memory.raw<\/code>\u30d5\u30a1\u30a4\u30eb\u3002
\u306a\u3093\u3060\u304b\u308f\u304b\u3089\u306a\u3044\u304c\u3001\u3068\u308a\u3042\u3048\u305a\u30e1\u30e2\u30ea\u30d5\u30a9\u30ec\u30f3\u30b8\u30c3\u30af\u3068\u8a00\u3048\u3070Volatility<\/a>\u3068\u3044\u3046\u3053\u3068\u3067\u3084\u3063\u3066\u307f\u308b\u3002<\/p>\n\n\n\n$ vol3 -f memory.raw windows.info\nVolatility 3 Framework 2.4.2\nProgress: 100.00 PDB scanning finished\nVariable Value\n\nKernel Base 0xf80648600000\nDTB 0x1ae000\nSymbols file:\/\/\/home\/tkito\/volatility3\/volatility3\/symbols\/windows\/ntkrnlmp.pdb\/797E613DB16DB6C0E57795A0CB03F471-1.json.xz\nIs64Bit True\nIsPAE False\nlayer_name 0 WindowsIntel32e\nmemory_layer 1 FileLayer\nKdVersionBlock 0xf806492099b8\nMajor\/Minor 15.22621\nMachineType 34404\nKeNumberProcessors 4\nSystemTime 2023-04-18 08:45:26\nNtSystemRoot C:\\Windows\nNtProductType NtProductWinNt\nNtMajorVersion 10\nNtMinorVersion 0\nPE MajorOperatingSystemVersion 10\nPE MinorOperatingSystemVersion 0\nPE Machine 34404\nPE TimeDateStamp Tue Aug 10 18:00:02 1982\n<\/pre><\/div>\n\n\nWindows 10\u3068\u3044\u3046\u3053\u3068\u3067\u307b\u3063\u3068\u4e00\u5b89\u5fc3\u3002Windows\/Linux\/Mac\u3058\u3083\u306a\u304b\u3063\u305f\u3089\u3069\u3046\u3057\u3088\u3046\u304b\u3068\u3002<\/p>\n\n\n\n
Windows\u3068\u308f\u304b\u3063\u305f\u306e\u3067\u3001\u602a\u3057\u3044\u3084\u3064\u304c\u3044\u306a\u3044\u304b\u898b\u3066\u3044\u3053\u3046\u3002<\/p>\n\n\n
\n$ vol3 -f memory.raw windows.pstree\nVolatility 3 Framework 2.4.2\nProgress: 100.00 PDB scanning finished\nPID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime\n\n...snip...\n\n*** 748 640 winlogon.exe 0xd38576750080 3 - 1 False 2023-04-18 08:36:17.000000 N\/A\n**** 952 748 fontdrvhost.ex 0xd385768630c0 5 - 1 False 2023-04-18 08:36:18.000000 N\/A\n**** 4344 748 userinit.exe 0xd38577cc1080 0 - 1 False 2023-04-18 08:36:24.000000 2023-04-18 08:36:54.000000\n***** 4384 4344 explorer.exe 0xd38577cd9080 71 - 1 False 2023-04-18 08:36:24.000000 N\/A\n****** 5472 4384 OneDrive.exe 0xd38579656080 22 - 1 False 2023-04-18 08:36:45.000000 N\/A\n****** 2468 4384 VBoxTray.exe 0xd3857998a080 13 - 1 False 2023-04-18 08:36:44.000000 N\/A\n****** 4484 4384 SecurityHealth 0xd3857997e080 2 - 1 False 2023-04-18 08:36:43.000000 N\/A\n****** 2788 4384 cmd.exe 0xd385741eb140 2 - 1 False 2023-04-18 08:37:55.000000 N\/A\n******* 5536 2788 winpmem_mini_x 0xd3857af020c0 3 - 1 False 2023-04-18 08:45:12.000000 N\/A\n******* 2900 2788 conhost.exe 0xd385741ed140 4 - 1 False 2023-04-18 08:37:55.000000 N\/A\n****** 4688 4384 regedit.exe 0xd38571e42140 3 - 1 False 2023-04-18 08:39:38.000000 N\/A\n****** 6772 4384 cmd.exe 0xd3857ae980c0 2 - 1 False 2023-04-18 08:44:16.000000 N\/A\n******* 1460 6772 conhost.exe 0xd38579426080 6 - 1 False 2023-04-18 08:44:16.000000 N\/A\n******* 2068 6772 powershell.exe 0xd3857a35e080 20 - 1 False 2023-04-01 08:44:54.000000 N\/A\n**** 724 748 LogonUI.exe 0xd3857698d1c0 0 - 1 False 2023-04-18 08:36:18.000000 2023-04-18 08:36:31.000000\n**** 1028 748 dwm.exe 0xd3857694c080 18 - 1 False 2023-04-18 08:36:18.000000 N\/A\n<\/pre><\/div>\n\n\nexplorer.exe\u306e\u5b50\u30d7\u30ed\u30bb\u30b9\u3092\u898b\u3066\u3044\u304f\u3002
OneDrive.exe<\/code>\u3084VBoxTray.exe<\/code>\u3001SecurityHealth(Systray.exe)<\/code>\u306f\u7279\u306b\u5909\u306a\u3082\u306e\u3067\u306f\u306a\u3044\u3002
cmd.exe<\/code>\u304b\u3089\u306ewinpmem_mini_x<\/code>\u306f\u3053\u306e\u30e1\u30e2\u30ea\u30a4\u30e1\u30fc\u30b8\u3092\u53d6\u5f97\u3057\u305fWinPmem<\/a>\u306e\u30d7\u30ed\u30bb\u30b9\u3067\u3042\u308d\u3046\u3002
\u6b8b\u308bregedit.exe\u3068cmd.exe\u304b\u3089\u306epowershell.exe\u306f\u554f\u984c\u306a\u3044\u3068\u306f\u8a00\u3048\u306a\u3044\u306e\u3067\u3001\u3053\u306e\u8fba\u3092\u8a73\u3057\u304f\u898b\u3066\u3044\u3063\u305f\u65b9\u304c\u3088\u3055\u305d\u3046\u3002
regedit.exe\u306fGUI\u306a\u306e\u3067\u5f8c\u56de\u3057\u306b\u3057\u3066\u3001powershell.exe\u306b\u3064\u3044\u3066\u8a73\u3057\u304f\u77e5\u308b\u305f\u3081\u3001\u30b3\u30de\u30f3\u30c9\u30e9\u30a4\u30f3\u3092\u53d6\u5f97\u3057\u3066\u307f\u308b\u3002<\/p>\n\n\n\n\u203bMarkdown\u3067\u30e1\u30e2\u53d6\u3063\u3066\u305f\u3089Windows Defender\u306b\u6012\u3089\u308c\u305f\u306e\u3067\u3001\u3053\u3053\u304b\u3089\u306f\u753b\u50cf\u3067\u3002<\/p>\n\n\n
\n![\"\"](\"https:\/\/emeth.jp\/diary\/wp-content\/uploads\/2023\/04\/image-1.png\")
<\/a><\/figure>\n<\/div>\n\n\n\u660e\u3089\u304b\u306b\u602a\u3057\u3044\u30b3\u30de\u30f3\u30c9\u30e9\u30a4\u30f3\u3002\u4ee5\u4e0b\u30b3\u30de\u30f3\u30c9\u30e9\u30a4\u30f3\u306e\u7c21\u5358\u306a\u89e3\u8aac\u3002<\/p>\n\n\n\n
\npOwERsHEll<\/code>\n\n- Windows\u306e\u30b3\u30de\u30f3\u30c9\u30e9\u30a4\u30f3\u3067\u306f\u5927\u6587\u5b57\u5c0f\u6587\u5b57\u3092\u533a\u5225\u3057\u306a\u3044\u306e\u3067\u8981\u3059\u308b\u306b
powershell<\/code><\/li>\n<\/ul>\n<\/li>\n\n\n\n-eP bYpASs ( = -ep bypass)<\/code>\n\n-ep<\/code>\u306f-ExecutionPolicy<\/code>\u306e\u7565\u3002Bypass<\/code>\u3067\u4f55\u306e\u5236\u7d04\u3082\u306a\u304f\u5b9f\u884c\u3067\u304d\u308b\u3002
\u8a73\u3057\u304f\u306f\u5b9f\u884c\u30dd\u30ea\u30b7\u30fc\u306b\u3064\u3044\u3066 – PowerShell | Microsoft Learn<\/a>\u3092\u53c2\u7167\u3002<\/li>\n<\/ul>\n<\/li>\n\n\n\n-e JgAg...<\/code>\n\n-e<\/code>\u306f\u4ee5\u964d\u306e\u6587\u5b57\u5217\u3092Base64\u3067\u30a8\u30f3\u30b3\u30fc\u30c9\u3055\u308c\u305f\u30b3\u30de\u30f3\u30c9\u5217\u3068\u307f\u306a\u3059\u3002\u8981\u3059\u308b\u306b\u5f8c\u308d\u306e\u6587\u5b57\u5217\u3092Base64\u3067\u3067\u30b3\u30fc\u30c9\u3059\u308c\u3070\u5b9f\u884c\u3057\u3088\u3046\u3068\u3057\u3066\u3044\u308b\u30b3\u30de\u30f3\u30c9\u304c\u51fa\u3066\u304f\u308b\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n\u3068\u3044\u3046\u308f\u3051\u3067Base64\u30c7\u30b3\u30fc\u30c9\u3057\u3066\u307f\u308b\u3002<\/p>\n\n\n
\n![\"\"](\"https:\/\/emeth.jp\/diary\/wp-content\/uploads\/2023\/04\/image-2-1024x606.png\")
<\/a><\/figure>\n<\/div>\n\n\n$PSHOME<\/code>\u306f\u901a\u5e38\u306e\u74b0\u5883\u3060\u3068'C:\\Windows\\System32\\WindowsPowerShell\\v1.0'<\/code>\u306a\u306e\u3067\u3001$PsHOme[4]+$psHoME[34]+'X'<\/code>\u306f'iex'<\/code>\u306b\u306a\u308b\u3002
iex<\/code>\u306fInvoke-Expression<\/code>\u306e\u30a8\u30a4\u30ea\u30a2\u30b9\u3067\u3001\u30d1\u30e9\u30e1\u30fc\u30bf\u3068\u3057\u3066\u6e21\u3055\u308c\u305f\u6587\u5b57\u5217\u3092PowerShell\u30b3\u30de\u30f3\u30c9\u3068\u3057\u3066\u5b9f\u884c\u3059\u308b\u30b3\u30de\u30f3\u30c9\u30ec\u30c3\u30c8\u3067\u3042\u308b\u3002<\/p>\n\n\n\n<\u4f59\u8ac7>
\u3053\u3053\u3067\u3001\u3053\u306e\u6b21\u306e\u30b9\u30c6\u30c3\u30d7\u306b\u9032\u3080\u305f\u3081\u306biex\u306e\u5f8c\u308d\u306e\u30b3\u30fc\u30c9\u3067\u3084\u3063\u3066\u3044\u308b\u3053\u3068\u3092CyberChef\u3067\u518d\u73fe\u3057\u3088\u3046\u3068”From Base64″\u2192”Raw Deflate”\u3067\u3084\u308d\u3046\u3068\u3057\u3066\u3082\u3046\u307e\u304f\u3044\u304b\u306a\u304f\u3066\u4e00\u6557\u3002\u6b63\u3057\u304f\u306fDeflate\u3067\u306f\u306a\u304fInflate\u3002Deflate\u3067\u5c55\u958b\u3068\u601d\u3044\u8fbc\u3093\u3067\u3057\u307e\u3063\u3066\u8ca0\u3051\u3002
<\/\u4f59\u8ac7><\/p>\n\n\n\n
iex<\/code>\u306e\u30d1\u30e9\u30e1\u30fc\u30bf\u306f\u6587\u5b57\u5217\u306a\u306e\u3067\u3001iex<\/code>\u306e\u5f8c\u308d\u3092\u5b9f\u884c\u3059\u308c\u3070\u6587\u5b57\u5217\u304c\u51fa\u3066\u304f\u308b\u306f\u305a\u3067\u3042\u308b\u3002\u3068\u3044\u3046\u308f\u3051\u3067PowerShell\u306b\u5165\u308c\u3066\u5b9f\u884c\u3055\u305b\u308c\u3070\u3088\u3044\u3002\u306a\u304a\u3001\u3053\u306e\u30b9\u30c6\u30c3\u30d7\u306e\u307fWindows Defender\u3067\u30d6\u30ed\u30c3\u30af\u3055\u308c\u308b\u306e\u3067\u3001\u3053\u306e\u624b\u6cd5\u3067\u3084\u308a\u305f\u3044\u5834\u5408\u306f\u5229\u3042\u308a\u30bf\u30a4\u30e0\u4fdd\u8b77\u3092\u30aa\u30d5\u306b\u3059\u308b\u5fc5\u8981\u304c\u3042\u308b\u3002
CyberChef\u3067\u3061\u3083\u3093\u3068Inflate\u3092\u9078\u3093\u3067\u3044\u308c\u3070\u305d\u3063\u3061\u3067\u3082\u3088\u3044\u3002<\/p>\n\n\n\n![\"\"](\"https:\/\/emeth.jp\/diary\/wp-content\/uploads\/2023\/04\/image-5-830x1024.png\")
<\/a><\/figure>\n<\/div>\n\n\n\u308f\u304b\u308a\u306b\u304f\u3044\u304creaDtoEND()<\/code>\u306e\u6b21\u306e\u884c\u304b\u3089\u304c\u51fa\u529b\u3067\u3042\u308b\u3002
\u5192\u982d\u306e$vErbOsePrEFeReNcE<\/code>\u306f'SilentlyContinue'<\/code>\u306a\u306e\u3067\u3001$vErbOsePrEFeReNcE.TosTrIng()[1,3]+'X'-jOiN''<\/code>\u306f'iex'<\/code>\u306b\u306a\u308b\u3002
\u307e\u305fiex<\/code>\u306a\u306e\u3067\u540c\u3058\u3088\u3046\u306b\u3059\u308b\u3002<\/p>\n\n\n\n![\"\"](\"https:\/\/emeth.jp\/diary\/wp-content\/uploads\/2023\/04\/image-4-819x1024.png\")
<\/a><\/figure>\n<\/div>\n\n\n\u4eca\u5ea6\u306f\u672b\u5c3e\u306biex<\/code>\u304c\u51fa\u3066\u3044\u308b\u3002\u305d\u306e\u524d\u306b\u30d1\u30a4\u30d7(|<\/code>)\u304c\u3042\u308b\u306e\u3067\u3001\u524d\u534a\u3067\u6587\u5b57\u5217\u3092\u51fa\u529b\u3057\u3066\u305d\u308c\u3092iex<\/code>\u306b\u98df\u308f\u305b\u308b\u3068\u3044\u3046\u3053\u3068\u3067\u69cb\u9020\u306f\u5909\u308f\u3089\u306a\u3044\u3002
\u307e\u305f\u3001\u5192\u982d\u306b\u6761\u4ef6\u5206\u5c90\u304c\u3042\u308b\u3002\u7279\u306b\u96e3\u3057\u3044\u3082\u306e\u3067\u306f\u306a\u304f\u300c\u30b3\u30f3\u30d4\u30e5\u30fc\u30bf\u540d\u304c’RICSEC’\u3067\u3042\u308b\u5834\u5408\u306b\u4ee5\u4e0b\u306e\u51e6\u7406\u3092\u3059\u308b\u300d\u3068\u3044\u3046\u3060\u3051\u3067\u3042\u308b\u3002\u3053\u306e\u30b9\u30af\u30ea\u30d7\u30c8\u3092\u52d5\u7684\u89e3\u6790\u3057\u3088\u3046\u3068\u3059\u308b\u5834\u5408\u306b\u5f15\u3063\u639b\u304b\u308a\u305d\u3046\u306a\u304f\u3089\u3044\u304b\u3002<\/p>\n\n\n
![\"\"](\"https:\/\/emeth.jp\/diary\/wp-content\/uploads\/2023\/04\/image-6.png\")
<\/a><\/figure>\n<\/div>\n\n\n![\"\"](\"https:\/\/emeth.jp\/diary\/wp-content\/uploads\/2023\/04\/image-7.png\")
<\/a><\/figure>\n<\/div>\n\n\n![\"\"](\"https:\/\/emeth.jp\/diary\/wp-content\/uploads\/2023\/04\/image-9.png\")
<\/a><\/figure>\n<\/div>\n\n\n