Microsoft์˜ Graph API๋ฅผ ํ™œ์šฉํ•œ ์œ„ํ˜‘

2024. 5. 3. 16:13ยท๋ณด์•ˆ ์ด์Šˆ

 

๐Ÿ’ก Microsoft Graph API๋ž€?

Microsoft Graph์€ Microsoft 365 ์„œ๋น„์Šค์— ์ €์žฅ๋œ ๋ฐ์ดํ„ฐ์— ์•ก์„ธ์Šค ํ•  ์ˆ˜ ์žˆ๋Š” API
์ด API๋ฅผ ์‚ฌ์šฉํ•˜๋ฉด ์‚ฌ์šฉ์ž ์ง€์ • ์‘์šฉ ํ”„๋กœ๊ทธ๋žจ์ด ์กฐ์ง์˜ ๋ฐ์ดํ„ฐ์— ์—ฐ๊ฒฐํ•˜๊ณ  ์กฐ์ง ๋‚ด์—์„œ ์ƒ์‚ฐ์„ฑ์„ ํ–ฅ์ƒ์‹œํ‚ฌ ์ˆ˜ ์žˆ์Œ

 

์ฆ‰, ํด๋ผ์šฐ๋“œ ๊ธฐ๋ฐ˜์œผ๋กœ Microsoft 365์— ์ €์žฅ๋œ ๋ฐ์ดํ„ฐ์— ์•ก์„ธ์Šค๋ฅผ ์ œ๊ณตํ•˜๋Š” API์ž„

 

โฌ‡  Microsoft Graph ์„œ๋น„์Šค ์ดํ•ด 
https://learn.microsoft.com/ko-kr/training/modules/msgraph-intro-overview/3-microsoft-graph-services

 

Microsoft Graph ์„œ๋น„์Šค ์ดํ•ด - Training

Microsoft Graph ๋ฐ ์„œ๋น„์Šค์—์„œ ์‚ฌ์šฉ์ž ๋ฐ ๊ทธ๋ฃน์„ ์‚ฌ์šฉํ•˜๋Š” ๋ฐฉ๋ฒ•์— ๋Œ€ํ•ด ์•Œ์•„๋ด…๋‹ˆ๋‹ค.

learn.microsoft.com

 

 

โš” ๊ณต๊ฒฉ์— ์ด์šฉ๋œ Graph API

ํด๋ผ์šฐ๋“œ ๊ธฐ๋ฐ˜ C2 ์„œ๋ฒ„ ํ†ต์‹ ์— ์‚ฌ์šฉ๋จ

Microsoft ํด๋ผ์šฐ๋“œ ์„œ๋น„์Šค์—์„œ ํ˜ธ์ŠคํŒ… ๋˜๋Š” C2 ์ธํ”„๋ผ์™€์˜ ํ†ต์‹ ์„ ์šฉ์ดํ•˜๊ธฐ ์œ„ํ•ด Graph API๋ฅผ ํ™œ์šฉํ•˜๋Š” ์œ„ํ˜‘์ด ์ฆ๊ฐ€ํ•จ

 

 

๐Ÿ“ข Graph API๋ฅผ ์ด์šฉํ•œ ์‹ค์ œ ๊ณต๊ฒฉ ์‚ฌ๋ก€

์ด๋Ÿฌํ•œ ๊ธฐ์ˆ ์ด ์šฐํฌ๋ผ์ด๋‚˜์˜ ํ•œ ์กฐ์ง์— ๋Œ€ํ•œ ๊ณต๊ฒฉ์—์„œ ๊ฐ€์žฅ ์ตœ๊ทผ์— ์‚ฌ์šฉ๋˜์—ˆ์Œ
์ด ๊ณต๊ฒฉ์— ์‚ฌ์šฉ๋œ ์•…์„ฑ์ฝ”๋“œ๋Š” ์ด์ „์— ๋ฐœ๊ฒฌ๋˜์ง€ ์•Š์•˜์Œ

ํ•ด๋‹น ์•…์„ฑ์ฝ”๋“œ๋Š” Graph API๋ฅผ ์‚ฌ์šฉํ•ด C2 ๋ชฉ์ ์œผ๋กœ Microsoft OneDrive๋ฅผ ํ™œ์šฉํ•จ

 

 

๐Ÿงซ Graph API๋ฅผ ์ด์šฉํ•œ ์•…์„ฑ์ฝ”๋“œ: BirdyClient

์šฐํฌ๋ผ์ด๋‚˜์—์„œ ๋ฐœ๊ฒฌ๋œ ์•…์„ฑ์ฝ”๋“œ๋กœ, BirdyClient ๋˜๋Š” OneDriveBirdyClient๋กœ ๋ช…๋ช…๋œ ๊ฒƒ์œผ๋กœ ๋ณด์—ฌ์ง

์œ„์ฒ˜๋Ÿผ ๋ช…๋ช…๋œ ์ด์œ ๋Š” ํ•ด๋‹น ์•…์„ฑ์ฝ”๋“œ๊ฐ€ ๋ฐœ๊ฒฌ๋œ ํŒŒ์ผ์ธ vxdiff.dll์—์„œ BirdyClient์™€ OneDriveBirdyClient์— ๋Œ€ํ•œ ์–ธ๊ธ‰์ด ๋ฐœ๊ฒฌ๋จ

 

vxdiff.dll์€ ๋…ธํŠธ๋ถ์—์„œ ํ”ํžˆ ๋ณผ ์ˆ˜ ์žˆ๋Š” Alps์‚ฌ์—์„œ ์ œ๊ณตํ•˜๋Š” Alps ํฌ์ธํŒ… ์žฅ์น˜(๋งˆ์šฐ์Šค๋‚˜ ํ„ฐ์น˜ํŒจ๋“œ)์˜ ๋“œ๋ผ์ด๋ฒ„ ๊ด€๋ฆฌ ๋ฐ ์ œ์–ด ์†Œํ”„ํŠธ์›จ์–ด์ธ Apoint (apoint.exe)์™€ ์—ฐ๊ด€๋œ ์œ ํšจํ•œ DLL๊ณผ ๋™์ผํ•จ

 

ํ•˜์ง€๋งŒ ์ด ์•…์„ฑ์ฝ”๋“œ๊ฐ€ ์œ ํšจํ•œ DLL๋กœ ์œ„์žฅํ•œ ๊ฒƒ์ธ์ง€, DLL์„ ํ†ตํ•ด ์‚ฌ์ด๋“œ๋กœ๋“œ ๋˜๋Š”์ง€๋Š” ์•Œ๋ ค์ง€์ง€ ์•Š์Œ

 

 

๐Ÿ“‘ BirdyClient์˜ ์ฃผ์š” ๊ธฐ๋Šฅ

  1. Microsoft Graph API์— ์—ฐ๊ฒฐ
  2. ๊ณต๊ฒฉ์ž์˜ Microsoft OneDrive๋ฅผ C&C ์„œ๋ฒ„์ฒ˜๋Ÿผ ์ด์šฉํ•ด ํŒŒ์ผ์„ ์—…๋กœ๋“œํ•˜๊ณ  ๋‹ค์šด๋กœ๋“œํ•จ

โฌ‡ Graph API๋ฅผ ์ด์šฉํ•œ ํŒŒ์ผ ๋‹ค์šด๋กœ๋“œ ๋ฌธ์„œ
https://learn.microsoft.com/en-us/graph/api/driveitem-get-content?view=graph-rest-1.0&tabs=http

 

Download a file - Microsoft Graph v1.0

Download the contents of the primary stream (file) of a driveItem. Only driveItems with the file property can be downloaded.

learn.microsoft.com

 

โฌ‡  Graph API๋ฅผ ์ด์šฉํ•œ ํŒŒ์ผ ์—…๋กœ๋“œ/๋ฎ์–ด์“ฐ๊ธฐ ๋ฌธ์„œ

https://learn.microsoft.com/en-us/graph/api/driveitem-put-content?view=graph-rest-1.0&tabs=http

 

Upload small files - Microsoft Graph v1.0

Provide the contents of a new file or update the contents of an existing file in a single API call.

learn.microsoft.com

 

 

ํ•ด๋‹น ์•…์„ฑ์ฝ”๋“œ๋Š” ๋‹ค์Œ๊ณผ ๊ฐ™์€ ๋กœ๊ทธ ํŒŒ์ผ์„ ์ƒ์„ฑํ•จ

%AllUsersProfile%/{0134AA2C-03BE-448D-8D28-7FFE94EA3A49}/config/001.temp

 

 
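
The two host artifacts named above (the log file path and the vxdiff.dll file name) are enough for a first-pass triage check. The script below is an added example, not code from the original post, from Symantec or from the malware: it looks for the reported log file under %AllUsersProfile% and lists every copy of vxdiff.dll under the roots you give it with a SHA-256, so an analyst can compare each copy against the vendor's legitimate Alps DLL instead of trusting the file name. Function names and the finding record layout are assumptions made for this example.

```python
"""Host triage for the BirdyClient artifacts named in the post above.

Added example; this is not code from the original post, from Symantec, or from
the malware. It checks for the log file path the post reports under
%AllUsersProfile% and lists every vxdiff.dll found under the roots given,
with a SHA-256 so an analyst can compare each copy against the vendor's
legitimate Alps DLL. Function names and the finding record layout are
assumptions made for this example.
"""
import hashlib
import os
from pathlib import Path
from typing import Dict, Iterable, List, Optional

# Path reported in the post, relative to %AllUsersProfile% (C:\ProgramData on
# a default Windows install).
BIRDYCLIENT_LOG_RELPATH = Path("{0134AA2C-03BE-448D-8D28-7FFE94EA3A49}") / "config" / "001.temp"
# Name of the DLL the malware was found in; it is also the name of a legitimate
# DLL shipped with the Alps Apoint pointing-device software.
SUSPECT_DLL_NAME = "vxdiff.dll"


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large DLLs do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_log_artifact(all_users_profile: Optional[str] = None) -> Optional[Dict]:
    """Return a finding if the reported log file exists, otherwise None.

    all_users_profile defaults to the live %AllUsersProfile% variable; pass a
    directory explicitly when triaging a mounted disk image (or in a test).
    """
    base = all_users_profile or os.environ.get("ALLUSERSPROFILE")
    if not base:
        return None
    candidate = Path(base) / BIRDYCLIENT_LOG_RELPATH
    if not candidate.is_file():
        return None
    return {"type": "birdyclient_log_file", "path": str(candidate),
            "size": candidate.stat().st_size}


def find_dll_copies(roots: Iterable[str]) -> List[Dict]:
    """List every file named vxdiff.dll (case-insensitive) under the given roots.

    The post does not say whether the sample masquerades as the legitimate DLL
    or is side-loaded through it, so every copy is reported for analyst review
    rather than any single path being judged malicious.
    """
    findings: List[Dict] = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.lower() == SUSPECT_DLL_NAME:
                    dll = Path(dirpath) / name
                    findings.append({"type": "vxdiff_dll_copy", "path": str(dll),
                                     "sha256": sha256_of(dll)})
    return findings


def triage(all_users_profile: Optional[str] = None,
           dll_roots: Iterable[str] = ()) -> List[Dict]:
    """Run both checks and return the combined list of findings (empty = clean)."""
    findings: List[Dict] = []
    log_hit = check_log_artifact(all_users_profile)
    if log_hit is not None:
        findings.append(log_hit)
    findings.extend(find_dll_copies(dll_roots))
    return findings


if __name__ == "__main__":
    import json
    # On a live Windows host, %SystemRoot% and %ProgramFiles% are reasonable
    # roots for the DLL sweep; the vendor install directory lives under the latter.
    roots = [r for r in (os.environ.get("SystemRoot"), os.environ.get("ProgramFiles")) if r]
    print(json.dumps(triage(dll_roots=roots), indent=2))
```

The presence of the log file is a direct match on the reported indicator; a vxdiff.dll listing is only a lead, because the legitimate Alps DLL carries the same name, which is why the script records a hash for comparison rather than flagging the file on its own.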

๐Ÿ“ฝ Graph API๋ฅผ ์•…์šฉํ•œ ๊ณผ๊ฑฐ ์‚ฌ๋ก€

๋ถํ•œ์˜ APT37์ด ๊ฐœ๋ฐœํ•œ Bluelight ์•…์„ฑ์ฝ”๋“œ์—์„œ ์ตœ์ดˆ๋กœ ์•…์šฉ๋จ

์ดํ›„ Backdoor.Graphon, Graphite, SiestaGraph์—์„œ๋„ Graph API๊ฐ€ ์ด์šฉ๋จ

์ž‘๋…„ 6์›”์˜ APT15์˜ ๊ณต๊ฒฉ์—์„œ๋„ ๋™์ผํ•œ ์ˆ˜๋ฒ•์ด ์ด์šฉ๋œ ๊ฒƒ์ด ๋ฐœ๊ฒฌ๋จ

 

 

๐Ÿ‘ฉ‍๐Ÿ’ป ๊ณต๊ฒฉ์ž ๊ด€์ ์—์„œ์˜ Graph API ํ™œ์šฉ

์ผ๋ฐ˜์ ์ธ ๋ฐฉ์‹์œผ๋กœ C2 ํ†ต์‹ ์„ ํ•˜๋Š” ๊ฒฝ์šฐ, ํ•ด๋‹น ํ–‰์œ„๊ฐ€ ํฌ์ฐฉ๋˜๊ธฐ ์‰ฌ์›€
๊ทธ๋Ÿฌ๋‚˜ Graph API๋Š” ์‚ฌ๋žŒ๋“ค์ด ๋„๋ฆฌ ์ด์šฉํ•˜๊ณ  ์žˆ๋Š” ์ •์ƒ์ ์ธ ์„œ๋น„์Šค์ด๊ธฐ ๋•Œ๋ฌธ์—, ๊ณต๊ฒฉ ํ–‰์œ„์ž์—๊ฒŒ๋Š” ์˜์‹ฌ์Šค๋Ÿฌ์šด ํŠธ๋ž˜ํ”ฝ์œผ๋กœ ๋ณด์—ฌ์ง€์ง€ ์•Š์„ ์ˆ˜ ์žˆ๋Š” ์•ˆ์ „ํ•œ ์ธํ”„๋ผ๋กœ ์—ฌ๊ฒจ์ง
๋˜ํ•œ, OneDrive์™€ ๊ฐ™์€ ์„œ๋น„์Šค๋Š” ๊ธฐ๋ณธ์ ์œผ๋กœ ๋ฌด๋ฃŒ๋กœ ์ด์šฉํ•  ์ˆ˜ ์žˆ์–ด ์ ์€ ์˜ˆ์‚ฐ์œผ๋กœ ์ด์šฉํ•  ์ˆ˜ ์žˆ์Œ

 

 
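
Because the destination (graph.microsoft.com) is legitimate, a defender cannot block or alert on the host name; what remains is the combination of who is talking to it and how. The script below is an added example, not code from the original post or from Symantec: it runs two rules over constructed endpoint telemetry, one for driveItem content transfers (the GET/PUT .../content calls documented above) from a process that is not an expected Microsoft 365 client, and one for a near-constant polling cadence to Graph, which an implant waiting for tasking tends to show while a sync client does not. The record layout, the process allowlist, the thresholds and the sample events are all assumptions made for this example.

```python
"""Spotting OneDrive-as-C2 traffic in endpoint network telemetry.

Added example; not code from the original post or from Symantec. The record
layout, the process allowlist and both thresholds are assumptions made for
this example, and SAMPLE_EVENTS is constructed telemetry.
"""
import re
import statistics
from collections import defaultdict
from typing import Dict, List

GRAPH_HOST = "graph.microsoft.com"
# Matches driveItem content endpoints such as /v1.0/me/drive/items/{id}/content
# or /v1.0/me/drive/root:/path/file.bin:/content; the query string is ignored.
DRIVE_CONTENT_RE = re.compile(r"/drives?(/[^?]*)?/content(\?|$)")
# Assumed allowlist: process images that are expected to talk to Graph.
EXPECTED_GRAPH_CLIENTS = {"onedrive.exe", "outlook.exe", "teams.exe", "msedge.exe",
                          "chrome.exe", "winword.exe", "excel.exe"}
MIN_BEACONS = 5          # minimum requests before a cadence is judged
MAX_JITTER_RATIO = 0.15  # stdev/mean of inter-request gaps at or below this = regular

# Constructed events: one record per outbound HTTPS request, as an EDR network
# event joined with the proxy URL log would give. Times are epoch seconds.
ONEDRIVE = r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
BROWSER = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
BEACON_IMAGE = r"C:\Users\alice\AppData\Local\Temp\updater.exe"  # constructed name
SAMPLE_EVENTS: List[Dict] = [
    # Benign: the sync client, irregular timing, mostly delta queries.
    {"ts": 0, "host": "WS01", "image": ONEDRIVE, "dest_host": GRAPH_HOST,
     "method": "GET", "url": "/v1.0/me/drive/root/delta"},
    {"ts": 45, "host": "WS01", "image": ONEDRIVE, "dest_host": GRAPH_HOST,
     "method": "GET", "url": "/v1.0/me/drive/root/delta"},
    {"ts": 130, "host": "WS01", "image": ONEDRIVE, "dest_host": GRAPH_HOST,
     "method": "PUT", "url": "/v1.0/me/drive/root:/Documents/report.docx:/content"},
    {"ts": 140, "host": "WS01", "image": ONEDRIVE, "dest_host": GRAPH_HOST,
     "method": "GET", "url": "/v1.0/me/drive/root/delta"},
    {"ts": 400, "host": "WS01", "image": ONEDRIVE, "dest_host": GRAPH_HOST,
     "method": "GET", "url": "/v1.0/me/drive/root/delta"},
    {"ts": 410, "host": "WS01", "image": ONEDRIVE, "dest_host": GRAPH_HOST,
     "method": "GET", "url": "/v1.0/me/drive/root/delta"},
    # Benign: a browser fetching the signed-in user's profile once.
    {"ts": 500, "host": "WS01", "image": BROWSER, "dest_host": GRAPH_HOST,
     "method": "GET", "url": "/v1.0/me"},
] + [
    # Suspicious: an unknown binary alternating download/upload of drive
    # content every 60 seconds exactly.
    {"ts": 1000 + 60 * i, "host": "WS01", "image": BEACON_IMAGE, "dest_host": GRAPH_HOST,
     "method": "GET" if i % 2 == 0 else "PUT",
     "url": ("/v1.0/me/drive/root:/tasks/cmd.txt:/content" if i % 2 == 0
             else "/v1.0/me/drive/root:/results/out.bin:/content")}
    for i in range(6)
]


def image_name(image_path: str) -> str:
    """Lower-cased file name of a Windows or POSIX process image path."""
    return image_path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect_unexpected_transfers(events: List[Dict]) -> List[Dict]:
    """Rule 1: drive content GET/PUT to Graph from a non-allowlisted process."""
    findings = []
    for e in events:
        if e["dest_host"] != GRAPH_HOST or not DRIVE_CONTENT_RE.search(e["url"]):
            continue
        if image_name(e["image"]) in EXPECTED_GRAPH_CLIENTS:
            continue
        findings.append({"rule": "unexpected_drive_transfer", "host": e["host"],
                         "image": e["image"], "method": e["method"],
                         "url": e["url"], "ts": e["ts"]})
    return findings


def detect_regular_polling(events: List[Dict]) -> List[Dict]:
    """Rule 2: a process contacting Graph at near-constant intervals."""
    times_by_proc = defaultdict(list)
    for e in events:
        if e["dest_host"] == GRAPH_HOST:
            times_by_proc[(e["host"], e["image"])].append(e["ts"])
    findings = []
    for (host, image), times in times_by_proc.items():
        if len(times) < MIN_BEACONS:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean_gap
        if jitter <= MAX_JITTER_RATIO:
            findings.append({"rule": "regular_graph_polling", "host": host, "image": image,
                             "count": len(times), "mean_gap_s": round(mean_gap, 1),
                             "jitter_ratio": round(jitter, 3)})
    return findings


def analyse(events: List[Dict]) -> List[Dict]:
    """Run both rules and return all findings."""
    return detect_unexpected_transfers(events) + detect_regular_polling(events)


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EVENTS):
        print(finding)
```

On the sample data the sync client's content upload is ignored because OneDrive.exe is allowlisted and its timing is irregular, while the unknown binary trips both rules. Real implants add jitter to their sleep, so the cadence rule is a supporting signal; the process-to-endpoint rule is the one worth tuning first, since it keys on the exact driveItem content calls this malware depends on.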

๐Ÿ”’ ๋งˆ๋ฌด๋ฆฌ

ํด๋ผ์šฐ๋“œ ํ”Œ๋žซํผ์— ๋Œ€ํ•œ ์ ‘๊ทผ ๊ถŒํ•œ ๋ถ€์—ฌ์— ๋Œ€ํ•œ ์ค‘์š”์„ฑ์ด ๊ฐ•์กฐ๋จ

 

 


์ฐธ๊ณ 

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/graph-api-threats

 

Graph: Growing number of threats leveraging Microsoft API

Graph API is often used for inconspicuous communications to cloud-based command-and-control servers.

symantec-enterprise-blogs.security.com


https://www.darkreading.com/cloud-security/microsoft-graph-api-emerges-as-top-attacker-tool-to-plot-data-theft

์ €์ž‘์žํ‘œ์‹œ ๋น„์˜๋ฆฌ ๋ณ€๊ฒฝ๊ธˆ์ง€ (์ƒˆ์ฐฝ์—ด๋ฆผ)

'๋ณด์•ˆ ์ด์Šˆ' ์นดํ…Œ๊ณ ๋ฆฌ์˜ ๋‹ค๋ฅธ ๊ธ€

AI ํ™˜๊ฐ์œผ๋กœ ์ธํ•œ ์ƒˆ๋กœ์šด ๊ณต๊ธ‰๋ง ๊ณต๊ฒฉ: ์Šฌ๋กญ์Šค์ฟผํŒ…(Slopsquatting)  (0) 2025.04.14
์‚ฌ์ด๋ฒ„ ๋ฒ”์ฃ„ ํฌ๋Ÿผ์— ์œ ์ถœ๋œ Amazon์˜ ์ง์› ์ •๋ณด  (2) 2024.11.13
ํ•˜๋“œ์›จ์–ด ๊ณต๊ธ‰๋ง ๊ณต๊ฒฉ์€ ์‚ฌ์ด๋ฒ„ ๊ณต๊ฒฉ์ผ๊นŒ?  (1) 2024.09.30
SpyAgent: ์ด๋ฏธ์ง€ ์ธ์‹์„ ํ†ตํ•œ ์•”ํ˜ธ ํ™”ํ ์ž๊ฒฉ ์ฆ๋ช… ํƒˆ์ทจ ์•ˆ๋“œ๋กœ์ด๋“œ ์ŠคํŒŒ์ด์›จ์–ด  (0) 2024.09.09
๋ฐฑ์•…๊ด€, ์ธํ„ฐ๋„ท์˜ ์ทจ์•ฝํ•œ ์—ฐ๊ฒฐ๊ณ ๋ฆฌ BGP ๋ณด์•ˆ ๊ฐ•ํ™” ํ•„์š”์„ฑ ์ œ๊ธฐ  (6) 2024.09.04
'๋ณด์•ˆ ์ด์Šˆ' ์นดํ…Œ๊ณ ๋ฆฌ์˜ ๋‹ค๋ฅธ ๊ธ€
  • ์‚ฌ์ด๋ฒ„ ๋ฒ”์ฃ„ ํฌ๋Ÿผ์— ์œ ์ถœ๋œ Amazon์˜ ์ง์› ์ •๋ณด
  • ํ•˜๋“œ์›จ์–ด ๊ณต๊ธ‰๋ง ๊ณต๊ฒฉ์€ ์‚ฌ์ด๋ฒ„ ๊ณต๊ฒฉ์ผ๊นŒ?
  • SpyAgent: ์ด๋ฏธ์ง€ ์ธ์‹์„ ํ†ตํ•œ ์•”ํ˜ธ ํ™”ํ ์ž๊ฒฉ ์ฆ๋ช… ํƒˆ์ทจ ์•ˆ๋“œ๋กœ์ด๋“œ ์ŠคํŒŒ์ด์›จ์–ด
  • ๋ฐฑ์•…๊ด€, ์ธํ„ฐ๋„ท์˜ ์ทจ์•ฝํ•œ ์—ฐ๊ฒฐ๊ณ ๋ฆฌ BGP ๋ณด์•ˆ ๊ฐ•ํ™” ํ•„์š”์„ฑ ์ œ๊ธฐ
602zzang
602zzang
  • 602zzang
    yks_STUDY
    602zzang
  • ์ „์ฒด
    ์˜ค๋Š˜
    ์–ด์ œ
    • ๋ถ„๋ฅ˜ ์ „์ฒด๋ณด๊ธฐ (77)
      • Programming Language (36)
        • C (15)
        • PYTHON (9)
        • RUST (12)
      • Reverse Engineering (3)
      • OS (17)
        • LINUX (17)
      • ๋ณด์•ˆ ์ด์Šˆ (6)
      • Digital Forensics (1)
      • CTF (8)
      • ๊ธฐํƒ€ (6)
  • ๋ธ”๋กœ๊ทธ ๋ฉ”๋‰ด

    • ํ™ˆ
    • ํƒœ๊ทธ
    • ๋ฐฉ๋ช…๋ก
  • ๋งํฌ

  • ๊ณต์ง€์‚ฌํ•ญ

  • ์ธ๊ธฐ ๊ธ€

  • ํƒœ๊ทธ

    cyberdefenders
    bandit
    ๋“œ๋ฆผํ•ต
    ๊ณต๊ธ‰๋ง
    umassctf2025
    TeamH4C
    c
    picoCTF
    python
    ๋ณด์•ˆ์ด์Šˆ
    Rocky Linux
    ๋ณด์•ˆ๋™ํ–ฅ
    ๋ฐฑ์ค€
    P4C
    rust
    ํŒŒ์ด์ฌ
    ์ฝ”๋“œ์—…
    rustling
    ๋นก๊ณตํŒŸ
    ์†Œ์ผ“ ํ†ต์‹ 
  • ์ตœ๊ทผ ๋Œ“๊ธ€

  • ์ตœ๊ทผ ๊ธ€

  • hELLOยท Designed By์ •์ƒ์šฐ.v4.10.0
602zzang
Microsoft์˜ Graph API๋ฅผ ํ™œ์šฉํ•œ ์œ„ํ˜‘
์ƒ๋‹จ์œผ๋กœ

ํ‹ฐ์Šคํ† ๋ฆฌํˆด๋ฐ”