Tip

AWS ํ•ดํ‚น ๋ฐฐ์šฐ๊ธฐ ๋ฐ ์—ฐ์Šตํ•˜๊ธฐ:HackTricks Training AWS Red Team Expert (ARTE)
GCP ํ•ดํ‚น ๋ฐฐ์šฐ๊ธฐ ๋ฐ ์—ฐ์Šตํ•˜๊ธฐ: HackTricks Training GCP Red Team Expert (GRTE) Azure ํ•ดํ‚น ๋ฐฐ์šฐ๊ธฐ ๋ฐ ์—ฐ์Šตํ•˜๊ธฐ: HackTricks Training Azure Red Team Expert (AzRTE)

HackTricks ์ง€์›ํ•˜๊ธฐ

์›๋ณธ ๊ฒŒ์‹œ๋ฌผ์€ https://itm4n.github.io/windows-registry-rpceptmapper-eop/

์š”์•ฝ

ํ˜„์žฌ ์‚ฌ์šฉ์ž์— ์˜ํ•ด ์“ฐ๊ธฐ ๊ฐ€๋Šฅํ•œ ๋‘ ๊ฐœ์˜ ๋ ˆ์ง€์ŠคํŠธ๋ฆฌ ํ‚ค๊ฐ€ ๋ฐœ๊ฒฌ๋˜์—ˆ์Šต๋‹ˆ๋‹ค:

  • HKLM\SYSTEM\CurrentControlSet\Services\Dnscache
  • HKLM\SYSTEM\CurrentControlSet\Services\RpcEptMapper

RpcEptMapper ์„œ๋น„์Šค์˜ ๊ถŒํ•œ์„ regedit GUI๋ฅผ ์‚ฌ์šฉํ•˜์—ฌ ํ™•์ธํ•  ๊ฒƒ์„ ์ œ์•ˆํ–ˆ์Šต๋‹ˆ๋‹ค. ํŠนํžˆ ๊ณ ๊ธ‰ ๋ณด์•ˆ ์„ค์ • ์ฐฝ์˜ ์œ ํšจํ•œ ๊ถŒํ•œ ํƒญ์„ ํ†ตํ•ด ํŠน์ • ์‚ฌ์šฉ์ž ๋˜๋Š” ๊ทธ๋ฃน์— ๋ถ€์—ฌ๋œ ๊ถŒํ•œ์„ ๊ฐœ๋ณ„์ ์œผ๋กœ ๊ฐ ์ ‘๊ทผ ์ œ์–ด ํ•ญ๋ชฉ(ACE)์„ ๊ฒ€ํ† ํ•  ํ•„์š” ์—†์ด ํ‰๊ฐ€ํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

์Šคํฌ๋ฆฐ์ƒท์€ ๋‚ฎ์€ ๊ถŒํ•œ์˜ ์‚ฌ์šฉ์ž์—๊ฒŒ ํ• ๋‹น๋œ ๊ถŒํ•œ์„ ๋ณด์—ฌ์ฃผ์—ˆ์œผ๋ฉฐ, ๊ทธ ์ค‘ ํ•˜์œ„ ํ‚ค ์ƒ์„ฑ ๊ถŒํ•œ์ด ์ฃผ๋ชฉํ•  ๋งŒํ–ˆ์Šต๋‹ˆ๋‹ค. ์ด ๊ถŒํ•œ์€ AppendData/AddSubdirectory๋ผ๊ณ ๋„ ํ•˜๋ฉฐ, ์Šคํฌ๋ฆฝํŠธ์˜ ๋ฐœ๊ฒฌ๊ณผ ์ผ์น˜ํ•ฉ๋‹ˆ๋‹ค.

ํŠน์ • ๊ฐ’์„ ์ง์ ‘ ์ˆ˜์ •ํ•  ์ˆ˜๋Š” ์—†์ง€๋งŒ, ์ƒˆ๋กœ์šด ํ•˜์œ„ ํ‚ค๋ฅผ ์ƒ์„ฑํ•  ์ˆ˜ ์žˆ๋Š” ๋Šฅ๋ ฅ์ด ์ฃผ๋ชฉ๋˜์—ˆ์Šต๋‹ˆ๋‹ค. ์˜ˆ๋ฅผ ๋“ค์–ด, ImagePath ๊ฐ’์„ ๋ณ€๊ฒฝํ•˜๋ ค๋Š” ์‹œ๋„๊ฐ€ ์žˆ์—ˆ์œผ๋‚˜ ์ ‘๊ทผ ๊ฑฐ๋ถ€ ๋ฉ”์‹œ์ง€๊ฐ€ ๋‚˜ํƒ€๋‚ฌ์Šต๋‹ˆ๋‹ค.

์ด๋Ÿฌํ•œ ์ œํ•œ์—๋„ ๋ถˆ๊ตฌํ•˜๊ณ , RpcEptMapper ์„œ๋น„์Šค์˜ ๋ ˆ์ง€์ŠคํŠธ๋ฆฌ ๊ตฌ์กฐ ๋‚ด์—์„œ ๊ธฐ๋ณธ์ ์œผ๋กœ ์กด์žฌํ•˜์ง€ ์•Š๋Š” Performance ํ•˜์œ„ ํ‚ค๋ฅผ ํ™œ์šฉํ•  ๊ฐ€๋Šฅ์„ฑ์„ ํ†ตํ•ด ๊ถŒํ•œ ์ƒ์Šน์˜ ์ž ์žฌ๋ ฅ์ด ํ™•์ธ๋˜์—ˆ์Šต๋‹ˆ๋‹ค. ์ด๋Š” DLL ๋“ฑ๋ก ๋ฐ ์„ฑ๋Šฅ ๋ชจ๋‹ˆํ„ฐ๋ง์„ ๊ฐ€๋Šฅํ•˜๊ฒŒ ํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

Performance ํ•˜์œ„ ํ‚ค์™€ ์„ฑ๋Šฅ ๋ชจ๋‹ˆํ„ฐ๋ง์„ ์œ„ํ•œ ํ™œ์šฉ์— ๋Œ€ํ•œ ๋ฌธ์„œ๊ฐ€ ์ฐธ๊ณ ๋˜์—ˆ๊ณ , ์ด๋ฅผ ๋ฐ”ํƒ•์œผ๋กœ ๊ฐœ๋… ์ฆ๋ช… DLL์ด ๊ฐœ๋ฐœ๋˜์—ˆ์Šต๋‹ˆ๋‹ค. ์ด DLL์€ OpenPerfData, CollectPerfData, ClosePerfData ํ•จ์ˆ˜๋ฅผ ๊ตฌํ˜„ํ•˜๋Š” ๊ฒƒ์„ ๋ณด์—ฌ์ฃผ์—ˆ์œผ๋ฉฐ, rundll32๋ฅผ ํ†ตํ•ด ํ…Œ์ŠคํŠธํ•˜์—ฌ ์„ฑ๊ณต์ ์œผ๋กœ ์ž‘๋™ํ•จ์„ ํ™•์ธํ–ˆ์Šต๋‹ˆ๋‹ค.

๋ชฉํ‘œ๋Š” ์กฐ์ž‘๋œ Performance DLL์„ ๋กœ๋“œํ•˜๋„๋ก RPC Endpoint Mapper ์„œ๋น„์Šค๋ฅผ ๊ฐ•์ œํ•˜๋Š” ๊ฒƒ์ด์—ˆ์Šต๋‹ˆ๋‹ค. ๊ด€์ฐฐ ๊ฒฐ๊ณผ, PowerShell์„ ํ†ตํ•ด ์„ฑ๋Šฅ ๋ฐ์ดํ„ฐ์™€ ๊ด€๋ จ๋œ WMI ํด๋ž˜์Šค ์ฟผ๋ฆฌ๋ฅผ ์‹คํ–‰ํ•˜๋ฉด ๋กœ๊ทธ ํŒŒ์ผ์ด ์ƒ์„ฑ๋˜์–ด LOCAL SYSTEM ์ปจํ…์ŠคํŠธ์—์„œ ์ž„์˜ ์ฝ”๋“œ๋ฅผ ์‹คํ–‰ํ•  ์ˆ˜ ์žˆ๊ฒŒ ๋˜์–ด ๊ถŒํ•œ์ด ์ƒ์Šนํ–ˆ์Šต๋‹ˆ๋‹ค.

์ด ์ทจ์•ฝ์ ์˜ ์ง€์†์„ฑ๊ณผ ์ž ์žฌ์  ์˜ํ–ฅ์ด ๊ฐ•์กฐ๋˜์—ˆ์œผ๋ฉฐ, ์ด๋Š” ํ›„์† ๊ณต๊ฒฉ ์ „๋žต, ์ธก๋ฉด ์ด๋™ ๋ฐ ์•ˆํ‹ฐ๋ฐ”์ด๋Ÿฌ์Šค/EDR ์‹œ์Šคํ…œ ํšŒํ”ผ์™€ ๊ด€๋ จ์ด ์žˆ์Œ์„ ๋‚˜ํƒ€๋ƒ…๋‹ˆ๋‹ค.

์ด ์ทจ์•ฝ์ ์€ ์ฒ˜์Œ์— ์Šคํฌ๋ฆฝํŠธ๋ฅผ ํ†ตํ•ด ์˜๋„์น˜ ์•Š๊ฒŒ ๊ณต๊ฐœ๋˜์—ˆ์ง€๋งŒ, ๊ทธ ์ด์šฉ์€ ๊ตฌ์‹ Windows ๋ฒ„์ „(์˜ˆ: Windows 7 / Server 2008 R2)์— ์ œํ•œ๋˜๋ฉฐ ๋กœ์ปฌ ์ ‘๊ทผ์ด ํ•„์š”ํ•˜๋‹ค๋Š” ์ ์ด ๊ฐ•์กฐ๋˜์—ˆ์Šต๋‹ˆ๋‹ค.

Tip

AWS ํ•ดํ‚น ๋ฐฐ์šฐ๊ธฐ ๋ฐ ์—ฐ์Šตํ•˜๊ธฐ:HackTricks Training AWS Red Team Expert (ARTE)
GCP ํ•ดํ‚น ๋ฐฐ์šฐ๊ธฐ ๋ฐ ์—ฐ์Šตํ•˜๊ธฐ: HackTricks Training GCP Red Team Expert (GRTE) Azure ํ•ดํ‚น ๋ฐฐ์šฐ๊ธฐ ๋ฐ ์—ฐ์Šตํ•˜๊ธฐ: HackTricks Training Azure Red Team Expert (AzRTE)

HackTricks ์ง€์›ํ•˜๊ธฐ