{"id":130258,"date":"2023-09-26T23:00:41","date_gmt":"2023-09-27T06:00:41","guid":{"rendered":"https:\/\/unit42.paloaltonetworks.com\/?p=130258"},"modified":"2024-07-30T17:50:48","modified_gmt":"2024-07-31T00:50:48","slug":"stately-taurus-attacks-se-asian-government","status":"publish","type":"post","link":"https:\/\/unit42.paloaltonetworks.com\/ja\/stately-taurus-attacks-se-asian-government\/","title":{"rendered":"\u6771\u5357\u30a2\u30b8\u30a2\u653f\u5e9c\u3078\u306e\u30b5\u30a4\u30d0\u30fc\u30b9\u30d1\u30a4\u653b\u6483\u306b Stately Taurus (\u5225\u540d Mustang Panda) \u304c\u95a2\u4e0e"},"content":{"rendered":"<h2><a id=\"post-130258-_50qt2dixcmnj\"><\/a><strong>\u6982\u8981<\/strong><\/h2>\n<p>\u4e2d\u301c\u9ad8\u306e\u78ba\u5ea6\u3067 Stately Taurus \u3067\u3042\u308b\u3068\u8003\u3048\u3089\u308c\u308b\u9ad8\u5ea6\u6301\u7d9a\u7684\u8105\u5a01 (APT) \u30b0\u30eb\u30fc\u30d7\u304c\u3001\u6771\u5357\u30a2\u30b8\u30a2\u306e\u3042\u308b\u653f\u5e9c\u3092\u6a19\u7684\u3068\u3057\u3001\u591a\u6570\u306e\u30b5\u30a4\u30d0\u30fc\u30b9\u30d1\u30a4\u4fb5\u5165\u306b\u95a2\u4e0e\u3057\u3066\u3044\u307e\u3057\u305f\u3002\u3053\u308c\u3089\u306e\u4fb5\u5165\u306f\u9045\u304f\u3068\u3082 2021 \u5e74\u7b2c 2 \u56db\u534a\u671f\u4ee5\u964d\u30012023 \u5e74\u7b2c 3 \u56db\u534a\u671f\u306b\u304b\u3051\u3066\u884c\u308f\u308c\u3066\u3044\u307e\u3057\u305f\u3002\u79c1\u305f\u3061\u306e\u89b3\u6e2c\u3068\u5206\u6790\u306b\u3088\u308c\u3070\u3001\u3053\u306e\u653b\u6483\u8005\u306f\u4fb5\u5bb3\u5148\u306e\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u304b\u3089\u6a5f\u5fae\u306a\u6587\u66f8\u3092\u306f\u3058\u3081\u3068\u3059\u308b\u30d5\u30a1\u30a4\u30eb\u3092\u53ce\u96c6\u30fb\u6f0f\u51fa\u3057\u3066\u3044\u307e\u3057\u305f\u3002<\/p>\n<p>\u79c1\u305f\u3061\u306f\u6771\u5357\u30a2\u30b8\u30a2\u306e\u3042\u308b\u653f\u5e9c\u306e<a href=\"https:\/\/unit42.paloaltonetworks.jp\/analysis-of-three-attack-clusters-in-se-asia\" target=\"_blank\" 
rel=\"noopener\">\u4fb5\u5bb3\u3055\u308c\u305f\u74b0\u5883\u3092\u8abf\u67fb\u3059\u308b<\/a>\u306a\u304b\u3067\u3053\u306e\u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3\u3092\u898b\u3064\u3051\u3001\u672c\u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3 \u30af\u30e9\u30b9\u30bf\u30fc\u3092 CL-STA-0044 \u3068\u3057\u3066\u8b58\u5225\u3057\u307e\u3057\u305f\u3002<\/p>\n<p>\u3053\u306e\u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3 \u30af\u30e9\u30b9\u30bf\u30fc\u3092\u5206\u6790\u3057\u305f\u3068\u3053\u308d\u3001\u4fb5\u5bb3\u5148\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u5185\u306b\u5805\u7262\u3067\u6c38\u7d9a\u7684\u306a\u8db3\u5834\u3092\u78ba\u4fdd\u3057\u3001\u540c\u653f\u5e9c\u306b\u52e4\u52d9\u3059\u308b\u95a2\u5fc3\u306e\u5bfe\u8c61\u3068\u306a\u308b\u4eba\u7269\u306b\u95a2\u3057\u3001\u6a5f\u5fae\u60c5\u5831\u306e\u7a83\u53d6\u3092\u8a66\u307f\u3066\u3044\u305f\u3053\u3068\u304c\u660e\u3089\u304b\u306b\u306a\u308a\u307e\u3057\u305f\u3002<\/p>\n<p>\u79c1\u305f\u3061\u306f\u4e2d\u301c\u9ad8\u306e\u78ba\u5ea6\u3067\u3053\u306e\u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3\u304c\u4e2d\u56fd\u306e\u30b5\u30a4\u30d0\u30fc\u30b9\u30d1\u30a4 \u30b0\u30eb\u30fc\u30d7 Stately Taurus \u306b\u95a2\u9023\u3057\u3066\u3044\u308b\u3068\u7d50\u8ad6\u3057\u3066\u3044\u307e\u3059\u3002\u540c\u30b0\u30eb\u30fc\u30d7\u306f\u3001Mustang Panda\u3001BRONZE PRESIDENT\u3001TA416\u3001RedDelta\u3001Earth Preta \u306a\u3069\u306e\u5225\u540d\u3067\u3082\u77e5\u3089\u308c\u3066\u3044\u307e\u3059\u3002Unit 42\u306f\u9577\u5e74\u306b\u308f\u305f\u308a\u3001\u3053\u306e\u30b0\u30eb\u30fc\u30d7\u304c\u6771\u5357\u30a2\u30b8\u30a2\u5730\u57df\u3068\u305d\u306e\u5468\u8fba\u306e\u6a19\u7684\u306b\u5bfe\u3057\u3066\u60c5\u5831\u53ce\u96c6\u3092\u884c\u3063\u3066\u3044\u308b\u3088\u3046\u3059\u3092\u89b3\u6e2c\u3057\u3066\u304d\u307e\u3057\u305f\u3002<\/p>\n<p>\u4eca\u56de\u306e\u5e30\u5c5e\u306f\u3001ToneShell 
\u30d0\u30c3\u30af\u30c9\u30a2\u306a\u3069\u3001\u307b\u304b\u306e\u65e2\u77e5\u306e\u8105\u5a01\u30a2\u30af\u30bf\u30fc\u3067\u306f\u95a2\u9023\u6027\u3092\u8868\u7acb\u3063\u3066\u6587\u66f8\u5316\u3055\u308c\u305f\u3053\u3068\u306e\u306a\u3044\u3001\u7279\u7570\u304b\u3064\u7a00\u306a\u30c4\u30fc\u30eb\u306e\u5229\u7528\u306b\u3088\u3063\u3066\u88cf\u4ed8\u3051\u3089\u308c\u305f\u3082\u306e\u3067\u3059\u3002<\/p>\n<p>\u672c\u7a3f\u306f\u540c\u30af\u30e9\u30b9\u30bf\u30fc\u306e\u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3\u3092\u89e3\u8aac\u3057\u3001\u3053\u306e APT \u653b\u6483\u30b0\u30eb\u30fc\u30d7\u304c\u4f7f\u7528\u3059\u308b\u30c4\u30fc\u30eb\u3084\u30a2\u30d7\u30ed\u30fc\u30c1\u3092\u7d39\u4ecb\u3057\u3001\u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3\u306e\u6642\u7cfb\u5217\u3092\u63d0\u4f9b\u3057\u307e\u3059\u3002\u9632\u5fa1\u5074\u304c\u91cd\u8981\u306a\u60c5\u5831\u3092\u53d6\u5f97\u3057\u305f\u308a\u3001\u56fd\u5bb6\u652f\u63f4\u578b\u306e\u9ad8\u5ea6\u3067\u6301\u7d9a\u7684\u306a\u8105\u5a01\u306e\u8ffd\u8de1\u3059\u308b\u3055\u3044\u3001\u672c\u7a3f\u3092\u304a\u5f79\u7acb\u3066\u3044\u305f\u3060\u3051\u308c\u3070\u5e78\u3044\u3067\u3059\u3002<\/p>\n<p>\u30d1\u30ed\u30a2\u30eb\u30c8\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30b9\u306e\u304a\u5ba2\u69d8\u306f\u3001<a href=\"#post-130258-_mf3k1d3b3om7\">\u7d50\u8ad6<\/a>\u3067\u8ff0\u3079\u308b\u3088\u3046\u306b\u3001 Advanced WildFire\u3001Advanced URL Filtering\u3001DNS Security\u3001Cortex XDR\u3001Cortex XSIAM \u3092\u901a\u3058\u3001\u672c\u7a3f\u3067\u89e3\u8aac\u3059\u308b\u8105\u5a01\u304b\u3089\u306e\u4fdd\u8b77\u3092\u53d7\u3051\u3089\u308c\u307e\u3059\u3002<\/p>\n<p><a href=\"https:\/\/start.paloaltonetworks.jp\/contact-unit42.html\" target=\"_blank\" rel=\"noopener\">Unit 42 \u30a4\u30f3\u30b7\u30c7\u30f3\u30c8 \u30ec\u30b9\u30dd\u30f3\u30b9 
\u30c1\u30fc\u30e0<\/a>\u306f\u3001\u672c\u7a3f\u3067\u53d6\u308a\u4e0a\u3052\u305f\u8105\u5a01\u3092\u306f\u3058\u3081\u3001\u3055\u307e\u3056\u307e\u306a\u8105\u5a01\u3078\u306e\u500b\u5225\u5bfe\u5fdc\u3092\u63d0\u4f9b\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<table style=\"width: 100%; height: 24px;\">\n<thead>\n<tr style=\"height: 24px;\">\n<td style=\"width: 35%; height: 24px;\"><b>\u95a2\u9023\u3059\u308b Unit 42 \u306e\u30c8\u30d4\u30c3\u30af<\/b><\/td>\n<td style=\"width: 100%; height: 24px;\"><a href=\"https:\/\/unit42.paloaltonetworks.jp\/category\/government-ja\/\" target=\"_blank\" rel=\"noopener\"><b>Government<\/b><\/a>, <strong><a href=\"https:\/\/unit42.paloaltonetworks.jp\/tag\/apts-ja\/\" target=\"_blank\" rel=\"noopener\">APTs<\/a><\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 35%;\"><b>Stately Taurus \u306e\u5225\u540d<\/b><\/td>\n<td style=\"width: 100%;\"><b><span style=\"font-weight: 400;\">Mustang Panda, BRONZE PRESIDENT, TA416, RedDelta and Earth Preta<\/span><\/b><\/td>\n<\/tr>\n<\/thead>\n<\/table>\n<h2><a id=\"post-130258-_4w39xp2eevtx\"><\/a><strong>\u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3\u306e\u6642\u7cfb\u5217<\/strong><\/h2>\n<figure id=\"attachment_130106\" aria-describedby=\"caption-attachment-130106\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-130106 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/09\/word-image-130090-1-1-ja.png\" alt=\"\u753b\u50cf 1 \u306f CL-STA-0044 \u306e\u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3\u306e\u6642\u7cfb\u5217\u3067\u3059\u30022021 \u5e74\u306e\u7b2c 1 \u56db\u534a\u671f\u306b\u59cb\u307e\u308a\u30012022 \u5e74\u306e\u7b2c 2 \u56db\u534a\u671f\u3001\u7b2c 3 \u56db\u534a\u671f\u3001\u7b2c 4 \u56db\u534a\u671f\u30012023 \u5e74\u306e\u7b2c 1 \u56db\u534a\u671f\u304b\u3089\u7b2c 3 \u56db\u534a\u671f\u307e\u3067\u7d9a\u3044\u3066\u3044\u307e\u3059\u3002\" width=\"900\" height=\"385\" \/><figcaption 
id=\"caption-attachment-130106\" class=\"wp-caption-text\">\u56f31. CL-STA-0044 \u306e\u6642\u7cfb\u5217<\/figcaption><\/figure>\n<h2><a id=\"post-130258-_z4kcskcif3h6\"><\/a><strong>CL-STA-0044 \u306e\u8a73\u7d30<\/strong><\/h2>\n<h3><a id=\"post-130258-_l1c5ysal9fvf\"><\/a>\u5075\u5bdf<\/h3>\n<p>CL-STA-0044 \u306e\u80cc\u5f8c\u306b\u3044\u308b\u8105\u5a01\u30a2\u30af\u30bf\u30fc\u306f\u3001\u4fb5\u5bb3\u5148\u306e\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u3078\u306e\u7406\u89e3\u3092\u6df1\u3081\u308b\u305f\u3081\u3001\u611f\u67d3\u74b0\u5883\u3092\u30b9\u30ad\u30e3\u30f3\u3057\u3001\u7a3c\u50cd\u4e2d\u306e\u30db\u30b9\u30c8\u3084\u958b\u3044\u3066\u3044\u308b\u30dd\u30fc\u30c8\u3001\u65e2\u5b58\u306e\u30c9\u30e1\u30a4\u30f3 \u30e6\u30fc\u30b6\u30fc\u3084\u30c9\u30e1\u30a4\u30f3 \u30b0\u30eb\u30fc\u30d7\u3092\u63a2\u7d22\u3057\u3066\u3044\u307e\u3057\u305f\u3002<\/p>\n<p>\u79c1\u305f\u3061\u306f\u3053\u306e\u653b\u6483\u8005\u304c\u76ee\u6a19\u9054\u6210\u306b\u3080\u3051\u3001\u3044\u304f\u3064\u304b\u306e\u7570\u306a\u308b\u30c4\u30fc\u30eb\u3092\u4f7f\u3063\u3066\u3044\u308b\u3088\u3046\u3059\u3092\u89b3\u6e2c\u3057\u307e\u3057\u305f\u3002<\/p>\n<ul>\n<li><strong>LadonGo<\/strong>: LadonGo \u306f\u3001\u4e2d\u56fd\u8a9e\u8a71\u8005\u306e\u958b\u767a\u8005\u304c\u4f5c\u6210\u3057\u305f\u30aa\u30fc\u30d7\u30f3\u30bd\u30fc\u30b9\u306e\u30b9\u30ad\u30e3\u30f3 \u30d5\u30ec\u30fc\u30e0\u30ef\u30fc\u30af\u3067\u3059\u3002\u653b\u6483\u8005\u306f LadonGo \u3092\u4f7f\u3044\u3001<span style=\"font-family: 'courier new', courier, monospace;\">smbscan<\/span>\u3001<span style=\"font-family: 'courier new', courier, monospace;\">pingscan<\/span>\u3001<span style=\"font-family: 'courier new', courier, monospace;\">sshscan<\/span> 
\u306a\u3069\u306e\u30b3\u30de\u30f3\u30c9\u3067\u7a3c\u50cd\u4e2d\u306e\u30db\u30b9\u30c8\u3084\u958b\u3044\u3066\u3044\u308b\u30dd\u30fc\u30c8\u3092\u30b9\u30ad\u30e3\u30f3\u3057\u3066\u3044\u307e\u3057\u305f\u3002<\/li>\n<li><strong>NBTScan<\/strong>: NBTScan \u306f IP \u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u3092\u30b9\u30ad\u30e3\u30f3\u3057\u3066 NetBIOS \u540d\u306e\u60c5\u5831\u3092\u53d6\u5f97\u3059\u308b\u30d7\u30ed\u30b0\u30e9\u30e0\u3067\u3059\u3002<\/li>\n<li><strong>AdFind:<\/strong> AdFind \u306f\u3001Active Directory \u304b\u3089\u60c5\u5831\u3092\u53ce\u96c6\u3067\u304d\u308b\u30b3\u30de\u30f3\u30c9\u30e9\u30a4\u30f3 \u30af\u30a8\u30ea\u30fc \u30c4\u30fc\u30eb\u3067\u3059\u3002\u3053\u306e\u8105\u5a01\u30a2\u30af\u30bf\u30fc\u306f\u30c4\u30fc\u30eb\u540d\u3092 a.logs \u306b\u5909\u66f4\u3057\u3001AdFind \u306e\u7d50\u679c\u3092\u4ee5\u4e0b\u306e\u30d5\u30a1\u30a4\u30eb\u540d\u3067\u4fdd\u5b58\u3057\u3066\u3044\u307e\u3057\u305f (\u56f3 2)\u3002\n<ul>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">Domain_users_light.txt<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">Domain_computers_light.txt<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">Domain_groups_light.txt<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>\u3053\u308c\u3089\u306e\u30d5\u30a1\u30a4\u30eb\u540d\u306f\u300cPenetration Testing Methodology References (\u30da\u30cd\u30c8\u30ec\u30fc\u30b7\u30e7\u30f3\u30c6\u30b9\u30c8\u306e\u65b9\u6cd5\u8ad6\u306e\u30ea\u30d5\u30a1\u30ec\u30f3\u30b9)\u300d\u3068\u3044\u3046\u3042\u308b <a href=\"https:\/\/github.com\/threatexpress\/pasties\/blob\/master\/pasties.md\" target=\"_blank\" rel=\"noopener\">GitHub \u30da\u30fc\u30b8<\/a> \u3067\u3057\u304b\u8a00\u53ca\u3055\u308c\u3066\u3044\u307e\u305b\u3093\u3002<\/p>\n<figure id=\"attachment_130110\" aria-describedby=\"caption-attachment-130110\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><img  
class=\"wp-image-130110 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/09\/word-image-130090-2-1.png\" alt=\"\u753b\u50cf 2 \u306f Cortex XDR \u30d7\u30ed\u30b0\u30e9\u30e0\u306e\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3067\u3059\u3002\u3053\u306e\u30c0\u30a4\u30a2\u30b0\u30e9\u30e0\u306f AdFind \u306e\u8a66\u884c\u3092 Cortex XDR \u304c\u9632\u6b62\u3057\u305f\u3053\u3068\u3092\u793a\u3057\u3066\u3044\u307e\u3059\u3002\u60c5\u5831\u306e\u4e00\u90e8\u306f\u5272\u611b\u3057\u3066\u3042\u308a\u307e\u3059\u3002\" width=\"900\" height=\"394\" \/><figcaption id=\"caption-attachment-130110\" class=\"wp-caption-text\">\u56f32. Cortex XDR \u304c AdFind \u306b\u3088\u308b\u30c9\u30e1\u30a4\u30f3 \u30e6\u30fc\u30b6\u30fc\u8a73\u7d30\u306e\u30c0\u30f3\u30d7\u8a66\u884c\u3092\u9632\u6b62\u3057\u305f\u3088\u3046\u3059<\/figcaption><\/figure>\n<ul>\n<li><strong>Impacket:<\/strong> <a href=\"https:\/\/attack.mitre.org\/software\/S0357\/\" target=\"_blank\" rel=\"noopener\">Impacket<\/a> \u30b3\u30ec\u30af\u30b7\u30e7\u30f3\u306b\u306f\u3001\u30ea\u30e2\u30fc\u30c8\u5b9f\u884c\u3001Kerberos \u653b\u6483\u3001\u30af\u30ec\u30c7\u30f3\u30b7\u30e3\u30eb\u306e\u30c0\u30f3\u30d7\u306a\u3069\u306b\u95a2\u9023\u3059\u308b\u6a5f\u80fd\u3092\u5099\u3048\u305f\u591a\u304f\u306e\u30c4\u30fc\u30eb\u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3059\u3002\u56f3 3 \u306f\u3053\u308c\u3089\u306e\u30b3\u30de\u30f3\u30c9\u3092\u793a\u3057\u3066\u3044\u307e\u3059\u3002\u8105\u5a01\u30a2\u30af\u30bf\u30fc\u306f Impacket \u3067\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u95a2\u9023\u306e\u60c5\u5831\u3092\u53ce\u96c6\u3057\u3001\u30de\u30b7\u30f3\u3084\u30e6\u30fc\u30b6\u30fc\u3092\u691c\u51fa\u3057\u3001\u30ea\u30e2\u30fc\u30c8 
\u30de\u30b7\u30f3\u4e0a\u306e\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u30fc\u306b\u30af\u30a8\u30ea\u30fc\u3092\u5b9f\u884c\u3057\u3066\u3001\u6f0f\u51fa\u306e\u5bfe\u8c61\u306b\u3059\u3079\u304d\u30d5\u30a1\u30a4\u30eb\u3092\u63a2\u3057\u3066\u3044\u307e\u3057\u305f\u3002<\/li>\n<\/ul>\n<figure id=\"attachment_130112\" aria-describedby=\"caption-attachment-130112\" style=\"width: 759px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-130112 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/09\/word-image-130090-3-1.png\" alt=\"\u753b\u50cf 3 \u306f\u3001Impacket (Python \u30e2\u30b8\u30e5\u30fc\u30eb) \u7d4c\u7531\u3067\u5b9f\u884c\u3055\u308c\u305f\u5075\u5bdf\u30b3\u30de\u30f3\u30c9\u306e\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3067\u3059\u3002\u5408\u8a08 6 \u3064\u306e\u30b3\u30de\u30f3\u30c9\u304c\u3042\u308a\u3001\u4e00\u90e8\u306e\u60c5\u5831\u306f\u5272\u611b\u3055\u308c\u3066\u3044\u307e\u3059\u3002 \" width=\"759\" height=\"287\" \/><figcaption id=\"caption-attachment-130112\" class=\"wp-caption-text\">\u56f33. 
Impacket \u7d4c\u7531\u3067\u5b9f\u884c\u3055\u308c\u305f\u5075\u5bdf\u30b3\u30de\u30f3\u30c9<\/figcaption><\/figure>\n<h3><a id=\"post-130258-_4nkwtc7sylud\"><\/a>\u30af\u30ec\u30c7\u30f3\u30b7\u30e3\u30eb\u306e\u7a83\u53d6<\/h3>\n<p>Unit 42 \u306e\u30ea\u30b5\u30fc\u30c1\u30e3\u30fc\u306f\u3001CL-STA-0044 \u306e\u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3\u306e\u80cc\u5f8c\u306b\u3044\u308b\u8105\u5a01\u30a2\u30af\u30bf\u30fc\u304c\u3001\u8907\u6570\u306e\u30af\u30ec\u30c7\u30f3\u30b7\u30e3\u30eb\u7a83\u53d6\u6280\u8853\u3092\u4f7f\u3044\u3001\u3055\u307e\u3056\u307e\u306a\u30db\u30b9\u30c8\u3084 Active Directory \u304b\u3089\u30d1\u30b9\u30ef\u30fc\u30c9\u3092\u30c0\u30f3\u30d7\u3057\u3088\u3046\u3068\u3057\u305f\u3088\u3046\u3059\u3092\u89b3\u6e2c\u3057\u307e\u3057\u305f\u3002<\/p>\n<ul>\n<li><strong>Hdump<\/strong>: \u3053\u306e\u8105\u5a01\u30a2\u30af\u30bf\u30fc\u306f <span style=\"font-family: 'courier new', courier, monospace;\">Hdump.exe<\/span> (\u540d\u524d\u306f <span style=\"font-family: 'courier new', courier, monospace;\">h64.exe \u306b<\/span>\u5909\u66f4\u3055\u308c\u3066\u3044\u305f) \u3092\u5c55\u958b\u30fb\u4f7f\u7528\u3057\u3066\u3044\u307e\u3057\u305f\u3002<span style=\"font-family: 'courier new', courier, monospace;\">Hdump.exe<\/span> \u306f\u30af\u30ec\u30c7\u30f3\u30b7\u30e3\u30eb\u7a83\u53d6\u30e6\u30fc\u30c6\u30a3\u30ea\u30c6\u30a3\u3067\u3001\u4e2d\u56fd\u306e\u8105\u5a01\u30a2\u30af\u30bf\u30fc\u306b\u3088\u308b\u4f7f\u7528\u304c<a href=\"https:\/\/valhalla.nextron-systems.com\/info\/rule\/Winnti_APT_Hdump_Tool\" target=\"_blank\" rel=\"noopener\">\u30ea\u30b5\u30fc\u30c1\u30e3\u30fc\u306b\u3088\u308a\u78ba\u8a8d\u3055\u308c\u3066<\/a>\u3044\u307e\u3059\u3002\u8105\u5a01\u30a2\u30af\u30bf\u30fc\u306f Hdump \u306b <span style=\"font-family: 'courier new', courier, monospace;\">-a<\/span> (dump all) 
\u30d5\u30e9\u30b0\u3092\u6307\u5b9a\u3057\u3066\u3001\u30e1\u30e2\u30ea\u30fc\u304b\u3089\u30af\u30ec\u30c7\u30f3\u30b7\u30e3\u30eb\u3092\u30c0\u30f3\u30d7\u3057\u3066\u3044\u307e\u3057\u305f\u3002<\/li>\n<\/ul>\n<p>\u56f3 4 \u306f\u3001Hdump \u306e\u30d8\u30eb\u30d7 \u30e1\u30cb\u30e5\u30fc\u3092\u793a\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<figure id=\"attachment_130116\" aria-describedby=\"caption-attachment-130116\" style=\"width: 490px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-130116 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/09\/word-image-130090-4-1.png\" alt=\"\u753b\u50cf 4 \u306f\u3001Hdump \u30b3\u30de\u30f3\u30c9\u306e\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3067\u3059\u3002\u3053\u308c\u3089\u306e\u30aa\u30d7\u30b7\u30e7\u30f3\u306b\u306f\u3001print (\u51fa\u529b)\u3001dump user hashes (\u30e6\u30fc\u30b6\u30fc \u30cf\u30c3\u30b7\u30e5\u306e\u30c0\u30f3\u30d7)\u3001dump cache hash (\u30ad\u30e3\u30c3\u30b7\u30e5 \u30cf\u30c3\u30b7\u30e5\u306e\u30c0\u30f3\u30d7) \u306a\u3069\u306e\u9805\u76ee\u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3059\u3002\" width=\"490\" height=\"265\" \/><figcaption id=\"caption-attachment-130116\" class=\"wp-caption-text\">\u56f34. 
Hdump \u306e\u30d8\u30eb\u30d7 \u30e1\u30cb\u30e5\u30fc<\/figcaption><\/figure>\n<ul>\n<li><strong>Mimikatz:<\/strong> \u8105\u5a01\u30a2\u30af\u30bf\u30fc\u306f\u30e6\u30fc\u30b6\u30fc \u30af\u30ec\u30c7\u30f3\u30b7\u30e3\u30eb\u3092\u6f0f\u51fa\u3057\u3088\u3046\u3068\u3057\u3066\u30af\u30ec\u30c7\u30f3\u30b7\u30e3\u30eb\u53ce\u96c6\u30c4\u30fc\u30eb Mimikatz (\u540d\u524d\u306f <span style=\"font-family: 'courier new', courier, monospace;\">l.doc<\/span> \u306b\u306a\u3063\u3066\u3044\u305f) \u3092\u4f7f\u3044\u3001\u8907\u6570\u56de <span style=\"font-family: 'courier new', courier, monospace;\">lsass.exe<\/span> \u306e\u30e1\u30e2\u30ea\u30fc\u3092\u30c0\u30f3\u30d7\u3057\u3088\u3046\u3068\u3057\u3066\u3044\u307e\u3057\u305f\u3002<\/li>\n<li><strong>DCSync:<\/strong> \u8105\u5a01\u30a2\u30af\u30bf\u30fc\u306f\u3001\u88ab\u5bb3\u8005\u306e\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u5185\u3067\u3001\u653b\u6483\u8005\u304c\u30c9\u30e1\u30a4\u30f3 \u30b3\u30f3\u30c8\u30ed\u30fc\u30e9\u30fc (DC) \u3092\u30b7\u30df\u30e5\u30ec\u30fc\u30c8\u3067\u304d\u308b\u3088\u3046\u306b\u3059\u308b Mimikatz \u306e DCSync \u6a5f\u80fd\u3092\u4f7f\u3044\u3001\u6b63\u898f\u306e DC \u304b\u3089\u30e6\u30fc\u30b6\u30fc \u30af\u30ec\u30c7\u30f3\u30b7\u30e3\u30eb\u3092\u53d6\u5f97\u3057\u3088\u3046\u3068\u3057\u3066\u3044\u307e\u3057\u305f\u3002\u305d\u306e\u5f8c\u5f7c\u3089\u306f\u53ce\u96c6\u3057\u305f\u60c5\u5831\u3092 <span style=\"font-family: 'courier new', courier, monospace;\">log.txt<\/span> \u3068\u3044\u3046\u540d\u524d\u306e\u30d5\u30a1\u30a4\u30eb\u306b\u4fdd\u5b58\u3057\u3066\u3044\u307e\u3057\u305f\u3002<\/li>\n<\/ul>\n<figure id=\"attachment_130120\" aria-describedby=\"caption-attachment-130120\" style=\"width: 506px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-130120 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/09\/word-image-130090-5-1.png\" alt=\"\u753b\u50cf 5 \u306f\u3001DCSync 
\u30b3\u30de\u30f3\u30c9\u306e\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3067\u3059\u3002\u60c5\u5831\u306e\u4e00\u90e8\u306f\u5272\u611b\u3057\u3066\u3042\u308a\u307e\u3059\u3002\" width=\"506\" height=\"55\" \/><figcaption id=\"caption-attachment-130120\" class=\"wp-caption-text\">\u56f35. DCSync \u30b3\u30de\u30f3\u30c9<\/figcaption><\/figure>\n<ul>\n<li><strong>Ntds.dit \u30d5\u30a1\u30a4\u30eb\u306e\u7a83\u53d6:<\/strong> Active Directory \u30c7\u30fc\u30bf\u3092\u76d7\u3080\u305f\u3081\u3001\u8105\u5a01\u30a2\u30af\u30bf\u30fc\u306f <span style=\"font-family: 'courier new', courier, monospace;\">Vssadmin<\/span> \u30c4\u30fc\u30eb\u3092\u4f7f\u3063\u3066 DC \u4e0a\u306e <span style=\"font-family: 'courier new', courier, monospace;\">C:\\<\/span> \u306e\u30dc\u30ea\u30e5\u30fc\u30e0 \u30b7\u30e3\u30c9\u30a6 \u30b3\u30d4\u30fc\u3092\u4f5c\u6210\u3057\u3066\u3044\u307e\u3057\u305f\u3002\u305d\u306e\u5f8c\u5f7c\u3089\u306f\u3001\u3053\u306e\u30b7\u30e3\u30c9\u30a6 \u30b3\u30d4\u30fc\u304b\u3089 <span style=\"font-family: 'courier new', courier, monospace;\">Ntds.dit<\/span> \u30d5\u30a1\u30a4\u30eb\u3092\u53d6\u5f97\u3057\u3066\u3044\u307e\u3057\u305f (\u56f3 6)\u3002<\/li>\n<\/ul>\n<p><span style=\"font-family: 'courier new', courier, monospace;\">Ntds.dit<\/span> \u30d5\u30a1\u30a4\u30eb\u306f Active Directory \u30c7\u30fc\u30bf\u3092\u4fdd\u5b58\u3059\u308b\u30c7\u30fc\u30bf\u30d9\u30fc\u30b9\u3067\u3001\u3053\u3053\u306b\u306f\u30e6\u30fc\u30b6\u30fc \u30aa\u30d6\u30b8\u30a7\u30af\u30c8\u3001\u30b0\u30eb\u30fc\u30d7\u3001\u30b0\u30eb\u30fc\u30d7 \u30e1\u30f3\u30d0\u30fc\u30b7\u30c3\u30d7\u3001(\u305d\u3057\u3066\u6700\u3082\u91cd\u8981\u306a) \u30d1\u30b9\u30ef\u30fc\u30c9 \u30cf\u30c3\u30b7\u30e5\u306b\u95a2\u3059\u308b\u60c5\u5831\u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n<p>\u8105\u5a01\u30a2\u30af\u30bf\u30fc\u306f\u307e\u305f\u3001\u30d6\u30fc\u30c8 \u30ad\u30fc\u3092\u542b\u3080 <span style=\"font-family: 'courier new', 
courier, monospace;\">SYSTEM<\/span> \u30d5\u30a1\u30a4\u30eb\u3082\u76d7\u3093\u3067\u3044\u307e\u3057\u305f\u3002\u3053\u306e\u30d6\u30fc\u30c8 \u30ad\u30fc\u306f <span style=\"font-family: 'courier new', courier, monospace;\">Ntds.dit<\/span>\u30d5\u30a1\u30a4\u30eb\u306e\u6697\u53f7\u5316\u89e3\u9664\u306b\u5fc5\u8981\u3068\u3055\u308c\u307e\u3059\u3002<\/p>\n<figure id=\"attachment_130124\" aria-describedby=\"caption-attachment-130124\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-130124 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/09\/word-image-130090-6-1.png\" alt=\"\u753b\u50cf 6 \u306f Ntds.dit \u30d5\u30a1\u30a4\u30eb\u3092\u76d7\u3080\u305f\u3081\u306b\u4f7f\u308f\u308c\u305f\u30b3\u30de\u30f3\u30c9\u306e\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3067\u3059\u3002\u5408\u8a08 4 \u884c\u3042\u308a\u3001\u4e00\u90e8\u306e\u60c5\u5831\u306f\u5272\u611b\u3055\u308c\u3066\u3044\u307e\u3059\u3002\" width=\"900\" height=\"196\" \/><figcaption id=\"caption-attachment-130124\" class=\"wp-caption-text\">\u56f36. 
<span style=\"font-family: 'courier new', courier, monospace;\">Ntds.dit<\/span> \u30d5\u30a1\u30a4\u30eb\u306e\u7a83\u53d6<\/figcaption><\/figure>\n<h3><a id=\"post-130258-_rf5ej4wt4bm3\"><\/a>\u65e2\u5b58\u306e\u30a6\u30a4\u30eb\u30b9\u5bfe\u7b56\u30bd\u30d5\u30c8\u30a6\u30a7\u30a2\u306e\u60aa\u7528<\/h3>\n<p>\u79c1\u305f\u3061\u306f\u3001CL-STA-0044 \u306e\u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3\u306e\u80cc\u5f8c\u306b\u3044\u308b\u8105\u5a01\u30a2\u30af\u30bf\u30fc\u304c\u3001\u4fb5\u5bb3\u5148\u306e\u74b0\u5883\u3067\u65e2\u5b58\u306e\u30a6\u30a4\u30eb\u30b9\u5bfe\u7b56\u30bd\u30d5\u30c8\u30a6\u30a7\u30a2\u3092\u60aa\u7528\u3057\u3066\u3044\u308b\u3088\u3046\u3059\u3092\u89b3\u6e2c\u3057\u307e\u3057\u305f\u3002\u5f7c\u3089\u306f ESET \u306e Remote Administrator Agent (\u30ea\u30e2\u30fc\u30c8\u7ba1\u7406\u30a8\u30fc\u30b8\u30a7\u30f3\u30c8) \u3092\u60aa\u7528\u3057\u3001\u30ea\u30e2\u30fc\u30c8\u30db\u30b9\u30c8\u4e0a\u3067\u30b3\u30de\u30f3\u30c9\u3092\u5b9f\u884c\u3057\u305f\u308a\u30d0\u30c3\u30af\u30c9\u30a2\u3092\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3057\u305f\u308a\u3057\u3066\u3044\u307e\u3057\u305f\u3002<\/p>\n<p>\u5f7c\u3089\u306f <span style=\"font-family: 'courier new', courier, monospace;\">ERAAgent.exe<\/span> \u30d7\u30ed\u30bb\u30b9\u3092\u4f7f\u3063\u3066 <span style=\"font-family: 'courier new', courier, monospace;\">C:\\Windows\\Temp\\ra-run-command-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.bat<\/span> ( <span style=\"font-family: 'courier new', courier, monospace;\">xxx<\/span> \u306e\u90e8\u5206\u306f\u4e71\u6570\u3084\u6587\u5b57\u3067\u7f6e\u304d\u63db\u3048\u3089\u308c\u308b) \u3068\u3044\u3046\u547d\u540d\u898f\u5247\u3067 .bat \u30d5\u30a1\u30a4\u30eb\u3092\u5b9f\u884c\u3057\u3066\u3044\u307e\u3057\u305f\u3002<\/p>\n<p>\u3053\u308c\u3089\u306e <span style=\"font-family: 'courier new', courier, monospace;\">.bat<\/span> 
\u30d5\u30a1\u30a4\u30eb\u306f\u5075\u5bdf\u30b3\u30de\u30f3\u30c9\u3092\u5b9f\u884c\u3057\u3001\u8ffd\u52a0\u306e\u30d0\u30c3\u30af\u30c9\u30a2\u3092\u30c7\u30a3\u30b9\u30af\u306b\u66f8\u304d\u8fbc\u3093\u3067\u3044\u307e\u3057\u305f (\u56f3 7)\u3002\u3053\u308c\u3089\u306e\u30d5\u30a1\u30a4\u30eb\u306f ESET \u306e <a href=\"https:\/\/forum.eset.com\/topic\/22559-run-command-task-filename-is-now-randomized\/\" target=\"_blank\" rel=\"noopener\">Run Command<\/a> \u30bf\u30b9\u30af\u304c\u958b\u59cb\u3059\u308b\u30b3\u30de\u30f3\u30c9\u306e\u5b9f\u884c\u3092\u62c5\u3063\u3066\u3044\u305f\u3088\u3046\u3067\u3059\u3002<\/p>\n<figure id=\"attachment_130130\" aria-describedby=\"caption-attachment-130130\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-130130 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/09\/word-image-130090-7-1.png\" alt=\"\u753b\u50cf 7 \u306f Cortex XDR \u306e\u30c4\u30ea\u30fc \u30c0\u30a4\u30a2\u30b0\u30e9\u30e0\u306e\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3067\u3059\u3002\u4e0d\u5be9\u306a\u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3\u304c\u9632\u6b62\u3055\u308c\u3066\u3044\u307e\u3059\u3002\u60c5\u5831\u306e\u4e00\u90e8\u306f\u5272\u611b\u3057\u3066\u3042\u308a\u307e\u3059\u3002\" width=\"900\" height=\"332\" \/><figcaption id=\"caption-attachment-130130\" class=\"wp-caption-text\">\u56f37. 
Cortex XDR \u304c <span style=\"font-family: 'courier new', courier, monospace;\">ERAAgent.exe<\/span> \u306b\u3088\u308b\u4e0d\u5be9\u306a\u52d5\u4f5c\u3092\u9632\u6b62\u3057\u305f\u3068\u3053\u308d<\/figcaption><\/figure>\n<h3><a id=\"post-130258-_6g7zygn20w8t\"><\/a>\u30a2\u30af\u30bb\u30b9\u306e\u7dad\u6301: Web \u30b7\u30a7\u30eb\u3068\u30d0\u30c3\u30af\u30c9\u30a2<\/h3>\n<p>CL-STA-0044 \u30af\u30e9\u30b9\u30bf\u30fc\u306e\u80cc\u5f8c\u306b\u3044\u305f\u653b\u6483\u8005\u306f\u3001\u3053\u306e\u30ad\u30e3\u30f3\u30da\u30fc\u30f3\u4e2d\u3001\u8907\u6570\u306e\u65b9\u6cd5\u3092\u4f7f\u3063\u3066\u4fb5\u5bb3\u5148\u306e\u74b0\u5883\u3067\u8db3\u5834\u3092\u7dad\u6301\u3057\u3066\u3044\u307e\u3057\u305f\u3002\u305d\u306e\u306a\u304b\u306b\u306f\u8907\u6570\u306e\u30d0\u30c3\u30af\u30c9\u30a2\u3084 Web \u30b7\u30a7\u30eb\u306e\u4f7f\u7528\u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3057\u305f\u3002<\/p>\n<h4><a id=\"post-130258-_c9p5ma76cer7\"><\/a>\u6587\u66f8\u5316\u3055\u308c\u3066\u3044\u306a\u3044 ToneShell \u306e\u4e9c\u7a2e<\/h4>\n<p>CL-STA-0044 \u306e\u80cc\u5f8c\u306b\u3044\u308b\u653b\u6483\u8005\u304c\u3053\u306e\u30ad\u30e3\u30f3\u30da\u30fc\u30f3\u3067\u4f7f\u3063\u305f\u4eba\u6c17\u30d0\u30c3\u30af\u30c9\u30a2\u306e 1 \u3064\u304c\u3001ToneShell \u3068\u547c\u3070\u308c\u308b\u6587\u66f8\u5316\u3055\u308c\u3066\u3044\u306a\u3044\u30de\u30eb\u30a6\u30a7\u30a2\u306e\u4e9c\u7a2e\u3067\u3059\u3002<a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/k\/earth-preta-spear-phishing-governments-worldwide.html\" target=\"_blank\" rel=\"noopener\">Trend Micro<\/a> \u304c Stately Taurus \u304c\u3053\u306e\u30de\u30eb\u30a6\u30a7\u30a2\u3092\u4f7f\u3063\u3066\u3044\u305f\u3053\u3068\u3092\u5831\u544a\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<p>\u3053\u308c\u307e\u3067\u306e ToneShell 
\u306f\u30de\u30eb\u30a6\u30a7\u30a2\u306e\u30da\u30a4\u30ed\u30fc\u30c9\u3068\u3057\u3066\u30b7\u30a7\u30eb\u30b3\u30fc\u30c9\u3092\u4f7f\u7528\u3059\u308b\u3053\u3068\u304c\u5831\u544a\u3055\u308c\u3066\u3044\u307e\u3057\u305f\u304c\u3001\u305d\u308c\u3068\u306f\u3061\u304c\u3044\u3001\u3053\u306e\u65b0\u305f\u306a\u4e9c\u7a2e\u306e\u5168\u6a5f\u80fd\u306f\u3001\u9023\u643a\u3057\u3066\u52d5\u304f 3 \u3064\u306e DLL \u30b3\u30f3\u30dd\u30fc\u30cd\u30f3\u30c8\u304b\u3089\u306a\u308a\u305f\u3063\u3066\u3044\u307e\u3059\u3002<\/p>\n<p>\u5404 DLL \u30b3\u30f3\u30dd\u30fc\u30cd\u30f3\u30c8\u306b\u306f\u7570\u306a\u308b\u76ee\u7684\u304c\u3042\u308a\u307e\u3059\u3002<\/p>\n<ul>\n<li><strong>\u6c38\u7d9a\u6027\u30b3\u30f3\u30dd\u30fc\u30cd\u30f3\u30c8:<\/strong> \u30d0\u30c3\u30af\u30c9\u30a2\u306e\u6c38\u7d9a\u5316\u3068\u3079\u3064\u306e\u30b3\u30f3\u30dd\u30fc\u30cd\u30f3\u30c8\u306e\u30c7\u30a3\u30b9\u30af\u3078\u306e\u30c9\u30ed\u30c3\u30d7\u3092\u62c5\u5f53\u3057\u307e\u3059\u3002<\/li>\n<li><strong>\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u7528\u30b3\u30f3\u30dd\u30fc\u30cd\u30f3\u30c8:<\/strong> \u30b3\u30de\u30f3\u30c9 &amp; \u30b3\u30f3\u30c8\u30ed\u30fc\u30eb (C2) \u901a\u4fe1\u3092\u62c5\u5f53\u3057\u307e\u3059\u3002<\/li>\n<li><strong>\u6a5f\u80fd\u7528\u30b3\u30f3\u30dd\u30fc\u30cd\u30f3\u30c8:<\/strong> \u30d0\u30c3\u30af\u30c9\u30a2\u306e\u3055\u307e\u3056\u307e\u306a\u30b3\u30de\u30f3\u30c9\u306e\u5b9f\u884c\u3092\u62c5\u5f53\u3057\u307e\u3059\u3002<\/li>\n<\/ul>\n<p>\u3055\u3089\u306b ToneShell \u306e\u5404\u30b3\u30f3\u30dd\u30fc\u30cd\u30f3\u30c8\u306f DLL 
\u30b5\u30a4\u30c9\u30ed\u30fc\u30c7\u30a3\u30f3\u30b0\u3092\u4ecb\u3057\u3066\u3079\u3064\u306e\u6b63\u898f\u30d7\u30ed\u30bb\u30b9\u306b\u30ed\u30fc\u30c9\u3055\u308c\u307e\u3059\u3002\u30b3\u30f3\u30dd\u30fc\u30cd\u30f3\u30c8\u9593\u306e\u5185\u90e8\u901a\u4fe1\u306f\u30d1\u30a4\u30d7\u3092\u4f7f\u3063\u3066\u884c\u308f\u308c\u307e\u3059\u3002<\/p>\n<p>\u6587\u66f8\u5316\u3055\u308c\u305f\u3053\u3068\u304c\u306a\u3044\u3053\u306e\u4e9c\u7a2e\u3068\u3001\u4ee5\u524d\u5831\u544a\u306e\u3042\u3063\u305f\u30b7\u30a7\u30eb\u30b3\u30fc\u30c9\u3092\u4f7f\u3046\u4e9c\u7a2e\u3068\u3092\u6bd4\u8f03\u3059\u308b\u3068 (\u56f3 8)\u3001\u6587\u5b57\u5217\u4e0a\u3082\u30b3\u30fc\u30c9\u30d9\u30fc\u30b9\u3084\u6a5f\u80fd\u306e\u9762\u3067\u3082\u660e\u3089\u304b\u306a\u91cd\u8907\u304c\u898b\u3089\u308c\u307e\u3059\u3002\u3053\u308c\u3089\u306e\u6587\u5b57\u5217\u306f\u3001\u30b7\u30a7\u30eb\u30b3\u30fc\u30c9\u7248\u306e\u4e9c\u7a2e\u3067\u306f\u3001\u30b9\u30bf\u30c3\u30af\u306e\u6587\u5b57\u5217\u3068\u3057\u3066\u4fdd\u5b58\u3055\u308c\u307e\u3059\u3002<\/p>\n<figure id=\"attachment_130134\" aria-describedby=\"caption-attachment-130134\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-130134 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/09\/word-image-130090-8-1.png\" alt=\"\u753b\u50cf 8 \u306f\u591a\u6570\u306e\u30b3\u30fc\u30c9\u304b\u3089\u306a\u308b\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3067\u3059\u3002\u30b3\u30fc\u30c9\u306e\u6587\u5b57\u306f\u8584\u3044\u9752\u3001\u6fc3\u3044\u9752\u3001\u7dd1\u3067\u8272\u5206\u3051\u3055\u308c\u3066\u3044\u307e\u3059\u3002\u4e0a\u306b\u8a18\u8f09\u3055\u308c\u3066\u3044\u308b\u30b3\u30fc\u30c9 \u30bb\u30af\u30b7\u30e7\u30f3\u306f\u3001ToneShell ShellCode Variant (ToneShell \u306e \u30b7\u30a7\u30eb\u30b3\u30fc\u30c9\u7248) \u3067\u3001\u4e0b\u306b\u8a18\u8f09\u3055\u308c\u3066\u3044\u308b\u306e\u304c ToneShell DLL Variant (ToneShell \u306e DLL 
\u7248\u4e9c\u7a2e) \u3067\u3059\u3002\u3053\u306e\u56f3\u306f\u4e21\u8005\u306b\u91cd\u8907\u304c\u898b\u3089\u308c\u308b\u3053\u3068\u3092\u793a\u3057\u3066\u3044\u307e\u3059\u3002\" width=\"900\" height=\"342\" \/><figcaption id=\"caption-attachment-130134\" class=\"wp-caption-text\">\u56f38. ToneShell \u306b\u898b\u3089\u308c\u308b\u6587\u5b57\u5217\u4e0a\u306e\u91cd\u8907<\/figcaption><\/figure>\n<h5><a id=\"post-130258-_u73gj9xcql77\"><\/a>\u6c38\u7d9a\u6027\u30b3\u30f3\u30dd\u30fc\u30cd\u30f3\u30c8<\/h5>\n<p>\u6c38\u7d9a\u6027\u30b3\u30f3\u30dd\u30fc\u30cd\u30f3\u30c8 (<span style=\"font-family: 'courier new', courier, monospace;\">nw.dll<\/span>\u3001<span style=\"font-family: 'courier new', courier, monospace;\">nw_elf.dll<\/span>) \u306f\u3001<span style=\"font-family: 'courier new', courier, monospace;\">PwmTower.exe<\/span> \u5185\u306b\u30b5\u30a4\u30c9\u30ed\u30fc\u30c9\u3055\u308c\u307e\u3059\u3002<span style=\"font-family: 'courier new', courier, monospace;\">PwmTower.exe<\/span> \u306f Trend Micro \u306e\u30d1\u30b9\u30ef\u30fc\u30c9 \u30de\u30cd\u30fc\u30b8\u30e3\u30fc\u3068\u3044\u3046\u65e2\u77e5\u306e\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3 \u30c4\u30fc\u30eb\u306e\u30b3\u30f3\u30dd\u30fc\u30cd\u30f3\u30c8\u3067\u3059\u3002<\/p>\n<p>\u6c38\u7d9a\u6027\u30b3\u30f3\u30dd\u30fc\u30cd\u30f3\u30c8\u306f\u3001\u30d7\u30ed\u30bb\u30b9\u306e\u3082\u3064\u6a29\u9650\u306b\u5fdc\u3058\u3066\u3055\u307e\u3056\u307e\u306a\u7a2e\u985e\u306e\u6c38\u7d9a\u5316\u3092\u4f5c\u6210\u3057\u307e\u3059\u3002\u6a29\u9650\u304c\u5341\u5206\u306a\u3089\u3001\u6c38\u7d9a\u6027\u30b3\u30f3\u30dd\u30fc\u30cd\u30f3\u30c8\u306f\u6b21\u306e 2 \u7a2e\u985e\u306e\u6c38\u7d9a\u6027\u3092\u4f5c\u6210\u3057\u307e\u3059\u3002<\/p>\n<ul>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">DISMsrv<\/span> (<span style=\"font-family: 'courier new', courier, monospace;\">Dism Images Servicing Utility Service<\/span>) 
\u3068\u3044\u3046\u540d\u524d\u306e\u30b5\u30fc\u30d3\u30b9<\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">TabletPCInputServices<\/span> \u307e\u305f\u306f <span style=\"font-family: 'courier new', courier, monospace;\">TabletInputServices<\/span> \u3068\u3044\u3046\u540d\u524d\u306e\u30b9\u30b1\u30b8\u30e5\u30fc\u30eb \u30bf\u30b9\u30af<\/li>\n<\/ul>\n<p>\u6a29\u9650\u304c\u4e0d\u8db3\u3057\u3066\u3044\u308c\u3070\u3001\u6c38\u7d9a\u6027\u30b3\u30f3\u30dd\u30fc\u30cd\u30f3\u30c8\u306f\u5225\u306e 2 \u7a2e\u985e\u306e\u6c38\u7d9a\u6027\u3092\u4f5c\u6210\u3057\u307e\u3059\u3002<\/p>\n<ul>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">TabletPCInputServices<\/span> \u307e\u305f\u306f <span style=\"font-family: 'courier new', courier, monospace;\">TabletInputServices<\/span> \u3068\u3044\u3046\u540d\u524d\u306e Run \u30ec\u30b8\u30b9\u30c8\u30ea\u30fc \u30ad\u30fc<\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">TabletPCInputServices<\/span> \u307e\u305f\u306f <span style=\"font-family: 'courier new', courier, monospace;\">TabletInputServices<\/span> \u3068\u3044\u3046\u540d\u524d\u306e\u30b9\u30b1\u30b8\u30e5\u30fc\u30eb \u30bf\u30b9\u30af<\/li>\n<\/ul>\n<p>\u6c38\u7d9a\u6027\u30b3\u30f3\u30dd\u30fc\u30cd\u30f3\u30c8\u304c\u30b5\u30fc\u30d3\u30b9\u3068\u3057\u3066\u5b9f\u884c\u3055\u308c\u308b\u3068\u3001\u3079\u3064\u306e\u30b3\u30f3\u30dd\u30fc\u30cd\u30f3\u30c8\u3092\u30c7\u30a3\u30b9\u30af\u306b\u30c9\u30ed\u30c3\u30d7\u3057\u3001\u30cd\u30c3\u30c8\u30ef\u30fc\u30af \u30b3\u30f3\u30dd\u30fc\u30cd\u30f3\u30c8\u3092\u5b9f\u884c\u3057\u307e\u3059\u3002<\/p>\n<h5><a id=\"post-130258-_6i9cb9h3q8s4\"><\/a>\u30cd\u30c3\u30c8\u30ef\u30fc\u30af \u30b3\u30f3\u30dd\u30fc\u30cd\u30f3\u30c8<\/h5>\n<p>\u30cd\u30c3\u30c8\u30ef\u30fc\u30af \u30b3\u30f3\u30dd\u30fc\u30cd\u30f3\u30c8 (<span style=\"font-family: 'courier new', courier, monospace;\">rw32core.dll<\/span>) \u306f <span style=\"font-family: 
'courier new', courier, monospace;\">Brcc32.exe<\/span> \u306b\u30b5\u30a4\u30c9\u30ed\u30fc\u30c9\u3055\u308c\u307e\u3059\u3002<span style=\"font-family: 'courier new', courier, monospace;\">Brcc32.exe<\/span> \u306f\u30a2\u30d7\u30ea\u958b\u767a\u30c4\u30fc\u30eb Embarcadero \u306e\u30ea\u30bd\u30fc\u30b9 \u30b3\u30f3\u30d1\u30a4\u30e9\u30fc\u3067\u3059\u3002<\/p>\n<p>\u30cd\u30c3\u30c8\u30ef\u30fc\u30af \u30b3\u30f3\u30dd\u30fc\u30cd\u30f3\u30c8\u306f C2 \u901a\u4fe1\u306b <span style=\"font-family: 'courier new', courier, monospace;\">www.uvfr4ep[.]com<\/span> \u3068\u3044\u3046\u30c9\u30e1\u30a4\u30f3\u3092\u4f7f\u3044\u307e\u3059\u3002\u3064\u3065\u3044\u3066\u3001\u30d1\u30a4\u30d7\u3092\u4f7f\u3063\u3066\u6a5f\u80fd\u30b3\u30f3\u30dd\u30fc\u30cd\u30f3\u30c8\u3068\u901a\u4fe1\u3057\u3001C2 \u304b\u3089\u53d7\u3051\u53d6\u3063\u305f\u30b3\u30de\u30f3\u30c9\u3092\u5b9f\u884c\u3057\u307e\u3059\u3002<\/p>\n<h5><a id=\"post-130258-_oj0dpelbmdb6\"><\/a>\u6a5f\u80fd\u30b3\u30f3\u30dd\u30fc\u30cd\u30f3\u30c8<\/h5>\n<p>\u6a5f\u80fd\u30b3\u30f3\u30dd\u30fc\u30cd\u30f3\u30c8 (<span style=\"font-family: 'courier new', courier, monospace;\">secur32.dll<\/span>) \u306f <span style=\"font-family: 'courier new', courier, monospace;\">Consent.exe<\/span> \u5185\u306b\u30b5\u30a4\u30c9\u30ed\u30fc\u30c9\u3055\u308c\u307e\u3059\u3002<span style=\"font-family: 'courier new', courier, monospace;\">Consent.exe<\/span> \u306f Windows \u306e\u30d0\u30a4\u30ca\u30ea\u30fc\u306e 1 \u3064\u3067\u3001\u30d5\u30a1\u30a4\u30eb\u306e\u30e1\u30bf\u30c7\u30fc\u30bf\u304b\u3089\u306f\u300cConsent UI for administrative applications. 
(\u7ba1\u7406\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u306e\u540c\u610f UI)\u300d\u3068\u3057\u3066\u8b58\u5225\u3055\u308c\u308b\u3082\u306e\u3067\u3059\u3002<\/p>\n<p>\u3053\u306e\u6a5f\u80fd\u30b3\u30f3\u30dd\u30fc\u30cd\u30f3\u30c8\u306f\u4ee5\u4e0b\u306e\u3088\u3046\u306a\u3053\u3068\u3092\u884c\u3048\u307e\u3059\u3002<\/p>\n<ul>\n<li>\u30b3\u30de\u30f3\u30c9\u306e\u5b9f\u884c<\/li>\n<li>\u30d5\u30a1\u30a4\u30eb \u30b7\u30b9\u30c6\u30e0\u3068\u306e\u3084\u308a\u3068\u308a<\/li>\n<li>\u30d5\u30a1\u30a4\u30eb\u306e\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3068\u30a2\u30c3\u30d7\u30ed\u30fc\u30c9<\/li>\n<li>\u30ad\u30fc\u30ed\u30ae\u30f3\u30b0<\/li>\n<li>\u753b\u9762\u306e\u30ad\u30e3\u30d7\u30c1\u30e3\u30fc<\/li>\n<\/ul>\n<p>\u56f3 9 \u306f ToneShell \u30d0\u30c3\u30af\u30c9\u30a2\u306e\u30d7\u30ed\u30bb\u30b9 \u30c4\u30ea\u30fc\u3092\u793a\u3057\u305f\u3082\u306e\u3067\u3059\u3002<\/p>\n<figure id=\"attachment_130138\" aria-describedby=\"caption-attachment-130138\" style=\"width: 600px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-130138 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/09\/word-image-130090-9-1-ja.png\" alt=\"\u753b\u50cf 9 \u306f ToneShell \u30d7\u30ed\u30bb\u30b9 \u30c4\u30ea\u30fc\u306e\u30c0\u30a4\u30a2\u30b0\u30e9\u30e0\u3067\u3059\u3002\u3053\u306e\u30d7\u30ed\u30bb\u30b9\u306f\u6c38\u7d9a\u5316\u3001\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u3001\u6a5f\u80fd\u306e\u9806\u306b\u5b9f\u884c\u3055\u308c\u307e\u3059\u3002\" width=\"600\" height=\"313\" \/><figcaption id=\"caption-attachment-130138\" class=\"wp-caption-text\">\u56f39. 
ToneShell \u306e\u30d7\u30ed\u30bb\u30b9 \u30c4\u30ea\u30fc<\/figcaption><\/figure>\n<h4><a id=\"post-130258-_7nz5ywwnh2mj\"><\/a>Web \u30b7\u30a7\u30eb<\/h4>\n<p>\u653b\u6483\u8005\u306f\u3001\u3055\u307e\u3056\u307e\u306a\u30d0\u30c3\u30af\u30c9\u30a2\u7d4c\u7531\u3067\u88ab\u5bb3\u8005\u306e\u74b0\u5883\u3078\u306e\u30a2\u30af\u30bb\u30b9\u3092\u7dad\u6301\u3057\u3066\u3044\u307e\u3057\u305f\u304c\u3001China Chopper Web \u30b7\u30a7\u30eb\u7d4c\u7531\u3067\u30a2\u30af\u30bb\u30b9\u3092\u7dad\u6301\u3059\u308b\u3053\u3068\u3082\u3042\u308a\u307e\u3057\u305f\u3002\u305f\u3068\u3048\u3070\u3001\u30d0\u30c3\u30af\u30c9\u30a2\u306e 1 \u3064\u304c\u3046\u307e\u304f\u52d5\u304b\u305a\u3001\u611f\u67d3\u5148\u306e\u30db\u30b9\u30c8\u4e0a\u3067\u30af\u30e9\u30c3\u30b7\u30e5\u3057\u305f\u3088\u3046\u306b\u898b\u3048\u308b\u30a4\u30f3\u30b9\u30bf\u30f3\u30b9\u304c\u3042\u308a\u307e\u3057\u305f\u3002\u3053\u306e\u5bfe\u7b56\u3068\u3057\u3066\u8105\u5a01\u30a2\u30af\u30bf\u30fc\u306f Web \u30b7\u30a7\u30eb\u306b\u3088\u308b\u30a2\u30af\u30bb\u30b9\u3092\u4f7f\u3044\u3001\u3046\u307e\u304f\u52d5\u3044\u3066\u3044\u306a\u3044\u30d0\u30c3\u30af\u30c9\u30a2\u306e\u30c8\u30e9\u30d6\u30eb\u30b7\u30e5\u30fc\u30c8\u3092\u884c\u3063\u3066\u3044\u307e\u3057\u305f\u3002<\/p>\n<h4><a id=\"post-130258-_7uvsnsru0pwz\"><\/a>Cobalt Strike<\/h4>\n<p>Web \u30b7\u30a7\u30eb\u3067\u306e\u30a2\u30af\u30bb\u30b9\u306b\u52a0\u3048\u3001\u3053\u306e\u8105\u5a01\u30a2\u30af\u30bf\u30fc\u306f\u30d0\u30c3\u30af\u30c9\u30a2\u306e\u52d5\u4f5c\u306b\u554f\u984c\u304c\u3042\u308b\u611f\u67d3\u30db\u30b9\u30c8\u306b Cobalt Strike \u30a8\u30fc\u30b8\u30a7\u30f3\u30c8\u3092\u914d\u5e03\u3057\u3066\u3044\u307e\u3057\u305f\u3002\u5f7c\u3089\u306f Cobalt Strike \u30a8\u30fc\u30b8\u30a7\u30f3\u30c8\u3092 <span style=\"font-family: 'courier new', courier, monospace;\">libcurl.dll<\/span> 
\u3068\u3044\u3046\u540d\u524d\u3067\u5c55\u958b\u3057\u3066\u3044\u307e\u3057\u305f\u3002<\/p>\n<p>\u3053\u306e\u653b\u6483\u8005\u306f\u3001\u60aa\u610f\u306e\u3042\u308b\u30a8\u30fc\u30b8\u30a7\u30f3\u30c8\u3092\u5b9f\u884c\u3059\u308b\u305f\u3081\u306b DLL \u30b5\u30a4\u30c9\u30ed\u30fc\u30c7\u30a3\u30f3\u30b0\u306b\u3088\u308a\u6b63\u898f\u30d7\u30ed\u30bb\u30b9\u3067\u3042\u308b <span style=\"font-family: 'courier new', courier, monospace;\">GUP.exe<\/span> \u3092\u60aa\u7528\u3057\u3066\u3044\u307e\u3057\u305f\u3002\u3053\u306e\u30d7\u30ed\u30bb\u30b9\u306f Notepad++ \u306e\u30b3\u30f3\u30dd\u30fc\u30cd\u30f3\u30c8\u3067\u3059\u3002<\/p>\n<p>\u5c55\u958b\u5f8c\u3059\u3050\u306b Cobalt Strike \u30a8\u30fc\u30b8\u30a7\u30f3\u30c8\u306f\u524a\u9664\u3055\u308c\u3066\u3044\u307e\u3057\u305f\u3002\u3053\u3046\u3057\u305f\u5c55\u958b\u3068\u524a\u9664\u3092\u884c\u3063\u305f\u7406\u7531\u3068\u3057\u3066\u3001\u3046\u307e\u304f\u52d5\u304b\u306a\u3044\u30d0\u30c3\u30af\u30c9\u30a2\u306e\u30c8\u30e9\u30d6\u30eb\u30b7\u30e5\u30fc\u30c8\u306e\u305f\u3081\u306b\u3001Cobalt Strike \u30a8\u30fc\u30b8\u30a7\u30f3\u30c8\u3092\u4e00\u6642\u7684\u306a\u6a5f\u80fd\u306e\u8ffd\u52a0\u7528\u306b\u5c0e\u5165\u3057\u305f\u3053\u3068\u304c\u8003\u3048\u3089\u308c\u307e\u3059\u3002<\/p>\n<h4><a id=\"post-130258-_weddp29hf8ed\"><\/a>ShadowPad<\/h4>\n<p>CL-STA-0044 \u306e\u80cc\u5f8c\u306b\u3044\u308b\u8105\u5a01\u30a2\u30af\u30bf\u30fc\u306f\u4f55\u5ea6\u304b <a href=\"https:\/\/malpedia.caad.fkie.fraunhofer.de\/details\/win.shadowpad\" target=\"_blank\" rel=\"noopener\">ShadowPad \u30d0\u30c3\u30af\u30c9\u30a2<\/a>\u3092\u5c55\u958b\u3057\u3066\u3044\u307e\u3057\u305f\u3002ShadowPad \u306f\u3001\u5c11\u306a\u304f\u3068\u3082 2015 \u5e74\u4ee5\u6765\u3001\u4e2d\u56fd\u306e\u8907\u6570\u306e\u653b\u6483\u8005\u304c\u4f7f\u3063\u3066\u3044\u308b\u30e2\u30b8\u30e5\u30fc\u30eb\u578b\u30de\u30eb\u30a6\u30a7\u30a2\u3067\u3001<a 
href=\"https:\/\/assets.sentinelone.com\/c\/Shadowpad?x=P42eqA#page=1\" target=\"_blank\" rel=\"noopener\">PlugX \u306e\u5f8c\u7d99\u3068\u8003\u3048\u3089\u308c\u3066\u3044\u307e\u3059<\/a>\u3002PlugX \u3082\u4e2d\u56fd\u306e\u8105\u5a01\u30a2\u30af\u30bf\u30fc\u306b\u4eba\u6c17\u306e\u3042\u308b\u30e2\u30b8\u30e5\u30fc\u30eb\u578b\u30de\u30eb\u30a6\u30a7\u30a2\u306e 1 \u3064\u3067\u3059\u3002<\/p>\n<p>\u653b\u6483\u8005\u306f DLL \u30b5\u30a4\u30c9\u30ed\u30fc\u30c7\u30a3\u30f3\u30b0\u306b\u3088\u3063\u3066 ShadowPad \u30e2\u30b8\u30e5\u30fc\u30eb (<span style=\"font-family: 'courier new', courier, monospace;\">log.dll<\/span>) \u3092\u6b63\u898f\u306e\u5b9f\u884c\u53ef\u80fd\u30d5\u30a1\u30a4\u30eb (<span style=\"font-family: 'courier new', courier, monospace;\">BDReinit.exe<\/span>) \u5185\u306b\u30ed\u30fc\u30c9\u3057\u3066\u3044\u307e\u3057\u305f\u3002<span style=\"font-family: 'courier new', courier, monospace;\">BDReinit.exe<\/span> \u3068\u3044\u3046\u306e\u306f Bitdefender Crash Handler \u30bb\u30ad\u30e5\u30ea\u30c6\u30a3 \u30c4\u30fc\u30eb\u306e 1 \u30b3\u30f3\u30dd\u30fc\u30cd\u30f3\u30c8\u3067\u3059 (\u540d\u524d\u306f <span style=\"font-family: 'courier new', courier, monospace;\">net.exe<\/span> \u306b\u5909\u66f4\u3055\u308c\u3066\u3044\u307e\u3057\u305f)\u3002<span style=\"font-family: 'courier new', courier, monospace;\">log.dll<\/span> \u306f\u3001\u30e1\u30e2\u30ea\u30fc\u306b\u30ed\u30fc\u30c9\u3055\u308c\u305f\u5f8c\u3001\u30b7\u30a7\u30eb\u30b3\u30fc\u30c9\u3092\u5fa9\u53f7\u3057\u3066\u30da\u30a4\u30ed\u30fc\u30c9\u3092\u5b9f\u884c\u3059\u308b\u305f\u3081\u3001\u540c\u3058\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u30fc\u306b\u4fdd\u5b58\u3055\u308c\u3066\u3044\u308b <span style=\"font-family: 'courier new', courier, monospace;\">log.dll.dat<\/span> \u3068\u3044\u3046\u540d\u524d\u306e\u30d5\u30a1\u30a4\u30eb\u3092\u691c\u7d22\u3057\u307e\u3059\u3002<\/p>\n<p>\u305d\u306e\u5f8c\u3001ShadowPad 
\u306f\u30b3\u30fc\u30c9\u3092\u751f\u6210\u3057\u3001\u305d\u308c\u3092 <span style=\"font-family: 'courier new', courier, monospace;\">wmplayer.exe<\/span> \u306b\u30a4\u30f3\u30b8\u30a7\u30af\u30c8\u3057\u307e\u3059\u3002\u7d9a\u3044\u3066 <span style=\"font-family: 'courier new', courier, monospace;\">wmplayer.exe<\/span> \u304c\u30b3\u30fc\u30c9\u3092\u751f\u6210\u3057\u3001\u305d\u308c\u3092 <span style=\"font-family: 'courier new', courier, monospace;\">dllhost.exe<\/span> \u306b\u30a4\u30f3\u30b8\u30a7\u30af\u30c8\u3057\u307e\u3059 (\u56f3 10)\u3002\u3053\u306e\u52d5\u4f5c\u306b\u3064\u3044\u3066\u306f\u3001Elastic Security Lab \u306e\u30ea\u30b5\u30fc\u30c1\u30e3\u30fc\u304c\u904e\u53bb\u306b<a href=\"https:\/\/www.elastic.co\/security-labs\/update-to-the-REF2924-intrusion-set-and-related-campaigns\" target=\"_blank\" rel=\"noopener\">\u89e3\u8aac\u3057\u3066\u3044\u307e\u3059<\/a>\u3002<\/p>\n<p>ShadowPad \u306f\u3001\u540d\u524d\u3092 <span style=\"font-family: 'courier new', courier, monospace;\">net.exe<\/span> \u306b\u5909\u66f4\u3055\u308c\u305f <span style=\"font-family: 'courier new', courier, monospace;\">BDReinit.exe<\/span> \u7528\u306b <span style=\"font-family: 'courier new', courier, monospace;\">DataCollectionPublisingService<\/span> (<span style=\"font-family: 'courier new', courier, monospace;\">DapSvc<\/span>) \u30b5\u30fc\u30d3\u30b9\u3092\u4f7f\u3063\u3066\u6c38\u7d9a\u6027\u3092\u4f5c\u6210\u3057\u307e\u3059\u3002\u56f3 10 \u306f ShadowPad \u306e\u30d7\u30ed\u30bb\u30b9 \u30c4\u30ea\u30fc\u3092\u793a\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<figure id=\"attachment_130140\" aria-describedby=\"caption-attachment-130140\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-130140 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/09\/word-image-130090-10-1.png\" alt=\"\u753b\u50cf 10 \u306f Cortex XDR 
\u306e\u30c0\u30a4\u30a2\u30b0\u30e9\u30e0\u306e\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3067\u3059\u3002ShadowPad \u306e\u30d7\u30ed\u30bb\u30b9 \u30c4\u30ea\u30fc\u306b\u306f\u3001\u300cProduct: BitDefender\u3001Description: BitDefender Crash Handler\u3001Original Name: BDReinit.exe\u300d\u304c\u8868\u793a\u3055\u308c\u3066\u3044\u307e\u3059\u3002\u60c5\u5831\u306e\u4e00\u90e8\u306f\u5272\u611b\u3057\u3066\u3042\u308a\u307e\u3059\u3002\" width=\"900\" height=\"247\" \/><figcaption id=\"caption-attachment-130140\" class=\"wp-caption-text\">\u56f310. ShadowPad \u306e\u30d7\u30ed\u30bb\u30b9 \u30c4\u30ea\u30fc<\/figcaption><\/figure>\n<h3><a id=\"post-130258-_23w5hx5rebg0\"><\/a>\u9ad8\u5ea6\u306b\u6a19\u7684\u3092\u7d5e\u3063\u305f\u30a4\u30f3\u30c6\u30ea\u30b8\u30a7\u30f3\u30b9\u4e3b\u5c0e\u306e\u30aa\u30da\u30ec\u30fc\u30b7\u30e7\u30f3<\/h3>\n<h4><a id=\"post-130258-_ty2orwpchc62\"><\/a>\u7279\u5b9a\u500b\u4eba\u306e\u6a19\u7684\u5316<\/h4>\n<p>\u8105\u5a01\u30a2\u30af\u30bf\u30fc\u306e\u884c\u52d5\u3092\u5206\u6790\u3057\u305f\u3068\u3053\u308d\u3001CL-STA-0044 \u306e\u80cc\u5f8c\u306b\u3044\u308b\u8105\u5a01\u30a2\u30af\u30bf\u30fc\u306f\u3001\u88ab\u5bb3\u8005\u3089\u306b\u5bfe\u3057\u304b\u306a\u308a\u306e\u6570\u306e\u8adc\u5831\u6d3b\u52d5\u3092\u884c\u3063\u3066\u3044\u305f\u3053\u3068\u304c\u793a\u5506\u3055\u308c\u307e\u3059\u3002Unit 42 \u306e\u30ea\u30b5\u30fc\u30c1\u30e3\u30fc\u306f\u8907\u6570\u306e\u30a4\u30f3\u30b9\u30bf\u30f3\u30b9\u306b\u304a\u3044\u3066\u3001\u8105\u5a01\u30a2\u30af\u30bf\u30fc\u304c\u65e2\u77e5\u306e <a href=\"https:\/\/lolbas-project.github.io\/\" target=\"_blank\" rel=\"noopener\">Lolbin<\/a> \u30e6\u30fc\u30c6\u30a3\u30ea\u30c6\u30a3\u306e <a href=\"https:\/\/learn.microsoft.com\/ja-jp\/windows-server\/administration\/windows-commands\/wevtutil\" target=\"_blank\" rel=\"noopener\">wevtutil<\/a> 
\u3092\u4f7f\u3044\u3001\u88ab\u5bb3\u7d44\u7e54\u3067\u50cd\u304f\u500b\u4eba\u306e\u7279\u5b9a\u306e\u30e6\u30fc\u30b6\u30fc\u540d\u306b\u3064\u3044\u3066\u60c5\u5831\u3092\u53ce\u96c6\u3057\u3066\u3044\u305f\u3088\u3046\u3059\u3092\u89b3\u6e2c\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<p>\u653b\u6483\u8005\u306f\u3001<span style=\"font-family: 'courier new', courier, monospace;\">Windows \u30bb\u30ad\u30e5\u30ea\u30c6\u30a3 \u30ed\u30b0\u306e\u30a4\u30d9\u30f3\u30c8 ID 4624<\/span>\u3092\u691c\u7d22\u3057\u3066\u3044\u307e\u3057\u305f\u3002\u3053\u306e\u30a4\u30d9\u30f3\u30c8 ID \u306f\u3001\u30ed\u30b0\u30a4\u30f3\u8a66\u884c\u306e\u6210\u529f\u3092\u8a18\u9332\u3059\u308b\u30a4\u30d9\u30f3\u30c8\u3067\u3059\u3002\u5f7c\u3089\u306f\u307e\u305f\u3001<span style=\"font-family: 'courier new', courier, monospace;\">Windows \u30bb\u30ad\u30e5\u30ea\u30c6\u30a3 \u30ed\u30b0 \u30a4\u30d9\u30f3\u30c8 ID 4672<\/span> \u3082\u691c\u7d22\u3057\u3066\u3044\u307e\u3057\u305f\u3002\u3053\u3061\u3089\u306e\u30ed\u30b0 ID \u306f\u3001\u65b0\u305f\u306a\u30ed\u30b0\u30a4\u30f3 \u30bb\u30c3\u30b7\u30e7\u30f3\u3078\u306e\u6a5f\u5fae\u306a\u6a29\u9650\u5272\u308a\u5f53\u3066\u3092\u8a18\u9332\u3059\u308b\u30a4\u30d9\u30f3\u30c8\u3067\u3059\u3002<\/p>\n<p>\u653b\u6483\u8005\u306f\u3053\u308c\u3089\u306e\u30ed\u30b0 
\u30a4\u30d9\u30f3\u30c8\u3092\u4f7f\u3044\u3001\u95a2\u5fc3\u306e\u5bfe\u8c61\u3068\u306a\u3063\u3066\u3044\u308b\u7279\u5b9a\u30e6\u30fc\u30b6\u30fc\u304c\u3069\u306e\u30de\u30b7\u30f3\u306b\u30ed\u30b0\u30a4\u30f3\u3057\u3066\u3044\u308b\u304b\u3092\u8abf\u3079\u3001\u3069\u306e\u30db\u30b9\u30c8\u540d\u306b\u95a2\u5fc3\u3092\u3082\u3064\u3079\u304d\u304b\u3092\u7279\u5b9a\u3057\u3066\u3044\u307e\u3057\u305f\u3002\u653b\u6483\u8005\u306f\u5f8c\u3067\u3053\u308c\u3089\u306e\u30de\u30b7\u30f3\u3092\u4fb5\u5bb3\u3057\u3001\u305d\u3053\u304b\u3089\u6a5f\u5bc6\u30c7\u30fc\u30bf\u3092\u53ce\u96c6\u3057\u3066\u6f0f\u51fa\u3055\u305b\u308b\u3064\u3082\u308a\u3067\u3057\u305f\u3002\u56f3 11 \u306f\u3001\u6210\u529f\u3057\u305f\u30ed\u30b0\u30a4\u30f3\u8a66\u884c\u3092\u691c\u7d22\u3059\u308b\u305f\u3081\u306b\u4f7f\u7528\u3055\u308c\u305f wevtutil \u3092\u793a\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<figure id=\"attachment_130142\" aria-describedby=\"caption-attachment-130142\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-130142 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/09\/word-image-130090-11-1.png\" alt=\"\u753b\u50cf 11 \u306f\u30b3\u30fc\u30c9\u306e\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3067\u3059\u3002\u3053\u308c\u306f\u3001\u6210\u529f\u3057\u305f\u30ed\u30b0\u30a4\u30f3\u8a66\u884c\u3092\u691c\u7d22\u3059\u308b wevtutil \u3067\u3059\u3002\" width=\"900\" height=\"85\" \/><figcaption id=\"caption-attachment-130142\" class=\"wp-caption-text\">\u56f311. 
wevtutil \u3067\u6210\u529f\u3057\u305f\u30ed\u30b0\u30a4\u30f3\u8a66\u884c\u3092\u691c\u7d22<\/figcaption><\/figure>\n<h3><a id=\"post-130258-_jrmp1zadwhmb\"><\/a>\u6f0f\u51fa<\/h3>\n<p>\u3053\u306e\u653b\u6483\u3092\u901a\u3058\u3001\u653b\u6483\u8005\u306f\u4fb5\u5bb3\u3057\u305f\u30de\u30b7\u30f3\u304b\u3089\u591a\u304f\u306e\u30c9\u30ad\u30e5\u30e1\u30f3\u30c8\u3084\u6a5f\u5fae\u60c5\u5831\u3092\u7a83\u53d6\u3057\u3088\u3046\u3068\u3057\u3066\u3044\u307e\u3057\u305f\u3002\u6f0f\u51fa\u306e\u524d\u306b\u30a2\u30af\u30bf\u30fc\u306f <span style=\"font-family: 'courier new', courier, monospace;\">rar.exe<\/span> \u3092\u4f7f\u3063\u3066\u6c17\u306b\u306a\u3063\u305f\u30d5\u30a1\u30a4\u30eb\u3092\u30a2\u30fc\u30ab\u30a4\u30d6\u3057\u3066\u3044\u307e\u3057\u305f\u3002<\/p>\n<p>\u56f3 12 \u306f\u3001\u8105\u5a01\u30a2\u30af\u30bf\u30fc\u304c\u4f55\u5ea6\u304b\u7279\u5b9a\u306e\u30d5\u30a1\u30a4\u30eb\u62e1\u5f35\u5b50\u3092\u691c\u7d22\u3057\u3066\u3044\u305f\u3053\u3068\u304c\u3042\u3063\u305f\u3088\u3046\u3059\u3092\u793a\u3057\u3066\u3044\u307e\u3059\u3002\u5f7c\u3089\u306f\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u30fc\u5168\u4f53\u3092\u30a2\u30fc\u30ab\u30a4\u30d6\u3057\u305f\u3053\u3068\u3082\u3042\u308a\u307e\u3057\u305f\u3002<\/p>\n<figure id=\"attachment_130144\" aria-describedby=\"caption-attachment-130144\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-130144 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/09\/word-image-130090-12-1.png\" alt=\"\u753b\u50cf 12 \u306f Cortex XDR \u306e\u753b\u9762\u306e\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3067\u3059\u3002\u3053\u308c\u306f\u3001\u7279\u5b9a\u306e\u30d5\u30a1\u30a4\u30eb\u62e1\u5f35\u5b50\u306e\u30a2\u30fc\u30ab\u30a4\u30d6\u3067\u3059\u3002\u60c5\u5831\u306e\u4e00\u90e8\u306f\u5272\u611b\u3057\u3066\u3042\u308a\u307e\u3059\u3002\" width=\"900\" height=\"179\" \/><figcaption id=\"caption-attachment-130144\" 
class=\"wp-caption-text\">\u56f312. \u7279\u5b9a\u306e\u30d5\u30a1\u30a4\u30eb\u62e1\u5f35\u5b50\u3092\u30a2\u30fc\u30ab\u30a4\u30d6\u3057\u3066\u3044\u308b<\/figcaption><\/figure>\n<p>\u653b\u6483\u8005\u306f\u3055\u307e\u3056\u307e\u306a\u30c4\u30fc\u30eb\u3092\u4f7f\u3063\u3066\u30c7\u30fc\u30bf\u6f0f\u51fa\u3092\u958b\u59cb\u3057\u307e\u3057\u305f\u3002\u4fb5\u5bb3\u6e08\u307f\u306e\u30db\u30b9\u30c8\u4e0a\u3067\u306f ToneShell \u30d0\u30c3\u30af\u30c9\u30a2\u3092\u4f7f\u3063\u3066 <span style=\"font-family: 'courier new', courier, monospace;\">rar.exe<\/span> \u304c\u5b9f\u884c\u3055\u308c\u307e\u3057\u305f\u3002\u307e\u3060\u4fb5\u5bb3\u3055\u308c\u3066\u3044\u306a\u3044\u30db\u30b9\u30c8\u306b\u30a2\u30af\u30bb\u30b9\u3059\u308b\u305f\u3081\u3001\u5f7c\u3089\u306f Impacket \u3084 RemCom \u306a\u3069\u306e\u30c4\u30fc\u30eb\u3092\u4f7f\u3063\u3066\u30ea\u30e2\u30fc\u30c8\u304b\u3089 <span style=\"font-family: 'courier new', courier, monospace;\">rar.exe<\/span> \u3092\u5b9f\u884c\u3057\u3066\u3044\u307e\u3057\u305f\u3002RemCom \u306f\u30ea\u30e2\u30fc\u30c8\u306b\u3042\u308b Windows \u30b7\u30b9\u30c6\u30e0\u4e0a\u3067\u30d7\u30ed\u30bb\u30b9\u3092\u5b9f\u884c\u3067\u304d\u308b\u3088\u3046\u306b\u3059\u308b\u305f\u3081\u306e\u30ea\u30e2\u30fc\u30c8 \u30b7\u30a7\u30eb\u306a\u3044\u3057 telnet \u306e\u4ee3\u66ff\u30c4\u30fc\u30eb\u3067\u3059\u3002<\/p>\n<p>\u8105\u5a01\u30a2\u30af\u30bf\u30fc\u306f\u95a2\u5fc3\u306e\u5bfe\u8c61\u3068\u306a\u3063\u305f\u30db\u30b9\u30c8\u4e0a\u3067\u30d5\u30a1\u30a4\u30eb \u30a2\u30fc\u30ab\u30a4\u30d6\u3092\u62c5\u5f53\u3059\u308b\u30b9\u30af\u30ea\u30d7\u30c8 (<span style=\"font-family: 'courier new', courier, monospace;\">autorun.vbs<\/span>) \u7528\u306b\u6c38\u7d9a\u6027\u3092\u4f5c\u6210\u3057\u3066\u3044\u307e\u3057\u305f (\u56f3 13)\u3002\u305d\u308c\u306b\u3042\u305f\u3063\u3066\u3001\u5f7c\u3089\u306f\u3053\u306e VBS \u30b9\u30af\u30ea\u30d7\u30c8\u3092\u30b9\u30bf\u30fc\u30c8\u30a2\u30c3\u30d7 
\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u30fc\u306b\u4fdd\u5b58\u3057\u3066\u3044\u307e\u3057\u305f\u3002\u3053\u308c\u306b\u3088\u308a\u3001\u30de\u30b7\u30f3\u306e\u96fb\u6e90\u304c\u30aa\u30f3\u306b\u306a\u308b\u305f\u3073\u3001VBS \u30b9\u30af\u30ea\u30d7\u30c8\u304c\u5b9f\u884c\u3055\u308c\u308b\u3088\u3046\u306b\u306a\u308a\u307e\u3059\u3002\u3053\u306e\u3053\u3068\u306f\u3001\u3053\u308c\u304c\u4e00\u5ea6\u9650\u308a\u306e\u30aa\u30da\u30ec\u30fc\u30b7\u30e7\u30f3\u3067\u306f\u306a\u304f\u3001\u5f53\u8a72\u88ab\u5bb3\u8005\u304b\u3089\u7d99\u7d9a\u7684\u306b\u60c5\u5831\u3092\u5165\u624b\u3059\u308b\u3068\u3044\u3046\u653b\u6483\u8005\u306e\u76ee\u6a19\u3092\u793a\u5506\u3057\u3066\u3044\u305f\u53ef\u80fd\u6027\u304c\u3042\u308a\u307e\u3059\u3002<\/p>\n<figure id=\"attachment_130146\" aria-describedby=\"caption-attachment-130146\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-130146 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/09\/word-image-130090-13-1.png\" alt=\"\u753b\u50cf 13 \u306f Cortex XDR \u306e\u30c0\u30a4\u30a2\u30b0\u30e9\u30e0\u306e\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3067\u3059\u3002\u3053\u306e\u56f3\u306f\u30a2\u30fc\u30ab\u30a4\u30d6\u3092\u62c5\u5f53\u3059\u308b\u30b9\u30af\u30ea\u30d7\u30c8\u306e\u305f\u3081\u306b\u4f5c\u6210\u3055\u308c\u305f\u6c38\u7d9a\u6027\u3067\u3059\u3002\u60c5\u5831\u306e\u4e00\u90e8\u306f\u5272\u611b\u3057\u3066\u3042\u308a\u307e\u3059\u3002\" width=\"900\" height=\"169\" \/><figcaption id=\"caption-attachment-130146\" class=\"wp-caption-text\">\u56f313. 
\u30a2\u30fc\u30ab\u30a4\u30d6\u3092\u62c5\u5f53\u3059\u308b\u30b9\u30af\u30ea\u30d7\u30c8\u306e\u305f\u3081\u306b\u6c38\u7d9a\u6027\u3092\u4f5c\u6210<\/figcaption><\/figure>\n<p>\u30d5\u30a1\u30a4\u30eb\u306e\u30a2\u30fc\u30ab\u30a4\u30d6\u5f8c\u3001\u30a2\u30af\u30bf\u30fc\u304c 2 \u3064\u306e\u6f0f\u51fa\u624b\u6cd5\u3092\u4f7f\u3063\u3066\u3044\u308b\u3088\u3046\u3059\u304c\u89b3\u6e2c\u3055\u308c\u307e\u3057\u305f\u30021 \u3064\u3081\u306f\u3001curl \u3068 ftp \u3092\u4f7f\u3044\u3001\u30d5\u30a1\u30a4\u30eb\u3092 <span style=\"font-family: 'courier new', courier, monospace;\">ftp.1fichier[.]com<\/span> \u3068\u3044\u3046\u540d\u524d\u306e\u30af\u30e9\u30a6\u30c9 \u30b9\u30c8\u30ec\u30fc\u30b8 \u30b5\u30a4\u30c8\u306b\u30a2\u30c3\u30d7\u30ed\u30fc\u30c9\u3059\u308b\u65b9\u6cd5\u3067\u3059\u3002<\/p>\n<p>2 \u3064\u3081\u306f\u3001\u30d5\u30a1\u30a4\u30eb \u30db\u30b9\u30c6\u30a3\u30f3\u30b0 \u30b5\u30fc\u30d3\u30b9\u306e Dropbox \u306b\u30a2\u30fc\u30ab\u30a4\u30d6 \u30d5\u30a1\u30a4\u30eb\u3092\u30a2\u30c3\u30d7\u30ed\u30fc\u30c9\u3059\u308b\u65b9\u6cd5\u3067\u3059 (\u56f3 14)\u3002\u3053\u308c\u306f\u8105\u5a01\u30a2\u30af\u30bf\u30fc\u304c\u3088\u304f\u4f7f\u3046\u6f0f\u51fa\u624b\u6cd5\u3067\u3059\u3002Dropbox \u30b5\u30fc\u30d3\u30b9\u306f\u5408\u6cd5\u7684\u306b\u4f7f\u308f\u308c\u3066\u3044\u308b\u4eba\u6c17\u30b5\u30fc\u30d3\u30b9\u306a\u306e\u3067\u3001\u305d\u3053\u304b\u3089\u60aa\u610f\u306e\u3042\u308b\u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3\u3092\u691c\u51fa\u3059\u308b\u306e\u306f\u3080\u305a\u304b\u3057\u3044\u305f\u3081\u3067\u3059\u3002<\/p>\n<figure id=\"attachment_130148\" aria-describedby=\"caption-attachment-130148\" style=\"width: 600px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-130148 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/09\/word-image-130090-14-1.png\" alt=\"\u753b\u50cf 14 
\u306f\u4f55\u884c\u3082\u3042\u308b\u30b3\u30fc\u30c9\u306e\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3067\u3059\u3002\u3053\u306e\u56f3\u3067\u306f\u8105\u5a01\u30a2\u30af\u30bf\u30fc\u304c\u30a2\u30fc\u30ab\u30a4\u30d6 \u30d5\u30a1\u30a4\u30eb\u3092 Dropbox \u306b\u30a2\u30c3\u30d7\u30ed\u30fc\u30c9\u3059\u308b\u3053\u3068\u3067\u30c7\u30fc\u30bf\u306e\u6f0f\u51fa\u3092\u884c\u3063\u3066\u3044\u307e\u3059\u3002\" width=\"600\" height=\"75\" \/><figcaption id=\"caption-attachment-130148\" class=\"wp-caption-text\">\u56f314. Dropbox \u3092\u4f7f\u3063\u305f\u30c7\u30fc\u30bf\u306e\u6f0f\u51fa<\/figcaption><\/figure>\n<p>\u8105\u5a01\u30a2\u30af\u30bf\u30fc\u304c\u60aa\u610f\u3092\u3082\u3063\u3066\u6b63\u898f\u88fd\u54c1\u3092\u60aa\u7528\u30fb\u8ee2\u7528\u3059\u308b\u306e\u306f\u73cd\u3057\u3044\u3053\u3068\u3067\u306f\u306a\u304f\u3001\u60aa\u7528\u3055\u308c\u305f\u6b63\u898f\u88fd\u54c1\u5074\u306b\u5fc5\u305a\u3057\u3082\u306a\u306b\u304b\u554f\u984c\u3084\u60aa\u610f\u304c\u3042\u308b\u3068\u3044\u3046\u3053\u3068\u306f\u610f\u5473\u3057\u307e\u305b\u3093\u306e\u3067\u305d\u306e\u70b9\u306f\u3054\u6ce8\u610f\u304f\u3060\u3055\u3044\u3002<\/p>\n<h2><a id=\"post-130258-_tq1dor2kohe0\"><\/a><strong>\u5e30\u5c5e<\/strong><\/h2>\n<p>\u5165\u624b\u3067\u304d\u305f\u60c5\u5831\u3092\u5206\u6790\u3057\u305f\u7d50\u679c\u3001\u79c1\u305f\u3061\u306f\u3001CL-STA-0044 \u306e\u4e00\u90e8\u3068\u3057\u3066\u89b3\u6e2c\u3055\u308c\u305f\u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3\u304c\u3001APT \u30b0\u30eb\u30fc\u30d7 Stately Taurus \u306b\u95a2\u9023\u3057\u3066\u3044\u308b\u3053\u3068\u3092\u3001\u4e2d\u301c\u9ad8\u306e\u78ba\u5ea6\u3067\u8a55\u4fa1\u3057\u3066\u3044\u307e\u3059\u3002\u3053\u306e\u30b0\u30eb\u30fc\u30d7\u306f\u3001Mustang Panda\u3001BRONZE PRESIDENT\u3001TA416\u3001RedDelta\u3001Earth Preta 
\u306a\u3069\u306e\u5225\u540d\u3067\u3082\u77e5\u3089\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n<p>\u5e30\u5c5e\u306e\u6700\u521d\u306e\u8ef8\u3068\u306a\u308b\u306e\u306f\u3001\u540c\u30af\u30e9\u30b9\u30bf\u30fc\u304c\u4f7f\u3063\u3066\u3044\u305f\u30d0\u30c3\u30af\u30c9\u30a2\u3067\u3059\u3002CL-STA-0044 \u306e\u80cc\u5f8c\u3067\u653b\u6483\u8005\u304c\u4f7f\u3063\u3066\u3044\u308b\u4e3b\u306a\u30d0\u30c3\u30af\u30c9\u30a2\u306f\u6587\u66f8\u5316\u3055\u308c\u3066\u3044\u306a\u3044 ToneShell \u30d0\u30c3\u30af\u30c9\u30a2\u306e\u4e9c\u7a2e\u3067\u3001\u4ee5\u524d <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/k\/earth-preta-spear-phishing-governments-worldwide.html\" target=\"_blank\" rel=\"noopener\">Trend Micro <\/a>\u304c Stately Taurus \u306b\u3088\u308b\u540c\u30d0\u30c3\u30af\u30c9\u30a2\u306e\u4f7f\u7528\u3092\u5831\u544a\u3057\u3066\u3044\u307e\u3059\u3002ToneShell \u306f\u3053\u306e\u30b0\u30eb\u30fc\u30d7\u306e\u72ec\u81ea\u30c4\u30fc\u30eb\u306e\u3088\u3046\u3067\u3059\u3002\u672c\u7a3f\u57f7\u7b46\u6642\u70b9\u3067\u306f ToneShell \u30d0\u30c3\u30af\u30c9\u30a2\u3092\u4f7f\u3063\u3066\u3044\u308b\u3053\u3068\u304c\u516c\u306b\u6587\u66f8\u5316\u3055\u308c\u3066\u3044\u308b\u65e2\u77e5\u306e APT \u653b\u6483\u30b0\u30eb\u30fc\u30d7\u306f\u307b\u304b\u306b\u3042\u308a\u307e\u305b\u3093\u3002<\/p>\n<p>\u3053\u306e\u307b\u304b\u3001CL-STA-0044 \u306e\u80cc\u5f8c\u306b\u3044\u308b\u8105\u5a01\u30a2\u30af\u30bf\u30fc\u306f ShadowPad \u30d0\u30c3\u30af\u30c9\u30a2\u3092\u5c55\u958b\u3057\u3066\u3044\u307e\u3057\u305f\u3002ShadowPad \u306f\u8907\u96d1\u306a\u30e2\u30b8\u30e5\u30fc\u30eb\u578b\u30de\u30eb\u30a6\u30a7\u30a2\u3067\u3001\u5c11\u306a\u304f\u3068\u3082 2015 
\u5e74\u4ee5\u6765\u3001\u4e2d\u56fd\u306e\u56fd\u5bb6\u652f\u63f4\u578b\u306e\u653b\u6483\u8005\u306e\u307f\u304c\u4f7f\u3063\u3066\u304d\u305f\u3082\u306e\u3067\u3059\u3002\u3055\u3089\u306b\u3001\u4eca\u56de\u306e\u30ad\u30e3\u30f3\u30da\u30fc\u30f3\u3067\u89b3\u5bdf\u3055\u308c\u305f ShadowPad \u306e\u30d5\u30a1\u30a4\u30eb\u540d\u3068\u52d5\u4f5c\u306b\u306f\u3001<a href=\"https:\/\/www.elastic.co\/security-labs\/update-to-the-REF2924-intrusion-set-and-related-campaigns\" target=\"_blank\" rel=\"noopener\">Elastic Security Labs \u306e\u30ea\u30b5\u30fc\u30c1\u30e3\u30fc\u304c\u904e\u53bb\u306b\u89e3\u8aac\u3057\u3066\u3044\u308b<\/a>\u52d5\u4f5c\u3068\u306e\u91cd\u8907\u304c\u898b\u3089\u308c\u307e\u3059\u3002\u3053\u306e\u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3\u306f\u3001\u4e2d\u56fd\u3068\u3064\u306a\u304c\u308b\u56fd\u76ca\u306e\u305f\u3081\u306b\u30aa\u30da\u30ec\u30fc\u30b7\u30e7\u30f3\u3092\u884c\u3063\u3066\u3044\u308b\u3068\u8003\u3048\u3089\u308c\u308b\u8105\u5a01\u30a2\u30af\u30bf\u30fc\u306e TTP \u3068\u4f3c\u3066\u3044\u307e\u3059\u3002<\/p>\n<p>\u5e30\u5c5e\u306e 2 \u3064\u3081\u306e\u8ef8\u306f\u88ab\u5bb3\u8005\u5b66\u3067\u3059\u3002\u79c1\u305f\u3061\u306f\u3001\u6771\u5357\u30a2\u30b8\u30a2\u306e\u3042\u308b\u56fd\u306e\u653f\u5e9c\u90e8\u9580\u3092\u6a19\u7684\u3068\u3057\u305f CL-STA-0044 \u306b\u95a2\u9023\u3059\u308b\u6d3b\u52d5\u3092\u89b3\u6e2c\u3057\u307e\u3057\u305f\u3002Stately Taurus \u306f\u305d\u306e\u5730\u57df\u306e\u653f\u5e9c\u30bb\u30af\u30bf\u30fc\u3092\u6a19\u7684\u3068\u3057\u3066\u3044\u308b\u3053\u3068\u304c<a href=\"https:\/\/www.trendmicro.com\/en_ae\/research\/22\/k\/earth-preta-spear-phishing-governments-worldwide.html\" target=\"_blank\" 
rel=\"noopener\">\u4ee5\u524d\u306b\u5831\u544a\u3055\u308c\u3066\u3044\u307e\u3059<\/a>\u3002<\/p>\n<p>\u7279\u7570\u306a\u30c4\u30fc\u30eb\u3068\u89b3\u6e2c\u3055\u308c\u305f\u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3\u306e\u7d44\u307f\u5408\u308f\u305b\u304b\u3089\u3001CL-STA-0044 \u306e\u80cc\u5f8c\u306b\u3044\u308b\u8105\u5a01\u30a2\u30af\u30bf\u30fc\u306f Stately Taurus APT \u653b\u6483\u30b0\u30eb\u30fc\u30d7\u3067\u3042\u308b\u53ef\u80fd\u6027\u304c\u9ad8\u3044\u3068\u3044\u3046\u5f37\u3044\u7591\u3044\u304c\u751f\u3058\u307e\u3059\u3002\u3053\u306e\u7591\u3044\u306f\u3001Stately Taurus \u304c\u3088\u304f\u4f7f\u7528\u3057\u3066\u3044\u308b ToneShell \u30d0\u30c3\u30af\u30c9\u30a2\u3084\u3001\u4e2d\u56fd\u306e\u56fd\u5bb6\u652f\u63f4\u3084 APT \u3068\u95a2\u9023\u3057\u3066\u3044\u308b\u30d0\u30c3\u30af\u30c9\u30a2\u306e ShadowPad \u306e\u5c55\u958b\u3084\u3001\u88ab\u5bb3\u8005\u5b66\u306b\u57fa\u3065\u304f\u3082\u306e\u3067\u3059\u3002<\/p>\n<h2><a id=\"post-130258-_4gn4tgsayiwz\"><\/a><strong>\u7d50\u8ad6<\/strong><\/h2>\n<p>\u672c\u7a3f\u3067\u306f CL-STA-0044 \u30af\u30e9\u30b9\u30bf\u30fc\u306e\u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3\u306b\u3064\u3044\u3066\u89e3\u8aac\u3057\u307e\u3057\u305f\u3002\u3053\u306e\u30af\u30e9\u30b9\u30bf\u30fc\u306f\u3001\u6771\u5357\u30a2\u30b8\u30a2\u306e\u3042\u308b\u56fd\u306e\u653f\u5e9c\u90e8\u9580\u3092\u6a19\u7684\u306b\u3057\u3066\u3044\u308b\u3053\u3068\u304c\u89b3\u6e2c\u3055\u308c\u305f<a href=\"https:\/\/unit42.paloaltonetworks.jp\/analysis-of-three-attack-clusters-in-se-asia\" target=\"_blank\" rel=\"noopener\"> 3 \u3064\u306e\u30af\u30e9\u30b9\u30bf\u30fc<\/a>\u306e\u3046\u3061\u306e 1 \u3064\u3067\u3059\u3002\u79c1\u305f\u3061\u306f CL-STA-0044 \u306e\u80cc\u5f8c\u306b\u3044\u308b\u8105\u5a01\u30a2\u30af\u30bf\u30fc\u306e\u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3\u3092\u4e2d\u301c\u9ad8\u306e\u78ba\u5ea6\u3067 Stately Taurus 
\u3068\u95a2\u9023\u4ed8\u3051\u3066\u3044\u307e\u3059\u3002<\/p>\n<p>\u3053\u306e\u30aa\u30da\u30ec\u30fc\u30b7\u30e7\u30f3\u4e2d\u3001\u8105\u5a01\u30a2\u30af\u30bf\u30fc\u306f\u9577\u671f\u7684\u306a\u30aa\u30da\u30ec\u30fc\u30b7\u30e7\u30f3\u306b\u5411\u3051\u305f\u30b3\u30f3\u30c8\u30ed\u30fc\u30eb\u306e\u7dad\u6301\u306b\u91cd\u304d\u3092\u7f6e\u3044\u3066\u304a\u308a\u3001\u6642\u9593\u3092\u304b\u3051\u3066\u88ab\u5bb3\u8005\u74b0\u5883\u3092\u30b3\u30f3\u30c8\u30ed\u30fc\u30eb\u3057\u3066\u3044\u307e\u3057\u305f\u3002\u3053\u306e\u8105\u5a01\u30a2\u30af\u30bf\u30fc\u306e\u6d3b\u52d5\u76ee\u7684\u306f\u3001\u6a5f\u5fae\u306a\u6587\u66f8\u3084\u30a4\u30f3\u30c6\u30ea\u30b8\u30a7\u30f3\u30b9\u3092\u7d99\u7d9a\u7684\u306b\u53ce\u96c6\u3057\u3001\u6f0f\u51fa\u3059\u308b\u3053\u3068\u306b\u3042\u3063\u305f\u3068\u601d\u308f\u308c\u307e\u3059\u3002<\/p>\n<p>\u4eca\u56de\u306e\u79c1\u305f\u3061\u306e\u8abf\u67fb\u7d50\u679c\u3092\u3059\u3079\u3066\u306e\u7d44\u7e54\u306b\u6d3b\u304b\u3057\u3066\u3044\u305f\u3060\u304d\u3001\u540c\u8105\u5a01\u30b0\u30eb\u30fc\u30d7\u306b\u5bfe\u3059\u308b\u9632\u5fa1\u3092\u9ad8\u3081\u3066\u3044\u305f\u3060\u304f\u3053\u3068\u3092\u304a\u52e7\u3081\u3057\u307e\u3059\u3002<\/p>\n<h2><a id=\"post-130258-_mf3k1d3b3om7\"><\/a><strong>\u4fdd\u8b77\u3068\u7de9\u548c\u7b56<\/strong><\/h2>\n<p>\u30d1\u30ed\u30a2\u30eb\u30c8\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30b9\u88fd\u54c1\u3092\u3054\u5229\u7528\u306e\u304a\u5ba2\u69d8\u306b\u306f\u3001\u5f0a\u793e\u306e\u88fd\u54c1\u30fb\u30b5\u30fc\u30d3\u30b9\u3092\u901a\u3058\u3001\u524d\u8ff0\u306e\u8105\u5a01\u306b\u95a2\u9023\u3059\u308b\u4ee5\u4e0b\u306e\u5bfe\u7b56\u304c\u63d0\u4f9b\u3055\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n<ul>\n<li>\u30af\u30e9\u30a6\u30c9\u914d\u4fe1\u578b\u30de\u30eb\u30a6\u30a7\u30a2\u89e3\u6790\u30b5\u30fc\u30d3\u30b9 <a href=\"https:\/\/www.paloaltonetworks.jp\/products\/secure-the-network\/wildfire\" target=\"_blank\" rel=\"noopener\">WildFire<\/a> 
\u306f\u65e2\u77e5\u306e\u30b5\u30f3\u30d7\u30eb\u3092\u60aa\u610f\u306e\u3042\u308b\u3082\u306e\u3068\u3057\u3066\u6b63\u78ba\u306b\u8b58\u5225\u3057\u307e\u3059\u3002<\/li>\n<li><a href=\"https:\/\/www.paloaltonetworks.jp\/network-security\/advanced-url-filtering\" target=\"_blank\" rel=\"noopener\">Advanced URL Filtering<\/a> \u3068 <a href=\"https:\/\/www.paloaltonetworks.jp\/network-security\/dns-security\" target=\"_blank\" rel=\"noopener\">DNS Security<\/a> \u306f\u540c\u8105\u5a01\u30b0\u30eb\u30fc\u30d7\u306b\u95a2\u9023\u4ed8\u3051\u3089\u308c\u305f\u65e2\u77e5\u306e\u30c9\u30e1\u30a4\u30f3\u3092\u60aa\u610f\u306e\u3042\u308b\u3082\u306e\u3068\u3057\u3066\u8b58\u5225\u3057\u307e\u3059\u3002<\/li>\n<li><a href=\"https:\/\/www.paloaltonetworks.jp\/cortex\/cortex-xdr\" target=\"_blank\" rel=\"noopener\">Cortex XDR<\/a> \u3068 <a href=\"https:\/\/www.paloaltonetworks.com\/cortex\/cortex-xsiam\" target=\"_blank\" rel=\"noopener\">Cortex XSIAM<\/a>\n<ul>\n<li>\u65e2\u77e5\u306e\u60aa\u610f\u306e\u3042\u308b\u30de\u30eb\u30a6\u30a7\u30a2\u306e\u5b9f\u884c\u3092\u9632\u6b62\u3059\u308b\u307b\u304b\u3001\u30ed\u30fc\u30ab\u30eb\u5206\u6790\u30e2\u30b8\u30e5\u30fc\u30eb\u306b\u3082\u3068\u3065\u304f\u6a5f\u68b0\u5b66\u7fd2\u3068 <a href=\"https:\/\/www.paloaltonetworks.jp\/network-security\/advanced-threat-prevention\" target=\"_blank\" rel=\"noopener\">Behavioral Threat Protection<\/a> \u306b\u3088\u3063\u3066\u672a\u77e5\u306e\u30de\u30eb\u30a6\u30a7\u30a2\u306e\u5b9f\u884c\u3082\u9632\u6b62\u3057\u307e\u3059\u3002<\/li>\n<li>Cortex XDR 3.4 \u304b\u3089\u5229\u7528\u53ef\u80fd\u306b\u306a\u3063\u305f\u65b0\u305f\u306a Credential Gathering Protection \u3092\u4f7f\u3044\u3001\u30af\u30ec\u30c7\u30f3\u30b7\u30e3\u30eb\u3092\u53ce\u96c6\u3059\u308b\u30c4\u30fc\u30eb\u3084\u6280\u8853\u304b\u3089\u4fdd\u8b77\u3057\u307e\u3059\u3002<\/li>\n<li>Cortex XDR \u30d0\u30fc\u30b8\u30e7\u30f3 3.4 \u3067\u65b0\u305f\u306b\u30ea\u30ea\u30fc\u30b9\u3055\u308c\u305f Anti-Webshell 
Protection \u3092\u4f7f\u3044\u3001\u8105\u5a01\u306b\u3088\u308b Web \u30b7\u30a7\u30eb\u304b\u3089\u306e\u30b3\u30de\u30f3\u30c9\u306e\u30c9\u30ed\u30c3\u30d7\u3084\u5b9f\u884c\u304b\u3089\u4fdd\u8b77\u3057\u307e\u3059\u3002<\/li>\n<li>Anti-Exploitation \u30e2\u30b8\u30e5\u30fc\u30eb\u3068 Behavioral Threat Protection \u3092\u4f7f\u3044\u3001 ProxyShell \u3084 ProxyLogon \u542b\u3080\u3001\u3055\u307e\u3056\u307e\u306a\u8106\u5f31\u6027\u306e\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u304b\u3089\u4fdd\u8b77\u3057\u307e\u3059\u3002<\/li>\n<li>Cortex XDR Pro \u306f\u632f\u308b\u821e\u3044\u5206\u6790\u306b\u3088\u308a\u3001\u30af\u30ec\u30c7\u30f3\u30b7\u30e3\u30eb \u30d9\u30fc\u30b9\u653b\u6483\u3092\u542b\u3080\u3001<a href=\"https:\/\/docs.paloaltonetworks.com\/cortex\/cortex-xdr\/cortex-xdr-analytics-alert-reference\/cortex-xdr-analytics-alert-reference\/analytics-alerts-by-required-data-source\">\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u5f8c\u306e\u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3<\/a>\u3092\u691c\u51fa\u3057\u307e\u3059\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>\u4fb5\u5bb3\u306e\u61f8\u5ff5\u304c\u3042\u308a\u5f0a\u793e\u306b\u30a4\u30f3\u30b7\u30c7\u30f3\u30c8\u30ec\u30b9\u30dd\u30f3\u30b9\u306b\u95a2\u3059\u308b\u3054\u76f8\u8ac7\u3092\u306a\u3055\u308a\u305f\u3044\u5834\u5408\u306f\u3001<a href=\"https:\/\/start.paloaltonetworks.jp\/contact-unit42.html\" target=\"_blank\" rel=\"noopener\">\u3053\u3061\u3089\u306e\u30d5\u30a9\u30fc\u30e0<\/a>\u304b\u3089\u3054\u9023\u7d61\u3044\u305f\u3060\u304f\u304b\u3001infojapan@paloaltonetworks.com\u307e\u3067\u30e1\u30fc\u30eb\u306b\u3066\u3054\u9023\u7d61\u3044\u305f\u3060\u304f\u304b\u3001\u4e0b\u8a18\u306e\u96fb\u8a71\u756a\u53f7\u307e\u3067\u304a\u554f\u3044\u5408\u308f\u305b\u304f\u3060\u3055\u3044 
(\u3054\u76f8\u8ac7\u306f\u5f0a\u793e\u88fd\u54c1\u306e\u304a\u5ba2\u69d8\u306b\u306f\u9650\u5b9a\u3055\u308c\u307e\u305b\u3093)\u3002<\/p>\n<ul>\n<li>\u5317\u7c73\u30d5\u30ea\u30fc\u30c0\u30a4\u30e4\u30eb\uff1a866.486.4842 (866.4.UNIT42)<\/li>\n<li>EMEA: +31.20.299.3130<\/li>\n<li>APAC: +65.6983.8730<\/li>\n<li>\u65e5\u672c: (+81) 50-1790-0200<\/li>\n<\/ul>\n<p>\u30d1\u30ed\u30a2\u30eb\u30c8\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30b9\u306f\u3001\u30d5\u30a1\u30a4\u30eb \u30b5\u30f3\u30d7\u30eb\u3084 IoC (\u4fb5\u5bb3\u6307\u6a19) \u3092\u3075\u304f\u3080\u8abf\u67fb\u7d50\u679c\u3092 Cyber Threat Alliance (CTA: \u30b5\u30a4\u30d0\u30fc\u8105\u5a01\u30a2\u30e9\u30a4\u30a2\u30f3\u30b9) \u306e\u30e1\u30f3\u30d0\u30fc\u3068\u5171\u6709\u3057\u307e\u3057\u305f\u3002CTA \u306e\u30e1\u30f3\u30d0\u30fc\u306f\u3053\u306e\u30a4\u30f3\u30c6\u30ea\u30b8\u30a7\u30f3\u30b9\u3092\u4f7f\u3063\u3066\u3001\u304a\u5ba2\u69d8\u306b\u4fdd\u8b77\u3092\u8fc5\u901f\u306b\u63d0\u4f9b\u3057\u3001\u60aa\u610f\u306e\u3042\u308b\u30b5\u30a4\u30d0\u30fc\u653b\u6483\u8005\u3092\u4f53\u7cfb\u7684\u306b\u963b\u5bb3\u3059\u308b\u3053\u3068\u304c\u3067\u304d\u307e\u3059\u3002\u8a73\u7d30\u306f <a href=\"https:\/\/www.cyberthreatalliance.org\" target=\"_blank\" rel=\"noopener\">Cyber Threat Alliance<\/a> \u306b\u3066\u3054\u78ba\u8a8d\u304f\u3060\u3055\u3044\uff61<\/p>\n<h2><a id=\"post-130258-_ydqdbjg0dngh\"><\/a><strong>IoC (\u4fb5\u5bb3\u6307\u6a19)<\/strong><\/h2>\n<h3><a id=\"post-130258-_xizwln6h76oj\"><\/a><strong>CL-STA-0044<\/strong><\/h3>\n<h3><a id=\"post-130258-_olh7p8ovu2b8\"><\/a>LadonGo<\/h3>\n<ul>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">4a8b7cfb2e33aa079ba51166591c7a210ad8b3c7c7f242fccf8cb2e71e8e40d5<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">12534f7014b3338d8f9f86ff1bbeacf8c80ad03f1d0d19077ff0e406c58b5133<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, 
monospace;\">6868f5ce836034557e05c7ddea006a91d6fc59de7e235c9b08787bd6dbd2b837<\/span><\/li>\n<\/ul>\n<h3><a id=\"post-130258-_i5f90t3mfyd2\"><\/a>NBTScan<\/h3>\n<ul>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">541bac89b3a414e06b45d778f86b245675922e8b11f866c8b6a827c5d418e598<\/span><\/li>\n<\/ul>\n<h3><a id=\"post-130258-_pmq16vg9zukt\"><\/a>AdFind<\/h3>\n<ul>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">8445aa54adf4d666e65084909a7b989a190ec6eca2844546c2e99a8cfb832fad<\/span><\/li>\n<\/ul>\n<h3><a id=\"post-130258-_v8wvaxkiv94m\"><\/a>Impacket<\/h3>\n<ul>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">b000a0095a8fda38227103f253b6d79134b862a83df50315d7d9c5b537fd994b<\/span><\/li>\n<\/ul>\n<h3><a id=\"post-130258-_sk13g9f8gi9g\"><\/a>Hdump<\/h3>\n<ul>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">64ab1c1b19682026900d060b969ab3c3ab860988733b7e7bf3ba78a4ea0340b9<\/span><\/li>\n<\/ul>\n<h3><a id=\"post-130258-_w46vbvoq4u17\"><\/a>MimiKatz<\/h3>\n<ul>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">31eb1de7e840a342fd468e558e5ab627bcb4c542a8fe01aec4d5ba01d539a0fc<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">2254e3242943c0afe038baeafe8381bbff136e6d8f681f0f446bf0e458900643<\/span><\/li>\n<\/ul>\n<h3><a id=\"post-130258-_52g8qgctb0jv\"><\/a>ToneShell \u306e\u6c38\u7d9a\u6027\u30b3\u30f3\u30dd\u30fc\u30cd\u30f3\u30c8<\/h3>\n<ul>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">2f5cf595ac4d6a59be78a781c5ba126c2ff6d6e5956dc0a7602e6ba8e6665694<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">0f2f0458d2f1ac4233883e96fe1f4cc6db1551cdcfdd49c43311429af03a1cd5<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">011fe9974f07cb12ba30e69e7a84e5cb489ce14a81bced59a11031fc0c3681b7<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, 
monospace;\">3fc4d023d96f339945683f6dc7d9e19a9a62b901bef6dc26c5918ce9508be273<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">3a429b8457ad611b7c3528e4b41e8923dd2aee32ccd2cc5cf5ff83e69c1253c2<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">f58d3d376c8e26b4ae3c2bbaa4ae76ca183f32823276e6432a945bcbc63266d9<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">46c6ee9195f3bd30f51eb6611623aad1ba17f5e0cde0b5523ab51e0c5b641dbf<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">86140e6770fbd0cc6988f025d52bb4f59c0d78213c75451b42c9f812fe1a9354<\/span><\/li>\n<\/ul>\n<h3><a id=\"post-130258-_rh6viv77x5ke\"><\/a>ToneShell \u306e\u30cd\u30c3\u30c8\u30ef\u30fc\u30af \u30b3\u30f3\u30dd\u30fc\u30cd\u30f3\u30c8<\/h3>\n<ul>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">a08e0d1839b86d0d56a52d07123719211a3c3d43a6aa05aa34531a72ed1207dc<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">19d07dbc58b8e076cafd98c25cae5d7ac6f007db1c8ec0fae4ce6c7254b8f073<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">8e801d3a36decc5e4ce6fd3e8e45b098966aef8cbe7535ed0a789575775a68b6<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">df4ba449f30f3ed31a344931dc77233b27e06623355ece23855ee4fe8a75c267<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">345ef3fb73aa75538fdcf780d2136642755a9f20dbd22d93bee26e93fb6ab8fd<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">3a5e69786ac1c458e27d38a966425abb6fb493a41110393a4878c811557a3b5b<\/span><\/li>\n<\/ul>\n<h3><a id=\"post-130258-_lc8539z9zwxq\"><\/a>ToneShell \u306e\u6a5f\u80fd\u30b3\u30f3\u30dd\u30fc\u30cd\u30f3\u30c8<\/h3>\n<ul>\n<li><span style=\"font-family: 'courier new', courier, 
monospace;\">66b7983831cbb952ceeb1ffff608880f1805f1df0b062cef4c17b258b7f478ce<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">f2a6a326fb8937bbc32868965f7475f4af0f42f3792e80156cc57108fc09c034<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">dafa952aacf18beeb1ebf47620589639223a2e99fb2fa5ce2de1e7ef7a56caa0<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">52cd066f498a66823107aed7eaa4635eee6b7914acded926864f1aae59571991<\/span><\/li>\n<\/ul>\n<h3><a id=\"post-130258-_vu5f8v8k6czk\"><\/a>Cobalt Strike<\/h3>\n<ul>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">8129bd45466c2676b248c08bb0efcd9ccc8b684abf3435e290fcf4739c0a439f<\/span><\/li>\n<\/ul>\n<h3><a id=\"post-130258-_6po7vusu5jow\"><\/a>ShadowPad<\/h3>\n<ul>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">1874b20e3e802406c594341699c5863a2c07c4c79cf762888ee28142af83547f<\/span><\/li>\n<\/ul>\n<h3><a id=\"post-130258-_gm18nht30v5m\"><\/a>RemCom<\/h3>\n<ul>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">3c2fe308c0a563e06263bbacf793bbe9b2259d795fcc36b953793a7e499e7f71<\/span><\/li>\n<\/ul>\n<h3><a id=\"post-130258-_hqqyl8xeib0n\"><\/a>\u30a4\u30f3\u30d5\u30e9<\/h3>\n<ul>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">www.uvfr4ep[.]com<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">Feed-5613.coderformylife[.]info<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">45.64.184[.]189<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">43.254.132[.]242<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">103.27.202[.]68<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">67.53.148[.]77<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, 
monospace;\">207.246.89[.]250<\/span><\/li>\n<\/ul>\n<h3><a id=\"post-130258-_abzy5iukl0i7\"><\/a>\u30d5\u30a1\u30a4\u30eb \u30d1\u30b9<\/h3>\n<ul>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">C:\\Users\\Public\\Videos\\<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">C:\\Users\\Public\\Pictures\\<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">C:\\Users\\Public\\Music\\<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">C:\\Windows\\Help\\Help\\<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">C:\\Windows\\Vss\\<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">C:\\Windows\\Help\\mui\\<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">C:\\Windows\\Help\\en-US\\<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">C:\\Windows\\Logs\\logs\\<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">C:\\Windows\\Logs\\files\\<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">C:\\Windows\\Help\\Corporate\\<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">C:\\PerfLogs\\<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">C:\\Recovery\\<\/span><\/li>\n<\/ul>\n<h2><a id=\"post-130258-_eoura034lmtc\"><\/a>\u8ffd\u52a0\u30ea\u30bd\u30fc\u30b9<\/h2>\n<ul>\n<li><strong>\u672c\u7a3f\u95a2\u9023\u8a18\u4e8b<\/strong>: <a href=\"https:\/\/unit42.paloaltonetworks.jp\/analysis-of-three-attack-clusters-in-se-asia\" target=\"_blank\" rel=\"noopener\">Unit 42 \u6771\u5357\u30a2\u30b8\u30a2\u653f\u5e9c\u3092\u6a19\u7684\u3068\u3059\u308b\u8907\u6570\u306e\u30b9\u30d1\u30a4\u6d3b\u52d5\u3092\u767a\u898b<\/a> \u2013 \u30d1\u30ed\u30a2\u30eb\u30c8\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30b9 Unit 42\n<ul>\n<li><a 
href=\"https:\/\/unit42.paloaltonetworks.jp\/alloy-taurus-targets-se-asian-government\" target=\"_blank\" rel=\"noopener\">\u6771\u5357\u30a2\u30b8\u30a2\u653f\u5e9c\u3078\u306e\u57f7\u62d7\u306a\u30b5\u30a4\u30d0\u30fc\u30b9\u30d1\u30a4\u6d3b\u52d5\u306b Alloy Taurus \u304c\u95a2\u4e0e<\/a> \u2013 \u30d1\u30ed\u30a2\u30eb\u30c8\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30b9 Unit 42<\/li>\n<li><span class=\"s1\"><span class=\"s1\"><a href=\"https:\/\/unit42.paloaltonetworks.jp\/rare-possible-gelsemium-attach-targets-se-asia\" target=\"_blank\" rel=\"noopener\">APT \u653b\u6483\u30b0\u30eb\u30fc\u30d7 Gelsemium \u3068\u306e\u95a2\u4e0e\u304c\u7591\u308f\u308c\u308b\u7a00\u306a\u30d0\u30c3\u30af\u30c9\u30a2 \u6771\u5357\u30a2\u30b8\u30a2\u653f\u5e9c\u3078\u306e\u6a19\u7684\u578b\u653b\u6483\u3067\u767a\u898b<\/a><\/span><\/span> \u2013 \u30d1\u30ed\u30a2\u30eb\u30c8\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30b9 Unit 42<\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/www.cybereason.com\/blog\/research\/deadringer-exposing-chinese-threat-actors-targeting-major-telcos\">DeadRinger: Exposing Chinese Threat Actors Targeting Major Telcos<\/a> \u2013 Malicious Life, Cybereason<\/li>\n<li><a href=\"https:\/\/medium.com\/cycraft\/taiwan-government-targeted-by-multiple-cyberattacks-in-april-2020-3b20cea1dc20\">Taiwan Government Targeted by Multiple Cyberattacks in April 2020<\/a> \u2013 CyCraft Technology Corp, Medium<\/li>\n<li><a href=\"https:\/\/symantec-enterprise-blogs.security.com\/blogs\/threat-intelligence\/espionage-asia-governments\">New Wave of Espionage Activity Targets Asian Governments<\/a> \u2013 Threat Intelligence, Symantec<\/li>\n<li><a href=\"https:\/\/www.erai.com\/CustomUploads\/ca\/wp\/2015_12_wp_operation_iron_tiger.pdf\">Operation Iron Tiger: Exploring Chinese Cyber-Espionage Attacks on United States Defense Contractors<\/a> [PDF] \u2013 TrendLabs Research Paper, Trend Micro Cybersafety Solutions Team<\/li>\n<li><a 
href=\"https:\/\/www.sentinelone.com\/labs\/shadowpad-a-masterpiece-of-privately-sold-malware-in-chinese-espionage\/\">ShadowPad | A Masterpiece of Privately Sold Malware in Chinese Espionage<\/a> \u2013 SentinelLabs<\/li>\n<li><a href=\"https:\/\/hitcon.org\/2022\/slides\/Earth-Lusca-Revealing-a-Worldwide-Cyberespionage-Operation.pdf\">Earth Lusca: Revealing a Worldwide Cyberespionage Operation<\/a> [PDF] \u2013 Joseph Chen, Trend Micro<\/li>\n<li><a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/k\/earth-preta-spear-phishing-governments-worldwide.html\">Earth Preta Spear-Phishing Governments Worldwide<\/a> \u2013 Trend Micro<\/li>\n<li><a href=\"https:\/\/www.wired.co.uk\/article\/china-hack-emails-asean-southeast-asia\">China Is Relentlessly Hacking Its Neighbors<\/a> \u2013 WIRED UK<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>\u6982\u8981 \u4e2d\u301c\u9ad8\u306e\u78ba\u5ea6\u3067 Stately Taurus \u3067\u3042\u308b\u3068\u8003\u3048\u3089\u308c\u308b\u9ad8\u5ea6\u6301\u7d9a\u7684\u8105\u5a01 (APT) \u30b0\u30eb\u30fc\u30d7\u304c\u3001\u6771\u5357\u30a2\u30b8\u30a2\u306e\u3042\u308b\u653f\u5e9c\u3092\u6a19\u7684\u3068\u3057\u3001\u591a\u6570\u306e\u30b5\u30a4\u30d0\u30fc\u30b9\u30d1\u30a4\u4fb5\u5165\u306b\u95a2\u4e0e\u3057\u3066\u3044\u307e\u3057\u305f\u3002\u3053\u308c\u3089\u306e\u4fb5\u5165\u306f\u9045\u304f\u3068\u3082 2021 
<\/p>\n","protected":false},"author":22,"featured_media":134316,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1974,4433,4431],"tags":[4501,4567,4957,4959,4571,4961,4573,4963,4941,4943],"product_categories":[4441,4443,4444,4448,4450,4465],"coauthors":[3808,4094,935],"class_list":["post-130258","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-ja","category-nation-state-cyberattacks-ja","category-threat-actor-groups-ja","tag-backdoor-ja","tag-bronze-president-ja","tag-cl-sta-0044-ja","tag-earth-preta-ja","tag-mustang-panda-ja","tag-reddelta-ja","tag-stately-taurus-ja","tag-ta416-ja","tag-threat-actors-ja","tag-web-shells-ja","product_categories-advanced-dns-security-ja","product_categories-advanced-url-filtering-ja","product_categories-advanced-wildfire-ja","product_categories-cortex-xdr-ja","product_categories-cortex-xsiam-ja","product_categories-unit-42-incident-response-ja"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.0 (Yoast SEO v27.0) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>\u6771\u5357\u30a2\u30b8\u30a2\u653f\u5e9c\u3078\u306e\u30b5\u30a4\u30d0\u30fc\u30b9\u30d1\u30a4\u653b\u6483\u306b Stately Taurus (\u5225\u540d Mustang Panda) \u304c\u95a2\u4e0e<\/title>\n<meta name=\"description\" content=\"APT \u653b\u6483\u30b0\u30eb\u30fc\u30d7 Stately Taurus (\u5225\u540d Mustang Panda) 
\u304c\u6771\u5357\u30a2\u30b8\u30a2\u306e\u3042\u308b\u653f\u5e9c\u306b\u5bfe\u3059\u308b\u30b5\u30a4\u30d0\u30fc\u30b9\u30d1\u30a4\u6d3b\u52d5\u3092\u5c55\u958b\u3057\u3066\u3044\u307e\u3057\u305f\u3002\u540c\u30a2\u30af\u30bf\u30fc\u306b\u3088\u308b\u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3\u306b\u306f\u4fb5\u5bb3\u3057\u305f\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u304b\u3089\u306e\u6a5f\u5fae\u6587\u66f8\u3084\u30a4\u30f3\u30c6\u30ea\u30b8\u30a7\u30f3\u30b9\u306e\u6f0f\u51fa\u306a\u3069\u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3057\u305f\u3002\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/unit42.paloaltonetworks.com\/ja\/stately-taurus-attacks-se-asian-government\/\" \/>\n<meta property=\"og:locale\" content=\"ja_JP\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\u6771\u5357\u30a2\u30b8\u30a2\u653f\u5e9c\u3078\u306e\u30b5\u30a4\u30d0\u30fc\u30b9\u30d1\u30a4\u653b\u6483\u306b Stately Taurus (\u5225\u540d Mustang Panda) \u304c\u95a2\u4e0e\" \/>\n<meta property=\"og:description\" content=\"APT \u653b\u6483\u30b0\u30eb\u30fc\u30d7 Stately Taurus (\u5225\u540d Mustang Panda) \u304c\u6771\u5357\u30a2\u30b8\u30a2\u306e\u3042\u308b\u653f\u5e9c\u306b\u5bfe\u3059\u308b\u30b5\u30a4\u30d0\u30fc\u30b9\u30d1\u30a4\u6d3b\u52d5\u3092\u5c55\u958b\u3057\u3066\u3044\u307e\u3057\u305f\u3002\u540c\u30a2\u30af\u30bf\u30fc\u306b\u3088\u308b\u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3\u306b\u306f\u4fb5\u5bb3\u3057\u305f\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u304b\u3089\u306e\u6a5f\u5fae\u6587\u66f8\u3084\u30a4\u30f3\u30c6\u30ea\u30b8\u30a7\u30f3\u30b9\u306e\u6f0f\u51fa\u306a\u3069\u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3057\u305f\u3002\" \/>\n<meta property=\"og:url\" content=\"https:\/\/unit42.paloaltonetworks.com\/ja\/stately-taurus-attacks-se-asian-government\/\" \/>\n<meta property=\"og:site_name\" content=\"Unit 
42\" \/>\n<meta property=\"article:published_time\" content=\"2023-09-27T06:00:41+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-07-31T00:50:48+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2024\/06\/06_Hactivism_Overview_1920x900.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1920\" \/>\n\t<meta property=\"og:image:height\" content=\"900\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Lior Rochberger, Tom Fakterman, Robert Falcone\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"\u6771\u5357\u30a2\u30b8\u30a2\u653f\u5e9c\u3078\u306e\u30b5\u30a4\u30d0\u30fc\u30b9\u30d1\u30a4\u653b\u6483\u306b Stately Taurus (\u5225\u540d Mustang Panda) \u304c\u95a2\u4e0e","description":"APT \u653b\u6483\u30b0\u30eb\u30fc\u30d7 Stately Taurus (\u5225\u540d Mustang Panda) \u304c\u6771\u5357\u30a2\u30b8\u30a2\u306e\u3042\u308b\u653f\u5e9c\u306b\u5bfe\u3059\u308b\u30b5\u30a4\u30d0\u30fc\u30b9\u30d1\u30a4\u6d3b\u52d5\u3092\u5c55\u958b\u3057\u3066\u3044\u307e\u3057\u305f\u3002\u540c\u30a2\u30af\u30bf\u30fc\u306b\u3088\u308b\u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3\u306b\u306f\u4fb5\u5bb3\u3057\u305f\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u304b\u3089\u306e\u6a5f\u5fae\u6587\u66f8\u3084\u30a4\u30f3\u30c6\u30ea\u30b8\u30a7\u30f3\u30b9\u306e\u6f0f\u51fa\u306a\u3069\u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3057\u305f\u3002","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/unit42.paloaltonetworks.com\/ja\/stately-taurus-attacks-se-asian-government\/","og_locale":"ja_JP","og_type":"article","og_title":"\u6771\u5357\u30a2\u30b8\u30a2\u653f\u5e9c\u3078\u306e\u30b5\u30a4\u30d0\u30fc\u30b9\u30d1\u30a4\u653b\u6483\u306b 
Stately Taurus (\u5225\u540d Mustang Panda) \u304c\u95a2\u4e0e","og_description":"APT \u653b\u6483\u30b0\u30eb\u30fc\u30d7 Stately Taurus (\u5225\u540d Mustang Panda) \u304c\u6771\u5357\u30a2\u30b8\u30a2\u306e\u3042\u308b\u653f\u5e9c\u306b\u5bfe\u3059\u308b\u30b5\u30a4\u30d0\u30fc\u30b9\u30d1\u30a4\u6d3b\u52d5\u3092\u5c55\u958b\u3057\u3066\u3044\u307e\u3057\u305f\u3002\u540c\u30a2\u30af\u30bf\u30fc\u306b\u3088\u308b\u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3\u306b\u306f\u4fb5\u5bb3\u3057\u305f\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u304b\u3089\u306e\u6a5f\u5fae\u6587\u66f8\u3084\u30a4\u30f3\u30c6\u30ea\u30b8\u30a7\u30f3\u30b9\u306e\u6f0f\u51fa\u306a\u3069\u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3057\u305f\u3002","og_url":"https:\/\/unit42.paloaltonetworks.com\/ja\/stately-taurus-attacks-se-asian-government\/","og_site_name":"Unit 42","article_published_time":"2023-09-27T06:00:41+00:00","article_modified_time":"2024-07-31T00:50:48+00:00","og_image":[{"width":1920,"height":900,"url":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2024\/06\/06_Hactivism_Overview_1920x900.jpg","type":"image\/jpeg"}],"author":"Lior Rochberger, Tom Fakterman, Robert Falcone","twitter_card":"summary_large_image","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/stately-taurus-attacks-se-asian-government\/#article","isPartOf":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/stately-taurus-attacks-se-asian-government\/"},"author":{"name":"Robert Falcone","@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/99e613cb620722a191a363182abe6fb1"},"headline":"\u6771\u5357\u30a2\u30b8\u30a2\u653f\u5e9c\u3078\u306e\u30b5\u30a4\u30d0\u30fc\u30b9\u30d1\u30a4\u653b\u6483\u306b Stately Taurus (\u5225\u540d Mustang Panda) 
\u304c\u95a2\u4e0e","datePublished":"2023-09-27T06:00:41+00:00","dateModified":"2024-07-31T00:50:48+00:00","mainEntityOfPage":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/stately-taurus-attacks-se-asian-government\/"},"wordCount":1153,"commentCount":0,"image":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/stately-taurus-attacks-se-asian-government\/#primaryimage"},"thumbnailUrl":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2024\/06\/06_Hactivism_Overview_1920x900.jpg","keywords":["backdoor","BRONZE PRESIDENT","CL-STA-0044","Earth Preta","Mustang Panda","RedDelta","Stately Taurus","TA416","threat actors","web shells"],"articleSection":["\u30de\u30eb\u30a6\u30a7\u30a2","\u56fd\u5bb6\u652f\u63f4\u578b\u30b5\u30a4\u30d0\u30fc\u653b\u6483","\u8105\u5a01\u30a2\u30af\u30bf\u30fc \u30b0\u30eb\u30fc\u30d7"],"inLanguage":"ja","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/unit42.paloaltonetworks.com\/ja\/stately-taurus-attacks-se-asian-government\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/stately-taurus-attacks-se-asian-government\/","url":"https:\/\/unit42.paloaltonetworks.com\/ja\/stately-taurus-attacks-se-asian-government\/","name":"\u6771\u5357\u30a2\u30b8\u30a2\u653f\u5e9c\u3078\u306e\u30b5\u30a4\u30d0\u30fc\u30b9\u30d1\u30a4\u653b\u6483\u306b Stately Taurus (\u5225\u540d Mustang Panda) 
\u304c\u95a2\u4e0e","isPartOf":{"@id":"https:\/\/unit42.paloaltonetworks.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/stately-taurus-attacks-se-asian-government\/#primaryimage"},"image":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/stately-taurus-attacks-se-asian-government\/#primaryimage"},"thumbnailUrl":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2024\/06\/06_Hactivism_Overview_1920x900.jpg","datePublished":"2023-09-27T06:00:41+00:00","dateModified":"2024-07-31T00:50:48+00:00","author":{"@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/99e613cb620722a191a363182abe6fb1"},"description":"APT \u653b\u6483\u30b0\u30eb\u30fc\u30d7 Stately Taurus (\u5225\u540d Mustang Panda) \u304c\u6771\u5357\u30a2\u30b8\u30a2\u306e\u3042\u308b\u653f\u5e9c\u306b\u5bfe\u3059\u308b\u30b5\u30a4\u30d0\u30fc\u30b9\u30d1\u30a4\u6d3b\u52d5\u3092\u5c55\u958b\u3057\u3066\u3044\u307e\u3057\u305f\u3002\u540c\u30a2\u30af\u30bf\u30fc\u306b\u3088\u308b\u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3\u306b\u306f\u4fb5\u5bb3\u3057\u305f\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u304b\u3089\u306e\u6a5f\u5fae\u6587\u66f8\u3084\u30a4\u30f3\u30c6\u30ea\u30b8\u30a7\u30f3\u30b9\u306e\u6f0f\u51fa\u306a\u3069\u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3057\u305f\u3002","breadcrumb":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/stately-taurus-attacks-se-asian-government\/#breadcrumb"},"inLanguage":"ja","potentialAction":[{"@type":"ReadAction","target":["https:\/\/unit42.paloaltonetworks.com\/ja\/stately-taurus-attacks-se-asian-government\/"]}]},{"@type":"ImageObject","inLanguage":"ja","@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/stately-taurus-attacks-se-asian-government\/#primaryimage","url":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2024\/06\/06_Hactivism_Overview_1920x900.jpg","contentUrl":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2024\/06\/06_Hactivism_Overview_1920x900.jpg","width":1920,"heigh
t":900,"caption":"Digital map of the world with continents highlighted in gold against a dark background, overlaid with various numerical data and graphs suggesting a data analysis theme."},{"@type":"BreadcrumbList","@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/stately-taurus-attacks-se-asian-government\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/unit42.paloaltonetworks.com\/ja\/"},{"@type":"ListItem","position":2,"name":"\u6771\u5357\u30a2\u30b8\u30a2\u653f\u5e9c\u3078\u306e\u30b5\u30a4\u30d0\u30fc\u30b9\u30d1\u30a4\u653b\u6483\u306b Stately Taurus (\u5225\u540d Mustang Panda) \u304c\u95a2\u4e0e"}]},{"@type":"WebSite","@id":"https:\/\/unit42.paloaltonetworks.com\/#website","url":"https:\/\/unit42.paloaltonetworks.com\/","name":"Unit 42","description":"Palo Alto Networks","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/unit42.paloaltonetworks.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"ja"},{"@type":"Person","@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/99e613cb620722a191a363182abe6fb1","name":"Robert Falcone","image":{"@type":"ImageObject","inLanguage":"ja","@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/image\/4ffb3c2d260a0150fb91b3715442f8b3","url":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2018\/11\/unit-news-meta.svg","contentUrl":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2018\/11\/unit-news-meta.svg","caption":"Robert 
Falcone"},"url":"https:\/\/unit42.paloaltonetworks.com\/ja\/author\/robertfalcone\/"}]}},"_links":{"self":[{"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/posts\/130258","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/users\/22"}],"replies":[{"embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/comments?post=130258"}],"version-history":[{"count":8,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/posts\/130258\/revisions"}],"predecessor-version":[{"id":135951,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/posts\/130258\/revisions\/135951"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/media\/134316"}],"wp:attachment":[{"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/media?parent=130258"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/categories?post=130258"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/tags?post=130258"},{"taxonomy":"product_categories","embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/product_categories?post=130258"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/coauthors?post=130258"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}