Annex B (Informative) Example of cyber security threat information expression
This annex gives an example of expressing cyber security threat information about the "EternalBlue" (永恒之藍) ransomware worm using the eight components of the cyber security threat information expression model specified in this standard; its purpose is to demonstrate how that model is used. To keep the example readable, it does not express all of the information about the "EternalBlue" ransomware worm.
{
"id":"campaign--e2e1a340-4415-4ba8-9671-f7343fbf0836",
"idref":"",
"timestamp":"2017-05-14T06:32:45Z",
"version":"1.0",
"title":"“永恒之藍”勒索蠕蟲的攻擊活動",
"description":"基于“永恒之藍”生成的蠕蟲病毒,通過Windows系統的445文件共享端口進行傳播,往聯網的計算機中植入勒索程序。計算機系統在感染后,勒索蠕蟲在后臺進行文件加密,完成加密后將彈出勒索通知的窗口,要求用戶支付價值300美元的比特幣才能解鎖,不能按時支付贖金的系統會被銷毀數據。同時,受害主機會自動隨機掃描網絡內開放445端口的、有漏洞的其他主機,并通過SMB協議將該勒索蠕蟲再植入到新的目標主機中,擴散傳播速度極快。",
"short_description":"基于Windows系統445端口傳播,加密文件,索要贖金。",
"aliases":"",
"intended_effect":"Theft",
"status":"Ongoing",
"related_TTPs":["ttp--5ee9db36-4a1e-4dd4-bb32-2551eda97f4a"],
"related_incidents":["incident--613f2e26-407d-48c7-9eca-b8e91df99dc9","incident--f88d31f6-486f-44da-b317-01333bde0b82"],
"attributed_to":["threatactor--5e57c739-391a-4eb3-b6be-7d15ca92d5ed"],
"associated_campaigns":[],
"confidence":"100",
"activity":"",
"information_source":"XX公司XX團隊"
}
{
"id":"ttp--5ee9db36-4a1e-4dd4-bb32-2551eda97f4a",
"idref":"",
"timestamp":"2017-05-14T06:32:45Z",
"version":"1.0",
"title":"“永恒之藍”勒索蠕蟲的攻擊方法",
"description":"勒索蠕蟲通過漏洞遠程執行時,會從資源文件夾下釋放一個壓縮包,此壓縮包在內存中通過密碼(WNcry@2ol7)解密并釋放文件。這些文件包含了后續彈出勒索框的exe,桌面背景圖片的bmp,包含各國語言的勒索字體,還有輔助攻擊的兩個exe文件。這些文件會釋放到本地目錄,并設置為隱藏。然后,繼續掃描網絡中的其它主機,若發現存在SMB漏洞(MS17-010)的Windows系統,則繼續傳播。解壓后在本機的文件,對用戶主機的文件進行加密,并彈出索要贖金的提示框。",
"short_description":"攻擊存在 SMB漏洞(MS17-010)的Windows系統,加密文件,索要贖金",
"intended_effect":"Theft",
"behavior":"加密用戶常用文件,索要贖金",
"resources":["未安裝MS17-010補丁的Windows系統"],
"victim_targeting":["所有連接互聯網的計算機"],
"exploit_targets":["target--b346b4b3-f4b7-4235-b659-f985f65f0009"],
"related_TTPs":[],
"kill_chain_phases":"ActionsonObjective",
"information_source":"XX公司XX團隊",
"kill_chains":""
}
{
"id":"incident--34098fce-860f-48ae-8e50-ebd3cc5e41da",
"idref":"",
"timestamp":"2017-05-14T06:32:45Z",
"version":"1.0",
"url":"",
"title":"“永恒之藍”勒索蠕蟲的安全事件1——連接開關域名",
"external_id":"",
"valid_from":"2017-05-12T15:00:00Z",
"valid_to":"2017-05-14T06:32:45Z",
"description":"勒索蠕蟲啟動后,立即訪問一個特殊域名(開關域名):http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com,如果能訪問到這個域名,則退出運行,不會觸發任何惡意行為。如果訪問不到,則執行后續的勒索和傳播行為。",
"short_description":"訪問開關域名",
"categories":["蠕蟲","勒索軟件"],
"participator":[{
"reporter":"Darien Huss"
}],
"affected_assets":"受感染的計算機",
"impact_assessment":"決定勒索病毒是否產生惡意行為并繼續傳播",
"status":"Open",
"related_indicators":["indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f"],
"intended_effect":"Theft",
"security_compromise":"Yes",
"discovery_method":"",
"related_incidents":["incident--613f2e26-407d-48c7-9eca-b8e91df99dc9","incident--f88d31f6-486f-44da-b317-01333bde0b82"],
"COA_requested":[],
"credibility":"high",
"contact":[],
"history":[],
"info_source":"XX公司XX團隊"
}
{
"id":"incident--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"idref":"",
"timestamp":"2017-05-14T06:32:45Z",
"version":"1.0",
"url":"",
"title":"“永恒之藍”勒索蠕蟲的安全事件2——加密并勒索",
"external_id":"",
"valid_from":"2017-05-12T15:00:00Z",
"valid_to":"2017-05-14T06:32:45Z",
"description":"執行tasksche.exe,解壓資源文件,從t.wnry文件中加載動態鏈接庫,進行文件加密,彈出勒索對話框。",
"short_description":"加密文件,索要贖金",
"categories":["蠕蟲","勒索軟件"],
"participator":[],
"affected_assets":"受感染的計算機",
"impact_assessment":"",
"status":"Open",
"related_indicators":["indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f"],
"intended_effect":"Theft",
"security_compromise":"Yes",
"discovery_method":"檢查文件",
"related_incidents":["incident--34098fce-860f-48ae-8e50-ebd3cc5e41da","incident--f88d31f6-486f-44da-b317-01333bde0b82"],
"COA_requested":["coa--34098fce-860f-48ae-8e50-ebd3cc5e41da"],
"credibility":"high",
"contact":[],
"history":[],
"info_source":"XX公司XX團隊"
}
{
"id":"incident--f88d31f6-486f-44da-b317-01333bde0b82",
"idref":"",
"timestamp":"2017-05-14T06:32:45Z",
"version":"1.0",
"url":"",
"title":"“永恒之藍”勒索蠕蟲的安全事件3——橫向傳播",
"external_id":"",
"valid_from":"2017-05-12T15:00:00Z",
"valid_to":"2017-05-14T06:32:45Z",
"description":"1.判斷是否處于內網環境,如果是內網,掃描10.0.0.0~10.255.255.255, 172.16.0.0~172.31.255.255,192.168.0.0~192.168.255.255范圍內的主機并進行感染傳播;如果是外網,則隨機產生IP地址并進行感染傳播;2.投遞載荷(由shell code和dll組成),包括32位和64位兩個版本;3.執行shell code并調用dll。",
"short_description":"掃描網絡,投遞載荷",
"categories":["蠕蟲","勒索軟件"],
"participator":[],
"affected_assets":"與受感染計算機連接的計算機",
"impact_assessment":"",
"status":"Open",
"related_indicators":[],
"intended_effect":"Theft",
"security_compromise":"Yes",
"discovery_method":"",
"related_incidents":["incident--34098fce-860f-48ae-8e50-ebd3cc5e41da","incident--613f2e26-407d-48c7-9eca-b8e91df99dc9"],
"COA_requested":["coa--34098fce-860f-48ae-8e50-ebd3cc5e41da"],
"credibility":"high",
"contact":[],
"history":[],
"info_source":"XX公司XX團隊"
}
{
"id":"threatactor--5e57c739-391a-4eb3-b6be-7d15ca92d5ed",
"idref":"",
"timestamp":"2017-05-14T06:32:45Z",
"version":"1.0",
"title":"“永恒之藍”勒索蠕蟲的威脅主體",
"description":"不明黑客組織/個人,利用“永恒之藍”網絡武器,通過Windows系統的445文件共享端口,傳播勒索程序。計算機系統在感染后即被鎖定,所有文件被加密,用戶被要求支付價值300美元的比特幣才能解鎖,不能按時支付贖金的系統會被銷毀數據。",
"short_description":"不明黑客組織/個人",
"identity":"",
"type":[],
"motivation":"Financial or Economic",
"sophistication":"eCrime Actor - Malware Developer",
"intended_effect":"Theft",
"planning_and_operational_support":"",
"observed_TTPs":["ttp--5ee9db36-4a1e-4dd4-bb32-2551eda97f4a"],
"associated_campaigns":["campaign--e2e1a340-4415-4ba8-9671-f7343fbf0836"],
"associated_actors":[],
"confidence":"50",
"information_source":"XX公司XX團隊"
}
{
"id":"target--b346b4b3-f4b7-4235-b659-f985f65f0009",
"idref":"",
"timestamp":"2017-05-14T06:32:45Z",
"version":"1.0",
"title":"“永恒之藍”勒索蠕蟲的攻擊目標",
"description":"XX省XX市XX加油站,5臺加油卡自助服務終端計算機。",
"short_description":"XX省XX市XX加油站計算機",
"vulnerability": ["CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0148"],
"weakness":"",
"potential_COAs":["coa--34098fce-860f-48ae-8e50-ebd3cc5e41da"],
"information_source":"XX公司XX團隊",
"related_exploit_targets":["target--ee916c28-c7a4-4d0d-ad56-a8d357f89fef","target--5d0092c5-5f74-4287-9642-33f4c354e56d"]
}
{
"id":"target--ee916c28-c7a4-4d0d-ad56-a8d357f89fef",
"idref":"",
"timestamp":"2017-05-14T06:32:45Z",
"version":"1.0",
"title":"“永恒之藍”勒索蠕蟲的攻擊目標",
"description":"XX省XX市出入境業務辦理大廳,10臺處理業務的計算機。",
"short_description":"XX省XX市出入境業務辦理大廳計算機",
"vulnerability": ["CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0148"],
"weakness":"",
"potential_COAs":["coa--34098fce-860f-48ae-8e50-ebd3cc5e41da"],
"information_source":"XX公司XX團隊",
"related_exploit_targets":["target--b346b4b3-f4b7-4235-b659-f985f65f0009"]
}
{
"id":"target--5d0092c5-5f74-4287-9642-33f4c354e56d",
"idref":"",
"timestamp":"2017-05-14T06:32:45Z",
"version":"1.0",
"title":"“永恒之藍”勒索蠕蟲的攻擊目標",
"description":"XX省XX大學XX實驗室,15臺計算機。",
"short_description":"XX省XX大學XX實驗室計算機",
"vulnerability": ["CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0148"],
"weakness":"",
"potential_COAs":["coa--34098fce-860f-48ae-8e50-ebd3cc5e41da"],
"information_source":"XX公司XX團隊",
"related_exploit_targets":["target--ee916c28-c7a4-4d0d-ad56-a8d357f89fef","target--b346b4b3-f4b7-4235-b659-f985f65f0009"]
}
{
"id":"indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"idref":"",
"timestamp":"2017-05-14T06:32:45Z",
"version":"1.0",
"title":"“永恒之藍”勒索蠕蟲的攻擊指標",
"type":"ransomware worm",
"aliases":"WannaCry",
"description":"“永恒之藍”勒索蠕蟲的攻擊指標,涉及到進程、文件、注冊表等多類",
"short_description":"",
"valid_from":"2017-05-12T15:00:00Z",
"valid_to":"2017-05-14T06:32:45Z",
"observable":"observation--089a6ecb-cc15-43cc-9494-767639779123",
"composite_indicator_expression":[
{
"value": "3773a88f65a5e780c8dff9cdc3a056f3",
"source_ref": "provider",
"type": "md5",
"created_time": "2016-12-09T08:58:33Z"
},
{
"value": "0aa1f07a2ebcdd42896d3d8fdb5e9a9fef0f4f894d2501b9cbbe4cbad673ec03",
"source_ref": "provider",
"type": "sha256",
"created_time": "2016-12-09T08:58:33Z"
}
],
"indicated_TTP":["ttp--5ee9db36-4a1e-4dd4-bb32-2551eda97f4a"],
"test_mechanisms":"",
"likely_impact":"",
"suggested_of_coa":["coa--34098fce-860f-48ae-8e50-ebd3cc5e41da"],
"confidence":"89",
"related_indicators":[],
"information_source":"XX公司XX團隊"
}
{
"id":"observation--089a6ecb-cc15-43cc-9494-767639779123",
"idref":"",
"timestamp":"2017-05-14T06:32:45Z",
"version":"1.0",
"title":"“永恒之藍”勒索蠕蟲的可觀測數據",
"description":"“永恒之藍”勒索蠕蟲會改變多個參數,包括……",
"short_description":"",
"object":[
{
"relationship":"or",
"value":[
{
"constraint":"equal",
"object_type":"file",
"file_name":"*.wncry"
},{
"constraint":"equal",
"object_type":"process",
"name": "attrib.exe",
"parameter" :[ "+h ." ]
},{
"constraint":"equal",
"object_type":"process",
"name": "cmd.exe",
"parameter":["/c","reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" ]
},{
"constraint":"equal",
"object_type":"process",
"name": "@WanaDecryptor@.exe",
"parameter" :[ "co" ]
},{
"constraint":"equal",
"object_type":"registry",
"registry_path": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
"registry_type" :[ "REG_SZ" ],
"registry_key_value" :"tasksche.exe"
}
]
}
]
}
{
"id":"coa--34098fce-860f-48ae-8e50-ebd3cc5e41da",
"idref":"",
"timestamp":"2017-05-14T06:32:45Z",
"version":"1.0",
"title":"“永恒之藍”勒索蠕蟲的應對措施",
"stage":"Response",
"type":["Physical Access Restrictions","Eradication", "Patching"],
"description":"1.拔掉網線再開機,防止繼續感染其它計算機;2.用升級后的殺毒軟件查殺該蠕蟲病毒;3.在確定病毒清除后,迅速更新系統補丁MS17-010(對Windows XP/2003等官方已停止服務的系統,微軟已推出針對該病毒利用漏洞的特別安全補丁);4.若數據價值較高,在確認攻擊者信譽度后,可考慮支付贖金取回。",
"short_description":"斷網,查殺蠕蟲,打補丁,必要時考慮繳納贖金",
"objective":["所有被懷疑的計算機"],
"parameter_observables":"",
"structured_COA":"",
"impact":"",
"cost":"",
"efficacy":"",
"information_source":"XX公司XX團隊",
"related_COAs":[]
}
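The components above are linked only through their "id" values (campaign to TTP, incident to indicator, indicator to observable, and so on), so a consumer of this format has to verify that every reference resolves. As an added example, not part of the standard, the Python checker below parses a stream of back-to-back JSON objects as the annex lists them and reports references that are dangling or padded with whitespace. The embedded sample is a constructed subset of the annex's objects with one padded reference of the kind that appears in several related_incidents lists.

```python
import json
import re
from typing import List

# Identifiers in this format take the form "<component>--<uuid>".
ID_RE = re.compile(r"^(campaign|ttp|incident|threatactor|target|indicator|"
                   r"observation|coa)--[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

# Constructed sample: three objects copied in reduced form from the annex.
# The campaign's incident reference carries a leading space; the threat
# actor and exploit target it points at are deliberately not included.
SAMPLE = """
{"id":"campaign--e2e1a340-4415-4ba8-9671-f7343fbf0836",
 "related_TTPs":["ttp--5ee9db36-4a1e-4dd4-bb32-2551eda97f4a"],
 "related_incidents":[" incident--34098fce-860f-48ae-8e50-ebd3cc5e41da"],
 "attributed_to":["threatactor--5e57c739-391a-4eb3-b6be-7d15ca92d5ed"]}
{"id":"ttp--5ee9db36-4a1e-4dd4-bb32-2551eda97f4a",
 "exploit_targets":["target--b346b4b3-f4b7-4235-b659-f985f65f0009"]}
{"id":"incident--34098fce-860f-48ae-8e50-ebd3cc5e41da",
 "related_indicators":[]}
"""


def load_objects(text: str) -> List[dict]:
    """Parse concatenated JSON objects (no enclosing array), as the annex lists them."""
    decoder = json.JSONDecoder()
    objs, pos = [], 0
    while True:
        pos = len(text) - len(text[pos:].lstrip())   # skip whitespace between objects
        if pos >= len(text):
            return objs
        obj, pos = decoder.raw_decode(text, pos)
        objs.append(obj)


def check_references(objs: List[dict]) -> List[str]:
    """Report identifier-shaped values that are whitespace-padded or do not resolve."""
    known = {o["id"] for o in objs}
    problems = []
    for o in objs:
        for field, value in o.items():
            if field == "id":
                continue
            for ref in (value if isinstance(value, list) else [value]):
                if not isinstance(ref, str) or not ID_RE.match(ref.strip()):
                    continue  # plain text, nested object, or empty string: not a reference
                if ref != ref.strip():
                    problems.append(f"{o['id']}.{field}: padded reference {ref!r}")
                if ref.strip() not in known:
                    problems.append(f"{o['id']}.{field}: dangling reference {ref.strip()}")
    return problems


if __name__ == "__main__":
    for line in check_references(load_objects(SAMPLE)):
        print(line)
```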
GB/T 36643—2018 Information security technology: Cyber security threat information format specification