{"updated":"2025-01-20T02:21:06.749572+00:00","metadata":{"_oai":{"id":"oai:ipsj.ixsq.nii.ac.jp:00187307","sets":["6164:6165:6462:9463"]},"path":["9463"],"owner":"11","recid":"187307","title":["Sysmonを用いたmimikatzの悪用の検知"],"pubdate":{"attribute_name":"公開日","attribute_value":"2017-10-16"},"_buckets":{"deposit":"5f38fb5a-e3d0-4aa9-82b3-31344f4705e0"},"_deposit":{"id":"187307","pid":{"type":"depid","value":"187307","revision_id":0},"owners":[11],"status":"published","created_by":11},"item_title":"Sysmonを用いたmimikatzの悪用の検知","author_link":["423279","423281","423284","423282","423283","423280"],"item_titles":{"attribute_name":"タイトル","attribute_value_mlt":[{"subitem_title":"Sysmonを用いたmimikatzの悪用の検知"},{"subitem_title":"Detecting Mimikatz by Sysmon","subitem_title_language":"en"}]},"item_keyword":{"attribute_name":"キーワード","attribute_value_mlt":[{"subitem_subject":"mimikatz,Sysmon,標的型攻撃,横展開,Elasticsearch","subitem_subject_scheme":"Other"}]},"item_type_id":"18","publish_date":"2017-10-16","item_language":{"attribute_name":"言語","attribute_value_mlt":[{"subitem_language":"jpn"}]},"item_18_text_3":{"attribute_name":"著者所属","attribute_value_mlt":[{"subitem_text_value":"東京大学情報学環セキュア情報化社会研究グループ"},{"subitem_text_value":"東京大学情報学環セキュア情報化社会研究グループ"},{"subitem_text_value":"東京大学情報学環セキュア情報化社会研究グループ"}]},"item_18_text_4":{"attribute_name":"著者所属(英)","attribute_value_mlt":[{"subitem_text_value":"The University of Tokyo, Secure information society research group","subitem_text_language":"en"},{"subitem_text_value":"The University of Tokyo, Secure information society research group","subitem_text_language":"en"},{"subitem_text_value":"The University of Tokyo, Secure information society research group","subitem_text_language":"en"}]},"item_publisher":{"attribute_name":"出版者","attribute_value_mlt":[{"subitem_publisher":"情報処理学会","subitem_publisher_language":"ja"}]},"publish_status":"0","weko_shared_id":-1,"item_file_price":{"attribute_name":"Billing file","attribute_type":"file","attribute_value_mlt":[{"url":{"url":"https://ipsj.ixsq.nii.ac.jp/record/187307/files/IPSJCSS2017132.pdf","label":"IPSJCSS2017132.pdf"},"date":[{"dateType":"Available","dateValue":"2017-10-16"}],"format":"application/pdf","billing":["billing_file"],"filename":"IPSJCSS2017132.pdf","filesize":[{"value":"1.3 MB"}],"mimetype":"application/pdf","priceinfo":[{"tax":["include_tax"],"price":"660","billingrole":"5"},{"tax":["include_tax"],"price":"330","billingrole":"6"},{"tax":["include_tax"],"price":"0","billingrole":"30"},{"tax":["include_tax"],"price":"0","billingrole":"46"},{"tax":["include_tax"],"price":"0","billingrole":"44"}],"accessrole":"open_date","version_id":"d13bd204-7ce7-4aa8-b0e5-a523234f160c","displaytype":"detail","licensetype":"license_note","license_note":"Copyright (c) 2017 by the Information Processing Society of Japan"}]},"item_18_creator_5":{"attribute_name":"著者名","attribute_type":"creator","attribute_value_mlt":[{"creatorNames":[{"creatorName":"松田, 亘"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"藤本, 万里子"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"満永, 拓邦"}],"nameIdentifiers":[{}]}]},"item_18_creator_6":{"attribute_name":"著者名(英)","attribute_type":"creator","attribute_value_mlt":[{"creatorNames":[{"creatorName":"Wataru, Matsuda","creatorNameLang":"en"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Mariko, Fujimoto","creatorNameLang":"en"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Takuho, Mitsunaga","creatorNameLang":"en"}],"nameIdentifiers":[{}]}]},"item_18_relation_9":{"attribute_name":"書誌レコードID","attribute_value_mlt":[{"subitem_relation_type_id":{"subitem_relation_type_select":"NCID","subitem_relation_type_id_text":"ISSN 1882-0840"}}]},"item_resource_type":{"attribute_name":"資源タイプ","attribute_value_mlt":[{"resourceuri":"http://purl.org/coar/resource_type/c_5794","resourcetype":"conference paper"}]},"item_18_description_7":{"attribute_name":"論文抄録","attribute_value_mlt":[{"subitem_description":"標的型攻撃において,組織に侵入した攻撃者はmimikatzという攻撃ツールを使って組織内で横展開を試みることが多い.mimikatzを使う攻撃では,正規ユーザか攻撃者によるアクセスかを判別するのが難しいという問題がある.そこで,Sysmonを使用して,コンピュータ上でmimikatzがロードしたDLLを検知する研究が行われているが,特定のWindowsやmimikatzのバージョンのみを対象としているため,実環境では誤検知が発生する可能性がある.本研究では,WindowsやmimikatzのバージョンによってロードされるDLLの違いを網羅的に検証し,誤検知を軽減する手法について調査する.また,分析エンジンであるElasticsearchを用いてログを分析し,効率的に検知する方法についても述べる.","subitem_description_type":"Other"}]},"item_18_description_8":{"attribute_name":"論文抄録(英)","attribute_value_mlt":[{"subitem_description":"In targeted attacks, attackers who have intruded into an office network often use a tool called \"mimikatz\" to steal credentials in order to attempt lateral movement. It is difficult to judge whether an access was made by a legitimate user or by an attacker when mimikatz is used. To address this, some methods have been proposed that detect the DLLs loaded by mimikatz using Sysmon. However, false detections can occur because those methods were tested only on specific Windows and mimikatz versions. This presentation proposes methods to reduce the false detection rate by investigating the differences among Windows and mimikatz versions. Furthermore, a technique using Elasticsearch (an analysis engine) to detect compromised machines effectively will be introduced.","subitem_description_type":"Other"}]},"item_18_biblio_info_10":{"attribute_name":"書誌情報","attribute_value_mlt":[{"bibliographic_titles":[{"bibliographic_title":"コンピュータセキュリティシンポジウム2017論文集"}],"bibliographicIssueDates":{"bibliographicIssueDate":"2017-10-16","bibliographicIssueDateType":"Issued"},"bibliographicIssueNumber":"2","bibliographicVolumeNumber":"2017"}]},"relation_version_is_last":true,"weko_creator_id":"11"},"created":"2025-01-19T00:53:59.345420+00:00","id":187307,"links":{}}