{"id":130959,"date":"2023-11-05T18:03:27","date_gmt":"2023-11-06T02:03:27","guid":{"rendered":"https:\/\/unit42.paloaltonetworks.com\/?p=130959"},"modified":"2024-06-19T23:13:09","modified_gmt":"2024-06-20T06:13:09","slug":"pensive-ursa-uses-upgraded-kazuar-backdoor","status":"publish","type":"post","link":"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/pensive-ursa-uses-upgraded-kazuar-backdoor\/","title":{"rendered":"Over the Kazuar's (Cassowary's) Nest: Cracking Down on Pensive Ursa's (Turla's) Newly Hatched Backdoor"},"content":{"rendered":"<h2><a id=\"post-130959-_50qt2dixcmnj\"><\/a>Executive Summary<\/h2>\n<p>While tracking the evolution of Pensive Ursa (aka Turla, Uroburos), Unit 42 researchers discovered a newly upgraded variant of Kazuar. Kazuar is also the name of a large and dangerous bird, the cassowary, but it is likewise an advanced and stealthy .NET backdoor that Pensive Ursa usually uses as a second-stage payload.<\/p>\n<p><a href=\"https:\/\/unit42.paloaltonetworks.jp\/turla-pensive-ursa-threat-assessment\/\" target=\"_blank\" rel=\"noopener\">Pensive Ursa<\/a> is a Russia-based threat group that has been active since at least 2004 and is linked to the <a 
href=\"https:\/\/www.justice.gov\/usao-edny\/pr\/justice-department-announces-court-authorized-disruption-snake-malware-network\" target=\"_blank\" rel=\"noopener\">Russian Federal Security Service (FSB)<\/a>.<\/p>\n<p>In July 2023, <a href=\"https:\/\/cert.gov.ua\/article\/5213167\" target=\"_blank\" rel=\"noopener\">CERT-UA<\/a> reported that this version of Kazuar was targeting the Ukrainian defense sector. The threat group behind this variant was after sensitive assets contained in Signal messages, source control and cloud platform data.<\/p>\n<p>Since <a href=\"https:\/\/unit42.paloaltonetworks.jp\/unit42-kazuar-multiplatform-espionage-backdoor-api-access\/\" target=\"_blank\" rel=\"noopener\">Unit 42<\/a> discovered Kazuar in 2017, we have observed it in the wild only a handful of times, and its targets were mainly organizations in the European government and military sectors. The <a href=\"https:\/\/thehackernews.com\/2021\/01\/researchers-find-links-between-sunburst.html\" target=\"_blank\" rel=\"noopener\">Sunburst backdoor<\/a> was linked to Kazuar 
through code similarities, and this backdoor has proven to be a highly sophisticated one. Since late 2020 we had not observed new Kazuar samples in the wild, but numerous reports suggested that Kazuar was under continuous development.<\/p>\n<p>The code of the upgraded version of Kazuar shows that its authors put particular emphasis on giving Kazuar high stealth, detection evasion and resistance to analysis. The authors achieved these properties through a range of advanced anti-analysis techniques and by protecting the malware code with effective encryption and obfuscation schemes.<\/p>\n<p>In this article we provide a detailed technical analysis of Kazuar's 
functionality. By sharing this research and offering recommendations for detection, prevention and hunting, we hope to contribute to strengthening organizations' overall security posture. An additional list of artifacts is provided in the <a href=\"https:\/\/github.com\/PaloAltoNetworks\/Unti42-Threat-Intelligence-Article-Information\/blob\/main\/Appendix-for-article-on-Pensive-Ursa-using-Kazuar.md\" target=\"_blank\" rel=\"noopener\">appendix<\/a> section linked from our <a href=\"https:\/\/github.com\/PaloAltoNetworks\/Unti42-Threat-Intelligence-Article-Information\" target=\"_blank\" rel=\"noopener\">GitHub<\/a> page.<\/p>\n<p>Palo Alto Networks customers receive protection from and mitigation of the threats described in this article through the following:<\/p>\n<ul>\n<li>Next-Generation Firewalls with the Advanced Threat Prevention security subscription help block the malware's C2 traffic.<\/li>\n<li>The <a href=\"https:\/\/start.paloaltonetworks.jp\/contact-unit42.html\" target=\"_blank\" rel=\"noopener\">Unit 42 
Incident Response team<\/a> provides tailored response to a variety of threats, including those covered in this article.<\/li>\n<li>The Cortex XDR and XSIAM platforms detect and block the threats described in this article.<\/li>\n<li><a href=\"https:\/\/www.paloaltonetworks.jp\/resources\/datasheets\/advanced-wildfire\" target=\"_blank\" rel=\"noopener\">Advanced WildFire<\/a> has reviewed and updated its machine learning models and analysis techniques in light of the discovery of this new Kazuar variant.<\/li>\n<\/ul>\n<table style=\"width: 100%;\">\n<thead>\n<tr>\n<td style=\"width: 35%;\"><b>Related Unit 42 Topics<\/b><\/td>\n<td style=\"width: 100%;\"><a href=\"https:\/\/unit42.paloaltonetworks.jp\/tag\/backdoor-ja\/\" target=\"_blank\" rel=\"noopener\"><b>Backdoors<\/b><\/a>, <strong><a href=\"https:\/\/unit42.paloaltonetworks.jp\/tag\/pensive-ursa-ja\/\" target=\"_blank\" rel=\"noopener\">Pensive Ursa<\/a><\/strong><\/td>\n<\/tr>\n<\/thead>\n<\/table>\n<h2><a id=\"post-130959-_mysdery88orh\"><\/a>Kazuar Overview<\/h2>\n<p>Kazuar is a known, advanced and stealthy .NET backdoor. Pensive Ursa usually uses this backdoor as a second-stage 
payload and delivers it together with other tools the group commonly uses.<\/p>\n<p>In the recent campaign reported by <a href=\"https:\/\/cert.gov.ua\/article\/5213167\" target=\"_blank\" rel=\"noopener\">CERT-UA<\/a>, in addition to other new tools (such as a first-stage backdoor called Capibar), Kazuar's multi-stage delivery mechanism came to light. Our technical analysis of this latest variant (which appeared in the wild after a hiatus of several years) revealed that the code structure and functionality have been substantially improved.<\/p>\n<p>In this article we describe in detail the following previously undocumented capabilities:<\/p>\n<ul>\n<li><a href=\"#post-130959-_lz74dc7im8ye\">Comprehensive system profiling<\/a>: collects a wide range of data<\/li>\n<li><a href=\"#post-130959-_5higatyq4hy\">Credential theft from cloud and other sensitive applications<\/a>: steals cloud 
application accounts, source control data and Signal messaging application data<\/li>\n<li><a href=\"#post-130959-_tf1renih7nn9\">Extended command set<\/a>: supports a total of 45 kinds of command execution; the commands are received either from another Kazuar node or from the command-and-control (C2) server<\/li>\n<li><a href=\"#post-130959-_9pmase4f3klc\">Enhanced task automation<\/a>: a set of automated tasks that the attacker can toggle on\/off<\/li>\n<li><a href=\"#post-130959-_iyihiznxpnx1\">Various encryption schemes<\/a>: implements a variety of encryption algorithms and schemes<\/li>\n<li><a href=\"#post-130959-_epngo2omwiwz\">Injection modes<\/a><strong>: <\/strong>multiple injection modes allow Kazuar to run from different processes and perform different functions<\/li>\n<\/ul>\n<p>Since at least 2018, Kazuar 
variants have changed their obfuscation techniques and systematically altered their compilation timestamps. Some variants used the ConfuserEx obfuscation tool to encrypt strings, while others used custom methods. In the Kazuar variant analyzed in this article, the authors went a step further and implemented multiple custom methods for string encryption.<\/p>\n<p>Unlike previous variants, the authors focused solely on targeting the Windows operating system.<\/p>\n<p>Note: In our code analysis of Kazuar we used <a href=\"https:\/\/github.com\/dnSpy\/dnSpy\" target=\"_blank\" rel=\"noopener\">dnSpy<\/a> to export the code to an integrated development environment (IDE) and decrypted the strings with a custom script. Using this tool we edited individual <span style=\"font-family: 'courier new', courier, monospace;\">.cs<\/span> 
files and renamed some methods to meaningful names. The method names that appear in the screenshots are the names after this editing.<\/p>\n<h2><a id=\"post-130959-_eopk6woftiue\"><\/a>Detailed Technical Analysis of the Latest Kazuar Variant<\/h2>\n<h3><a id=\"post-130959-_4q5bpbmsxy9d\"><\/a>Metadata<\/h3>\n<p>According to reports <a href=\"https:\/\/securelist.com\/sunburst-backdoor-kazuar\/99981\/\" target=\"_blank\" rel=\"noopener\">from other research organizations<\/a>, Kazuar's authors have been <a href=\"https:\/\/attack.mitre.org\/techniques\/T1070\/006\/\" target=\"_blank\" rel=\"noopener\">manipulating the timestamps of their samples<\/a> since at least 2018. The compilation timestamp of this new variant is <span style=\"font-family: 'courier new', courier, monospace;\">Thursday, November 20, 2008 10:11:18 AM GMT<\/span>. Unlike the other publicly known variants, this is the first time the authors went back as far as 2008 when forging a timestamp.<\/p>\n<p>Kazuar also contains hardcoded, hashed identifiers for the <span 
style=\"font-family: 'courier new', courier, monospace;\">Agent version<\/span>, <span style=\"font-family: 'courier new', courier, monospace;\">BuildID<\/span> and <span style=\"font-family: 'courier new', courier, monospace;\">Agent label<\/span>. As shown in Figure 1, these can be used as identifiers of the variant.<\/p>\n<figure id=\"attachment_130893\" aria-describedby=\"caption-attachment-130893\" style=\"width: 594px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-130893 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/10\/word-image-130890-1.png\" alt=\"Image 1 shows the configuration information of a Kazuar sample. The agent's configuration information is contained in two different columns, one called Configuration and one called Value. Some of the information is redacted.\" width=\"594\" height=\"151\" \/><figcaption id=\"caption-attachment-130893\" class=\"wp-caption-text\">Figure 1. 
Basic configuration information of the Kazuar sample<\/figcaption><\/figure>\n<h3><a id=\"post-130959-_cf8a70mjyo52\"><\/a>Initialization<\/h3>\n<h4><a id=\"post-130959-_xrjykplm02wk\"><\/a>Performing an assembly check<\/h4>\n<p>Upon execution, Kazuar uses the <span style=\"font-family: 'courier new', courier, monospace;\"><a href=\"https:\/\/learn.microsoft.com\/ja-jp\/dotnet\/api\/system.reflection.assembly.location?view=net-7.0\" target=\"_blank\" rel=\"noopener\">Assembly.Location<\/a><\/span> property to retrieve its own file path and check its name. As shown in Figure 2, Kazuar continues execution only if the returned value is an empty string. The <span style=\"font-family: 'courier new', courier, monospace;\">Assembly.Location<\/span> 
property returns an empty string when the file is loaded from a byte array.<\/p>\n<p>This check is believed to be a simple form of anti-analysis mechanism, verifying that the malware was executed by the intended loader rather than by other means or software.<\/p>\n<p>Kazuar also runs if the file name matches a specific hardcoded hashed name (the <span style=\"font-family: 'courier new', courier, monospace;\">FNV<\/span> algorithm is used for this). This behavior is probably for debugging purposes, allowing the authors to avoid using the loader every time they debug the malware.<\/p>\n<figure id=\"attachment_130895\" aria-describedby=\"caption-attachment-130895\" style=\"width: 634px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-130895 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/10\/word-image-130890-2.png\" alt=\"Image 2 is a screenshot of a few lines of code in which the Kazuar 
variant's assembly name is checked. \" width=\"634\" height=\"243\" \/><figcaption id=\"caption-attachment-130895\" class=\"wp-caption-text\">Figure 2. The Kazuar variant checking its assembly name<\/figcaption><\/figure>\n<h4><a id=\"post-130959-_kftpeznwvieo\"><\/a>Creating the operational root directory<\/h4>\n<p>Kazuar creates a new directory in which to store its configuration and log data. Kazuar uses <span style=\"font-family: 'courier new', courier, monospace;\">%localappdata%<\/span> as its main storage path and determines the root directory from a hardcoded list of paths (see the <a href=\"https:\/\/github.com\/PaloAltoNetworks\/Unti42-Threat-Intelligence-Article-Information\/blob\/main\/Appendix-for-article-on-Pensive-Ursa-using-Kazuar.md\" target=\"_blank\" rel=\"noopener\">appendix<\/a>).<\/p>\n<p>Kazuar uses the machine's GUID (<a href=\"https:\/\/learn.microsoft.com\/ja-jp\/dotnet\/api\/system.guid?view=net-7.0\" target=\"_blank\" rel=\"noopener\">Globally Unique Identifier<\/a>) to determine which root 
directory, folder name, file name and file extension to use (Figure 3). At first glance these names appear to be randomly generated, but deriving them from the GUID means the same names are kept each time the malware runs on the same infected machine.<\/p>\n<figure id=\"attachment_130897\" aria-describedby=\"caption-attachment-130897\" style=\"width: 460px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-130897 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/10\/word-image-130890-3.png\" alt=\"Image 3 is a screenshot of a few lines of code. Using the GUID, Kazuar selects which root directory and other names to use.\" width=\"460\" height=\"169\" \/><figcaption id=\"caption-attachment-130897\" class=\"wp-caption-text\">Figure 3. 
The method responsible for returning the index into the path array<\/figcaption><\/figure>\n<p>As in previous variants, Kazuar uses a structured directory scheme to store data such as log files, individual configuration files and keylogger data. The directory names are pseudo-random and are selected based on hashes, for example the custom implementation of the <span style=\"font-family: 'courier new', courier, monospace;\">FNV<\/span> hash algorithm seen in previous variants, or other operations on the GUID value. The plaintext list of these directory names can be found in the <a href=\"https:\/\/github.com\/PaloAltoNetworks\/Unti42-Threat-Intelligence-Article-Information\/blob\/main\/Appendix-for-article-on-Pensive-Ursa-using-Kazuar.md\" target=\"_blank\" rel=\"noopener\">appendix<\/a>.<\/p>\n<p>It is also worth noting that the code contains a file creation option called <span style=\"font-family: 'courier new', courier, monospace;\">wordlist<\/span> (not referenced at present). 
This file may provide a clue to functionality to be implemented in the future (presumably using the wordlist to brute-force directory or file names, or passwords).<\/p>\n<h4><a id=\"post-130959-_uwyuzm7s57l0\"><\/a>Configuration file<\/h4>\n<p>The malware creates a separate main configuration file containing data such as the following:<\/p>\n<ul>\n<li>C2 servers<\/li>\n<li>Injection mode<\/li>\n<li>Other configuration data for its operations<\/li>\n<\/ul>\n<p>Figure 4 below is a partial excerpt from this file. The encryption technique used for Kazuar's configuration file can be found in the <a href=\"https:\/\/github.com\/PaloAltoNetworks\/Unti42-Threat-Intelligence-Article-Information\/blob\/main\/Appendix-for-article-on-Pensive-Ursa-using-Kazuar.md\" target=\"_blank\" rel=\"noopener\">appendix<\/a>.<\/p>\n<figure id=\"attachment_130899\" aria-describedby=\"caption-attachment-130899\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-130899 lozad\"  
data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/10\/word-image-130890-4.png\" alt=\"Image 4 is the configuration file of a Kazuar sample. Some of the information is redacted. The information includes agent information, last contact, transport information, log information and so on.\" width=\"900\" height=\"716\" \/><figcaption id=\"caption-attachment-130899\" class=\"wp-caption-text\">Figure 4. Snippet of the configuration file<\/figcaption><\/figure>\n<h4><a id=\"post-130959-_34gre5nfqdwh\"><\/a>Mutex name generation<\/h4>\n<p>Kazuar uses a mutex to check for injection into another process. Kazuar generates the mutex name by XORing the current process ID with the hardcoded value <span style=\"font-family: 'courier new', courier, monospace;\">0x4ac882d887106b7d<\/span>. It then XORs the result with the machine's GUID (Figure 5). This means that, although multiple Kazuar instances are not injected into the same process, they 
can run in parallel on the same device.<\/p>\n<figure id=\"attachment_130901\" aria-describedby=\"caption-attachment-130901\" style=\"width: 490px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-130901 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/10\/word-image-130890-5.png\" alt=\"Image 5 is a screenshot of the mutex name generator.\" width=\"490\" height=\"203\" \/><figcaption id=\"caption-attachment-130901\" class=\"wp-caption-text\">Figure 5. Mutex name generation<\/figcaption><\/figure>\n<h3><a id=\"post-130959-_tqcdb0a4vb14\"><\/a>Architecture<\/h3>\n<h4><a id=\"post-130959-_epngo2omwiwz\"><\/a>Setting Kazuar's injection mode<\/h4>\n<p>The new version of Kazuar uses what its configuration describes as the \"injection mode\" (Table 1). The default mode is <span style=\"font-family: 'courier new', courier, monospace;\">inject<\/span>.<\/p>\n<table style=\"width: 101.08%;\">\n<tbody>\n<tr>\n<td style=\"text-align: center; width: 13.9712%;\"><b>Mode name in configuration file<\/b><\/td>\n<td style=\"text-align: center; width: 43.049%;\"><b>Description<\/b><\/td>\n<td style=\"text-align: center; width: 12.6211%;\"><b>Inbound traffic<\/b><\/td>\n<td style=\"text-align: center; width: 
12.1836%;\"><b>Outbound traffic<\/b><\/td>\n<td style=\"text-align: center; width: 18.009%;\"><b>Additional capability threads<\/b><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 13.9712%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">inject<\/span><\/td>\n<td style=\"width: 43.049%;\">\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Default mode. Injects into <\/span><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">explorer.exe<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Creates a pipe communication channel and acts as a proxy for other Kazuar instances<\/span><\/li>\n<\/ul>\n<\/td>\n<td style=\"width: 12.6211%;\"><span style=\"font-weight: 400;\">Named pipe<\/span><\/td>\n<td style=\"width: 12.1836%;\"><span style=\"font-weight: 400;\">Named pipe<\/span><\/td>\n<td style=\"width: 18.009%;\">\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Event log monitor<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Keylogging<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Screen capture<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Automated tasks<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 
400;\">Anti-dump<\/span><\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 13.9712%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">zombify<\/span><\/td>\n<td style=\"width: 43.049%;\">\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Injects into the user's default browser or <\/span><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">svchost.exe<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Creates a named pipe communication channel and acts as a proxy for other Kazuar instances<\/span><\/li>\n<\/ul>\n<\/td>\n<td style=\"width: 12.6211%;\"><span style=\"font-weight: 400;\">Named pipe<\/span><\/td>\n<td style=\"width: 12.1836%;\"><span style=\"font-weight: 400;\">HTTP<\/span><\/td>\n<td style=\"width: 18.009%;\">\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Anti-dump<\/span><\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 13.9712%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">combined<\/span><\/td>\n<td style=\"width: 43.049%;\"><span style=\"font-weight: 400;\">If the default <\/span><span style=\"font-weight: 400;\">inject<\/span><span style=\"font-weight: 400;\"> method fails, runs via the same method as <\/span><span style=\"font-weight: 400;\">zombify<\/span><\/td>\n<td style=\"width: 12.6211%;\"><span style=\"font-weight: 
400;\">(\u8a72\u5f53\u306a\u3057)<\/span><\/td>\n<td style=\"width: 12.1836%;\"><span style=\"font-weight: 400;\">(\u8a72\u5f53\u306a\u3057)<\/span><\/td>\n<td style=\"width: 18.009%;\"><span style=\"font-weight: 400;\">(\u8a72\u5f53\u306a\u3057)<\/span><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 13.9712%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">remote<\/span><\/td>\n<td style=\"width: 43.049%;\"><span style=\"font-weight: 400;\">\u540d\u524d\u4ed8\u304d\u30d1\u30a4\u30d7\u901a\u4fe1\u30c1\u30e3\u30cd\u30eb\u3092\u4f5c\u6210\u3057\u3001\u307b\u304b\u306e Kazuar \u30a4\u30f3\u30b9\u30bf\u30f3\u30b9\u306e\u30d7\u30ed\u30ad\u30b7\u30fc\u3068\u3057\u3066\u6a5f\u80fd\u3059\u308b\u3002C2 \u901a\u4fe1\u306a\u3057<\/span><\/td>\n<td style=\"width: 12.6211%;\"><span style=\"font-weight: 400;\">\u540d\u524d\u4ed8\u304d\u30d1\u30a4\u30d7<\/span><\/td>\n<td style=\"width: 12.1836%;\"><span style=\"font-weight: 400;\">\u540d\u524d\u4ed8\u304d\u30d1\u30a4\u30d7<\/span><\/td>\n<td style=\"width: 18.009%;\">\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">\u30a4\u30d9\u30f3\u30c8 \u30ed\u30b0 \u30e2\u30cb\u30bf\u30fc<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">\u81ea\u52d5\u5316\u3055\u308c\u305f\u30bf\u30b9\u30af<\/span><\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 13.9712%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">single<\/span><\/td>\n<td style=\"width: 43.049%;\">\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">\u540d\u524d\u4ed8\u304d\u30d1\u30a4\u30d7\u901a\u4fe1\u30c1\u30e3\u30cd\u30eb\u3092\u4f5c\u6210\u3057\u3001\u307b\u304b\u306e Kazuar \u30a4\u30f3\u30b9\u30bf\u30f3\u30b9\u306e\u30d7\u30ed\u30ad\u30b7\u30fc\u3068\u3057\u3066\u6a5f\u80fd\u3059\u308b<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 
400;\">\u3053\u306e\u30e2\u30fc\u30c9\u3067\u306f C2 \u901a\u4fe1\u3092\u6709\u52b9\u5316\u3057\u3066 HTTP \u7d4c\u7531\u3067\u30b3\u30de\u30f3\u30c9\u3092\u53d7\u4fe1\u3067\u304d\u308b<\/span><\/li>\n<\/ul>\n<\/td>\n<td style=\"width: 12.6211%;\"><span style=\"font-weight: 400;\">\u540d\u524d\u4ed8\u304d\u30d1\u30a4\u30d7\u307e\u305f\u306f HTTP<\/span><\/td>\n<td style=\"width: 12.1836%;\"><span style=\"font-weight: 400;\">\u540d\u524d\u4ed8\u304d\u30d1\u30a4\u30d7\u307e\u305f\u306f HTTP<\/span><\/td>\n<td style=\"width: 18.009%;\">\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">\u30a4\u30d9\u30f3\u30c8 \u30ed\u30b0 \u30e2\u30cb\u30bf\u30fc<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">\u30ad\u30fc\u30ed\u30ae\u30f3\u30b0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">\u7a83\u8996<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">\u81ea\u52d5\u5316\u3055\u308c\u305f\u30bf\u30b9\u30af<\/span><\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 13.9712%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">Not in User Interactive Mode<\/span><\/td>\n<td style=\"width: 43.049%;\"><span style=\"font-weight: 400;\">Kazuar \u306e\u5b9f\u884c\u304c\u30e6\u30fc\u30b6\u30fc\u5bfe\u8a71\u30e2\u30fc\u30c9\u306e\u5834\u5408\u3002Kazuar \u3092\u30b5\u30fc\u30d3\u30b9\u3068\u3057\u3066\u5b9f\u884c\u3057\u3066\u3044\u308b\u5834\u5408\u3084\u30b5\u30fc\u30d0\u30fc\u306a\u3069\u306e GUI \u3092\u6301\u305f\u306a\u3044\u30de\u30b7\u30f3\u4e0a\u3067\u5b9f\u884c\u3059\u308b\u5834\u5408\u306b\u3053\u306e\u30e2\u30fc\u30c9\u306b\u306a\u308a\u3046\u308b<\/span><\/td>\n<td style=\"width: 12.6211%;\"><span style=\"font-weight: 400;\">\u540d\u524d\u4ed8\u304d\u30d1\u30a4\u30d7<\/span><\/td>\n<td style=\"width: 12.1836%;\"><span style=\"font-weight: 
400;\">\u540d\u524d\u4ed8\u304d\u30d1\u30a4\u30d7<\/span><\/td>\n<td style=\"width: 18.009%;\">\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">\u81ea\u52d5\u5316\u3055\u308c\u305f\u30bf\u30b9\u30af<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">WMI \u30b3\u30f3\u30b7\u30e5\u30fc\u30de\u30fc<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">\u30c0\u30f3\u30d7\u5bfe\u7b56<\/span><\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p style=\"text-align: center;\"><span style=\"font-size: 8pt; color: #999999;\"><em>\u8868 1. Kazuar \u306e\u30a4\u30f3\u30b8\u30a7\u30af\u30b7\u30e7\u30f3 \u30e2\u30fc\u30c9\u3068\u305d\u306e\u8aac\u660e<\/em><\/span><\/p>\n<p><span style=\"font-family: 'courier new', courier, monospace;\">zombify<\/span> \u30e2\u30fc\u30c9\u3067\u306f\u3001Kazuar \u306f\u30e6\u30fc\u30b6\u30fc\u306e\u30c7\u30d5\u30a9\u30eb\u30c8 \u30d6\u30e9\u30a6\u30b6\u30fc\u306b\u30a4\u30f3\u30b8\u30a7\u30af\u30c8\u3055\u308c\u307e\u3059\u3002\u3053\u306e\u30e2\u30fc\u30c9\u306b\u306f\u3001\u30c7\u30d5\u30a9\u30eb\u30c8\u306e\u30d6\u30e9\u30a6\u30b6\u30fc\u306e\u30af\u30a8\u30ea\u30fc\u304c\u5931\u6557\u3057\u305f\u5834\u5408\u306b\u5099\u3048\u3001\u81ea\u5206\u81ea\u8eab\u3092 <span style=\"font-family: 'courier new', courier, monospace;\">svchost.exe<\/span> \u306b\u30a4\u30f3\u30b8\u30a7\u30af\u30c8\u3059\u308b\u30d5\u30a9\u30fc\u30eb\u30d0\u30c3\u30af\u6a5f\u69cb\u304c\u3042\u308a\u307e\u3059\u3002\u56f3 6 \u306f\u3001<span style=\"font-family: 'courier new', courier, monospace;\"> zombify (\u30be\u30f3\u30d3\u5316\u3059\u308b) <\/span> \u304c\u3001Kazuar \u306e\u4f5c\u8005\u306b\u3088\u308b\u30d7\u30ed\u30bb\u30b9 \u30a4\u30f3\u30b8\u30a7\u30af\u30b7\u30e7\u30f3\u5168\u822c\u3092\u6307\u3059\u7528\u8a9e\u3067\u3042\u308b\u3053\u3068\u3092\u793a\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<figure id=\"attachment_130903\" 
aria-describedby=\"caption-attachment-130903\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-130903 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/10\/word-image-130890-6.png\" alt=\"\u753b\u50cf 6 \u306f\u591a\u6570\u306e\u30b3\u30fc\u30c9\u884c\u304b\u3089\u306a\u308b\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3067\u3059\u3002zombify \u30e2\u30fc\u30c9\u3092\u4f7f\u3063\u3066\u3001Kazuar \u306f\u30b3\u30fc\u30c9 \u30a4\u30f3\u30b8\u30a7\u30af\u30b7\u30e7\u30f3\u3092\u5b9f\u884c\u3057\u307e\u3059\u3002\" width=\"900\" height=\"437\" \/><figcaption id=\"caption-attachment-130903\" class=\"wp-caption-text\">\u56f3 6. <span style=\"font-family: 'courier new', courier, monospace;\">zombify (\u30be\u30f3\u30d3\u5316)<\/span> \u30e2\u30fc\u30c9\u306e Kazuar \u306e\u30b3\u30fc\u30c9 \u30a4\u30f3\u30b8\u30a7\u30af\u30b7\u30e7\u30f3 \u30b9\u30cb\u30da\u30c3\u30c8<\/figcaption><\/figure>\n<h4><a id=\"post-130959-_pm311y419u2a\"><\/a>\u30de\u30eb\u30c1\u30b9\u30ec\u30c3\u30c9 \u30e2\u30c7\u30eb<\/h4>\n<p>Kazuar \u306f\u30de\u30eb\u30c1\u30b9\u30ec\u30c3\u30c9 \u30e2\u30c7\u30eb\u3067\u52d5\u4f5c\u3057\u307e\u3059\u304c\u3001Kazuar \u306e\u4e3b\u8981\u6a5f\u80fd\u306f\u305d\u308c\u305e\u308c\u72ec\u81ea\u30b9\u30ec\u30c3\u30c9\u3067\u52d5\u4f5c\u3057\u307e\u3059\u3002\u3064\u307e\u308a\u30011 \u672c\u306e\u30b9\u30ec\u30c3\u30c9\u304c C2 \u304b\u3089\u306e\u30b3\u30de\u30f3\u30c9\u3084 <span style=\"font-family: 'courier new', courier, monospace;\">tasks<\/span> \u306e\u53d7\u4fe1\u3092\u51e6\u7406\u3057\u3001<span style=\"font-family: 'courier new', courier, monospace;\">solver<\/span> \u30b9\u30ec\u30c3\u30c9\u304c\u3053\u308c\u3089\u306e\u30b3\u30de\u30f3\u30c9\u306e\u5b9f\u884c\u3092\u51e6\u7406\u3057\u307e\u3059\u3002\u3053\u306e\u30de\u30eb\u30c1\u30b9\u30ec\u30c3\u30c9 \u30e2\u30c7\u30eb\u306b\u3088\u308a\u3001Kazuar 
\u306e\u4f5c\u8005\u306f\u975e\u540c\u671f\u306e\u30e2\u30b8\u30e5\u30fc\u30eb\u5f0f\u30d5\u30ed\u30fc\u5236\u5fa1\u3092\u78ba\u7acb\u3067\u304d\u307e\u3059\u3002\u56f3 7 \u306f\u3001<span style=\"font-family: 'courier new', courier, monospace;\">task solver<\/span> \u306e\u30d5\u30ed\u30fc\u3092\u793a\u3059\u56f3\u3067\u3059\u3002<\/p>\n<figure id=\"attachment_130905\" aria-describedby=\"caption-attachment-130905\" style=\"width: 849px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-130905 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/11\/word-image-130890-7-ja.png\" alt=\"\u753b\u50cf 7 \u306f\u3001Kazuar \u306e\u30bf\u30b9\u30af\u89e3\u6c7a\u30e1\u30ab\u30cb\u30ba\u30e0\u306e\u56f3\u3067\u3059\u3002\u6697\u53f7\u5316\u3055\u308c\u305f\u7d50\u679c\u30d5\u30a1\u30a4\u30eb\u306b\u306f\u3001\u533a\u5207\u308a\u6587\u5b57\u3001\u7d50\u679c\u8b58\u5225\u5b50\u3001\u6697\u53f7\u5316\u3055\u308c\u305f GUID \u9577\u3055\u3001RSA \u6697\u53f7\u5316\u3055\u308c\u305f HMACMD5 \u30cf\u30c3\u30b7\u30e5\u3001IV\u3001AES \u30ad\u30fc\u3001\u304a\u3088\u3073 AES \u6697\u53f7\u5316\u3055\u308c\u305f\u30bf\u30b9\u30af BLOB \u304c\u542b\u307e\u308c\u307e\u3059\u3002\u7d50\u679c\u30d5\u30a1\u30a4\u30eb\u304c\u8aad\u307f\u53d6\u3089\u308c\u3066 C2 \u306b\u9001\u4fe1\u3055\u308c\u307e\u3059\u3002\u9001\u4fe1\u30b9\u30ec\u30c3\u30c9\u306f\u30bf\u30b9\u30af \u30d5\u30a1\u30a4\u30eb\u306b\u30bf\u30b9\u30af\u3092\u66f8\u304d\u8fbc\u307f\u3001\u30bf\u30b9\u30af \u30d5\u30a1\u30a4\u30eb\u306f\u30bf\u30b9\u30af \u30bd\u30eb\u30d0\u30fc \u30b9\u30ec\u30c3\u30c9\u306b\u3088\u3063\u3066\u8aad\u307f\u53d6\u3089\u308c\u307e\u3059\u3002 \" width=\"849\" height=\"648\" \/><figcaption id=\"caption-attachment-130905\" class=\"wp-caption-text\">\u56f3 7. 
Kazuar \u306e task solver \u306e\u30e1\u30ab\u30cb\u30ba\u30e0<\/figcaption><\/figure>\n<h4><a id=\"post-130959-_iyihiznxpnx1\"><\/a>\u30bf\u30b9\u30af \u30bd\u30eb\u30d0\u30fc \u30b3\u30f3\u30dd\u30fc\u30cd\u30f3\u30c8 - Kazuar \u306e\u9ed2\u5e55<\/h4>\n<p>Kazuar \u306f\u65b0\u3057\u3044 <span style=\"font-family: 'courier new', courier, monospace;\">tasks<\/span> \u3092\u53d7\u3051\u53d6\u308b\u3068\u3001\u305d\u308c\u3092\u89e3\u6c7a\u3057\u3066\u3001\u7d50\u679c\u3092<span style=\"font-family: 'courier new', courier, monospace;\"> result <\/span>\u30d5\u30a1\u30a4\u30eb\u306b\u66f8\u304d\u51fa\u3057\u307e\u3059\u3002<span style=\"font-family: 'courier new', courier, monospace;\">solver<\/span> \u30b9\u30ec\u30c3\u30c9\u306f\u3001C2\u30b5\u30fc\u30d0\u30fc\u307e\u305f\u306f\u3079\u3064\u306e Kazuar \u30ce\u30fc\u30c9\u304b\u3089\u53d7\u4fe1\u3057\u305f\u65b0\u3057\u3044 <span style=\"font-family: 'courier new', courier, monospace;\">tasks<\/span> \u3092\u51e6\u7406\u3057\u307e\u3059\u3002<span style=\"font-family: 'courier new', courier, monospace;\">task<\/span> \u306e\u5185\u5bb9\u306f\u305d\u306e\u5f8c\u6697\u53f7\u5316\u3055\u308c\u3066 <span style=\"font-family: 'courier new', courier, monospace;\">task<\/span> \u30d5\u30a1\u30a4\u30eb\u3068\u3057\u3066\u30c7\u30a3\u30b9\u30af\u306b\u66f8\u304d\u8fbc\u307e\u308c\u307e\u3059\u3002<\/p>\n<p>\u305d\u308c\u305e\u308c\u306e <span style=\"font-family: 'courier new', courier, monospace;\">task<\/span> \u30d5\u30a1\u30a4\u30eb\u306f\u30cf\u30a4\u30d6\u30ea\u30c3\u30c9\u306a\u6697\u53f7\u5316\u30b9\u30ad\u30fc\u30e0\u3092\u5b9f\u88c5\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<ol>\n<li><span style=\"font-family: 'courier new', courier, monospace;\"><a href=\"https:\/\/learn.microsoft.com\/ja-jp\/dotnet\/api\/system.security.cryptography.rngcryptoserviceprovider?view=net-7.0\" target=\"_blank\" rel=\"noopener\">RNGCryptoServiceProvider<\/a><\/span> \u3092\u4f7f\u3063\u3066 2 
\u3064\u306e\u30d0\u30a4\u30c8\u914d\u5217\u3092\u751f\u6210\u3057\u307e\u3059\u3002\u3053\u308c\u3089\u306e\u30d0\u30a4\u30c8\u914d\u5217\u306b\u306f\u305d\u308c\u305e\u308c 16 \u30d0\u30a4\u30c8\u3068 32 \u30d0\u30a4\u30c8\u306e\u9577\u3055\u306e\u4e71\u6570\u304c\u542b\u307e\u308c\u307e\u3059\u3002\n<ul type=\"a.\">\n<li>\u6700\u521d\u306e\u30d0\u30a4\u30c8\u914d\u5217\u306f\u3001<a href=\"https:\/\/www.tutorialspoint.com\/cryptography\/advanced_encryption_standard.htm\" target=\"_blank\" rel=\"noopener\">AES (Rijndael)<\/a> \u306e\u521d\u671f\u5316\u30d9\u30af\u30c8\u30eb (IV) \u3068\u3057\u3066\u4f7f\u3044\u307e\u3059\u3002<\/li>\n<li>2 \u3064\u3081\u306e\u30d0\u30a4\u30c8\u914d\u5217\u306f AES \u30ad\u30fc\u3068\u3057\u3066\u4f7f\u3044\u307e\u3059\u3002<\/li>\n<\/ul>\n<\/li>\n<li>\u30e1\u30e2\u30ea\u30fc\u304b\u3089\u306e <span style=\"font-family: 'courier new', courier, monospace;\">result<\/span> \u306e\u5185\u5bb9\u306b\u57fa\u3065\u3044\u3066\u3001<a href=\"https:\/\/learn.microsoft.com\/ja-jp\/dotnet\/api\/system.security.cryptography.hmacmd5?view=net-7.0\" target=\"_blank\" rel=\"noopener\">HMACMD5<\/a> \u30cf\u30c3\u30b7\u30e5\u3092\u751f\u6210\u3057\u305f\u5f8c\u3001\u305d\u308c\u3092\u6697\u53f7\u5316\u3057\u3066\u30c7\u30a3\u30b9\u30af\u306b\u66f8\u304d\u8fbc\u307f\u307e\u3059\u3002\u3053\u306e\u3055\u3044\u306f\u4e0a\u8a18\u306e\u6700\u521d\u306e\u7b87\u6761\u66f8\u304d\u3067\u8aac\u660e\u3057\u305f\u30d0\u30a4\u30c8\u914d\u5217\u3092\u30ad\u30fc\u3068\u3057\u3066\u4f7f\u3044\u307e\u3059\u3002<\/li>\n<li>HMACMD5 \u30cf\u30c3\u30b7\u30e5\u3001AES \u30ad\u30fc\u3001IV \u3092\u30cf\u30fc\u30c9\u30b3\u30fc\u30c9\u3055\u308c\u305f RSA \u30ad\u30fc\u3067\u6697\u53f7\u5316\u3057\u3001\u6697\u53f7\u5316\u3057\u305f BLOB \u3092\u30d5\u30a1\u30a4\u30eb\u5148\u982d\u306b\u66f8\u304d\u8fbc\u307f\u307e\u3059\u3002\u9ad8\u901f\u306a AES \u30a2\u30eb\u30b4\u30ea\u30ba\u30e0\u3092\u4f7f\u3063\u3066 <span style=\"font-family: 'courier new', courier, 
monospace;\">result<\/span>\u306e\u5185\u5bb9\u306e\u3088\u3046\u306a\u5927\u304d\u306a\u30aa\u30d6\u30b8\u30a7\u30af\u30c8\u3092\u6697\u53f7\u5316\u3057\u3001\u4f4e\u901f\u306e RSA \u6697\u53f7\u5316\u3092\u4f7f\u3063\u3066 AES \u30ad\u30fc\u3068 IV \u3092\u96a0\u3059\u3053\u3068\u306b\u3088\u308a\u3001Kazuar \u306e\u30d1\u30d5\u30a9\u30fc\u30de\u30f3\u30b9\u3092\u3042\u3052\u3066\u3044\u307e\u3059\u3002\u307e\u305f\u3001\u5bfe\u79f0\u30ad\u30fc\u304c\u975e\u5bfe\u79f0\u30ad\u30fc\u3067\u6697\u53f7\u5316\u3055\u308c\u3066\u3057\u307e\u3046\u306e\u3067\u3001\u611f\u67d3\u30d5\u30a1\u30a4\u30eb\u3092\u30c7\u30a3\u30b9\u30af\u3060\u3051\u3092\u5143\u306b\u5fa9\u65e7\u3059\u308b\u3068\u3044\u3046\u9078\u629e\u80a2\u306f\u5c01\u3058\u3089\u308c\u307e\u3059\u3002<\/li>\n<li>AES \u6697\u53f7\u3092\u4f7f\u3063\u3066 <span style=\"font-family: 'courier new', courier, monospace;\">result<\/span> \u30d5\u30a1\u30a4\u30eb\u306e\u5185\u5bb9\u3092\u6697\u53f7\u5316\u3057\u307e\u3059\u3002<\/li>\n<\/ol>\n<p>\u56f3 8 \u306b\u793a\u3059\u3088\u3046\u306b\u3001\u30bf\u30b9\u30af\u304c\u5b8c\u4e86\u3059\u308b\u3068\u3001\u751f\u6210\u3055\u308c\u305f <span style=\"font-family: 'courier new', courier, monospace;\">result<\/span> \u30d5\u30a1\u30a4\u30eb\u306f\u30c7\u30a3\u30b9\u30af\u306b\u4fdd\u5b58\u3055\u308c\u307e\u3059\u3002<\/p>\n<figure id=\"attachment_130907\" aria-describedby=\"caption-attachment-130907\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-130907 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/10\/word-image-130890-8.png\" alt=\"\u753b\u50cf 8 \u306f\u3001\u591a\u304f\u306e\u884c\u304b\u3089\u306a\u308b\u30b3\u30fc\u30c9\u306e\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3067\u3059\u3002Kazuar \u306f\u3053\u306e\u30b3\u30fc\u30c9\u3092\u4f7f\u3063\u3066\u6697\u53f7\u5316\u3092\u884c\u3044\u3001result \u30d5\u30a1\u30a4\u30eb\u306b\u66f8\u304d\u8fbc\u307f\u307e\u3059\u3002\" 
width=\"900\" height=\"371\" \/><figcaption id=\"caption-attachment-130907\" class=\"wp-caption-text\">\u56f3 8. \u6697\u53f7\u5316\u3057\u3066 result \u30d5\u30a1\u30a4\u30eb\u3092\u66f8\u304d\u8fbc\u3080 Kazuar \u306e\u30e1\u30bd\u30c3\u30c9\u306e\u30b9\u30cb\u30da\u30c3\u30c8<\/figcaption><\/figure>\n<p>Kazuar \u306f\u524d\u8ff0\u306e\u6697\u53f7\u5316\u3057\u305f\u30c7\u30fc\u30bf\u306b\u52a0\u3048\u3001\u4ee5\u4e0b\u306e\u30d5\u30a3\u30fc\u30eb\u30c9\u3092 <span style=\"font-family: 'courier new', courier, monospace;\">result<\/span> \u30d5\u30a1\u30a4\u30eb\u306e\u5148\u982d\u306b\u66f8\u304d\u8fbc\u307f\u307e\u3059\u3002<\/p>\n<ol>\n<li>4 \u3064\u306e\u30bc\u30ed\u30d0\u30a4\u30c8 (\u3053\u308c\u306f\u4e00\u7a2e\u306e\u533a\u5207\u308a\u6587\u5b57\u3068\u3057\u3066\u6a5f\u80fd\u3059\u308b\u3068\u8003\u3048\u3089\u308c\u307e\u3059)<\/li>\n<li>\u751f\u6210\u3055\u308c\u305f\u7d50\u679c\u306e\u8b58\u5225\u5b50<\/li>\n<li>\u6697\u53f7\u5316\u3055\u308c\u305f GUID \u306e\u9577\u3055\u3002\u3053\u308c\u306b\u306f\u521d\u671f\u5316\u306e\u3068\u304d\u3068\u540c\u3058 XOR \u30a2\u30eb\u30b4\u30ea\u30ba\u30e0\u3092\u4f7f\u7528\u3059\u308b (\u3053\u3053\u3067\u306e\u6697\u53f7\u5316\u3055\u308c\u305f\u30e1\u30c3\u30bb\u30fc\u30b8\u306f\u300cSystem info at [datetime] (-07)\u300d)<\/li>\n<li>\u6697\u53f7\u5316\u3055\u308c\u305f GUID \u305d\u306e\u3082\u306e<\/li>\n<li>RSA \u3067\u6697\u53f7\u5316\u3057\u305f HMACMD5 \u30cf\u30c3\u30b7\u30e5 + IV + AES \u30ad\u30fc<\/li>\n<li>AES \u3067\u6697\u53f7\u5316\u3057\u305f\u30bf\u30b9\u30af\u306e\u5185\u5bb9<\/li>\n<\/ol>\n<p>\u56f3 9 \u306f\u30c7\u30a3\u30b9\u30af\u304b\u3089\u306e\u6697\u53f7\u5316\u3055\u308c\u305f result \u30d5\u30a1\u30a4\u30eb\u306e\u5185\u5bb9\u3092\u793a\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<figure id=\"attachment_130909\" aria-describedby=\"caption-attachment-130909\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-130909 lozad\"  
data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/10\/word-image-130890-9.png\" alt=\"\u753b\u50cf 9 \u306f\u3001\u6697\u53f7\u5316\u3055\u308c\u305f result \u30d5\u30a1\u30a4\u30eb\u306e\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3067\u3059\u3002\u8d64\u3067\u5f37\u8abf\u8868\u793a\u3055\u308c\u3066\u3044\u308b\u306e\u306f\u3001\u533a\u5207\u308a\u6587\u5b57\u3001\u751f\u6210\u3055\u308c\u305f\u7d50\u679c\u306e\u8b58\u5225\u5b50\u3001\u6697\u53f7\u5316\u3055\u308c\u305f UUID \u306e\u9577\u3055\u3001\u6697\u53f7\u5316\u3055\u308c\u305f GUID \u306e\u5185\u5bb9\u3001RSA \u3067\u6697\u53f7\u5316\u3055\u308c\u305f HMACDM5 \u30cf\u30c3\u30b7\u30e5 + IV _ AES \u30ad\u30fc\u3001AES \u3067\u6697\u53f7\u5316\u3055\u308c\u305f\u30bf\u30b9\u30af\u306e\u5185\u5bb9\u3067\u3059\u3002 \" width=\"900\" height=\"431\" \/><figcaption id=\"caption-attachment-130909\" class=\"wp-caption-text\">\u56f3 9. \u30c7\u30a3\u30b9\u30af\u304b\u3089\u306e\u6697\u53f7\u5316\u3055\u308c\u305f <span style=\"font-family: 'courier new', courier, monospace;\">result<\/span> \u30d5\u30a1\u30a4\u30eb\u306e\u5185\u5bb9<\/figcaption><\/figure>\n<h4><a id=\"post-130959-_2k96nikstevu\"><\/a>\u6587\u5b57\u5217\u306e\u6697\u53f7\u5316<\/h4>\n<p>Kazuar \u306e\u30b3\u30fc\u30c9\u306b\u306f\u3001\u305d\u306e\u6a5f\u80fd\u3068\u30c7\u30d0\u30c3\u30b0\u306b\u95a2\u9023\u3059\u308b\u5927\u91cf\u306e\u6587\u5b57\u5217\u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3059\u3002\u5e73\u6587\u3067\u8868\u793a\u3059\u308c\u3070 Kazuar \u306e\u5185\u90e8\u6a5f\u69cb\u3084\u6a5f\u80fd\u304c\u660e\u3089\u304b\u306b\u306a\u308a\u307e\u3059\u3002\u30ea\u30b5\u30fc\u30c1\u30e3\u30fc\u304c\u6587\u5b57\u5217\u30d9\u30fc\u30b9\u306e\u6307\u6a19\u3068\u306a\u308b YARA \u3084\u30cf\u30f3\u30c6\u30a3\u30f3\u30b0 \u30eb\u30fc\u30eb\u3092\u4f5c\u6210\u3059\u308b\u3068\u3044\u3046\u30b7\u30ca\u30ea\u30aa\u3092\u56de\u907f\u3059\u308b\u305f\u3081\u306b\u3001Kazuar 
\u306e\u6587\u5b57\u5217\u306f\u6697\u53f7\u5316\u3055\u308c\u3066\u3044\u307e\u3059\u3002Kazuar \u306f\u5b9f\u884c\u6642\u306b\u5404\u6587\u5b57\u5217\u3092\u5fa9\u53f7\u3057\u307e\u3059\u3002<\/p>\n<p>Kazuar \u306f\u6587\u5b57\u5217\u306e\u6697\u53f7\u5316\/\u5fa9\u53f7\u30a2\u30eb\u30b4\u30ea\u30ba\u30e0\u306b<a href=\"https:\/\/ja.wikipedia.org\/wiki\/%E3%82%B7%E3%83%BC%E3%82%B6%E3%83%BC%E6%9A%97%E5%8F%B7\" target=\"_blank\" rel=\"noopener\">\u30b7\u30fc\u30b6\u30fc\u6697\u53f7<\/a>\u306e\u4e00\u7a2e\u3092\u4f7f\u3044\u307e\u3059\u3002\u3053\u306e\u30a2\u30eb\u30b4\u30ea\u30ba\u30e0\u3067\u306f\u3001Kazuar \u306f\u5404\u30e1\u30f3\u30d0\u30fc\u306e\u30ad\u30fc\u3068\u5024\u3092\u5358\u7d14\u306b\u4ea4\u63db\u3059\u308b\u8f9e\u66f8\u3092\u5b9f\u88c5\u3057\u3066\u3044\u307e\u3059\u3002\u6700\u8fd1\u306e Kazuar \u306e\u4e9c\u7a2e\u306f\u3001\u8f9e\u66f8\u3092 1 \u3064\u3060\u3051\u5b9f\u88c5\u3057\u3066\u3044\u307e\u3057\u305f\u304c\u3001\u3053\u306e\u65b0\u3057\u3044\u4e9c\u7a2e\u306f\u8907\u6570\u306e\u8f9e\u66f8\u3092\u5b9f\u88c5\u3057\u3066\u304a\u308a\u3001\u305d\u308c\u305e\u308c\u306b 80 \u7d44\u306e\u6587\u5b57\u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3059(\u56f310)\u3002<\/p>\n<figure id=\"attachment_130911\" aria-describedby=\"caption-attachment-130911\" style=\"width: 316px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-130911 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/10\/word-image-130890-10.png\" alt=\"\u753b\u50cf 10 \u306f\u3001\u591a\u6570\u306e\u30b3\u30fc\u30c9\u884c\u304b\u3089\u306a\u308b\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3067\u3059\u3002\u6587\u5b57\u5217\u306e\u5fa9\u53f7\u306b\u4f7f\u7528\u3055\u308c\u308b\u8f9e\u66f8\u60c5\u5831\u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3059\u3002\" width=\"316\" height=\"148\" \/><figcaption id=\"caption-attachment-130911\" class=\"wp-caption-text\">\u56f3 10. 
\u6587\u5b57\u5217\u306e\u5fa9\u53f7\u306b\u4f7f\u7528\u3055\u308c\u308b\u8f9e\u66f8\u3092\u542b\u3080\u30af\u30e9\u30b9\u306e 1 \u3064<\/figcaption><\/figure>\n<p>\u56f3 11 \u306f\u3001\u6307\u5b9a\u3055\u308c\u305f\u6587\u5b57\u5217\u3092\u53cd\u5fa9\u51e6\u7406\u3057\u3001\u6307\u5b9a\u3055\u308c\u305f\u6587\u5b57\u306e\u5e8f\u6570\u5024\u304c\u95a2\u9023\u30af\u30e9\u30b9\u306e\u8f9e\u66f8\u30ad\u30fc\u306b\u3042\u308b\u304b\u3069\u3046\u304b\u3092\u30c1\u30a7\u30c3\u30af\u3059\u308b\u30eb\u30fc\u30d7\u3092\u793a\u3057\u3066\u3044\u307e\u3059\u3002\u3042\u308c\u3070 Kazuar \u306f\u30ad\u30fc\u3068\u5024\u3092\u4ea4\u63db\u3057\u3001\u305d\u308c\u3092\u4f5c\u6210\u3055\u308c\u305f\u6587\u5b57\u5217\u306b\u8ffd\u52a0\u3057\u307e\u3059\u3002\u306a\u3051\u308c\u3070\u3001\u5143\u306e\u6587\u5b57\u304c\u7dad\u6301\u3055\u308c\u307e\u3059\u3002<\/p>\n<p>\u3053\u3046\u3057\u305f\u6587\u5b57\u5217\u306e\u96e3\u8aad\u5316\u306b\u52a0\u3048\u3066\u3001\u30b3\u30fc\u30c9\u5185\u306e\u30af\u30e9\u30b9\u3084\u30e1\u30bd\u30c3\u30c9\u306b\u610f\u5473\u306e\u306a\u3044\u540d\u524d\u3092\u4ed8\u3051\u308b\u3053\u3068\u3067\u3001\u4f5c\u8005\u306f\u5206\u6790\u3092\u3088\u308a\u56f0\u96e3\u306b\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<figure id=\"attachment_130913\" aria-describedby=\"caption-attachment-130913\" style=\"width: 658px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-130913 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/10\/word-image-130890-11.png\" alt=\"\u753b\u50cf 11 \u306f\u591a\u6570\u306e\u30b3\u30fc\u30c9\u884c\u304b\u3089\u306a\u308b\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3067\u3059\u3002\u3053\u306e\u30eb\u30fc\u30d7\u306b\u3088\u308a\u3001\u96e3\u8aad\u5316\u3092\u89e3\u9664\u3057\u305f\u6587\u5b57\u5217\u304c\u4f5c\u6210\u3055\u308c\u307e\u3059\u3002\" width=\"658\" height=\"295\" \/><figcaption id=\"caption-attachment-130913\" class=\"wp-caption-text\">\u56f3 11. 
\u96e3\u8aad\u5316\u3092\u89e3\u9664\u3057\u305f\u6587\u5b57\u5217\u3092\u4f5c\u6210\u3059\u308b\u30eb\u30fc\u30d7<\/figcaption><\/figure>\n<p>Kazuar \u304c\u5fa9\u53f7\u3057\u305f\u6587\u5b57\u5217\u306e\u3072\u3068\u3064\u306f\u3001\u300c<span style=\"font-family: 'courier new', courier, monospace;\">Invalid pong responce<\/span>\u300d\u3068\u3044\u3046\u5024\u3092\u8fd4\u3057\u307e\u3059 (\u56f3 12)\u3002\u30de\u30eb\u30a6\u30a7\u30a2\u958b\u767a\u8005\u306e 1 \u4eba\u304c\u3001\u30ed\u30b7\u30a2\u8a9e\u306e C \u3092\u82f1\u8a9e\u306e S \u306b\u5207\u308a\u66ff\u3048\u308b\u306e\u3092\u5fd8\u308c\u305f\u3088\u3046\u3067\u3059\u3002<\/p>\n<figure id=\"attachment_130915\" aria-describedby=\"caption-attachment-130915\" style=\"width: 387px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-130915 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/10\/word-image-130890-12.png\" alt=\"\u753b\u50cf 12 \u306f\u3042\u308b\u8868\u306e\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3067\u3059\u3002Name \u3068 Value \u3068\u3044\u3046 2 \u3064\u306e\u5217\u304c\u3042\u308a\u307e\u3059\u3002Name \u306e\u5217\u306b\u306f\u3001JJ\u3001stringBuilder\u3001i \u304c\u3042\u308a\u307e\u3059\u3002\u5bfe\u5fdc\u3059\u308b\u5024\u304c\u305d\u306e\u6a2a\u306b\u30ea\u30b9\u30c8\u3055\u308c\u3066\u3044\u307e\u3059\u3002\" width=\"387\" height=\"75\" \/><figcaption id=\"caption-attachment-130915\" class=\"wp-caption-text\">\u56f3 12. 
typo in the \"<span style=\"font-family: 'courier new', courier, monospace;\">response<\/span>\" string (responce)<\/figcaption><\/figure>\n<h3><a id=\"post-130959-_4cs5iv9ijnhp\"><\/a>Core Functionality<\/h3>\n<p>To avoid takedowns, Kazuar uses hijacked legitimate websites as its C2 infrastructure, <a href=\"https:\/\/www.recordedfuture.com\/turla-apt-infrastructure\" target=\"_blank\" rel=\"noopener\">a technique commonly seen with Pensive Ursa<\/a>. In addition, as noted in the <a href=\"#post-130959-_epngo2omwiwz\">Injection Modes<\/a> section, Kazuar also supports communication over named pipes. Kazuar receives remote commands and tasks through both of these mechanisms (as the code itself describes).<\/p>\n<h4><a id=\"post-130959-_tf1renih7nn9\"><\/a>Supported C2 Commands<\/h4>\n<p>As shown in Table 2, Kazuar supports 45 distinct tasks that it can receive from the C2. Some of these tasks were not documented in previous research, which indicates that development of the Kazuar code base has progressed further. By comparison, the first Kazuar variant, analyzed in 2017, supported only 26 C2 commands.<\/p>\n<p>We grouped Kazuar's commands into the following categories:<\/p>\n<ul>\n<li>Host data collection<\/li>\n<li>Extended forensic data collection<\/li>\n<li>File manipulation<\/li>\n<li>Arbitrary command execution<\/li>\n<li>Interaction with Kazuar's configuration<\/li>\n<li>Registry querying and manipulation<\/li>\n<li>Script execution (VBS, PowerShell, JavaScript)<\/li>\n<li>Custom network requests<\/li>\n<li>Theft of credentials and sensitive information<\/li>\n<\/ul>\n<table style=\"width: 100%; height: 1452px;\">\n<tbody>\n<tr style=\"height: 24px;\">\n<td style=\"height: 24px; width: 14.784%;\"><b>Command<\/b><\/td>\n<td style=\"height: 24px; width: 84.5515%;\"><b>Description<\/b><\/td>\n<\/tr>\n<tr style=\"height: 75px;\">\n<td style=\"height: 75px; width: 14.784%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">sindex<\/span><\/td>\n<td style=\"height: 75px; width: 84.5515%;\"><span style=\"font-weight: 400;\">Searches under the <\/span><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">C:\\Users\\<\/span><span style=\"font-weight: 400;\"> path for the properties of files with the extensions <\/span><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">.txt<\/span><span style=\"font-weight: 400;\">,<\/span><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\"> .ini<\/span><span style=\"font-weight: 400;\">,<\/span><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\"> .config<\/span><span style=\"font-weight: 400;\">,<\/span><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\"> .vbs<\/span><span style=\"font-weight: 400;\">,<\/span><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\"> .js<\/span><span style=\"font-weight: 400;\">,<\/span><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\"> .ps1<\/span><span style=\"font-weight: 400;\">,<\/span><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\"> .doc<\/span><span style=\"font-weight: 400;\">,<\/span><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\"> .docx<\/span><span style=\"font-weight: 400;\">,<\/span><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\"> .xls<\/span><span style=\"font-weight: 400;\">,<\/span><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\"> .xlsx<\/span><span style=\"font-weight: 400;\">,<\/span><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\"> .ppt<\/span><span style=\"font-weight: 400;\"> and<\/span><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\"> .pptx<\/span><span style=\"font-weight: 400;\">.<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 14.784%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">scrshot<\/span><\/td>\n<td style=\"height: 25px; width: 84.5515%;\"><span style=\"font-weight: 400;\">Takes a screenshot of the window of the specified process.<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 14.784%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">move<\/span><\/td>\n<td style=\"height: 25px; width: 84.5515%;\"><span style=\"font-weight: 400;\">Moves a file from a source path to a destination path.<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 14.784%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">info<\/span><\/td>\n<td style=\"height: 25px; width: 84.5515%;\"><span style=\"font-weight: 400;\">Retrieves system information for one or more fields<\/span> (see the <a href=\"https:\/\/github.com\/PaloAltoNetworks\/Unti42-Threat-Intelligence-Article-Information\/blob\/main\/Appendix-for-article-on-Pensive-Ursa-using-Kazuar.md\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">appendix<\/span><\/a>).<\/td>\n<\/tr>\n<tr style=\"height: 48px;\">\n<td style=\"height: 48px; width: 14.784%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">steal<\/span><\/td>\n<td style=\"height: 48px; width: 84.5515%;\"><span style=\"font-weight: 400;\">Steals data from various browsers and applications (see the <\/span><a href=\"https:\/\/github.com\/PaloAltoNetworks\/Unti42-Threat-Intelligence-Article-Information\/blob\/main\/Appendix-for-article-on-Pensive-Ursa-using-Kazuar.md\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">appendix<\/span><\/a> for the full list of IDs).<\/td>\n<\/tr>\n<tr style=\"height: 48px;\">\n<td style=\"height: 48px; width: 14.784%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">run<\/span><\/td>\n<td style=\"height: 48px; width: 84.5515%;\"><span style=\"font-weight: 400;\">Runs the specified executable with the specified arguments, saves the result to a temporary file, and then uploads that file to the C2 server.<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 14.784%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">schlist<\/span><\/td>\n<td style=\"height: 25px; width: 84.5515%;\"><span style=\"font-weight: 400;\">Retrieves data about scheduled tasks using the <\/span><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">Schedule.Service<\/span><span style=\"font-weight: 400;\"> COM object.<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 14.784%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">config<\/span><\/td>\n<td style=\"height: 25px; width: 84.5515%;\"><span style=\"font-weight: 400;\">Updates Kazuar's configuration file.<\/span><\/td>\n<\/tr>\n<tr style=\"height: 48px;\">\n<td style=\"height: 48px; width: 14.784%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">netuse<\/span><\/td>\n<td style=\"height: 48px; width: 84.5515%;\"><span style=\"font-weight: 400;\">Connects or removes a network resource on the machine using the <\/span><a href=\"https:\/\/learn.microsoft.com\/ja-jp\/windows\/win32\/api\/winnetwk\/nf-winnetwk-wnetaddconnection2a\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">WNetAddConnection2<\/span><\/a><span style=\"font-weight: 400;\"> and <\/span><a href=\"https:\/\/learn.microsoft.com\/ja-jp\/windows\/win32\/api\/winnetwk\/nf-winnetwk-wnetcancelconnection2a\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">WNetCancelConnection2<\/span><\/a><span style=\"font-weight: 400;\"> WinAPIs.<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 14.784%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">log<\/span><\/td>\n<td style=\"height: 25px; width: 84.5515%;\"><span style=\"font-weight: 400;\">Appends a custom log entry to the log file.<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 14.784%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">delegate<\/span><\/td>\n<td style=\"height: 25px; width: 84.5515%;\"><span style=\"font-weight: 400;\">Sends a command to another Kazuar implant on a remote system using a PIPE.<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 14.784%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">eventlog<\/span><\/td>\n<td style=\"height: 25px; width: 84.5515%;\"><span style=\"font-weight: 400;\">Retrieves Windows event log entries.<\/span><\/td>\n<\/tr>\n<tr style=\"height: 48px;\">\n<td style=\"height: 48px; width: 14.784%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">get<\/span><\/td>\n<td style=\"height: 48px; width: 84.5515%;\"><span style=\"font-weight: 400;\">Uploads files from the specified directory to Kazuar's C2 server. The target files are selected based on their modification, last access, and creation timestamps.<\/span><\/td>\n<\/tr>\n<tr style=\"height: 48px;\">\n<td style=\"height: 48px; width: 14.784%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">autoruns<\/span><\/td>\n<td style=\"height: 48px; width: 84.5515%;\"><span style=\"font-weight: 400;\">Checks various possibilities for persisting software on the infected machine (the checks are described in the <\/span><a href=\"https:\/\/github.com\/PaloAltoNetworks\/Unti42-Threat-Intelligence-Article-Information\/blob\/main\/Appendix-for-article-on-Pensive-Ursa-using-Kazuar.md\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">appendix<\/span><\/a>).<\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 14.784%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">put<\/span><\/td>\n<td style=\"height: 25px; width: 84.5515%;\"><span style=\"font-weight: 400;\">Writes received data to the specified file on the system.<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 14.784%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">regwrite<\/span><\/td>\n<td style=\"height: 25px; width: 84.5515%;\"><span style=\"font-weight: 400;\">Sets a registry key\/value.<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 14.784%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">autoslist<\/span><\/td>\n<td style=\"height: 25px; width: 84.5515%;\"><span style=\"font-weight: 400;\">Lists the number of files created under the Autos feature.<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 14.784%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">vbs<\/span><\/td>\n<td style=\"height: 25px; width: 84.5515%;\"><span style=\"font-weight: 400;\">Executes VBScript.<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 14.784%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">psh<\/span><\/td>\n<td style=\"height: 25px; width: 84.5515%;\"><span style=\"font-weight: 400;\">Executes a PowerShell script.<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 14.784%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">sleep<\/span><\/td>\n<td style=\"height: 25px; width: 84.5515%;\"><span style=\"font-weight: 400;\">Sets Kazuar to sleep for the specified time.<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 14.784%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">regdelete<\/span><\/td>\n<td style=\"height: 25px; width: 84.5515%;\"><span style=\"font-weight: 400;\">Deletes a registry key\/value.<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 14.784%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">timelimit<\/span><\/td>\n<td style=\"height: 25px; width: 84.5515%;\"><span style=\"font-weight: 400;\">Sets a time limit for tasks received from the server.<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 14.784%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">dlllist<\/span><\/td>\n<td style=\"height: 25px; width: 84.5515%;\"><span style=\"font-weight: 400;\">Retrieves all loaded modules of the specified process.<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 14.784%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">autosget<\/span><\/td>\n<td style=\"height: 25px; width: 84.5515%;\"><span style=\"font-weight: 400;\">Sends the files generated by the Autos feature to the C2.<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 14.784%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">wmiquery<\/span><\/td>\n<td style=\"height: 25px; width: 84.5515%;\"><span style=\"font-weight: 400;\">Executes a WMI query.<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 14.784%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">dotnet<\/span><\/td>\n<td style=\"height: 25px; width: 84.5515%;\"><span style=\"font-weight: 400;\">Executes a .NET method received from the C2.<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 14.784%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">tasklist<\/span><\/td>\n<td style=\"height: 25px; width: 84.5515%;\"><span style=\"font-weight: 400;\">Retrieves the list of running processes.<\/span><\/td>\n<\/tr>\n<tr style=\"height: 48px;\">\n<td style=\"height: 48px; width: 14.784%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">find<\/span><\/td>\n<td style=\"height: 48px; width: 84.5515%;\"><span style=\"font-weight: 400;\">Searches the specified directory and lists the files in it. The attacker can apparently specify which files to list based on their modified, accessed, and created timestamps.<\/span><\/td>\n<\/tr>\n<tr style=\"height: 48px;\">\n<td style=\"height: 48px; width: 14.784%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">peep<\/span><\/td>\n<td style=\"height: 48px; width: 84.5515%;\"><span style=\"font-weight: 400;\">Executes commands related to the peeping functionality described in the Peep section.<\/span><\/td>\n<\/tr>\n<tr style=\"height: 48px;\">\n<td style=\"height: 48px; width: 14.784%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">forensic<\/span><\/td>\n<td style=\"height: 48px; width: 84.5515%;\"><span style=\"font-weight: 400;\">Checks the system for multiple forensic artifacts (see the <\/span><a href=\"https:\/\/github.com\/PaloAltoNetworks\/Unti42-Threat-Intelligence-Article-Information\/blob\/main\/Appendix-for-article-on-Pensive-Ursa-using-Kazuar.md\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">appendix<\/span><\/a>).<\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 14.784%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">kill<\/span><\/td>\n<td style=\"height: 25px; width: 84.5515%;\"><span style=\"font-weight: 400;\">Terminates a process by name or process identifier (PID).<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 14.784%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">regquery<\/span><\/td>\n<td style=\"height: 25px; width: 84.5515%;\"><span style=\"font-weight: 400;\">Queries a registry key.<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 14.784%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">chakra<\/span><\/td>\n<td style=\"height: 25px; width: 84.5515%;\"><span style=\"font-weight: 400;\">Executes JavaScript using <\/span><a href=\"https:\/\/github.com\/chakra-core\/ChakraCore\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">ChakraCore<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 14.784%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">http<\/span><\/td>\n<td style=\"height: 25px; width: 84.5515%;\"><span style=\"font-weight: 400;\">Creates a crafted HTTP request.<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 14.784%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">pipelist<\/span><\/td>\n<td style=\"height: 25px; width: 84.5515%;\"><span style=\"font-weight: 400;\">Retrieves the list of open pipes on a given machine.<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 14.784%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">jsc<\/span><\/td>\n<td style=\"height: 25px; width: 84.5515%;\"><span style=\"font-weight: 400;\">Executes JavaScript.<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 14.784%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">wmicall<\/span><\/td>\n<td style=\"height: 25px; width: 84.5515%;\"><span style=\"font-weight: 400;\">Invokes a WMI method.<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 14.784%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">autosdel<\/span><\/td>\n<td style=\"height: 25px; width: 84.5515%;\"><span style=\"font-weight: 400;\">Deletes the files created by the Autos feature.<\/span><\/td>\n<\/tr>\n<tr style=\"height: 48px;\">\n<td style=\"height: 48px; width: 14.784%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">del<\/span><\/td>\n<td style=\"height: 48px; width: 84.5515%;\"><span style=\"font-weight: 400;\">Deletes the specified file or folder. This deletion accepts one flag, which overwrites the file with random data before deleting it, allowing the attacker to securely delete the file.<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 14.784%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">nbts<\/span><\/td>\n<td style=\"height: 25px; width: 84.5515%;\"><span style=\"font-weight: 400;\">Creates a NetBIOS request.<\/span><\/td>\n<\/tr>\n<tr style=\"height: 48px;\">\n<td style=\"height: 48px; width: 14.784%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">copy<\/span><\/td>\n<td style=\"height: 48px; width: 84.5515%;\"><span style=\"font-weight: 400;\">Copies the specified file to the specified location. If the destination file already exists, the attacker can overwrite it.<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 14.784%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">upgrade<\/span><\/td>\n<td style=\"height: 25px; width: 84.5515%;\"><span style=\"font-weight: 400;\">Downloads an upgrade of the malware.<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 14.784%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">cmd<\/span><\/td>\n<td style=\"height: 25px; width: 84.5515%;\"><span style=\"font-weight: 400;\">Executes commands via <\/span><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">cmd.exe<\/span><span style=\"font-weight: 400;\">.<\/span><\/td>\n<\/tr>\n<tr style=\"height: 48px;\">\n<td style=\"height: 48px; width: 14.784%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">unattend<\/span><\/td>\n<td style=\"height: 48px; width: 84.5515%;\"><span style=\"font-weight: 400;\">Steals files related to various Windows configurations or cloud application credentials (see the <\/span><a href=\"https:\/\/github.com\/PaloAltoNetworks\/Unti42-Threat-Intelligence-Article-Information\/blob\/main\/Appendix-for-article-on-Pensive-Ursa-using-Kazuar.md\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">appendix<\/span><\/a> for the full list of files).<\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 14.784%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">autosclear<\/span><\/td>\n<td style=\"height: 25px; width: 84.5515%;\"><span style=\"font-weight: 400;\">Clears the log list of Autos files.<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p style=\"text-align: center;\"><span style=\"font-size: 8pt; color: #999999;\"><em>Table 2. C2 commands supported by Kazuar<\/em><\/span><\/p>\n<h4><a id=\"post-130959-_5higatyq4hy\"><\/a>Credential Theft from Cloud, Source Control, and Messaging Apps<\/h4>\n<p>By receiving commands such as <span style=\"font-family: 'courier new', courier, monospace;\">steal<\/span> and <span style=\"font-family: 'courier new', courier, monospace;\">unattend<\/span> from the C2, Kazuar has the ability to attempt credential theft from various artifacts on the infected computer.<\/p>\n<p>These artifacts include several well-known cloud applications.<\/p>\n<p>Kazuar may attempt to steal sensitive files containing credentials for these applications. The artifacts Kazuar targets include Git SCM (a source control system popular among developers), shown in Figure 13, and Signal (an encrypted messaging service for private instant messaging). See the <a href=\"https:\/\/github.com\/PaloAltoNetworks\/Unti42-Threat-Intelligence-Article-Information\/blob\/main\/Appendix-for-article-on-Pensive-Ursa-using-Kazuar.md\" target=\"_blank\" rel=\"noopener\">appendix<\/a> for a full description of the artifacts.<\/p>\n<figure id=\"attachment_130917\" aria-describedby=\"caption-attachment-130917\" style=\"width: 617px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-130917 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/10\/word-image-130890-13.png\" alt=\"Image 13 is a screenshot consisting of many lines of code. It is an example of Git SCM credentials that Kazuar may steal.\" width=\"617\" height=\"270\" \/><figcaption id=\"caption-attachment-130917\" class=\"wp-caption-text\">Figure 13. Code snippet of Git SCM credentials that Kazuar may attempt to steal<\/figcaption><\/figure>\n<h4><a id=\"post-130959-_lz74dc7im8ye\"><\/a>Comprehensive System Profiling<\/h4>\n<p>When Kazuar first spawns its unique <span style=\"font-family: 'courier new', courier, monospace;\">solver<\/span> thread, the first task it runs automatically is extensive information gathering and profiling of the target system. Kazuar's authors named this task <span style=\"font-family: 'courier new', courier, monospace;\">first_systeminfo_do<\/span>. In this task, Kazuar collects extensive information about the infected machine and sends it to the C2. This information includes details about the operating system, hardware, and network. The full set of content the attacker collects is included in the <a href=\"https:\/\/github.com\/PaloAltoNetworks\/Unti42-Threat-Intelligence-Article-Information\/blob\/main\/Appendix-for-article-on-Pensive-Ursa-using-Kazuar.md\" target=\"_blank\" rel=\"noopener\">appendix<\/a>.<\/p>\n<p>Kazuar saves this data to an <span style=\"font-family: 'courier new', courier, monospace;\">info.txt<\/span> file and its execution log to a <span style=\"font-family: 'courier new', courier, monospace;\">logs.txt<\/span> file. As noted in the <a href=\"#post-130959-_iyihiznxpnx1\">Task Solver<\/a> section, this result can be observed in memory; in this case it is an archive (Figure 14).<\/p>\n<figure id=\"attachment_130919\" aria-describedby=\"caption-attachment-130919\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-130919 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/10\/word-image-130890-14.png\" alt=\"Image 14 is a screenshot of the result of the first_systeminfo_do archive in memory. Highlighted in red is the zip header 0x50, 0x4B, 0x03, 0x04.\" width=\"900\" height=\"215\" \/><figcaption id=\"caption-attachment-130919\" class=\"wp-caption-text\">Figure 14. Result of the <span style=\"font-family: 'courier new', courier, monospace;\">first_systeminfo_do<\/span> archive in memory<\/figcaption><\/figure>\n<p>In addition to the two text files described above, as part of this task the malware captures a screenshot of the user's screen. Figure 15 shows how all of these files are zipped into a single archive, which is then encrypted and sent to the C2.<\/p>\n<figure id=\"attachment_130921\" aria-describedby=\"caption-attachment-130921\" style=\"width: 663px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-130921 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/10\/word-image-130890-15.png\" alt=\"Image 15 is a 7zip folder. The path is redacted. The folder contents are scrshot000.jpg, info.txt and logs.txt. The folder also shows size, packed size, attributes, encryption and comment information.\" width=\"663\" height=\"220\" \/><figcaption id=\"caption-attachment-130921\" class=\"wp-caption-text\">Figure 15. Result of the <span style=\"font-family: 'courier new', courier, monospace;\">first_systeminfo_do<\/span> archive extracted from memory, before it is encrypted<\/figcaption><\/figure>\n<h4><a id=\"post-130959-_9pmase4f3klc\"><\/a>Creating Automated Tasks (Autos)<\/h4>\n<p>Kazuar has the ability to set up automated tasks that run at specified intervals to collect information from the infected machine. Figure 16 shows an example of this feature as recorded in Kazuar's configuration.<\/p>\n<p>These automated tasks include the following:<\/p>\n<ul>\n<li>System information collection (described in the Comprehensive System Profiling section)<\/li>\n<li>Screenshot capture<\/li>\n<li>Credential theft (see the <a href=\"https:\/\/github.com\/PaloAltoNetworks\/Unti42-Threat-Intelligence-Article-Information\/blob\/main\/Appendix-for-article-on-Pensive-Ursa-using-Kazuar.md\" target=\"_blank\" rel=\"noopener\">appendix<\/a> for details)<\/li>\n<li>Forensic data retrieval (<a href=\"https:\/\/github.com\/PaloAltoNetworks\/Unti42-Threat-Intelligence-Article-Information\/blob\/main\/Appendix-for-article-on-Pensive-Ursa-using-Kazuar.md\" target=\"_blank\" 
rel=\"noopener\">\u4ed8\u9332<\/a>\u53c2\u7167)<\/li>\n<li>autorun (\u81ea\u52d5\u5b9f\u884c) \u30c7\u30fc\u30bf\u306e\u53d6\u5f97 (<a href=\"https:\/\/github.com\/PaloAltoNetworks\/Unti42-Threat-Intelligence-Article-Information\/blob\/main\/Appendix-for-article-on-Pensive-Ursa-using-Kazuar.md\" target=\"_blank\" rel=\"noopener\">\u4ed8\u9332<\/a>\u53c2\u7167)<\/li>\n<li>\u7279\u5b9a\u30d5\u30a9\u30eb\u30c0\u30fc\u304b\u3089\u306e\u30d5\u30a1\u30a4\u30eb\u306e\u53d6\u5f97<\/li>\n<li>\u6307\u5b9a\u30d5\u30a9\u30eb\u30c0\u30fc\u304b\u3089\u306eLNK\u30d5\u30a1\u30a4\u30eb\u306e\u4e00\u89a7\u53d6\u5f97<\/li>\n<li><a href=\"https:\/\/ja.wikipedia.org\/wiki\/Messaging_Application_Programming_Interface\" target=\"_blank\" rel=\"noopener\">MAPI<\/a> \u3092\u5229\u7528\u3057\u305f\u96fb\u5b50\u30e1\u30fc\u30eb\u306e\u7a83\u53d6<\/li>\n<\/ul>\n<figure id=\"attachment_130923\" aria-describedby=\"caption-attachment-130923\" style=\"width: 354px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-130923 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/10\/word-image-130890-16.png\" alt=\"\u753b\u50cf 16 \u306f\u3001Kazuar \u306b\u3088\u308b Autos \u6a5f\u80fd\u69cb\u6210\u306e\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3067\u3059\u3002\u3053\u306e\u69cb\u6210\u306b\u306f\u3001maximal storage count\u3001result size\u3001collect with system\u3001do deleted files \u306a\u3069\u306e\u30b3\u30de\u30f3\u30c9\u60c5\u5831\u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3059\u3002\" width=\"354\" height=\"163\" \/><figcaption id=\"caption-attachment-130923\" class=\"wp-caption-text\">\u56f3 16. 
Kazuar \u306e <span style=\"font-family: 'courier new', courier, monospace;\">Autos<\/span> \u6a5f\u80fd\u306e\u69cb\u6210\u306e\u30b9\u30cb\u30da\u30c3\u30c8<\/figcaption><\/figure>\n<h4><a id=\"post-130959-_bcjlnelommut\"><\/a>\u30a2\u30af\u30c6\u30a3\u30d6 \u30a6\u30a3\u30f3\u30c9\u30a6\u306e\u76e3\u8996 (Peeps: \u7a83\u8996)<\/h4>\n<p>Kazuar \u3067\u306f\u653b\u6483\u8005\u304c\u300c\u7a83\u8996 (peep) \u30eb\u30fc\u30eb\u300d\u3068\u547c\u3076\u30eb\u30fc\u30eb\u3092\u69cb\u6210\u5185\u306b\u8a2d\u5b9a\u53ef\u80fd\u3067\u3059\u3002\u30c7\u30d5\u30a9\u30eb\u30c8\u306e Kazuar \u306b\u306f\u3053\u308c\u3089\u306e\u30eb\u30fc\u30eb\u306f\u8a2d\u5b9a\u3055\u308c\u3066\u3044\u307e\u305b\u3093\u304c\u3001\u30de\u30eb\u30a6\u30a7\u30a2\u306e\u30b3\u30fc\u30c9\u306b\u3088\u308c\u3070\u3001\u3053\u306e\u6a5f\u80fd\u306b\u3088\u308a\u3001\u653b\u6483\u8005\u306f\u6307\u5b9a\u3057\u305f\u30d7\u30ed\u30bb\u30b9\u306e\u30a6\u30a3\u30f3\u30c9\u30a6\u3092\u76e3\u8996\u3067\u304d\u308b\u3088\u3046\u3067\u3059\u3002\u3053\u308c\u306b\u3088\u308a\u3001\u653b\u6483\u8005\u306f\u4fb5\u5bb3\u3057\u305f\u30de\u30b7\u30f3\u4e0a\u3067\u95a2\u5fc3\u306e\u5bfe\u8c61\u3068\u306a\u308b\u30e6\u30fc\u30b6\u30fc\u306e\u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3\u3092\u8ffd\u8de1\u3067\u304d\u308b\u3088\u3046\u306b\u306a\u308a\u307e\u3059\u3002<\/p>\n<h3><a id=\"post-130959-_v56xgfp87lmn\"><\/a>\u30b3\u30de\u30f3\u30c9 &amp; \u30b3\u30f3\u30c8\u30ed\u30fc\u30eb\u3068\u306e\u901a\u4fe1<\/h3>\n<h4><a id=\"post-130959-_kaxvjrbkun4m\"><\/a>HTTP<\/h4>\n<p>Kazuar \u306f\u3001\u524d\u8ff0\u306e\u5206\u6790\u5bfe\u7b56\u30c1\u30a7\u30c3\u30af\u306b\u52a0\u3048\u3001C2 
\u30b5\u30fc\u30d0\u30fc\u3068\u306e\u901a\u4fe1\u30c1\u30e3\u30cd\u30eb\u78ba\u7acb\u524d\u306b\u69cb\u6210\u30c7\u30fc\u30bf\u306e\u9001\u4fe1\u6642\u9593\u9593\u9694\u3092\u30c1\u30a7\u30c3\u30af\u3057\u3066\u3044\u307e\u3059\u3002\u3053\u306e\u30c1\u30a7\u30c3\u30af\u306b\u306f\u3001\u9031\u672b\u306b\u30c7\u30fc\u30bf\u3092\u9001\u4fe1\u3059\u308b\u5fc5\u8981\u304c\u3042\u308b\u304b\u3069\u3046\u304b\u306e\u6c7a\u5b9a\u304c\u542b\u307e\u308c\u307e\u3059\u3002<\/p>\n<p>\u6700\u521d\u306e\u901a\u4fe1\u6642\u306b\u3001Kazuar \u306f\u53ce\u96c6\u3057\u305f\u30c7\u30fc\u30bf (\u300c\u5305\u62ec\u7684\u306a\u30b7\u30b9\u30c6\u30e0 \u30d7\u30ed\u30d5\u30a1\u30a4\u30ea\u30f3\u30b0\u300d\u306e\u30bb\u30af\u30b7\u30e7\u30f3\u3067\u8aac\u660e) \u3092 XML \u5f62\u5f0f\u3067\u9001\u4fe1\u3057\u3001\u65b0\u305f\u306a\u30bf\u30b9\u30af\u3068\u3068\u3082\u306b XML \u3067\u69cb\u9020\u5316\u3055\u308c\u305f\u5fdc\u7b54\u304c\u8fd4\u3055\u308c\u308b\u3053\u3068\u3092\u671f\u5f85\u3057\u3066\u3044\u307e\u3059\u3002\u56f3 17 \u306b\u305d\u306e HTTP \u30ea\u30af\u30a8\u30b9\u30c8\u3092\u793a\u3057\u307e\u3059\u3002<\/p>\n<p>Kazuar \u306f\u30cf\u30fc\u30c9\u30b3\u30fc\u30c9\u3055\u308c\u305f\u5024 <span style=\"font-family: 'courier new', courier, monospace;\">169739e7-2112-9514-6a61-d300c0fef02d<\/span> \u3092\u6587\u5b57\u5217\u306b\u578b\u30ad\u30e3\u30b9\u30c8\u3057\u3001Base64 \u3067\u30a8\u30f3\u30b3\u30fc\u30c9\u3057\u305f\u3082\u306e\u3092\u30af\u30c3\u30ad\u30fc\u3068\u3057\u3066\u4f7f\u7528\u3057\u307e\u3059\u3002<\/p>\n<figure id=\"attachment_130925\" aria-describedby=\"caption-attachment-130925\" style=\"width: 765px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-130925 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/10\/word-image-130890-17.jpeg\" alt=\"\u753b\u50cf 17 \u306f HTTP POST 
\u30b3\u30de\u30f3\u30c9\u306e\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3067\u3059\u3002\u8d64\u304f\u30cf\u30a4\u30e9\u30a4\u30c8\u3055\u308c\u3066\u3044\u308b\u306e\u306f\u3001Base64 \u3067\u30cf\u30fc\u30c9\u30b3\u30fc\u30c9\u3055\u308c\u305f\u30af\u30c3\u30ad\u30fc\u306e\u5024\u3068\u3001\u751f\u6210\u3055\u308c\u305f XML \u30bf\u30b0\u3067\u3059\u3002\" width=\"765\" height=\"327\" \/><figcaption id=\"caption-attachment-130925\" class=\"wp-caption-text\">\u56f3 17. \u30dc\u30c7\u30a3\u306b XML \u3092\u542b\u3080 HTTP POST \u30b3\u30de\u30f3\u30c9\u304c C2 \u306b\u9001\u4fe1\u3055\u308c\u308b<\/figcaption><\/figure>\n<p>Kazuar \u306f XML \u7528\u306e\u30ad\u30fc\u540d\u3092\u751f\u6210\u3057\u3001Base64 \u3067\u30b3\u30f3\u30c6\u30f3\u30c4\u3092\u30a8\u30f3\u30b3\u30fc\u30c9\u3057\u3066\u304b\u3089 C2 \u306b\u9001\u308a\u307e\u3059\u3002\u3053\u306e XML \u306e\u5185\u5bb9\u306b\u306f\u6b21\u306e\u3082\u306e\u304c\u542b\u307e\u308c\u307e\u3059\u3002<\/p>\n<ul>\n<li>result \u30d5\u30a1\u30a4\u30eb\u306e\u5185\u5bb9\u3092\u6697\u53f7\u5316\u3057\u305f\u3082\u306e<\/li>\n<li>\u7d50\u679c\u306e\u8b58\u5225\u5b50<\/li>\n<li>\u64ec\u4f3c\u4e71\u6570\u306b\u3088\u308b 4 \u30d0\u30a4\u30c8\u306e\u6570\u5024\u3002\u304a\u305d\u3089\u304f\u306f\u5225\u306e\u7a2e\u985e\u306e\u8b58\u5225\u5b50\u304b<\/li>\n<li>\u30de\u30b7\u30f3\u306e GUID \u306b\u57fa\u3065\u3044\u3066\u64ec\u4f3c\u4e71\u6570\u3067\u751f\u6210\u3057\u305f\u5024\u3092\u542b\u3080\u914d\u5217<\/li>\n<li>\u30cf\u30fc\u30c9\u30b3\u30fc\u30c9\u3055\u308c\u305f GUID \u306e\u63a5\u7d9a\u6587\u5b57\u5217 <span style=\"font-family: 'courier new', courier, monospace;\">169739e7-2112-9514-6a61-d300c0fef02d<\/span><\/li>\n<li>\u305d\u306e\u30de\u30b7\u30f3\u306e\u4e00\u610f\u306a GUID<\/li>\n<\/ul>\n<h4><a id=\"post-130959-_nqqzm06nonld\"><\/a>\u540d\u524d\u4ed8\u304d\u30d1\u30a4\u30d7\u3092\u4f7f\u7528\u3057\u305f\u901a\u4fe1<\/h4>\n<p>C2 \u3068\u306e\u76f4\u63a5 HTTP 
\u901a\u4fe1\u306b\u52a0\u3048\u3001Kazuar \u306f\u30d7\u30ed\u30ad\u30b7\u30fc\u3068\u3057\u3066\u6a5f\u80fd\u3057\u3001\u611f\u67d3\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u5185\u306b\u3042\u308b Kazuar \u30a8\u30fc\u30b8\u30a7\u30f3\u30c8\u9593\u3067\u30b3\u30de\u30f3\u30c9\u3092\u9001\u53d7\u4fe1\u3059\u308b\u6a5f\u80fd\u3092\u5099\u3048\u3066\u3044\u307e\u3059\u3002\u3053\u306e\u30d7\u30ed\u30ad\u30b7\u30fc\u901a\u4fe1\u306f<a href=\"https:\/\/learn.microsoft.com\/ja-jp\/windows\/win32\/ipc\/named-pipes\" target=\"_blank\" rel=\"noopener\">\u540d\u524d\u4ed8\u304d\u30d1\u30a4\u30d7<\/a>\u7d4c\u7531\u3067\u884c\u308f\u308c\u3066\u3044\u307e\u3059\u3002\u305d\u306e\u3055\u3044\u306f\u3001\u30de\u30b7\u30f3\u306e GUID \u306b\u57fa\u3065\u3044\u3066\u540d\u524d\u3092\u751f\u6210\u3057\u307e\u3059\u3002<\/p>\n<p>Kazuar \u306f\u3053\u308c\u3089\u306e\u30d1\u30a4\u30d7\u3092\u4f7f\u3063\u3066\u3001\u3055\u307e\u3056\u307e\u306a Kazuar \u30a4\u30f3\u30b9\u30bf\u30f3\u30b9\u9593\u306e\u30d4\u30a2\u30fb\u30c4\u30fc\u30fb\u30d4\u30a2\u901a\u4fe1\u3092\u78ba\u7acb\u3057\u3001\u305d\u308c\u305e\u308c\u3092\u30b5\u30fc\u30d0\u30fc\u307e\u305f\u306f\u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u3068\u3057\u3066\u69cb\u6210\u3057\u307e\u3059\u3002\u3053\u306e\u540d\u524d\u4ed8\u304d\u30d1\u30a4\u30d7\u901a\u4fe1\u306f\u3001\u8868 3 \u306b\u793a\u3059\u30ea\u30e2\u30fc\u30c8 \u30ea\u30af\u30a8\u30b9\u30c8\u3092\u30b5\u30dd\u30fc\u30c8\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<table>\n<tbody>\n<tr>\n<td style=\"text-align: center;\"><b>\u30ea\u30e2\u30fc\u30c8 \u30ea\u30af\u30a8\u30b9\u30c8<\/b><\/td>\n<td style=\"text-align: center;\"><b>Kazuar \u306e\u30ec\u30b9\u30dd\u30f3\u30b9<\/b><\/td>\n<td style=\"text-align: center;\"><b>\u8aac\u660e<\/b><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">PING<\/span><\/td>\n<td><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">PONG<\/span><\/td>\n<td><span 
style=\"font-weight: 400;\">\u73fe\u5728\u306e\u30a4\u30f3\u30b9\u30bf\u30f3\u30b9\u306e\u30d7\u30ed\u30bb\u30b9\u60c5\u5831\u3092\u542b\u3080\u30e1\u30c3\u30bb\u30fc\u30b8\u3092\u8fd4\u3059<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">TASK<\/span><\/td>\n<td><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">RESULT<\/span><\/td>\n<td><span style=\"font-weight: 400;\">\u53d7\u4fe1\u3057\u305f\u30bf\u30b9\u30af\u3092\u958b\u59cb\u3057\u3001\u7d50\u679c\u3092\u8fd4\u3059<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">LOGS<\/span><\/td>\n<td><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">ERROR<\/span><\/td>\n<td><span style=\"font-weight: 400;\">\u30a8\u30e9\u30fc \u30ed\u30b0\u3092\u53d6\u5f97\u3059\u308b<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p style=\"text-align: center;\"><span style=\"font-size: 8pt; color: #999999;\"><em>\u8868 3. 
\u540d\u524d\u4ed8\u304d\u30d1\u30a4\u30d7\u3092\u4f7f\u3046 Kazuar \u306e\u30ea\u30af\u30a8\u30b9\u30c8\u3068\u30ec\u30b9\u30dd\u30f3\u30b9<\/em><\/span><\/p>\n<h3><a id=\"post-130959-_n5fhzv26et0y\"><\/a>\u89e3\u6790\u5bfe\u7b56\u306e\u30c1\u30a7\u30c3\u30af<\/h3>\n<p>Kazuar \u306f\u4e00\u9023\u306e\u5165\u5ff5\u306a\u30c1\u30a7\u30c3\u30af\u306b\u57fa\u3065\u304f\u8907\u6570\u306e\u89e3\u6790\u5bfe\u7b56\u6280\u8853\u3092\u4f7f\u3044\u3001\u81ea\u8eab\u304c\u89e3\u6790\u5bfe\u8c61\u306b\u306a\u3063\u3066\u3044\u306a\u3044\u304b\u3069\u3046\u304b\u3092\u78ba\u8a8d\u3057\u3066\u3044\u307e\u3059\u3002\u3053\u306e\u4f5c\u8005\u3089\u306f\u76e3\u8996\u306e\u76ee\u304c\u306a\u3051\u308c\u3070\u7d9a\u884c\u3057\u3001\u30c7\u30d0\u30c3\u30b0\u3084\u89e3\u6790\u306e\u5bfe\u8c61\u3068\u306a\u3063\u3066\u3044\u308b\u5834\u5408\u306f\u30a2\u30a4\u30c9\u30eb\u72b6\u614b\u306e\u307e\u307e\u3001\u5168 C2 \u901a\u4fe1\u3092\u505c\u6b62\u3059\u308b\u3088\u3046\u306b Kazaur \u3092\u30d7\u30ed\u30b0\u30e9\u30e0\u3057\u3066\u3044\u307e\u3059\u3002\u3053\u308c\u3089\u306e\u30c1\u30a7\u30c3\u30af\u306f\u30013 \u3064\u306e\u4e3b\u8981\u30ab\u30c6\u30b4\u30ea\u30fc\u3001\u30cf\u30cb\u30fc\u30dd\u30c3\u30c8\u3001\u5206\u6790\u30c4\u30fc\u30eb\u3001\u30b5\u30f3\u30c9\u30dc\u30c3\u30af\u30b9\u306b\u5206\u985e\u3067\u304d\u307e\u3059\u3002<\/p>\n<h4><a id=\"post-130959-_qys1xsp5z777\"><\/a>\u30c0\u30f3\u30d7\u5bfe\u7b56<\/h4>\n<p>Kazuar \u306f\u30b9\u30bf\u30f3\u30c9\u30a2\u30ed\u30f3 
\u30d7\u30ed\u30bb\u30b9\u3068\u3057\u3066\u306e\u5b9f\u884c\u3092\u60f3\u5b9a\u305b\u305a\u3001\u5225\u306e\u30d7\u30ed\u30bb\u30b9\u5185\u306b\u30a4\u30f3\u30b8\u30a7\u30af\u30c8\u3055\u308c\u3066\u52d5\u4f5c\u3059\u308b\u3088\u3046\u306b\u3067\u304d\u3066\u3044\u307e\u3059\u3002\u3057\u305f\u304c\u3063\u3066\u3001\u30a4\u30f3\u30b8\u30a7\u30af\u30c8\u5bfe\u8c61\u306e\u30d7\u30ed\u30bb\u30b9\u306e\u30e1\u30e2\u30ea\u30fc\u304b\u3089\u306f\u30b3\u30fc\u30c9\u3092\u30c0\u30f3\u30d7\u3067\u304d\u308b\u3053\u3068\u306b\u306a\u308a\u307e\u3059\u3002\u3053\u308c\u3092\u9632\u3050\u305f\u3081\u3001Kazuar \u306f .NET \u306e\u5f37\u529b\u306a\u6a5f\u80fd\u3067\u3042\u308b <span style=\"font-family: 'courier new', courier, monospace;\"><a href=\"https:\/\/learn.microsoft.com\/ja-jp\/dotnet\/api\/system.reflection?view=net-7.0\" target=\"_blank\" rel=\"noopener\">System.Reflection \u540d\u524d\u7a7a\u9593<\/a><\/span> \u3092\u4f7f\u3063\u3066\u3044\u307e\u3059\u3002\u3053\u308c\u306b\u3088\u308a\u3001Kazuar \u306f\u30a2\u30bb\u30f3\u30d6\u30ea\u30fc\u3084\u30e1\u30bd\u30c3\u30c9\u306a\u3069\u306b\u95a2\u3059\u308b\u30ea\u30a2\u30eb\u30bf\u30a4\u30e0\u306e\u30e1\u30bf\u30c7\u30fc\u30bf\u3092\u53ce\u96c6\u3067\u304d\u308b\u3088\u3046\u306b\u306a\u308a\u307e\u3059\u3002<\/p>\n<p>Kazuar \u306f <span style=\"font-family: 'courier new', courier, monospace;\">antidump_methods<\/span> \u306e\u8a2d\u5b9a\u304c true \u306b\u8a2d\u5b9a\u3055\u308c\u3066\u3044\u308b\u304b\u3069\u3046\u304b\u3092\u30c1\u30a7\u30c3\u30af\u3057\u305f\u5f8c\u3001\u30b8\u30a7\u30cd\u30ea\u30c3\u30af\u306a .NET \u30e1\u30bd\u30c3\u30c9\u3092\u7121\u8996\u3057\u3066\u30ab\u30b9\u30bf\u30e0 \u30e1\u30bd\u30c3\u30c9\u3078\u306e\u30dd\u30a4\u30f3\u30bf\u30fc\u3092\u30aa\u30fc\u30d0\u30fc\u30e9\u30a4\u30c9\u3059\u308b\u3053\u3068\u3067\u3001(Kazuar \u304c\u6b8b\u3059\u30ed\u30b0 \u30e1\u30c3\u30bb\u30fc\u30b8\u306e\u901a\u308a) 
\u3053\u308c\u3089\u306e\u30e1\u30bd\u30c3\u30c9\u3092\u4e8b\u5b9f\u4e0a\u30e1\u30e2\u30ea\u30fc\u304b\u3089\u6d88\u3057\u3066\u3057\u307e\u3044\u307e\u3059\u3002\u3053\u308c\u304c\u6700\u7d42\u7684\u306b\u30ea\u30b5\u30fc\u30c1\u30e3\u30fc\u306b\u3088\u308b\u5b8c\u5168\u7248\u30de\u30eb\u30a6\u30a7\u30a2\u306e\u30c0\u30f3\u30d7\u3092\u9632\u304e\u307e\u3059\u3002<\/p>\n<h4><a id=\"post-130959-_2r996mldhi3f\"><\/a>\u30cf\u30cb\u30fc\u30dd\u30c3\u30c8\u306e\u30c1\u30a7\u30c3\u30af<\/h4>\n<p>Kazuar \u304c\u307e\u3063\u3055\u304d\u306b\u3059\u308b\u3053\u3068\u306e 1 \u3064\u304c\u3001\u30de\u30b7\u30f3\u4e0a\u3067 Kaspersky \u30cf\u30cb\u30fc\u30dd\u30c3\u30c8\u306e\u30a2\u30fc\u30c6\u30a3\u30d5\u30a1\u30af\u30c8\u306e\u5b58\u5728\u3092\u63a2\u3059\u3053\u3068\u3067\u3059\u3002\u3053\u308c\u3092\u884c\u3046\u3055\u3044\u306f\u3001\u30cf\u30fc\u30c9\u30b3\u30fc\u30c9\u3055\u308c\u305f\u7279\u5b9a\u30d7\u30ed\u30bb\u30b9\u540d\u3068\u30d5\u30a1\u30a4\u30eb\u540d\u306e\u30ea\u30b9\u30c8\u304c\u4f7f\u308f\u308c\u307e\u3059\u3002<\/p>\n<p>Kazuar \u304c\u3053\u308c\u3089\u306e\u30d5\u30a1\u30a4\u30eb\u3084\u30d7\u30ed\u30bb\u30b9\u3092 5 \u3064\u4ee5\u4e0a\u898b\u3064\u3051\u305f\u5834\u5408\u3001Kaspersky \u30cf\u30cb\u30fc\u30dd\u30c3\u30c8\u3092\u898b\u3064\u3051\u305f\u3068\u30ed\u30b0\u306b\u8a18\u9332\u3057\u307e\u3059\u3002\u56f3 18 \u306f\u3053\u308c\u3089\u306e\u30d5\u30a1\u30a4\u30eb\u540d\u3092\u793a\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<figure id=\"attachment_130927\" aria-describedby=\"caption-attachment-130927\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-130927 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/10\/word-image-130890-18.png\" alt=\"\u753b\u50cf 18 \u306f\u3001\u4f55\u884c\u3082\u3042\u308b\u30b3\u30fc\u30c9\u306e\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3067\u3059\u3002\u3053\u308c\u3089\u306e\u8f9e\u66f8\u9805\u76ee\u3092\u4f7f\u3063\u3066\u3001Kazuar 
\u306f\u30d5\u30a1\u30a4\u30eb\u540d\u3092\u30c1\u30a7\u30c3\u30af\u3057\u3001Kaspersky \u30cf\u30cb\u30fc\u30dd\u30c3\u30c8\u3092\u898b\u3064\u3051\u307e\u3059\u3002 \" width=\"900\" height=\"315\" \/><figcaption id=\"caption-attachment-130927\" class=\"wp-caption-text\">\u56f3 18. Kaspersky \u30cf\u30cb\u30fc\u30dd\u30c3\u30c8\u3092\u898b\u3064\u3051\u308b\u305f\u3081\u306b Kazuar \u304c\u30c1\u30a7\u30c3\u30af\u3059\u308b\u30d5\u30a1\u30a4\u30eb\u540d<\/figcaption><\/figure>\n<h4><a id=\"post-130959-_e3h45z8s83dd\"><\/a>\u89e3\u6790\u30c4\u30fc\u30eb\u306e\u30c1\u30a7\u30c3\u30af<\/h4>\n<p>Kazuar \u306f\u3088\u304f\u4f7f\u308f\u308c\u308b\u3055\u307e\u3056\u307e\u306a\u89e3\u6790\u30c4\u30fc\u30eb\u540d\u3092\u30cf\u30fc\u30c9\u30b3\u30fc\u30c9\u3057\u305f\u30ea\u30b9\u30c8\u3092\u6301\u3063\u3066\u3044\u307e\u3059\u3002<\/p>\n<ul>\n<li>Process Monitor<\/li>\n<li>X32dbg<\/li>\n<li>DnSpy<\/li>\n<li>Wireshark<\/li>\n<\/ul>\n<p>Kazuar \u306f\u5b9f\u884c\u4e2d\u306e\u30d7\u30ed\u30bb\u30b9 \u30ea\u30b9\u30c8\u3092\u8abf\u3079\u3001\u3053\u308c\u3089\u306e\u30c4\u30fc\u30eb\u306e\u3044\u305a\u308c\u304b\u304c\u5b9f\u884c\u3055\u308c\u3066\u3044\u308b\u5834\u5408\u3001\u89e3\u6790\u30c4\u30fc\u30eb\u3092\u898b\u3064\u3051\u305f\u3068\u30ed\u30b0\u306b\u8a18\u9332\u3057\u307e\u3059 (<a href=\"https:\/\/github.com\/PaloAltoNetworks\/Unti42-Threat-Intelligence-Article-Information\/blob\/main\/Appendix-for-article-on-Pensive-Ursa-using-Kazuar.md\" target=\"_blank\" rel=\"noopener\">\u4ed8\u9332<\/a>\u53c2\u7167)\u3002<\/p>\n<h4><a id=\"post-130959-_5z6abuzxkpi\"><\/a>\u30b5\u30f3\u30c9\u30dc\u30c3\u30af\u30b9\u306e\u30c1\u30a7\u30c3\u30af<\/h4>\n<p>Kazuar \u306f\u65e2\u77e5\u306e\u30b5\u30f3\u30c9\u30dc\u30c3\u30af\u30b9 
\u30e9\u30a4\u30d6\u30e9\u30ea\u30fc\u540d\u3092\u30cf\u30fc\u30c9\u30b3\u30fc\u30c9\u3057\u305f\u30ea\u30b9\u30c8\u3092\u6301\u3063\u3066\u3044\u307e\u3059\u3002\u3053\u308c\u306b\u3088\u308a\u3001\u3055\u307e\u3056\u307e\u306a\u30b5\u30f3\u30c9\u30dc\u30c3\u30af\u30b9 \u30b5\u30fc\u30d3\u30b9\u306b\u5c5e\u3059\u308b\u7279\u5b9a DLL \u306e\u5b58\u5728\u3092\u30c1\u30a7\u30c3\u30af\u3057\u3066\u3044\u307e\u3059\u3002\u3053\u308c\u3089\u306e\u30d5\u30a1\u30a4\u30eb\u304c\u898b\u3064\u304b\u3063\u305f\u5834\u5408\u3001Kazuar \u306f\u81ea\u8eab\u304c\u30e9\u30dc\u3067\u5b9f\u884c\u3055\u308c\u3066\u3044\u308b\u3082\u306e\u3068\u5224\u65ad\u3057\u307e\u3059 (<a href=\"https:\/\/github.com\/PaloAltoNetworks\/Unti42-Threat-Intelligence-Article-Information\/blob\/main\/Appendix-for-article-on-Pensive-Ursa-using-Kazuar.md\" target=\"_blank\" rel=\"noopener\">\u4ed8\u9332<\/a>\u53c2\u7167)\u3002<\/p>\n<h4><a id=\"post-130959-_yjmpv7sn3ld\"><\/a>\u30a4\u30d9\u30f3\u30c8 \u30ed\u30b0 \u30e2\u30cb\u30bf\u30fc<\/h4>\n<p>Kazuar \u306f Windows \u306e\u30a4\u30d9\u30f3\u30c8 \u30ed\u30b0\u304b\u3089\u30a4\u30d9\u30f3\u30c8\u3092\u53ce\u96c6\u3057\u3066\u30d1\u30fc\u30b9\u3057\u307e\u3059\u3002\u56f3 19 \u306f\u3001Kazuar \u304c\u6b21\u306e\u30a6\u30a4\u30eb\u30b9\u5bfe\u7b56\/\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3 \u30d9\u30f3\u30c0\u30fc\u304b\u3089\u306e\u30a4\u30d9\u30f3\u30c8\u3092\u3068\u304f\u306b\u691c\u7d22\u3057\u3066\u3044\u308b\u3053\u3068\u3092\u793a\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<ul>\n<li>Kaspersky Endpoint Security<\/li>\n<li>Symantec Endpoint Protection Client<\/li>\n<li>Microsoft Windows Defender<\/li>\n<li>Doctor Web<\/li>\n<\/ul>\n<p>Kaspersky \u306e\u30cf\u30cb\u30fc\u30dd\u30c3\u30c8 
\u30c1\u30a7\u30c3\u30af\u306e\u3068\u304d\u3068\u540c\u3058\u3067\u3001\u3053\u308c\u3089\u306e\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u88fd\u54c1\u304c\u88ab\u5bb3\u7d44\u7e54\u306b\u4eba\u6c17\u304c\u3042\u308b\u3001\u3068\u3044\u3046\u3053\u3068\u3067\u8aac\u660e\u304c\u3064\u304d\u305d\u3046\u3067\u3059\u3002<\/p>\n<figure id=\"attachment_130929\" aria-describedby=\"caption-attachment-130929\" style=\"width: 560px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-130929 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/10\/word-image-130890-19.png\" alt=\"\u753b\u50cf 19 \u306f\u3001\u591a\u6570\u306e\u30b3\u30fc\u30c9\u884c\u306e\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3067\u3059\u3002\u3053\u308c\u3089\u306e\u8f9e\u66f8\u9805\u76ee\u3092\u4f7f\u3063\u3066\u3001Kazuar \u306f\u3001Kaspersky\u3001Symantec\u3001Defender \u306a\u3069\u306e\u7279\u5b9a\u306e\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u88fd\u54c1\u304b\u3089\u30a4\u30d9\u30f3\u30c8 \u30ed\u30b0\u3092\u53ce\u96c6\u3057\u307e\u3059\u3002\" width=\"560\" height=\"130\" \/><figcaption id=\"caption-attachment-130929\" class=\"wp-caption-text\">\u56f3 19. 
Kazuar \u304c\u7279\u5b9a\u306e\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u88fd\u54c1\u304b\u3089\u53ce\u96c6\u3059\u308b\u30a4\u30d9\u30f3\u30c8 \u30ed\u30b0<\/figcaption><\/figure>\n<h2><a id=\"post-130959-_eh7vjhg9duw5\"><\/a>Kazuar \u3068 Pensive Ursa \u3068\u306e\u3064\u306a\u304c\u308a\u306e\u5f37\u5316<\/h2>\n<p><a href=\"#post-130959-_v56xgfp87lmn\">\u524d\u8a18\u306e\u901a\u308a<\/a>\u3001C2 \u3078\u6700\u521d\u306e HTTP POST \u30ea\u30af\u30a8\u30b9\u30c8\u3092\u4f5c\u6210\u3059\u308b\u3055\u3044\u3001Kazuar \u306f\u305d\u306e\u30de\u30b7\u30f3\u306e GUID \u304b\u30cf\u30fc\u30c9\u30b3\u30fc\u30c9\u3055\u308c\u305f GUID \u306e <span style=\"font-family: 'courier new', courier, monospace;\">169739e7-2112-9514-6a61-d300c0fef02d<\/span> \u3092\u30af\u30c3\u30ad\u30fc\u3068\u3057\u3066\u4f7f\u3044\u3001\u305d\u306e\u30af\u30c3\u30ad\u30fc\u3092\u6587\u5b57\u5217\u306b\u578b\u30ad\u30e3\u30b9\u30c8\u3057\u3066 Base64 \u3067\u30a8\u30f3\u30b3\u30fc\u30c9\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<p>\u5f8c\u8005\u306e\u5024\u3092\u6587\u5b57\u5217\u306e\u5f62\u5f0f (<span style=\"font-family: 'courier new', courier, monospace;\">169739e7211295146a61d300c0fef02d<\/span>) \u3067\u691c\u7d22\u3059\u308b\u3068\u3001<a href=\"https:\/\/www.govcert.ch\/downloads\/whitepapers\/Report_Ruag-Espionage-Case.pdf\" target=\"_blank\" rel=\"noopener\">\u30b9\u30a4\u30b9 CERT \u306b\u3088\u308b\u30ec\u30dd\u30fc\u30c8 [PDF]<\/a> \u304c\u30d2\u30c3\u30c8\u3057\u307e\u3059\u3002\u3053\u306e\u30ec\u30dd\u30fc\u30c8\u306f\u3001Pensive Ursa \u306b\u3088\u3063\u3066\u5b9f\u884c\u3055\u308c\u305f <a href=\"https:\/\/www.ruag.com\/en\" target=\"_blank\" rel=\"noopener\">RUAG<\/a> \u306b\u5bfe\u3059\u308b\u653b\u6483\u3092\u5206\u6790\u3057\u305f\u3082\u306e\u3067\u3059\u3002RUAG Holding \u306f\u3001\u822a\u7a7a\u5b87\u5b99\u30fb\u9632\u885b\u30bb\u30af\u30bf\u30fc\u306e\u30b9\u30a4\u30b9\u4f01\u696d\u3067\u3059\u3002<\/p>\n<p>\u304f\u308f\u3048\u3066\u30cf\u30a4\u30d6\u30ea\u30c3\u30c9 AES + 
RSA \u6697\u53f7\u5316\u30b9\u30ad\u30fc\u30e0\u3084\u3001\u305d\u306e\u307b\u304b\u306e\u6a5f\u80fd\u9762\u3067\u306e\u660e\u3089\u304b\u306a\u985e\u4f3c\u70b9\u3092\u542b\u3081\u3001Kazuar \u306e <span style=\"font-family: 'courier new', courier, monospace;\">tasks<\/span> \u3084 <span style=\"font-family: 'courier new', courier, monospace;\">results<\/span> \u3068\u3044\u3063\u305f\u30a2\u30fc\u30ad\u30c6\u30af\u30c1\u30e3\u306f\u3001\u307e\u3055\u306b Carbon \u306e\u624b\u53e3\u306e\u30a4\u30e1\u30fc\u30b8\u305d\u306e\u3082\u306e\u3067\u3059\u3002\u3053\u308c\u306f\u3053\u306e\u30b9\u30a4\u30b9 CERT \u306e\u30ec\u30dd\u30fc\u30c8\u3067\u3082\u5225\u306e <a href=\"https:\/\/www.welivesecurity.com\/2017\/03\/30\/carbon-paper-peering-turlas-second-stage-backdoor\/\" target=\"_blank\" rel=\"noopener\">ESET \u306b\u3088\u308b\u30ec\u30dd\u30fc\u30c8<\/a>\u3067\u3082\u8a00\u53ca\u3055\u308c\u3066\u3044\u307e\u3059\u3002Carbon \u3082\u306f\u3084\u308a\u7b2c 2 \u6bb5\u968e\u306e\u30d0\u30c3\u30af\u30c9\u30a2\u3067\u3001\u3053\u308c\u307e\u3067 Pensive Ursa \u306b\u3088\u308b\u3082\u306e\u3067\u3042\u308b\u3068\u4f55\u5ea6\u3082\u6307\u6458\u3055\u308c\u3066\u3044\u307e\u3059\u3002\u305d\u306e\u30b3\u30fc\u30c9\u304c Snake \u304b\u3089\u306e\u30d5\u30a9\u30fc\u30af\u3067\u3042\u308b\u3053\u3068\u306f CISA \u3082\u8a00\u53ca\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<p>\u3053\u308c\u3089\u306e\u8abf\u67fb\u7d50\u679c\u306f\u3001\u8907\u6570\u306e CERT \u306b\u3088\u308b\u5831\u544a\u3068\u3068\u3082\u306b\u3001Kazuar \u306f Carbon \u306e\u5f8c\u7d99\u3067\u306f\u306a\u3044\u304b\u3068\u3044\u3046<a href=\"https:\/\/unit42.paloaltonetworks.jp\/unit42-kazuar-multiplatform-espionage-backdoor-api-access\/\" target=\"_blank\" rel=\"noopener\">\u4ee5\u524d\u306e Unit 42 
\u306e\u63a8\u6e2c<\/a>\u3092\u3055\u3089\u306b\u88cf\u4ed8\u3051\u308b\u3082\u306e\u3068\u306a\u3063\u3066\u3044\u307e\u3059\u3002\u6700\u3082\u91cd\u8981\u306a\u306e\u306f\u3053\u308c\u3089\u306e\u767a\u898b\u304c Kazuar \u306e Pensive Ursa \u3078\u306e\u5e30\u5c5e\u3092\u5f37\u5316\u3059\u308b\u3082\u306e\u3060\u3068\u3044\u3046\u3053\u3068\u3067\u3059\u3002<\/p>\n<h2><a id=\"post-130959-_himobtxuwvt1\"><\/a>\u7d50\u8ad6<\/h2>\n<p>\u79c1\u305f\u3061\u306f\u91ce\u751f\u3067\u691c\u51fa\u3055\u308c\u305f\u6700\u65b0\u306e Kazuar \u30de\u30eb\u30a6\u30a7\u30a2\u4e9c\u7a2e\u3092\u8abf\u67fb\u3057\u307e\u3057\u305f\u3002\u6ce8\u76ee\u3059\u3079\u304d\u6a5f\u80fd\u306f\u6b21\u306e\u3068\u304a\u308a\u3067\u3059\u3002<\/p>\n<ul>\n<li>\u5805\u7262\u306a\u30b3\u30fc\u30c9\u3068\u6587\u5b57\u5217\u96e3\u8aad\u5316\u6280\u8853<\/li>\n<li>\u30d1\u30d5\u30a9\u30fc\u30de\u30f3\u30b9\u5411\u4e0a\u306e\u305f\u3081\u306e\u30de\u30eb\u30c1\u30b9\u30ec\u30c3\u30c9 \u30e2\u30c7\u30eb<\/li>\n<li>\u30e1\u30e2\u30ea\u30fc\u5185\u3001\u9001\u4fe1\u4e2d\u3001\u30c7\u30a3\u30b9\u30af\u4e0a\u3092\u554f\u308f\u305a\u3001Kazuar \u30b3\u30fc\u30c9\u3092\u89e3\u6790\u304b\u3089\u4fdd\u8b77\u3057\u3001\u305d\u306e\u30c7\u30fc\u30bf\u3092\u96a0\u3059\u305f\u3081\u306b\u5b9f\u88c5\u3055\u308c\u305f\u4e00\u9023\u306e\u6697\u53f7\u5316\u30b9\u30ad\u30fc\u30e0<\/li>\n<\/ul>\n<p>\u524d\u8ff0\u306e\u6a5f\u80fd\u306f\u3059\u3079\u3066\u3001Kazuar \u30d0\u30c3\u30af\u30c9\u30a2\u306b\u9ad8\u30ec\u30d9\u30eb\u306e\u30b9\u30c6\u30eb\u30b9\u6027\u3092\u63d0\u4f9b\u3059\u308b\u3088\u3046\u306b\u8a2d\u8a08\u3055\u308c\u3066\u3044\u307e\u3059\u3002\u3053\u306e\u30de\u30eb\u30a6\u30a7\u30a2\u306e\u305d\u306e\u307b\u304b\u306e\u6ce8\u76ee\u3059\u3079\u304d\u7279\u5fb4\u306f\u6b21\u306e\u3068\u304a\u308a\u3067\u3059\u3002<\/p>\n<ul>\n<li>\u89e3\u6790\u5bfe\u7b56\u6a5f\u80fd<\/li>\n<li>\u5e83\u7bc4\u306a\u30b7\u30b9\u30c6\u30e0 
profiling capabilities<\/li>\n<li>Targeting focused on cloud applications<\/li>\n<\/ul>\n
<p>This version of Kazuar also supports a set of more than 40 distinct commands, half of which had not been documented before.<\/p>\n
<p>We encourage security practitioners and defenders to read this article and use the information in it to strengthen their current detection, prevention and hunting practices, and the overall security posture of their organizations.<\/p>\n
<h2><a id=\"post-130959-_5s92x4i8372x\"><\/a>Cortex XDR Detection and Prevention<\/h2>\n
<p>Figure 20 shows how Cortex XDR detects Kazuar and blocks its execution. As detailed in the <a href=\"#post-130959-_epngo2omwiwz\">Technical Analysis<\/a> section, Kazuar by default injects its code into <span style=\"font-family: 'courier new', courier, monospace;\">explorer.exe<\/span>. When configured to run in detection mode, Cortex XDR detects the malicious activity originating from the injected <span style=\"font-family: 'courier new', courier, monospace;\">explorer.exe<\/span> (Figure 20).<\/p>\n
<figure id=\"attachment_130931\" aria-describedby=\"caption-attachment-130931\" style=\"width: 437px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-130931 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/10\/word-image-130890-20.png\" alt=\"Image 20 is a screenshot of Cortex XDR detecting malicious activity from explorer.exe. The severity is rated High and the description reads: Suspicious execution of native code.\" width=\"437\" height=\"175\" \/><figcaption id=\"caption-attachment-130931\" class=\"wp-caption-text\">Figure 20. Kazuar detected by Cortex XDR in detection mode<\/figcaption><\/figure>\n
<p>Both the native code that Kazuar executes for process injection and WMI execution, and the suspicious activity performed by <span style=\"font-family: 'courier new', courier, monospace;\">explorer.exe<\/span> that a legitimate explorer.exe would not normally perform, trigger multiple alerts. Figure 21 shows the details of these alerts, including the one shown in Figure 20.<\/p>\n
<figure id=\"attachment_130933\" aria-describedby=\"caption-attachment-130933\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-130933 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/10\/word-image-130890-21.png\" alt=\"Image 21 is a screenshot of the Cortex XDR alerts table. Three alerts are listed, together with their descriptions. Some information is redacted.\" width=\"900\" height=\"165\" \/><figcaption id=\"caption-attachment-130933\" class=\"wp-caption-text\">Figure 21. Execution alerts for Kazuar as displayed by Cortex XDR in detection mode<\/figcaption><\/figure>\n
<p>Figure 22 shows the details of the <a href=\"#post-130959-_kftpeznwvieo\">directories and files<\/a> that Kazuar created to store its configuration and logs.<\/p>\n
<figure id=\"attachment_130935\" aria-describedby=\"caption-attachment-130935\" style=\"width: 836px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-130935 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/10\/word-image-130890-22.png\" alt=\"Image 22 is a screenshot of the Cortex XDR alerts table. Six alerts are listed: five are File Write events and the sixth is a Create Directory event. File paths are also listed, and some information in each row is redacted.\" width=\"836\" height=\"286\" \/><figcaption id=\"caption-attachment-130935\" class=\"wp-caption-text\">Figure 22. File write and directory creation alerts for Kazuar as displayed by Cortex XDR in detection mode<\/figcaption><\/figure>\n
<p>Finally, Figure 23 shows Cortex XDR in prevention mode blocking the Kazuar executable and raising the corresponding alert pop-up.<\/p>\n
<figure id=\"attachment_130937\" aria-describedby=\"caption-attachment-130937\" style=\"width: 531px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-130937 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/10\/word-image-130890-23.png\" alt=\"Image 23 is the Cortex XDR alert window. Cortex XDR has blocked a malicious activity! Application name: Senatorial.exe. Application publisher: Unknown. Prevention description: Suspicious executable detected.\" width=\"531\" height=\"286\" \/><figcaption id=\"caption-attachment-130937\" class=\"wp-caption-text\">Figure 23. Execution prevention alert for Kazuar as displayed by Cortex XDR in prevention mode<\/figcaption><\/figure>\n
<h2><a id=\"post-130959-_ka1fluf0dtdv\"><\/a>Protections and Mitigations<\/h2>\n
<p>The Cortex XDR platform detects and prevents the execution flow shown in the screenshots in the previous section.<\/p>\n
<p>In addition to the conventional detections, the proprietary <a href=\"https:\/\/www.paloaltonetworks.com\/blog\/security-operations\/beating-alert-fatigue-with-cortex-xdr-smartscore-technology\/\" target=\"_blank\" rel=\"noopener\">SmartScore<\/a> engine translates security investigation methods and their associated data into a hybrid risk scoring system driven by machine learning. Figure 24 shows that the Kazuar variant and the associated incident described in this article scored 97 out of 100 in SmartScore.<\/p>\n
<figure id=\"attachment_130939\" aria-describedby=\"caption-attachment-130939\" style=\"width: 537px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-130939 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/10\/word-image-130890-24.png\" alt=\"Image 24 is a screenshot of the SmartScore for Kazuar. The score is 97. A list of reasons for the score and a list of insights are shown.\" width=\"537\" height=\"463\" \/><figcaption id=\"caption-attachment-130939\" class=\"wp-caption-text\">Figure 24. The score SmartScore assigned to Kazuar<\/figcaption><\/figure>\n
<p>For Palo Alto Networks customers, our products and services provide the following coverage associated with this group.<\/p>\n
<p><a href=\"https:\/\/www.paloaltonetworks.jp\/cortex\/cortex-xdr\" target=\"_blank\" rel=\"noopener\">Cortex XDR<\/a> and <a href=\"https:\/\/www.paloaltonetworks.jp\/cortex\/cortex-xsiam\" target=\"_blank\" rel=\"noopener\">XSIAM<\/a> detect user and credential-based threats by analyzing user activity from multiple data sources, including:<\/p>\n
<ul>\n<li>Endpoints<\/li>\n<li>Network firewalls<\/li>\n<li>Active Directory<\/li>\n<li>Identity and access management (IAM) solutions<\/li>\n<li>Cloud workloads<\/li>\n<\/ul>\n
<p>Cortex XDR and XSIAM use machine learning to build behavioral profiles of user activity over time. By comparing new activity against past activity, peer activity and the expected behavior of the entity, Cortex XDR and XSIAM detect anomalous activity indicative of credential-based attacks.<\/p>\n
<p>Cortex XDR also offers the following protections related to the attacks discussed in this article:<\/p>\n
<ul>\n<li>Prevents the execution of known malicious malware, and also prevents the execution of unknown malware using <a href=\"https:\/\/www.paloaltonetworks.jp\/network-security\/advanced-threat-prevention\" target=\"_blank\" rel=\"noopener\">Behavioral Threat Protection<\/a> and machine learning based on the Local Analysis module.<\/li>\n<li>Protects against credential gathering tools and techniques using the new Credential Gathering Protection available from Cortex XDR 3.4.<\/li>\n<li>Protects against exploitation of various vulnerabilities, including ProxyShell and ProxyLogon, using the Anti-Exploitation modules as well as Behavioral Threat Protection.<\/li>\n<li>Cortex XDR Pro and XSIAM detect <a href=\"https:\/\/docs.paloaltonetworks.com\/cortex\/cortex-xdr\/cortex-xdr-analytics-alert-reference\/cortex-xdr-analytics-alert-reference\/analytics-alerts-by-required-data-source\" target=\"_blank\" rel=\"noopener\">post-exploitation activity<\/a>, including credential-based attacks, through behavioral analytics.<\/li>\n<li><a href=\"https:\/\/docs.paloaltonetworks.com\/ngfw\" target=\"_blank\" rel=\"noopener\">Next-Generation Firewalls (NGFW)<\/a> with the <a href=\"https:\/\/docs.paloaltonetworks.com\/advanced-threat-prevention\/administration\" target=\"_blank\" rel=\"noopener\">Advanced Threat Prevention<\/a> security subscription help block the malware's C2 traffic with Threat Prevention signature <a href=\"https:\/\/threatvault.paloaltonetworks.com\/?query=86805\" target=\"_blank\" rel=\"noopener\">86805<\/a>.<\/li>\n<li><a href=\"https:\/\/www.paloaltonetworks.jp\/resources\/datasheets\/advanced-wildfire\" target=\"_blank\" rel=\"noopener\">Advanced WildFire<\/a> has reviewed and updated its machine learning models and analysis techniques in light of the discovery of this new Kazuar variant. Multiple products in the Palo Alto Networks portfolio use Advanced WildFire to provide coverage for Kazuar variants and other threats.<\/li>\n<\/ul>\n
<p>If you are concerned about a compromise and would like to consult us about incident response, contact us through <a href=\"https:\/\/start.paloaltonetworks.jp\/contact-unit42.html\" target=\"_blank\" rel=\"noopener\">this form<\/a>, by email at infojapan@paloaltonetworks.com, or by calling one of the numbers below (you do not need to be a Palo Alto Networks customer).<\/p>\n
<ul>\n<li>North America toll-free: 866.486.4842 (866.4.UNIT42)<\/li>\n<li>EMEA: +31.20.299.3130<\/li>\n<li>APAC: +65.6983.8730<\/li>\n<li>Japan: (+81) 50-1790-0200<\/li>\n<\/ul>\n
<p>Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the <a href=\"https:\/\/www.cyberthreatalliance.org\" target=\"_blank\" rel=\"noopener\">Cyber Threat Alliance<\/a>.<\/p>\n
<h2><a id=\"post-130959-_ydqdbjg0dngh\"><\/a>Indicators of Compromise<\/h2>\n
<p><strong>Kazuar SHA256<\/strong><\/p>\n<ul>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">91dc8593ee573f3a07e9356e65e06aed58d8e74258313e3414a7de278b3b5233<\/span><\/li>\n<\/ul>\n
<p><strong>Command and Control (C2) Servers<\/strong><\/p>\n<ul>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">hxxps:\/\/www.pierreagencement[.]fr\/wp-content\/languages\/index.php<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">hxxps:\/\/sansaispa[.]com\/wp-includes\/images\/gallery\/<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">hxxps:\/\/octoberoctopus.co[.]za\/wp-includes\/sitemaps\/web\/<\/span><\/li>\n<\/ul>\n
<p><strong>RSA Keys<\/strong><\/p>\n<ul>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">&lt;RSAKeyValue&gt;&lt;Modulus&gt;7ondEZo8ZjYh+FP4h3PgJBU\/yTlO+g8ZbCF0wx8eocnqxLS4YWI9hG3SI2hlEBz6J4vvxPCrs\/jazekolaZLQnbyOCyH53I+We+x32d2lUlXrtZA\/0oJa39tW2t2NsUG\/xPqsY3rBCuhi28hl30XH8Arn2\/u9Jxl1G9dNxFDdVxk9ePjlHecdAtWCa9vmC4HY0Wlqyhd0+hJfvKCoKLsHuCyl4b\/c343VVVTFubYNSFJMQnpIKsYQDRKtRszQuS1Ls+obyOr+0cbAmnKb8twTsq862pA6MzxRr16\/4\/1nyrNKuDS+OvPfv3tgvssybtGwN8D8Qac7O1FM722Nft16iis9WaoFuXCwP\/LCkaetQMjEKN07H6ESHMnUc+JDvINIspAAKK8fRwtTcWKrG2bh\/Dwtneq\/9L1Pv2cKtpQAUlxVfQX5I\/mtATEHIMcPOvNWRUqmSssDHEJiZDFKS45SjoG4qXs536xwbZ4k6lmHUUOVzkmCc71HooxRdSYx1M7Vqvou1Mi39O6vJouL2aTO6ymbGdnerKavDsgBSa2HKRbP2Nym6Ud4WAhiaqnPCWGnJz7l+4Hs++OcG2p+Ct1oXRecLK6Zy\/n9moTZeijLdqJwUh90Bht8V8STz\/vNtrhz++Do6DsDssENkOHXeUeRCqCmDdS3sqkxQnGAG3tGvc=&lt;\/Modulus&gt;&lt;Exponent&gt;AQAB&lt;\/Exponent&gt;&lt;\/RSAKeyValue&gt;<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">&lt;RSAKeyValue&gt;&lt;Modulus&gt;pyR0\/srVS0gOZbNdK3iK+GvekQVkBq8brOVCuN\/XcCz4WLJod9GhivDYrDtMXF6ZMGHKa2zAcQ+v2vltYW3X2BYCZ1sblEznfIk+oHs+lesblfHVyPPXDcTLLf5IUuGE\/dzeSpLhlWiFT\/4MyeMLzU8QexpRkBn0qJkk5xWU0D09DN0SaNzA8E4grU61aaul5iNRYMO+qLXmtIJhrjUrnHNu7ZnZ+AQtc19Dhne1hciH4aj00HRLXsofWGWsELEhZv92cnQ0Rf9n00EGB591zDR8gAt3T5sSTQvjMGWOBHusfGV4ytmchmQWZ8QY7Fp4EPgn8vM48OR2z13qo4YSediAt9Af+YKGoPu2PU3szx08UwBZRz4cyYZB3zcFB8NxCx7Gki2rS5bYx1Z1cG\/kU+Ri2gXYoCHgOz8umr+PDB+21V1pnmStxzWAdR7mK0e663LMxxAcZWjEArbt\/BcIiZAkFsyoq+NJbuKTR2RYAW+4DXbxFQeGKnFBgle3u9ktcYXWqgJ8\/rvs920rGf9k3br3I+2MtzrWglhRi\/WkAmTrEIL4i1id0M0askl0YBHlzU9+Bgv2y\/VsLH2UKQlp+owxGm1jequxwGpZfwxmWAMATe8L2qctVdXEOfT7Ue67AsVjkP\/VmhbhGDO8zt38trylUhWnpUeYdkigg9Nxs1k=&lt;\/Modulus&gt;&lt;Exponent&gt;AQAB&lt;\/Exponent&gt;&lt;\/RSAKeyValue&gt;<\/span><\/li>\n<\/ul>\n
<h2><a id=\"post-130959-_hufuyy6ptzkd\"><\/a>Additional Resources<\/h2>\n
<ul>\n<li><a href=\"https:\/\/cert.gov.ua\/article\/5213167\" target=\"_blank\" rel=\"noopener\">Targeted Turla attacks (UAC-0024, UAC-0003) using CAPIBAR and KAZUAR malware<\/a> [English version] \u2013 CERT-UA (Ukraine)<\/li>\n<li><a href=\"https:\/\/unit42.paloaltonetworks.jp\/unit42-kazuar-multiplatform-espionage-backdoor-api-access\/\" target=\"_blank\" rel=\"noopener\">Kazuar: Multiplatform Espionage Backdoor with API Access<\/a> \u2013 Palo Alto Networks Unit 42<\/li>\n<li><a href=\"https:\/\/thehackernews.com\/2021\/01\/researchers-find-links-between-sunburst.html\" target=\"_blank\" rel=\"noopener\">Researchers Find Links Between Sunburst and Russian Kazuar Malware<\/a> \u2013 The Hacker News<\/li>\n<li><a href=\"https:\/\/e.cyberint.com\/hubfs\/CyberInt_Russian%20Backed%20Turla%20Resourfaces%20with%20a%20Sophisticated%20RAT_Report.pdf\" target=\"_blank\" rel=\"noopener\">Nation-state Turla resurfaces with a Sophisticated RAT<\/a> \u2013 Cyberint (PDF)<\/li>\n<li><a href=\"https:\/\/learn.microsoft.com\/ja-jp\/dotnet\/api\/system.guid?view=net-7.0\" target=\"_blank\" rel=\"noopener\">Guid Struct (System)<\/a> \u2013 Microsoft Learn<\/li>\n<li><a href=\"https:\/\/www.govcert.ch\/whitepapers\/apt-case-ruag-technical-report-govcert-ch\/\" target=\"_blank\" rel=\"noopener\">Technical Report about the Malware used in the Cyberespionage against RUAG<\/a> \u2013 Swiss GovCERT<\/li>\n<li><a href=\"https:\/\/securelist.com\/turla-renews-its-arsenal-with-topinambour\/91687\/\" target=\"_blank\" rel=\"noopener\">Turla renews its arsenal with Topinambour<\/a> \u2013 Securelist, Kaspersky<\/li>\n<li><a href=\"https:\/\/www.cisa.gov\/news-events\/cybersecurity-advisories\/aa23-129a\" target=\"_blank\" rel=\"noopener\">Hunting Russian Intelligence \u201cSnake\u201d Malware<\/a> \u2013 Cybersecurity Advisory, CISA<\/li>\n<li><a href=\"https:\/\/attack.mitre.org\/techniques\/T1070\/006\/\" target=\"_blank\" rel=\"noopener\">Indicator Removal: Timestomp, Sub-technique T1070.006 - Enterprise<\/a> \u2013 MITRE ATT&amp;CK<\/li>\n<li><a href=\"https:\/\/www.recordedfuture.com\/turla-apt-infrastructure\" target=\"_blank\" rel=\"noopener\">Swallowing the Snake\u2019s Tail: Tracking Turla Infrastructure<\/a> \u2013 Recorded Future<\/li>\n<li><a href=\"https:\/\/www.welivesecurity.com\/2017\/03\/30\/carbon-paper-peering-turlas-second-stage-backdoor\/\" target=\"_blank\" rel=\"noopener\">Carbon Paper: Peering into Turla\u2019s second stage backdoor<\/a> \u2013 WeLiveSecurity, ESET<\/li>\n<li><a href=\"https:\/\/attack.mitre.org\/software\/S0335\/\" target=\"_blank\" rel=\"noopener\">Carbon, Software S0335<\/a> \u2013 MITRE ATT&amp;CK<\/li>\n<li><a href=\"https:\/\/unit42.paloaltonetworks.jp\/turla-pensive-ursa-threat-assessment\/\" target=\"_blank\" rel=\"noopener\">Threat Group Assessment: Turla (aka Pensive Ursa)<\/a> \u2013 Palo Alto Networks Unit 42<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Executive Summary While tracking the evolution of Pensive Ursa (aka Turla, Uroburos), Unit 42 researchers discovered a newly upgraded variant of Kazuar. Kazuar is also a name for a large and dangerous<\/p>\n","protected":false},"author":86,"featured_media":130892,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1974,4433,4431,4428],"tags":[4499,4501,4881,4883,4885,4886],"product_categories":[4442,4444,4448,4450,4456,4465],"coauthors":[4017,4094],"class_list":["post-130959","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-ja","category-nation-state-cyberattacks-ja","category-threat-actor-groups-ja","category-threat-research-ja","tag-advanced-persistent-threat-ja","tag-backdoor-ja","tag-kazuar-ja","tag-pensive-ursa-ja","tag-turla-ja","tag-uroburos","product_categories-advanced-threat-prevention-ja","product_categories-advanced-wildfire-ja","product_categories-cortex-xdr-ja","product_categories-cortex-xsiam-ja","product_categories-next-generation-firewall-ja","product_categories-unit-42-incident-response-ja"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.0 (Yoast SEO v27.0) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Over the Kazuar\u2019s Nest: Cracking Down on a Freshly Hatched Backdoor Used by Pensive Ursa (Aka Turla)<\/title>\n<meta name=\"description\" content=\"We analyze Kazuar, a .NET backdoor operated by the threat group Pensive Ursa (Turla). The tool contains many previously undocumented capabilities and has extensive system profiling features and injection modes.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/unit42.paloaltonetworks.com\/ja\/pensive-ursa-uses-upgraded-kazuar-backdoor\/\" \/>\n<meta property=\"og:locale\" content=\"ja_JP\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Over the Kazuar\u2019s Nest: Cracking Down on a Freshly Hatched Backdoor Used by Pensive Ursa (Aka Turla)\" \/>\n<meta property=\"og:description\" content=\"We analyze Kazuar, a .NET backdoor operated by the threat group Pensive Ursa (Turla). The tool contains many previously undocumented capabilities and has extensive system profiling features and injection modes.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/unit42.paloaltonetworks.com\/ja\/pensive-ursa-uses-upgraded-kazuar-backdoor\/\" \/>\n<meta property=\"og:site_name\" content=\"Unit 42\" \/>\n<meta property=\"article:published_time\" content=\"2023-11-06T02:03:27+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-06-20T06:13:09+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/10\/PA-Pensive-Ursa-Centre.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1600\" \/>\n\t<meta property=\"og:image:height\" content=\"919\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Daniel Frank, Tom Fakterman\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Over the Kazuar\u2019s Nest: Cracking Down on a Freshly Hatched Backdoor Used by Pensive Ursa (Aka Turla)","description":"We analyze Kazuar, a .NET backdoor operated by the threat group Pensive Ursa (Turla). The tool contains many previously undocumented capabilities and has extensive system profiling features and injection modes.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/unit42.paloaltonetworks.com\/ja\/pensive-ursa-uses-upgraded-kazuar-backdoor\/","og_locale":"ja_JP","og_type":"article","og_title":"Over the Kazuar\u2019s Nest: Cracking Down on a Freshly Hatched Backdoor Used by Pensive Ursa (Aka Turla)","og_description":"We analyze Kazuar, a .NET backdoor operated by the threat group Pensive Ursa (Turla). The tool contains many previously undocumented capabilities and has extensive system profiling features and injection modes.","og_url":"https:\/\/unit42.paloaltonetworks.com\/ja\/pensive-ursa-uses-upgraded-kazuar-backdoor\/","og_site_name":"Unit 42","article_published_time":"2023-11-06T02:03:27+00:00","article_modified_time":"2024-06-20T06:13:09+00:00","og_image":[{"width":1600,"height":919,"url":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/10\/PA-Pensive-Ursa-Centre.jpg","type":"image\/jpeg"}],"author":"Daniel Frank, Tom Fakterman","twitter_card":"summary_large_image","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/pensive-ursa-uses-upgraded-kazuar-backdoor\/#article","isPartOf":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/pensive-ursa-uses-upgraded-kazuar-backdoor\/"},"author":{"name":"Bo Qu","@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/5ee2f9aa41910b06a373bc7908ed7069"},"headline":"Over the Kazuar\u2019s Nest: Cracking Down on a Freshly Hatched Backdoor Used by Pensive Ursa (Aka Turla)","datePublished":"2023-11-06T02:03:27+00:00","dateModified":"2024-06-20T06:13:09+00:00","mainEntityOfPage":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/pensive-ursa-uses-upgraded-kazuar-backdoor\/"},"wordCount":1245,"commentCount":0,"image":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/pensive-ursa-uses-upgraded-kazuar-backdoor\/#primaryimage"},"thumbnailUrl":"https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/10\/PA-Pensive-Ursa-Centre.jpg","keywords":["Advanced Persistent Threat","backdoor","Kazuar","Pensive Ursa","Turla","Uroburos"],"articleSection":["Malware","Nation-State Cyberattacks","Threat Actor Groups","Threat Research"],"inLanguage":"ja","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/unit42.paloaltonetworks.com\/ja\/pensive-ursa-uses-upgraded-kazuar-backdoor\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/pensive-ursa-uses-upgraded-kazuar-backdoor\/","url":"https:\/\/unit42.paloaltonetworks.com\/ja\/pensive-ursa-uses-upgraded-kazuar-backdoor\/","name":"Over the Kazuar\u2019s Nest: Cracking Down on a Freshly Hatched Backdoor Used by Pensive Ursa (Aka Turla)","isPartOf":{"@id":"https:\/\/unit42.paloaltonetworks.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/pensive-ursa-uses-upgraded-kazuar-backdoor\/#primaryimage"},"image":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/pensive-ursa-uses-upgraded-kazuar-backdoor\/#primaryimage"},"thumbnailUrl":"https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/10\/PA-Pensive-Ursa-Centre.jpg","datePublished":"2023-11-06T02:03:27+00:00","dateModified":"2024-06-20T06:13:09+00:00","author":{"@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/5ee2f9aa41910b06a373bc7908ed7069"},"description":"We analyze Kazuar, a .NET backdoor operated by the threat group Pensive Ursa (Turla). The tool contains many previously undocumented capabilities and has extensive system profiling features and injection modes.","breadcrumb":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/pensive-ursa-uses-upgraded-kazuar-backdoor\/#breadcrumb"},"inLanguage":"ja","potentialAction":[{"@type":"ReadAction","target":["https:\/\/unit42.paloaltonetworks.com\/ja\/pensive-ursa-uses-upgraded-kazuar-backdoor\/"]}]},{"@type":"ImageObject","inLanguage":"ja","@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/pensive-ursa-uses-upgraded-kazuar-backdoor\/#primaryimage","url":"https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/10\/PA-Pensive-Ursa-Centre.jpg","contentUrl":"https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/10\/PA-Pensive-Ursa-Centre.jpg","width":1600,"height":919,"caption":"A purple illustrated bear against a night sky with stars. Its head is inset in a red circle. The constellation ursa."},{"@type":"BreadcrumbList","@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/pensive-ursa-uses-upgraded-kazuar-backdoor\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/unit42.paloaltonetworks.com\/ja\/"},{"@type":"ListItem","position":2,"name":"Over the Kazuar\u2019s Nest: Cracking Down on a Freshly Hatched Backdoor Used by Pensive Ursa (Aka Turla)"}]},{"@type":"WebSite","@id":"https:\/\/unit42.paloaltonetworks.com\/#website","url":"https:\/\/unit42.paloaltonetworks.com\/","name":"Unit 42","description":"Palo Alto 
Networks","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/unit42.paloaltonetworks.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"ja"},{"@type":"Person","@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/5ee2f9aa41910b06a373bc7908ed7069","name":"Bo Qu","image":{"@type":"ImageObject","inLanguage":"ja","@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/image\/9213e49ea48b7676660bac40d05c9e3e","url":"https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2018\/11\/unit-news-meta.svg","contentUrl":"https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2018\/11\/unit-news-meta.svg","caption":"Bo Qu"},"url":"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/author\/bo-qu\/"}]}},"_links":{"self":[{"href":"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/posts\/130959","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/users\/86"}],"replies":[{"embeddable":true,"href":"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/comments?post=130959"}],"version-history":[{"count":10,"href":"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/posts\/130959\/revisions"}],"predecessor-version":[{"id":135165,"href":"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/posts\/130959\/revisions\/135165"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/media\/130892"}],"wp:attachment":[{"href":"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/media?parent=130
959"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/categories?post=130959"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/tags?post=130959"},{"taxonomy":"product_categories","embeddable":true,"href":"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/product_categories?post=130959"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/coauthors?post=130959"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}