u7a76\u767c\u73fe\uff0c\u4e00\u7a2e\u540d\u70ba AuKill \u7684\u65b0\u578b\u99ed\u5ba2\u5de5\u5177\u56e0\u5176\u96b1\u853d\u529f\u80fd\u800c\u8d8a\u4f86\u8d8a\u53d7\u5230\u653b\u64ca\u8005\u7684\u9752\u775e\uff0c\u8a72\u5de5\u5177\u65e8\u5728\u901a\u904e\u81ea\u5e36\u9a45\u52d5\u7a0b READ MORE<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[174],"class_list":["post-2616","post","type-post","status-publish","format-standard","hentry","category-6","tag-news"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/2616","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2616"}],"version-history":[{"count":7,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/2616\/revisions"}],"predecessor-version":[{"id":2629,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/2616\/revisions\/2629"}],"wp:attachment":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2616"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2616"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2616"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}