{"id":106758,"date":"2017-03-10T05:00:45","date_gmt":"2017-03-10T13:00:45","guid":{"rendered":"https:\/\/unit42.paloaltonetworks.com\/?p=106758"},"modified":"2020-04-24T01:51:33","modified_gmt":"2020-04-24T08:51:33","slug":"unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks","status":"publish","type":"post","link":"https:\/\/unit42.paloaltonetworks.com\/ja\/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks\/","title":{"rendered":"EncodedCommand\u306b\u3088\u308bPowerShell\u653b\u6483\u3092\u66b4\u304f"},"content":{"rendered":"<h2>\u6982\u8981<\/h2>\n<p>PowerShell\u306f\u904e\u53bb\u6570\u5e74\u9593\u3067\u4eba\u6c17\u3092\u7372\u5f97\u3057\u7d9a\u3051\u3066\u3044\u307e\u3059\u304c\u3001\u305d\u308c\u306f\u3053\u306e\u30d5\u30ec\u30fc\u30e0\u30ef\u30fc\u30af\u304c\u767a\u9054\u3057\u7d9a\u3051\u3066\u3044\u308b\u304b\u3089\u3067\u3059\u3002\u3057\u305f\u304c\u3063\u3066\u3001PowerShell\u3092\u591a\u304f\u306e\u653b\u6483\u3067\u898b\u304b\u3051\u308b\u3088\u3046\u306b\u306a\u3063\u3066\u3044\u3066\u3082\u5c11\u3057\u3082\u9a5a\u304f\u3053\u3068\u3067\u306f\u3042\u308a\u307e\u305b\u3093\u3002PowerShell\u306f\u30b7\u30b9\u30c6\u30e0\u4e0a\u306e\u5e83\u7bc4\u56f2\u306b\u308f\u305f\u308b\u6a5f\u80fd\u3092\u653b\u6483\u8005\u306b\u30cd\u30a4\u30c6\u30a3\u30d6\u306a\u3082\u306e\u3068\u3057\u3066\u63d0\u4f9b\u3057\u307e\u3059\u3002\u6709\u5bb3\u306aPowerShell\u30c4\u30fc\u30eb\u304c\u6ea2\u308c\u304b\u3048\u3063\u3066\u3044\u308b\u73fe\u72b6\u3092\u3056\u3063\u3068\u898b\u6e21\u3057\u3066\u307f\u308b\u3068\u3001PowerShell\u306e\u4f38\u3073\u3092\u793a\u3059\u5341\u5206\u306a\u5146\u5019\u304c\u898b\u3066\u53d6\u308c\u307e\u3059\u3002<\/p>\n<p>Microsoft\u306f\u3001PowerShell\u306e\u6d3b\u52d5(Transcription\u3001ScriptBlock\u306a\u3069)\u306e\u30ed\u30b0\u3092\u53d6\u308b\u8907\u6570\u306e\u65b9\u6cd5\u3092\u63d0\u4f9b\u3059\u308b\u3053\u3068\u306b\u3088\u308a\u3001PowerShell\u306e\u65b0\u3057\u3044\u65b9\u306e\u30d0\u30fc\u30b8\u30e7\u3
0f3\u306b\u304a\u3044\u3066\u7d20\u6674\u3089\u3057\u3044\u3053\u3068\u3092\u3057\u3066\u304f\u308c\u307e\u3057\u305f\u3002\u3057\u305f\u304c\u3063\u3066\u3001\u5b9f\u884c\u6642\u306b\u96e3\u8aad\u5316\u3092\u3055\u3089\u306b\u884c\u304a\u3046\u3068\u3059\u308b\u5909\u5316\u304c\u8d77\u304d\u3066\u3044\u307e\u3059\u3002<\/p>\n<p>\u821e\u53f0\u5de6\u624b\u304b\u3089PowerShell\u306e\u300c-EncodedCommand\u300d\u30d1\u30e9\u30e1\u30fc\u30bf\u304c\u767b\u5834\uff01<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-01.png\" \/><\/p>\n<p>\u4e0a\u8a18\u306ePowerShell\u306e\u30d8\u30eb\u30d7\u8868\u793a\u304b\u3089\u5206\u304b\u308b\u3088\u3046\u306b\u3001\u3053\u308c\u306f\u3001\u305d\u306e\u307e\u307e\u3060\u3063\u305f\u3089\u30b3\u30de\u30f3\u30c9\u30e9\u30a4\u30f3\u3067\u554f\u984c\u304c\u767a\u751f\u3059\u308b\u53ef\u80fd\u6027\u306e\u3042\u308b\u8907\u96d1\u306a\u6587\u5b57\u5217\u3092\u53d7\u3051\u53d6\u308a\u3001PowerShell\u304c\u5b9f\u884c\u3067\u304d\u308b\u3088\u3046\u30e9\u30c3\u30d7\u3059\u308b\u3053\u3068\u3092\u76ee\u7684\u3068\u3059\u308b\u30b3\u30de\u30f3\u30c9\u3067\u3059\u3002\u3046\u308b\u3055\u3044\u8996\u7dda\u304b\u3089\u30b3\u30de\u30f3\u30c9\u306e\u300c\u6709\u5bb3\u306a\u300d\u90e8\u5206\u3092\u96a0\u3059\u3053\u3068\u3067\u3001\u9632\u5fa1\u5074\u306b\u8b66\u544a\u3092\u4e0e\u3048\u308b\u53ef\u80fd\u6027\u306e\u3042\u308b\u6587\u5b57\u5217\u3092\u9632\u6b62\u3059\u308b\u3053\u3068\u304c\u3067\u304d\u307e\u3059\u3002<\/p>\n<p>\u3053\u306e\u30d6\u30ed\u30b0\u8a18\u4e8b\u306e\u76ee\u7684\u306f2\u3064\u3042\u308a\u307e\u3059\u3002\u307e\u305a\u3001\u300c\u5206\u6790\u306e\u6982\u8981\u300d\u3067\u306f\u3001Palo Alto 
Networks\u306eAutoFocus\u5185\u3067\u7279\u5b9a\u3055\u308c\u305f\u6700\u8fd1\u306e\u30b5\u30f3\u30d7\u30eb4,100\u500b\u3092\u5206\u6790\u3057\u307e\u3059\u3002\u3053\u308c\u3089\u306e\u30b5\u30f3\u30d7\u30eb\u306f\u3001\u3053\u306eEncodedCommand\u624b\u6cd5\u3092\u63a1\u7528\u3057\u3066\u3044\u307e\u3059\u306e\u3067\u3001\u5206\u6790\u3067\u306fPowerShell\u304c\u3069\u306e\u3088\u3046\u306b\u4f7f\u308f\u308c\u3066\u3044\u3066\u3001\u3069\u306e\u3088\u3046\u306a\u624b\u6cd5\u304cPowerShell\u306b\u3088\u308b\u653b\u6483\u306b\u95a2\u3057\u3066\u30cd\u30c3\u30c8\u4e0a\u3067\u4f7f\u308f\u308c\u3066\u3044\u308b\u306e\u304b\u3092\u8abf\u3079\u307e\u3059\u30022\u756a\u76ee\u306e\u76ee\u7684\u306f\u3001\u3053\u306e\u30d6\u30ed\u30b0\u8a18\u4e8b\u306b\u3088\u308a\u3001PowerShell\u306e\u30b3\u30fc\u30c9\u3092\u5206\u985e\u6574\u7406\u3059\u308b\u3053\u3068\u3067\u3059\u3002\u305d\u306e\u969b\u306b\u306f\u3001\u30c7\u30b3\u30fc\u30c9\u6e08\u307f\u306e\u5404\u30b5\u30f3\u30d7\u30eb\u306e\u4f8b\u3092\u4ed8\u3057\u307e\u3059\u3002\u3053\u308c\u306f\u5c06\u6765\u306e\u7279\u5b9a\u4f5c\u696d\u3084\u30ea\u30b5\u30fc\u30c1\u306b\u5f79\u7acb\u305f\u305b\u308b\u305f\u3081\u3067\u3059\u3002<\/p>\n<h3>\u5206\u6790\u306e\u6982\u8981<\/h3>\n<p>\u3053\u306e\u5206\u6790\u3092\u884c\u3046\u305f\u3081\u3001\u307e\u305a\u3001\u3053\u306e\u624b\u6cd5\u3092\u4f7f\u3063\u3066\u3044\u308b\u30b5\u30f3\u30d7\u30eb\u3092\u7279\u5b9a\u3059\u308b\u5fc5\u8981\u304c\u3042\u308a\u307e\u3057\u305f\u3002\u3057\u304b\u3057\u3001PowerShell\u304c\u67d4\u8edf\u6027\u306b\u5bcc\u3093\u3067\u3044\u308b\u305f\u3081\u3001\u30d1\u30e9\u30e1\u30fc\u30bf\u547c\u3073\u51fa\u3057\u304c\u69d8\u3005\u306a\u5834\u5408\u3001\u30b5\u30f3\u30d7\u30eb\u3092\u7279\u5b9a\u3059\u308b\u3053\u3068\u306f\u601d\u3046\u307b\u3069\u305d\u3046\u5358\u7d14\u3067\u306f\u3042\u308a\u307e\u305b\u3093\u3002<\/p>\n<p>\u4e0b\u8a18\u306fEncodedCommand\u30d1\u30e9\u30e1\u30fc\u30bf\u547c\u3073\u51fa\u3057\u304c\u53ef\u80fd\u306a\u69d8\u3005\u306
a\u65b9\u6cd5\u306b\u95a2\u3059\u308b3\u3064\u306e\u4f8b\u3067\u3059\u3002<\/p>\n<ol>\n<li><b>\u7db4\u308a\u3092\u7565\u3055\u305a\u306b\u5b8c\u5168\u306b\u66f8\u304f:<br \/>\n<\/b>powershell.exe \u2013EncodedCommand ZQBjAGgAbwAgACIARABvAHIAbwB0AGgAeQAiAA==<\/li>\n<li><b>\u5927\u6587\u5b57\u5c0f\u6587\u5b57\u3092\u5909\u66f4\u3057\u3066\u7db4\u308a\u3092\u77ed\u304f\u3059\u308b:<\/b><br \/>\npowershell.exe \u2013eNco ZQBjAGgAbwAgACIAVwBpAHoAYQByAGQAIgA=<\/li>\n<li><b>\u30ab\u30ec\u30c3\u30c8\u300c^\u300d\u3092\u30a8\u30b9\u30b1\u30fc\u30d7\u6587\u5b57\u3068\u3057\u3066\u5272\u308a\u8fbc\u307e\u305b\u3066\u3001\u6587\u5b57\u5217\u3092\u5206\u5272\u3059\u308b:<\/b><br \/>\npowershell.exe \u2013^e^C^ ZQBjAGgAbwAgACIAVwBpAHQAYwBoACIA<\/li>\n<\/ol>\n<p>\u3053\u308c\u3089\u306e\u65b9\u6cd5\u306e\u7d44\u307f\u5408\u305b\u3092\u4f7f\u3048\u3070\u3001\u300cEncodedCommand\u300d\u30d1\u30e9\u30e1\u30fc\u30bf\u306b\u95a2\u3059\u308b\u3060\u3051\u3067\u3082\u512a\u306b100,000\u3092\u8d85\u3048\u308b\u30d0\u30ea\u30a8\u30fc\u30b7\u30e7\u30f3\u306e\u53ef\u80fd\u6027\u304c\u3042\u308a\u307e\u3059\u3002\u305d\u308c\u3092\u5ff5\u982d\u306b\u304a\u3044\u3066\u3001\u4e0b\u8a18\u306e\u6b63\u898f\u8868\u73fe\u3092\u601d\u3044\u3064\u304d\u307e\u3057\u305f\u3002\u3053\u308c\u306f\u53ef\u80fd\u6027\u306e\u3042\u308b\u4e9c\u7a2e\u306e\u304b\u306a\u308a\u306e\u7bc4\u56f2\u3092\u30ab\u30d0\u30fc\u3057\u3001\u52d5\u7684\u5206\u6790\u30ec\u30dd\u30fc\u30c8\u306e\u5de8\u5927\u306a\u30b3\u30fc\u30d1\u30b9\u306b\u5bfe\u3057\u3066\u5bb9\u6613\u306b\u9069\u7528\u3067\u304d\u307e\u3057\u305f\u3002<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-02.png\" 
\/><\/p>\n<p>\u3053\u308c\u306f\u3001\u3055\u3089\u306b\u5206\u6790\u3092\u9032\u3081\u308b\u3053\u3068\u3092\u76ee\u7684\u3068\u3057\u3066\u3001\u4ee5\u4e0b\u306e\u3088\u3046\u306a\u884c\u3092\u5927\u898f\u6a21\u306b\u62bd\u51fa\u3059\u308b\u3053\u3068\u3092\u8003\u616e\u3057\u3066\u3044\u307e\u3059<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-03.png\" \/><\/p>\n<p>\u3055\u3066\u3001\u9a5a\u304f\u307b\u3069\u306e\u3053\u3068\u3067\u306f\u306a\u3044\u306e\u3067\u3059\u304c\u3001\u30a8\u30f3\u30b3\u30fc\u30c9\u6e08\u307f\u30c7\u30fc\u30bf\u306e\u5927\u90e8\u5206\u304c\u3001\u30c6\u30f3\u30d7\u30ec\u30fc\u30c8\u304a\u3088\u3073\u516c\u958b\u3055\u308c\u3066\u3044\u308b\u30c4\u30fc\u30eb\u304b\u3089\u751f\u6210\u3055\u308c\u3066\u3044\u308b\u3053\u3068\u306f\u660e\u3089\u304b\u3067\u3059\u3002\u653b\u6483\u8005\u306f\u30b7\u30a7\u30eb\u30b3\u30fc\u30c9\u3092\u5b9f\u884c\u3057\u3066\u5225\u306e\u6709\u5bb3\u306a\u30d5\u30a1\u30a4\u30eb\u3092\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3092\u3059\u308b\u5fc5\u8981\u304c\u3042\u308b\u3068\u304d\u3001\u305d\u306e\u90fd\u5ea6\u3001\u65e2\u306b\u3042\u308b\u3082\u306e\u3092\u308f\u3056\u308f\u3056\u4f5c\u308a\u76f4\u3059\u3053\u3068\u306a\u3069\u3057\u306a\u3044\u304b\u3089\u3067\u3059\u3002\u3053\u306e\u3053\u3068\u306f\u3001\u571f\u53f0\u3068\u306a\u3063\u3066\u3044\u308b\u30b3\u30fc\u30c9\u304c\u307b\u3068\u3093\u3069\u540c\u4e00\u3067\u3042\u308a\u3001\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u5834\u6240\u306a\u3069\u304c\u5c11\u3057\u3060\u3051\u8abf\u6574\u3055\u308c\u3066\u3044\u308b\u306e\u306b\u3059\u304e\u306a\u3044\u3001\u3068\u3044\u3046\u4e8b\u5b9f\u304b\u3089\u5206\u304b\u308a\u307e\u3059\u3002\u6b21\u306b\u3001\u30c7\u30fc\u30bf\u5206\u6790\u3092\u884c\u3046\u305f\u3081\u3001\u30b3\u30fc\u30c9\u3092\u8b58\u5225\u3057\u3001\u4f55\u304c\u305d\u306e\u30b3\u30fc\u30c9\u3092\u751f\u6210\u3057\u3066\u3044
\u308b\u304b\u898b\u6975\u3081\u308b\u5fc5\u8981\u304c\u3042\u308a\u307e\u3057\u305f\u3002\u3042\u308b\u3044\u306f\u3001\u5c11\u306a\u304f\u3068\u3082\u3001\u30b3\u30fc\u30c9\u306e\u96c6\u56e3\u3092\u985e\u5225\u3059\u308b\u5fc5\u8981\u304c\u3042\u308a\u307e\u3057\u305f\u3002<\/p>\n<h3>\u30d7\u30ed\u30d5\u30a1\u30a4\u30ea\u30f3\u30b0\u306b\u3088\u308b\u30a2\u30d7\u30ed\u30fc\u30c1<\/h3>\n<p>\u3053\u308c\u306b\u4f34\u3046\u56f0\u96e3\u306a\u70b9\u3092\u3044\u304f\u3064\u304b\u4f8b\u793a\u3059\u308b\u305f\u3081\u3001<a href=\"https:\/\/twitter.com\/mattifestation\" target=\"_blank\" rel=\"noopener noreferrer\" data-page-track=\"true\" data-page-track-value=\"company:unit-42-pulling-back-curtains-encodedcommand-powershell-attacks: section:\u30d7\u30ed\u30d5\u30a1\u30a4\u30ea\u30f3\u30b0\u306b\u3088\u308b\u30a2\u30d7\u30ed\u30fc\u30c1\">Matthew Graeber\u6c0f<\/a>\u304c2012\u5e74\u306b\u516c\u958b\u3057\u305f\u904e\u53bb\u306e<a href=\"https:\/\/www.exploit-monday.com\/2011\/10\/exploiting-powershells-features-not.html\" target=\"_blank\" rel=\"noopener noreferrer\" data-page-track=\"true\" data-page-track-value=\"company:unit-42-pulling-back-curtains-encodedcommand-powershell-attacks: 
section:\u30d7\u30ed\u30d5\u30a1\u30a4\u30ea\u30f3\u30b0\u306b\u3088\u308b\u30a2\u30d7\u30ed\u30fc\u30c1\">\u30d6\u30ed\u30b0\u8a18\u4e8b<\/a>\u3092\u898b\u3066\u307f\u307e\u3057\u3087\u3046\u3002\u8a18\u4e8b\u306b\u306f\u3001\u30b7\u30a7\u30eb\u30b3\u30fc\u30c9\u3092\u30e1\u30e2\u30ea\u306b\u30ed\u30fc\u30c9\u3057\u3066\u5b9f\u884c\u3059\u308b\u3053\u3068\u306e\u3067\u304d\u308bPowerShell\u30b9\u30af\u30ea\u30d7\u30c8\u304c\u5bc4\u305b\u96c6\u3081\u3089\u308c\u3066\u3044\u307e\u3057\u305f\u3002\u3053\u306e\u30b9\u30af\u30ea\u30d7\u30c8\u306f\u3001\u3053\u306e\u624b\u6cd5\u306b\u95a2\u3059\u308b\u57fa\u790e\u30c6\u30f3\u30d7\u30ec\u30fc\u30c8\u3068\u306a\u3063\u305f\u3082\u306e\u3067\u3001\u3053\u306e\u6a5f\u80fd\u3092\u5229\u7528\u3057\u3088\u3046\u3068\u3059\u308b\u516c\u958b\u30c4\u30fc\u30eb\u306e\u5927\u90e8\u5206\u3067\u4f7f\u308f\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n<p>\u4ee5\u4e0b\u306e2\u3064\u306f\u3001TrustedSec\u306e\u30c4\u30fc\u30eb\u3067\u3042\u308b<a href=\"https:\/\/github.com\/trustedsec\/social-engineer-toolkit\" target=\"_blank\" rel=\"noopener noreferrer\" data-page-track=\"true\" data-page-track-value=\"company:unit-42-pulling-back-curtains-encodedcommand-powershell-attacks: section:\u30d7\u30ed\u30d5\u30a1\u30a4\u30ea\u30f3\u30b0\u306b\u3088\u308b\u30a2\u30d7\u30ed\u30fc\u30c1\">Social-Engineer Toolkit (SET)<\/a>\u304a\u3088\u3073<a href=\"https:\/\/github.com\/trustedsec\/unicorn\" target=\"_blank\" rel=\"noopener noreferrer\" data-page-track=\"true\" data-page-track-value=\"company:unit-42-pulling-back-curtains-encodedcommand-powershell-attacks: section:\u30d7\u30ed\u30d5\u30a1\u30a4\u30ea\u30f3\u30b0\u306b\u3088\u308b\u30a2\u30d7\u30ed\u30fc\u30c1\">Magic 
Unicorn<\/a>\u306b\u7531\u6765\u3059\u308b\u624b\u6cd5\u3092\u305d\u306e\u307e\u307e\u4f7f\u3063\u305f\u3082\u306e\u3067\u3059\u30022\u3064\u306e\u30b5\u30f3\u30d7\u30eb\u3092\u6bd4\u8f03\u3057\u3066\u307f\u308b\u3068\u3001\u521d\u671f\u5316\u6e08\u307f\u5909\u6570\u3068\u3057\u3066\u3001SET\u304c\u300c$c\u300d\u3092\u4f7f\u3063\u3066\u3044\u308b\u306e\u306b\u5bfe\u3057\u3001Magic Unicorn\u306f\u300c$nLR\u300d\u3092\u4f7f\u3063\u3066\u3044\u307e\u3059\u3002\u540c\u69d8\u306b\u3001SET\u3067\u306e\u300c$size\u300d\u5909\u6570\u306fMagic Unicorn\u3067\u306f\u300c$g\u300d\u3067\u3042\u308a\u3001\u300c$sc\u300d\u5909\u6570\u306f\u300c$z\u300d\u3001\u305d\u3057\u3066\u6700\u5f8c\u306b\u3001\u300c$x\u300d\u5909\u6570\u306f\u300c$kuss\u300d\u3068\u306a\u3063\u3066\u3044\u307e\u3059\u3002<\/p>\n<p>SET<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-04.png\" \/><\/p>\n<p>Magic Unicorn<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-05.png\" \/><\/p>\n<p>Magic Unicorn\u3067\u306f\u3001\u751f\u6210\u7528\u30b9\u30af\u30ea\u30d7\u30c8\u5185\u90e8\u306b\u3001\u4e00\u90e8\u306e\u5909\u6570\u3092\u30e9\u30f3\u30c0\u30e0\u5316\u3059\u308b\u884c\u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3059\u3002\u4e0b\u8a18\u306e\u629c\u7c8b\u306f\u3001\u305d\u306e\u52d5\u4f5c\u5185\u5bb9\u3092\u793a\u3057\u305f\u3082\u306e\u3067\u3059\u3002<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-06.png\" 
\/><\/p>\n<p>\u3053\u308c\u306f\u3001\u30e9\u30f3\u30c0\u30e0\u306a\u82f1\u6570\u5b57\u304b\u3089\u69cb\u6210\u3055\u308c\u308b3\u6587\u5b57\u304b\u30894\u6587\u5b57\u306e\u6587\u5b57\u5217\u3067\u3001\u4e00\u90e8\u306e\u5909\u6570\u3092\u5358\u7d14\u306b\u7f6e\u304d\u63db\u3048\u308b\u3082\u306e\u3067\u3059\u3002\u3057\u304b\u3057\u3001\u3059\u3079\u3066\u306e\u5909\u6570\u304c\u7f6e\u304d\u63db\u3048\u3089\u308c\u3066\u3044\u308b\u308f\u3051\u3067\u306f\u306a\u3044\u306e\u3067\u3001\u3053\u306e\u30e9\u30f3\u30c0\u30e0\u6587\u5b57\u5217\u3092\u65e2\u77e5\u306eHTML\u30a2\u30f3\u30ab\u30fc\u3068\u7d44\u307f\u5408\u308f\u305b\u308b\u3053\u3068\u3067\u3001\u3053\u308c\u304c\u3069\u306e\u3088\u3046\u306b\u751f\u6210\u3055\u308c\u305f\u306e\u304b\u4eee\u8aac\u3092\u7acb\u3066\u308b\u3053\u3068\u304c\u3067\u304d\u307e\u3059\u3002\u3042\u308b\u3044\u306f\u3001\u307e\u3055\u306b\u3053\u306e\u30b3\u30fc\u30c9\u304c\u3001Magic Unicorn\u30b9\u30af\u30ea\u30d7\u30c8\u306e\u30e9\u30f3\u30c0\u30e0\u5316\u51e6\u7406\u306e\u90e8\u5206\u3092\u4f7f\u308f\u305a\u306b\u5225\u306e\u30c4\u30fc\u30eb\u306b\u30b3\u30d4\u30fc\u3055\u308c\u3066\u3044\u308b\u3088\u3046\u306a\u5834\u5408\u3082\u5206\u304b\u308a\u307e\u3059\u3002\u306a\u305c\u306a\u3089\u3001\u5909\u6570\u306f\u5909\u66f4\u3055\u308c\u3066\u3044\u306a\u3044\u304b\u3089\u3067\u3059\u3002\u3064\u307e\u308a\u3001\u30e9\u30f3\u30c0\u30e0\u5316\u51e6\u7406\u3092\u5225\u9014\u52a0\u3048\u308b\u969b\u306e\u571f\u53f0\u306b\u306a\u3063\u3066\u3044\u305f\u304b\u3089\u3067\u3059\u3002<\/p>\n<p>\u3053\u308c\u306f\u53b3\u5bc6\u306a\u79d1\u5b66\u3067\u306f\u3042\u308a\u307e\u305b\u3093\u3002\u9577\u5e74\u306b\u308f\u305f\u308a\u3001\u5927\u52e2\u306e\u69d8\u3005\u306a\u4eba\u306b\u3088\u3063\u3066\u3001\u306f\u306a\u306f\u3060\u3057\u304f\u518d\u5229\u7528\u3055\u308c\u3066\u304d\u305f\u30b3\u30fc\u30c9\u3092\u6271\u3046\u5834\u5408\u3001\u30b3\u30fc\u30c9\u304c\u30d7\u30ed\u30d5\u30a1\u30a4\u30ea\u30f3\u30b0\u306b\u9069\u3057\u3066\u3044\u
306a\u3044\u3068\u3044\u3046\u4e8b\u614b\u306b\u3044\u305a\u308c\u906d\u9047\u3059\u308b\u3053\u3068\u306b\u306a\u308a\u307e\u3059\u3002\u5206\u6790\u306f\u3067\u304d\u308b\u304b\u304e\u308a\u6b63\u78ba\u306b\u884c\u304a\u3046\u3068\u3057\u307e\u3057\u305f\u304c\u3001\u3072\u3068\u8a00\u6c17\u3092\u4ed8\u3051\u3066\u3044\u305f\u3060\u304d\u305f\u3044\u3053\u3068\u304c\u3042\u308a\u307e\u3059\u3002\u3053\u306e\u5206\u6790\u5168\u4f53\u3092\u901a\u3057\u3066\u3001\u5177\u4f53\u7684\u306a\u540d\u79f0\u306f\u8a71\u534a\u5206\u306b\u53d7\u3051\u6b62\u3081\u3066\u304f\u3060\u3055\u3044\u3002\u306a\u305c\u306a\u3089\u3001\u4eba\u304c\u30b3\u30fc\u30c9\u3092\u81ea\u5206\u306e\u30c4\u30fc\u30eb\u5185\u306b\u30b3\u30d4\u30fc\u30a2\u30f3\u30c9\u30da\u30fc\u30b9\u30c8\u3059\u308b\u306e\u3092\u963b\u6b62\u3059\u308b\u3053\u3068\u306f\u3067\u304d\u306a\u3044\u304b\u3089\u3067\u3059\u3002<\/p>\n<p>\u5168\u4f53\u3067\u3001\u516c\u958b\u3055\u308c\u3066\u3044\u308b\u30c4\u30fc\u30eb\u307e\u305f\u306f\u6a5f\u80fd\u306b\u95a2\u3057\u3066\u300127\u500b\u306e\u96c6\u56e3\u306b\u3064\u3044\u3066\u7279\u5fb4\u306e\u6982\u8981\u3092\u307e\u3068\u3081\u307e\u3057\u305f\u3002\u4ed6\u3068\u533a\u5225\u3059\u308b\u305f\u3081\u306e\u4e00\u610f\u306e\u8b58\u5225\u5b50\u3092\u4ed8\u3051\u3066\u3042\u308a\u307e\u3059\u3002\u5f8c\u307b\u3069\u3001\u5404\u4e9c\u7a2e\u3092\u5206\u985e\u3059\u308b\u969b\u3001\u305d\u308c\u305e\u308c\u306b\u3064\u3044\u3066\u898b\u3066\u3044\u304f\u3053\u3068\u306b\u3057\u307e\u3059\u304c\u3001\u4eca\u306f\u3001\u4e0b\u8a18\u306e\u8868\u3092\u3054\u89a7\u304f\u3060\u3055\u3044\u3002\u4e9c\u7a2e\u306e\u5206\u985e\u3001\u30de\u30c3\u30c1\u3057\u305f\u30b5\u30f3\u30d7\u30eb\u306e\u500b\u6570\u3001\u30b5\u30f3\u30d7\u30eb \u30bb\u30c3\u30c8\u306b\u304a\u3044\u3066\u305d\u306e\u5206\u985e\u304c\u5360\u3081\u308b\u5168\u4f53\u306e\u5272\u5408\u304c\u793a\u3055\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n<p>&nbsp;<\/p>\n<table border=\"0\" width=\"100%\" cellspacing=\"0\" 
cellpadding=\"0\">\n<tbody>\n<tr>\n<td width=\"212\"><b>\u4e9c\u7a2e<\/b><\/td>\n<td width=\"83\"><b>\u30ab\u30a6\u30f3\u30c8<\/b><\/td>\n<td width=\"148\"><b>\u5408\u8a08\u306e%<\/b><\/td>\n<\/tr>\n<tr>\n<td width=\"212\">Downloader DFSP<\/td>\n<td width=\"83\">1,373<\/td>\n<td width=\"148\">33.49%<\/td>\n<\/tr>\n<tr>\n<td width=\"212\">Shellcode Inject<\/td>\n<td width=\"83\">1,147<\/td>\n<td width=\"148\">27.98%<\/td>\n<\/tr>\n<tr>\n<td width=\"212\">Unicorn<\/td>\n<td width=\"83\">611<\/td>\n<td width=\"148\">14.90%<\/td>\n<\/tr>\n<tr>\n<td width=\"212\">PowerShell Empire<\/td>\n<td width=\"83\">293<\/td>\n<td width=\"148\">7.15%<\/td>\n<\/tr>\n<tr>\n<td width=\"212\">SET<\/td>\n<td width=\"83\">199<\/td>\n<td width=\"148\">4.85%<\/td>\n<\/tr>\n<tr>\n<td width=\"212\">\u4e0d\u660e<\/td>\n<td width=\"83\">104<\/td>\n<td width=\"148\">2.54%<\/td>\n<\/tr>\n<tr>\n<td width=\"212\">Powerfun Reverse<\/td>\n<td width=\"83\">100<\/td>\n<td width=\"148\">2.44%<\/td>\n<\/tr>\n<tr>\n<td width=\"212\">Downloader DFSP 2X<\/td>\n<td width=\"83\">81<\/td>\n<td width=\"148\">1.98%<\/td>\n<\/tr>\n<tr>\n<td width=\"212\">Downloader DFSP DPL<\/td>\n<td width=\"83\">24<\/td>\n<td width=\"148\">0.59%<\/td>\n<\/tr>\n<tr>\n<td width=\"212\">Downloader IEXDS<\/td>\n<td width=\"83\">19<\/td>\n<td width=\"148\">0.46%<\/td>\n<\/tr>\n<tr>\n<td width=\"212\">PowerWorm<\/td>\n<td width=\"83\">19<\/td>\n<td width=\"148\">0.46%<\/td>\n<\/tr>\n<tr>\n<td width=\"212\">Unicorn Modified<\/td>\n<td width=\"83\">14<\/td>\n<td width=\"148\">0.34%<\/td>\n<\/tr>\n<tr>\n<td width=\"212\">Scheduled Task COM<\/td>\n<td width=\"83\">11<\/td>\n<td width=\"148\">0.27%<\/td>\n<\/tr>\n<tr>\n<td width=\"212\">BITSTransfer<\/td>\n<td width=\"83\">11<\/td>\n<td width=\"148\">0.27%<\/td>\n<\/tr>\n<tr>\n<td width=\"212\">VB Task<\/td>\n<td width=\"83\">10<\/td>\n<td width=\"148\">0.24%<\/td>\n<\/tr>\n<tr>\n<td width=\"212\">TXT C2<\/td>\n<td width=\"83\">10<\/td>\n<td width=\"148\">0.24%<\/td>\n<\/tr>\n<tr>\n<td 
width=\"212\">Downloader Proxy<\/td>\n<td width=\"83\">9<\/td>\n<td width=\"148\">0.22%<\/td>\n<\/tr>\n<tr>\n<td width=\"212\">AMSI Bypass<\/td>\n<td width=\"83\">8<\/td>\n<td width=\"148\">0.20%<\/td>\n<\/tr>\n<tr>\n<td width=\"212\">Veil Stream<\/td>\n<td width=\"83\">7<\/td>\n<td width=\"148\">0.17%<\/td>\n<\/tr>\n<tr>\n<td width=\"212\">Meterpreter RHTTP<\/td>\n<td width=\"83\">6<\/td>\n<td width=\"148\">0.15%<\/td>\n<\/tr>\n<tr>\n<td width=\"212\">DynAmite Launcher<\/td>\n<td width=\"83\">6<\/td>\n<td width=\"148\">0.15%<\/td>\n<\/tr>\n<tr>\n<td width=\"212\">Downloader Kraken<\/td>\n<td width=\"83\">5<\/td>\n<td width=\"148\">0.12%<\/td>\n<\/tr>\n<tr>\n<td width=\"212\">AppLocker Bypass<\/td>\n<td width=\"83\">4<\/td>\n<td width=\"148\">0.10%<\/td>\n<\/tr>\n<tr>\n<td width=\"212\">PowerSploit GTS<\/td>\n<td width=\"83\">3<\/td>\n<td width=\"148\">0.07%<\/td>\n<\/tr>\n<tr>\n<td width=\"212\">Powerfun Bind<\/td>\n<td width=\"83\">2<\/td>\n<td width=\"148\">0.05%<\/td>\n<\/tr>\n<tr>\n<td width=\"212\">Remove AV<\/td>\n<td width=\"83\">2<\/td>\n<td width=\"148\">0.05%<\/td>\n<\/tr>\n<tr>\n<td width=\"212\">DynAmite KL<\/td>\n<td width=\"83\">1<\/td>\n<td width=\"148\">0.02%<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>&nbsp;<\/p>\n<p>\u5206\u6790\u5bfe\u8c61\u3068\u306a\u3063\u305f\u30b5\u30f3\u30d7\u30eb\u306e\u534a\u6570\u4ee5\u4e0a\u304c\u3001\u4e00\u822c\u7684\u306a\u300cDownloadFile-StartProcess\u300d\u624b\u6cd5\u304b\u3001\u4ee5\u524d\u3054\u7d39\u4ecb\u3057\u305f\u30b7\u30a7\u30eb\u30b3\u30fc\u30c9 \u30a4\u30f3\u30b8\u30a7\u30af\u30b7\u30e7\u30f3\u624b\u6cd5\u306e\u4e9c\u7a2e\u306e\u3044\u305a\u308c\u304b\u3092\u5229\u7528\u3057\u3066\u3044\u307e\u3057\u305f\u3002<\/p>\n<h3>\u4e00\u822c\u7684\u306a\u914d\u4fe1\/\u7d71\u8a08<\/h3>\n<p>4,100\u500b\u306e\u30b5\u30f3\u30d7\u30eb\u5168\u4f53\u306b\u308f\u305f\u308a\u3001\u4e0b\u8a18\u306e4\u3064\u306e\u30d5\u30a1\u30a4\u30eb 
\u30d5\u30a9\u30fc\u30de\u30c3\u30c8\u304c\u78ba\u8a8d\u3055\u308c\u307e\u3057\u305f\u3002<\/p>\n<table border=\"0\" width=\"100%\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td width=\"148\"><b>\u30d5\u30a1\u30a4\u30eb \u30d5\u30a9\u30fc\u30de\u30c3\u30c8<\/b><\/td>\n<td width=\"148\"><b>\u30ab\u30a6\u30f3\u30c8<\/b><\/td>\n<td width=\"148\"><b>\u5408\u8a08\u306e%<\/b><\/td>\n<\/tr>\n<tr>\n<td width=\"148\">\u201cexe\u201d<\/td>\n<td width=\"148\">2,154<\/td>\n<td width=\"148\">52.54%<\/td>\n<\/tr>\n<tr>\n<td width=\"148\">\u201cdoc\u201d<\/td>\n<td width=\"148\">1,717<\/td>\n<td width=\"148\">41.88%<\/td>\n<\/tr>\n<tr>\n<td width=\"148\">\u201cxls\u201d<\/td>\n<td width=\"148\">228<\/td>\n<td width=\"148\">5.56%<\/td>\n<\/tr>\n<tr>\n<td width=\"148\">\u201cdll\u201d<\/td>\n<td width=\"148\">1<\/td>\n<td width=\"148\">0.02%<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>&nbsp;<\/p>\n<p>EXE\u30d5\u30a9\u30fc\u30de\u30c3\u30c8\u304a\u3088\u3073DOC\u30d5\u30a9\u30fc\u30de\u30c3\u30c8\u306f\u3001\u3053\u306e\u30b5\u30f3\u30d7\u30eb \u30bb\u30c3\u30c8\u5168\u4f53\u306b\u308f\u305f\u3063\u3066\u4f7f\u308f\u308c\u3066\u3044\u308b\u62e1\u5f35\u5b50\u306e\u5927\u90e8\u5206\u3092\u5360\u3081\u3066\u3044\u307e\u3059\u3002DOC\u30d5\u30a1\u30a4\u30eb\u306b\u3064\u3044\u3066\u8a73\u3057\u304f\u898b\u3066\u307f\u308b\u3068\u3001\u305d\u306e77%\u306b\u5f53\u305f\u308b1,326\u500b\u304c\u300cDownloader DFSP\u300d\u4e9c\u7a2e\u306b\u30de\u30c3\u30c1\u3057\u307e\u3057\u305f\u3002\u3053\u308c\u306f\u3001\u4ee5\u4e0b\u306b\u793a\u3059DownloadFile-StartProcess\u65b9\u5f0f\u3092\u63a1\u7528\u3059\u308b\u6c4e\u7528\u30c0\u30a6\u30f3\u30ed\u30fc\u30c0\u30fc\u3092\u5b9a\u7fa9\u3059\u308b\u3082\u306e\u3067\u3059\u3002<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-07.png\" 
\/><\/p>\n<p>\u305d\u3053\u304b\u3089\u5272\u308a\u51fa\u3059\u3068\u30011,159\u306eDOC\u30d5\u30a1\u30a4\u30eb(87%)\u304cCerber\u30e9\u30f3\u30b5\u30e0\u30a6\u30a7\u30a2\u306e\u65e2\u77e5\u306e\u30d1\u30bf\u30fc\u30f3\u306b\u4e00\u81f4\u3057\u307e\u3059\u3002\u3053\u308c\u306f\u3001\u3053\u306e\u624b\u6cd5\u3067PowerShell\u3092\u8d77\u52d5\u3059\u308b\u30de\u30af\u30ed\u3092\u4f5c\u6210\u3059\u308b\u60aa\u610f\u306e\u3042\u308bMicrosoft Word\u6587\u66f8\u3092\u751f\u6210\u3059\u308b\u305f\u3081\u306b\u3001\u30c6\u30f3\u30d7\u30ec\u30fc\u30c8\u3068\u3057\u3066\u30c4\u30fc\u30eb\u304c\u4f7f\u7528\u3055\u308c\u3066\u3044\u308b\u3053\u3068\u3092\u610f\u5473\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<p>DOC\u30b5\u30f3\u30d7\u30eb\u306e\u57fa\u672c\u7684\u306a\u914d\u4fe1\u65b9\u6cd5\u306fSMTP\/POP3\u3067\u3001\u96fb\u5b50\u30e1\u30fc\u30eb\u653b\u6483\u6d3b\u52d5\u3092\u4ecb\u3057\u3001\u60aa\u610f\u306e\u3042\u308bMicrosoft Word\u6587\u66f8\u3092\u4f7f\u7528\u3057\u3066\u30e9\u30f3\u30b5\u30e0\u30a6\u30a7\u30a2\u3092\u914d\u4fe1\u3057\u3066\u3044\u308b\u73fe\u72b6\u3068\u5408\u81f4\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<figure style=\"width: 582px\" class=\"wp-caption aligncenter\"><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-08.png\" alt=\"\u56f31 \u60aa\u610f\u306e\u3042\u308bPowershell Word\u6587\u66f8\u3092\u914d\u4fe1\u3059\u308b\u305f\u3081\u306b\u4f7f\u7528\u3055\u308c\u305f\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\" width=\"582\" height=\"338\" \/><figcaption class=\"wp-caption-text\">\u56f31 \u60aa\u610f\u306e\u3042\u308bPowershell 
Word\u6587\u66f8\u3092\u914d\u4fe1\u3059\u308b\u305f\u3081\u306b\u4f7f\u7528\u3055\u308c\u305f\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3<\/figcaption><\/figure>\n<p>\u6a19\u7684\u3068\u3055\u308c\u3066\u3044\u308b\u696d\u754c\u3092\u898b\u308b\u3068\u3001\u9ad8\u7b49\u6559\u80b2\u6a5f\u95a2\u3001\u30cf\u30a4\u30c6\u30af\u3001\u5c02\u9580\u304a\u3088\u3073\u6cd5\u7684\u30b5\u30fc\u30d3\u30b9\u3001\u533b\u7642\u6a5f\u95a2\u306b\u307b\u307c\u5747\u7b49\u306b\u5206\u5e03\u3057\u3066\u3044\u308b\u3053\u3068\u3082\u308f\u304b\u308a\u307e\u3059\u3002<\/p>\n<figure style=\"width: 588px\" class=\"wp-caption aligncenter\"><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-09.png\" alt=\"\u56f32 \u60aa\u610f\u306e\u3042\u308bPowershell Word\u6587\u66f8\u304c\u691c\u51fa\u3055\u308c\u305f\u696d\u754c\u306e\u5185\u8a33\" width=\"588\" height=\"336\" \/><figcaption class=\"wp-caption-text\">\u56f32 \u60aa\u610f\u306e\u3042\u308bPowershell Word\u6587\u66f8\u304c\u691c\u51fa\u3055\u308c\u305f\u696d\u754c\u306e\u5185\u8a33<\/figcaption><\/figure>\n<p>\u7d4c\u6642\u7684\u306a\u5206\u5e03\u3092\u898b\u308b\u3068\u3001\u3053\u3053\u3067\u3082\u30d4\u30fc\u30af\u6570\u3068\u3001\u96fb\u5b50\u30e1\u30fc\u30eb\u653b\u6483\u6d3b\u52d5\u306e\u6a19\u6e96\u52d5\u4f5c\u624b\u9806\u306e\u6642\u671f\u304c\u5408\u81f4\u3057\u3066\u3044\u308b\u3053\u3068\u304c\u308f\u304b\u308a\u307e\u3059\u3002<\/p>\n<figure style=\"width: 363px\" class=\"wp-caption aligncenter\"><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-10.png\" alt=\"\u56f33 \u904e\u53bb12\u304b\u6708\u306bAutoFocus\u3067\u691c\u51fa\u3055\u308c\u305f\u60aa\u610f\u306e\u3042\u308bPowershell Word\u6587\u66f8\" width=\"363\" height=\"300\" \/><figcaption class=\"wp-caption-text\">\u56f33 
\u904e\u53bb12\u304b\u6708\u306bAutoFocus\u3067\u691c\u51fa\u3055\u308c\u305f\u60aa\u610f\u306e\u3042\u308bPowershell Word\u6587\u66f8<\/figcaption><\/figure>\n<p>EXE\u30b5\u30f3\u30d7\u30eb\u306e\u5206\u985e\u65b9\u6cd5\u3092\u898b\u308b\u3068\u3001\u30b0\u30eb\u30fc\u30d7\u307e\u305f\u306f\u30de\u30eb\u30a6\u30a7\u30a2\u30d5\u30a1\u30df\u30ea\u306b\u95a2\u3057\u3066\u7279\u306b\u76ee\u7acb\u3063\u3066\u512a\u52e2\u306a\u3082\u306e\u306f\u3042\u308a\u307e\u305b\u3093\u304c\u3001\u5927\u5909\u8208\u5473\u6df1\u3044\u3053\u3068\u306b\u3001\u30cf\u30a4\u30c6\u30af\u696d\u754c\u306e\u4f1a\u793e\u3092\u6a19\u7684\u306b\u3059\u308b\u3053\u3068\u3092\u597d\u3093\u3067\u3044\u308b\u3088\u3046\u3067\u3059\u3002<\/p>\n<figure style=\"width: 584px\" class=\"wp-caption aligncenter\"><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-11.png\" alt=\"\u56f34 Powershell\u3092\u4f7f\u7528\u3057\u305f\u60aa\u610f\u306e\u3042\u308b\u5b9f\u884c\u53ef\u80fd\u30d5\u30a1\u30a4\u30eb\u304c\u691c\u51fa\u3055\u308c\u305f\u696d\u754c\u306e\u5185\u8a33\" width=\"584\" height=\"338\" \/><figcaption class=\"wp-caption-text\">\u56f34 Powershell\u3092\u4f7f\u7528\u3057\u305f\u60aa\u610f\u306e\u3042\u308b\u5b9f\u884c\u53ef\u80fd\u30d5\u30a1\u30a4\u30eb\u304c\u691c\u51fa\u3055\u308c\u305f\u696d\u754c\u306e\u5185\u8a33<\/figcaption><\/figure>\n<p>\u7d4c\u6642\u7684\u306a\u5206\u5e03\u3092DOC\u30b5\u30f3\u30d7\u30eb\u306e\u7d4c\u6642\u7684\u306a\u5206\u5e03\u3068\u6bd4\u8f03\u3057\u3066\u3082\u307b\u307c\u540c\u69d8\u3067\u3059\u3002<\/p>\n<figure style=\"width: 600px\" class=\"wp-caption aligncenter\"><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-12.png\" alt=\"\u56f35 
\u904e\u53bb12\u304b\u6708\u306bAutoFocus\u3067\u691c\u51fa\u3055\u308c\u305f\u60aa\u610f\u306e\u3042\u308bPowershell\u3092\u4f7f\u7528\u3057\u305f\u5b9f\u884c\u53ef\u80fd\u30d5\u30a1\u30a4\u30eb\u306e\u6570\" width=\"600\" height=\"290\" \/><figcaption class=\"wp-caption-text\">\u56f35 \u904e\u53bb12\u304b\u6708\u306bAutoFocus\u3067\u691c\u51fa\u3055\u308c\u305f\u60aa\u610f\u306e\u3042\u308bPowershell\u3092\u4f7f\u7528\u3057\u305f\u5b9f\u884c\u53ef\u80fd\u30d5\u30a1\u30a4\u30eb\u306e\u6570<\/figcaption><\/figure>\n<p>\u3053\u308c\u306b\u3064\u3044\u3066\u8003\u3048\u3089\u308c\u308b\u539f\u56e0\u306f\u3001\u4e9c\u7a2e\u304c\u914d\u4fe1\u3055\u308c\u305f\u3068\u3044\u3046\u3053\u3068\u3067\u3059\u3002\u305f\u3068\u3048\u3070\u3001DOC\u30b5\u30f3\u30d7\u30eb\u306f\u4e3b\u306b\u96fb\u5b50\u30e1\u30fc\u30eb\u306e\u6dfb\u4ed8\u30d5\u30a1\u30a4\u30eb\u3068\u3057\u3066\u691c\u51fa\u3055\u308c\u307e\u3057\u305f\u304c\u3001EXE\u30b5\u30f3\u30d7\u30eb\u306f\u901a\u5e38Web\u30d6\u30e9\u30a6\u30b8\u30f3\u30b0\u3092\u901a\u3058\u3066\u914d\u4fe1\u3055\u308c\u3066\u3044\u307e\u3057\u305f\u3002<\/p>\n<p>\u30b3\u30de\u30f3\u30c9\u81ea\u4f53\u3092\u6398\u308a\u4e0b\u3052\u308b\u524d\u306b\u6700\u5f8c\u306b\u53d6\u308a\u4e0a\u3052\u308b\u9805\u76ee\u306f\u3001EncodedCommand\u624b\u6cd5\u3092\u4f7f\u7528\u3057\u3066\u691c\u51fa\u3055\u308c\u305f1\u3064\u306eDLL\u30d5\u30a1\u30a4\u30eb\u3067\u3059\u3002\u3053\u306eDLL\u306b\u306f\u3001\u30a8\u30af\u30b9\u30dd\u30fc\u30c8\u306f\u542b\u307e\u308c\u3066\u304a\u3089\u305a\u3001\u5358\u306b\u3001DLLMain\u30a8\u30f3\u30c8\u30ea \u30dd\u30a4\u30f3\u30c8\u3067\u547c\u3073\u51fa\u3055\u308c\u305f\u6642\u70b9\u3067PowerShell 
Empire\u30b9\u30c6\u30fc\u30b8\u30e3\u3092\u8d77\u52d5\u3057\u307e\u3059\u3002\u30b9\u30c6\u30fc\u30b8\u30e3\u304cWeb\u30b5\u30a4\u30c8\u304b\u3089XOR\u30b9\u30af\u30ea\u30d7\u30c8\u3092\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3057\u3001\u305d\u306e\u5f8c\u3001PowerShell\u306eInvoke-Expression\u30b3\u30de\u30f3\u30c9\u30ec\u30c3\u30c8\u3092\u4f7f\u7528\u3057\u3066\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3057\u305f\u30b9\u30af\u30ea\u30d7\u30c8\u3092\u5b9f\u884c\u3057\u307e\u3059\u3002\u3053\u306e\u30b5\u30f3\u30d7\u30eb\u306f\u30012016\u5e7410\u6708\u306bSymantec\u304c<a href=\"https:\/\/www.symantec.com\/connect\/blogs\/odinaff-new-trojan-used-high-level-financial-attacks\" target=\"_blank\" rel=\"noopener noreferrer\" data-page-track=\"true\" data-page-track-value=\"company:unit-42-pulling-back-curtains-encodedcommand-powershell-attacks: section:\u4e00\u822c\u7684\u306a\u914d\u4fe1\/\u7d71\u8a08\">\u30d6\u30ed\u30b0<\/a>\u306b\u6295\u7a3f\u3057\u305f<a href=\"https:\/\/autofocus.paloaltonetworks.com\/#\/tag\/Unit42.Odinaff\" target=\"_blank\" rel=\"noopener noreferrer\" data-page-track=\"true\" data-page-track-value=\"company:unit-42-pulling-back-curtains-encodedcommand-powershell-attacks: 
section:\u4e00\u822c\u7684\u306a\u914d\u4fe1\/\u7d71\u8a08\">Odinaff<\/a>\u30d5\u30a1\u30df\u30ea\u306b\u95a2\u9023\u3057\u3066\u3044\u307e\u3057\u305f\u3002<\/p>\n<h3>\u5206\u6790\u524d\u306e\u30c7\u30fc\u30bf\/\u7d71\u8a08\u60c5\u5831<\/h3>\n<p>base64\u30a8\u30f3\u30b3\u30fc\u30c9\u3055\u308c\u305f\u30c7\u30fc\u30bf\u3092\u8abf\u3079\u308b\u524d\u306b\u3001\u5404\u30d7\u30ed\u30bb\u30b9\u304c\u3069\u306e\u3088\u3046\u306b\u8d77\u52d5\u3055\u308c\u305f\u304b\u3092\u8abf\u3079\u307e\u3057\u305f\u3002\u3053\u306e\u983b\u5ea6\u5206\u6790\u3068\u691c\u67fb\u304b\u3089\u3001EncodedCommand\u3068\u3068\u3082\u306b\u3069\u306e\u8ffd\u52a0\u30d1\u30e9\u30e1\u30fc\u30bf\u304c\u4f7f\u7528\u3055\u308c\u3066\u3044\u308b\u304b\u306b\u3064\u3044\u3066\u3044\u304f\u3064\u304b\u306e\u6d1e\u5bdf\u304c\u5f97\u3089\u308c\u307e\u3057\u305f\u3002<\/p>\n<p><b>EncodedCommand: (4,100\u500b\u306e\u30b5\u30f3\u30d7\u30eb \u2013 100%\u306e\u30ab\u30d0\u30fc\u7387)<\/b><\/p>\n<p>\u5b9f\u884c\u7528\u306b\u3001PowerShell\u3078base64\u30a8\u30f3\u30b3\u30fc\u30c9\u3055\u308c\u305f\u6587\u5b57\u5217\u3092\u6e21\u3059\u305f\u3081\u306b\u4f7f\u7528\u3055\u308c\u307e\u3059\u3002<\/p>\n<table border=\"0\" width=\"100%\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td width=\"148\"><b>\u30d5\u30e9\u30b0<\/b><\/td>\n<td width=\"148\"><b>\u4ef6\u6570<\/b><\/td>\n<td width=\"148\"><b>\u5408\u8a08\u306b\u5360\u3081\u308b\u5272\u5408(%)<\/b><\/td>\n<\/tr>\n<tr>\n<td width=\"148\">\u201c-enc\u201d<\/td>\n<td width=\"148\">3,407<\/td>\n<td width=\"148\">83.29%<\/td>\n<\/tr>\n<tr>\n<td width=\"148\">\u201c-Enc\u201d<\/td>\n<td width=\"148\">412<\/td>\n<td width=\"148\">10.05%<\/td>\n<\/tr>\n<tr>\n<td width=\"148\">\u201c-EncodedCommand\u201d<\/td>\n<td width=\"148\">229<\/td>\n<td width=\"148\">5.59%<\/td>\n<\/tr>\n<tr>\n<td width=\"148\">\u201c-encodedcommand\u201d<\/td>\n<td width=\"148\">40<\/td>\n<td width=\"148\">0.98%<\/td>\n<\/tr>\n<tr>\n<td width=\"148\">\u201c-encodedCommand\u201d<\/td>\n<td 
width=\"148\">7<\/td>\n<td width=\"148\">0.17%<\/td>\n<\/tr>\n<tr>\n<td width=\"148\">\u201c-ec\u201d<\/td>\n<td width=\"148\">3<\/td>\n<td width=\"148\">0.07%<\/td>\n<\/tr>\n<tr>\n<td width=\"148\">\u201c-en\u201d<\/td>\n<td width=\"148\">1<\/td>\n<td width=\"148\">0.02%<\/td>\n<\/tr>\n<tr>\n<td width=\"148\">\u201c-ENC\u201d<\/td>\n<td width=\"148\">1<\/td>\n<td width=\"148\">0.02%<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><b>WindowStyle Hidden: (2,083\u500b\u306e\u30b5\u30f3\u30d7\u30eb \u2013 50.8%\u306e\u30ab\u30d0\u30fc\u7387)<\/b><\/p>\n<p>\u30b3\u30fc\u30c9\u3092\u5b9f\u884c\u3059\u308b\u969b\u306ePowerShell\u306b\u3088\u308b\u30a6\u30a3\u30f3\u30c9\u30a6\u306e\u8868\u793a\u3092\u963b\u6b62\u3059\u308b\u305f\u3081\u306b\u4f7f\u7528\u3055\u308c\u307e\u3059\u3002\u300c-window hidden\u300d\u304c\u6700\u3082\u3088\u304f\u4f7f\u7528\u3055\u308c\u3066\u3044\u308b\u4e9c\u7a2e\u3067\u3042\u308b\u306e\u306f\u3001\u524d\u8ff0\u306eCerber\u3092\u914d\u4fe1\u3059\u308bMicrosoft Word\u6587\u66f8\u304c\u4f7f\u7528\u3057\u3066\u3044\u308bPowerShell\u30b3\u30de\u30f3\u30c9\u306b\u8d77\u56e0\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<table border=\"0\" width=\"100%\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td width=\"148\"><b>\u30d5\u30e9\u30b0<\/b><\/td>\n<td width=\"148\"><b>\u4ef6\u6570<\/b><\/td>\n<td width=\"148\"><b>\u5408\u8a08\u306b\u5360\u3081\u308b\u5272\u5408(%)<\/b><\/td>\n<\/tr>\n<tr>\n<td width=\"148\">\u201c-window hidden\u201d<\/td>\n<td width=\"148\">1,267<\/td>\n<td width=\"148\">30.90%<\/td>\n<\/tr>\n<tr>\n<td width=\"148\">\u201c-W Hidden\u201d<\/td>\n<td width=\"148\">315<\/td>\n<td width=\"148\">7.68%<\/td>\n<\/tr>\n<tr>\n<td width=\"148\">\u201c-w hidden\u201d<\/td>\n<td width=\"148\">159<\/td>\n<td width=\"148\">3.88%<\/td>\n<\/tr>\n<tr>\n<td width=\"148\">\u201c-windowstyle hidden\u201d<\/td>\n<td width=\"148\">125<\/td>\n<td width=\"148\">3.05%<\/td>\n<\/tr>\n<tr>\n<td width=\"148\">\u201c-win hidden\u201d<\/td>\n<td 
width=\"148\">67<\/td>\n<td width=\"148\">1.63%<\/td>\n<\/tr>\n<tr>\n<td width=\"148\">\u201c-WindowStyle Hidden\u201d<\/td>\n<td width=\"148\">45<\/td>\n<td width=\"148\">1.10%<\/td>\n<\/tr>\n<tr>\n<td width=\"148\">\u201c-win Hidden\u201d<\/td>\n<td width=\"148\">42<\/td>\n<td width=\"148\">1.02%<\/td>\n<\/tr>\n<tr>\n<td width=\"148\">\u201c-wind hidden\u201d<\/td>\n<td width=\"148\">40<\/td>\n<td width=\"148\">0.98%<\/td>\n<\/tr>\n<tr>\n<td width=\"148\">\u201c-WindowStyle hidden\u201d<\/td>\n<td width=\"148\">5<\/td>\n<td width=\"148\">0.12%<\/td>\n<\/tr>\n<tr>\n<td width=\"148\">\u201c-WindowStyle hiddeN\u201d<\/td>\n<td width=\"148\">5<\/td>\n<td width=\"148\">0.12%<\/td>\n<\/tr>\n<tr>\n<td width=\"148\">\u201c-windows hidden\u201d<\/td>\n<td width=\"148\">4<\/td>\n<td width=\"148\">0.10%<\/td>\n<\/tr>\n<tr>\n<td width=\"148\">\u201c-Win Hidden\u201d<\/td>\n<td width=\"148\">3<\/td>\n<td width=\"148\">0.07%<\/td>\n<\/tr>\n<tr>\n<td width=\"148\">\u201c-win hid\u201d<\/td>\n<td width=\"148\">2<\/td>\n<td width=\"148\">0.05%<\/td>\n<\/tr>\n<tr>\n<td width=\"148\">\u201c-Window hidden\u201d<\/td>\n<td width=\"148\">2<\/td>\n<td width=\"148\">0.05%<\/td>\n<\/tr>\n<tr>\n<td width=\"148\">\u201c-Wind Hidden\u201d<\/td>\n<td width=\"148\">1<\/td>\n<td width=\"148\">0.02%<\/td>\n<\/tr>\n<tr>\n<td width=\"148\">\u201c-Win hidden\u201d<\/td>\n<td width=\"148\">1<\/td>\n<td width=\"148\">0.02%<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><b>NonInteractive: (1,405\u500b\u306e\u30b5\u30f3\u30d7\u30eb \u2013 42.4%\u306e\u30ab\u30d0\u30fc\u7387)<\/b><\/p>\n<p>\u30e6\u30fc\u30b6\u30fc\u5411\u3051\u306e\u30a4\u30f3\u30bf\u30e9\u30af\u30c6\u30a3\u30d6 \u30d7\u30ed\u30f3\u30d7\u30c8\u306e\u4f5c\u6210\u3092\u963b\u6b62\u3059\u308b\u305f\u3081\u306b\u4f7f\u7528\u3055\u308c\u307e\u3059\u3002WindowStyle 
Hidden\u3068\u7d44\u307f\u5408\u308f\u305b\u3066\u4f7f\u7528\u3057\u3001\u5b9f\u884c\u306e\u5146\u5019\u3092\u96a0\u3057\u307e\u3059\u3002\u300c-noni\u300d\u4e9c\u7a2e\u306e\u5834\u5408\u300176%\u304c\u6c4e\u7528\u306e\u30b7\u30a7\u30eb\u30b3\u30fc\u30c9 \u30a4\u30f3\u30b8\u30a7\u30af\u30b7\u30e7\u30f3 \u30b3\u30fc\u30c9\u3068SET\u3067\u3057\u305f\u304c\u3001\u300c-NonI\u300d\u306fPowerShell Empire\u3067\u3057\u305f\u3002<\/p>\n<table border=\"0\" width=\"100%\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td width=\"148\"><b>\u30d5\u30e9\u30b0<\/b><\/td>\n<td width=\"148\"><b>\u4ef6\u6570<\/b><\/td>\n<td width=\"148\"><b>\u5408\u8a08\u306b\u5360\u3081\u308b\u5272\u5408(%)<\/b><\/td>\n<\/tr>\n<tr>\n<td width=\"148\">\u201c-noni\u201d<\/td>\n<td width=\"148\">1,042<\/td>\n<td width=\"148\">25.41%<\/td>\n<\/tr>\n<tr>\n<td width=\"148\">\u201c-NonI\u201d<\/td>\n<td width=\"148\">331<\/td>\n<td width=\"148\">8.07%<\/td>\n<\/tr>\n<tr>\n<td width=\"148\">\u201c-noninteractive\u201d<\/td>\n<td width=\"148\">27<\/td>\n<td width=\"148\">0.66%<\/td>\n<\/tr>\n<tr>\n<td width=\"148\">\u201c-NonInteractive\u201d<\/td>\n<td width=\"148\">4<\/td>\n<td width=\"148\">0.10%<\/td>\n<\/tr>\n<tr>\n<td width=\"148\">\u201c-nonI\u201d<\/td>\n<td width=\"148\">1<\/td>\n<td width=\"148\">0.02%<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><b>NoProfile: (1,350\u500b\u306e\u30b5\u30f3\u30d7\u30eb \u2013 32.9%\u306e\u30ab\u30d0\u30fc\u7387)<\/b><\/p>\n<p>PowerShell\u304c\u8d77\u52d5\u6642\u306b\u5b9f\u884c\u3055\u308c\u308b\u30d7\u30ed\u30d5\u30a1\u30a4\u30eb \u30b9\u30af\u30ea\u30d7\u30c8\u3092\u30ed\u30fc\u30c9\u3059\u308b\u306e\u3092\u963b\u6b62\u3057\u307e\u3059\u3002\u3064\u307e\u308a\u3001\u6f5c\u5728\u7684\u306b\u4e0d\u8981\u306a\u30b3\u30de\u30f3\u30c9\u307e\u305f\u306f\u8a2d\u5b9a\u3092\u56de\u907f\u3057\u307e\u3059\u3002NonInteractive\u306e\u5185\u8a33\u3068\u540c\u69d8\u306b\u3001\u300c-nop\u300d\u306f\u4e3b\u306bSET\u3068\u6c4e\u7528\u306e\u30b7\u30a7\u30eb\u30b3\u30fc\u30c9 
\u30a4\u30f3\u30b8\u30a7\u30af\u30b7\u30e7\u30f3\u3067\u3001\u300c-NoP\u300d\u306fPowerShell Empire\u3067\u3059\u3002<\/p>\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td width=\"148\"><b>\u30d5\u30e9\u30b0<\/b><\/td>\n<td width=\"148\"><b>\u4ef6\u6570<\/b><\/td>\n<td width=\"148\"><b>\u5408\u8a08\u306b\u5360\u3081\u308b\u5272\u5408(%)<\/b><\/td>\n<\/tr>\n<tr>\n<td width=\"148\">\u201c-nop\u201d<\/td>\n<td width=\"148\">955<\/td>\n<td width=\"148\">23.29%<\/td>\n<\/tr>\n<tr>\n<td width=\"148\">\u201c-NoP\u201d<\/td>\n<td width=\"148\">332<\/td>\n<td width=\"148\">8.10%<\/td>\n<\/tr>\n<tr>\n<td width=\"148\">\u201c-noprofile\u201d<\/td>\n<td width=\"148\">57<\/td>\n<td width=\"148\">1.39%<\/td>\n<\/tr>\n<tr>\n<td width=\"148\">\u201c-NoProfile\u201d<\/td>\n<td width=\"148\">5<\/td>\n<td width=\"148\">0.12%<\/td>\n<\/tr>\n<tr>\n<td width=\"148\">\u201c-noP\u201d<\/td>\n<td width=\"148\">1<\/td>\n<td width=\"148\">0.02%<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><b>ExecutionPolicy ByPass: (453\u500b\u306e\u30b5\u30f3\u30d7\u30eb \u2013 11%\u306e\u30ab\u30d0\u30fc\u7387)<\/b><\/p>\n<p>\u30c7\u30d5\u30a9\u30eb\u30c8\u306ePowerShell\u30b9\u30af\u30ea\u30d7\u30c8\u5b9f\u884c\u30dd\u30ea\u30b7\u30fc(Restricted)\u3092\u30d0\u30a4\u30d1\u30b9\u3057\u3001\u30b9\u30af\u30ea\u30d7\u30c8\u306e\u5b9f\u884c\u3084\u30d7\u30ed\u30f3\u30d7\u30c8\u306e\u4f5c\u6210\u3092\u30d6\u30ed\u30c3\u30af\u3057\u306a\u3044\u3088\u3046\u306b\u3057\u307e\u3059\u3002\u7279\u306b\u8208\u5473\u6df1\u3044\u306e\u306f\u3001EncodedCommand\u30d1\u30e9\u30e1\u30fc\u30bf\u5185\u3067\u5b9f\u884c\u3055\u308c\u305f\u30b3\u30fc\u30c9\u304c\u5b9f\u884c\u30dd\u30ea\u30b7\u30fc\u306b\u9069\u7528\u3055\u308c\u306a\u3044\u70b9\u3067\u3059\u3002<\/p>\n<table border=\"0\" width=\"100%\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td width=\"208\"><b>\u30d5\u30e9\u30b0<\/b><\/td>\n<td width=\"87\"><b>\u4ef6\u6570<\/b><\/td>\n<td 
width=\"148\"><b>\u5408\u8a08\u306b\u5360\u3081\u308b\u5272\u5408(%)<\/b><\/td>\n<\/tr>\n<tr>\n<td width=\"208\">\u201c-ep bypass\u201d<\/td>\n<td width=\"87\">128<\/td>\n<td width=\"148\">3.12%<\/td>\n<\/tr>\n<tr>\n<td width=\"208\">\u201c-exec bypass\u201d<\/td>\n<td width=\"87\">80<\/td>\n<td width=\"148\">1.95%<\/td>\n<\/tr>\n<tr>\n<td width=\"208\">\u201c-executionpolicy bypass\u201d<\/td>\n<td width=\"87\">78<\/td>\n<td width=\"148\">1.90%<\/td>\n<\/tr>\n<tr>\n<td width=\"208\">\u201c-Exec Bypass\u201d<\/td>\n<td width=\"87\">73<\/td>\n<td width=\"148\">1.78%<\/td>\n<\/tr>\n<tr>\n<td width=\"208\">\u201c-ExecutionPolicy ByPass\u201d<\/td>\n<td width=\"87\">42<\/td>\n<td width=\"148\">1.02%<\/td>\n<\/tr>\n<tr>\n<td width=\"208\">\u201c-ExecutionPolicy bypass\u201d<\/td>\n<td width=\"87\">26<\/td>\n<td width=\"148\">0.63%<\/td>\n<\/tr>\n<tr>\n<td width=\"208\">\u201c-Exec ByPass\u201d<\/td>\n<td width=\"87\">9<\/td>\n<td width=\"148\">0.22%<\/td>\n<\/tr>\n<tr>\n<td width=\"208\">\u201c-ExecutionPolicy Bypass\u201d<\/td>\n<td width=\"87\">5<\/td>\n<td width=\"148\">0.12%<\/td>\n<\/tr>\n<tr>\n<td width=\"208\">\u201c-ExecuTionPolicy ByPasS\u201d<\/td>\n<td width=\"87\">4<\/td>\n<td width=\"148\">0.10%<\/td>\n<\/tr>\n<tr>\n<td width=\"208\">\u201c-exe byPass\u201d<\/td>\n<td width=\"87\">2<\/td>\n<td width=\"148\">0.05%<\/td>\n<\/tr>\n<tr>\n<td width=\"208\">\u201c-ep Bypass\u201d<\/td>\n<td width=\"87\">2<\/td>\n<td width=\"148\">0.05%<\/td>\n<\/tr>\n<tr>\n<td width=\"208\">\u201c-ExecutionPolicy BypasS\u201d<\/td>\n<td width=\"87\">2<\/td>\n<td width=\"148\">0.05%<\/td>\n<\/tr>\n<tr>\n<td width=\"208\">\u201c-Exe ByPass\u201d<\/td>\n<td width=\"87\">2<\/td>\n<td width=\"148\">0.05%<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><b>Sta: (219\u500b\u306e\u30b5\u30f3\u30d7\u30eb \u2013 5.3%\u306e\u30ab\u30d0\u30fc\u7387)<\/b><\/p>\n<p>\u30b7\u30f3\u30b0\u30eb\u30b9\u30ec\u30c3\u30c9 \u30a2\u30d1\u30fc\u30c8\u30e1\u30f3\u30c8\u3092\u4f7f\u7528\u3057\u307e\u3059(PowerShell 
3.0\u4ee5\u964d\u306e\u30c7\u30d5\u30a9\u30eb\u30c8)\u3002\u3053\u306e\u30d1\u30e9\u30e1\u30fc\u30bf\u306f\u307b\u3068\u3093\u3069PowerShell Empire\u3067\u4f7f\u7528\u3055\u308c\u3066\u3044\u307e\u3057\u305f\u3002<\/p>\n<table border=\"0\" width=\"100%\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td width=\"148\"><b>\u30d5\u30e9\u30b0<\/b><\/td>\n<td width=\"148\"><b>\u4ef6\u6570<\/b><\/td>\n<td width=\"148\"><b>\u5408\u8a08\u306b\u5360\u3081\u308b\u5272\u5408(%)<\/b><\/td>\n<\/tr>\n<tr>\n<td width=\"148\">\u201c-sta\u201d<\/td>\n<td width=\"148\">\u00a0219<\/td>\n<td width=\"148\">\u00a05.34%<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>NoExit: (23\u500b\u306e\u30b5\u30f3\u30d7\u30eb \u2013 0.5%\u306e\u30ab\u30d0\u30fc\u7387)<\/p>\n<p>\u8d77\u52d5\u30b3\u30de\u30f3\u30c9\u306e\u5b9f\u884c\u5f8c\u306fPowerShell\u306e\u7d42\u4e86\u3092\u963b\u6b62\u3057\u307e\u3059\u3002\u3053\u308c\u306fPowerWorm\u30de\u30eb\u30a6\u30a7\u30a2\u306b\u3088\u3063\u3066\u306e\u307f\u4f7f\u7528\u3055\u308c\u3001EncodedCommand\u3068\u3068\u3082\u306b\u4f7f\u7528\u3055\u308c\u305f\u552f\u4e00\u306e\u30d1\u30e9\u30e1\u30fc\u30bf\u3067\u3057\u305f\u3002<\/p>\n<table border=\"0\" width=\"100%\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td width=\"148\">\u30d5\u30e9\u30b0<\/td>\n<td width=\"148\">\u4ef6\u6570<\/td>\n<td width=\"148\">\u5408\u8a08\u306b\u5360\u3081\u308b\u5272\u5408(%)<\/td>\n<\/tr>\n<tr>\n<td width=\"148\">\u201c-noexit\u201d<\/td>\n<td width=\"148\">\u00a023<\/td>\n<td width=\"148\">\u00a00.56%<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>ExecutionPolicy Hidden (5\u500b\u306e\u30b5\u30f3\u30d7\u30eb \u2013 0.12%\u306e\u30ab\u30d0\u30fc\u7387)<\/p>\n<p>PowerShell\u306f\u3053\u308c\u3092\u5358\u306b\u7121\u8996\u3059\u308b\u305f\u3081\u3001\u3053\u308c\u306f\u5b9f\u969b\u306b\u306f\u6709\u52b9\u306a\u30dd\u30ea\u30b7\u30fc\u3067\u306f\u3042\u308a\u307e\u305b\u3093\u3002\u3059\u3079\u3066\u306e\u4f7f\u7528\u306f\u3001\u79c1\u304c\u300cTXT 
C2\u300d\u3068\u30e9\u30d9\u30eb\u4ed8\u3051\u3057\u305f\u30b9\u30af\u30ea\u30d7\u30c8\u306b\u95a2\u9023\u3057\u3066\u3044\u307e\u3059\u3002\u3053\u306e\u30b9\u30af\u30ea\u30d7\u30c8\u306f\u3001PowerWorm\u306b\u4f3c\u305f\u5225\u306ePowerShell\u30b9\u30af\u30ea\u30d7\u30c8\u3092\u542b\u3080DNS TXT\u30ec\u30b3\u30fc\u30c9\u306e\u30ed\u30fc\u30c9\u3092\u8a66\u307f\u307e\u3059\u3002\u653b\u6483\u8005\u306f\u305f\u3044\u304c\u3044\u3001\u5f7c\u3089\u306e\u30b3\u30de\u30f3\u30c9\u306e\u5f8c\u65b9\u306b\u3059\u3067\u306b\u300c-w hidden\u300d\u304c\u3042\u308b\u5834\u5408\u306f\u3001\u3053\u3053\u3067ByPass\u3092\u4f7f\u7528\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<table border=\"0\" width=\"100%\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td width=\"148\">\u30d5\u30e9\u30b0<\/td>\n<td width=\"148\">\u4ef6\u6570<\/td>\n<td width=\"148\">\u5408\u8a08\u306b\u5360\u3081\u308b\u5272\u5408(%)<\/td>\n<\/tr>\n<tr>\n<td width=\"148\">\u201c-ep hidden\u201d<\/td>\n<td width=\"148\">\u00a05<\/td>\n<td width=\"148\">\u00a00.12%<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>NoLogo: (33\u500b\u306e\u30b5\u30f3\u30d7\u30eb \u2013 0.8%\u306e\u30ab\u30d0\u30fc\u7387)<\/p>\n<p>PowerShell\u306e\u8d77\u52d5\u6642\u306b\u8457\u4f5c\u6a29\u30d0\u30ca\u30fc\u3092\u975e\u8868\u793a\u306b\u3057\u307e\u3059\u3002<\/p>\n<table border=\"0\" width=\"100%\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td width=\"148\">\u30d5\u30e9\u30b0<\/td>\n<td width=\"148\">\u4ef6\u6570<\/td>\n<td width=\"148\">\u5408\u8a08\u306b\u5360\u3081\u308b\u5272\u5408(%)<\/td>\n<\/tr>\n<tr>\n<td width=\"148\">\u201c-Nol\u201d<\/td>\n<td width=\"148\">10<\/td>\n<td width=\"148\">0.24%<\/td>\n<\/tr>\n<tr>\n<td width=\"148\">\u201c-NoL\u201d<\/td>\n<td width=\"148\">10<\/td>\n<td width=\"148\">0.24%<\/td>\n<\/tr>\n<tr>\n<td width=\"148\">\u201c-nologo\u201d<\/td>\n<td width=\"148\">9<\/td>\n<td width=\"148\">0.22%<\/td>\n<\/tr>\n<tr>\n<td width=\"148\">\u201c-nol\u201d<\/td>\n<td width=\"148\">4<\/td>\n<td 
width=\"148\">0.10%<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>ExecutionPolicy Unrestricted (1\u500b\u306e\u30b5\u30f3\u30d7\u30eb \u2013 0.02%\u306e\u30ab\u30d0\u30fc\u7387)<\/p>\n<p>ByPass\u306b\u4f3c\u3066\u3044\u307e\u3059\u304c\u3001\u30a4\u30f3\u30bf\u30fc\u30cd\u30c3\u30c8\u304b\u3089\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3055\u308c\u305f\u672a\u7f72\u540d\u306e\u30b9\u30af\u30ea\u30d7\u30c8\u3092\u5b9f\u884c\u3059\u308b\u524d\u306b\u3001\u30e6\u30fc\u30b6\u30fc\u306b\u8b66\u544a\u3057\u307e\u3059\u3002\u3053\u306e\u30d1\u30e9\u30e1\u30fc\u30bf\u3092\u4f7f\u7528\u3057\u305f\u57fa\u790e\u3068\u306a\u308b\u5b64\u7acb\u3057\u305f\u30b9\u30af\u30ea\u30d7\u30c8\u304c\u3001\u30a4\u30f3\u30bf\u30fc\u30cd\u30c3\u30c8\u304b\u3089\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3057\u305f\u30b9\u30af\u30ea\u30d7\u30c8\u306e\u5b9f\u884c\u3092\u8a66\u307f\u3001\u305d\u306e\u969b\u306b\u8b66\u544a\u3092\u751f\u6210\u3057\u307e\u3059\u3002<\/p>\n<table border=\"0\" width=\"100%\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td width=\"194\">\u30d5\u30e9\u30b0<\/td>\n<td width=\"101\">\u4ef6\u6570<\/td>\n<td width=\"148\">\u5408\u8a08\u306b\u5360\u3081\u308b\u5272\u5408(%)<\/td>\n<\/tr>\n<tr>\n<td width=\"194\">\u201c-ExecutionPolicy Unrestricted\u201d<\/td>\n<td width=\"101\">\u00a01<\/td>\n<td width=\"148\">\u00a00.02%<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Command (1\u500b\u306e\u30b5\u30f3\u30d7\u30eb \u2013 0.02%\u306e\u30ab\u30d0\u30fc\u7387)<\/p>\n<p>PowerShell\u30d7\u30ed\u30f3\u30d7\u30c8\u3067\u5165\u529b\u3055\u308c\u305f\u304b\u306e\u3088\u3046\u306b\u3001\u30d1\u30e9\u30e1\u30fc\u30bf\u306b\u5f93\u3063\u3066\u30b3\u30de\u30f3\u30c9\u3092\u5b9f\u884c\u3057\u307e\u3059\u3002\u3053\u308c\u306f1\u3064\u306e\u30a4\u30f3\u30b9\u30bf\u30f3\u30b9\u306e\u307f\u304c\u691c\u51fa\u3055\u308c\u307e\u3057\u305f\u3002\u7f72\u540d\u30d9\u30fc\u30b9\u306e\u691c\u51fa\u306e\u56de\u907f\u306b\u95a2\u3059\u308b<a 
href=\"https:\/\/www.fireeye.com\/blog\/threat-research\/2016\/04\/ghosts_in_the_endpoi.html\" target=\"_blank\" rel=\"noopener noreferrer\" data-page-track=\"true\" data-page-track-value=\"company:unit-42-pulling-back-curtains-encodedcommand-powershell-attacks: section:\u5206\u6790\u524d\u306e\u30c7\u30fc\u30bf\/\u7d71\u8a08\u60c5\u5831\">\u30d6\u30ed\u30b0<\/a>\u3067\u53d6\u308a\u4e0a\u3052\u305fFireEye\u3068\u3044\u3046\u30de\u30eb\u30a6\u30a7\u30a2\u306e\u4e00\u90e8\u306b\u76f4\u63a5\u95a2\u9023\u3057\u3066\u3044\u307e\u3057\u305f\u3002PowerShell\u30b3\u30fc\u30c9\u306fDOCM\u30d5\u30a1\u30a4\u30eb\u306e\u300cComments\uff08\u30b3\u30e1\u30f3\u30c8\uff09\u300d\u30d5\u30a3\u30fc\u30eb\u30c9\u306b\u542b\u307e\u308c\u3001Microsoft Word\u6587\u66f8\u5185\u306e\u30de\u30af\u30ed\u304b\u3089\u8d77\u52d5\u3055\u308c\u307e\u3057\u305f\u3002\u4ee5\u4e0b\u306f\u3001\u8907\u6570\u306e\u30b3\u30de\u30f3\u30c9\u3092\u9023\u9396\u3055\u305b\u3001FTP\u8ee2\u9001\u3068\u305d\u308c\u4ee5\u964d\u306eNetCat\u63a5\u7d9a\u3092\u5b9f\u884c\u3059\u308b\u554f\u984c\u3068\u306a\u3063\u3066\u3044\u308b\u30b3\u30fc\u30c9\u3067\u3059\u3002<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-13.png\" \/><\/p>\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td width=\"56\">\u30d5\u30e9\u30b0<\/td>\n<td width=\"52\">\u4ef6\u6570<\/td>\n<td width=\"53\">\u5408\u8a08\u306b\u5360\u3081\u308b\u5272\u5408(%)<\/td>\n<\/tr>\n<tr>\n<td width=\"56\">\u201c-c\u201d<\/td>\n<td width=\"52\">\u00a01<\/td>\n<td width=\"53\">\u00a00.02%<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u6700\u5f8c\u306b\u3001\u3053\u306e\u30b5\u30f3\u30d7\u30eb 
\u30bb\u30c3\u30c8\u5168\u4f53\u3092\u901a\u3058\u3066\u691c\u51fa\u3055\u308c\u305f\u30c8\u30c3\u30d710\u306e\u7d44\u307f\u5408\u308f\u305b\u306b\u3056\u3063\u3068\u76ee\u3092\u901a\u3057\u3066\u3001\u30d1\u30e9\u30e1\u30fc\u30bf\u5206\u6790\u3092\u7de0\u3081\u304f\u304f\u308a\u307e\u3059\u3002<\/p>\n<table border=\"0\" width=\"100%\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td width=\"42%\">\u30d5\u30e9\u30b0\u306e\u7d44\u307f\u5408\u308f\u305b<\/td>\n<td width=\"22%\">\u4ef6\u6570<\/td>\n<td width=\"34%\">\u5408\u8a08\u306b\u5360\u3081\u308b\u5272\u5408(%)<\/td>\n<\/tr>\n<tr>\n<td width=\"42%\">\u201c-window hidden -enc\u201d<\/td>\n<td width=\"22%\">1,242<\/td>\n<td width=\"34%\">30.29%<\/td>\n<\/tr>\n<tr>\n<td width=\"42%\">\u201c-enc\u201d<\/td>\n<td width=\"22%\">986<\/td>\n<td width=\"34%\">24.04%<\/td>\n<\/tr>\n<tr>\n<td width=\"42%\">\u201c-nop -noni -enc\u201d<\/td>\n<td width=\"22%\">736<\/td>\n<td width=\"34%\">17.95%<\/td>\n<\/tr>\n<tr>\n<td width=\"42%\">\u201c-NoP -sta -NonI -W Hidden -Enc\u201d<\/td>\n<td width=\"22%\">206<\/td>\n<td width=\"34%\">5.02%<\/td>\n<\/tr>\n<tr>\n<td width=\"42%\">\u201c-EncodedCommand\u201d<\/td>\n<td width=\"22%\">169<\/td>\n<td width=\"34%\">4.12%<\/td>\n<\/tr>\n<tr>\n<td width=\"42%\">\u201c-ep bypass -noni -w hidden -enc\u201d<\/td>\n<td width=\"22%\">102<\/td>\n<td width=\"34%\">2.48%<\/td>\n<\/tr>\n<tr>\n<td width=\"42%\">\u201c-NoP -NonI -W Hidden -Enc\u201d<\/td>\n<td width=\"22%\">60<\/td>\n<td width=\"34%\">1.46%<\/td>\n<\/tr>\n<tr>\n<td width=\"42%\">\u201c-nop\u00a0 -win hidden -noni -enc\u201d<\/td>\n<td width=\"22%\">57<\/td>\n<td width=\"34%\">1.39%<\/td>\n<\/tr>\n<tr>\n<td width=\"42%\">\u201c-executionpolicy bypass -windowstyle hidden -enc\u201d<\/td>\n<td width=\"22%\">51<\/td>\n<td width=\"34%\">1.24%<\/td>\n<\/tr>\n<tr>\n<td width=\"42%\">\u201c-nop -exec bypass -win Hidden -noni -enc\u201d<\/td>\n<td width=\"22%\">41<\/td>\n<td 
width=\"34%\">1.00%<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u5909\u66f4\u3092\u8003\u616e\u3057\u305f\u5834\u5408\u3067\u3082\u3001\u7d50\u679c\u3067\u306f\u30ab\u30c6\u30b4\u30ea\u3054\u3068\u306b\u3044\u304f\u3064\u304b\u306e\u30b5\u30f3\u30d7\u30eb\u304c\u5897\u3048\u305f\u3060\u3051\u3067\u3059\u3002<\/p>\n<p>\u8b58\u5225\u306e\u305f\u3081\u306b\u4e00\u610f\u306e\u7f72\u540d\u3092\u8a66\u3057\u3066\u7279\u5b9a\u3059\u308b\u8abf\u67fb\u3092\u5b9f\u65bd\u3057\u3066\u3044\u308b\u9593\u306b\u3001\u4ee5\u4e0b\u306e\u8907\u6570\u306e\u4f8b\u3092\u898b\u3064\u3051\u307e\u3057\u305f\u3002\u3053\u308c\u3089\u306f\u3001\u4f5c\u6210\u8005\u304c\u3088\u308a\u65b0\u3057\u3044\u30d0\u30fc\u30b8\u30e7\u30f3\u306e\u30c4\u30fc\u30eb\u306b\u5408\u308f\u305b\u3066\u30d1\u30bf\u30e1\u30fc\u30bf\u3092\u5909\u66f4\u3057\u305f\u30b3\u30fc\u30c9\u3067\u3059\u3002<\/p>\n<figure style=\"width: 899px\" class=\"wp-caption aligncenter\"><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-14.png\" alt=\"\u56f36 \u4f5c\u6210\u8005\u304c\u30c4\u30fc\u30eb\u306e\u30d0\u30fc\u30b8\u30e7\u30f3\u9593\u3067\u30d1\u30e9\u30e1\u30fc\u30bf\u3092\u5909\u66f4\u3057\u305f\u30b3\u30fc\u30c9\" width=\"899\" height=\"84\" \/><figcaption class=\"wp-caption-text\">\u56f36 
\u4f5c\u6210\u8005\u304c\u30c4\u30fc\u30eb\u306e\u30d0\u30fc\u30b8\u30e7\u30f3\u9593\u3067\u30d1\u30e9\u30e1\u30fc\u30bf\u3092\u5909\u66f4\u3057\u305f\u30b3\u30fc\u30c9<\/figcaption><\/figure>\n<p>\u3053\u308c\u306b\u3088\u3063\u3066\u3001\u3053\u308c\u3089\u306e\u30d5\u30a1\u30df\u30ea\u5168\u4f53\u306e\u96c6\u8a08\u6570\u304c\u6e1b\u308a\u307e\u3059\u304c\u3001\u5408\u8a08\u306b\u5927\u304d\u306a\u5f71\u97ff\u306f\u306a\u3044\u3068\u78ba\u4fe1\u3057\u3066\u3044\u307e\u3059\u3002\u30c4\u30fc\u30eb\u3092\u30ec\u30d3\u30e5\u30fc\u3057\u305f\u3068\u3053\u308d\u3001\u653b\u6483\u8005\u306f\u3055\u3089\u306b\u653b\u6483\u3092\u96a0\u3059\u305f\u3081\u306e\u30d1\u30e9\u30e1\u30fc\u30bf\u306e\u52d5\u7684\u306a\u9806\u5e8f\u4ed8\u3051\u3084\u6f5c\u5728\u7684\u306b\u52d5\u7684\u306a\u30d1\u30e9\u30e1\u30fc\u30bf\u9577\u306e\u8abf\u6574\u306f\u3042\u307e\u308a\u91cd\u8996\u3057\u3066\u3044\u307e\u305b\u3093\u3002\u4ee3\u308f\u308a\u306b\u3001\u57fa\u672c\u7684\u306a\u5927\u6587\u5b57\u5909\u63db\u306e\u30e9\u30f3\u30c0\u30e0\u5316\u3092\u8ffd\u52a0\u3057\u3001\u30b3\u30fc\u30c9\u306e\u300c\u672c\u8cea\u300d\u3092\u91cd\u8996\u3057\u3066\u3044\u307e\u3059\u3002\u3053\u308c\u306b\u3088\u3063\u3066\u3001PowerShell\u30b3\u30de\u30f3\u30c9\u304c\u8d77\u52d5\u3055\u308c\u308b\u65b9\u6cd5\u306e\u307f\u306b\u57fa\u3065\u304f\u30ed\u30fc\u30d5\u30a1\u30a4(\u4f4e\u5fe0\u5b9f\u5ea6)\u30d7\u30ed\u30d5\u30a1\u30a4\u30ea\u30f3\u30b0\u304c\u53ef\u80fd\u306b\u306a\u308a\u307e\u3059\u3002<\/p>\n<p>\u3055\u3089\u306b\u3001\u3059\u3079\u3066\u306e\u7d44\u307f\u5408\u308f\u305b\u306e72%\u3092\u5360\u3081\u308b\u30c8\u30c3\u30d73\u306e\u7d44\u307f\u5408\u308f\u305b\u306f\u3001\u307b\u3068\u3093\u3069\u5358\u7d14\u3067\u3001\u653b\u6483\u3092\u30e6\u30fc\u30b6\u30fc\u304b\u3089\u3055\u3089\u306b\u96a0\u3059\u305f\u3081\u306e\u5de7\u5999\u306a\u8a66\u307f\u3068\u306f\u5bfe\u7167\u7684\u306b\u3001\u30b3\u30fc\u30c9\u3092\u5b9f\u884c\u3059\u308b\u3053\u3068\u306e\u307f\u306b\u91cd\u70b9\u3092\u7f6e\
u3044\u3066\u3044\u307e\u3059\u3002<\/p>\n<h4>\u5206\u6790\u5f8c\u306e\u30c7\u30fc\u30bf\/\u7d71\u8a08\u60c5\u5831<\/h4>\n<p>\u6b21\u306b\u3001\u8b58\u5225\u3055\u308c\u305f\u5404\u4e9c\u7a2e\u3092\u8abf\u3079\u3001\u305d\u308c\u3089\u306e\u6a5f\u80fd\u3092\u78ba\u8a8d\u3057\u307e\u3059\u3002\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3057\u305f\u30d5\u30a1\u30a4\u30eb\u307e\u305f\u306f\u30b9\u30af\u30ea\u30d7\u30c8\u306e\u305d\u308c\u305e\u308c\u306b\u5bfe\u3057\u3066\u3001\u89b3\u5bdf\u3055\u308c\u305fIP\/\u30c9\u30e1\u30a4\u30f3\/URL\uff08\u3053\u306e\u30d6\u30ed\u30b0\u306e\u6700\u5f8c\u306b\u63b2\u8f09\uff09\u3092\u542b\u3081\u307e\u3059\u3002\u3053\u308c\u3089\u306e\u4e00\u90e8\u306f\u60aa\u610f\u306e\u3042\u308b\u5834\u5408\u3082\u3042\u308c\u3070\u3001\u4fb5\u5165\u30c6\u30b9\u30bf\u30fc\u306e\u5834\u5408\u3082\u3042\u308a\u3001\u65b0\u3057\u3044\u624b\u6cd5\u306e\u30e9\u30f3\u30c0\u30e0\u306a\u30c6\u30b9\u30c8\u3092\u5b9f\u65bd\u3057\u3066\u3044\u308b\u4eba\u3005\u306e\u5834\u5408\u3082\u3042\u308a\u307e\u3059\u3002\u6b8b\u5ff5\u306a\u304c\u3089\u3001\u901a\u5e38\u306f\u5927\u91cf\u5206\u6790\u3092\u5b9f\u65bd\u3059\u308b\u5834\u5408\u306e\u610f\u56f3\u3092\u63a8\u6e2c\u3059\u308b\u3053\u3068\u306f\u3067\u304d\u307e\u305b\u3093\u304c\u3001\u8aad\u8005\u306b\u306f\u305d\u308c\u3089\u306b\u5fdc\u3058\u3066\u4f7f\u7528\u3067\u304d\u308b\u30c7\u30fc\u30bf\u304c\u63d0\u4f9b\u3055\u308c\u307e\u3059\u3002<\/p>\n<h4>\u30c0\u30a6\u30f3\u30ed\u30fc\u30c0\u30fc<\/h4>\n<p>PowerShell\u30b3\u30fc\u30c9\u306e\u4e3b\u306a\u76ee\u7684\u304c\u3001\u30bb\u30ab\u30f3\u30c0\u30ea \u30da\u30a4\u30ed\u30fc\u30c9\u306e\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3068\u5b9f\u884c\u3001\u307e\u305f\u306f\u30ea\u30e2\u30fc\u30c8\u3067\u53d6\u5f97\u3057\u305fPowerShell\u30b3\u30fc\u30c9\u306e\u5b9f\u884c\u3067\u3042\u308b\u3053\u3068\u306f\u660e\u3089\u304b\u3067\u3059\u3002<\/p>\n<p>\u30c0\u30a6\u30f3\u30ed\u30fc\u30c0\u30fcDFSP (1,373\u500b\u306e\u30b5\u30f3\u30d7\u30eb \u2013 
33.49%\u306e\u30ab\u30d0\u30fc\u7387)<\/p>\n<p>\u3053\u308c\u306f\u3001\u30d5\u30a1\u30a4\u30eb\u3092\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3057\u5b9f\u884c\u3059\u308b\u305f\u3081\u306bPowerShell\u3092\u4f7f\u7528\u3057\u3066\u3044\u308b\u5178\u578b\u7684\u306a\u4f8b\u3067\u3059\u3002Google\u3067\u30d5\u30a1\u30a4\u30eb\u306e\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u304a\u3088\u3073\u5b9f\u884c\u65b9\u6cd5\u3092\u691c\u7d22\u3059\u308b\u3068\u5f97\u3089\u308c\u308b\u3001\u57fa\u672c\u7684\u3067\u6587\u5b57\u901a\u308a\u306e\u7d50\u679c\u3067\u3059\u3002\u305d\u306e\u305f\u3081\u3001\u771f\u306e\u30da\u30a4\u30ed\u30fc\u30c9\u306e\u30b7\u30f3\u30d7\u30eb\u306a\u30c0\u30a6\u30f3\u30ed\u30fc\u30c0\u30fc\u3068\u3057\u3066\u52d5\u4f5c\u3059\u308b\u3001base64\u30a8\u30f3\u30b3\u30fc\u30c9\u3055\u308c\u305f\u30c7\u30fc\u30bf\u306e\u6c4e\u7528\u5206\u985e\u3068\u3057\u3066\u3001\u4ee5\u4e0b\u306e\u30c6\u30f3\u30d7\u30ec\u30fc\u30c8\u3092\u4f7f\u7528\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-15.png\" \/><\/p>\n<p>\u4ee5\u524d\u306b\u6307\u6458\u3057\u305f\u3068\u304a\u308a\u3001\u3053\u306e\u30ab\u30c6\u30b4\u30ea\u306b\u4e00\u81f4\u3059\u308b\u307b\u3068\u3093\u3069\u3059\u3079\u3066\u306e\u691c\u51fa\u304c\u3001Cerber\u3092\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3059\u308b\u305f\u3081\u306e\u30de\u30af\u30ed\u3092\u4ecb\u3057\u3066\u3053\u306ePowerShell\u30b3\u30de\u30f3\u30c9\u3092\u8d77\u52d5\u3059\u308bMicrosoft 
Word\u6587\u66f8\u306b\u30ea\u30f3\u30af\u3055\u308c\u3066\u3044\u307e\u3057\u305f\u3002\u3053\u306e\u30b5\u30f3\u30d7\u30eb\u3067\u89b3\u5bdf\u3055\u308c\u305f\u72ec\u81ea\u306e\u30d1\u30bf\u30fc\u30f3\u306e1\u3064\u306f\u3001\u305d\u308c\u3089\u306eURI\u30d1\u30bf\u30fc\u30f3\u306b\u52a0\u3048\u3001\u74b0\u5883\u5909\u6570\u3092\u4f7f\u7528\u3057\u3066\u3044\u308b\u3053\u3068\u3067\u3057\u305f\u3002<\/p>\n<p>Cerber\u7528\u30c0\u30a6\u30f3\u30ed\u30fc\u30c0\u30fc \u2013<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-16.png\" \/><\/p>\n<p>PowerShell Empire (293\u500b\u306e\u30b5\u30f3\u30d7\u30eb \u2013 7.15%\u306e\u30ab\u30d0\u30fc\u7387)<\/p>\n<p>\u3053\u306e\u5834\u5408\u3001\u30b5\u30f3\u30d7\u30eb\u306fPowerShell Empire\u306eEncryptedScriptDropper\u3092\u4f7f\u7528\u3057\u3066\u3001\u30b9\u30af\u30ea\u30d7\u30c8\u3092\u30ea\u30e2\u30fc\u30c8\u3067\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3057\u3001\u57cb\u3081\u8fbc\u307e\u308c\u305fXOR\u30ad\u30fc\u3067\u305d\u308c\u3092\u5fa9\u53f7\u5316\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-17.png\" \/><\/p>\n<p>\u3053\u306e\u4f8b\u3067\u306f\u3001XOR\u30ad\u30fc\u306f\u300c0192023a7bbd73250516f069df18b500\u300d\u3067\u3001\u53d6\u5f97\u3055\u308c\u305f\u30b9\u30af\u30ea\u30d7\u30c8\uff08\u305d\u306e\u30ad\u30fc\u3067\u5fa9\u53f7\u5316\u3055\u308c\u305f\u3082\u306e\uff09\u306fPowerShell Empire\u30a8\u30fc\u30b8\u30a7\u30f3\u30c8 \u30b9\u30c6\u30fc\u30b8\u30e3\u00a0<a href=\"https:\/\/github.com\/EmpireProject\/Empire\/blob\/master\/data\/agent\/stager_hop.ps1\" target=\"_blank\" rel=\"noopener noreferrer\" data-page-track=\"true\" data-page-track-value=\"company:unit-42-pulling-back-curtains-encodedcommand-powershell-attacks: 
section:\u5206\u6790\u524d\u306e\u30c7\u30fc\u30bf\/\u7d71\u8a08\u60c5\u5831\">\u30b9\u30af\u30ea\u30d7\u30c8<\/a>\u3067\u3059\u3002\u3053\u308c\u306f\u3001C2\u30b5\u30fc\u30d0\u3078\u30b7\u30b9\u30c6\u30e0\u60c5\u5831\u3092POST\u3057\u3001\u305d\u306e\u5f8c\u3001\u6697\u53f7\u5316\u3055\u308c\u305f\u30b9\u30c6\u30fc\u30b81 Empire\u30da\u30a4\u30ed\u30fc\u30c9\u3092\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3057\u307e\u3059\u3002<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-18.png\" \/><\/p>\n<p>\u30c0\u30a6\u30f3\u30ed\u30fc\u30c0\u30fcDFSP 2X (81\u500b\u306e\u30b5\u30f3\u30d7\u30eb \u2013 1.98%\u306e\u30ab\u30d0\u30fc\u7387)<\/p>\n<p>\u3053\u308c\u306f\u524d\u51fa\u306e\u30c0\u30a6\u30f3\u30ed\u30fc\u30c0\u30fc\u3068\u540c\u3058\u3067\u3059\u304c\u3001\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3092\u884c\u3046\u305f\u3081\u306b\u5225\u306ePowerShell\u30a4\u30f3\u30b9\u30bf\u30f3\u30b9\u3092\u8d77\u52d5\u3057\u307e\u3059\u3002\u3053\u308c\u3089\u3082\u540c\u69d8\u306b\u3001\u3059\u3079\u3066Cerber\u30c0\u30a6\u30f3\u30ed\u30fc\u30c0\u30fc\u6587\u66f8\u306b\u30ea\u30f3\u30af\u3055\u308c\u3066\u3044\u307e\u3057\u305f\u3002<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-19.png\" \/><\/p>\n<p>\u30c0\u30a6\u30f3\u30ed\u30fc\u30c0\u30fcDFSP DPL (24\u500b\u306e\u30b5\u30f3\u30d7\u30eb \u2013 0.59%\u306e\u30ab\u30d0\u30fc\u7387)<\/p>\n<p>DownloadFile -&gt; Start-Process\u624b\u6cd5\u3092\u4f7f\u7528\u3057\u3066\u3044\u308b\u3082\u30461\u3064\u306e\u30c0\u30a6\u30f3\u30ed\u30fc\u30c0\u30fc\u3067\u3001\u30b5\u30f3\u30d7\u30eb 
\u30bb\u30c3\u30c8\u5185\u306b\u306f\u7570\u306a\u308b2\u3064\u306e\u4e9c\u7a2e\u304c\u3042\u308a\u307e\u3057\u305f\u3002\u3053\u308c\u3089\u306e\u30b5\u30f3\u30d7\u30eb\u306e\u591a\u304f\u306fBartalex\u306b\u95a2\u9023\u3059\u308b\u52d5\u4f5c\u306b\u4e00\u81f4\u3057\u3066\u3044\u305f\u305f\u3081\u3001\u3053\u306e\u3088\u304f\u77e5\u3089\u308c\u305fOffice\u30de\u30af\u30ed \u30b8\u30a7\u30cd\u30ec\u30fc\u30bf\u306b\u5909\u66f4\u304c\u52a0\u3048\u3089\u308c\u305f\u3053\u3068\u3092\u793a\u5506\u3057\u3066\u3044\u308b\u53ef\u80fd\u6027\u304c\u3042\u308a\u307e\u3059\u3002<\/p>\n<p>\u672a\u77ed\u7e2e \u2013<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-20.png\" \/><\/p>\n<p>\u77ed\u7e2e\u5f62 \u2013<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-21.png\" \/><\/p>\n<p>\u30c0\u30a6\u30f3\u30ed\u30fc\u30c0\u30fcIEXDS (19\u500b\u306e\u30b5\u30f3\u30d7\u30eb \u2013 
0.46%\u306e\u30ab\u30d0\u30fc\u7387)<\/p>\n<p>\u3053\u308c\u306f\u3001PowerShell\u306e\u30b9\u30af\u30ea\u30d7\u30c8\u3092\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u304a\u3088\u3073\u5b9f\u884c\u3059\u308b\u65b9\u6cd5\u3092\u691c\u7d22\u3059\u308b\u3068\u983b\u7e41\u306b\u30dd\u30c3\u30d7\u30a2\u30c3\u30d7\u3055\u308c\u308b\u5225\u306e\u72ec\u7279\u306a\u30b9\u30bf\u30a4\u30eb\u306e\u30c0\u30a6\u30f3\u30ed\u30fc\u30c0\u30fc\u3067\u3059\u3002\u52b9\u679c\u7684\u306b\u3001\u30b3\u30fc\u30c9\u306f\u5358\u306b\u30ea\u30e2\u30fc\u30c8\u3067PowerShell\u30b9\u30af\u30ea\u30d7\u30c8\u3092\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3057\u3001\u305d\u308c\u3092Invoke-Expression\u3067\u5b9f\u884c\u3057\u307e\u3059\u3002\u7d50\u679c\u306e\u30da\u30a4\u30ed\u30fc\u30c9\u306f\u3001\u4e92\u3044\u306b\u307e\u3063\u305f\u304f\u7570\u306a\u3063\u3066\u3044\u308b\u5834\u5408\u304c\u3042\u308a\u3001\u95a2\u9023\u306f\u306a\u3044\u3088\u3046\u3067\u3057\u305f\u3002<\/p>\n<p>\u4ee5\u4e0b\u306e2\u3064\u306e\u30b5\u30f3\u30d7\u30eb\u306f\u3001\u300cInvoke-TwitterBot\u300d\u30b9\u30af\u30ea\u30d7\u30c8\u3001\u3064\u307e\u308a\u3001\u300cShmooCon IX\u3067\u30ea\u30ea\u30fc\u30b9\u3055\u308c\u305fTwitter\u30a2\u30ab\u30a6\u30f3\u30c8\u306b\u3088\u3063\u3066\u5236\u5fa1\u3055\u308c\u3066\u3044\u308b\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u30dc\u30c3\u30c8\u300d\u3092\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3057\u307e\u3059\u3002<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-22.png\" \/><\/p>\n<p>BITSTransfer (11\u500b\u306e\u30b5\u30f3\u30d7\u30eb \u2013 
0.27%\u306e\u30ab\u30d0\u30fc\u7387)<\/p>\n<p>PowerShell\u3092\u4ecb\u3057\u3066\u30de\u30eb\u30a6\u30a7\u30a2\u3092\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3059\u308b\u5225\u306e\u30e1\u30ab\u30cb\u30ba\u30e0\u306f\u3001BitsTransfer\u30e2\u30b8\u30e5\u30fc\u30eb\u3092\u4f7f\u7528\u3057\u305f\u3082\u306e\u3067\u3059\u3002\u30d0\u30c3\u30af\u30b0\u30e9\u30a6\u30f3\u30c9 \u30a4\u30f3\u30c6\u30ea\u30b8\u30a7\u30f3\u30c8\u8ee2\u9001\u30b5\u30fc\u30d3\u30b9(BITS)\u306f\u30de\u30eb\u30a6\u30a7\u30a2\u306e\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3067\u306f\u305d\u308c\u307b\u3069\u983b\u7e41\u306b\u306f\u76ee\u306b\u3057\u307e\u305b\u3093\u304c\u3001HTTP\u306a\u3069\u306e\u4ed6\u306e\u65e2\u77e5\u306e\u8ee2\u9001\u30b5\u30fc\u30d3\u30b9\u3068\u540c\u69d8\u306e\u6a5f\u80fd\u3092\u63d0\u4f9b\u3057\u3066\u3044\u307e\u3059\u3002\u3053\u306e\u7570\u306a\u308b\u65b9\u6cd5\u3092\u4f7f\u7528\u3059\u308b\u3068\u3001\u653b\u6483\u8005\u306f\u7279\u5b9a\u306e\u76e3\u8996\u3092\u56de\u907f\u3057\u3001BITS\u304c\u4ed6\u306e\u5e2f\u57df\u5e45\u4f7f\u7528\u306b\u5f71\u97ff\u3057\u306a\u3044\u3088\u3046\u306b\u8ee2\u9001\u3092\u6291\u5236\u3059\u308b\u3068\u3044\u3046\u4e8b\u5b9f\u3092\u5229\u7528\u3067\u304d\u307e\u3059\u3002<\/p>\n<p>\u4ee5\u524d\u306e<a href=\"https:\/\/blog.paloaltonetworks.com\/2017\/01\/unit42-farming-malicious-documents-unravel-ransomware\/\" target=\"_blank\" rel=\"noopener noreferrer\" data-page-track=\"true\" data-page-track-value=\"company:unit-42-pulling-back-curtains-encodedcommand-powershell-attacks: section:\u5206\u6790\u524d\u306e\u30c7\u30fc\u30bf\/\u7d71\u8a08\u60c5\u5831\">\u30d6\u30ed\u30b0<\/a>\u3067\u3001\u4e00\u6642\u671fBITS\u3092\u4f7f\u7528\u3057\u3066\u3044\u308bCerber\u30c0\u30a6\u30f3\u30ed\u30fc\u30c0\u30fc\u306e\u4e9c\u7a2e\u304c\u691c\u51fa\u3055\u308c\u3001\u3053\u308c\u3089\u306e11\u500b\u306e\u30b5\u30f3\u30d7\u30eb\u306e\u3046\u306110\u500b\u304cCerber\u306b\u3064\u306a\u304c\u308bMicrosoft 
Word\u6587\u66f8\u3067\u3042\u3063\u305f\u3053\u3068\u3092\u8ff0\u3079\u307e\u3057\u305f\u3002<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-23.png\" \/><\/p>\n<p>TXT C2 (10\u500b\u306e\u30b5\u30f3\u30d7\u30eb \u2013 0.24%\u306e\u30ab\u30d0\u30fc\u7387)<\/p>\n<p>\u3053\u306e\u5834\u5408\u3001\u653b\u6483\u8005\u306fPowerShell\u3092\u4f7f\u7528\u3057\u3066\u3001\u30c9\u30e1\u30a4\u30f3\u306eTXT\u30ec\u30b3\u30fc\u30c9\u306b\u5bfe\u3059\u308bDNS\u30af\u30a8\u30ea\u3092\u4f5c\u6210\u3057\u307e\u3059\u3002TXT\u30ec\u30b3\u30fc\u30c9\u306b\u306f\u3001\u5225\u306ePowerShell\u30b9\u30af\u30ea\u30d7\u30c8\u304c\u542b\u307e\u308c\u3066\u304a\u308a\u3001\u3053\u306e\u30b9\u30af\u30ea\u30d7\u30c8\u306f\u305d\u306e\u5f8c\u3001\u5b9f\u884c\u3059\u308b\u305f\u3081\u306bInvoke-Expression\u306b\u6e21\u3055\u308c\u307e\u3059\u3002<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-24.png\" \/><\/p>\n<p>\u8fd4\u3055\u308c\u308b\u30b9\u30af\u30ea\u30d7\u30c8\u3092\u898b\u308b\u3068\u3001\u3053\u306e\u521d\u671f\u30eb\u30c3\u30af\u30a2\u30c3\u30d7\u306e\u767a\u751f\u5f8c\u3001\u305d\u308c\u81ea\u4f53\u3092\u4e0d\u5909\u30eb\u30fc\u30d7\u306b\u8a2d\u5b9a\u3057\u3066\u3044\u307e\u3059\u3002\u3053\u306e\u30eb\u30fc\u30d7\u3067\u306f\u3001\u30c9\u30e1\u30a4\u30f3\u306eTXT\u30ec\u30b3\u30fc\u30c9\u3092\u30af\u30a8\u30ea\u3057\u3001\u305d\u306e\u5f8cbase64\u30c7\u30b3\u30fc\u30c9\u3057\u3066\u7d50\u679c\u3092\u5b9f\u884c\u3059\u308b\u3068\u3044\u3046\u52d5\u4f5c\u304c\u7d99\u7d9a\u3055\u308c\u307e\u3059\u3002<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-25.png\" 
\/><\/p>\n<p>\u3053\u308c\u306b\u3088\u3063\u3066\u3001\u653b\u6483\u8005\u306f\u3001\u4fb5\u5bb3\u3057\u305f\u30b7\u30b9\u30c6\u30e0\u3068\u3084\u308a\u53d6\u308a\u3059\u308b\u6e96\u5099\u304c\u6574\u3063\u305f\u6642\u70b9\u3067\u3001\u30b3\u30de\u30f3\u30c9 \u30a2\u30f3\u30c9 \u30b3\u30f3\u30c8\u30ed\u30fc\u30eb \u30c1\u30e3\u30cd\u30eb\u3092\u78ba\u7acb\u3067\u304d\u307e\u3059\u3002<\/p>\n<p>Microsoft\u306eJohn Lambert\u6c0f\u304c\u3001\u6700\u8fd1\u3053\u306e\u4e9c\u7a2e\u306b\u3064\u3044\u3066<a href=\"https:\/\/twitter.com\/JohnLaTwC\/status\/831963320915685377\" target=\"_blank\" rel=\"noopener noreferrer\" data-page-track=\"true\" data-page-track-value=\"company:unit-42-pulling-back-curtains-encodedcommand-powershell-attacks: section:\u5206\u6790\u524d\u306e\u30c7\u30fc\u30bf\/\u7d71\u8a08\u60c5\u5831\">\u30c4\u30a3\u30fc\u30c8<\/a>\u3057\u3001\u4fb5\u5165\u30c6\u30b9\u30c8\u6642\u306b\u4f7f\u7528\u3055\u308c\u3066\u3044\u308b\u3082\u306e\u3068\u3057\u3066\u7279\u5b9a\u3057\u307e\u3057\u305f\u3002\u305d\u306e\u624b\u6cd5\u306e\u5225\u306e\u4f8b\u304c\u3001\u4fb5\u5165\u30c6\u30b9\u30c8\u7528\u306e<a href=\"https:\/\/github.com\/samratashok\/nishang\" target=\"_blank\" rel=\"noopener noreferrer\" data-page-track=\"true\" data-page-track-value=\"company:unit-42-pulling-back-curtains-encodedcommand-powershell-attacks: section:\u5206\u6790\u524d\u306e\u30c7\u30fc\u30bf\/\u7d71\u8a08\u60c5\u5831\">Nishang<\/a>\u30d5\u30ec\u30fc\u30e0\u30ef\u30fc\u30af\u3067\u898b\u3064\u304b\u308b\u3053\u3068\u304c\u3042\u308a\u307e\u3059\u3002<\/p>\n<p>\u30c0\u30a6\u30f3\u30ed\u30fc\u30c0\u30fcProxy (9\u500b\u306e\u30b5\u30f3\u30d7\u30eb \u2013 
0.22%\u306e\u30ab\u30d0\u30fc\u7387)<\/p>\n<p>\u3053\u306e\u4e9c\u7a2e\u306f\u3001PowerShell\u30b3\u30de\u30f3\u30c9\u3092\u5b9f\u884c\u3057\u3066\u3044\u308b\u30e6\u30fc\u30b6\u30fc\u306e\u8a2d\u5b9a\u6e08\u307f\u306e\u30d7\u30ed\u30ad\u30b7\u3068\u8a8d\u8a3c\u60c5\u5831\u3092\u660e\u793a\u7684\u306b\u4f7f\u7528\u3057\u307e\u3059\u3002\u3053\u308c\u306e\u6ce8\u76ee\u3059\u3079\u304d\u70b9\u306f\u3001\u30e6\u30fc\u30b6\u30fc\u540d\u3092\u5024\u3068\u3057\u3066Web\u30ea\u30af\u30a8\u30b9\u30c8\u306e\u300cu\u300d\u30d1\u30e9\u30e1\u30fc\u30bf\u306b\u6e21\u3057\u3066\u3044\u308b\u3053\u3068\u3067\u3059\u3002\u3053\u308c\u306f\u4e00\u822c\u306e\u300c\u30c1\u30a7\u30c3\u30af\u30a4\u30f3\u300d\u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3\u3067\u3042\u308b\u305f\u3081\u3001\u653b\u6483\u8005\u306f\u611f\u67d3\u76f8\u624b\u3092\u628a\u63e1\u3057\u3066\u3044\u307e\u3059\u3002\u305d\u308c\u4ee5\u964d\u306e\u3084\u308a\u53d6\u308a\u3059\u308b\u65b9\u6cd5\u3092\u3055\u3089\u306b\u64cd\u4f5c\u3059\u308b\u305f\u3081\u306b\u4f7f\u7528\u3067\u304d\u307e\u3059(\u305f\u3068\u3048\u3070\u3001\u65e2\u77e5\u306e\u30b5\u30f3\u30c9\u30dc\u30c3\u30af\u30b9 \u30e6\u30fc\u30b6\u30fc\u540d\u306e\u5834\u5408\u306f\u3055\u3089\u306a\u308b\u63a5\u7d9a\u3092\u30d6\u30ed\u30c3\u30af\u3059\u308b)\u3002<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-26.png\" \/><\/p>\n<p>Meterpreter RHTTP (6\u500b\u306e\u30b5\u30f3\u30d7\u30eb \u2013 0.15%\u306e\u30ab\u30d0\u30fc\u7387)<\/p>\n<p>\u3053\u306e\u624b\u6cd5\u306f\u3001PowerShell Empire\u3084PowerSploit\u306a\u3069\u306e\u30c4\u30fc\u30eb\u3067\u4f7f\u7528\u3055\u308c\u305fInvoke-Shellcode\u30b9\u30af\u30ea\u30d7\u30c8\u3092\u53d6\u5f97\u3057\u3001\u305d\u306e\u5f8c\u3001\u30ea\u30d0\u30fc\u30b9HTTPS 
Meterpreter\u30b7\u30a7\u30eb\u3092\u751f\u6210\u3059\u308b\u305f\u3081\u306e\u95a2\u6570\u3092\u547c\u3073\u51fa\u3057\u307e\u3059\u3002<\/p>\n<p>1\u500b\u3092\u9664\u304d\u3059\u3079\u3066\u306e\u30b5\u30f3\u30d7\u30eb\u304c\u3001\u6b63\u5f0f\u306a\u30ea\u30dd\u30b8\u30c8\u30ea\u3092\u901a\u3058\u3066\u76f4\u63a5\u3001\u307e\u305f\u306f\u5206\u5c90\u3057\u305f\u30d0\u30fc\u30b8\u30e7\u30f3\u3092\u901a\u3058\u3066\u3001GitHub\u304b\u3089\u30b3\u30fc\u30c9\u3092\u53d6\u5f97\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<p>GitHub \u2013<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-27.png\" \/><\/p>\n<p>GitHub\u4ee5\u5916 \u2013<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-28.png\" \/><\/p>\n<p>\u30c0\u30a6\u30f3\u30ed\u30fc\u30c0\u30fcKraken (5\u500b\u306e\u30b5\u30f3\u30d7\u30eb \u2013 0.12%\u306e\u30ab\u30d0\u30fc\u7387)<\/p>\n<p>\u79c1\u306f\u3053\u308c\u3092\u300cKraken\u300d\u3068\u547c\u3093\u3067\u3044\u307e\u3059\u304c\u3001\u5358\u306b\u3001\u305d\u308c\u304c\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3055\u308c\u308b\u5b9f\u884c\u53ef\u80fd\u30d5\u30a1\u30a4\u30eb\u306e\u540d\u524d(\u300cKraken.jpg\u300d)\u3060\u304b\u3089\u3067\u3059\u3002\u305f\u3060\u3057\u3001\u3053\u308c\u306f\u30c0\u30a6\u30f3\u30ed\u30fc\u30c0\u30fcDFSP\u3067\u898b\u3089\u308c\u308b\u3082\u306e\u3068\u985e\u4f3c\u306e\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u624b\u6cd5\u3092\u4f7f\u7528\u3057\u3066\u3044\u307e\u3059\u3002\u76f8\u9055\u306e1\u3064\u306f\u3001\u300c$env\u300d\u5909\u6570\u3092\u76f4\u63a5\u4f7f\u7528\u3059\u308b\u4ee3\u308f\u308a\u306b\u3001System.IO.Path\u3092\u4f7f\u7528\u3057\u3066\u3001$TEMP\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u306e\u30d1\u30b9\u3092\u53d6\u5f97\u3057\u3066\u3044\u308b\u70b9\u3067\u3059\u3002<\/p>\n<p><img  
data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-29.png\" \/><\/p>\n<p>AppLocker Bypass (4\u500b\u306e\u30b5\u30f3\u30d7\u30eb \u2013 0.12%\u306e\u30ab\u30d0\u30fc\u7387)<\/p>\n<p>\u3053\u306e\u624b\u6cd5\u306f\u3001PowerShell\u3092\u4f7f\u7528\u3057\u3066\u3001regsvr32\u30c4\u30fc\u30eb\u3092\u5b9f\u884c\u3057\u3001Microsoft Windows AppLocker\u3092\u30d0\u30a4\u30d1\u30b9\u3057\u3066\u3044\u307e\u3059\u3002\u3053\u306e\u624b\u6cd5\u306f\u3001Casey Smith\u6c0f (<a href=\"https:\/\/twitter.com\/subTee\" target=\"_blank\" rel=\"noopener noreferrer\" data-page-track=\"true\" data-page-track-value=\"company:unit-42-pulling-back-curtains-encodedcommand-powershell-attacks: section:\u5206\u6790\u524d\u306e\u30c7\u30fc\u30bf\/\u7d71\u8a08\u60c5\u5831\">@subTee<\/a>)\u306b\u3088\u3063\u3066<a href=\"https:\/\/subt0x10.blogspot.com\/2016\/04\/bypass-application-whitelisting-script.html\" target=\"_blank\" rel=\"noopener noreferrer\" data-page-track=\"true\" data-page-track-value=\"company:unit-42-pulling-back-curtains-encodedcommand-powershell-attacks: section:\u5206\u6790\u524d\u306e\u30c7\u30fc\u30bf\/\u7d71\u8a08\u60c5\u5831\">\u767a\u898b<\/a>\u3055\u308c\u3001regsvr32\u3092\u4ecb\u3057\u3066COM\u30aa\u30d6\u30b8\u30a7\u30af\u30c8\u3092\u767b\u9332\u89e3\u9664\u3059\u308b\u3068\u30b9\u30af\u30ea\u30d7\u30c8\u304c\u5b9f\u884c\u3055\u308c\u308b\u3068\u3044\u3046\u4e8b\u5b9f\u3092\u60aa\u7528\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-30.png\" 
\/><\/p>\n<p>\u57cb\u3081\u8fbc\u307e\u308c\u3066\u3044\u308b\u30da\u30a4\u30ed\u30fc\u30c9<\/p>\n<p>PowerShell\u30b3\u30fc\u30c9\u306e\u4e3b\u306a\u76ee\u7684\u306f\u3001\u30b7\u30a7\u30eb\u30b3\u30fc\u30c9\u306a\u3069\u306e\u57cb\u3081\u8fbc\u307e\u308c\u3066\u3044\u308b\u30da\u30a4\u30ed\u30fc\u30c9\u3092\u8d77\u52d5\u3059\u308b\u3053\u3068\u3067\u3059\u3002<\/p>\n<p>Shellcode Inject (1,147\u500b\u306e\u30b5\u30f3\u30d7\u30eb \u2013 27.98%\u306e\u30ab\u30d0\u30fc\u7387)<\/p>\n<p>Unicorn (611\u500b\u306e\u30b5\u30f3\u30d7\u30eb \u2013 14.90%\u306e\u30ab\u30d0\u30fc\u7387)<\/p>\n<p>SET (199\u500b\u306e\u30b5\u30f3\u30d7\u30eb \u2013 4.85%\u306e\u30ab\u30d0\u30fc\u7387)<\/p>\n<p>Unicorn Modified (14\u500b\u306e\u30b5\u30f3\u30d7\u30eb \u2013 0.34%\u306e\u30ab\u30d0\u30fc\u7387)<\/p>\n<p>\u79c1\u306f\u3001\u3059\u3067\u306b\u3001\u30b7\u30a7\u30eb\u30b3\u30fc\u30c9 \u30a4\u30f3\u30b8\u30a7\u30af\u30b7\u30e7\u30f3\u624b\u6cd5\u306eSET\u304a\u3088\u3073Magic Unicorn\u306e\u5b9f\u88c5\u4f8b\u3092\u793a\u3057\u305f\u3068\u304d\u306b\u3001\u3053\u306e\u30b7\u30a7\u30eb\u30b3\u30fc\u30c9 \u30a4\u30f3\u30b8\u30a7\u30af\u30b7\u30e7\u30f3 \u30c6\u30f3\u30d7\u30ec\u30fc\u30c8\u3092\u4f7f\u7528\u3059\u308b\u3059\u3079\u3066\u306e\u4e9c\u7a2e\u3092\u4e00\u584a\u306b\u307e\u3068\u3081\u308b\u3053\u3068\u3092\u6c7a\u3081\u307e\u3057\u305f\u3002\u4ee5\u4e0b\u306f\u3001\u300cShellcode Inject\u300d\u4e9c\u7a2e\u304b\u3089\u306e\u30b5\u30f3\u30d7\u30eb\u3067\u3001Matt Graeber\u6c0f\u306e\u5143\u306e\u6295\u7a3f\u3092\u30b3\u30d4\u30fc\u3057\u305f\u3082\u306e\u3067\u3059\u3002SET\u30b3\u30fc\u30c9\u3068Magic Unicorn\u30b3\u30fc\u30c9\u306e\u985e\u4f3c\u70b9\u304c\u3059\u3050\u306b\u308f\u304b\u308b\u306f\u305a\u3067\u3059\u3002<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-31.png\" \/><\/p>\n<p>Cerber\u30c0\u30a6\u30f3\u30ed\u30fc\u30c0\u30fc\u306f\u3001Microsoft 
Word\u6587\u66f8\u3067\u898b\u3064\u304b\u3063\u305fEncodedCommand\u306e\u5927\u534a\u3092\u5360\u3081\u3066\u3044\u307e\u3059\u304c\u3001\u3053\u308c\u3089\u306e4\u3064\u306e\u4e9c\u7a2e\u306f\u3001EXE\u30d5\u30a1\u30a4\u30eb\u304b\u3089\u8d77\u52d5\u3055\u308c\u305f\u307b\u307c\u5168\u4f53\u3092\u5360\u3081\u308b\u3082\u306e\u3068\u540c\u3058\u624b\u6cd5\u3092\u4f7f\u7528\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<p>\u30b3\u30fc\u30c9\u306e\u9aa8\u5b50\u306f\u6b21\u306e\u3068\u304a\u308a\u3067\u3059\u3002\u305d\u308c\u3089\u306f\u4ee5\u4e0b\u306e\u9806\u5e8f\u3067DLL\u304b\u3089\u95a2\u6570\u3092\u30a4\u30f3\u30dd\u30fc\u30c8\u3057\u307e\u3059\u3002<\/p>\n<p>\u201ckernel32.dll\u201d VirtualAlloc<\/p>\n<p>\u201ckernel32.dll\u201d CreateThread<\/p>\n<p>\u201cmsvcrt.dll\u201d memset<\/p>\n<p>\u305d\u306e\u5f8c\u3001\u300c0x\u300d16\u9032\u8868\u8a18\u3092\u4f7f\u7528\u3057\u3066\u30b7\u30a7\u30eb\u30b3\u30fc\u30c9\u3092\u30d0\u30a4\u30c8\u306e\u914d\u5217\u306b\u30ed\u30fc\u30c9\u3057\u307e\u3059\u3002\u6b21\u306b\u3001VirtualAlloc\u3092\u547c\u3073\u51fa\u3057\u3066\u3001RWX\u30e1\u30e2\u30ea\u306e4,096\u30d0\u30a4\u30c8\u4ee5\u4e0a\u306e\u30da\u30fc\u30b8\u3092\u5272\u308a\u5f53\u3066\u3001memset\u3067\u30d0\u30a4\u30c8\u914d\u5217\u3092\u30e1\u30e2\u30ea\u306b\u30b3\u30d4\u30fc\u3057\u3001\u6700\u5f8c\u306b\u3001CreateThread\u3067\u30b7\u30a7\u30eb\u30b3\u30fc\u30c9\u306b\u5b9f\u884c\u3092\u79fb\u3057\u307e\u3059\u3002<\/p>\n<p>1,971\u4ef6\u306e\u30b5\u30f3\u30d7\u30eb\u306e\u3046\u3061\u30011,211\u4ef6\u306e\u30e6\u30cb\u30fc\u30af\u306a\u30b7\u30a7\u30eb\u30b3\u30fc\u30c9\u306e\u30da\u30a4\u30ed\u30fc\u30c9\u304c\u3042\u308a\u307e\u3057\u305f\u3002\u3053\u308c\u306f\u3001\u305d\u306e\u3046\u3061\u306e50%\u4ee5\u4e0a\u304c\u305d\u306e\u4ed6\u306e\u653b\u6483\u3067\u3082\u518d\u5229\u7528\u3055\u308c\u305f\u3053\u3068\u3092\u793a\u3057\u3066\u3044\u307e\u3059\u3002\u3053\u308c\u3089\u306e\u30c4\u30fc\u30eb\u306e\u307b\u3068\u3093\u3069\u306fMetasploit\u3092\u5229\
u7528\u3057\u3066\u30b7\u30a7\u30eb\u30b3\u30fc\u30c9\u3092\u751f\u6210\u3057\u3001\u30da\u30a4\u30ed\u30fc\u30c9\u306e\u6307\u5b9a\u3092\u884c\u3048\u306a\u3044\u5834\u5408\u306f\u3001\u30ea\u30d0\u30fc\u30b9Meterpreter\u30b7\u30a7\u30eb\u3092\u901a\u5e38\u306f\u6d3b\u7528\u3057\u3066\u3044\u307e\u3059\u3002\u305f\u3068\u3048\u3070\u3001\u4e0b\u8a18\u306e\u884c\u306fMagic Unicorn\u306e\u30b3\u30fc\u30c9\u3067\u3001MSF\u30da\u30a4\u30ed\u30fc\u30c9\u306e\u6307\u5b9a\u65b9\u6cd5\u3092\u793a\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-32.png\" \/><\/p>\n<p>\u4ee5\u4e0b\u306f\u3001\u30d7\u30e9\u30c3\u30c8\u30d5\u30a9\u30fc\u30e0\u3001\u30a2\u30fc\u30ad\u30c6\u30af\u30c1\u30e3\u3001\u30a8\u30f3\u30b3\u30fc\u30c7\u30a3\u30f3\u30b0\u3092\u542b\u3080\u3001\u30da\u30a4\u30ed\u30fc\u30c9\u3092\u751f\u6210\u3059\u308b\u305f\u3081\u306e\u30b3\u30fc\u30c9\u3067\u3059\u3002<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-33.png\" \/><\/p>\n<p>\u3082\u30461\u3064\u306e\u8208\u5473\u6df1\u3044\u70b9\u3068\u3057\u3066\u3001\u30b7\u30a7\u30eb\u30b3\u30fc\u30c9\u306e\u9577\u3055\u3092\u8abf\u3079\u308b\u3068\u3001\u4e0a\u4f4d2\u3064\u306e\u30b3\u30fc\u30c9\u306e\u9577\u3055\u306f294\u30d0\u30a4\u30c8\u3068312\u30d0\u30a4\u30c8\u3067\u3001\u305d\u308c\u305e\u308c846\u4ef6\u3068544\u4ef6\u306e\u30b5\u30f3\u30d7\u30eb\u3092\u6709\u3057\u3066\u3044\u307e\u3059\u304c\u3001\u305d\u306e\u5f8c\u306f\u30b5\u30f3\u30d7\u30eb\u6570\u304c\u6025\u6fc0\u306b\u6e1b\u3063\u3066\u3044\u307e\u3059\u3002<\/p>\n<table border=\"0\" width=\"68%\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td width=\"39%\">\u30b7\u30a7\u30eb\u30b3\u30fc\u30c9\u306e\u9577\u3055(\u30d0\u30a4\u30c8)<\/td>\n<td 
width=\"60%\">\u30ab\u30a6\u30f3\u30c8<\/td>\n<\/tr>\n<tr>\n<td width=\"39%\">294<\/td>\n<td width=\"60%\">846<\/td>\n<\/tr>\n<tr>\n<td width=\"39%\">312<\/td>\n<td width=\"60%\">544<\/td>\n<\/tr>\n<tr>\n<td width=\"39%\">337<\/td>\n<td width=\"60%\">145<\/td>\n<\/tr>\n<tr>\n<td width=\"39%\">303<\/td>\n<td width=\"60%\">131<\/td>\n<\/tr>\n<tr>\n<td width=\"39%\">285<\/td>\n<td width=\"60%\">46<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u8208\u5473\u6df1\u3044\u306e\u306f\u3001\u9001\u4fe1\u3055\u308c\u3066\u304f\u308b\u81a8\u5927\u306a\u91cf\u306e\u540c\u3058\u9577\u3055\u306e\u30b7\u30b0\u30ca\u30eb\u3067\u3059\u3002\u3053\u308c\u306f\u3001\u653b\u6483\u8005\u304c\u540c\u3058\u30c4\u30fc\u30eb\u3092\u4f7f\u7528\u3057\u3066\u540c\u3058\u30da\u30a4\u30ed\u30fc\u30c9\u3092\u751f\u6210\u3057\u3066\u3044\u308b\u3053\u3068\u3092\u793a\u5506\u3057\u3066\u3044\u307e\u3059\u3002\u307e\u305f\u3001C2\u306e\u53ef\u5909\u9577\u306eURL\u306b\u5bfe\u3057\u3001\u3053\u3053\u3067\u306f4\u30d0\u30a4\u30c8IP\u306a\u3069\u3001\u307b\u3068\u3093\u3069\u5909\u5316\u3092\u4ed8\u3051\u3089\u308c\u306a\u3044\u9577\u3055\u3092\u4f7f\u7528\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<p>\u3053\u306e\u30d6\u30ed\u30b0\u3067\u306f\u3001\u3053\u308c\u3089\u306e\u4e9c\u7a2e\u306e\u9055\u3044\u3092\u5206\u985e\u3057\u3066\u3044\u307e\u3059\u3002\u4ee5\u4e0b\u306b\u3001\u7279\u5b9a\u306e\u4e9c\u7a2e\u3092\u8b58\u5225\u3059\u308b\u305f\u3081\u306e\u6b63\u898f\u8868\u73fe\u306b\u3088\u308b\u30af\u30a8\u30ea\u3092\u793a\u3057\u307e\u3059\u3002<\/p>\n<p>\u30b7\u30a7\u30eb\u30b3\u30fc\u30c9\u633f\u5165<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-34.png\" \/><\/p>\n<p>Unicorn<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-35.png\" 
\/><\/p>\n<p>\u8a2d\u5b9a<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-36.png\" \/><\/p>\n<p>\u5909\u66f4\u3055\u308c\u305fUnicorn<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-37.png\" \/><\/p>\n<p>Powerfun Reverse (100\u4ef6\u306e\u30b5\u30f3\u30d7\u30eb \u2013 2.44%\u306e\u30ab\u30d0\u30ec\u30c3\u30b8)\u3001<\/p>\n<p>Powerfun Bind (2\u4ef6\u306e\u30b5\u30f3\u30d7\u30eb \u2013 0.05%\u306e\u30ab\u30d0\u30ec\u30c3\u30b8)<\/p>\n<p>\u30b3\u30fc\u30c9\u5b9f\u884c\u306e\u5225\u306e\u4e9c\u7a2e\u306f\u3001 Powerfun\u306e\u5185\u90e8\u3067\u691c\u51fa\u3055\u308c\u3066\u3044\u307e\u3059\u3002\u5177\u4f53\u7684\u306b\u306f\u3001\u653b\u6483\u8005\u306f Metasploit\u306e\u300cwindows\/powershell_reverse_tcp\u300d\u30da\u30a4\u30ed\u30fc\u30c9\u3068\u300cpowershell_bind_tcp\u300d\u30da\u30a4\u30ed\u30fc\u30c9\u3092\u5229\u7528\u3057\u3066\u3001\u30bf\u30fc\u30b2\u30c3\u30c8 \u30b7\u30b9\u30c6\u30e0\u306e\u5bfe\u8a71\u5f0f\u30b7\u30a7\u30eb\u3092\u4f5c\u6210\u3057\u307e\u3059\u3002\u30ea\u30d0\u30fc\u30b9 \u30da\u30a4\u30ed\u30fc\u30c9\u306fbase64\u3067\u30a8\u30f3\u30b3\u30fc\u30c9\u3055\u308c\u3001System.Diagnostics.Process\u3092\u4f7f\u7528\u3057\u3066\u30d0\u30c3\u30af\u30b0\u30e9\u30a6\u30f3\u30c9 \u30d7\u30ed\u30bb\u30b9\u7d4c\u7531\u3067\u8d77\u52d5\u3055\u308c\u307e\u3059\u3002<\/p>\n<p>\u30ea\u30d0\u30fc\u30b9 \u30da\u30a4\u30ed\u30fc\u30c9 \u2013<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-38.png\" \/><\/p>\n<p>\u30d0\u30a4\u30f3\u30c9 
\u30da\u30a4\u30ed\u30fc\u30c9\u306f\u3001System.Net.Sockets\u3067\u30ea\u30b9\u30cb\u30f3\u30b0\u3059\u308b\u3053\u3068\u306b\u3088\u3063\u3066\u3001TCP\u30ea\u30b9\u30ca\u30fc\u3092\u8a2d\u5b9a\u3057\u307e\u3059\u3002TCPClient\u3001\u304a\u3088\u3073\u53d7\u3051\u53d6\u3063\u305f\u30c7\u30fc\u30bf\u306b\u3088\u3063\u3066\u3001PowerShell\u30b9\u30af\u30ea\u30d7\u30c8\u304b\u3089Invoke-Expression\u304c\u5b9f\u884c\u3055\u308c\u307e\u3059\u3002<\/p>\n<p>\u30d0\u30a4\u30f3\u30c9 \u30da\u30a4\u30ed\u30fc\u30c9 \u2013<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-39.png\" \/><\/p>\n<p>Powerfun Bind (19\u4ef6\u306e\u30b5\u30f3\u30d7\u30eb \u2013 0.46%\u306e\u30ab\u30d0\u30ec\u30c3\u30b8)<\/p>\n<p>PowerWorm\u306f\u30012014\u5e74\u306bTrendMicro\u304c\u30d6\u30ed\u30b0\u4e0a\u3067\u5831\u544a\u3057\u305f\u30de\u30eb\u30a6\u30a7\u30a2 \u30d5\u30a1\u30df\u30ea\u3067\u3001\u4ed6\u306eMicrosoft Office DOC(X)\/XLS(X)\u30d5\u30a1\u30a4\u30eb\u3092\u611f\u67d3\u3055\u305b\u308b\u3053\u3068\u3067\u62e1\u6563\u3057\u307e\u3059\u3002PowerShell\u30b3\u30fc\u30c9\u306f\u3001 \u6b63\u898f\u306e\u30b3\u30de\u30f3\u30c9\u9593\u306b\u300c\u30b8\u30e3\u30f3\u30af\u300d\u30c7\u30fc\u30bf\u3092\u914d\u7f6e\u3059\u308b\u3053\u3068\u3067\u96e3\u8aad\u5316\u3055\u308c\u307e\u3059\u3002<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-40.png\" \/><\/p>\n<p>\u82e5\u5e72\u30af\u30ea\u30fc\u30f3\u30a2\u30c3\u30d7\u3055\u308c\u305f\u3082\u306e \u2013<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-41.png\" \/><\/p>\n<p>\u3053\u306e\u30b3\u30fc\u30c9\u3067\u306f\u3001DNS 
TXT\u30ec\u30b3\u30fc\u30c9\u306e\u30bd\u30d5\u30c8\u30a6\u30a7\u30a2\u304b\u3089\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9URL\u3092\u30d5\u30a7\u30c3\u30c1\u3059\u308b\u3053\u3068\u306b\u3088\u308a\u3001Tor\u3068Polipo\u3092\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3057\u307e\u3059\u3002\u305d\u306e\u5f8c\u3001\u30bd\u30d5\u30c8\u30a6\u30a7\u30a2\u3092\u4f7f\u7528\u3057\u3066\u3001Invoke-Expression\u306b\u6e21\u3055\u308c\u308bPowerShell\u306e\u65b0\u3057\u3044\u30b3\u30de\u30f3\u30c9\u3092\u7d99\u7d9a\u7684\u306b\u30c1\u30a7\u30c3\u30af\u3057\u307e\u3059\u3002Matt Graeber\u306f\u3001 \u3053\u306e\u30de\u30eb\u30a6\u30a7\u30a2\u306e\u5168\u6a5f\u80fd\u3092<a href=\"https:\/\/www.exploit-monday.com\/2014\/04\/powerworm-analysis.html\" target=\"_blank\" rel=\"noopener noreferrer\" data-page-track=\"true\" data-page-track-value=\"company:unit-42-pulling-back-curtains-encodedcommand-powershell-attacks: section:\u5206\u6790\u524d\u306e\u30c7\u30fc\u30bf\/\u7d71\u8a08\u60c5\u5831\">\u975e\u5e38\u306b\u3046\u307e\u304f<\/a>\u5206\u6790\u3057\u3066\u304a\u308a\u3001\u57fa\u76e4\u3068\u306a\u3063\u3066\u3044\u308bPowerShell\u306e\u96e3\u8aad\u5316\u3092\u89e3\u9664\u3057\u305f\u3001\u30b3\u30e1\u30f3\u30c8\u4ed8\u304d\u306e\u30d0\u30fc\u30b8\u30e7\u30f3\u3092\u63d0\u4f9b\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<p>Veil Stream (7\u4ef6\u306e\u30b5\u30f3\u30d7\u30eb \u2013 0.17%\u306e\u30ab\u30d0\u30ec\u30c3\u30b8)<\/p>\n<p>\u3053\u308c\u306f\u3001\u300cPowerfun Reverse\u300d\u4e9c\u7a2e\u306e\u30c6\u30af\u30cb\u30c3\u30af\u306b\u985e\u4f3c\u3057\u3066\u3044\u307e\u3059\u3002PowerShell\u30b3\u30fc\u30c9\u306f\u3001base64\u6587\u5b57\u5217\u304b\u3089\u30e1\u30e2\u30ea\u306b\u633f\u5165\u3055\u308c\u3001\u5b9f\u969b\u306e\u30b7\u30a7\u30eb\u30b3\u30fc\u30c9 \u30da\u30a4\u30ed\u30fc\u30c9\u3092\u8d77\u52d5\u3059\u308bInvoke-Expression\u3067\u5b9f\u884c\u3055\u308c\u307e\u3059\u3002\u30b3\u30fc\u30c9\u306e\u30ec\u30a4\u30a2\u30a6\u30c8\u306f\u3001<a 
href=\"https:\/\/github.com\/Veil-Framework\/Veil-Evasion\/blob\/master\/modules\/payloads\/powershell\/shellcode_inject\/virtual.py\" target=\"_blank\" rel=\"noopener noreferrer\" data-page-track=\"true\" data-page-track-value=\"company:unit-42-pulling-back-curtains-encodedcommand-powershell-attacks: section:\u5206\u6790\u524d\u306e\u30c7\u30fc\u30bf\/\u7d71\u8a08\u60c5\u5831\">Veil Framework<\/a>\u306e\u5b9f\u88c5\u306b\u95a2\u9023\u4ed8\u3051\u3089\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-42.png\" \/><\/p>\n<h4>\u6301\u7d9a\u6027<\/h4>\n<p>PowerShell\u30b3\u30fc\u30c9\u306f\u3001\u4e3b\u306b\u30db\u30b9\u30c8\u4e0a\u3067\u6301\u7d9a\u6027\u3092\u78ba\u7acb\u3059\u308b\u305f\u3081\u306b\u7279\u5b9a\u3055\u308c\u307e\u3059\u3002<\/p>\n<p>Scheduled Task COM (11\u4ef6\u306e\u30b5\u30f3\u30d7\u30eb \u2013 0.27%\u306e\u30ab\u30d0\u30ec\u30c3\u30b8)<\/p>\n<p>\u3053\u306e\u4e9c\u7a2e\u306f\u3001\u60aa\u610f\u306e\u3042\u308b\u30d0\u30a4\u30ca\u30ea\u3092\u5b9f\u884c\u3059\u308b\u30b9\u30b1\u30b8\u30e5\u30fc\u30eb\u5316\u3057\u305f\u30bf\u30b9\u30af\u3092\u4f5c\u6210\u3059\u308b\u3053\u3068\u3067\u3001\u6301\u7d9a\u6027\u30e1\u30ab\u30cb\u30ba\u30e0\u3092\u4f5c\u6210\u3057\u3088\u3046\u3068\u3057\u307e\u3059\u3002\u3053\u306e\u30b5\u30f3\u30d7\u30eb\u306e\u767a\u4fe1\u5143\u3067\u3042\u308bPE\u30d5\u30a1\u30a4\u30eb\u306f\u300cminecraft.exe\u300d\u3092\u30c9\u30ed\u30c3\u30d7\u3057\u3001\u307b\u3068\u3093\u3069\u306e\u5834\u5408\u3001\u4e0b\u8a18\u306e\u3088\u3046\u306b\u3053\u306ePowerShell\u30b3\u30de\u30f3\u30c9\u3092\u8d77\u52d5\u3057\u307e\u3059\u3002\u3053\u306e\u30bf\u30a4\u30d7\u306e\u6a5f\u80fd\u306f\u3001\u767a\u4fe1\u5143\u3067\u3042\u308b\u30d5\u30a1\u30a4\u30eb\u306b\u30b3\u30fc\u30c7\u30a3\u30f3\u30b0\u3059\u308b\u3088\u308a\u3082\u3001PowerShell\u306b\u6e21\u3059\u307b\u3046\u304c\u5bb9\u6613\u3
060\u304b\u3089\u3067\u3059\u3002<\/p>\n<p>\u4e3b\u306b\u6563\u898b\u3055\u308c\u308b\u30c6\u30af\u30cb\u30c3\u30af\u306f\u3001<a href=\"https:\/\/blog.paloaltonetworks.com\/2015\/08\/retefe-banking-trojan-targets-sweden-switzerland-and-japan\/\" target=\"_blank\" rel=\"noopener noreferrer\" data-page-track=\"true\" data-page-track-value=\"company:unit-42-pulling-back-curtains-encodedcommand-powershell-attacks: section:\u5206\u6790\u524d\u306e\u30c7\u30fc\u30bf\/\u7d71\u8a08\u60c5\u5831\">Retefe\u30d0\u30f3\u30ad\u30f3\u30b0\u578b\u30c8\u30ed\u30a4\u306e\u6728\u99ac<\/a>\u306e\u30b5\u30f3\u30d7\u30eb\u306b\u95a2\u9023\u4ed8\u3051\u3089\u308c\u3066\u3044\u308b\u3082\u306e\u3067\u3059\u3002<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-43.png\" \/><\/p>\n<p>VB Task (10\u4ef6\u306e\u30b5\u30f3\u30d7\u30eb \u2013 0.24%\u306e\u30ab\u30d0\u30ec\u30c3\u30b8)<\/p>\n<p>PowerShell\u30b3\u30fc\u30c9\u306e\u3053\u306e\u30b0\u30eb\u30fc\u30d7\u306f\u3001EncodedCommand\u3092\u4f7f\u7528\u3057\u3066PowerShell\u3092\u5b9f\u884c\u3059\u308bPE\u304b\u3089\u306e\u3082\u306e\u3067\u3059\u3002\u3053\u308c\u306f\u3001\u305d\u306e\u5f8c\u3067VBScript\u3092\u4f5c\u6210\u3057\u3001\u305d\u308c\u3092\u30b9\u30b1\u30b8\u30e5\u30fc\u30eb\u5316\u3057\u305f\u30bf\u30b9\u30af\u3068\u3057\u3066\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3057\u307e\u3059\u3002\u5b9f\u884c\u3055\u308c\u305fVBScript\u306f\u3001\u611f\u67d3\u3055\u305b\u308b\u305f\u3081\u306b\u5225\u306ePowerShell\u30b9\u30af\u30ea\u30d7\u30c8\u3092\u8d77\u52d5\u3057\u307e\u3059\u3002<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-44.png\" \/><\/p>\n<p>DynAmite Launcher (6\u4ef6\u306e\u30b5\u30f3\u30d7\u30eb \u2013 0.15%\u306e\u30ab\u30d0\u30ec\u30c3\u30b8)\u3001<\/p>\n<p>DynAmite KL 
(1\u4ef6\u306e\u30b5\u30f3\u30d7\u30eb \u2013 0.02%\u306e\u30ab\u30d0\u30ec\u30c3\u30b8)<\/p>\n<p>DynAmite\u306f\u300c\u30de\u30eb\u30a6\u30a7\u30a2\u4f5c\u6210\u30c4\u30fc\u30eb\u30ad\u30c3\u30c8\u300d\u3067\u3001\u30de\u30eb\u30a6\u30a7\u30a2 \u30c4\u30fc\u30eb\u306e\u6a19\u6e96\u7684\u306a\u6a5f\u80fd\u306e\u4e00\u90e8\u3068\u3057\u3066\u8a8d\u8b58\u3055\u308c\u308b\u3088\u3046\u306b\u306a\u3063\u3066\u3044\u307e\u3059\u3002<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-45.png\" \/><\/p>\n<p>\u3053\u308c\u306b\u3088\u308a\u3001\u5fc5\u8981\u306a\u6a5f\u80fd\u3092\u6df7\u5408\u3055\u305b\u3066\u7d44\u307f\u5408\u308f\u305b\u308b\u3053\u3068\u304c\u3067\u304d\u3001PowerShell\u30b3\u30de\u30f3\u30c9\u3092\u5b9f\u884c\u3059\u308b\u3060\u3051\u3067\u7279\u5b9a\u306e\u30bf\u30b9\u30af\u3092\u9042\u884c\u3067\u304d\u308bPE\u30e9\u30c3\u30d1\u30fc\u304c\u751f\u6210\u3055\u308c\u307e\u3059\u3002\u3053\u306e\u30ad\u30c3\u30c8\u306b\u3088\u3063\u3066\u751f\u6210\u3055\u308c\u305f\u30b3\u30fc\u30c9\u306e\u5927\u90e8\u5206\u306f\u3001\u516c\u958b\u30c4\u30fc\u30eb\u304b\u3089\u53d6\u5f97\u3055\u308c\u305f\u3082\u306e\u3067\u3059\u304c\u3001\u305d\u306e\u5909\u6570\u540d\u3068\u5834\u6240\u306f\u7570\u306a\u3063\u3066\u3044\u307e\u3059\u3002<\/p>\n<p>\u300cDynAmite Launcher\u300d\u306e\u4e9c\u7a2e\u306f\u3001\u6301\u7d9a\u6027\u306e\u5074\u9762\u3082\u6709\u3057\u3066\u304a\u308a\u3001\u3053\u308c\u306f\u30b9\u30b1\u30b8\u30e5\u30fc\u30eb\u5316\u3057\u305f\u30bf\u30b9\u30af\u306e\u4f5c\u6210\u306b\u3088\u308a\u78ba\u7acb\u3055\u308c\u307e\u3059\u3002\u7570\u306a\u308b\u30d0\u30fc\u30b8\u30e7\u30f3\u304a\u3088\u3073\u69cb\u6210\u304b\u3089\u306e3\u3064\u306e\u7570\u306a\u308b\u53cd\u5fa9\u30b3\u30fc\u30c9\u3092\u4ee5\u4e0b\u306b\u793a\u3057\u307e\u3059\u3002<\/p>\n<p><img  
data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-46.png\" \/><\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-47.png\" \/><\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-48.png\" \/><\/p>\n<p>\u300cDynAmite KL\u300d\u4e9c\u7a2e\u306e\u5834\u5408\u3001\u30ad\u30c3\u30c8\u306e\u30ad\u30fc\u30ed\u30ac\u30fc\u7b87\u6240\u306b\u306a\u308a\u307e\u3059\u304c\u3001\u305d\u306e\u30b3\u30fc\u30c9\u306fPowerSploit\u95a2\u6570<a href=\"https:\/\/github.com\/PowerShellMafia\/PowerSploit\/commit\/717950d00c7cc352efe8b05c3db84d0e6250474c#diff-8a834e13c96d5508df5ee11bc92c82dd\" target=\"_blank\" rel=\"noopener noreferrer\" data-page-track=\"true\" data-page-track-value=\"company:unit-42-pulling-back-curtains-encodedcommand-powershell-attacks: section:\u5206\u6790\u524d\u306e\u30c7\u30fc\u30bf\/\u7d71\u8a08\u60c5\u5831\">Get-Keystrokes<\/a>\u306e\u53e4\u3044\u30d0\u30fc\u30b8\u30e7\u30f3\u304b\u3089\u76f4\u63a5\u501f\u7528\u3057\u305f\u3082\u306e\u306b\u306a\u308a\u307e\u3059\u3002\u4ee5\u4e0b\u306f\u30012\u3064\u306e\u30b3\u30fc\u30c9\u306b\u304a\u3051\u308b\u30b9\u30af\u30ea\u30d7\u30c8\u306e\u8a72\u5f53\u7b87\u6240\u3092\u6bd4\u8f03\u3057\u305f\u3082\u306e\u3067\u3059\u3002\u3053\u308c\u306b\u3088\u308a\u3001\u5909\u6570\u3068\u30bf\u30a4\u30d7\u306e\u5834\u6240\u304cDynAmite\u306b\u3088\u3063\u3066\u3069\u306e\u3088\u3046\u306b\u5909\u66f4\u3055\u308c\u308b\u304b\u3092\u78ba\u8a8d\u3067\u304d\u307e\u3059\u3002<\/p>\n<p>Get-Keystrokes \u2013<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-49.png\" 
\/><\/p>\n<p>\u95a2\u6570DynAKey \u2013<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-50.png\" \/><\/p>\n<h4>\u305d\u306e\u4ed6\u306e\u30c6\u30af\u30cb\u30c3\u30af<\/h4>\n<p>AMSI Bypass (8\u4ef6\u306e\u30b5\u30f3\u30d7\u30eb \u2013 0.20%\u306e\u30ab\u30d0\u30ec\u30c3\u30b8)<\/p>\n<p>Antimalware Scan Interface (AMSI)\u306f\u3001Microsoft\u304cWindows 10\u3067\u30ea\u30ea\u30fc\u30b9\u3057\u305f\u65b0\u3057\u3044\u6a5f\u80fd\u3067\u3001\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u3068\u30a2\u30f3\u30c1\u30a6\u30a4\u30eb\u30b9\u88fd\u54c1\u3068\u306e\u9593\u306e\u901a\u4fe1\u3092\u5bb9\u6613\u306b\u3059\u308b\u3088\u3046\u306b\u8a2d\u8a08\u3055\u308c\u3066\u3044\u307e\u3059\u3002\u96e3\u8aad\u5316\u304c\u89e3\u9664\u3055\u308c\u3001Web\u30b5\u30a4\u30c8\u304b\u3089\u30ea\u30e2\u30fc\u30c8\u306b\u53d6\u308a\u8fbc\u307e\u308c\u305f\u30b9\u30af\u30ea\u30d7\u30c8\u3092\u3001\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3(\u3053\u306e\u30b3\u30f3\u30c6\u30ad\u30b9\u30c8\u3067\u306fPowerShell)\u304c\u5b9f\u884c\u6642\u306b\u53d7\u3051\u53d6\u3063\u3066\u304b\u3089\u3001AMSI \u3092\u4ecb\u3057\u3066\u30b9\u30ad\u30e3\u30f3\u7528\u306b\u30a2\u30f3\u30c1\u30a6\u30a4\u30eb\u30b9\u306b\u6e21\u3059\u3053\u3068\u304c\u7406\u60f3\u7684\u3067\u3059\u3002\u30a2\u30f3\u30c1\u30a6\u30a4\u30eb\u30b9 \u30bd\u30d5\u30c8\u30a6\u30a7\u30a2\u304c\u6709\u5bb3\u3067\u3042\u308b\u3068\u5224\u65ad\u3057\u305f\u5834\u5408\u306f\u3001\u30b9\u30af\u30ea\u30d7\u30c8\u306e\u5b9f\u884c\u304c\u30d6\u30ed\u30c3\u30af\u3055\u308c\u307e\u3059\u3002<\/p>\n<p>#YAOMG (Yet Another of Matt Graebers)<\/p>\n<p>Matt Graeber\u304c\u30ea\u30ea\u30fc\u30b9\u3057\u305f1\u884c\u306e<a href=\"https:\/\/twitter.com\/mattifestation\/status\/735261120487772160\" target=\"_blank\" rel=\"noopener noreferrer\" data-page-track=\"true\" 
data-page-track-value=\"company:unit-42-pulling-back-curtains-encodedcommand-powershell-attacks: section:\u5206\u6790\u524d\u306e\u30c7\u30fc\u30bf\/\u7d71\u8a08\u60c5\u5831\">\u30c4\u30a4\u30fc\u30c8<\/a>\u306b\u306f\u3001\u300camsiInitFailed\u300d\u3092\u300cTrue\u300d\u306b\u5909\u66f4\u3059\u308b\u3060\u3051\u3067AMSI\u3092\u3069\u306e\u3088\u3046\u306b\u30d0\u30a4\u30d1\u30b9\u3067\u304d\u308b\u304b\u304c\u793a\u3055\u308c\u3066\u3044\u307e\u3059\u3002\u3053\u308c\u306b\u3088\u308a\u3001\u30ed\u30fc\u30c9\u304c\u5931\u6557\u3057\u305f\u304b\u306e\u3088\u3046\u306b\u898b\u3048\u3001\u3053\u306e\u30c1\u30a7\u30c3\u30af\u306f\u5b9f\u8cea\u7684\u306b\u30b9\u30ad\u30c3\u30d7\u3055\u308c\u3066\u3057\u307e\u3044\u307e\u3059\u3002<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-51.png\" \/><\/p>\n<p>\u3053\u306e\u30b3\u30fc\u30c9\u306e\u30b7\u30b0\u30cd\u30c1\u30e3\u306f\u3001PowerShell Empire\u306eXOR\u30eb\u30fc\u30c1\u30f3\u3067\u4f7f\u7528\u3055\u308c\u308bEncryptedScriptDropper\u3068\u985e\u4f3c\u3057\u3066\u3044\u308b\u305f\u3081\u3001\u95a2\u9023\u6027\u306e\u3042\u308b\u30b3\u30fc\u30c9\u3067\u3042\u308b\u304b\u3001\u501f\u7528\u3055\u308c\u305f\u30b3\u30fc\u30c9\u3067\u3042\u308b\u53ef\u80fd\u6027\u304c\u3042\u308a\u307e\u3059\u3002<\/p>\n<p>PowerSploit GTS (3\u4ef6\u306e\u30b5\u30f3\u30d7\u30eb \u2013 0.07%\u306e\u30ab\u30d0\u30ec\u30c3\u30b8)<\/p>\n<p>\u3053\u308c\u306f\u3001\u5225\u306e\u30c4\u30fc\u30eb\u304b\u3089\u306e\u30e2\u30b8\u30e5\u30fc\u30eb\u3092\u4f7f\u7528\u3059\u308b\u30b5\u30f3\u30d7\u30eb\u7fa4\u3067\u3001\u3053\u306e\u5834\u5408\u306f\u3001<a href=\"https:\/\/github.com\/PowerShellMafia\/PowerSploit\/blob\/master\/Exfiltration\/Get-TimedScreenshot.ps1\" target=\"_blank\" rel=\"noopener noreferrer\" data-page-track=\"true\" data-page-track-value=\"company:unit-42-pulling-back-curtains-encodedcommand-powershell-attacks: 
section:\u5206\u6790\u524d\u306e\u30c7\u30fc\u30bf\/\u7d71\u8a08\u60c5\u5831\">PowerSploit Get-TimedScreenshot<\/a>\u306b\u306a\u308a\u307e\u3059\u3002\u3053\u306e\u30b3\u30fc\u30c9\u306f\u3001Drawing.Bitmap\u3092\u4f7f\u7528\u3057\u30662\u79d2\u6bce\u306b\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3092\u53d6\u5f97\u3057\u307e\u3059\u3002<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-52.png\" \/><\/p>\n<p>\u3053\u308c\u3089\u306e\u653b\u6483\u30bf\u30a4\u30d7\u3067\u306f\u3001PowerShell\u30b3\u30fc\u30c9\u306f\u3001 \u653b\u6483\u3067\u4f7f\u7528\u3055\u308c\u3066\u3044\u308b\u5168\u822c\u7684\u306a\u30c4\u30fc\u30eb\u7fa4\u3092\u88dc\u5f37\u3059\u308b\u6a5f\u80fd\u306b\u904e\u304e\u307e\u305b\u3093\u3002\u3059\u306a\u308f\u3061\u3001\u653b\u6483\u8005\u304c\u5fc5\u8981\u306a\u6a5f\u80fd\u3092\u958b\u767a\u3059\u308b\u307e\u3067\u306e\u6642\u9593\u3092\u8cb7\u3046\u305f\u3081\u306e\u6a5f\u80fd\u306b\u306a\u308a\u307e\u3059\u3002\u3053\u306e\u5834\u5408\u3001Microsoft Excel\u30c9\u30ad\u30e5\u30e1\u30f3\u30c8\u306b\u3001 PowerShell\u30b3\u30fc\u30c9\u3092\u30c7\u30b3\u30fc\u30c9\u3059\u308b\u95a2\u6570\u3092\u6700\u521d\u306b\u8d77\u52d5\u3059\u308b\u30de\u30af\u30ed\u304c\u542b\u307e\u308c\u3066\u304a\u308a\u3001\u3053\u306e\u95a2\u6570\u306b\u3088\u3063\u3066\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u306e\u53d6\u5f97\u304c\u958b\u59cb\u3055\u308c\u307e\u3059\u3002\u305d\u306e\u9593\u306b2\u756a\u76ee\u306e\u95a2\u6570\u304c\u547c\u3073\u51fa\u3055\u308c\u3001\u6b8b\u308a\u306e\u653b\u6483\u3092\u51e6\u7406\u3059\u308bPE\u30d5\u30a1\u30a4\u30eb\u304c\u30c7\u30b3\u30fc\u30c9\u3055\u308c\u307e\u3059\u3002<\/p>\n<figure style=\"width: 899px\" class=\"wp-caption aligncenter\"><img  
data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-53.png\" alt=\"\u56f37 Excel\u30de\u30af\u30ed\u306b\u3088\u308b\u57cb\u3081\u8fbc\u307fPowershell\u30b9\u30af\u30ea\u30d7\u30c8\u3068PE\u30d5\u30a1\u30a4\u30eb\u306e\u30c7\u30b3\u30fc\u30c9\" width=\"899\" height=\"264\" \/><figcaption class=\"wp-caption-text\">\u56f37 Excel\u30de\u30af\u30ed\u306b\u3088\u308b\u57cb\u3081\u8fbc\u307fPowershell\u30b9\u30af\u30ea\u30d7\u30c8\u3068PE\u30d5\u30a1\u30a4\u30eb\u306e\u30c7\u30b3\u30fc\u30c9<\/figcaption><\/figure>\n<p>Remove AV (2\u4ef6\u306e\u30b5\u30f3\u30d7\u30eb \u2013 0.05%\u306e\u30ab\u30d0\u30ec\u30c3\u30b8)<\/p>\n<p>\u3053\u306e\u4e9c\u7a2e\u306f\u3001PowerShell\u3092\u4f7f\u7528\u3057\u3066\u3001\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3055\u308c\u305f\u30a2\u30f3\u30c1\u30a6\u30a4\u30eb\u30b9 \u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u306ex86\u30d0\u30fc\u30b8\u30e7\u30f3\u3068x64\u30d0\u30fc\u30b8\u30e7\u30f3\u3092\u5f37\u5236\u7684\u306b\u30a2\u30f3\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3057\u307e\u3059\u3002Uninstall\u30ec\u30b8\u30b9\u30c8\u30ea \u30d1\u30b9\u306e\u30a8\u30f3\u30c8\u30ea\u306b\u5bfe\u3057\u3066\u7e70\u308a\u8fd4\u3057\u51e6\u7406\u3092\u884c\u3046\u3053\u3068\u3067\u3001\u300c*AVG*\u300d\u3092\u542b\u3080\u9805\u76ee\u3092\u691c\u51fa\u3057\u3001\u5404\u30a4\u30f3\u30b9\u30bf\u30f3\u30b9\u3092\u6697\u9ed9\u7684\u306b\u30a2\u30f3\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3057\u307e\u3059\u3002<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-54.png\" 
\/><\/p>\n<h4>\u3088\u304f\u77e5\u3089\u308c\u3066\u3044\u308b\u4e9c\u7a2e<\/h4>\n<p>\u3067\u304d\u308b\u3060\u3051\u591a\u304f\u306e\u4e9c\u7a2e\u3092\u7279\u5b9a\u3057\u305f\u5f8c\u306b\u6b8b\u3063\u305f\u306e\u306f100\u4ef6\u306e\u300c\u672a\u77e5\u300d\u306e\u30b5\u30f3\u30d7\u30eb\u3067\u3059\u3002\u3053\u308c\u3089\u306f\u901a\u5e38\u3001\u4e0a\u8a18\u306e\u30c6\u30af\u30cb\u30c3\u30af\u3067\u8a18\u8ff0\u3055\u308c\u3066\u3044\u308b\u30ab\u30b9\u30bf\u30e0\u306e\u30b9\u30d4\u30f3\u306b\u306a\u308a\u307e\u3059\u3002\u3088\u304f\u77e5\u3089\u308c\u3066\u3044\u308b\u3044\u304f\u3064\u304b\u306e\u30b5\u30f3\u30d7\u30eb\u3092\u7c21\u5358\u306b\u8aac\u660e\u3059\u308b\u3053\u3068\u3067\u3001\u3053\u306e\u5206\u985e\u4f5c\u696d\u3092\u7de0\u3081\u304f\u304f\u308a\u305f\u3044\u3068\u601d\u3044\u307e\u3059\u3002<\/p>\n<h4>\u96a0\u308c\u305f\u30e1\u30c3\u30bb\u30fc\u30b8<\/h4>\n<p>\u3053\u306e\u30b5\u30f3\u30d7\u30eb\u306f\u3001PowerShell\u3092\u4ecb\u3057\u3066\u57fa\u672c\u7684\u306a\u65e5\u4ed8\u30c1\u30a7\u30c3\u30af\u3092\u884c\u3044\u307e\u3059\u3002\u307e\u305f\u3001\u73fe\u5728\u306e\u65e5\u6642\u3068\u30b3\u30fc\u30c9\u5185\u306e\u65e5\u6642\u3092\u6bd4\u8f03\u3057\u307e\u3059\u3002\u73fe\u5728\u306e\u65e5\u6642\u304c\u30b3\u30fc\u30c9\u5185\u306e\u65e5\u6642\u3088\u308a\u3082\u5f8c\u306e\u5834\u5408\u306f\u3001\u5b9f\u884c\u3055\u308c\u307e\u305b\u3093\u3002\u30b3\u30fc\u30c9\u306e\u7d42\u308f\u308a\u306b\u306f\u3001\u304a\u305d\u3089\u304f\u300c\u30cf\u30c3\u30ab\u30fc\u300d\u30b0\u30eb\u30fc\u30d7\u306b\u5bfe\u3059\u308b\u30b3\u30e1\u30f3\u30c8\u5316\u3055\u308c\u305f\u30b3\u30fc\u30eb\u30a2\u30a6\u30c8\u304c\u6b8b\u3055\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-55.png\" 
\/><\/p>\n<p>\u6b21\u306e\u30b5\u30f3\u30d7\u30eb\u306f\u3001\u96a0\u308c\u305f\u30e1\u30c3\u30bb\u30fc\u30b8\u304c\u6b8b\u3055\u308c\u305f\u30b3\u30fc\u30c9\u3092\u793a\u3059\u3082\u30461\u3064\u306e\u4f8b\u3067\u3059\u3002<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-56.png\" \/><\/p>\n<p>\u5206\u6790\u5bfe\u8c61\u306e\u30b3\u30fc\u30c9\u306f\u3001GitHub\u304b\u3089\u30ea\u30e2\u30fc\u30c8\u3067\u53d6\u5f97\u3055\u308c\u307e\u3059\u3002\u3053\u306e\u30d6\u30ed\u30b0\u306e\u57f7\u7b46\u6642\u306b\u304a\u3044\u3066\u3001\u3053\u306e\u30b3\u30fc\u30c9\u306fPowerShell\u30d7\u30ed\u30bb\u30b9\u3092kill\u3057\u3066\u3001\u300cHello SOC\/IR team!\u00a0 :-)\u300d\u3092\u8868\u793a\u3057\u3066\u3044\u307e\u3057\u305f\u3002\u3053\u306e\u30d5\u30a1\u30a4\u30eb\u3067\u306f\u6570\u591a\u304f\u306e\u300cTest\u300d\u304c\u5b9f\u884c\u3055\u308c\u3066\u3044\u308b\u305f\u3081\u3001\u3053\u308c\u306f\u4fb5\u5165\u30c6\u30b9\u30c8\u304b\u8d64\u30c1\u30fc\u30e0\u306b\u3088\u308b\u6f14\u7fd2\u3067\u3042\u308b\u53ef\u80fd\u6027\u3082\u3042\u308a\u307e\u3059\u3002<\/p>\n<figure style=\"width: 899px\" class=\"wp-caption aligncenter\"><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-57.png\" alt=\"\u56f38 JavaScript\u30d5\u30a1\u30a4\u30eb\u306b\u3088\u308bpowershell\u306ekill\u3068SOC\/IR\u30c1\u30fc\u30e0\u3078\u306e\u6328\u62f6\" width=\"899\" height=\"450\" \/><figcaption class=\"wp-caption-text\">\u56f38 
JavaScript\u30d5\u30a1\u30a4\u30eb\u306b\u3088\u308bpowershell\u306ekill\u3068SOC\/IR\u30c1\u30fc\u30e0\u3078\u306e\u6328\u62f6<\/figcaption><\/figure>\n<p>\u30d7\u30ed\u30bb\u30b9\u306ekill<\/p>\n<p>\u3053\u308c\u306f\u3001\u653b\u6483\u5168\u822c\u3067PowerShell\u3092\u4f7f\u7528\u3057\u3066\u7279\u5b9a\u306e\u76ee\u7684\u3092\u9054\u6210\u3059\u308b\u305f\u3081\u306e\u5225\u306e\u4f8b\u3067\u3059\u3002\u3053\u306e\u30b3\u30fc\u30c9\u306f\u3001\u4e00\u822c\u7684\u306b\u30de\u30eb\u30a6\u30a7\u30a2\u5206\u6790\u306b\u95a2\u9023\u4ed8\u3051\u3089\u308c\u3066\u3044\u308b\u8907\u6570\u306e\u30d7\u30ed\u30bb\u30b9\u3092kill\u3057\u307e\u3059\u3002<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-58.png\" \/><\/p>\n<p>\u96e3\u8aad\u5316\u306e\u30ec\u30a4\u30e4\u30fc<\/p>\n<p>\u5143\u306e\u30de\u30af\u30ed\u304c\u307b\u307c\u540c\u3058\u3067\u3042\u308b\u305f\u3081\u3001\u3053\u306e\u6700\u5f8c\u306e\u4f8b\u306f\u300cPowerSploit GTS\u300d\u306e\u4e9c\u7a2e\u3067\u793a\u3057\u305f\u30b5\u30f3\u30d7\u30eb\u3068\u95a2\u9023\u3057\u3066\u3044\u308b\u3088\u3046\u306b\u898b\u3048\u307e\u3059\u304c\u3001\u3053\u306e\u30b5\u30f3\u30d7\u30eb\u3067\u306f\u305d\u308c\u4ee5\u5916\u306e\u30b3\u30fc\u30c9\u7b87\u6240\u304c\u307e\u3063\u305f\u304f\u4f7f\u7528\u3055\u308c\u3066\u3044\u307e\u305b\u3093\u3002<\/p>\n<p>\u3053\u306e\u7279\u5b9a\u306e\u30b5\u30f3\u30d7\u30eb\u3067\u306f\u3001\u653b\u6483\u3092\u5b9f\u884c\u3059\u308b\u306e\u306b\u8907\u6570\u306e\u96e3\u8aad\u5316\u30ec\u30a4\u30e4\u30fc\u3092\u4f7f\u7528\u3057\u307e\u3059\u3002<\/p>\n<p>\u30ec\u30a4\u30e4\u30fc1 \u2013<\/p>\n<p>Microsoft Excel\u30c9\u30ad\u30e5\u30e1\u30f3\u30c8\u306b\u306f\u3001\u30bb\u30eb\u304b\u3089base64\u306e\u30a8\u30f3\u30b3\u30fc\u30c9 \u30c7\u30fc\u30bf\u3092\u53d6\u308a\u8fbc\u3093\u3067\u3001PowerShell\u306e 
EncodedCommand\u30d1\u30e9\u30e1\u30fc\u30bf\u306e\u5b9f\u884c\u6642\u306b\u305d\u306e\u30c7\u30fc\u30bf\u3092\u6e21\u3059\u30de\u30af\u30ed\u304c\u3042\u308a\u307e\u3059\u3002<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-59.png\" \/><\/p>\n<p>\u30ec\u30a4\u30e4\u30fc2 \u2013<\/p>\n<p>\u30c7\u30b3\u30fc\u30c9\u3055\u308c\u305fbase64\u306f\u3001char\u5024\u306b\u5909\u63db\u3055\u308c\u308bint\u5024\u306e\u9577\u3044\u914d\u5217\u3067\u3001\u5225\u306ePowerShell\u30b9\u30af\u30ea\u30d7\u30c8\u3068\u3057\u3066\u5b9f\u884c\u3055\u308c\u307e\u3059\u3002<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-60.png\" \/><\/p>\n<p>\u30ec\u30a4\u30e4\u30fc3 \u2013<\/p>\n<p>\u30c7\u30b3\u30fc\u30c9 \u30c7\u30fc\u30bf\u306f\u3001\u3055\u307e\u3056\u307e\u306a\u30c6\u30af\u30cb\u30c3\u30af\u3092\u6d3b\u7528\u3057\u3066\u96e3\u8aad\u5316\u3092\u884c\u3044\u307e\u3059\u3002\u6700\u521d\u306e\u30c6\u30af\u30cb\u30c3\u30af\u306f\u3001\u4ed6\u306e\u6587\u5b57\u306e\u9593\u306b\u3001\u5b9f\u884c\u6642\u306b\u306f\u7121\u8996\u3055\u308c\u308b\u30d0\u30c3\u30af\u30c6\u30a3\u30c3\u30af 
(`)\u3092\u633f\u5165\u3059\u308b\u3053\u3068\u3067\u3059\u3002\u3053\u308c\u306f\u3001\u30b3\u30de\u30f3\u30c9\u30e9\u30a4\u30f3\u306b\u304a\u3051\u308b\u30ab\u30ec\u30c3\u30c8(^)\u306e\u633f\u5165\u3068\u540c\u69d8\u306e\u30c6\u30af\u30cb\u30c3\u30af\u3067\u3059\u3002\u3053\u306e\u5834\u5408\u306f\u3001\u304b\u308f\u308a\u306bPowerShell\u30b3\u30fc\u30c9\u5185\u3067\u5b9f\u884c\u3055\u308c\u307e\u3059\u3002<\/p>\n<p>\u307e\u305f\u3001\u3042\u308b\u6587\u5b57\u5217\u3092\u30e9\u30f3\u30c0\u30e0\u5316\u3055\u308c\u305f\u30ea\u30b9\u30c8\u306b\u5206\u5272\u3057\u305f\u5f8c\u3001\u500b\u3005\u306e\u5024\u3092\u547c\u3073\u51fa\u3057\u3066\u5143\u306e\u6587\u5b57\u5217\u3092\u518d\u69cb\u7bc9\u3059\u308b\u3068\u3044\u3046\u3001\u4ed6\u306e\u30b9\u30af\u30ea\u30d7\u30c8\u8a00\u8a9e\u3067\u3088\u304f\u898b\u3089\u308c\u308b\u30c6\u30af\u30cb\u30c3\u30af\u3082\u6d3b\u7528\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-61.png\" \/><\/p>\n<p>\u30b3\u30fc\u30c9\u306e\u30af\u30ea\u30fc\u30f3\u30a2\u30c3\u30d7\u3001\u304a\u3088\u3073\u6587\u5b57\u5217\u306e\u69cb\u7bc9\u304c\u884c\u308f\u308c\u3066\u3044\u308b\u3068\u3044\u3046\u3053\u3068\u306f\u3001\u30b3\u30fc\u30c9\u304c\u30ea\u30e2\u30fc\u30c8\u306b\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3055\u308c\u3066\u3001Invoke-Expression\u306b\u6e21\u3055\u308c\u308b\u3053\u3068\u3092\u793a\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-62.png\" \/><\/p>\n<h2>\u7d50\u8ad6<\/h2>\n<p>PowerShell\u306f\u3001\u653b\u5b88\u3092\u4f75\u305b\u6301\u3064\u3001\u591a\u69d8\u306a\u6a5f\u80fd\u3092\u5099\u3048\u305f\u5805\u7262\u306a\u30b9\u30af\u30ea\u30d7\u30c8 
\u30d5\u30ec\u30fc\u30e0\u30ef\u30fc\u30af\u3067\u3059\u3002\u3053\u306e\u30d6\u30ed\u30b0\u3092\u304a\u8aad\u307f\u306b\u306a\u308b\u3053\u3068\u3067\u3001\u30de\u30eb\u30a6\u30a7\u30a2 \u30c4\u30fc\u30eb\u3084\u653b\u6483\u3067\u63a1\u7528\u3055\u308c\u3066\u3044\u308b\u73fe\u5728\u306e\u30c6\u30af\u30cb\u30c3\u30af\u306b\u3064\u3044\u3066\u3054\u7406\u89e3\u9802\u3051\u305f\u306e\u306a\u3089\u3070\u5e78\u3044\u3067\u3059\u3002<\/p>\n<p>\u3053\u308c\u3089\u306e\u30b5\u30f3\u30d7\u30eb\u3092\u898b\u308b\u3068\u3001\u30de\u30eb\u30a6\u30a7\u30a2\u653b\u6483\u306e\u307b\u3068\u3093\u3069\u304c\u672a\u3060\u306b\u516c\u958b\u30c4\u30fc\u30eb\u306b\u983c\u3063\u3066\u3044\u308b\u3053\u3068\u304c\u5206\u304b\u308a\u307e\u3059\u3002\u3053\u308c\u306f\u3001\u9a5a\u304f\u307b\u3069\u306e\u3053\u3068\u3067\u306f\u3042\u308a\u307e\u305b\u3093\u3002PowerShell\u30d5\u30ec\u30fc\u30e0\u30ef\u30fc\u30af\u304c\u8abf\u67fb\u3055\u308c\u3001\u305d\u306e\u7406\u89e3\u304c\u6df1\u307e\u308b\u306b\u3064\u308c\u3001\u3053\u306e\u6280\u8853\u3092\u5229\u7528\u3057\u305f\u653b\u6483\u306f\u307e\u3059\u307e\u3059\u591a\u69d8\u5316\u3059\u308b\u3082\u306e\u3068\u4e88\u60f3\u3055\u308c\u307e\u3059\u3002\u73fe\u6642\u70b9\u3067\u306f\u3001PowerShell\u306f\u3001\u4ed6\u306e\u30d5\u30ec\u30fc\u30e0\u30ef\u30fc\u30af\u5185\u3067\u4e00\u822c\u7684\u306b\u4f7f\u7528\u3055\u308c\u3066\u3044\u308b\u95a2\u6570\u3092\u7c21\u5358\u306b\u5b9f\u884c\u3059\u308b\u305f\u3081\u306e\u30c4\u30fc\u30eb\u3068\u3057\u3066\u4e3b\u306b\u5229\u7528\u3055\u308c\u3066\u3044\u308b\u3088\u3046\u3067\u3059\u304c\u3001\u300c\u79fb\u8ee2\u300d\u30d5\u30a7\u30fc\u30ba\u304b\u3089\u300c\u9769\u65b0\u300d\u30d5\u30a7\u30fc\u30ba\u3078\u306e\u79fb\u884c\u306b\u4f34\u3063\u3066\u3001\u4eca\u5f8c\u306f\u3088\u308a\u30cd\u30a4\u30c6\u30a3\u30d6\u306a\u6a5f\u80fd\u3092\u6d3b\u7528\u3057\u3066\u3044\u304f\u3053\u3068\u304c\u4e88\u60f3\u3055\u308c\u307e\u3059\u3002<\/p>\n<h3>\u89b3\u5bdf\u3055\u308c\u305fC2\u307e\u305f\u306f\u30c0
\u30a6\u30f3\u30ed\u30fc\u30c9 \u30b5\u30a4\u30c8<\/h3>\n<p>Downloader DFSP<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-63.png\" \/><\/p>\n<p>PowerShell Empire<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-64.png\" \/><\/p>\n<p>Downloader DFSP 2X<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-65.png\" \/><\/p>\n<p>Downloader DFSP DPL<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-66.png\" \/><\/p>\n<p>Downloader IEXDS<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-67.png\" \/><\/p>\n<p>BITSTransfer<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-68.png\" \/><\/p>\n<p>TXT C2<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-69.png\" \/><\/p>\n<p>Downloader Proxy<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-70.png\" \/><\/p>\n<p>Downloader Kraken<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-71.png\" \/><\/p>\n<p>PowerWorm<\/p>\n<p><img  
data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-72.png\" \/><\/p>\n<p>AMSI Bypass<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-73.png\" \/><\/p>\n<p>Meterpreter RHTTP<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-74.png\" \/><\/p>\n<p>\u96e3\u8aad\u5316\u306e\u30ec\u30a4\u30e4\u30fc<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-75.png\" \/><\/p>\n<p>SHA1\u30cf\u30c3\u30b7\u30e5\u30bf\u30b0<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/82578\/pulling-back-curtains-encodedcommand-powershell-attacks-76.png\" \/><\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u6982\u8981 
PowerShell\u306f\u904e\u53bb\u6570\u5e74\u9593\u3067\u4eba\u6c17\u3092\u7372\u5f97\u3057\u7d9a\u3051\u3066\u3044\u307e\u3059\u304c\u3001\u305d\u308c\u306f\u3053\u306e\u30d5\u30ec\u30fc\u30e0\u30ef\u30fc\u30af\u304c\u767a\u9054\u3057\u7d9a\u3051\u3066\u3044\u308b\u304b\u3089\u3067\u3059\u3002\u3057\u305f\u304c\u3063\u3066\u3001PowerShell\u3092\u591a\u304f\u306e\u653b\u6483\u3067\u898b\u304b\u3051\u308b\u3088\u3046\u306b\u306a\u3063\u3066\u3044\u3066\u3082\u5c11\u3057\u3082\u9a5a\u304f\u3053\u3068\u3067\u306f\u3042\u308a\u307e\u305b\u3093<\/p>\n","protected":false},"author":135,"featured_media":106755,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[4321,1974,4428],"tags":[5546,5523],"product_categories":[],"coauthors":[422],"class_list":["post-106758","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-threat-research","category-malware-ja","category-threat-research-ja","tag-microsoft","tag-powershell-ja"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.0 (Yoast SEO v27.0) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>EncodedCommand\u306b\u3088\u308bPowerShell\u653b\u6483\u3092\u66b4\u304f<\/title>\n<meta name=\"description\" content=\"\u6982\u8981\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/unit42.paloaltonetworks.com\/ja\/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks\/\" \/>\n<meta property=\"og:locale\" content=\"ja_JP\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"EncodedCommand\u306b\u3088\u308bPowerShell\u653b\u6483\u3092\u66b4\u304f\" \/>\n<meta property=\"og:description\" content=\"\u6982\u8981\" \/>\n<meta property=\"og:url\" 
content=\"https:\/\/unit42.paloaltonetworks.com\/ja\/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks\/\" \/>\n<meta property=\"og:site_name\" content=\"Unit 42\" \/>\n<meta property=\"article:published_time\" content=\"2017-03-10T13:00:45+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2020-04-24T08:51:33+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2020\/04\/unit42-web-banner-650x300-1.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"650\" \/>\n\t<meta property=\"og:image:height\" content=\"300\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Jeff White\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"EncodedCommand\u306b\u3088\u308bPowerShell\u653b\u6483\u3092\u66b4\u304f","description":"\u6982\u8981","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/unit42.paloaltonetworks.com\/ja\/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks\/","og_locale":"ja_JP","og_type":"article","og_title":"EncodedCommand\u306b\u3088\u308bPowerShell\u653b\u6483\u3092\u66b4\u304f","og_description":"\u6982\u8981","og_url":"https:\/\/unit42.paloaltonetworks.com\/ja\/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks\/","og_site_name":"Unit 42","article_published_time":"2017-03-10T13:00:45+00:00","article_modified_time":"2020-04-24T08:51:33+00:00","og_image":[{"width":650,"height":300,"url":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2020\/04\/unit42-web-banner-650x300-1.jpg","type":"image\/jpeg"}],"author":"Jeff 
White","twitter_card":"summary_large_image","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks\/#article","isPartOf":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks\/"},"author":{"name":"Jeff White","@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/32ecb81b6d2fc5ba9e630880df6a8184"},"headline":"EncodedCommand\u306b\u3088\u308bPowerShell\u653b\u6483\u3092\u66b4\u304f","datePublished":"2017-03-10T13:00:45+00:00","dateModified":"2020-04-24T08:51:33+00:00","mainEntityOfPage":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks\/"},"wordCount":778,"commentCount":0,"image":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks\/#primaryimage"},"thumbnailUrl":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2020\/04\/unit42-web-banner-650x300-1.jpg","keywords":["Microsoft","Powershell"],"articleSection":["Threat 
Research","\u30de\u30eb\u30a6\u30a7\u30a2","\u8105\u5a01\u30ea\u30b5\u30fc\u30c1"],"inLanguage":"ja","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/unit42.paloaltonetworks.com\/ja\/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks\/","url":"https:\/\/unit42.paloaltonetworks.com\/ja\/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks\/","name":"EncodedCommand\u306b\u3088\u308bPowerShell\u653b\u6483\u3092\u66b4\u304f","isPartOf":{"@id":"https:\/\/unit42.paloaltonetworks.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks\/#primaryimage"},"image":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks\/#primaryimage"},"thumbnailUrl":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2020\/04\/unit42-web-banner-650x300-1.jpg","datePublished":"2017-03-10T13:00:45+00:00","dateModified":"2020-04-24T08:51:33+00:00","author":{"@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/32ecb81b6d2fc5ba9e630880df6a8184"},"description":"\u6982\u8981","breadcrumb":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks\/#breadcrumb"},"inLanguage":"ja","potentialAction":[{"@type":"ReadAction","target":["https:\/\/unit42.paloaltonetworks.com\/ja\/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks\/"]}]},{"@type":"ImageObject","inLanguage":"ja","@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks\/#primaryimage","url":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2020\/04\/unit42-web-banner-650x300-1.jpg","conten
tUrl":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2020\/04\/unit42-web-banner-650x300-1.jpg","width":650,"height":300},{"@type":"BreadcrumbList","@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/unit42.paloaltonetworks.com\/ja\/"},{"@type":"ListItem","position":2,"name":"EncodedCommand\u306b\u3088\u308bPowerShell\u653b\u6483\u3092\u66b4\u304f"}]},{"@type":"WebSite","@id":"https:\/\/unit42.paloaltonetworks.com\/#website","url":"https:\/\/unit42.paloaltonetworks.com\/","name":"Unit 42","description":"Palo Alto Networks","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/unit42.paloaltonetworks.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"ja"},{"@type":"Person","@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/32ecb81b6d2fc5ba9e630880df6a8184","name":"Jeff White","image":{"@type":"ImageObject","inLanguage":"ja","@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/image\/4ffb3c2d260a0150fb91b3715442f8b3","url":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2018\/11\/unit-news-meta.svg","contentUrl":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2018\/11\/unit-news-meta.svg","caption":"Jeff White"},"description":"Principal threat researcher, enterprise R&amp;D, FWaaP, Palo Alto 
Networks","url":"https:\/\/unit42.paloaltonetworks.com\/ja\/author\/jeff-white\/"}]}},"_links":{"self":[{"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/posts\/106758","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/users\/135"}],"replies":[{"embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/comments?post=106758"}],"version-history":[{"count":2,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/posts\/106758\/revisions"}],"predecessor-version":[{"id":106760,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/posts\/106758\/revisions\/106760"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/media\/106755"}],"wp:attachment":[{"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/media?parent=106758"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/categories?post=106758"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/tags?post=106758"},{"taxonomy":"product_categories","embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/product_categories?post=106758"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/coauthors?post=106758"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}