avatarJoel Fukuzawa

Free AI web copilot to create summaries, insights and extended knowledge, download it at here

6344

Abstract

lass="hljs-keyword">Get</span>-EventLog -logname security -InstanceId <span class="hljs-number">4720</span> | <span class="hljs-keyword">Select</span>-<span class="hljs-type">Object</span> *</pre></div><figure id="9247"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*1ogBlqZ-7dNeDpNg7baIUw.png"><figcaption></figcaption></figure><p id="fab0">Our initial assumption was accurate. Now, let’s list the privileges held by the <b><i>‘apt’ </i></b>user. Since we already know this user belongs to the Administrator group, we can confirm this by enumerating the admin group.</p><div id="0989"><pre>net localgroup Administrators</pre></div><figure id="31eb"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*n8AmAAO-wgl9guGrSdE1PQ.png"><figcaption></figcaption></figure><p id="2be9">However, the privileges held by the user <b><i>‘apt’</i></b> remain uncertain. To determine their access level, we will employ the Sysinternals tool called <b><i><a href="https://learn.microsoft.com/en-us/sysinternals/downloads/accesschk">accesschk</a>,’</i></b> which will assist us in identifying the extent of access granted to the ‘apt’ user. Go to the respective folder and this file with the below command attribute.</p><div id="f085"><pre>.\accesschk64<span class="hljs-selector-class">.exe</span> apt -<span class="hljs-selector-tag">a</span> *</pre></div><figure id="9f6f"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*kHHnzdbij_wQaZXIosY8sg.png"><figcaption></figcaption></figure><p id="7afb">Indeed, it’s confirmed that the user ‘apt’ possesses full privileges within the operating system. Our next step is to identify any active sessions associated with this user. To acquire this information, we can leverage system commands, Sysinternals tools, or even examine event logs. For now, we’ll opt for the Sysinternals tool ‘<a href="https://learn.microsoft.com/en-us/sysinternals/downloads/psloggedon">PsLoggedon</a>,’ which will help us determine any active login sessions.</p><figure id="7a36"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*SFoW2OOgM7DZZyVHPuDfSw.png"><figcaption></figcaption></figure><p id="e60d">This observation reveals that the user ‘apt’ has logged into the victim machine through system shares. To determine the origin of this connection, we can utilize the ‘net’ command to gather more information.</p><div id="d661"><pre>net session</pre></div><figure id="9ac1"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*JApyNvTUPHprvRSnyaJE6A.png"><figcaption></figcaption></figure><p id="0b6d">The observation indicates that the attacker’s machine is identified as <b><i>192.168.0.104</i></b>, and the connection to the victim’s machine remains active, suggesting that the attacker is currently on that system.</p><h1 id="0006">Process and Service Information</h1><p id="3547">Now, let’s extract valuable information from processes and services, as critical data is often concealed there. To gather process information, we have two PowerShell cmdlets at our disposal: ‘Get-Process’ and ‘Get-WmiObject Win32_Process.’ I recommend using ‘WmiObject’ because it provides more comprehensive data compared to the first cmdlet. We will retrieve a list of processes running at the time of the investigation.</p><div id="54a8"><pre><span class="hljs-keyword">Get</span>-WmiObject -<span class="hljs-keyword">Class</span> Win32_Process | <span class="hljs-keyword">select</span> ProcessName, ProcessId,CommandLine</pre></div><figure id="ea4e"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*okLiTkQMzF-ji_193xAgCg.png"><figcaption></figcaption></figure><p id="b190">Numerous processes are running, making it challenging to identify anomalies. However, given that user <b><i>VictimA</i></b> has been compromised, we should focus on processes initiated by this user.</p><div id="cca5"><pre>Get-WmiObject -Class Win32_Process | <span class="hljs-built_in">where</span> { <span class="hljs-variable">$_</span>.GetOwner().User -eq <span class="hljs-string">"VictimA"</span> } | <span class="hljs-keyword">select</span> ProcessId, Name, CommandLine</pre></div><figure id="4972"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*sh5NIGAVwx9SSsyg5ED1bg.png"><figcaption></figcaption></figure><p id="66f7">We noticed that some processes initiated by user <b><i>VictimA</i></b> appear suspicious based on their command lines. Let’s investigate the parent-child relationships for these processes using its Process ID.</p><div id="3dd1"><pre><span class="hljs-keyword">Get</span>-WmiObject -<span class="hljs-keyword">Class</span> Win32_Process | <span class="hljs-keyword">where</span> processid -<span class="hljs-keyword">In</span> <span class="hljs-number">7036</span>,<span class="hljs-number">5892</span>,<span class="hljs-number">5776</span>,<span class="hljs-number">9112</span>,<span class="hljs-number">7912</span>,<span class="hljs-number">460</span>,<span class="hljs-number">8864</span> | <span class="hljs-keyword">select</span> ParentProcessId,ProcessId, Name, CommandLine</pre></div><figure id="1b1a"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*5CeYdOtVvcy4bDPKdmxXbA.png"><figcaption></figcaption></figure><p id="ddaa">It has been observed that the <b><i>‘ad.bat’</i></b> file executed a PowerShell command. The purpose of this command was to download a PowerShell script and run it, specifying an IP address and port number as attributes. This suggests that the PowerShell script was designed to establish a reverse connection as part of an attack. The reference image is given from Process Explorer.</p><figure id="aaaa"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*fNdvmFTnbrtYE9MBTCAvdQ.png"><figcaption></figcaption></figure><p id="c8d3">Now that we have collected a significant amount of information about the suspicious processes, let’s shift our focus to the services, where we might find valuable insights. We will gather a list of all actively running services.</p><div id="6cfd"><pre>Get-WmiObject -<span class="hljs-keyword">class</span> <span class="hljs-title class_">Win32_service</span> |<span class="hljs-title">where</span> <span class="hljs-title">State</span> -<span class="hljs-title">eq</span> '<span class="hljs-title">Running</span>'| <span class="hljs

Options

-title">select</span> <span class="hljs-title">name</span>,<span class="hljs-type">processid</span>,<span class="hljs-type">status</span>,<span class="hljs-type">started</span>,<span class="hljs-type">state</span>,<span class="hljs-type">pathname</span></pre></div><figure id="1a9a"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*WVIZinER8JAbBjd-6vzfgg.png"><figcaption></figcaption></figure><p id="7bd7">No suspicious findings so far, but I’d like to take a closer look at the running services associated with the Process IDs we identified during our process investigation.</p><div id="2ff9"><pre>Get-WmiObject -<span class="hljs-keyword">class</span> <span class="hljs-title class_">Win32_service</span> |<span class="hljs-title">where</span> <span class="hljs-title">State</span> -<span class="hljs-title">eq</span> '<span class="hljs-title">Running</span>' |<span class="hljs-title">where</span> <span class="hljs-title">processid</span> -<span class="hljs-title">In</span> 7036,<span class="hljs-type">5892</span>,<span class="hljs-type">5776</span>,<span class="hljs-type">9112</span>,<span class="hljs-type">7912</span>,<span class="hljs-type">460</span>,<span class="hljs-type">8864|</span> <span class="hljs-title">select</span> <span class="hljs-title">name</span>,<span class="hljs-type">processid</span>,<span class="hljs-type">status</span>,<span class="hljs-type">started</span>,<span class="hljs-type">state</span>,<span class="hljs-type">pathname</span></pre></div><figure id="4c35"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*6CV3yOovqZM7JUBwaHnxYA.png"><figcaption></figcaption></figure><p id="49a9">Nothing suspicious was observed!!</p><h1 id="7870">Network Information</h1><p id="f2ac">As we’re aware of the reverse connection, our next step is to confirm its presence or establishment. To achieve this, we will utilize the <b><i>‘netstat</i></b>’ utility. Our first action is to retrieve a list of all connections.</p><figure id="786e"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*Ap9HOX5ljV59a3JvaZHSVQ.png"><figcaption></figcaption></figure><p id="11b0">Now, we’ll inspect the established connections and identify their owners. In our particular instance, we noted a connection on port 4444, and it’s associated with PowerShell, which is indicated by the PID 7912. This confirmation implies that a Command and Control session has been established on <b><i>192.168.0.108</i></b>.</p><figure id="0027"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*z-wRQ1UG_jCLSdxaYQPCdw.png"><figcaption></figcaption></figure><p id="b7dd">We’ll now examine the nature of communication between the compromised machine and the C2C server, which typically functions as a Master-Slave relationship. To inspect this interaction, we’ll employ Wireshark</p><figure id="5026"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*a_g9T6ZW98cMgq_iPdOznA.png"><figcaption></figcaption></figure><h1 id="c47c">Autorun and schedule task information</h1><p id="ab11">As we approached the final phase of our live forensics on the Windows machine, our attention was drawn to the C2C (Command and Control) connection, where the server was attempting to add a .bat file to the registry to establish persistence on the system. Before delving into the registry path, we conducted a preliminary check to see if any applications were located in the startup locations. Unfortunately, we did not discover any malicious applications in these areas.</p><figure id="bf7a"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*1_Ng1FqB8eP4KK8XE_jOxA.png"><figcaption></figcaption></figure><p id="43dd">At this point, our attention is directed towards the startup commands within the registry. We’ve noticed that a registry key has been added, and the associated file is named “sd.bat.”</p><div id="93c4"><pre>gwmi <span class="hljs-title class_">Win32</span>_StartupCommand</pre></div><figure id="2a07"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*6C5wTI9ysapfJD6q5WY_OA.png"><figcaption></figcaption></figure><p id="3a9e">We’ll make an effort to gather more detailed information regarding this specific startup location to gain deeper insights into the activity. This confirms that the activity recorded in network forensics has been successfully executed, and persistence has been maintained.</p><div id="f52f"><pre>gwmi Win32_StartupCommand | <span class="hljs-keyword">where</span> name -eq <span class="hljs-string">"APT"</span> | <span class="hljs-keyword">select</span> *</pre></div><figure id="8544"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*lfQO-8KyGLRyWen8Hg44-g.png"><figcaption></figcaption></figure><p id="bdef">We will now check if any other persistence activity has been observed via scheduled tasks. Unfortunately, no suspicious activity has been found.</p><div id="0fac"><pre><span class="hljs-keyword">Get</span><span class="hljs-operator">-</span>ScheduledTask <span class="hljs-operator">|</span> <span class="hljs-keyword">where</span> state <span class="hljs-operator">-</span>eq <span class="hljs-string">'Ready'</span></pre></div><figure id="cfb5"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*EihxglbQgcwtDh4rC5VPbQ.png"><figcaption></figcaption></figure><h1 id="51e5">Indicator of Attack</h1><p id="f3aa">- New user APT has been created — <b>Initial Access (T1078.003)</b>

  • User APT added to the admin group — <b>Privilege Escalation (T1098)</b>
  • The user ‘APT’ has logged into the victim’s machine using network services from the IP address 192.168.0.104 — <b>Lateral Movement (T1021.002)</b>
  • PowerShell commands were executed from a batch file, with the aim of downloading a PowerShell script and running it, providing an IP address and port number as inputs. This indicates the establishment of a reverse shell. — <b>Execution (T1059)</b>
  • I noticed a batch file added to HKU<user>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, indicating that this file will be executed upon user VictimA’s login. — <b>Persistence (T1547.001)</b></p><h1 id="afc0">Conclusion</h1><p id="3dda">The process we’ve discussed in this blog is not exhaustive, and there are other artifacts that can also be observed. We’ll aim to cover those in the next blog.</p></article></body>

燈光璀璨的故事 從日本明治起源到新竹工業的輝煌

如果問我,冬天最愛的風景,大概就是聖誕節前後,看到街上璀璨的聖誕燈飾,讓人感受到聖誕節節日溫暖氣氛的來臨。日本開始使用燈飾,可以回溯到明治時代,據說最早是超市年末商戰為了吸引客流的裝飾。根據愛迪生博物館的資料,1879年愛迪生發明了白熱電燈泡之後,為了向人們展示這一發明,他在美國新澤西州研究所附近的街道上掛起了電燈泡做成的燈飾是人類第一個有燈飾的夜景。在日本,聖誕節與燈飾之間確實有著深厚的聯繫。關於日本燈飾的起源也是眾說紛紜,其中最有力的說法是 1885 年在橫濱創業的高級超市明治屋為了年底商戰所做的「聖誕裝飾」。由於明治屋的創辦人磯野計先生曾在三菱創辦人岩崎彌太郎的金援下,被派到英國,在當地企業工作了四年,學習西洋的會計知識。在這段期間,他親身體驗了西歐人慶祝聖誕的方式。當磯野回日本之後,創立了明治屋,便年末商戰的時候,用燈泡裝飾店面,帶來不錯的效果。隨後,明治屋 1900 年在銀座開設分店,延續了橫濱店聖誕裝飾的模式,有人為了觀賞明治屋的聖誕裝飾專程趕來銀座。這樣的效果,使得銀座附近的其他商店也開始仿效明治屋進行裝飾,最後日本在聖誕商戰時期,聖誕燈飾成了不可或缺的行銷定番。

電燈燈泡點燃 日本街道的夜空

不過,也有人認為,根據1908年出版的《明治事物起源》,1900 年4月30日在神戶港舉行了軍艦観艦式,記載了「夜間各艦發光照亮海面」的情景,才是日本用燈飾裝點夜景的起點。 1903 年在大阪舉辦的「第5回内國勧業博覧會」同樣在夜間佈置了燈飾裝飾。現在在東京上野的國立科學博物館理工學研究部還保存有一幅「第五回内國勧業博覧会電燈装飾之圖」描述當時用燈飾裝飾街道的情景。接著在二戰之後的 1960. 年代,日本不光是商業設施,許多家庭也開始在聖誕節的時候,為家中的聖誕樹點上電燈燈飾。進入 2000 年之後,許多海外出身以及海外赴任返國的人們,也開始在家外牆裝飾電球,這一趨勢同時也受到了青色發光二極體(LED)技術的推動。與傳統的白熱電燈相比,LED電燈節能且壽命更長,使燈飾的應用範圍大幅擴展。

全球聖誕燈泡的故鄉 台灣

日本以及美國大量的聖誕燈飾需求,也意外牽動到台灣的工業發展。在台灣的工業歷史中,新竹市在聖誕燈泡製造領域擁有獨特而輝煌的地位。自從 1960 年以來,正好就是日本正好流行在家中佈置聖誕燈飾的時候,也正好帶動了台灣新竹的聖誕燈泡產業增長和發展。新竹聖誕燈泡產業的興起,始於一張1960年代來自義大利的大訂單,靠著這張訂單,使得新竹的聖誕燈飾產業迅速崛起。短短幾年內,新竹及其周邊地區迅速發展成為世界最大的聖誕燈泡生產以及組裝中心。到 1966 年新竹已經擁有超過 80 家聖誕燈泡和裝飾燈製造廠,使台灣成為全球的「聖誕燈泡王國」。到了 1970 年代,新竹的玻璃工業進入了蓬勃發展的時期。這一時期不僅見證了聖誕燈泡產業的快速發展,也鞏固了新竹在全球聖誕燈飾產業中的領先地位。新竹的玻璃工藝技術被廣泛應用於聖誕燈飾的生產中,提高了產品的品質和美觀度,進一步推動了產業的發展。

燈光藝術不再是燈泡的天下 LED崛起

只是隨著時間的推移,聖誕燈飾的形式和技術也在不斷進步。現在已經從最初的簡單燈飾到高科技LED 燈光秀,每年的聖誕燈飾也成為一種節日固定的藝術之一,吸引著無數遊客和攝影愛好者。有些地區的聖誕燈飾甚至成為文化和旅遊的重要的一部分,在多彩的燈光下,人們不僅感受到節日的歡樂氣氛,也體會到與家人、朋友共度時光的重要性。從明治時代的首次嘗試到現在的華麗變身,聖誕燈飾早已成為日本文化中不可或缺的一部分,每年都能吸引著來自世界各地的遊客前來欣賞。

#聖誕燈飾 #LED技術 #節日燈光秀 #日本明治時代 #愛迪生發明 #新竹聖誕燈泡 #節能燈飾 #家庭裝飾 #文化旅遊 #燈飾歷史
福澤喬 每天兩分鐘 帶你從縱深潛入 認識日本這個鄰居
當了十幾年的記者,希望做的事情就是用文字、影像去傳達心中的一些想法。

如果喜歡這篇文章也請讓我知道更歡迎 Follow
讓我可以調整寫作內容與方向

Medium 設置每篇文章打賞功能 可以點擊下方 Give a tip 功能 
Thank You!
日本
華文
Japan
Business
Illumination
Recommended from ReadMedium