{"id":131138,"date":"2023-11-07T23:38:48","date_gmt":"2023-11-08T07:38:48","guid":{"rendered":"https:\/\/unit42.paloaltonetworks.com\/?p=131138"},"modified":"2024-06-17T02:00:48","modified_gmt":"2024-06-17T09:00:48","slug":"agonizing-serpens-targets-israeli-tech-higher-ed-sectors","status":"publish","type":"post","link":"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/agonizing-serpens-targets-israeli-tech-higher-ed-sectors\/","title":{"rendered":"Agonizing Serpens (aka Agrius) Targets the Israeli Higher Education and Technology Sectors"},"content":{"rendered":"<h2><a id=\"post-131138-_5w6sdwx5mcgc\"><\/a>Executive Summary<\/h2>\n<p>Unit 42 researchers investigated a series of destructive cyberattacks that ran from January 2023 through October 2023 and targeted the Israeli education and technology sectors.<\/p>\n<p>The attacks were characterized by attempts to steal sensitive data such as personally identifiable information (PII) and intellectual property. After stealing the information, the attackers deployed various wipers to cover their tracks and render the infected endpoints unusable.<\/p>\n<p>Our investigation revealed that the attackers have strong ties to an Iranian-backed APT group that Unit 42 
tracks as Agonizing Serpens (aka <a href=\"https:\/\/apt.etda.or.th\/cgi-bin\/showcard.cgi?g=Agrius&amp;n=1\" target=\"_blank\" rel=\"noopener\">Agrius<\/a>, <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/blackshadow-hackers-extort-israeli-insurance-company-for-1-million\/\" target=\"_blank\" rel=\"noopener\">BlackShadow<\/a>, <a href=\"https:\/\/learn.microsoft.com\/ja-jp\/microsoft-365\/security\/intelligence\/microsoft-threat-actor-naming?view=o365-worldwide\" target=\"_blank\" rel=\"noopener\">Pink Sandstorm<\/a>, <a href=\"https:\/\/learn.microsoft.com\/ja-jp\/microsoft-365\/security\/intelligence\/microsoft-threat-actor-naming?view=o365-worldwide\" target=\"_blank\" rel=\"noopener\">DEV-0022<\/a>).<\/p>\n<p>Unit 42 researchers were also able to identify new wipers and tools that Agonizing Serpens used in its recent attacks:<\/p>\n<ul>\n<li>MultiLayer wiper<\/li>\n<li>PartialWasher wiper<\/li>\n<li>BFG Agonizer wiper<\/li>\n<li>Sqlextractor (a custom tool for extracting information from database servers)<\/li>\n<\/ul>\n<p>Based on the forensic evidence, the Agonizing Serpens APT group has recently upgraded its capabilities and appears to be investing considerable effort and resources in evading security controls such as EDR (endpoint detection and response). 
To that end, the group has rotated through a variety of known proof-of-concept (PoC) tools, penetration testing tools and custom tools.<\/p>\n<p>In the attacks described below, the attackers were unable to evade Cortex XDR. Cortex XDR and Cortex XSIAM detect and prevent the execution flows described in this article. These products also use machine learning to build behavioral profiles of user activity over time, which lets them detect anomalous activity such as that indicative of credential-based attacks.<\/p>\n<p>By sharing this research and providing recommendations for detection, prevention and hunting, we hope to help organizations protect themselves against threats associated with Agonizing Serpens.<\/p>\n<table style=\"width: 100%;\">\n<thead>\n<tr>\n<td style=\"width: 35%;\"><b>Related Unit 42 Topics<\/b><\/td>\n<td style=\"width: 100%;\"><a href=\"https:\/\/unit42.paloaltonetworks.jp\/tag\/APT-ja\/\" target=\"_blank\" rel=\"noopener\"><b>APT<\/b><\/a>, <strong><a href=\"https:\/\/unit42.paloaltonetworks.jp\/tag\/education-ja\/\" target=\"_blank\" rel=\"noopener\">Education<\/a><\/strong><\/td>\n<\/tr>\n<\/thead>\n<\/table>\n<h2><a id=\"post-131138-_9qe1dt2ghwhp\"><\/a>Who Is the Agonizing Serpens APT Group?<\/h2>\n<p>Agonizing Serpens (aka Agrius) is an Iran-linked APT group that has been active since 2020. The group is known for its destructive wiper and fake-ransomware attacks and mainly targets Israeli organizations across multiple sectors and countries.<\/p>\n<p>Earlier reports on these attacks mentioned ransomware and ransom notes, but these turned out to be a ruse (this trend is also discussed in the <a href=\"https:\/\/start.paloaltonetworks.jp\/2023-unit42-ransomware-extortion-report\" target=\"_blank\" rel=\"noopener\">2023 Unit 42 Ransomware &amp; Extortion Report<\/a>). The attackers have not demanded a ransom in their recent attacks. Rather, the intended outcome of these attacks appears to have been massive data loss and disruption of business continuity.<\/p>\n<p>Attacks by Agonizing Serpens usually have two main goals. The first is to steal sensitive information, including PII and intellectual property, which the threat actor then publishes on social media or Telegram channels. The motive for publishing it on social media is believed to be to instill fear or cause reputational damage. The second motive is to cause disruption and inflict as much damage as possible by wiping as many endpoints as it can.<\/p>\n<p>Since it emerged, the group has developed new custom tools and has also leveraged known hacking tools and techniques to carry out its offensive activity.<\/p>\n<h2><a id=\"post-131138-_dg3kemqhofes\"><\/a>Technical Analysis<\/h2>\n<p>The following sections walk through an October 2023 Agonizing Serpens incident analyzed by Unit 42 researchers, broken down by attack stage.<\/p>\n<h3><a id=\"post-131138-_ijlt30gm37nb\"><\/a>Entry Vector<\/h3>\n<p>The attackers gained initial access to the target environment by exploiting vulnerable internet-facing web servers. They then deployed several web shells to establish a foothold in the network.<\/p>\n<p>The web shell the threat actor used in this attack (see Figure 1) contained the same code as the web shell observed in <a href=\"https:\/\/assets.sentinelone.com\/sentinellabs\/evol-agrius\" target=\"_blank\" rel=\"noopener\">earlier Agonizing Serpens attacks<\/a>, although the function names had been changed. This web shell appears to be a variant of ASPXSpy.<\/p>\n<figure id=\"attachment_131014\" aria-describedby=\"caption-attachment-131014\" style=\"width: 563px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-131014 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/11\/word-image-131008-1.png\" alt=\"Image 1 is a screenshot of a code snippet that forms part of a web shell, a variant of ASPXSpy.\" width=\"563\" height=\"416\" \/><figcaption id=\"caption-attachment-131014\" class=\"wp-caption-text\">Figure 1. Snippet from the <span style=\"font-family: 'courier new', courier, monospace;\">xcopy.aspx<\/span> web shell<\/figcaption><\/figure>\n<p>Another web shell used in this attack is named <span style=\"font-family: 'courier new', courier, monospace;\">Uploader.aspx<\/span>. Figure 2 shows the nearly identical code found in two web shells used by Agonizing Serpens, one from the recent attack and one from a past attack.<\/p>\n<figure id=\"attachment_131016\" aria-describedby=\"caption-attachment-131016\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-131016 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/11\/word-image-131008-2.png\" alt=\"Image 2 combines two code snippets. The upper snippet is from Uploader.aspx, and the lower snippet is from a web shell the attackers used against an Israeli company. The two snippets are separated by a red line.\" width=\"900\" height=\"362\" \/><figcaption id=\"caption-attachment-131016\" class=\"wp-caption-text\">Figure 2. Top: snippet from <span style=\"font-family: 'courier new', courier, monospace;\">Uploader.aspx<\/span>. Bottom: snippet from a web shell used in an earlier Agonizing Serpens attack against an Israeli company<\/figcaption><\/figure>\n<p>Figure 3 shows that immediately after deploying the web shells, the attackers began running basic reconnaissance commands through them.<\/p>\n<figure id=\"attachment_131018\" aria-describedby=\"caption-attachment-131018\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-131018 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/11\/word-image-131008-3.png\" alt=\"Image 3 is a screenshot of the Cortex XDR alert system. It is a tree diagram with four separate branches extending from the initial w3wp.exe alert. It shows three file paths as well as net user and net user \/domain.\" width=\"900\" height=\"598\" \/><figcaption id=\"caption-attachment-131018\" class=\"wp-caption-text\">Figure 3. Basic reconnaissance commands run through the web shell, as shown in Cortex XDR<\/figcaption><\/figure>\n<h3><a id=\"post-131138-_kkfnvgj2vojp\"><\/a>Reconnaissance<\/h3>\n<p>To map the network, the attackers used several publicly available, well-known scanners.<\/p>\n<h4><a id=\"post-131138-_r65hkz6xzb4u\"><\/a>nbtscan<\/h4>\n<p>The attackers renamed <a href=\"https:\/\/attack.mitre.org\/software\/S0590\/\" target=\"_blank\" rel=\"noopener\">nbtscan<\/a> to <span style=\"font-family: 'courier new', courier, monospace;\">systems.txt<\/span> and used it to scan the network for existing hosts (see Figure 4).<\/p>\n<figure id=\"attachment_131020\" aria-describedby=\"caption-attachment-131020\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-131020 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/11\/word-image-131008-4.png\" alt=\"Image 4 is a screenshot of Cortex XDR. It shows three alerts, including file paths. Some information is redacted.\" width=\"900\" height=\"152\" \/><figcaption id=\"caption-attachment-131020\" class=\"wp-caption-text\">Figure 4. nbtscan used to scan the network<\/figcaption><\/figure>\n<h4><a id=\"post-131138-_zcjs3fgmt829\"><\/a>WinEggDrop<\/h4>\n<p>Figure 5 shows how the attackers used the open-source SYN\/TCP port scanner <a href=\"https:\/\/github.com\/kingron\/s\" target=\"_blank\" rel=\"noopener\">WinEggDrop<\/a> to scan specific hosts of interest.<\/p>\n<figure id=\"attachment_131022\" aria-describedby=\"caption-attachment-131022\" style=\"width: 755px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-131022 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/11\/word-image-131008-5.png\" alt=\"Image 5 is a screenshot of Cortex XDR. The tree diagram shows four branches with alerts. Some information is redacted.\" width=\"755\" height=\"585\" \/><figcaption id=\"caption-attachment-131022\" class=\"wp-caption-text\">Figure 5. WinEggDrop scanner used for port scanning<\/figcaption><\/figure>\n<h4><a id=\"post-131138-_bd1emu2qyqz0\"><\/a>NimScan<\/h4>\n<p><a href=\"https:\/\/github.com\/elddy\/NimScan\" target=\"_blank\" rel=\"noopener\">NimScan<\/a> is another port scanner the attackers used in the attack, and it too is publicly available (Figure 6).<\/p>\n<figure id=\"attachment_131024\" aria-describedby=\"caption-attachment-131024\" style=\"width: 592px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-131024 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/11\/word-image-131008-6.png\" alt=\"Image 6 is a screenshot of two separate file paths. Some information is redacted.\" width=\"592\" height=\"93\" \/><figcaption id=\"caption-attachment-131024\" class=\"wp-caption-text\">Figure 6. NimScan used for port scanning<\/figcaption><\/figure>\n<h3><a id=\"post-131138-_ejgc8h2jj112\"><\/a>Credential Stealing<\/h3>\n<p>The most important phase of the attack consisted of obtaining credentials for users with administrative privileges. The attackers tried several methods to obtain credentials, all of which were blocked by the Cortex XDR platform:<\/p>\n<ul>\n<li>Mimikatz (file name: <span style=\"font-family: 'courier new', courier, monospace;\">Mimi.exe<\/span>)<\/li>\n<li>Password spraying over SMB<\/li>\n<li>Password brute forcing over SMB (see Figure 7)<\/li>\n<\/ul>\n<figure id=\"attachment_131026\" aria-describedby=\"caption-attachment-131026\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-131026 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/11\/word-image-131008-7.png\" alt=\"Image 7 is a screenshot of Cortex XDR. The tree diagram has three branches. Three alerts carry a red warning symbol. Some information is redacted.\" width=\"900\" height=\"532\" \/><figcaption id=\"caption-attachment-131026\" class=\"wp-caption-text\">Figure 7. Password brute forcing over SMB<\/figcaption><\/figure>\n<ul>\n<li>Dumping the SAM file (see Figure 8)<\/li>\n<\/ul>\n<figure id=\"attachment_131028\" aria-describedby=\"caption-attachment-131028\" style=\"width: 802px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-131028 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/11\/word-image-131008-8.png\" alt=\"Image 8 is a screenshot of Cortex XDR. It shows three alerts, two of which carry a red warning symbol. Some information is redacted. One file path is included.\" width=\"802\" height=\"312\" \/><figcaption id=\"caption-attachment-131028\" class=\"wp-caption-text\">Figure 8. Dumping the SAM file<\/figcaption><\/figure>\n<h3><a id=\"post-131138-_3kw2gs67ke4y\"><\/a>Lateral Movement<\/h3>\n<p>Figure 9 shows that when moving laterally within the environment, the attackers mainly used <a href=\"https:\/\/manpages.ubuntu.com\/manpages\/trusty\/man1\/plink.1.html\" target=\"_blank\" rel=\"noopener\">Plink<\/a> (renamed to <span style=\"font-family: 'courier new', courier, monospace;\">systems.exe<\/span>) to create remote tunnels and establish connections to remote machines.<\/p>\n<figure id=\"attachment_131030\" aria-describedby=\"caption-attachment-131030\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-131030 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/11\/word-image-131008-9.png\" alt=\"Image 9 is a screenshot of Cortex XDR. The tree diagram has three branches. Three alerts carry a red warning symbol. Some information is redacted. The file path that triggered the alert is also shown.\" width=\"900\" height=\"469\" \/><figcaption id=\"caption-attachment-131030\" class=\"wp-caption-text\">Figure 9. Remote tunnel established with Plink<\/figcaption><\/figure>\n<h3><a id=\"post-131138-_wwfu4qvc6d3j\"><\/a>Stealing and Exfiltrating Data<\/h3>\n<p>The attackers attempted to steal information from critical servers such as databases and then ran wipers to hide their tracks. They then tried to exfiltrate this information to their C2 server using various publicly available tools such as WinSCP and PuTTY.<\/p>\n<h4><a id=\"post-131138-_58yky8aj3bj7\"><\/a>Extracting Database Information with Sqlextractor<\/h4>\n<p>The attackers used a custom tool named sqlextractor (binary name <span style=\"font-family: 'courier new', courier, monospace;\">SQL.net4.exe<\/span>). The purpose of this tool is to query SQL databases and extract sensitive personally identifiable information (PII) such as:<\/p>\n<ul>\n<li>ID numbers<\/li>\n<li>Passport scans<\/li>\n<li>Email addresses<\/li>\n<li>Full addresses<\/li>\n<\/ul>\n<p>This data was saved to CSV 
files (Figures 10 and 11). The tool writes the data to a hard-coded staging path, <span style=\"font-family: 'courier new', courier, monospace;\">C:\\windows\\temp\\s\\<\/span>.<\/p>\n<p>Figure 10 shows the attackers using <span style=\"font-family: 'courier new', courier, monospace;\">7za.exe<\/span> to archive the extracted data in preparation for exfiltration.<\/p>\n<figure id=\"attachment_131032\" aria-describedby=\"caption-attachment-131032\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-131032 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/11\/word-image-131008-10.png\" alt=\"Image 10 is a screenshot of Cortex XDR. The tree diagram has two branches. One of the alerts carries a red warning symbol. Some information is redacted. The file path that triggered the alert is also shown.\" width=\"900\" height=\"288\" \/><figcaption id=\"caption-attachment-131032\" class=\"wp-caption-text\">Figure 10. Files extracted and archived with Sqlextractor and <span style=\"font-family: 'courier new', courier, monospace;\">7za.exe<\/span><\/figcaption><\/figure>\n<figure id=\"attachment_131034\" aria-describedby=\"caption-attachment-131034\" style=\"width: 668px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-131034 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/11\/word-image-131008-11.png\" alt=\"Image 11 is a screenshot of a table. The three columns are labeled SRC_PROCESS_NAME, ACTION_TYPE and FILE_PATH. The table has five rows in total. Some information is redacted.\" width=\"668\" height=\"232\" \/><figcaption id=\"caption-attachment-131034\" class=\"wp-caption-text\">Figure 11. Sqlextractor writing the extracted data to CSV files<\/figcaption><\/figure>\n<p>Figure 12 shows that the attackers also used <span style=\"font-family: 'courier new', courier, monospace;\">7zG.exe<\/span> to archive folders of interest in the infected environment.<\/p>\n<figure id=\"attachment_131036\" aria-describedby=\"caption-attachment-131036\" style=\"width: 576px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-131036 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/11\/word-image-131008-12.png\" alt=\"Image 12 is a screenshot of a table with four rows. The rows show the executables used to archive the folders. Some information is redacted.\" width=\"576\" height=\"152\" \/><figcaption id=\"caption-attachment-131036\" class=\"wp-caption-text\">Figure 12. Various folders archived with 7zG.exe<\/figcaption><\/figure>\n<h4><a id=\"post-131138-_w6zszkbi136z\"><\/a>Data Exfiltration with WinSCP<\/h4>\n<p>The attackers attempted to extract files from the environment using WinSCP (Figures 13 and 14).<\/p>\n<figure id=\"attachment_131038\" aria-describedby=\"caption-attachment-131038\" style=\"width: 482px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-131038 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/11\/word-image-131008-13.png\" alt=\"Image 13 is an alert from Cortex XDR. It includes a table with ACTION_TYPE and FILE_NAME. The action in every row is File Read. Some information is redacted.\" width=\"482\" height=\"215\" \/><figcaption id=\"caption-attachment-131038\" class=\"wp-caption-text\">Figure 13. WinSCP used to extract files<\/figcaption><\/figure>\n<figure id=\"attachment_131040\" aria-describedby=\"caption-attachment-131040\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-131040 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/11\/word-image-131008-14.png\" alt=\"Image 14 is a screenshot of a Cortex XDR table. The column names are Alert Source, Action, Category, Alert Name, Description and Initiated By. There are two rows in total.\" width=\"900\" height=\"112\" \/><figcaption id=\"caption-attachment-131040\" class=\"wp-caption-text\">Figure 14. Exfiltration alerts from Cortex XDR<\/figcaption><\/figure>\n<h4><a id=\"post-131138-_y9q1awqys7bo\"><\/a>Data Exfiltration with Pscp.exe (PuTTY Secure Copy Protocol)<\/h4>\n<p>Figure 15 shows another tool the attackers used for exfiltration, <span style=\"font-family: 'courier new', courier, monospace;\">pscp.exe<\/span> (PuTTY Secure Copy Protocol).<\/p>\n<p>After attempting to establish a connection to the C2, the attackers searched for <span style=\"font-family: 'courier new', courier, monospace;\">.7z<\/span> and <span style=\"font-family: 'courier new', courier, monospace;\">.ezip<\/span> files containing the stolen data, as well as <span style=\"font-family: 'courier new', courier, monospace;\">.dmp<\/span> files created with ProcDump.<\/p>\n<figure 
id=\"attachment_131042\" aria-describedby=\"caption-attachment-131042\" style=\"width: 410px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-131042 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/11\/word-image-131008-15.png\" alt=\"\u753b\u50cf 15 \u306f\u3001\u6f0f\u51fa\u306b\u4f7f\u308f\u308c\u305f pscp.exe \u306e\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3067\u3059 (\u4e00\u90e8\u306e\u60c5\u5831\u306f\u4f0f\u305b\u3066\u3042\u308a\u307e\u3059)\u3002\" width=\"410\" height=\"116\" \/><figcaption id=\"caption-attachment-131042\" class=\"wp-caption-text\">\u56f3 15. <span style=\"font-family: 'courier new', courier, monospace;\">pscp.exe<\/span> \u3092\u4f7f\u3063\u3066\u6f0f\u51fa<\/figcaption><\/figure>\n<h3><a id=\"post-131138-_gpm29t634ood\"><\/a>\u30ef\u30a4\u30d1\u30fc\u306e\u30da\u30a4\u30ed\u30fc\u30c9<\/h3>\n<p>\u3053\u306e\u30a4\u30f3\u30b7\u30c7\u30f3\u30c8\u3067\u653b\u6483\u8005\u306f\u7834\u58ca\u653b\u6483\u306e\u4e00\u74b0\u3068\u3057\u3066 3 \u3064\u306e\u7570\u306a\u308b\u30ef\u30a4\u30d1\u30fc\u3092\u4f7f\u304a\u3046\u3068\u3057\u3066\u3044\u307e\u3057\u305f\u3002\u4e00\u90e8\u306e\u30ef\u30a4\u30d1\u30fc\u306f\u3001\u4ee5\u524d\u306b Agonizing Serpens \u30b0\u30eb\u30fc\u30d7\u304c\u4f7f\u3063\u305f\u3053\u3068\u304c\u5831\u544a\u3055\u308c\u3066\u3044\u308b\u30ef\u30a4\u30d1\u30fc\u3068\u30b3\u30fc\u30c9\u306b\u985e\u4f3c\u6027\u304c\u3042\u308a\u307e\u3059\u304c\u3001\u6b8b\u308a\u306e\u30ef\u30a4\u30d1\u30fc\u306f\u771f\u65b0\u3057\u3044\u3082\u306e\u3068\u8003\u3048\u3089\u308c\u307e\u3059\u3002\u6b21\u306e\u30bb\u30af\u30b7\u30e7\u30f3\u3067\u8a73\u3057\u304f\u8aac\u660e\u3057\u307e\u3059\u304c\u3001\u3053\u308c\u3089\u306f\u4eca\u56de\u306e\u653b\u6483\u3067\u521d\u3081\u3066\u4f7f\u308f\u308c\u307e\u3057\u305f\u3002<\/p>\n<h4><a id=\"post-131138-_qg8d6gez366v\"><\/a>MultiLayer 
\u30ef\u30a4\u30d1\u30fc<\/h4>\n<p>\u653b\u6483\u8005\u304c\u4f7f\u3063\u305f\u6700\u521d\u306e\u30ef\u30a4\u30d1\u30fc\u306f\u3001MultiLayer \u3068\u547c\u3070\u308c\u308b .NET \u30de\u30eb\u30a6\u30a7\u30a2\u3067\u3059\u3002\u305d\u306e\u540d\u304c\u793a\u3059\u901a\u308a\u3001\u3053\u306e\u30ef\u30a4\u30d1\u30fc\u306b\u306f\u8907\u6570\u306e\u30ec\u30a4\u30e4\u30fc\u3068\u30b9\u30c6\u30fc\u30b8\u3068\u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n<p>\u30b3\u30f3\u30d1\u30a4\u30eb\u65e5\u306f 2093 \u5e74 10 \u6708 14 \u65e5\u306b\u306a\u3063\u3066\u3044\u307e\u3059\u3002\u5c06\u6765\u306e\u65e5\u4ed8\u306b\u8a2d\u5b9a\u3055\u308c\u3066\u3044\u308b\u3053\u3068\u304b\u3089\u3001\u30e1\u30bf\u30c7\u30fc\u30bf\u306f\u660e\u3089\u304b\u306b\u6539\u3056\u3093\u3055\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n<p>\u56f3 16 \u306f\u3001\u30ea\u30bd\u30fc\u30b9 \u30bb\u30af\u30b7\u30e7\u30f3\u306b MultiList \u3068 MultiWip \u3068\u3044\u3046\u540d\u524d\u306e\u3055\u3089\u306b 2 \u3064\u306e\u30d0\u30a4\u30ca\u30ea\u30fc\u304c\u542b\u307e\u308c\u3066\u3044\u308b\u3053\u3068\u3092\u793a\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<figure id=\"attachment_131044\" aria-describedby=\"caption-attachment-131044\" style=\"width: 299px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-131044 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/11\/word-image-131008-16.png\" alt=\"\u753b\u50cf 16 \u306f\u3001\u30d5\u30a1\u30a4\u30eb \u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u30fc\u306e\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3067\u3059\u3002Resources \u30d5\u30a9\u30eb\u30c0\u30fc\u306b\u306f\u3001MultiList \u3084 MultiWip \u3092\u542b\u3080 MultiLayer \u306e\u30ea\u30bd\u30fc\u30b9\u304c\u3042\u308a\u307e\u3059\u3002\" width=\"299\" height=\"71\" \/><figcaption id=\"caption-attachment-131044\" class=\"wp-caption-text\">\u56f3 16. 
MultiLayer \u306e\u30ea\u30bd\u30fc\u30b9<\/figcaption><\/figure>\n<p>MultiLayer \u306f\u3001\u524d\u8ff0\u306e\u5404\u30d0\u30a4\u30ca\u30ea\u30fc\u3092\u30c9\u30ed\u30c3\u30d7\u3057\u3066\u5b9f\u884c\u3057\u3001\u5b9f\u884c\u76f4\u5f8c\u306b\u524a\u9664\u3057\u307e\u3059\u3002<\/p>\n<h5><a id=\"post-131138-_mgkz2l756wp\"><\/a>MultiList \u30b3\u30f3\u30dd\u30fc\u30cd\u30f3\u30c8 - \u30bf\u30fc\u30b2\u30c3\u30c8 \u30d5\u30a1\u30a4\u30eb\u306e\u8a2d\u5b9a<\/h5>\n<p>MultiList \u306f\u3001\u30b7\u30b9\u30c6\u30e0\u4e0a\u306e\u56fa\u5b9a\u30c9\u30e9\u30a4\u30d6\u4e0a\u306e\u3059\u3079\u3066\u306e\u30d5\u30a1\u30a4\u30eb\u3068\u305d\u306e\u30d1\u30b9\u306e\u30ea\u30b9\u30c8\u3092\u751f\u6210\u3057\u307e\u3059\u3002\u3053\u308c\u306f\u3001\u611f\u67d3\u3057\u305f\u30aa\u30da\u30ec\u30fc\u30c6\u30a3\u30f3\u30b0 \u30b7\u30b9\u30c6\u30e0\u4e0a\u306e\u3059\u3079\u3066\u306e\u30d5\u30a1\u30a4\u30eb\u3092\u5217\u6319\u3057\u3001\u4e8b\u524d\u5b9a\u7fa9\u30ea\u30b9\u30c8 (\u56f3 17 \u3092\u53c2\u7167) \u306b\u5b9a\u7fa9\u3057\u305f\u7279\u5b9a\u30d5\u30a9\u30eb\u30c0\u30fc\u3092\u9664\u5916\u3059\u308b\u3053\u3068\u306b\u3088\u3063\u3066\u884c\u308f\u308c\u307e\u3059\u3002\u653b\u6483\u8005\u306f\u3001\u30b3\u30de\u30f3\u30c9 \u30e9\u30a4\u30f3\u3092\u4f7f\u3044\u3001\u3053\u306e\u30c4\u30fc\u30eb\u304c\u30ea\u30b9\u30c8\u3092\u4fdd\u5b58\u3059\u308b\u30d1\u30b9\u3092\u5b9a\u7fa9\u3067\u304d\u307e\u3059\u3002<\/p>\n<figure id=\"attachment_131046\" aria-describedby=\"caption-attachment-131046\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-131046 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/11\/word-image-131008-17.png\" alt=\"\u753b\u50cf 17 \u306f\u3001MultiList \u306b\u3088\u3063\u3066\u9664\u5916\u3055\u308c\u308b\u30d5\u30a9\u30eb\u30c0\u30fc\u306e\u4e8b\u524d\u5b9a\u7fa9\u30ea\u30b9\u30c8\u306e\u30b3\u30fc\u30c9\u306e\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3067\u3059\u3002\" 
width=\"900\" height=\"503\" \/><figcaption id=\"caption-attachment-131046\" class=\"wp-caption-text\">\u56f3 17. MultiList \u306e\u9664\u5916\u7528\u306e\u95a2\u6570<\/figcaption><\/figure>\n<h5><a id=\"post-131138-_ny3jmqall2io\"><\/a>MultiWip - \u30b3\u30a2\u3068\u306a\u308b\u30ef\u30a4\u30d1\u30fc \u30b3\u30f3\u30dd\u30fc\u30cd\u30f3\u30c8<\/h5>\n<p>MultiWip \u30b3\u30f3\u30dd\u30fc\u30cd\u30f3\u30c8\u306b\u5b9f\u969b\u306e\u30d5\u30a1\u30a4\u30eb\u6d88\u53bb\u6a5f\u80fd\u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3059\u3002\u3053\u306e\u30b3\u30f3\u30dd\u30fc\u30cd\u30f3\u30c8\u306f\u3001\u3055\u304d\u307b\u3069\u306e\u30b3\u30f3\u30dd\u30fc\u30cd\u30f3\u30c8 (MultiList) \u306b\u4f9d\u5b58\u3057\u3066\u3001\u30b3\u30de\u30f3\u30c9\u30e9\u30a4\u30f3\u5f15\u6570\u3068\u3057\u3066\u6e21\u3055\u308c\u305f\u30ef\u30a4\u30d7\u5bfe\u8c61\u30d5\u30a1\u30a4\u30eb\u306e\u51fa\u529b\u30ea\u30b9\u30c8\u3092\u8aad\u307f\u53d6\u308a\u307e\u3059\u3002<\/p>\n<p>MultiWip \u306e\u30e1\u30a4\u30f3\u306e\u95a2\u6570\u306f <span style=\"font-family: 'courier new', courier, monospace;\">DoJob()<\/span> \u3068\u547c\u3070\u308c\u308b\u3082\u306e\u3067\u3001\u3053\u306e\u95a2\u6570\u306f\u56f3 18 \u306b\u793a\u3059\u65b9\u6cd5\u3067\u306e\u30d5\u30a1\u30a4\u30eb\u6d88\u53bb\u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3\u306e\u5b9f\u884c\u3092\u62c5\u3063\u3066\u3044\u307e\u3059\u3002<\/p>\n<figure id=\"attachment_131048\" aria-describedby=\"caption-attachment-131048\" style=\"width: 601px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-131048 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/11\/word-image-131008-18.png\" alt=\"\u753b\u50cf 18 \u306f\u3001MultiWip \u306e DoJob() \u95a2\u6570\u3092\u5b9a\u7fa9\u3057\u3066\u3044\u308b\u30b3\u30fc\u30c9\u306e\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3067\u3059\u3002\" width=\"601\" height=\"502\" \/><figcaption id=\"caption-attachment-131048\" class=\"wp-caption-text\">\u56f3 18. 
MultiWip \u306e\u30e1\u30a4\u30f3\u306e\u95a2\u6570\u3067\u3042\u308b <span style=\"font-family: 'courier new', courier, monospace;\">DoJob()<\/span> \u306e\u30b9\u30cb\u30da\u30c3\u30c8<\/figcaption><\/figure>\n<p>\u3053\u306e\u30de\u30eb\u30a6\u30a7\u30a2\u306f\u3001\u6307\u5b9a\u3055\u308c\u305f\u9806\u5e8f\u3067\u4ee5\u4e0b\u306e\u624b\u9806\u3092\u5b9f\u884c\u3057\u307e\u3059\u3002<\/p>\n<ol>\n<li>\u30cd\u30c3\u30c8\u30ef\u30fc\u30af \u30c9\u30e9\u30a4\u30d6\u4e0a\u306b\u3042\u308b\u30d5\u30a1\u30a4\u30eb\u3092\u305f\u3060\u3061\u306b\u524a\u9664\u3057\u307e\u3059\u3002<\/li>\n<li>\u30ed\u30fc\u30ab\u30eb\u306b\u4fdd\u5b58\u3055\u308c\u3066\u3044\u308b\u30d5\u30a1\u30a4\u30eb\u3092\u7834\u58ca\u3057\u3001\u30e9\u30f3\u30c0\u30e0 \u30c7\u30fc\u30bf\u3067\u4e0a\u66f8\u304d\u3059\u308b\u3053\u3068\u3067\u3001\u30d5\u30a1\u30a4\u30eb\u5fa9\u65e7\u51e6\u7406\u3092\u59a8\u3052\u307e\u3059 (\u56f3 19)\u3002<\/li>\n<\/ol>\n<figure id=\"attachment_131050\" aria-describedby=\"caption-attachment-131050\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-131050 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/11\/word-image-131008-19.png\" alt=\"\u753b\u50cf 19 \u306f\u3001MultiWip \u306e\u30c7\u30fc\u30bf\u7834\u58ca\u95a2\u6570\u3092\u5b9a\u7fa9\u3057\u3066\u3044\u308b\u30b3\u30fc\u30c9\u306e\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3067\u3059\u3002\" width=\"900\" height=\"734\" \/><figcaption id=\"caption-attachment-131050\" class=\"wp-caption-text\">\u56f3 19. 
MultiWip \u306e\u30d5\u30a1\u30a4\u30eb\u306e\u30c7\u30fc\u30bf\u7834\u58ca\u95a2\u6570\u306e\u30b9\u30cb\u30da\u30c3\u30c8<\/figcaption><\/figure>\n<ol start=\"3\">\n<li>\u3053\u306e\u30de\u30eb\u30a6\u30a7\u30a2\u306f\u3001<span style=\"font-family: 'courier new', courier, monospace;\"><a href=\"https:\/\/learn.microsoft.com\/ja-jp\/dotnet\/api\/system.io.filesysteminfo.lastaccesstime?view=net-7.0\" target=\"_blank\" rel=\"noopener\">LastAccessTime<\/a><\/span>\u3001<span style=\"font-family: 'courier new', courier, monospace;\"><a href=\"https:\/\/learn.microsoft.com\/ja-jp\/dotnet\/api\/system.io.filesysteminfo.lastwritetime?view=net-7.0\" target=\"_blank\" rel=\"noopener\">LastWriteTime<\/a><\/span>\u3001<span style=\"font-family: 'courier new', courier, monospace;\"><a href=\"https:\/\/learn.microsoft.com\/ja-jp\/dotnet\/api\/system.io.filesysteminfo.creationtime?view=net-7.0\" target=\"_blank\" rel=\"noopener\">CreationTime<\/a><\/span> \u306e\u5404 <span style=\"font-family: 'courier new', courier, monospace;\"><a href=\"https:\/\/learn.microsoft.com\/ja-jp\/dotnet\/api\/system.io.filesysteminfo?view=net-7.0\" target=\"_blank\" rel=\"noopener\">FileSystemInfo<\/a><\/span> \u30d7\u30ed\u30d1\u30c6\u30a3\u5185\u306e\u5143\u306e\u30bf\u30a4\u30e0\u30b9\u30bf\u30f3\u30d7\u3092\u5909\u66f4\u3057\u307e\u3059\u3002\u3053\u308c\u306f\u3088\u304f\u77e5\u3089\u308c\u305f\u30d5\u30a9\u30ec\u30f3\u30b8\u30c3\u30af\u5bfe\u7b56\u306e<a href=\"https:\/\/attack.mitre.org\/techniques\/T1070\/006\/\" target=\"_blank\" rel=\"noopener\">\u30bf\u30a4\u30e0\u30b9\u30c8\u30f3\u30d7\u6280\u8853 (timestomp: \u653b\u6483\u8005\u304c\u81ea\u8eab\u306e\u653b\u6483\u306e\u75d5\u8de1\u3092\u6d88\u3057\u305f\u308a\u8abf\u67fb\u3092\u59a8\u5bb3\u3059\u308b\u76ee\u7684\u3067\u30d5\u30a1\u30a4\u30eb\u3084\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u30fc\u306e\u30bf\u30a4\u30e0\u30b9\u30bf\u30f3\u30d7\u3092\u6539\u3056\u3093\u3059\u308b) 
<\/a>\u3067\u3059\u3002\u3053\u306e\u30de\u30eb\u30a6\u30a7\u30a2\u306f\u30d5\u30a1\u30a4\u30eb \u30b7\u30b9\u30c6\u30e0\u306b\u3057\u305f\u304c\u3063\u3066\u30bf\u30a4\u30e0\u30b9\u30c8\u30f3\u30d7\u3092\u884c\u3044\u307e\u3059\u3002\u30d5\u30a1\u30a4\u30eb \u30b7\u30b9\u30c6\u30e0\u304c NTFS \u3067\u3042\u308c\u3070\u3053\u306e\u30de\u30eb\u30a6\u30a7\u30a2\u306f\u30bf\u30a4\u30e0\u30b9\u30bf\u30f3\u30d7\u3092 1601.1.1 \u306b\u8a2d\u5b9a\u3057\u307e\u3059\u3002\u3079\u3064\u306e\u30d5\u30a1\u30a4\u30eb \u30b7\u30b9\u30c6\u30e0\u3067\u3042\u308c\u3070\u30011980.1.1 \u306b\u8a2d\u5b9a\u3057\u307e\u3059 (\u56f3 20 \u53c2\u7167)\u3002<\/li>\n<\/ol>\n<figure id=\"attachment_131052\" aria-describedby=\"caption-attachment-131052\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-131052 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/11\/word-image-131008-20.png\" alt=\"\u753b\u50cf 20 \u306f\u3001MultiWip \u306e\u30bf\u30a4\u30e0\u30b9\u30c8\u30f3\u30d7\u95a2\u6570\u3092\u5b9a\u7fa9\u3059\u308b\u30b3\u30fc\u30c9\u306e\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3067\u3059\u3002\" width=\"900\" height=\"86\" \/><figcaption id=\"caption-attachment-131052\" class=\"wp-caption-text\">\u56f3 20. 
MultiWip \u306e\u30bf\u30a4\u30e0\u30b9\u30c8\u30f3\u30d7\u95a2\u6570<\/figcaption><\/figure>\n<ol start=\"4\">\n<li>\u3053\u306e\u30de\u30eb\u30a6\u30a7\u30a2\u306f\u3001<span style=\"font-family: 'courier new', courier, monospace;\"><a href=\"https:\/\/learn.microsoft.com\/ja-jp\/dotnet\/api\/system.io.path.getrandomfilename?view=net-7.0\" target=\"_blank\" rel=\"noopener\">Path.GetRandomFileName<\/a><\/span> \u3092\u4f7f\u3063\u3066\u524a\u9664\u3055\u308c\u305f\u30d5\u30a1\u30a4\u30eb\u306e\u5143\u306e\u30d1\u30b9\u3092\u5909\u66f4\u3059\u308b\u3053\u3068\u3067\u3001\u5fa9\u65e7\u4f5c\u696d\u3092\u975e\u5e38\u306b\u96e3\u3057\u304f\u3057\u3066\u3044\u307e\u3059\u3002<\/li>\n<li>\u6700\u5f8c\u306b\u3001\u30de\u30eb\u30a6\u30a7\u30a2\u306f\u3053\u308c\u3089\u306e\u30d5\u30a1\u30a4\u30eb\u3092\u524a\u9664\u3057\u307e\u3059\u3002<\/li>\n<\/ol>\n<h5><a id=\"post-131138-_ug0emwjzalh3\"><\/a>\u653b\u6483\u306e\u75d5\u8de1\u3092\u96a0\u3057\u30b7\u30b9\u30c6\u30e0\u3092\u4f7f\u7528\u4e0d\u80fd\u306b\u3059\u308b<\/h5>\n<p>MultiLayer \u306f\u3001\u81ea\u8eab\u306e\u5b9f\u884c\u306e\u8a3c\u62e0\u3092\u6d88\u3057\u3066\u75d5\u8de1\u3092\u96a0\u3059\u3088\u3046\u306b\u8a2d\u8a08\u3055\u308c\u3066\u3044\u307e\u3059\u3002\u3053\u306e\u51e6\u7406\u306f\u3001\u5931\u308f\u308c\u305f\u30c7\u30fc\u30bf\u306e\u5fa9\u65e7\u3092\u9632\u304e\u3001\u30c7\u30a3\u30b9\u30af\u3092\u4f7f\u7528\u4e0d\u80fd\u306b\u3059\u308b\u305f\u3081\u306b\u3055\u307e\u3056\u307e\u306a\u30b3\u30de\u30f3\u30c9\u3092\u5b9f\u884c\u3059\u308b\u3053\u3068\u306b\u3088\u3063\u3066\u884c\u308f\u308c\u307e\u3059\u3002<\/p>\n<p>\u56f3 21 \u306f\u3001MultiLayer \u304c <span style=\"font-family: 'courier new', courier, monospace;\">DeleteLogs()<\/span> \u95a2\u6570\u306b\u3088\u308a\u3001\u3042\u308b\u30d0\u30c3\u30c1 \u30b9\u30af\u30ea\u30d7\u30c8\u3092 1 \u5ea6\u3060\u3051\u8d77\u52d5\u3059\u308b\u30b9\u30b1\u30b8\u30e5\u30fc\u30eb 
\u30bf\u30b9\u30af\u3092\u4f5c\u6210\u3059\u308b\u3053\u3068\u3092\u793a\u3057\u3066\u3044\u307e\u3059\u3002\u6b21\u306b\u3001\u3053\u306e\u30b9\u30af\u30ea\u30d7\u30c8\u306f\u3059\u3079\u3066\u306e Windows \u30a4\u30d9\u30f3\u30c8 \u30ed\u30b0\u3092\u524a\u9664\u3057\u307e\u3059\u3002<\/p>\n<figure id=\"attachment_131054\" aria-describedby=\"caption-attachment-131054\" style=\"width: 723px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-131054 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/11\/word-image-131008-21.png\" alt=\"\u753b\u50cf 21 \u306f\u3001\u30a4\u30d9\u30f3\u30c8 \u30ed\u30b0\u3092\u524a\u9664\u3059\u308b MultiLayer \u306e\u6a5f\u80fd\u3092\u5b9a\u7fa9\u3059\u308b\u30b3\u30fc\u30c9\u306e\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3067\u3059\u3002\" width=\"723\" height=\"294\" \/><figcaption id=\"caption-attachment-131054\" class=\"wp-caption-text\">\u56f3 21. \u30a4\u30d9\u30f3\u30c8 \u30ed\u30b0\u3092\u524a\u9664\u3059\u308b MultiLayer \u306e\u30b9\u30b1\u30b8\u30e5\u30fc\u30eb \u30bf\u30b9\u30af<\/figcaption><\/figure>\n<p>MultiLayer \u306f\u691c\u51fa\u3092\u9003\u308c\u308b\u305f\u3081\u3001\u4f7f\u308f\u308c\u305f\u30d5\u30a1\u30a4\u30eb (\u81ea\u5206\u81ea\u8eab\u3092\u542b\u3080) \u3092\u3059\u3079\u3066\u5b9f\u884c\u5f8c\u306b\u524a\u9664\u3057\u307e\u3059\u3002MultiLayer \u306f\u81ea\u8eab\u3092\u524a\u9664\u3059\u308b\u3055\u3044\u3001<span style=\"font-family: 'courier new', courier, monospace;\">SelfDelete()<\/span> \u3092\u4f7f\u3044\u307e\u3059\u3002<\/p>\n<p>\u3053\u306e\u524a\u9664\u51e6\u7406\u306f\u3001\u8105\u5a01\u30a2\u30af\u30bf\u30fc\u304c <span style=\"font-family: 'courier new', courier, monospace;\">%TEMP%<\/span> \u306b <span style=\"font-family: 'courier new', courier, monospace;\">remover.bat<\/span> \u3068\u3044\u3046\u30d0\u30c3\u30c1 
\u30d5\u30a1\u30a4\u30eb\u3092\u66f8\u304d\u8fbc\u3093\u3067\u5b9f\u884c\u3059\u308b\u3053\u3068\u306b\u3088\u3063\u3066\u5b9f\u73fe\u3057\u3066\u3044\u307e\u3059\u3002\u3053\u306e\u30d0\u30c3\u30c1 \u30d5\u30a1\u30a4\u30eb\u306f\u30a2\u30bb\u30f3\u30d6\u30ea\u30fc \u30d5\u30a1\u30a4\u30eb\u3068\u3053\u306e\u30d0\u30c3\u30c1 \u30d5\u30a1\u30a4\u30eb\u81ea\u4f53\u3092\u524a\u9664\u3057\u3001\u30d5\u30a1\u30a4\u30eb \u30b7\u30b9\u30c6\u30e0\u306e\u30ad\u30e3\u30c3\u30b7\u30e5 \u30e1\u30e2\u30ea\u30fc\u3092\u30af\u30ea\u30a2\u3057\u307e\u3059\u3002\u3053\u306e\u3055\u3044\u306f\u3001<span style=\"font-family: 'courier new', courier, monospace;\">advapi32.dll<\/span> \u304b\u3089\u306e <span style=\"font-family: 'courier new', courier, monospace;\">ProcessIdleTasks<\/span> \u306e\u30a8\u30af\u30b9\u30dd\u30fc\u30c8\u304c\u5229\u7528\u3055\u308c\u307e\u3059\u3002<\/p>\n<p>\u3055\u3089\u306b\u30c7\u30fc\u30bf\u5fa9\u65e7\u3092\u59a8\u5bb3\u3059\u308b\u305f\u3081\u3001MultiLayer \u306f\u30b7\u30b9\u30c6\u30e0\u4e0a\u306e\u3059\u3079\u3066\u306e\u30b7\u30e3\u30c9\u30a6 \u30b3\u30d4\u30fc\u3092\u524a\u9664 (\u56f3 22) \u3057\u3066\u304b\u3089\u3001\u30dc\u30ea\u30e5\u30fc\u30e0 \u30b7\u30e3\u30c9\u30a6 \u30b3\u30d4\u30fc (VSS) \u30b5\u30fc\u30d3\u30b9\u81ea\u4f53\u3092\u524a\u9664\u3057\u3088\u3046\u3068\u3057\u307e\u3059\u3002<\/p>\n<figure id=\"attachment_131056\" aria-describedby=\"caption-attachment-131056\" style=\"width: 603px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-131056 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/11\/word-image-131008-22.png\" alt=\"\u753b\u50cf 22 \u306f\u3001MultilLayer \u306e\u30b7\u30e3\u30c9\u30a6 \u30b3\u30d4\u30fc\u3092\u524a\u9664\u3059\u308b\u6a5f\u80fd\u3092\u5b9a\u7fa9\u3059\u308b\u30b3\u30fc\u30c9\u306e\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3067\u3059\u3002\" width=\"603\" height=\"57\" \/><figcaption id=\"caption-attachment-131056\" 
class=\"wp-caption-text\">\u56f3 22. MultiLayer \u306b\u3088\u308b\u30b7\u30e3\u30c9\u30a6 \u30b3\u30d4\u30fc\u306e\u524a\u9664<\/figcaption><\/figure>\n<p>\u56f3 23 \u306b\u793a\u3059\u3088\u3046\u306b\u3001MultiLayer \u306f\u3001\u30b7\u30b9\u30c6\u30e0\u306e\u30d6\u30fc\u30c8\u3092\u78ba\u5b9f\u306b\u59a8\u5bb3\u3059\u308b\u305f\u3081\u306b\u3001<span style=\"font-family: 'courier new', courier, monospace;\">\\\\\\\\.\\\\PhysicalDrive0<\/span> \u3078\u306e\u30cf\u30f3\u30c9\u30eb\u3092\u958b\u304d\u3001\u5148\u982d\u306e 512 \u30d0\u30a4\u30c8(\u3064\u307e\u308a\u30d6\u30fc\u30c8 \u30bb\u30af\u30bf\u30fc) \u3092\u30ef\u30a4\u30d7\u3057\u307e\u3059\u3002<\/p>\n<figure id=\"attachment_131058\" aria-describedby=\"caption-attachment-131058\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-131058 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/11\/word-image-131008-23.png\" alt=\"\u753b\u50cf 23 \u306f\u3001\u30d6\u30fc\u30c8 \u30bb\u30af\u30bf\u30fc\u3092\u6d88\u53bb\u3059\u308b MultiLayer \u306e\u6a5f\u80fd\u3092\u5b9a\u7fa9\u3059\u308b\u30b3\u30fc\u30c9\u306e\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3067\u3059\u3002\" width=\"900\" height=\"184\" \/><figcaption id=\"caption-attachment-131058\" class=\"wp-caption-text\">\u56f3 23. 
MultiLayer \u306b\u3088\u308b\u30d6\u30fc\u30c8 \u30bb\u30af\u30bf\u30fc\u306e\u6d88\u53bb<\/figcaption><\/figure>\n<p>\u30d6\u30fc\u30c8 \u30bb\u30af\u30bf\u30fc\u3092\u7834\u58ca\u5f8c\u3001MultiLayer \u306f\u4ed5\u4e0a\u3052\u3068\u3057\u3066\u81ea\u8eab\u306e\u6a29\u9650\u3092<span style=\"font-family: 'courier new', courier, monospace;\">SeShutdownPrivilege<\/span> \u306b\u8a2d\u5b9a\u3057\u3001<span style=\"font-family: 'courier new', courier, monospace;\">EWX_REBOOT<\/span> \u30d5\u30e9\u30b0\u3092\u6307\u5b9a\u3057\u3066 Windows API \u306e <span style=\"font-family: 'courier new', courier, monospace;\"><a href=\"https:\/\/learn.microsoft.com\/ja-jp\/windows\/win32\/api\/winuser\/nf-winuser-exitwindowsex\" target=\"_blank\" rel=\"noopener\">ExitWindowsEx<\/a><\/span> \u3092\u547c\u3073\u51fa\u3057\u307e\u3059\u3002\u518d\u8d77\u52d5\u5f8c\u3001\u30b7\u30b9\u30c6\u30e0\u306f\u8d77\u52d5\u3067\u304d\u306a\u304f\u306a\u308a\u307e\u3059\u3002<\/p>\n<p>\u4ee5\u4e0b\u306e\u56f3 24 \u306b\u793a\u3059\u3088\u3046\u306b\u3001MultiLayer \u5b9f\u884c\u306e\u8a66\u307f\u306f Cortex XDR \u306b\u3088\u3063\u3066\u963b\u6b62\u3055\u308c\u3066\u3044\u307e\u3057\u305f\u3002<\/p>\n<figure id=\"attachment_131060\" aria-describedby=\"caption-attachment-131060\" style=\"width: 722px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-131060 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/11\/word-image-131008-24.png\" alt=\"\u753b\u50cf 24 \u306f\u3001Cortex XDR \u306e\u30a2\u30e9\u30fc\u30c8\u306e\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3067\u3059\u3002\u30e6\u30fc\u30b6\u30fc\u60c5\u5831\u306f\u4f0f\u305b\u3066\u3042\u308a\u307e\u3059\u3002\u30a2\u30e9\u30fc\u30c8\u306b\u306f\u8d64\u3044\u8b66\u544a\u30b7\u30f3\u30dc\u30eb\u304c\u4ed8\u3044\u3066\u3044\u307e\u3059\u3002Tags\u3001Severity (Medium)\u3001Action\u3001Description \u306e\u60c5\u5831\u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3059\u3002Module \u306f WildFire 
\u3067\u3059\u3002\" width=\"722\" height=\"427\" \/><figcaption id=\"caption-attachment-131060\" class=\"wp-caption-text\">\u56f3 24. Cortex XDR \u30d7\u30e9\u30c3\u30c8\u30d5\u30a9\u30fc\u30e0\u306b\u3088\u308b MultiLayer \u30ef\u30a4\u30d1\u30fc\u306e\u5b9f\u884c\u9632\u6b62<\/figcaption><\/figure>\n<h5><a id=\"post-131138-_m01o1xtlu4l9\"><\/a>Apostle\u3001IPsec Helper\u3001Fantasy\u3068\u306e\u985e\u4f3c\u70b9<\/h5>\n<p>\u5206\u6790\u3092\u884c\u3046\u306a\u304b\u3067\u3001MultiLayer \u306e\u30b3\u30fc\u30c9\u304c Apostle \u3084 IPsec Helper\u3001Fantasy \u3068\u8907\u6570\u91cd\u8907\u3057\u3066\u3044\u308b\u3053\u3068\u306b\u6c17\u4ed8\u304d\u307e\u3057\u305f\u3002Apostle\u3001IPsec Helper\u3001Fantasy \u306f\u3001Agonizing Serpens \u304c\u4ee5\u524d\u4f7f\u3063\u3066\u3044\u305f\u30ab\u30b9\u30bf\u30e0 \u30c4\u30fc\u30eb\u3067\u3059\u3002\u3053\u306e\u91cd\u8907\u306f\u3001\u30b3\u30fc\u30c9 \u30d9\u30fc\u30b9\u304c\u5171\u6709\u3055\u308c\u3066\u3044\u308b\u304b\u3001\u540c\u3058\u958b\u767a\u8005\u30c1\u30fc\u30e0\u306b\u3088\u3063\u3066\u4f5c\u6210\u3055\u308c\u3066\u3044\u308b\u7d50\u679c\u751f\u3058\u305f\u53ef\u80fd\u6027\u304c\u3042\u308a\u307e\u3059\u3002\u524d\u8ff0\u306e\u30c4\u30fc\u30eb\u306e\u30b3\u30fc\u30c9\u3092\u6bd4\u8f03\u3059\u308b\u3068\u3001MultiLayer \u306f\u547d\u540d\u898f\u5247\u3084\u30b3\u30fc\u30c9 \u30d6\u30ed\u30c3\u30af\u5168\u4f53\u306b\u304a\u3044\u3066\u3082\u3001\u305d\u308c\u3089\u306e\u30c4\u30fc\u30eb\u3068\u5171\u901a\u7b87\u6240\u304c\u3042\u308b\u3088\u3046\u306b\u898b\u3048\u307e\u3059\u3002<\/p>\n<p><strong>\u91cd\u8907\u306e\u4f8b 1: \u81ea\u5df1\u524a\u9664\u30e1\u30ab\u30cb\u30ba\u30e0<\/strong><br \/>\nMultiLayer \u306e\u81ea\u5df1\u524a\u9664\u30e1\u30ab\u30cb\u30ba\u30e0\u306f\u3001<a href=\"https:\/\/assets.sentinelone.com\/sentinellabs\/evol-agrius\" target=\"_blank\" rel=\"noopener\">IPsec Helper<\/a>\u3001<a href=\"https:\/\/assets.sentinelone.com\/sentinellabs\/evol-agrius\" target=\"_blank\" 
rel=\"noopener\">Apostle<\/a>\u3001<a href=\"https:\/\/www.eset.com\/hk\/about\/newsroom\/press-releases\/news\/fantasy-a-new-agrius-wiper-deployed-through-a-supply-chain-attack0\/\" target=\"_blank\" rel=\"noopener\">Fantasy<\/a> \u3068\u540c\u69d8\u306e\u65b9\u6cd5\u3067\u5b9f\u88c5\u3055\u308c\u3066\u3044\u307e\u3059\u3002\u3053\u308c\u3089\u306e\u30c4\u30fc\u30eb\u306e\u95a2\u6570\u540d\u306f\u3044\u305a\u308c\u3082\u540c\u3058\u3067 <span style=\"font-family: 'courier new', courier, monospace;\">SelfDelete()<\/span> \u3068\u540d\u3065\u3051\u3089\u308c\u3066\u3044\u307e\u3059\u3002\u307e\u305f\u3001\u56f3 25 \u3068\u56f3 26 \u306b\u793a\u3057\u305f\u6a5f\u80fd\u3092\u4f7f\u3044\u3001<span style=\"font-family: 'courier new', courier, monospace;\">%TEMP%<\/span> \u306b <span style=\"font-family: 'courier new', courier, monospace;\">remover.bat<\/span> \u3068\u3044\u3046\u30d0\u30c3\u30c1\u30d5\u30a1\u30a4\u30eb\u3092\u66f8\u304d\u8fbc\u3093\u3067\u5b9f\u884c\u3059\u308b\u3053\u3068\u3067\u3001\u81ea\u5206\u81ea\u8eab\u3092\u524a\u9664\u3057\u3066\u3044\u308b\u70b9\u3082\u5171\u901a\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<figure id=\"attachment_131062\" aria-describedby=\"caption-attachment-131062\" style=\"width: 651px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-131062 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/11\/word-image-131008-25.png\" alt=\"\u753b\u50cf 25 \u306f\u3001MultiLayer \u306e SelfDelete \u95a2\u6570\u3092\u5b9a\u7fa9\u3059\u308b\u30b3\u30fc\u30c9\u306e\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3067\u3059\u3002\" width=\"651\" height=\"435\" \/><figcaption id=\"caption-attachment-131062\" class=\"wp-caption-text\">\u56f3 25. 
MultiLayer's <span style=\"font-family: 'courier new', courier, monospace;\">SelfDelete()<\/span> function<\/figcaption><\/figure>\n<figure id=\"attachment_131064\" aria-describedby=\"caption-attachment-131064\" style=\"width: 572px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-131064 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/11\/word-image-131008-26.png\" alt=\"Image 26 is a screenshot of a code snippet from IPsec Helper. Three different sections of the code are highlighted.\" width=\"572\" height=\"513\" \/><figcaption id=\"caption-attachment-131064\" class=\"wp-caption-text\">Figure 26. Code snippet from IPsec Helper. Source: Figure 20 of the SentinelLabs report <a href=\"https:\/\/assets.sentinelone.com\/sentinellabs\/evol-agrius\" target=\"_blank\" rel=\"noopener\">From Wiper to Ransomware: The Evolution of Agrius<\/a><\/figcaption><\/figure>\n<p><strong>Overlap example 2: directory listing implementation<\/strong><\/p>\n<p>MultiList's recursive directory listing mechanism is implemented in the same way as in Fantasy and Apostle. These tools use a function with the same name, <span style=\"font-family: 'courier new', courier, monospace;\">GetSubDirectoryFileListRecusrive<\/span>.<\/p>\n<p>Each of these tools also calls <span style=\"font-family: 'courier new', courier, monospace;\">GetSubDirectoryFileListRecusrive()<\/span> and <span style=\"font-family: 'courier new', courier, monospace;\">GetDirectoryFileList()<\/span>, and <span style=\"font-family: 'courier new', courier, monospace;\">GetSubDirectoryFileListRecusrive()<\/span> is invoked recursively, as the code snippets in Figures 27 and 28 show.<\/p>\n<figure id=\"attachment_131066\" aria-describedby=\"caption-attachment-131066\" style=\"width: 881px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-131066 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/11\/word-image-131008-27.png\" alt=\"Image 27 is a screenshot of the code that defines MultiList's recursive directory listing.\" width=\"881\" height=\"288\" \/><figcaption id=\"caption-attachment-131066\" class=\"wp-caption-text\">Figure 27. MultiList's recursive directory listing<\/figcaption><\/figure>\n<figure id=\"attachment_131068\" aria-describedby=\"caption-attachment-131068\" style=\"width: 777px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-131068 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/11\/word-image-131008-28.png\" alt=\"Image 28 is a screenshot of the code that defines Fantasy's recursive directory listing.\" width=\"777\" height=\"560\" \/><figcaption id=\"caption-attachment-131068\" class=\"wp-caption-text\">Figure 28. Fantasy's recursive directory listing. Source: Figure 6 of the <a href=\"https:\/\/www.eset.com\/hk\/about\/newsroom\/press-releases\/news\/fantasy-a-new-agrius-wiper-deployed-through-a-supply-chain-attack0\/\" target=\"_blank\" rel=\"noopener\">ESET<\/a> blog post Fantasy \u2013 a new Agrius wiper deployed through a supply\u2011chain attack<\/figcaption><\/figure>\n<h4><a id=\"post-131138-_47rv8zv8mxgz\"><\/a>PartialWasher wiper<\/h4>\n<p>During this attack, the attackers attempted to use a second wiper called PartialWasher, or PW. Figure 29 shows that it was compiled on Oct. 8. Unlike the other .NET wipers described in this article, it is written in C++.<\/p>\n<figure id=\"attachment_131070\" aria-describedby=\"caption-attachment-131070\" style=\"width: 568px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-131070 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/11\/word-image-131008-29.png\" alt=\"Image 29 is a screenshot of PartialWasher's timestamp. Compiler-stamp. 0x652218A2. Sun Oct 8 02:29:06 2023 | UTC.\" width=\"568\" height=\"21\" \/><figcaption id=\"caption-attachment-131070\" class=\"wp-caption-text\">Figure 29. PartialWasher's compilation timestamp<\/figcaption><\/figure>\n<p>PartialWasher defines itself as a critical process by calling <span style=\"font-family: 'courier new', courier, monospace;\"><a href=\"https:\/\/learn.microsoft.com\/ja-jp\/windows\/win32\/api\/processthreadsapi\/nf-processthreadsapi-setprocessinformation\" target=\"_blank\" rel=\"noopener\">NtSetInformationProcess<\/a><\/span>. PartialWasher supports command-line arguments. When no argument is given, the default functionality is the wiper functionality.<\/p>\n<p>When <span style=\"font-family: 'courier new', courier, monospace;\">1<\/span> is passed as the argument, the attacker gets an interactive command-line interface (CLI). The text of this interface contains several typos, which suggests that the author is most likely not a native English speaker.<\/p>\n<p>Figure 30 shows an example of the argument <span style=\"font-family: 'courier new', courier, monospace;\">S \/p<\/span> being passed. This starts the malware and collects information about the drives available on the infected machine.<\/p>\n<figure id=\"attachment_131072\" aria-describedby=\"caption-attachment-131072\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-131072 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/11\/word-image-131008-30.png\" alt=\"Image 30 is a screenshot of PartialWasher code with the typos highlighted. The typos include 'Operation' and 'successy'.\" width=\"900\" height=\"408\" \/><figcaption id=\"caption-attachment-131072\" class=\"wp-caption-text\">Figure 30. PartialWasher's CLI and typos (outlined in red)<\/figcaption><\/figure>\n<p>The commands supported here indicate further capabilities of this wiper, which performs individual wipe tasks on demand from the operator. These commands include the following:<\/p>\n<ul>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">S<\/span> - Scans the drives and retrieves information about them, depending on the second argument given\n<ul>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">\/a<\/span> - Retrieves all drive information and partition details<\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">\/p<\/span> - Retrieves drive information only<\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">\/v<\/span> - Retrieves partition details only<\/li>\n<\/ul>\n<\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">D<\/span> - Writes roughly 420 MB of binary data to the given device number, presumably to render the drive unusable<\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">F<\/span> - Wipes the files in the specified folder and its subfolders (if the target files are not empty)<\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">I<\/span> - Wipes the specified file (if the target file is not empty)<\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">W<\/span> - Changes the file attributes and wipes the file<\/li>\n<\/ul>\n<p>The attempt to execute PartialWasher was blocked by Cortex XDR (Figure 31).<\/p>\n<figure id=\"attachment_131074\" aria-describedby=\"caption-attachment-131074\" style=\"width: 428px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-131074 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/11\/word-image-131008-31.png\" alt=\"Image 31 is a screenshot of a Cortex XDR alert. User information has been redacted. The alert carries a red warning symbol. It also includes Severity (High), Action and Description information.\" width=\"428\" height=\"293\" \/><figcaption id=\"caption-attachment-131074\" class=\"wp-caption-text\">Figure 31. PartialWasher was detected and blocked by Cortex XDR<\/figcaption><\/figure>\n<h4><a id=\"post-131138-_r62clqx2x6n6\"><\/a>BFG Agonizer wiper<\/h4>\n<h5><a id=\"post-131138-_6zwprz8it8uq\"><\/a>BFG Agonizer<\/h5>\n<p>The third wiper the attackers used is called BFG Agonizer (<span style=\"font-family: 'courier new', courier, monospace;\">bfg.exe<\/span>), according to its PDB path (<span style=\"font-family: 'courier new', courier, monospace;\">E:\\tools2\\BFG agonizer\\INFECTOR\\Dropper\\Dropper\\Release\\Dropper.pdb<\/span>). The file's metadata indicates that it was compiled on Oct. 8, as shown in Figure 32.<\/p>\n<figure id=\"attachment_131076\" aria-describedby=\"caption-attachment-131076\" style=\"width: 513px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-131076 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/11\/word-image-131008-32.png\" alt=\"Image 32 is a screenshot of BFG Agonizer's compilation timestamp. The two lines are the stamp and the file name.\" width=\"513\" height=\"43\" \/><figcaption id=\"caption-attachment-131076\" class=\"wp-caption-text\">Figure 32. BFG Agonizer's compilation timestamp<\/figcaption><\/figure>\n<p>It is worth noting that there are many code similarities between BFG Agonizer and an open-source project hosted on GitHub called CRYLINE-v5.0. We assess that the authors of BFG copied this public code, or at least relied heavily on it.<\/p>\n<p>This wiper attempts to evade any security controls that might be present on the infected endpoint before starting its wiping activity. To that end, it implements several anti-hooking techniques that had not previously been reported for this group, which suggests a further improvement in their capabilities.<\/p>\n<p>The following sections list the anti-hooking functions that BFG executes before running its main payload.<\/p>\n<h5><a id=\"post-131138-_ed5xtdvh7v9q\"><\/a>DLL unhooking<\/h5>\n<p>Various security solutions implement user-mode <a href=\"https:\/\/www.malwaretech.com\/2015\/01\/inline-hooking-for-programmers-part-1.html\" target=\"_blank\" rel=\"noopener\">inline hooks<\/a>. DLL unhooking is an anti-hooking technique that attempts to remove these inline hooks. It works by restoring the bytes of the hooked function to their original on-disk values. The technique is well known, and the author of this wiper appears to have largely adopted <a href=\"https:\/\/www.ired.team\/offensive-security\/defense-evasion\/how-to-unhook-a-dll-using-c++\" target=\"_blank\" rel=\"noopener\">publicly available code<\/a> such as this.<\/p>\n<h5><a id=\"post-131138-_ujmll29d790a\"><\/a>Import Address Table (IAT) unhooking<\/h5>\n<p>Various security solutions implement user-mode <a href=\"https:\/\/www.ired.team\/offensive-security\/code-injection-process-injection\/import-adress-table-iat-hooking\" target=\"_blank\" rel=\"noopener\"> IAT hooks<\/a>. IAT unhooking is an anti-hooking technique that attempts to remove these hooks. Judging from the wiper's code, the author appears to have largely adopted snippets of <a href=\"https:\/\/alice.climent-pommeret.red\/posts\/how-and-why-to-unhook-the-import-address-table\/\" target=\"_blank\" rel=\"noopener\">publicly available IAT unhooking code<\/a>.<\/p>\n<h5><a id=\"post-131138-_oqb6vt6gn3c1\"><\/a>Boot sector wiping<\/h5>\n<p>To wipe the boot sector, the wiper obtains a device handle to <span style=\"font-family: 'courier new', courier, monospace;\">\\\\.\\PhysicalDrive0<\/span> (Figure 33). It then calls <span style=\"font-family: 'courier new', courier, monospace;\">DeviceIoControl<\/span> with the control code <span style=\"font-family: 'courier new', courier, monospace;\"><a href=\"https:\/\/learn.microsoft.com\/ja-jp\/windows\/win32\/api\/winioctl\/ni-winioctl-ioctl_disk_get_partition_info\" target=\"_blank\" rel=\"noopener\">IOCTL_DISK_GET_PARTITION_INFO<\/a><\/span> to retrieve the partition style.<\/p>\n<figure id=\"attachment_131078\" aria-describedby=\"caption-attachment-131078\" style=\"width: 796px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-131078 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/11\/word-image-131008-33.png\" alt=\"Image 33 is a screenshot of the code that lets BFG obtain a device handle.\" width=\"796\" height=\"157\" \/><figcaption id=\"caption-attachment-131078\" class=\"wp-caption-text\">Figure 33. BFG obtains a device handle to <span style=\"font-family: 'courier new', courier, monospace;\">\\\\.\\PhysicalDrive0<\/span><\/figcaption><\/figure>\n<p>If the partition style is <a href=\"https:\/\/www.howtogeek.com\/193669\/whats-the-difference-between-gpt-and-mbr-when-partitioning-a-drive\/\" target=\"_blank\" rel=\"noopener\">Master Boot Record (MBR) or GUID Partition Table (GPT)<\/a>, it then infects the first six sectors (Figure 34).<\/p>\n<figure id=\"attachment_131080\" aria-describedby=\"caption-attachment-131080\" style=\"width: 580px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-131080 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/11\/word-image-131008-34.png\" alt=\"Image 34 is a screenshot of the code that lets BFG overwrite the boot sector.\" width=\"580\" height=\"436\" \/><figcaption id=\"caption-attachment-131080\" class=\"wp-caption-text\">Figure 34. BFG overwrites the boot sector<\/figcaption><\/figure>\n<p>Finally, after infecting those sectors, the wiper sets its privilege to <span style=\"font-family: 'courier new', courier, monospace;\">SeShutdownPrivilege<\/span> and calls the native API <span style=\"font-family: 'courier new', courier, monospace;\"><a href=\"https:\/\/undocumented.ntinternals.net\/index.html?page=UserMode%2FUndocumented%20Functions%2FError%2FNtRaiseHardError.html\" target=\"_blank\" rel=\"noopener\">NtRaiseHardError<\/a><\/span>. This call triggers a blue screen of death (<a href=\"https:\/\/ja.wikipedia.org\/wiki\/%E3%83%96%E3%83%AB%E3%83%BC%E3%82%B9%E3%82%AF%E3%83%AA%E3%83%BC%E3%83%B3\" target=\"_blank\" rel=\"noopener\">BSOD<\/a>) on the system with error code <span style=\"font-family: 'courier new', courier, monospace;\">0xC0000420<\/span>. The system crashes and can no longer reboot (see Figure 35).<\/p>\n<figure id=\"attachment_131082\" aria-describedby=\"caption-attachment-131082\" style=\"width: 439px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-131082 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/11\/word-image-131008-35.png\" alt=\"Image 35 is a screenshot of the code with which BFG triggers a blue screen (BSOD) on the system.\" width=\"439\" height=\"125\" \/><figcaption id=\"caption-attachment-131082\" class=\"wp-caption-text\">Figure 35. BFG triggers a BSOD (blue screen of death) on the system after destroying the boot sector<\/figcaption><\/figure>\n<p>The attempt to execute the BFG Agonizer wiper was blocked by Cortex XDR (Figure 36 below).<\/p>\n<figure id=\"attachment_131084\" aria-describedby=\"caption-attachment-131084\" style=\"width: 464px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-131084 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/11\/word-image-131008-36.png\" alt=\"Image 36 is a screenshot of a Cortex XDR alert. User information has been redacted. The alert carries a red warning symbol. It also includes Tags, Severity (Medium), Action and Description information.\" width=\"464\" height=\"315\" \/><figcaption id=\"caption-attachment-131084\" class=\"wp-caption-text\">Figure 36. Execution of the BFG Agonizer wiper was blocked by the Cortex XDR platform<\/figcaption><\/figure>\n<h2><a id=\"post-131138-_b8krt4nregls\"><\/a>EDR evasion attempts<\/h2>\n<p>During this attack, the group made particular efforts to evade EDR solutions, aiming to keep the attack uninterrupted and to increase its stealth; these attempts were blocked by the Cortex XDR platform. One interesting point is that the group tried multiple tools and techniques, moving on to yet another tool or technique whenever one failed.<\/p>\n<p>Most of these techniques are known and well documented, but the group had not used them in any previously publicly reported attack. This may indicate that the group's approach is becoming more sophisticated and more aggressive.<\/p>\n<p>The following sections describe some of the EDR evasion tools and techniques the group used, in the order they were used.<\/p>\n<h3><a id=\"post-131138-_kpb7q4pu4d59\"><\/a>Evasion by manipulating EDR service dependencies<\/h3>\n<p>The threat actor attempted the first EDR evasion technique on Oct. 6. At that time, they tried to manipulate the auto-start capability of the Cortex XDR service. Using already-obtained administrator privileges, they attempted to modify the services Cortex XDR depends on so that it could not auto-start at system boot.<\/p>\n<p>Figure 37 shows how these attempts were blocked. The attackers then moved on to abusing the <a href=\"https:\/\/cybernews.com\/security\/bring-your-own-vulnerable-driver-attack\/\" target=\"_blank\" rel=\"noopener\">Bring Your Own Vulnerable Driver (BYOVD)<\/a> technique with a custom tool.<\/p>\n<figure id=\"attachment_131086\" aria-describedby=\"caption-attachment-131086\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-131086 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/11\/word-image-131008-37.png\" alt=\"Image 37 is a screenshot of a Cortex XDR alert. User information has been redacted. The alert carries a red warning symbol. It also includes Tags, Severity (Medium), Action and Description information. A file path is also included.\" width=\"900\" height=\"428\" \/><figcaption id=\"caption-attachment-131086\" class=\"wp-caption-text\">Figure 37. Cortex XDR prevents the manipulation of the service registry<\/figcaption><\/figure>\n<h3><a id=\"post-131138-_xi59rib1k4fi\"><\/a>DrvIX: a custom BYOVD loader<\/h3>\n<p>The first custom tool the attackers used was a binary named <span style=\"font-family: 'courier new', courier, monospace;\">agmt.exe<\/span>, which was compiled on Oct. 7. According to its PDB path (<span style=\"font-family: 'courier new', courier, monospace;\">C:\\Users\\dude\\source\\repos\\drvix\\x64\\Release\\drvix.pdb<\/span>), the tool's original name appears to be drvIX (see Figure 38).<\/p>\n<figure id=\"attachment_131088\" aria-describedby=\"caption-attachment-131088\" style=\"width: 429px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-131088 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/11\/word-image-131008-38.png\" alt=\"Image 38 is a screenshot of agmt.exe's PDB path and compilation timestamp. The two lines are the stamp and the file name.\" width=\"429\" height=\"43\" \/><figcaption id=\"caption-attachment-131088\" class=\"wp-caption-text\">Figure 38. agmt.exe's PDB path and compilation date<\/figcaption><\/figure>\n<p>However, according to the binary's help function shown in Figure 39, the name is Drvtopia.<\/p>\n<figure id=\"attachment_131090\" aria-describedby=\"caption-attachment-131090\" style=\"width: 771px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-131090 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/11\/word-image-131008-39.png\" alt=\"Image 39 is a screenshot of code containing a help section that refers to DRVtopia.\" width=\"771\" height=\"78\" \/><figcaption id=\"caption-attachment-131090\" class=\"wp-caption-text\">Figure 39. DrvIX's help section refers to Drvtopia<\/figcaption><\/figure>\n<p><span style=\"font-family: 'courier new', courier, monospace;\">agmt.exe<\/span> is a custom loader\/operator for <span style=\"font-family: 'courier new', courier, monospace;\">gmer64.sys<\/span> (renamed to <span style=\"font-family: 'courier new', courier, monospace;\">AGMT.sys<\/span>), the driver of <a href=\"https:\/\/www.gmer.net\/\" target=\"_blank\" rel=\"noopener\">GMER<\/a>. GMER's original purpose is to detect and remove rootkits, but attackers can also use it to remove security products. With <span style=\"font-family: 'courier new', courier, monospace;\">agmt.exe<\/span>, the attacker can specify, via the command line, the PID of the process to terminate.<\/p>\n<p><span style=\"font-family: 'courier new', courier, monospace;\">agmt.exe<\/span> first registers the new kernel driver (<span style=\"font-family: 'courier new', courier, monospace;\">agmt.sys<\/span>) as a service named AGMT for GMER and starts the service. The service then has the operating system's kernel load the driver.<\/p>\n<p>To communicate with GMER's process-termination capability and abuse it, <span style=\"font-family: 'courier new', courier, monospace;\">agmt.exe<\/span> obtains a device handle to GMER's device object (Figure 40).<\/p>\n<figure id=\"attachment_131092\" aria-describedby=\"caption-attachment-131092\" style=\"width: 541px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-131092 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/11\/word-image-131008-40.png\" alt=\"Image 40 is a screenshot of the code that opens a handle to the GMER device object.\" width=\"541\" height=\"110\" \/><figcaption id=\"caption-attachment-131092\" class=\"wp-caption-text\">Figure 40. <span style=\"font-family: 'courier new', courier, monospace;\">agmt.exe<\/span> opens a handle to the GMER device object<\/figcaption><\/figure>\n<p>Next, <span style=\"font-family: 'courier new', courier, monospace;\">agmt.exe<\/span> uses the <span style=\"font-family: 'courier new', courier, monospace;\"><a href=\"https:\/\/learn.microsoft.com\/ja-jp\/windows\/win32\/api\/ioapiset\/nf-ioapiset-deviceiocontrol\" target=\"_blank\" rel=\"noopener\">DeviceIoControl<\/a><\/span> Windows API with control code <span style=\"font-family: 'courier new', courier, monospace;\">0x9876C094<\/span>, passing the target PID in the <span style=\"font-family: 'courier new', courier, monospace;\">Input_Buffer<\/span> parameter at call time (see Figure 41).<\/p>\n<figure id=\"attachment_131094\" aria-describedby=\"caption-attachment-131094\" style=\"width: 670px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-131094 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/11\/word-image-131008-41.png\" alt=\"Image 41 is a screenshot of the code that communicates with the GMER driver to terminate a process.\" width=\"670\" height=\"173\" \/><figcaption id=\"caption-attachment-131094\" class=\"wp-caption-text\">Figure 41. 
<span style=\"font-family: 'courier new', courier, monospace;\">agmt.exe<\/span> \u304c\u30d7\u30ed\u30bb\u30b9\u306e\u7d42\u4e86\u306e\u305f\u3081\u306b GMER \u30c9\u30e9\u30a4\u30d0\u30fc\u3068\u901a\u4fe1<\/figcaption><\/figure>\n<p><span style=\"font-family: 'courier new', courier, monospace;\"><a href=\"https:\/\/learn.microsoft.com\/ja-jp\/windows\/win32\/devio\/calling-deviceiocontrol\" target=\"_blank\" rel=\"noopener\">DeviceIoControl<\/a><\/span> \u3092\u4f7f\u3046\u3068\u3001\u30e6\u30fc\u30b6\u30fc \u30e2\u30fc\u30c9 \u30d7\u30ed\u30bb\u30b9\u304c\u30ab\u30fc\u30cd\u30eb \u30c9\u30e9\u30a4\u30d0\u30fc\u3068\u76f4\u63a5\u901a\u4fe1\u3067\u304d\u308b\u3088\u3046\u306b\u306a\u308a\u307e\u3059\u3002\u3053\u308c\u306b\u3088\u308a\u3001\u305d\u308c\u3089\u306e\u30d7\u30ed\u30bb\u30b9\u306f\u3001\u30ab\u30fc\u30cd\u30eb \u30c9\u30e9\u30a4\u30d0\u30fc\u306b\u7279\u5b9a\u306e\u30aa\u30da\u30ec\u30fc\u30b7\u30e7\u30f3\u3092\u63d0\u4f9b\u3059\u308b\u3088\u3046\u8981\u6c42\u3067\u304d\u307e\u3059\u3002<\/p>\n<p><span style=\"font-family: 'courier new', courier, monospace;\">agmt.exe<\/span> \u306e\u5834\u5408\u3001<span style=\"font-family: 'courier new', courier, monospace;\">DeviceIoControl<\/span> API \u306e\u547c\u3073\u51fa\u3057\u306f\u3001GMER \u30c9\u30e9\u30a4\u30d0\u30fc\u306b\u3001\u30d7\u30ed\u30bb\u30b9\u7d42\u4e86\u306e\u30aa\u30da\u30ec\u30fc\u30b7\u30e7\u30f3\u3092\u30c8\u30ea\u30ac\u30fc\u3055\u305b\u307e\u3059\u3002GMER \u30c9\u30e9\u30a4\u30d0\u30fc\u3092\u8abf\u3079\u3066\u307f\u308b\u3068\u3001<span style=\"font-family: 'courier new', courier, monospace;\">0x9876C094<\/span> \u3068\u3044\u3046\u5236\u5fa1\u30b3\u30fc\u30c9\u306e\u6a5f\u80fd\u306f\u3001PID \u3067\u63d0\u4f9b\u3057\u305f\u5bfe\u8c61\u30d7\u30ed\u30bb\u30b9\u306e\u7d42\u4e86\u3067\u3042\u308b\u3053\u3068\u304c\u308f\u304b\u308a\u307e\u3059 (\u56f3 44)\u3002<\/p>\n<figure id=\"attachment_131096\" aria-describedby=\"caption-attachment-131096\" style=\"width: 293px\" 
class=\"wp-caption aligncenter\"><img  class=\"wp-image-131096 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/11\/word-image-131008-42.png\" alt=\"\u753b\u50cf 42 \u306f\u3001\u5236\u5fa1\u30b3\u30fc\u30c9\u306e\u6a5f\u80fd\u3092\u8868\u3059\u30b3\u30fc\u30c9\u306e\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3067\u3059\u3002 \" width=\"293\" height=\"154\" \/><figcaption id=\"caption-attachment-131096\" class=\"wp-caption-text\">\u56f3 42. GMER \u306e <span style=\"font-family: 'courier new', courier, monospace;\">0x9876C094<\/span> \u5236\u5fa1\u30b3\u30fc\u30c9\u306e\u6a5f\u80fd<\/figcaption><\/figure>\n<p>\u3053\u306e\u95a2\u6570\u306f\u3001<span style=\"font-family: 'courier new', courier, monospace;\"><a href=\"https:\/\/learn.microsoft.com\/ja-jp\/windows-hardware\/drivers\/ddi\/ntddk\/nf-ntddk-zwopenprocess\" target=\"_blank\" rel=\"noopener\">ZwOpenProcess<\/a><\/span> \u3092\u4f7f\u3063\u3066\u5bfe\u8c61\u30d7\u30ed\u30bb\u30b9\u306e PID \u3078\u306e\u30cf\u30f3\u30c9\u30eb\u3092\u30aa\u30fc\u30d7\u30f3\u3057\u3001\u305d\u306e\u5f8c <span style=\"font-family: 'courier new', courier, monospace;\"><a href=\"https:\/\/learn.microsoft.com\/ja-jp\/windows-hardware\/drivers\/ddi\/ntddk\/nf-ntddk-zwterminateprocess\" target=\"_blank\" rel=\"noopener\">ZwTerminateProcess<\/a><\/span> \u3092\u547c\u3073\u51fa\u3057\u3066\u3001\u5bfe\u8c61\u30d7\u30ed\u30bb\u30b9\u3092\u7d42\u4e86\u3057\u307e\u3059\u3002<\/p>\n<p>\u3053\u306e GMER \u30c9\u30e9\u30a4\u30d0\u30fc\u5229\u7528\u306e\u8a66\u307f\u306f\u5931\u6557\u3057\u3066\u3044\u307e\u3059 (\u56f3 43)\u3002<\/p>\n<figure id=\"attachment_131098\" aria-describedby=\"caption-attachment-131098\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-131098 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/11\/word-image-131008-43.png\" alt=\"\u753b\u50cf 43 \u306f Cortex XDR 
\u306b\u3088\u308b\u60c5\u5831\u306e\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3067\u3059\u3002\u3053\u306e\u56f3\u306b\u306f\u3001Source (XDR Agent)\u3001Category (Malware)\u3001Tags\u3001Module (Behavioral Threat Protection)\u3001Severity (High)\u3001Description\u3001Action \u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3059\u3002\" width=\"900\" height=\"107\" \/><figcaption id=\"caption-attachment-131098\" class=\"wp-caption-text\">\u56f3 43. GMER \u30c9\u30e9\u30a4\u30d0\u30fc\u306e\u30ed\u30fc\u30c9\u306f Cortex XDR \u30d7\u30e9\u30c3\u30c8\u30d5\u30a9\u30fc\u30e0\u306b\u3088\u308a\u30d6\u30ed\u30c3\u30af\u3055\u308c\u305f<\/figcaption><\/figure>\n<h3><a id=\"post-131138-_wq92bkcmcwwa\"><\/a>2 \u3064\u3081\u306e\u8106\u5f31\u306a\u30c9\u30e9\u30a4\u30d0\u30fc\u3092\u8a66\u3059 (Rentdrv2 \u30c9\u30e9\u30a4\u30d0\u30fc)<\/h3>\n<p>GMER \u30c9\u30e9\u30a4\u30d0\u30fc\u60aa\u7528\u306e\u8a66\u307f\u304c\u5931\u6557\u3057\u305f\u305f\u3081\u3001\u653b\u6483\u8005\u306f drvIX \u30c4\u30fc\u30eb\u3067\u306e\u6b66\u88c5\u3092\u8a66\u307f\u307e\u3057\u305f\u3002\u5f7c\u3089\u306f\u3001\u65b0\u3057\u304f\u4e00\u822c\u516c\u958b\u3055\u308c\u305f <a href=\"https:\/\/github.com\/keowu\/BadRentdrv2\/tree\/main\" target=\"_blank\" rel=\"noopener\">BadRentdrv2<\/a>\u3068\u3044\u3046\u540d\u524d\u306e Poc \u30c4\u30fc\u30eb\u304b\u3089\u3001\u307e\u305f\u3079\u3064\u306e\u8106\u5f31\u306a\u30c9\u30e9\u30a4\u30d0\u30fc\u3092\u4f7f\u3063\u3066\u3044\u307e\u3057\u305f\u3002\u3053\u308c\u306f 2023 \u5e74 10 \u6708\u4e0a\u65ec\u306b\u521d\u3081\u3066\u516c\u958b\u3055\u308c\u305f\u3082\u306e\u3067\u3059\u3002<\/p>\n<p>\u56f3 44 \u306b\u793a\u3057\u305f\u3088\u3046\u306b\u3001\u3053\u306e\u653b\u6483\u8005\u306f\u3053\u306e\u30d7\u30ed\u30b8\u30a7\u30af\u30c8\u3092\u4f7f\u3044\u3001\u6539\u5909\u30d0\u30fc\u30b8\u30e7\u30f3\u306e\u30c4\u30fc\u30eb\u3092\u7fcc\u65e5 10 \u6708 8 
\u65e5\u306b\u30b3\u30f3\u30d1\u30a4\u30eb\u3057\u3066\u3044\u307e\u3057\u305f\u3002\u4eca\u56de\u306f\u3001\u30d0\u30a4\u30ca\u30ea\u30fc\u306e\u5143\u306e\u540d\u524d\u3067\u3042\u308b <span style=\"font-family: 'courier new', courier, monospace;\">drvIX.exe<\/span> \u306f\u5909\u66f4\u3055\u308c\u307e\u305b\u3093\u3067\u3057\u305f\u3002<\/p>\n<figure id=\"attachment_131100\" aria-describedby=\"caption-attachment-131100\" style=\"width: 427px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-131100 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/11\/word-image-131008-44.png\" alt=\"\u753b\u50cf 44 \u306f\u3001\u3053\u306e PDB \u30d1\u30b9\u3068 drvIX.exe \u306e\u30b3\u30f3\u30d1\u30a4\u30eb\u306e\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3067\u3059\u3002\u3053\u3053\u306b\u306f\u30bf\u30a4\u30e0\u30b9\u30bf\u30f3\u30d7\u3068\u30d5\u30a1\u30a4\u30eb\u540d\u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3059\u3002 \" width=\"427\" height=\"43\" \/><figcaption id=\"caption-attachment-131100\" class=\"wp-caption-text\">\u56f3 44. 
<span style=\"font-family: 'courier new', courier, monospace;\">drvIX.exe<\/span> \u306e PDB \u30d1\u30b9\u3068\u30b3\u30f3\u30d1\u30a4\u30eb\u306e\u30bf\u30a4\u30e0\u30b9\u30bf\u30f3\u30d7<\/figcaption><\/figure>\n<p>\u30c9\u30e9\u30a4\u30d0\u30fc\u306e\u30ed\u30fc\u30c9\u3059\u308b\u30b3\u30fc\u30c9\u306f\u3001\u524d\u8ff0\u306e drvIX \u30d0\u30fc\u30b8\u30e7\u30f3\u3068\u307b\u307c\u540c\u3058\u3067\u3059\u3002\u540c\u69d8\u306b\u3001<span style=\"font-family: 'courier new', courier, monospace;\">drvIX.exe<\/span> \u306f\u3001\u653b\u6483\u8005\u304c\u30b3\u30de\u30f3\u30c9\u30e9\u30a4\u30f3\u7d4c\u7531\u3067\u7d42\u4e86\u3055\u305b\u305f\u3044\u30d7\u30ed\u30bb\u30b9\u306e PID \u3092\u53d7\u3051\u53d6\u308a\u307e\u3059\u3002<\/p>\n<p>DrvIX \u306f\u3001\u30c7\u30d0\u30a4\u30b9 \u30aa\u30d6\u30b8\u30a7\u30af\u30c8\u3078\u306e\u30c7\u30d0\u30a4\u30b9 \u30cf\u30f3\u30c9\u30eb\u3092\u53d6\u5f97\u3057\u3001<span style=\"font-family: 'courier new', courier, monospace;\">DeviceIoControl<\/span> \u7d4c\u7531\u3067 Rentdrv2 \u30c9\u30e9\u30a4\u30d0\u30fc\u3068\u901a\u4fe1\u3057\u307e\u3059\u3002\u6b21\u306b DrvIX \u306f\u3001\u5bfe\u8c61 PID \u3092\u69cb\u9020\u4f53\u5185\u306b\u6307\u5b9a\u3057\u3066<span style=\"font-family: 'courier new', courier, monospace;\">Input_Buffer<\/span> \u3068\u3057\u3066\u9001\u4fe1\u3057\u3001\u5236\u5fa1\u30b3\u30fc\u30c9\u306b\u306f <span style=\"font-family: 'courier new', courier, monospace;\">0x22E010<\/span> \u3092\u6307\u5b9a\u3057\u307e\u3059 (\u56f3 45 \u53c2\u7167)\u3002<\/p>\n<figure id=\"attachment_131102\" aria-describedby=\"caption-attachment-131102\" style=\"width: 887px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-131102 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/11\/word-image-131008-45.png\" alt=\"\u753b\u50cf 45 \u306f\u3001DRVIX \u304c Rentdrv2 
\u3068\u901a\u4fe1\u3067\u304d\u308b\u3088\u3046\u306b\u3059\u308b\u30b3\u30fc\u30c9\u306e\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3067\u3059\u3002\" width=\"887\" height=\"259\" \/><figcaption id=\"caption-attachment-131102\" class=\"wp-caption-text\">\u56f3 45. DrvIX \u306f Rentdrv2 \u3068\u901a\u4fe1\u3059\u308b<\/figcaption><\/figure>\n<p>GMER \u30c9\u30e9\u30a4\u30d0\u30fc\u306e\u3068\u304d\u3068\u540c\u69d8\u306b\u3001<span style=\"font-family: 'courier new', courier, monospace;\">0x220E010<\/span> \u3068\u3044\u3046\u5236\u5fa1\u30b3\u30fc\u30c9\u306f\u3001PID \u306b\u3088\u3063\u3066\u63d0\u4f9b\u3055\u308c\u305f\u5bfe\u8c61\u30d7\u30ed\u30bb\u30b9\u3092\u7d42\u4e86\u3057\u307e\u3059 (\u56f3 46)\u3002<\/p>\n<figure id=\"attachment_131104\" aria-describedby=\"caption-attachment-131104\" style=\"width: 346px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-131104 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/11\/word-image-131008-46.png\" alt=\"\u753b\u50cf 46 \u306f\u3001Rentdrv2 \u306e\u5236\u5fa1\u30b3\u30fc\u30c9\u6a5f\u80fd\u3092\u53ef\u80fd\u306b\u3059\u308b\u30b3\u30fc\u30c9\u306e\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3067\u3059\u3002 \" width=\"346\" height=\"138\" \/><figcaption id=\"caption-attachment-131104\" class=\"wp-caption-text\">\u56f3 46. 
Rentdrv2 \u306e 0x22E010 \u5236\u5fa1\u30b3\u30fc\u30c9\u306e\u6a5f\u80fd<\/figcaption><\/figure>\n<p>\u3053\u306e\u95a2\u6570\u306f\u3001<span style=\"font-family: 'courier new', courier, monospace;\"><a href=\"https:\/\/learn.microsoft.com\/ja-jp\/windows-hardware\/drivers\/ddi\/ntddk\/nf-ntddk-zwopenprocess\" target=\"_blank\" rel=\"noopener\">ZwOpenProcess<\/a><\/span> \u3092\u4f7f\u3063\u3066\u5bfe\u8c61\u30d7\u30ed\u30bb\u30b9\u306e PID \u3078\u306e\u30cf\u30f3\u30c9\u30eb\u3092\u30aa\u30fc\u30d7\u30f3\u3057\u3001<span style=\"font-family: 'courier new', courier, monospace;\"><a href=\"https:\/\/learn.microsoft.com\/ja-jp\/windows-hardware\/drivers\/ddi\/ntddk\/nf-ntddk-zwterminateprocess\" target=\"_blank\" rel=\"noopener\">ZwTerminateProcess<\/a><\/span> \u3092\u547c\u3073\u51fa\u3057\u3066\u5bfe\u8c61\u30d7\u30ed\u30bb\u30b9\u3092\u7d42\u4e86\u3057\u307e\u3059\u3002<\/p>\n<p>\u56f3 47 \u306f\u3001\u3053\u306e\u8a66\u307f\u304c Cortex XDR \u30d7\u30e9\u30c3\u30c8\u30d5\u30a9\u30fc\u30e0\u306b\u3088\u3063\u3066\u30d6\u30ed\u30c3\u30af\u3055\u308c\u3001\u963b\u6b62\u3055\u308c\u305f\u3053\u3068\u3092\u793a\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<figure id=\"attachment_131106\" aria-describedby=\"caption-attachment-131106\" style=\"width: 600px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-131106 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/11\/word-image-131008-47.png\" alt=\"\u753b\u50cf 47 \u306f\u3001Cortex XDR \u304b\u3089\u306e\u60c5\u5831\u306e\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3067\u3059\u3002\u3053\u308c\u306b\u306f\u3001Tags\u3001Module (Behavioral Threat Protection)\u3001Severity (High)\u3001Description\u3001Action \u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3059\u3002\u4e00\u90e8\u306e\u60c5\u5831\u306f\u4f0f\u305b\u3089\u308c\u3066\u3044\u307e\u3059\u3002 \" width=\"600\" height=\"397\" \/><figcaption id=\"caption-attachment-131106\" class=\"wp-caption-text\">\u56f3 47. 
Cortex XDR \u30b5\u30fc\u30d3\u30b9\u3092\u7d42\u4e86\u3057\u3088\u3046\u3068\u3057\u305f\u304c\u9632\u6b62\u3055\u308c\u3066\u3044\u308b<\/figcaption><\/figure>\n<h2><a id=\"post-131138-_3wblh5hm1ss4\"><\/a>\u5e30\u5c5e<\/h2>\n<p>Unit 42 \u306e\u5e30\u5c5e\u30e2\u30c7\u30eb\u306b\u57fa\u3065\u3044\u3066\u3001\u79c1\u305f\u3061\u306f\u672c\u7a3f\u3067\u8aac\u660e\u3057\u305f\u653b\u6483\u306f\u30a4\u30e9\u30f3\u3068\u3064\u306a\u304c\u308a\u306e\u3042\u308b Agonizing Serpens APT \u30b0\u30eb\u30fc\u30d7\u306b\u3088\u3063\u3066\u5b9f\u884c\u3055\u308c\u305f\u3082\u306e\u3067\u3042\u308b\u3068\u9ad8\u3044\u78ba\u5ea6\u3067\u8a55\u4fa1\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<p>\u3053\u306e\u8a55\u4fa1\u306f\u3001\u6b21\u306e\u7406\u7531\u3068\u8a3c\u62e0\u306b\u57fa\u3065\u3044\u3066\u3044\u307e\u3059\u3002<\/p>\n<ul>\n<li><strong>\u30ef\u30a4\u30d1\u30fc\u5185\u306e\u8907\u6570\u306e\u30b3\u30fc\u30c9\u306e\u985e\u4f3c\u70b9:<\/strong> \u672c\u7a3f\u306e MultiLayer \u30ef\u30a4\u30d1\u30fc\u306e\u5206\u6790\u3067\u306f\u3001\u904e\u53bb\u306b\u6587\u66f8\u5316\u3055\u308c\u3066\u3044\u308b\u65e2\u77e5\u306e Agonizing Serpens \u306e\u30ef\u30a4\u30d1\u30fc (<a href=\"https:\/\/www.sentinelone.com\/labs\/new-version-of-apostle-ransomware-reemerges-in-targeted-attack-on-higher-education\/\" target=\"_blank\" rel=\"noopener\">Apostle<\/a>\u3068\u305d\u306e\u5f8c\u7d99\u3068\u306a\u308b <a href=\"https:\/\/www.welivesecurity.com\/2022\/12\/07\/fantasy-new-agrius-wiper-supply-chain-attack\/\" target=\"_blank\" rel=\"noopener\">Fantasy<\/a>\u3001\u304a\u3088\u3073 IPsec Helper \u30d0\u30c3\u30af\u30c9\u30a2) \u3068\u306e\u9593\u3067\u3001\u30b3\u30fc\u30c9\u3084\u547d\u540d\u898f\u5247\u306b\u304a\u3051\u308b\u8907\u6570\u306e\u985e\u4f3c\u70b9\u3092\u78ba\u8a8d\u3057\u3066\u3044\u307e\u3059\u3002<\/li>\n<li><strong>Web \u30b7\u30a7\u30eb\u306e\u30b3\u30fc\u30c9\u306e\u985e\u4f3c\u6027:<\/strong> 
\u3053\u306e\u653b\u6483\u8005\u306f\u3001\u30b5\u30f3\u30d7\u30eb\u3054\u3068\u306b\u7f6e\u304d\u63db\u3048\u3089\u308c\u308b\u5909\u6570\u540d\u3068\u95a2\u6570\u540d\u3092\u9664\u304d\u3001\u540c\u3058\u30b3\u30fc\u30c9\u304b\u3089\u306a\u308b Web \u30b7\u30a7\u30eb\u306e\u4e9c\u7a2e\u3092\u4f7f\u3063\u3066\u3044\u307e\u3057\u305f\u3002<\/li>\n<li><strong>\u653b\u6483\u306e\u7834\u58ca\u7684\u6027\u8cea:<\/strong> \u653b\u6483\u306e\u6700\u7d42\u30b9\u30c6\u30c3\u30d7\u3067\u306f\u3001\u30ab\u30b9\u30bf\u30e0 \u30ef\u30a4\u30d1\u30fc\u3092\u4f7f\u3063\u3066\u30a8\u30f3\u30c9\u30dd\u30a4\u30f3\u30c8\u3092\u4f7f\u7528\u4e0d\u80fd\u306b\u3057\u3001\u653b\u6483\u8005\u306e\u75d5\u8de1\u3092\u96a0\u3059\u300c\u7126\u571f\u300d\u30dd\u30ea\u30b7\u30fc\u304c\u5b9f\u88c5\u3055\u308c\u3066\u3044\u307e\u3059\u3002\u3053\u308c\u306f\u3001\u540c\u30b0\u30eb\u30fc\u30d7\u306e\u6d3b\u52d5\u306b\u95a2\u3059\u308b\u3053\u308c\u307e\u3067\u306e\u3059\u3079\u3066\u306e\u5831\u544a\u3068\u4e00\u81f4\u3057\u3066\u3044\u307e\u3059\u3002<\/li>\n<li><strong>\u30a4\u30b9\u30e9\u30a8\u30eb\u306e\u7d44\u7e54\u3092\u30bf\u30fc\u30b2\u30c3\u30c8\u306b\u3059\u308b:<\/strong> \u79c1\u305f\u3061\u306e\u30c6\u30ec\u30e1\u30c8\u30ea\u30fc\u3067\u306f\u3001\u653b\u6483\u306e\u5f71\u97ff\u3092\u53d7\u3051\u305f\u30a4\u30b9\u30e9\u30a8\u30eb\u4ee5\u5916\u306e\u7d44\u7e54\u306f\u691c\u51fa\u3057\u3066\u3044\u307e\u305b\u3093\u3002\u3053\u306e APT \u30b0\u30eb\u30fc\u30d7\u306f\u3068\u304f\u306b\u30a4\u30b9\u30e9\u30a8\u30eb\u306e\u7d44\u7e54\u3092\u30bf\u30fc\u30b2\u30c3\u30c8\u306b\u3057\u3066\u3044\u308b\u3088\u3046\u3067\u3059\u3002<\/li>\n<\/ul>\n<h2><a id=\"post-131138-_35isquanjx5r\"><\/a>\u7d50\u8ad6<\/h2>\n<p>\u672c\u7a3f\u306f\u3001\u30a4\u30e9\u30f3\u3068\u3064\u306a\u304c\u308a\u306e\u3042\u308b Agonizing Serpens APT 
\u30b0\u30eb\u30fc\u30d7\u306b\u3088\u3063\u3066\u5b9f\u884c\u3055\u308c\u305f\u6700\u8fd1\u306e\u7834\u58ca\u7684\u30ef\u30a4\u30d1\u30fc\u653b\u6483\u306e\u8a73\u7d30\u306a\u5206\u6790\u3092\u63d0\u4f9b\u3057\u307e\u3057\u305f\u3002\u3053\u306e\u653b\u6483\u306f\u3001\u30a4\u30b9\u30e9\u30a8\u30eb\u7d44\u7e54\u3092\u6a19\u7684\u3068\u3057\u305f\u5e83\u7bc4\u306a\u653b\u6483\u30ad\u30e3\u30f3\u30da\u30fc\u30f3\u306e\u4e00\u74b0\u3067\u3059\u3002\u5f0a\u793e\u306e\u30c6\u30ec\u30e1\u30c8\u30ea\u30fc\u306b\u3088\u308b\u3068\u3001\u6700\u3082\u6a19\u7684\u306b\u3055\u308c\u3066\u3044\u308b\u7d44\u7e54\u306f\u6559\u80b2\u30bb\u30af\u30bf\u30fc\u3068\u30c6\u30af\u30ce\u30ed\u30b8\u30fc\u30bb\u30af\u30bf\u30fc\u306b\u5c5e\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<p>\u79c1\u305f\u3061\u306e\u8abf\u67fb\u304b\u3089\u306f\u3001\u30b0\u30eb\u30fc\u30d7\u306e\u5175\u5668\u5eab\u306b\u65b0\u305f\u306b\u8ffd\u52a0\u3055\u308c\u305f\u3001\u3053\u308c\u307e\u3067\u6587\u66f8\u5316\u3055\u308c\u3066\u3044\u306a\u304b\u3063\u305f 3 \u3064\u306e\u30ef\u30a4\u30d1\u30fc \u30bb\u30c3\u30c8\u3068\u30c7\u30fc\u30bf\u30d9\u30fc\u30b9\u62bd\u51fa\u30c4\u30fc\u30eb\u304c\u767a\u898b\u3055\u308c\u307e\u3057\u305f\u3002\u3053\u308c\u3089\u306e\u65b0\u3057\u3044\u30ef\u30a4\u30d1\u30fc\u3092\u5206\u6790\u3059\u308b\u3068\u3001\u540c\u30b0\u30eb\u30fc\u30d7\u304c\u305d\u306e\u80fd\u529b\u3092\u9ad8\u3081\u3001\u30b9\u30c6\u30eb\u30b9\u6280\u8853\u3084\u56de\u907f\u6280\u8853\u306b\u91cd\u70b9\u3092\u7f6e\u3044\u3066\u3001EDR \u6280\u8853\u306a\u3069\u306e\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3 \u30bd\u30ea\u30e5\u30fc\u30b7\u30e7\u30f3\u306e\u56de\u907f\u3092\u56f3\u3063\u3066\u3044\u305f\u3053\u3068\u304c\u660e\u3089\u304b\u306b\u306a\u308a\u307e\u3057\u305f\u3002<\/p>\n<p>\u307e\u305f\u4eca\u56de\u306e\u8abf\u67fb\u3067\u306f\u3001Cortex XDR 
\u30d7\u30e9\u30c3\u30c8\u30d5\u30a9\u30fc\u30e0\u304c\u653b\u6483\u30e9\u30a4\u30d5\u30b5\u30a4\u30af\u30eb\u306e\u3055\u307e\u3056\u307e\u306a\u6bb5\u968e\u3092\u691c\u51fa\u30fb\u9632\u6b62\u53ef\u80fd\u3067\u3042\u308b\u3053\u3068\u3082\u793a\u3055\u308c\u307e\u3057\u305f\u3002<\/p>\n<h2><a id=\"post-131138-_ka1fluf0dtdv\"><\/a>\u4fdd\u8b77\u3068\u7de9\u548c\u7b56<\/h2>\n<p>\u30d1\u30ed\u30a2\u30eb\u30c8\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30b9\u306e\u304a\u5ba2\u69d8\u306f\u3001\u6700\u8fd1\u306e Agonizing Serpens \u30ad\u30e3\u30f3\u30da\u30fc\u30f3\u4e2d\u306b\u89b3\u6e2c\u3055\u308c\u305f\u3055\u307e\u3056\u307e\u306a\u30c4\u30fc\u30eb\u304b\u3089\u306e\u4fdd\u8b77\u3092\u53d7\u3051\u3066\u3044\u307e\u3059\u3002Cortex XDR \u3068 Cortex XSIAM \u30d7\u30e9\u30c3\u30c8\u30d5\u30a9\u30fc\u30e0\u306f\u3001\u524d\u30bb\u30af\u30b7\u30e7\u30f3\u306b\u542b\u307e\u308c\u308b\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3067\u8aac\u660e\u3057\u305f\u5b9f\u884c\u30d5\u30ed\u30fc\u3092\u691c\u51fa\u30fb\u963b\u6b62\u3057\u307e\u3059\u3002<\/p>\n<p>\u30d1\u30ed\u30a2\u30eb\u30c8\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30b9\u88fd\u54c1\u3092\u3054\u5229\u7528\u306e\u304a\u5ba2\u69d8\u306f\u3001\u5f0a\u793e\u306e\u88fd\u54c1\u30fb\u30b5\u30fc\u30d3\u30b9\u306b\u3088\u308a\u3001\u672c\u30b0\u30eb\u30fc\u30d7\u306b\u95a2\u9023\u3059\u308b\u4ee5\u4e0b\u306e\u5bfe\u7b56\u304c\u63d0\u4f9b\u3055\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n<p><a href=\"https:\/\/www.paloaltonetworks.jp\/cortex\/cortex-xdr\" target=\"_blank\" rel=\"noopener\">Cortex XDR<\/a> \u3068 XSIAM \u306f\u4ee5\u4e0b\u3092\u542b\u3080\u8907\u6570\u306e\u30c7\u30fc\u30bf \u30bd\u30fc\u30b9\u304b\u3089\u30e6\u30fc\u30b6\u30fc 
\u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3\u3092\u5206\u6790\u3059\u308b\u3053\u3068\u3067\u3001\u30e6\u30fc\u30b6\u30fc\u3084\u30af\u30ec\u30c7\u30f3\u30b7\u30e3\u30eb\u306b\u57fa\u3065\u304f\u8105\u5a01\u3092\u691c\u51fa\u3057\u307e\u3059\u3002<\/p>\n<ul>\n<li>\u30a8\u30f3\u30c9\u30dd\u30a4\u30f3\u30c8<\/li>\n<li>\u30cd\u30c3\u30c8\u30ef\u30fc\u30af \u30d5\u30a1\u30a4\u30a2\u30a6\u30a9\u30fc\u30eb<\/li>\n<li>Active Directory<\/li>\n<li>ID \u304a\u3088\u3073\u30a2\u30af\u30bb\u30b9\u7ba1\u7406 (IAM) \u30bd\u30ea\u30e5\u30fc\u30b7\u30e7\u30f3<\/li>\n<li>\u30af\u30e9\u30a6\u30c9 \u30ef\u30fc\u30af\u30ed\u30fc\u30c9<\/li>\n<\/ul>\n<p>Cortex XDR \u3068 XSIAM \u306f\u6a5f\u68b0\u5b66\u7fd2\u3092\u4f7f\u3063\u3066\u9577\u671f\u306b\u308f\u305f\u308b\u30e6\u30fc\u30b6\u30fc \u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3\u884c\u52d5\u30d7\u30ed\u30d5\u30a1\u30a4\u30eb\u3092\u69cb\u7bc9\u3057\u307e\u3059\u3002Cortex XDR \u3068 XSIAM \u306f\u3001\u904e\u53bb\u306e\u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3\u3084\u30d4\u30a2\u30fc \u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3\u3001\u671f\u5f85\u3055\u308c\u308b\u540c\u8005\u306e\u884c\u52d5\u3068\u65b0\u3057\u3044\u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3\u3068\u3092\u6bd4\u8f03\u3059\u308b\u3053\u3068\u306b\u3088\u308a\u3001\u30af\u30ec\u30c7\u30f3\u30b7\u30e3\u30eb \u30d9\u30fc\u30b9\u306e\u653b\u6483\u3092\u793a\u5506\u3059\u308b\u7570\u5e38\u306a\u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3\u3092\u691c\u51fa\u3057\u307e\u3059\u3002<\/p>\n<p>\u3055\u3089\u306b Cortex XDR \u3068 XSIAM \u306f\u3001\u672c\u7a3f\u3067\u53d6\u308a\u4e0a\u3052\u305f\u653b\u6483\u306b\u95a2\u9023\u3057\u3001\u4ee5\u4e0b\u306e\u4fdd\u8b77\u3082\u63d0\u4f9b\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<ul>\n<li>\u65e2\u77e5\u306e\u60aa\u610f\u306e\u3042\u308b\u30de\u30eb\u30a6\u30a7\u30a2\u306e\u5b9f\u884c\u3092\u9632\u6b62\u3059\u308b\u307b\u304b\u3001Local Analysis Module (\u30ed\u30fc\u30ab\u30eb\u5206\u6790\u30e2\u30b8\u30e5\u30fc\u30eb) 
\u306b\u3082\u3068\u3065\u304f\u6a5f\u68b0\u5b66\u7fd2\u3068 <a href=\"https:\/\/www.paloaltonetworks.jp\/network-security\/advanced-threat-prevention\" target=\"_blank\" rel=\"noopener\">Behavioral Threat Protection<\/a> \u306b\u3088\u3063\u3066\u672a\u77e5\u306e\u30de\u30eb\u30a6\u30a7\u30a2\u306e\u5b9f\u884c\u3082\u9632\u6b62\u3057\u307e\u3059\u3002<\/li>\n<li>Cortex XDR 3.4 \u304b\u3089\u5229\u7528\u53ef\u80fd\u306a\u65b0\u3057\u3044 Credential Gathering Protection \u3092\u4f7f\u3063\u3066\u3001\u30af\u30ec\u30c7\u30f3\u30b7\u30e3\u30eb\u53ce\u96c6\u30c4\u30fc\u30eb\u30fb\u6280\u8853\u304b\u3089\u4fdd\u8b77\u3057\u307e\u3059\u3002<\/li>\n<li>Anti-Exploitation \u30e2\u30b8\u30e5\u30fc\u30eb\u3068 Behavioral Threat Protection \u3092\u4f7f\u3044\u3001 ProxyShell \u3084 ProxyLogon \u542b\u3080\u3001\u3055\u307e\u3056\u307e\u306a\u8106\u5f31\u6027\u306e\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u304b\u3089\u4fdd\u8b77\u3057\u307e\u3059\u3002<\/li>\n<\/ul>\n<p>Cortex XDR Pro \u306f<a href=\"https:\/\/docs.paloaltonetworks.com\/cortex\/cortex-xdr\/cortex-xdr-analytics-alert-reference\/cortex-xdr-analytics-alert-reference\/analytics-alerts-by-required-data-source\" target=\"_blank\" rel=\"noopener\">\u632f\u308b\u821e\u3044\u5206\u6790<\/a>\u306b\u3088\u308a\u30af\u30ec\u30c7\u30f3\u30b7\u30e3\u30eb \u30d9\u30fc\u30b9\u653b\u6483\u3092\u542b\u3080\u3001\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u5f8c\u306e\u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3\u3092\u691c\u51fa\u3057\u307e\u3059\u3002<\/p>\n<p>\u4fb5\u5bb3\u306e\u61f8\u5ff5\u304c\u3042\u308a\u5f0a\u793e\u306b\u30a4\u30f3\u30b7\u30c7\u30f3\u30c8\u30ec\u30b9\u30dd\u30f3\u30b9\u306b\u95a2\u3059\u308b\u3054\u76f8\u8ac7\u3092\u306a\u3055\u308a\u305f\u3044\u5834\u5408\u306f\u3001<a href=\"https:\/\/start.paloaltonetworks.jp\/contact-unit42.html\" target=\"_blank\" 
rel=\"noopener\">\u3053\u3061\u3089\u306e\u30d5\u30a9\u30fc\u30e0<\/a>\u304b\u3089\u3054\u9023\u7d61\u3044\u305f\u3060\u304f\u304b\u3001infojapan@paloaltonetworks.com\u307e\u3067\u30e1\u30fc\u30eb\u306b\u3066\u3054\u9023\u7d61\u3044\u305f\u3060\u304f\u304b\u3001\u4e0b\u8a18\u306e\u96fb\u8a71\u756a\u53f7\u307e\u3067\u304a\u554f\u3044\u5408\u308f\u305b\u304f\u3060\u3055\u3044(\u3054\u76f8\u8ac7\u306f\u5f0a\u793e\u88fd\u54c1\u306e\u304a\u5ba2\u69d8\u306b\u306f\u9650\u5b9a\u3055\u308c\u307e\u305b\u3093)\u3002<\/p>\n<ul>\n<li>\u5317\u7c73\u30d5\u30ea\u30fc\u30c0\u30a4\u30e4\u30eb\uff1a866.486.4842 (866.4.UNIT42)<\/li>\n<li>EMEA: +31.20.299.3130<\/li>\n<li>APAC: +65.6983.8730<\/li>\n<li>\u65e5\u672c: (+81) 50-1790-0200<\/li>\n<\/ul>\n<p>\u30d1\u30ed\u30a2\u30eb\u30c8\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30b9\u306f\u3001\u3053\u308c\u3089\u306e\u8abf\u67fb\u7d50\u679c\u3092 Cyber Threat Alliance (CTA: \u30b5\u30a4\u30d0\u30fc\u8105\u5a01\u30a2\u30e9\u30a4\u30a2\u30f3\u30b9) \u306e\u30e1\u30f3\u30d0\u30fc\u3068\u5171\u6709\u3057\u307e\u3057\u305f\u3002CTA \u306e\u30e1\u30f3\u30d0\u30fc\u306f\u3053\u306e\u30a4\u30f3\u30c6\u30ea\u30b8\u30a7\u30f3\u30b9\u3092\u4f7f\u3063\u3066\u3001\u304a\u5ba2\u69d8\u306b\u4fdd\u8b77\u3092\u8fc5\u901f\u306b\u63d0\u4f9b\u3057\u3001\u60aa\u610f\u306e\u3042\u308b\u30b5\u30a4\u30d0\u30fc\u653b\u6483\u8005\u3092\u4f53\u7cfb\u7684\u306b\u963b\u5bb3\u3067\u304d\u307e\u3059\u3002\u8a73\u7d30\u306f <a href=\"https:\/\/www.cyberthreatalliance.org\" target=\"_blank\" rel=\"noopener\">Cyber Threat Alliance<\/a> \u306b\u3066\u3054\u78ba\u8a8d\u304f\u3060\u3055\u3044\uff61<\/p>\n<h2><a id=\"post-131138-_ydqdbjg0dngh\"><\/a>IoC (\u4fb5\u5bb3\u6307\u6a19)<\/h2>\n<p>Web \u30b7\u30a7\u30eb<\/p>\n<ul>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">1ea4d26a31dad637d697f9fb70b6ed4d75a13d101e02e02bc00200b42353985c<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, 
monospace;\">62e36675ed7267536bd980c07570829fe61136e53de3336eebadeca56ab060c2<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">abfde7c29a4a703daa2b8ad2637819147de3a890fdd12da8279de51a3cc0d96d<\/span><\/li>\n<\/ul>\n<p>nbtscan<\/p>\n<ul>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">63d51bc3e5cf4068ff04bd3d665c101a003f1d6f52de7366f5a2d9ef5cc041a7<\/span><\/li>\n<\/ul>\n<p>WinEggDrop<\/p>\n<ul>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">49c3df62c4b62ce8960558daea4a8cf41b11c8f445e218cd257970cf939a3c25<\/span><\/li>\n<\/ul>\n<p>NimScan<\/p>\n<ul>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">dacdb4976fd75ab2fd7bb22f1b2f9d986f5d92c29555ce2b165c020e2816a200<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">e43d66b7a4fa09a0714c573fbe4996770d9d85e31912480e73344124017098f9<\/span><\/li>\n<\/ul>\n<p>Mimikatz<\/p>\n<ul>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">2a6e3b6e42be2f55f7ab9db9d5790b0cc3f52bee9a1272fc4d79c7c0a3b6abda<\/span><\/li>\n<\/ul>\n<p>ProcDump<\/p>\n<ul>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">5d1660a53aaf824739d82f703ed580004980d377bdc2834f1041d512e4305d07<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">f4c8369e4de1f12cc5a71eb5586b38fc78a9d8db2b189b8c25ef17a572d4d6b7<\/span><\/li>\n<\/ul>\n<p>Plink<\/p>\n<ul>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">13d8d4f4fa483111e4372a6925d24e28f3be082a2ea8f44304384982bd692ec9<\/span><\/li>\n<\/ul>\n<p>Sqlextractor<\/p>\n<ul>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">a8e63550b56178ae5198c9cc5b704a8be4c8505fea887792b6d911e488592a7c<\/span><\/li>\n<\/ul>\n<p>Pscp.exe<\/p>\n<ul>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">a112e78e4f8b99b1ceddae44f34692be20ef971944b98e2def995c87d5ae89ee<\/span><\/li>\n<\/ul>\n<p>MultiLayer 
wiper<\/p>\n<p>PartialWasher wiper<\/p>\n<p>BFG Agonizer wiper<\/p>\n<p>GMER driver loader - <span style=\"font-family: 'courier new', courier, monospace;\">agmt.exe<\/span><\/p>\n<p>GMER driver<\/p>\n<p>Rentdrv2 loader - <span style=\"font-family: 'courier new', courier, monospace;\">drvIX.exe<\/span><\/p>\n<p>Rentdrv2 driver<\/p>\n<p>Infrastructure<\/p>\n<h2><a id=\"post-131138-_2le3trtvw6xi\"><\/a>Appendix<\/h2>\n<table>\n<tbody>\n<tr>\n<td style=\"text-align: center;\"><b>File name<\/b><\/td>\n<td style=\"text-align: center;\"><b>SHA256<\/b><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">Uploader.aspx<\/span><\/td>\n<td><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">1ea4d26a31dad637d697f9fb70b6ed4d75a13d101e02e02bc00200b42353985c<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">xcopy.aspx<\/span><\/td>\n<td><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">62e36675ed7267536bd980c07570829fe61136e53de3336eebadeca56ab060c2<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">css.aspx<\/span><\/td>\n<td><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">abfde7c29a4a703daa2b8ad2637819147de3a890fdd12da8279de51a3cc0d96d<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p style=\"text-align: center;\"><span style=\"color: #999999;\"><em><span style=\"font-size: 8pt;\">Table 1. Web shell hashes<\/span> <\/em><\/span><\/p>\n<h2><a id=\"post-131138-_s69xotarz80f\"><\/a>Additional resources<\/h2>\n<ul>\n<li><a href=\"https:\/\/assets.sentinelone.com\/sentinellabs\/evol-agrius\" target=\"_blank\" rel=\"noopener\">From Wiper To Ransomware: The Evolution Of Agrius<\/a> \u2013 Amitai Ben Shushan Ehrlich, SentinelLABS Research Team<\/li>\n<li><a href=\"https:\/\/www.welivesecurity.com\/2022\/12\/07\/fantasy-new-agrius-wiper-supply-chain-attack\/\" target=\"_blank\" rel=\"noopener\">Fantasy \u2013 a new Agrius wiper deployed through a supply-chain attack<\/a> \u2013 WeLiveSecurity, ESET<\/li>\n<li><a href=\"https:\/\/research.checkpoint.com\/2023\/agrius-deploys-moneybird-in-targeted-attacks-against-israeli-organizations\/\" target=\"_blank\" rel=\"noopener\">Agrius Deploys Moneybird in Targeted Attacks Against Israeli Organizations<\/a> \u2013 cp&lt;r&gt;, Check Point<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Overview Unit 42 researchers investigated a series of destructive cyberattacks that ran from January 2023 through October 2023. The attacks targeted Israel's education and technology sectors.
<\/p>\n","protected":false},"author":323,"featured_media":131013,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1974,4431,4428],"tags":[4499,4861,4863,4865],"product_categories":[4448,4450],"coauthors":[3695,4094,4017,4155],"yoast_head":"<title>Agonizing Serpens (aka Agrius) Targets Israel's Higher Education and Technology Sectors<\/title>\n<meta name=\"description\" content=\"Unit 42 observed an attack campaign, beginning in January 2023, that targeted Israel-related organizations. The campaign was assessed to be the work of Agonizing Serpens (Agrius), an APT group linked to Iran. We analyze the attack flow and tools.\" \/>\n<link rel=\"canonical\" href=\"https:\/\/unit42.paloaltonetworks.com\/ja\/agonizing-serpens-targets-israeli-tech-higher-ed-sectors\/\" \/>\n<meta property=\"article:published_time\" content=\"2023-11-08T07:38:48+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-06-17T09:00:48+00:00\" \/>\n<meta name=\"author\" content=\"Or Chechik, Tom Fakterman, Daniel Frank, Assaf Dahan\" \/>"}