KOROMOON

I want to be a good Samaritan.

10/14/2020

Windows commands used in security incidents: survey and Snort rule authoring


( 1 ) Overview


Based on material from the JPCERT/CC Analysis Center, this post surveys the commands attackers run most frequently on Windows systems during an intrusion.

Original link : https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html

Korean link : https://koromoon.blogspot.com/2020/09/windows.html


Snort rules were written for many of these commands and configured for detection, so that their use can be spotted during an incident.

The reference files are attached.

Download link (password : koromoon1004) : https://drive.google.com/file/d/1Ge7xJFjJSRSIrB7lKX1-ZvA8DfuTr3hq/view?usp=sharing




( 2 ) Rule selection


From the JPCERT/CC Analysis Center material, the commands used for initial investigation and discovery were selected, rules were written for them, and the rules were tested and validated on Security Onion (a free, open-source network security monitoring distribution that bundles the IDS engine, not a commercial IDS product).

Each of the 16 commands below was run on an English and on a Korean Windows system, and a rule was written for the response packets that carry the command's output, giving 32 rules in total.

Three things to keep in mind before deploying them. Every rule uses flow:established,from_server, so it fires only when the compromised Windows host is the server side of the TCP connection (a bind shell, or command output returned by a web shell); for a reverse shell the Windows host is the TCP client and its output travels from_client (to_server), so either add a second copy of the rule with that flow option or drop the direction and accept more noise. The Korean rules match raw bytes because the Korean console writes CP949 (EUC-KR); a shell switched to UTF-8 with chcp 65001 emits different bytes and is missed by them. The listing shows only msg, flow and content, so give each rule a unique sid and a rev before loading it, and replace NNNN / YYYYMMDD with your own numbering. All of the rules are plaintext-only: output carried over an encrypted channel is not visible to Snort.


arp -a
  Description : Shows the current ARP cache for every interface
  Snort rules : UDS_NNNN_Windows Command arp -a Eng_YYYYMMDD
                UDS_NNNN_Windows Command arp -a Kor_YYYYMMDD

dir
  Description : Lists the files and subdirectories of a directory
  Snort rules : UDS_NNNN_Windows Command dir Eng_YYYYMMDD
                UDS_NNNN_Windows Command dir Kor_YYYYMMDD

ipconfig
  Description : Shows basic TCP/IP configuration for all adapters
  Snort rules : UDS_NNNN_Windows Command ipconfig Eng_YYYYMMDD
                UDS_NNNN_Windows Command ipconfig Kor_YYYYMMDD

ipconfig /all
  Description : Shows full TCP/IP configuration for all adapters
  Snort rules : UDS_NNNN_Windows Command ipconfig /all Eng_YYYYMMDD
                UDS_NNNN_Windows Command ipconfig /all Kor_YYYYMMDD

net localgroup
  Description : Lists the local groups defined on the computer
  Snort rules : UDS_NNNN_Windows Command net localgroup Eng_YYYYMMDD
                UDS_NNNN_Windows Command net localgroup Kor_YYYYMMDD

net share
  Description : Lists every resource shared by the local computer
  Snort rules : UDS_NNNN_Windows Command net share Eng_YYYYMMDD
                UDS_NNNN_Windows Command net share Kor_YYYYMMDD

net use
  Description : Lists the computer's connections to shared resources
  Snort rules : UDS_NNNN_Windows Command net use Eng_YYYYMMDD
                UDS_NNNN_Windows Command net use Kor_YYYYMMDD

net user
  Description : Lists the user accounts on the computer
  Snort rules : UDS_NNNN_Windows Command net user Eng_YYYYMMDD
                UDS_NNNN_Windows Command net user Kor_YYYYMMDD

net view
  Description : Lists the computers in the current domain or workgroup
  Snort rules : UDS_NNNN_Windows Command net view Eng_YYYYMMDD
                UDS_NNNN_Windows Command net view Kor_YYYYMMDD

netstat -an
  Description : Shows all connections and listening ports in numeric form
  Snort rules : UDS_NNNN_Windows Command netstat -an Eng_YYYYMMDD
                UDS_NNNN_Windows Command netstat -an Kor_YYYYMMDD

netstat -ano
  Description : Same as -an, plus the owning process ID (PID) of each entry
  Snort rules : UDS_NNNN_Windows Command netstat -ano Eng_YYYYMMDD
                UDS_NNNN_Windows Command netstat -ano Kor_YYYYMMDD

systeminfo
  Description : Shows detailed configuration information about the operating system
  Snort rules : UDS_NNNN_Windows Command systeminfo Eng_YYYYMMDD
                UDS_NNNN_Windows Command systeminfo Kor_YYYYMMDD

tasklist
  Description : Lists the processes currently running on the local computer
  Snort rules : UDS_NNNN_Windows Command tasklist Eng_YYYYMMDD
                UDS_NNNN_Windows Command tasklist Kor_YYYYMMDD

tasklist -m
  Description : Shows the DLL modules loaded by each process
  Snort rules : UDS_NNNN_Windows Command tasklist -m Eng_YYYYMMDD
                UDS_NNNN_Windows Command tasklist -m Kor_YYYYMMDD

tasklist -svc
  Description : Lists the services hosted by each process
  Snort rules : UDS_NNNN_Windows Command tasklist -svc Eng_YYYYMMDD
                UDS_NNNN_Windows Command tasklist -svc Kor_YYYYMMDD

tasklist -v
  Description : Shows verbose information about each process
  Snort rules : UDS_NNNN_Windows Command tasklist -v Eng_YYYYMMDD
                UDS_NNNN_Windows Command tasklist -v Kor_YYYYMMDD




( 3 ) Rule details

In the Korean rules the console text appears as |hex| byte sequences because the Korean Windows console writes CP949 (EUC-KR), which Snort cannot express as a literal string. For example, |c0 ce c5 cd c6 e4 c0 cc bd ba 3a 20| in rule 02 is "인터페이스: " (Interface: ), and |ba bc b7 fd 20 c0 cf b7 c3 20 b9 f8 c8 a3 3a 20| in rule 04 is "볼륨 일련 번호: " (Volume Serial Number). The distance:22; within:19; pair in rule 04 pins the 19-byte "<DIR>" column to the position immediately after the 22-byte date and time field of each listing line.


01. arp -a (English version)

Rule name : UDS_NNNN_Windows Command arp -a Eng_YYYYMMDD

Rule : alert tcp any any -> any any (msg:"UDS_NNNN_Windows Command arp -a Eng_YYYYMMDD"; flow:established,from_server; content:"Interface: "; content:"--- 0x"; content:"|0d 0a 20 20|Internet Address|20 20 20 20 20 20|Physical Address|20 20 20 20 20 20|Type|0d 0a|";)

< Test screenshot >


02. arp -a (Korean version)

Rule name : UDS_NNNN_Windows Command arp -a Kor_YYYYMMDD

Rule : alert tcp any any -> any any (msg:"UDS_NNNN_Windows Command arp -a Kor_YYYYMMDD"; flow:established,from_server; content:"|c0 ce c5 cd c6 e4 c0 cc bd ba 3a 20|"; content:"--- 0x"; content:"|0d 0a 20 20 c0 ce c5 cd b3 dd 20 c1 d6 bc d2 20 20 20 20 20 20 20 20 20 20 20 b9 b0 b8 ae c0 fb 20 c1 d6 bc d2 20 20 20 20 20 20 20 20 20 20 20 c0 af c7 fc 0d 0a|";)

< Test screenshot >


03. dir (English version)

Rule name : UDS_NNNN_Windows Command dir Eng_YYYYMMDD

Rule : alert tcp any any -> any any (msg:"UDS_NNNN_Windows Command dir Eng_YYYYMMDD"; flow:established,from_server; content:"|0d 0a 20|Volume Serial Number is "; content:"|0d 0a 0d 0a 20|Directory of|20|"; content:"|20 20 20 20|<DIR>|20 20 20 20 20 20 20 20 20 20|";)

< Test screenshot >


04. dir (Korean version)

Rule name : UDS_NNNN_Windows Command dir Kor_YYYYMMDD

Rule : alert tcp any any -> any any (msg:"UDS_NNNN_Windows Command dir Kor_YYYYMMDD"; flow:established,from_server; content:"|0d 0a 20 ba bc b7 fd 20 c0 cf b7 c3 20 b9 f8 c8 a3 3a 20|"; content:"|20 b5 f0 b7 ba c5 cd b8 ae 0d 0a 0d 0a|"; content:"|20 20 20 20|<DIR>|20 20 20 20 20 20 20 20 20 20|"; distance:22; within:19;)

< Test screenshot >


05. ipconfig (English version)

Rule name : UDS_NNNN_Windows Command ipconfig Eng_YYYYMMDD

Rule : alert tcp any any -> any any (msg:"UDS_NNNN_Windows Command ipconfig Eng_YYYYMMDD"; flow:established,from_server; content:"Windows IP Configuration|0d 0a 0d 0a 0d 0a|Ethernet adapter|20|"; content:"|0d 0a 0d 0a 20 20 20|Connection-specific DNS Suffix|20 20 2e 20 3a 20|";)

< Test screenshot >


06. ipconfig (Korean version)

Rule name : UDS_NNNN_Windows Command ipconfig Kor_YYYYMMDD

Rule : alert tcp any any -> any any (msg:"UDS_NNNN_Windows Command ipconfig Kor_YYYYMMDD"; flow:established,from_server; content:"|57 69 6e 64 6f 77 73 20 49 50 20 b1 b8 bc ba 0d 0a 0d 0a 0d 0a c0 cc b4 f5 b3 dd 20 be ee b4 f0 c5 cd 20|"; content:"|0d 0a 0d 0a 20 20 20 bf ac b0 e1 ba b0 20 44 4e 53 20 c1 a2 b9 cc bb e7 2e 20 2e 20 2e 20 2e 20 3a 20|";)

< Test screenshot >


07. ipconfig /all (English version)

Rule name : UDS_NNNN_Windows Command ipconfig /all Eng_YYYYMMDD

Rule : alert tcp any any -> any any (msg:"UDS_NNNN_Windows Command ipconfig /all Eng_YYYYMMDD"; flow:established,from_server; content:"Windows IP Configuration|0d 0a 0d 0a 20 20 20|Host Name|20 2e 20 2e 20 2e 20 2e 20 2e 20 2e 20 2e 20 2e 20 2e 20 2e 20 2e 20 2e 20 3a 20|"; content:"|0d 0a 20 20 20|Primary Dns Suffix|20 20 2e 20 2e 20 2e 20 2e 20 2e 20 2e 20 2e 20 3a 20|";)

< Test screenshot >


08. ipconfig /all (Korean version)

Rule name : UDS_NNNN_Windows Command ipconfig /all Kor_YYYYMMDD

Rule : alert tcp any any -> any any (msg:"UDS_NNNN_Windows Command ipconfig /all Kor_YYYYMMDD"; flow:established,from_server; content:"|57 69 6e 64 6f 77 73 20 49 50 20 b1 b8 bc ba 0d 0a 0d 0a 20 20 20 c8 a3 bd ba c6 ae 20 c0 cc b8 a7 20 2e 20 2e 20 2e 20 2e 20 2e 20 2e 20 2e 20 2e 20 3a 20|"; content:"|0d 0a 20 20 20 c1 d6 20 44 4e 53 20 c1 a2 b9 cc bb e7 20 2e 20 2e 20 2e 20 2e 20 2e 20 2e 20 2e 20 3a 20|";)

< Test screenshot >


09. net localgroup (English version)

Rule name : UDS_NNNN_Windows Command net localgroup Eng_YYYYMMDD

Rule : alert tcp any any -> any any (msg:"UDS_NNNN_Windows Command net localgroup Eng_YYYYMMDD"; flow:established,from_server; content:"Aliases for \\"; content:"|0d 0a 0d 0a|-------------------------------------------------------------------------------|0d 0a|";)

< Test screenshot >


10. net localgroup (Korean version)

Rule name : UDS_NNNN_Windows Command net localgroup Kor_YYYYMMDD

Rule : alert tcp any any -> any any (msg:"UDS_NNNN_Windows Command net localgroup Kor_YYYYMMDD"; flow:established,from_server; content:"\\"; content:"|bf a1 20 b4 eb c7 d1 20 ba b0 c4 aa 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 0d 0a|";)

< Test screenshot >


11. net share (English version)

Rule name : UDS_NNNN_Windows Command net share Eng_YYYYMMDD

Rule : alert tcp any any -> any any (msg:"UDS_NNNN_Windows Command net share Eng_YYYYMMDD"; flow:established,from_server; content:"Share name|20 20 20|Resource|20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20|Remark|0d 0a 0d 0a|-------------------------------------------------------------------------------|0d 0a|";)

< Test screenshot >


12. net share (Korean version)

Rule name : UDS_NNNN_Windows Command net share Kor_YYYYMMDD

Rule : alert tcp any any -> any any (msg:"UDS_NNNN_Windows Command net share Kor_YYYYMMDD"; flow:established,from_server; content:"|b0 f8 c0 af 20 c0 cc b8 a7 20 20 20 b8 ae bc d2 bd ba 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 bc b3 b8 ed 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 0d 0a|";)

< Test screenshot >


13. net use (English version)

Rule name : UDS_NNNN_Windows Command net use Eng_YYYYMMDD

Rule : alert tcp any any -> any any (msg:"UDS_NNNN_Windows Command net use Eng_YYYYMMDD"; flow:established,from_server; content:"New connections will be remembered.|0d 0a 0d 0a 0d 0a|Status|20 20 20 20 20 20 20|Local|20 20 20 20 20|Remote|20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20|Network|0d 0a 0d 0a|-------------------------------------------------------------------------------|0d 0a|";)

< Test screenshot >


14. net use (Korean version)

Rule name : UDS_NNNN_Windows Command net use Kor_YYYYMMDD

Rule : alert tcp any any -> any any (msg:"UDS_NNNN_Windows Command net use Kor_YYYYMMDD"; flow:established,from_server; content:"|bb f5 20 bf ac b0 e1 20 c1 a4 ba b8 b0 a1 20 c0 fa c0 e5 b5 cb b4 cf b4 d9 2e 0d 0a 0d 0a 0d 0a bb f3 c5 c2 20 20 20 20 20 20 20 20 20 b7 ce c4 c3 20 20 20 20 20 20 bf f8 b0 dd 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 b3 d7 c6 ae bf f6 c5 a9 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 0d 0a|";)

< Test screenshot >


15. net user (English version)

Rule name : UDS_NNNN_Windows Command net user Eng_YYYYMMDD

Rule : alert tcp any any -> any any (msg:"UDS_NNNN_Windows Command net user Eng_YYYYMMDD"; flow:established,from_server; content:"User accounts for \\"; content:"|0d 0a 0d 0a|-------------------------------------------------------------------------------|0d 0a|";)

< Test screenshot >


16. net user (Korean version)

Rule name : UDS_NNNN_Windows Command net user Kor_YYYYMMDD

Rule : alert tcp any any -> any any (msg:"UDS_NNNN_Windows Command net user Kor_YYYYMMDD"; flow:established,from_server; content:"\\"; content:"|bf a1 20 b4 eb c7 d1 20 bb e7 bf eb c0 da 20 b0 e8 c1 a4 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 0d 0a|";)

< Test screenshot >


17. net view (English version)

Rule name : UDS_NNNN_Windows Command net view Eng_YYYYMMDD

Rule : alert tcp any any -> any any (msg:"UDS_NNNN_Windows Command net view Eng_YYYYMMDD"; flow:established,from_server; content:"Server Name|20 20 20 20 20 20 20 20 20 20 20 20|Remark|0d 0a 0d 0a|-------------------------------------------------------------------------------|0d 0a|";)

< Test screenshot >


18. net view (Korean version)

Rule name : UDS_NNNN_Windows Command net view Kor_YYYYMMDD

Rule : alert tcp any any -> any any (msg:"UDS_NNNN_Windows Command net view Kor_YYYYMMDD"; flow:established,from_server; content:"|bc ad b9 f6 20 c0 cc b8 a7 20 20 20 20 20 20 20 20 20 20 20 20 bc b3 b8 ed 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 0d 0a|";)

< Test screenshot >


19. netstat -an (English version)

Rule name : UDS_NNNN_Windows Command netstat -an Eng_YYYYMMDD

Rule : alert tcp any any -> any any (msg:"UDS_NNNN_Windows Command netstat -an Eng_YYYYMMDD"; flow:established,from_server; content:"Active Connections|0d 0a 0d 0a 20 20|Proto|20 20|Local Address|20 20 20 20 20 20 20 20 20 20|Foreign Address|20 20 20 20 20 20 20 20|State|0d 0a 20 20|TCP";)

< Test screenshot >


20. netstat -an (Korean version)

Rule name : UDS_NNNN_Windows Command netstat -an Kor_YYYYMMDD

Rule : alert tcp any any -> any any (msg:"UDS_NNNN_Windows Command netstat -an Kor_YYYYMMDD"; flow:established,from_server; content:"|c8 b0 bc ba 20 bf ac b0 e1 0d 0a 0d 0a 20 20 c7 c1 b7 ce c5 e4 c4 dd 20 20 b7 ce c4 c3 20 c1 d6 bc d2 20 20 20 20 20 20 20 20 20 20 20 bf dc ba ce 20 c1 d6 bc d2 20 20 20 20 20 20 20 20 20 20 20 20 20 20 bb f3 c5 c2 0d 0a 20 20 54 43 50|";)

< Test screenshot >


21. netstat -ano (English version)

Rule name : UDS_NNNN_Windows Command netstat -ano Eng_YYYYMMDD

Rule : alert tcp any any -> any any (msg:"UDS_NNNN_Windows Command netstat -ano Eng_YYYYMMDD"; flow:established,from_server; content:"Active Connections|0d 0a 0d 0a 20 20|Proto|20 20|Local Address|20 20 20 20 20 20 20 20 20 20|Foreign Address|20 20 20 20 20 20 20 20|State|20 20 20 20 20 20 20 20 20 20 20|PID|0d 0a 20 20|TCP";)

< Test screenshot >


22. netstat -ano (Korean version)

Rule name : UDS_NNNN_Windows Command netstat -ano Kor_YYYYMMDD

Rule : alert tcp any any -> any any (msg:"UDS_NNNN_Windows Command netstat -ano Kor_YYYYMMDD"; flow:established,from_server; content:"|c8 b0 bc ba 20 bf ac b0 e1 0d 0a 0d 0a 20 20 c7 c1 b7 ce c5 e4 c4 dd 20 20 b7 ce c4 c3 20 c1 d6 bc d2 20 20 20 20 20 20 20 20 20 20 20 20 20 20 bf dc ba ce 20 c1 d6 bc d2 20 20 20 20 20 20 20 20 20 20 20 20 20 20 bb f3 c5 c2 20 20 20 20 20 20 20 20 20 20 20 20 50 49 44 0d 0a 20 20 54 43 50|";)

< Test screenshot >


23. systeminfo (English version)

Rule name : UDS_NNNN_Windows Command systeminfo Eng_YYYYMMDD

Rule : alert tcp any any -> any any (msg:"UDS_NNNN_Windows Command systeminfo Eng_YYYYMMDD"; flow:established,from_server; content:"Host Name:|20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20|"; content:"|0d 0a|OS Name:|20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20|"; content:"|0d 0a|OS Version:|20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20|";)

< Test screenshot >


24. systeminfo (Korean version)

Rule name : UDS_NNNN_Windows Command systeminfo Kor_YYYYMMDD

Rule : alert tcp any any -> any any (msg:"UDS_NNNN_Windows Command systeminfo Kor_YYYYMMDD"; flow:established,from_server; content:"|c8 a3 bd ba c6 ae 20 c0 cc b8 a7 3a 20 20 20 20 20 20 20 20 20 20 20 20 20|"; content:"|0d 0a 4f 53 20 c0 cc b8 a7 3a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20|"; content:"|0d 0a 4f 53 20 b9 f6 c0 fc 3a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20|";)

< Test screenshot >


25. tasklist (English version)

Rule name : UDS_NNNN_Windows Command tasklist Eng_YYYYMMDD

Rule : alert tcp any any -> any any (msg:"UDS_NNNN_Windows Command tasklist Eng_YYYYMMDD"; flow:established,from_server; content:"Image Name|20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20|PID|20|Session Name|20 20 20 20 20 20 20 20|Session#|20 20 20 20|Mem Usage|0d 0a|========================= ======== ================ =========== ============|0d 0a|";)

< Test screenshot >


26. tasklist (Korean version)

Rule name : UDS_NNNN_Windows Command tasklist Kor_YYYYMMDD

Rule : alert tcp any any -> any any (msg:"UDS_NNNN_Windows Command tasklist Kor_YYYYMMDD"; flow:established,from_server; content:"|c0 cc b9 cc c1 f6 20 c0 cc b8 a7 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 50 49 44 20 bc bc bc c7 20 c0 cc b8 a7 20 20 20 20 20 20 20 20 20 20 20 20 20 20 bc bc bc c7 23 20 20 b8 de b8 f0 b8 ae 20 bb e7 bf eb 0d 0a 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 20 3d 3d 3d 3d 3d 3d 3d 3d 20 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 20 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 20 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 0d 0a|";)

< Test screenshot >


27. tasklist -m (English version)

Rule name : UDS_NNNN_Windows Command tasklist -m Eng_YYYYMMDD

Rule : alert tcp any any -> any any (msg:"UDS_NNNN_Windows Command tasklist -m Eng_YYYYMMDD"; flow:established,from_server; content:"Image Name|20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20|PID|20|Modules|20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0d 0a|========================= ======== ============================================|0d 0a|";)

< Test screenshot >


28. tasklist -m (Korean version)

Rule name : UDS_NNNN_Windows Command tasklist -m Kor_YYYYMMDD

Rule : alert tcp any any -> any any (msg:"UDS_NNNN_Windows Command tasklist -m Kor_YYYYMMDD"; flow:established,from_server; content:"|c0 cc b9 cc c1 f6 20 c0 cc b8 a7 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 50 49 44 20 b8 f0 b5 e2 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0d 0a 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 20 3d 3d 3d 3d 3d 3d 3d 3d 20 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 0d 0a|";)

< Test screenshot >


29. tasklist -svc (English version)

Rule name : UDS_NNNN_Windows Command tasklist -svc Eng_YYYYMMDD

Rule : alert tcp any any -> any any (msg:"UDS_NNNN_Windows Command tasklist -svc Eng_YYYYMMDD"; flow:established,from_server; content:"Image Name|20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20|PID|20|Services|20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0d 0a|========================= ======== ============================================|0d 0a|";)

< Test screenshot >


30. tasklist -svc (Korean version)

Rule name : UDS_NNNN_Windows Command tasklist -svc Kor_YYYYMMDD

Rule : alert tcp any any -> any any (msg:"UDS_NNNN_Windows Command tasklist -svc Kor_YYYYMMDD"; flow:established,from_server; content:"|c0 cc b9 cc c1 f6 20 c0 cc b8 a7 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 50 49 44 20 bc ad ba f1 bd ba 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0d 0a 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 20 3d 3d 3d 3d 3d 3d 3d 3d 20 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 0d 0a|";)

< Test screenshot >


31. tasklist -v (English version)

Rule name : UDS_NNNN_Windows Command tasklist -v Eng_YYYYMMDD

Rule : alert tcp any any -> any any (msg:"UDS_NNNN_Windows Command tasklist -v Eng_YYYYMMDD"; flow:established,from_server; content:"Image Name|20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20|PID|20|Session Name|20 20 20 20 20 20 20 20|Session#|20 20 20 20|Mem Usage|20|Status|20 20 20 20 20 20 20 20 20 20|User Name|20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20|CPU Time|20|Window Title|20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0d 0a|=========================|20|";)

< Test screenshot >


32. tasklist -v (Korean version)

Rule name : UDS_NNNN_Windows Command tasklist -v Kor_YYYYMMDD

Rule : alert tcp any any -> any any (msg:"UDS_NNNN_Windows Command tasklist -v Kor_YYYYMMDD"; flow:established,from_server; content:"|c0 cc b9 cc c1 f6 20 c0 cc b8 a7 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 50 49 44 20 bc bc bc c7 20 c0 cc b8 a7 20 20 20 20 20 20 20 20 20 20 20 20 20 20 bc bc bc c7 23 20 20 b8 de b8 f0 b8 ae 20 bb e7 bf eb 20 bb f3 c5 c2 20 20 20 20 20 20 20 20 20 20 20 20 bb e7 bf eb c0 da 20 c0 cc b8 a7 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 43 50 55 20 bd c3 b0 a3 20 c3 a2 20 c1 a6 b8 f1 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0d 0a 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 20 3d 3d 3d 3d 3d 3d 3d 3d 20|";)

< Test screenshot >
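To sanity-check the byte patterns offline before loading the rules into a sensor, here is an added example written for this page (it is not code from the original post, from Snort, or from Security Onion). It re-implements only the part of Snort's content matching that the 32 rules above rely on: decoding the content string syntax (|hex| byte runs and backslash escapes), searching contents that carry no modifier anywhere in the payload, and applying distance/within relative to the end of the previous match. It then checks rule 01 and rule 04 against sample outputs constructed inline, the Korean one encoded as CP949 the way the Korean console writes it, and shows that the same Korean listing encoded as UTF-8 is not matched. It assumes a single, already reassembled payload and does not model flow direction, offset/depth, nocase, fast_pattern or TCP stream reassembly; the sample text (host names, addresses, the dir listing) is made up.

```python
"""Offline checker for the Snort content patterns in the rules above.

Added example for this page: it mirrors only the content / distance /
within semantics the rules use, not the rest of the Snort engine.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Optional

# One rule option per match: key, then a quoted value or a bare value.
OPTION_RE = re.compile(r'\s*(\w+)\s*:\s*(?:"((?:[^"\\]|\\.)*)"|([^;]*))\s*;')


@dataclass
class Content:
    data: bytes
    distance: Optional[int] = None   # bytes to skip after the previous match
    within: Optional[int] = None     # length of the search window after the skip

    @property
    def relative(self) -> bool:
        return self.distance is not None or self.within is not None


def decode_content(text: str) -> bytes:
    """Snort content string -> raw bytes.

    Segments between '|' pairs are space-separated hex bytes; the rest is
    literal text in which \\\\, \\", \\; and \\| are escapes.
    """
    out = bytearray()
    for i, part in enumerate(re.split(r"(?<!\\)\|", text)):
        if i % 2:                                  # odd segments sit inside |...|
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += re.sub(r"\\(.)", r"\1", part).encode("latin-1")
    return bytes(out)


def parse_contents(rule: str) -> List[Content]:
    """Ordered content patterns of a rule, each with its distance/within."""
    opts = rule[rule.index("(") + 1 : rule.rindex(")")]
    contents: List[Content] = []
    for m in OPTION_RE.finditer(opts):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        if key == "content":
            contents.append(Content(decode_content(quoted)))
        elif key == "distance":
            contents[-1].distance = int(bare)
        elif key == "within":
            contents[-1].within = int(bare)
        # msg, flow, sid, rev, ... play no part in payload matching
    return contents


def rule_matches(rule: str, payload: bytes) -> bool:
    """True when every content of `rule` is found in `payload`.

    A content without modifiers may sit anywhere.  One with distance/within
    must begin `distance` bytes after the previous match and end inside the
    following `within` bytes; that is how rule 04 pins "<DIR>" to the column
    right after the 22-byte date/time field.
    """
    cursor = 0                                     # end of the previous match
    for c in parse_contents(rule):
        if c.relative:
            start = cursor + (c.distance or 0)
            region = payload[start:start + c.within] if c.within else payload[start:]
            idx = region.find(c.data)
            if idx < 0:
                return False
            cursor = start + idx + len(c.data)
        else:
            idx = payload.find(c.data)
            if idx < 0:
                return False
            cursor = idx + len(c.data)
    return True


# Rules 01 and 04 from the page, verbatim.
ARP_ENG_RULE = (
    'alert tcp any any -> any any (msg:"UDS_NNNN_Windows Command arp -a Eng_YYYYMMDD"; '
    'flow:established,from_server; content:"Interface: "; content:"--- 0x"; '
    'content:"|0d 0a 20 20|Internet Address|20 20 20 20 20 20|Physical Address'
    '|20 20 20 20 20 20|Type|0d 0a|";)'
)
DIR_KOR_RULE = (
    'alert tcp any any -> any any (msg:"UDS_NNNN_Windows Command dir Kor_YYYYMMDD"; '
    'flow:established,from_server; '
    'content:"|0d 0a 20 ba bc b7 fd 20 c0 cf b7 c3 20 b9 f8 c8 a3 3a 20|"; '
    'content:"|20 b5 f0 b7 ba c5 cd b8 ae 0d 0a 0d 0a|"; '
    'content:"|20 20 20 20|<DIR>|20 20 20 20 20 20 20 20 20 20|"; distance:22; within:19;)'
)

# Constructed sample outputs (made up for this example, not captured traffic).
ARP_ENG_OUTPUT = (
    "\r\nInterface: 192.168.0.10 --- 0xb\r\n"
    "  Internet Address" + " " * 6 + "Physical Address" + " " * 6 + "Type\r\n"
    "  192.168.0.1" + " " * 11 + "00-11-22-33-44-55     dynamic\r\n"
).encode("ascii")

# Korean dir listing.  The date/time field is 22 bytes in CP949 because each
# Hangul syllable takes two bytes; rule 04 skips exactly that many.
DATE_FIELD = "2020-10-14" + "  " + "오후 03:12"
DIR_ROW = DATE_FIELD + " " * 4 + "<DIR>" + " " * 10
DIR_KOR_TEXT = (
    " C 드라이브의 볼륨에는 이름이 없습니다.\r\n"
    " 볼륨 일련 번호: 1A2B-3C4D\r\n\r\n"
    " C:\\Users\\victim 디렉터리\r\n\r\n"
    + DIR_ROW + ".\r\n"
    + DIR_ROW + "..\r\n"
)
DIR_KOR_OUTPUT = DIR_KOR_TEXT.encode("cp949")    # what a CP949 console sends
DIR_UTF8_OUTPUT = DIR_KOR_TEXT.encode("utf-8")   # what a chcp 65001 console sends


if __name__ == "__main__":
    print("rule 01 vs English arp -a :", rule_matches(ARP_ENG_RULE, ARP_ENG_OUTPUT))
    print("rule 04 vs CP949 dir      :", rule_matches(DIR_KOR_RULE, DIR_KOR_OUTPUT))
    print("rule 04 vs UTF-8 dir      :", rule_matches(DIR_KOR_RULE, DIR_UTF8_OUTPUT))
```

Run it with python3 and it reports the three checks. To vet any of the other 30 rules, paste the rule string in and feed rule_matches() output you captured yourself from the target system (for example from a bind-shell pcap), so that column widths and code page are confirmed before the rule goes live.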




============================================================

This post was written by KOROMOON and may be used under the Creative Commons "Attribution-NonCommercial-ShareAlike" (CC BY-NC-SA) license terms.

