{"id":61577,"date":"2025-07-24T11:46:27","date_gmt":"2025-07-24T19:46:27","guid":{"rendered":"https:\/\/www.sumologic.com\/blog\/sharepoint-toolshell-%ec%a0%9c%eb%a1%9c%eb%8d%b0%ec%9d%b4"},"modified":"2026-02-25T04:27:00","modified_gmt":"2026-02-25T12:27:00","slug":"investigate-sharepoint-toolshell","status":"publish","type":"blog","link":"https:\/\/www.sumologic.com\/ko\/blog\/investigate-sharepoint-toolshell","title":{"rendered":"SharePoint ‘ToolShell’ \uc81c\ub85c\ub370\uc774"},"content":{"rendered":"\n
\n
\n
\n
\n
\"CVE-2025-53770 CVE-2025-53771 \"<\/figure>\n<\/div>\n\n\n

<\/p>\n\n\n\n

Microsoft \uc628\ud504\ub808\ubbf8\uc2a4 SharePoint \uc11c\ubc84\ub97c \ub300\uc0c1\uc73c\ub85c \ud55c ‘ToolShell’ \uacf5\uaca9\uacfc \uad00\ub828\ud574 \ucee4\ubba4\ub2c8\ud2f0\uc640 \uc5c5\uacc4\uac00 \ubcf4\uc5ec\uc900 \ud6cc\ub96d\ud55c \ub178\ub825\uc5d0 \uacbd\uc758\ub97c \ud45c\ud569\ub2c8\ub2e4. \uc774 \uae00\uc758 \ubaa9\uc801\uc740 \uc774\ub7ec\ud55c \ud6cc\ub96d\ud55c \uc791\uc5c5\uc744 \ubc14\ud0d5\uc73c\ub85c, \uc628\ud504\ub808\ubbf8\uc2a4 SharePoint \uc11c\ubc84\ub97c \uc0ac\uc6a9\ud558\ub294 Sumo Logic \uace0\uac1d\uc774 \uc790\uccb4 \ud658\uacbd\uc5d0\uc11c \uacf5\uaca9 \uc99d\uac70\ub97c \uc870\uc0ac\ud558\uace0 \uc2dd\ubcc4\ud560 \uc218 \uc788\ub3c4\ub85d \uc9c0\uc6d0\ud558\ub294 \uac83\uc785\ub2c8\ub2e4.<\/p>\n\n\n\n

\uc0ac\uace0 \uac1c\uc694<\/h2>\n\n\n\n

2025\ub144 7\uc6d4 18\uc77c, Eye Security1\uc740 \uc628\ud504\ub808\ubbf8\uc2a4 SharePoint \uc11c\ubc84\uc5d0\uc11c \uc758\uc2ec\uc2a4\ub7ec\uc6b4 .aspx \ud30c\uc77c\uc774 \uc791\uc131\ub418\uace0 \ub514\uc9c0\ud138 \uba38\uc2e0 \ud0a4\uac00 \ucd94\ucd9c\ub418\ub294 \uacf5\uaca9\uc744 \ud655\uc778\ud588\uc2b5\ub2c8\ub2e4. \uacf5\uaca9 \uccb4\uc778 \ubd84\uc11d \uacb0\uacfc, \uc774\uc804\uc758 \ucde8\uc57d\uc810 \ubc0f Microsoft\uc5d0\uc11c \ubc1c\ud45c\ud55c \ud328\uce58\uc640 \uad00\ub828\ub41c \ub450 \uac00\uc9c0 \ucde8\uc57d\uc810\uc774 \ud655\uc778\ub418\uc5c8\uc2b5\ub2c8\ub2e4.\u00a0<\/p>\n\n\n\n

\uacf5\uaca9\uc790\ub294 \uc2ec\uac01\ud55c \uc6d0\uaca9 \ucf54\ub4dc \uc2e4\ud589 \ucde8\uc57d\uc810(CVE-2025-53770<\/a>)\uacfc \uc11c\ubc84 \uc2a4\ud478\ud551 \ucde8\uc57d\uc810(CVE-2025-53771<\/a>)\uc744 \uc774\uc6a9\ud574 \uc628\ud504\ub808\ubbf8\uc2a4 SharePoint \uc11c\ubc84(2013, 2016, 2019, Subscription Edition)\uc5d0 \uc6f9\uc178\uc744 \ubc30\ud3ec\ud574 \uc11c\ubc84\uc758 \ub514\uc9c0\ud138 \uba38\uc2e0 \ud0a4\uc5d0 \uc811\uadfc\ud558\ub294 \uac83\uc744 \ubaa9\ud45c\ub85c \ud588\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n

2025\ub144 7\uc6d4 19\uc77c, Microsoft\ub294 SharePoint \uc11c\ubc84\uc6a9 \uae34\uae09 OOB(Out-of-band) \ud328\uce58\ub97c \ubc30\ud3ec\ud558\uace0, SharePoint \uc11c\ubc84<\/a> \ud328\uce58 \uc801\uc6a9, SharePoint Server ASP.NET \uba38\uc2e0 \ud0a4 \uad50\uccb4, \ud0d0\uc9c0 \ubc0f \ud5cc\ud305\uc744 \uc704\ud55c \ucd94\uac00 \uad8c\uace0\uc0ac\ud56d\uc744 MSRC \ube14\ub85c\uadf8\ub97c \ud1b5\ud574 \uc548\ub0b4\ud588\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n

Sumo Logic\uc5d0\uc11c\uc758 \ud5cc\ud305 \ubc0f \ud0d0\uc9c0 \ubc29\ubc95<\/h2>\n\n\n\n

\uacf5\uaca9\uc744 \uad6c\uc131 \uc694\uc18c\ubcc4\ub85c \ub098\ub204\uc5b4 \ubd84\uc11d\ud558\uba74 \uac80\uc0c9\uacfc Cloud SIEM \ud0d0\uc9c0\ub97c \uad6c\ucd95\ud558\ub294 \ub370 \ub3c4\uc6c0\uc774 \ub429\ub2c8\ub2e4.\u00a0<\/p>\n\n\n\n

Sumo Logic \ud50c\ub7ab\ud3fc\uc5d0\uc11c \uace0\uac1d \ud658\uacbd\uc758 \uc6d0\uc2dc \ub85c\uadf8\uc640 Sumo Logic Cloud SIEM\uc758 \uc815\uaddc\ud654\ub41c \ub808\ucf54\ub4dc\uc5d0 \ub300\ud55c \uc608\uc2dc \uac80\uc0c9\uc744 \uc0ac\uc6a9\ud574 \ubcf4\uaca0\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n

\uc775\uc2a4\ud50c\ub85c\uc787 \uccb4\uc778\uc744 \uc2dc\uc791\ud558\ub294 \ucd08\uae30 \uc811\uadfc\uc740 ToolPane.aspx\ub85c\uc758 POST \uc694\uccad\uc774\uba70, \uc774\ub294 \uace0\uc720\ud55c URI \ud328\ud134\uc73c\ub85c \ub85c\uadf8\uc5d0\uc11c \uc2dd\ubcc4\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. \uc544\ub798\uc758 \uae30\ubcf8 \ucffc\ub9ac\ub294 \uc774\ub7ec\ud55c \ubc29\uc2dd\uc73c\ub85c SharePoint\uc640 \uc0c1\ud638\uc791\uc6a9\uc744 \uc2dc\ub3c4\ud55c \ud754\uc801\uc744 \ud5cc\ud305\ud558\ub294 \ub370 \uc0ac\uc6a9\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n_sourceCategory=prod\/web\/iis \"ToolPane\"| parse \"* * * * * * * * * * * * * * *\" as date time cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken| where cs-method matches \"POST\"\u00a0\u00a0\u00a0\u00a0AND cs-uri-stem matches \"*\/_layouts\/*\/ToolPane.aspx*\"<\/code>\n\n\n\n

<\/p>\n\n\n\n

Cloud SIEM \ub808\ucf54\ub4dc \uac80\uc0c9:<\/p>\n\n\n\n_index=sec_record_network \"ToolPane\"| where http_method matches \"POST\"\u00a0\u00a0\u00a0\u00a0AND %\"fields.cs-uri-stem\" matches \"*\/_layouts\/*\/ToolPane.aspx*\"\u00a0\u00a0\u00a0AND http_referer_path matches \"\/_layouts\/SignOut.aspx\"<\/code>\n\n\n\n

<\/p>\n\n\n\n

http_referrer_path = \/_layouts\/SignOut.aspx<\/code>\ub294 \uc775\uc2a4\ud50c\ub85c\uc787 \uccb4\uc778\uc758 \ub610 \ub2e4\ub978 \ud575\uc2ec \uc694\uc18c\uc785\ub2c8\ub2e4. \uc2a4\ud478\ud551\ub41c \ub9ac\ud37c\ub7ec(referrer) \uac12\uc774 \uc778\uc99d \uc81c\uc5b4\ub97c \uc6b0\ud68c\ud558\ub3c4\ub85d \ub9cc\ub4e4\uae30 \ub54c\ubb38\uc785\ub2c8\ub2e4.<\/p>\n\n\n\n

\ub2e4\uc74c\uc740 \uc775\uc2a4\ud50c\ub85c\uc787 \uccb4\uc778\uc758 \ud575\uc2ec \uc545\uc131 \uc694\uc18c\uc778 \uc6f9\uc178\uc744 \ud0d0\uc9c0\ud558\uae30 \uc704\ud55c \uac80\uc0c9 \uc608\uc2dc\uc785\ub2c8\ub2e4. \uacf5\uaca9\uc790\ub294 \uc774 \uc6f9\uc178\uc744 \uc0ac\uc6a9\ud574 \ub300\uc0c1 SharePoint \uc11c\ubc84\uc5d0\uc11c \uba38\uc2e0 \ud0a4\ub97c \ucd94\ucd9c\ud558\ub294 \ub4f1 \uc5ec\ub7ec \uc791\uc5c5\uc744 \uc218\ud589\ud55c \uac83\uc73c\ub85c \uad00\ucc30\ub418\uc5c8\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n

Sumo Logic \uac80\uc0c9:<\/p>\n\n\n\n_sourceCategory=prod\/web\/iis| parse \"* * * * * * * * * * * * * * *\" as date time cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken| where cs-uri-stem matches \/spinstall\\S?\\.aspx\/\u00a0\u00a0\u00a0\u00a0AND cs-method = \"GET\"<\/code>\n\n\n\n

<\/p>\n\n\n\n

Cloud SIEM \ub808\ucf54\ub4dc \uac80\uc0c9:<\/p>\n\n\n\n_index=sec_record_network \"aspx\"| where http_method = \"GET\"\u00a0\u00a0\u00a0\u00a0AND %\"fields.cs-uri-stem\" matches \/spinstall\\S?\\.aspx\/<\/code>\n\n\n\n

<\/p>\n\n\n\n

\uc704\uc758 \uc6f9\uc178\uc740 \uacf5\uaca9\uc790\uac00 \ub300\uc0c1 \uc11c\ubc84\uc5d0\uc11c \ubaa9\ud45c\ub97c \uc2e4\ud589\ud560 \uc218 \uc788\ub3c4\ub85d \ud574\uc90d\ub2c8\ub2e4. \uc774\ub7ec\ud55c \ud65c\ub3d9\uc740 \ubc29\uc5b4\uc790\ub4e4\uc774 \uc774\ubbf8 \uc9c0\uc801\ud588\ub4ef SharePoint \uc11c\ubc84\uc758 \uc815\uc0c1 \ub3d9\uc791\uc5d0\uc11c \ubc97\uc5b4\ub098\ub294 \uc911\uc694\ud55c \uc774\uc0c1 \ud589\uc704\uc774\uba70 \ud0d0\uc9c0\uac00 \uac00\ub2a5\ud569\ub2c8\ub2e4.<\/p>\n\n\n\n

\uccab\uc9f8, cmd.exe\uc758 \uc0c1\uc704 \ud504\ub85c\uc138\uc2a4\ub85c w3wp.exe<\/code>\uac00 \ub098\ud0c0\ub098\ub294\uc9c0\ub97c \ud655\uc778\ud558\uaca0\uc2b5\ub2c8\ub2e4. \uc774 \uac80\uc0c9 \uacb0\uacfc\ub294 \uc774\ud6c4 PowerShell \uc2e4\ud589 \ubc0f \uc774 \uacf5\uaca9\uc5d0\uc11c \uc0ac\uc6a9\ub41c \uc6f9\uc178 .aspx \ud30c\uc77c\uacfc \uc5f0\uad00\ub41c \uac80\uc0c9\uc5d0 \ud65c\uc6a9\ub429\ub2c8\ub2e4.<\/p>\n\n\n\n

Sumo Logic \uac80\uc0c9:<\/p>\n\n\n\n_sourceCategory=windows_event_logs| json field=_raw \"EventData.CommandLine\" as commandLine| json field=_raw \"Computer\"| json field=_raw \"EventData.ParentImage\" as parentImage| json field=_raw \"EventData.Image\" as image| where toLowerCase(Image) matches \"*cmd.exe\"\u00a0\u00a0\u00a0AND toLowerCase(parentImage) matches \"*w3wp.exe\"| count by Computer,parentImage,image,commandLine<\/code>\n\n\n\n

<\/p>\n\n\n\n

Cloud SIEM \ub808\ucf54\ub4dc \uac80\uc0c9:<\/p>\n\n\n\n_index=sec_record_endpoint\u00a0| where toLowerCase(parentBaseImage) matches \"*w3wp.exe\"\u00a0\u00a0\u00a0\u00a0AND toLowerCase(baseImage) matches \"*cmd.exe\"| count by device_hostname,parentBaseImage,baseImage,commandLine<\/code>\n\n\n\n

<\/p>\n\n\n\n

Cloud SIEM \ud65c\uc6a9 \ud301: \uc704\uc758 \ucffc\ub9ac\ub97c \uc0ac\uc6a9\ud558\uba74 \ubcf4\ub2e4 \uba74\ubc00\ud55c \uc870\uc0ac(\ubc0f SIEM \uc54c\ub9bc\uc5d0\uc11c\uc758 \uc2ec\uac01\ub3c4 \uc0c1\ud5a5 \uc870\uc815)\uac00 \ud544\uc694\ud55c \ud638\uc2a4\ud2b8\ub97c \ucc3e\uc744 \uc218 \uc788\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n

Cloud SIEM \uace0\uac1d\uc5d0\uac8c \uc720\uc6a9\ud55c \ub9e4\uce58 \ub9ac\uc2a4\ud2b8(Match Lists) \uae30\ub2a5\uc744 \uc0ac\uc6a9\ud558\uba74 \uc815\uaddc\ud654\ub41c \ub808\ucf54\ub4dc\uc5d0 \uba54\ud0c0\ub370\uc774\ud130\ub97c \ucd94\uac00\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. \ub610\ud55c \uc774\ub294 \ubbfc\uac10\ud55c \uc7a5\ube44\ub97c \ucd94\uc801\ud558\uace0 \ube60\ub974\uac8c \ub808\ucf54\ub4dc\ub97c \uac80\uc0c9\ud558\ub294 \ub370\uc5d0\ub3c4 \uc720\uc6a9\ud569\ub2c8\ub2e4. \ucd94\uac00\ub85c \uc5d4\ud130\ud2f0 \ud0dc\uae45(Entity Tagging) \ubc0f \uc5d4\ud130\ud2f0 \uc911\uc694\ub3c4(Entity Criticality) \uae30\ub2a5\ub3c4 \uc0ac\uc6a9\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. \uc5d4\ud130\ud2f0 \uc911\uc694\ub3c4\ub97c \ub192\uc774\uba74 \ud574\ub2f9 \uc5d4\ud130\ud2f0\uc5d0 \ub300\ud55c \uc2dc\uadf8\ub110\uc758 \uc2ec\uac01\ub3c4 \uacc4\uc0b0\uc774 \uc0c1\ud5a5 \uc870\uc815\ub429\ub2c8\ub2e4.\u00a0<\/p>\n\n\n\n

\uc774\ub7ec\ud55c \ubaa8\ub4e0 \uae30\ub2a5\uc744 \uc0ac\uc6a9\ud558\uba74 \ub808\ucf54\ub4dc \uac80\uc0c9\uc5d0\uc11c \uc0ac\uc6a9\uc790 \ud658\uacbd\uc758 SharePoint \uc11c\ubc84\ub97c \ube60\ub974\uac8c \uc2dd\ubcc4\ud558\uace0(\ub9e4\uce58 \ub9ac\uc2a4\ud2b8 \uc0ac\uc6a9), SharePoint \uc11c\ubc84\ub97c \ud0dc\uae45\ud558\uc5ec \uc5d4\ud130\ud2f0 \uc911\uc694\ub3c4\ub97c \uc99d\uac00\uc2dc\ud0a4\uba70, Sumo Logic Cloud SIEM\uc5d0\uc11c \uad00\ub828 \uc2dc\uadf8\ub110\uacfc \uc778\uc0ac\uc774\ud2b8\uac00 \uc0dd\uc131\ub418\ub3c4\ub85d \ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n

\ub458\uc9f8, \uc704 \ud638\uc2a4\ud2b8\uc5d0\uc11c \ubc1c\uc0dd\ud55c PowerShell \uc2e4\ud589\uc744 \uac80\uc0c9\ud569\ub2c8\ub2e4.<\/p>\n\n\n\n

Sumo Logic \uac80\uc0c9:<\/p>\n\n\n\n_sourceCategory=windows_event_logs| json field=_raw \"Computer\"| json field=_raw \"EventData.ParentImage\" as parentImage| json field=_raw \"EventData.Image\" as image| where Computer IN (\"[insert list of hosts above]\",\"...\")\u00a0\u00a0\u00a0\u00a0AND toLowerCase(image) matches \"*powershell.exe\"<\/code>\n\n\n\n

<\/p>\n\n\n\n

Cloud SIEM \ub808\ucf54\ub4dc \uac80\uc0c9:<\/p>\n\n\n\n_index=sec_record_endpoint\u00a0| where device_hostname IN (\"[insert list of hosts above]\",\"...\")\u00a0\u00a0\u00a0\u00a0AND toLowerCase(baseImage) matches \"*powershell.exe\"<\/code>\n\n\n\n

<\/p>\n\n\n\n

\uac80\uc0c9 \uc2dc \uc8fc\uc758 \uc0ac\ud56d: PowerShell\uc740 command line\uc744 \ud1b5\ud574 \ub2e4\uc591\ud55c \ubc29\uc2dd\uc73c\ub85c \uc2e4\ud589\ub420 \uc218 \uc788\uc2b5\ub2c8\ub2e4. \uc704 \uac80\uc0c9 \ubc29\ubc95\uc740 \uadf8\uc911 \ud55c \uac00\uc9c0\uc774\uba70, \uc774 \uacf5\uaca9 \uad00\ub828 \ucc38\uace0 \uc790\ub8cc\uc5d0\uc11c\ub3c4 \ubc18\ubcf5\uc801\uc73c\ub85c \ub098\ud0c0\ub09c \ubc29\uc2dd\uc785\ub2c8\ub2e4. \uc2dc\uac04\uacfc \uc778\uc2dc\ub358\ud2b8 \uc0c1\ud669\uc774 \ud5c8\ub77d\ud558\ub294 \ubc94\uc704\uc5d0\uc11c, \uc774 \uacf5\uaca9\uc758 \uc601\ud5a5 \ubc94\uc704\uc5d0 \ud3ec\ud568\ub420 \uc218 \uc788\ub294 \ub2e4\ub978 \uc2dc\uc2a4\ud15c\uae4c\uc9c0 \uc2ec\uce35 \uc870\uc0ac\ud560 \uac83\uc744 \uad8c\uc7a5\ud569\ub2c8\ub2e4.<\/p>\n\n\n\n

\ud504\ub85c\uc138\uc2a4\uc758 \uc138 \ubc88\uc9f8 \ub2e8\uacc4\ub294 \ub124\ud2b8\uc6cc\ud06c \uc804\uccb4\uc758 \ud638\uc2a4\ud2b8 \ud30c\uc77c \uc2dc\uc2a4\ud15c\uc5d0 \uc6f9\uc178\uc774 \uae30\ub85d\ub418\ub294 \ub2e8\uacc4\uc785\ub2c8\ub2e4.<\/p>\n\n\n\n

Sumo Logic \uac80\uc0c9:<\/p>\n\n\n\n\"aspx\"| json field=_raw \"EventData.TargetFilename\" as targetFilename nodrop| json field=_raw \"EventData.CommandLine\" as commandLine nodrop| json field=_raw \"Computer\" nodrop| json field=_raw \"EventData.ParentImage\" as parentImage nodrop| json field=_raw \"EventData.Image\" as image nodrop| where toLowerCase(targetFilename) contains \"aspx\"<\/code>\n\n\n\n

<\/p>\n\n\n\n

Cloud SIEM \ub808\ucf54\ub4dc \uac80\uc0c9:<\/p>\n\n\n\n_index=sec_record_endpoint aspx| where baseImage matches \"*powershell.exe\"\u00a0\u00a0\u00a0\u00a0\u00a0AND changeTarget contains \"aspx\"<\/code>\n\n\n\n

<\/p>\n\n\n\n

[\ubcf4\ub108\uc2a4 \ub0b4\uc6a9] \uc704 \uac80\uc0c9\uc744 \ubcc0\ud615\ud558\uc5ec, \uc5d4\ub4dc\ud3ec\uc778\ud2b8 \ub808\ucf54\ub4dc \ub0b4\uc5d0\uc11c \uc791\uc131\ub41c .aspx \ud30c\uc77c\uc758 \ub2e4\ub978 \uc0dd\uc131 \uc6d0\ucc9c\uc744 \ucc3e\ub294 \ubc29\ubc95\uc785\ub2c8\ub2e4.<\/p>\n\n\n\n

Cloud SIEM \ub808\ucf54\ub4dc \uac80\uc0c9:<\/p>\n\n\n\n_index=sec_record_endpoint aspx| where changeTarget contains \"aspx\"<\/code>\n\n\n\n

<\/p>\n\n\n\n

\uc774 \uac80\uc0c9\uc740 \uc815\uaddc\ud654\ub41c \uc5d4\ub4dc\ud3ec\uc778\ud2b8 \ub808\ucf54\ub4dc\uc5d0\uc11c .aspx<\/code> \ud30c\uc77c \uc0dd\uc131 \uc5ec\ubd80\ub97c \uc2dd\ubcc4\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. \ud558\uc9c0\ub9cc PowerShell\uc774 \ud574\ub2f9 \ud30c\uc77c\uc744 \uc791\uc131\ud55c \uacbd\uc6b0\ub85c\ub9cc \uc81c\ud55c\ub418\uc9c0\ub294 \uc54a\uc2b5\ub2c8\ub2e4. \uc774 \ubd84\uc11d\uc740 \ud5cc\ud305 \ubaa9\uc801\uc774\uba70, \uc9c0\uc18d\uc801\uc778 \uc6b4\uc601\uc744 \uc704\ud55c \uac83\uc774 \uc544\ub2c8\ub77c \ub9e4\uc6b0 \ud2b9\uc815\ud55c \ud0d0\uc0c9 \uc0c1\ud669\uc5d0\uc11c \uc0ac\uc6a9\ud558\uae30 \uc704\ud55c \uac83\uc785\ub2c8\ub2e4.<\/p>\n\n\n\n

\ucc38\uace0: \ucffc\ub9ac\uc758 \ubc94\uc704\ub97c _sourceCategory=<\/code> (raw logs)\ub85c \ud55c\uc815\ud558\uace0 sec_record<\/code> \uc778\ub371\uc2a4\ub97c \ud65c\uc6a9\ud558\ub294 \ubc29\uc2dd\uc740 \uc815\ud655\ud558\uace0 \ube60\ub978 \uac80\uc0c9\uc5d0 \ub9e4\uc6b0 \uc720\uc6a9\ud558\ubbc0\ub85c \uc801\uadf9 \uad8c\uc7a5\ud569\ub2c8\ub2e4. \uadf8\ub7ec\ub098 \uc5ec\ub7ec \uc18c\uc2a4 \ubc94\uc8fc\uc5d0 \uac78\uccd0 \uc758\uc2ec\uc2a4\ub7ec\uc6b4 \ud65c\ub3d9\uc744 \ucc3e\ub294 \uacbd\uc6b0, \ucc98\uc74c\uc5d0\ub294 \ub113\uac8c \uc2dc\uc791\ud574 \ube60\ub974\uac8c \ud65c\ub3d9\uc744 \uc2dd\ubcc4\ud55c \ub4a4 \ud544\uc694\uc5d0 \ub530\ub77c \ubc94\uc704\ub97c \uc881\ud788\ub294 \ubc29\uc2dd\ub3c4 \ud6a8\uacfc\uc801\uc785\ub2c8\ub2e4.<\/p>\n\n\n\n

\uc774\ub7ec\ud55c \ucffc\ub9ac\ub294 \uc601\ud5a5\ubc1b\uc740 SharePoint \uc778\ud504\ub77c \uc804\uccb4\ub97c \uc644\uc804\ud788 \ud0d0\uc0c9\ud558\uae30 \uc704\ud55c \ubaa9\uc801\uc774 \uc544\ub2d9\ub2c8\ub2e4. \ub300\uc2e0, \uc7a0\uc7ac\uc801\uc73c\ub85c \uc601\ud5a5\uc744 \ubc1b\uc740 \ud658\uacbd\uc5d0\uc11c \uc870\uc0ac\ub97c \ube60\ub974\uac8c \uc9c4\ud589\ud560 \uc218 \uc788\ub3c4\ub85d \ub3d5\ub294 \uac83\uc744 \ubaa9\ud45c\ub85c \ud569\ub2c8\ub2e4.\u00a0<\/p>\n\n\n\n

Sumo Logic Cloud SIEM \ud0d0\uc9c0<\/h3>\n\n\n\n

\uc601\ud5a5\uc744 \ubc1b\uc740 \uc2dc\uc2a4\ud15c(\ubc0f \uad00\ub828 \uc5d4\ud130\ud2f0)\uc758 \uc2dc\uadf8\ub110\uacfc \uc778\uc0ac\uc774\ud2b8\ub97c \uc2dd\ubcc4\ud558\uace0 \ub300\uc751\ud558\uae30 \uc704\ud574 Sumo Logic Cloud SIEM \uace0\uac1d \ud658\uacbd\uc5d0\uc11c\ub294 \uc544\ub798\uc640 \uac19\uc740 \uaddc\uce59\ub4e4\uc774 \uc2e4\ud589\ub418\uace0 \uc788\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n

Cloud SIEM \uaddc\uce59 \uc911 \uc544\ub798 \ud56d\ubaa9\ub4e4\uc740 \ub300\uc0c1 SharePoint \uc11c\ubc84\uc5d0\uc11c\uc758 \uc758\uc2ec\uc2a4\ub7ec\uc6b4 \uc2e4\ud589 \ud65c\ub3d9\uc5d0 \ucd08\uc810\uc744 \ub9de\ucd94\uace0 \uc788\uc73c\uba70, \uc774\ub294 SharePoint \uc804\ubc18\uc5d0\uc11c \ubc1c\uc0dd\ud558\ub294 \ub2e4\uc591\ud55c \ud65c\ub3d9(\uc77c\ubd80\ub294 \ub354 \uc77c\ubc18\uc801\uc784)\uc744 \ud0d0\uc9c0\ud558\ub3c4\ub85d \uc124\uacc4\ub418\uc5b4 \uc788\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n

\uc55e\uc11c \uc124\uba85\ud588\ub4ef\uc774, Cloud SIEM\uc758 \uc5d4\ud130\ud2f0 \ud0dc\uae45(Entity Tagging) \ubc0f \ub9e4\uce58 \ub9ac\uc2a4\ud2b8(Match Lists)<\/a> \uae30\ub2a5\uc740 SharePoint \uc11c\ubc84\ub97c \uc2dd\ubcc4\ud558\uace0 \uadf8 \uc2ec\uac01\ub3c4\ub97c \ub192\uc774\ub294 \ub370 \ub9e4\uc6b0 \uc720\uc6a9\ud55c \ub3c4\uad6c\uc785\ub2c8\ub2e4.\u00a0<\/p>\n\n\n\n

Cloud SIEM \uaddc\uce59 ID<\/td>\uaddc\uce59\uba85<\/td><\/tr>
MATCH-S00164<\/td>\uc6f9 \uc11c\ubc84\uc5d0\uc11c \uc0dd\uc131\ub41c \uc758\uc2ec\uc2a4\ub7ec\uc6b4 \uc178(Shell)<\/td><\/tr>
MATCH-S00539<\/td>\uc758\uc2ec\uc2a4\ub7ec\uc6b4 \ud504\ub85c\uc138\uc2a4\ub97c \uc2e4\ud589\ud558\ub294 \uc6f9 \uc11c\ubc84*<\/td><\/tr>
FIRST-S00010<\/td>\ud574\ub2f9 \ucef4\ud4e8\ud130\uc5d0\uc11c \ucd5c\ucd08\ub85c \uad00\ucc30\ub41c PowerShell \uc2e4\ud589<\/td><\/tr>
MATCH-S00136<\/td>PowerShell \uc778\ucf54\ub529 \uba85\ub839<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

<\/p>\n\n\n\n

* MATCH-S00539 \uaddc\uce59\uc740 \uc6f9 \uc11c\ubc84\uc5d0\uc11c \uc2e4\ud589\ub41c \ud504\ub85c\uc138\uc2a4\ub97c \ubc94\uc704 \ub0b4\uc5d0\uc11c \ud0d0\uc9c0\ud558\uae30 \uc704\ud574 \u2018web_servers\u2019 \ub9e4\uce58 \ub9ac\uc2a4\ud2b8\ub97c \uc0dd\uc131\ud558\uace0 \ud574\ub2f9 \ubaa9\ub85d\uc744 \ucc44\uc6cc \ub123\uc5b4\uc57c \ud569\ub2c8\ub2e4. \ub9e4\uce58 \ub9ac\uc2a4\ud2b8 \uc0dd\uc131 \ubc29\ubc95<\/a>\uc740 \uc5ec\uae30\uc11c \ud655\uc778\ud558\uc2e4 \uc218 \uc788\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n

\uc704\ud611 \uc778\ud154\ub9ac\uc804\uc2a4\ub294 \uc2e0\uaddc \uc704\ud611 \ub610\ub294 \uc2e0\ud765 \uc704\ud611\uc744 \ud0d0\uc9c0\ud558\ub294 \ub370 \ud575\uc2ec \uc694\uc18c\uc785\ub2c8\ub2e4. \uc774\ubc88 \uacf5\uaca9\uacfc \uad00\ub828\ud574\uc11c\ub3c4 \uc5ec\ub7ec \uce68\ud574 \uc9c0\ud45c(IOC)\uac00 \uacf5\uc720\ub418\uc5c8\uc2b5\ub2c8\ub2e4. SharePoint \uc778\ud504\ub77c\uc640 \uad00\ub828\ub41c \uc704\ud611 \uc778\ud154\ub9ac\uc804\uc2a4(Threat Intel) \ub9e4\uce58\ub97c \ud655\uc778\ud574 \uc870\uc0ac\uac00 \ud544\uc694\ud55c \uac00\ub2a5\uc131 \uc788\ub294 \uc774\ubca4\ud2b8\ub97c \ud0d0\uc0c9\ud560 \uac83\uc744 \uad8c\uc7a5\ud569\ub2c8\ub2e4. \uc774 \ubb38\uc11c \uc791\uc131 \uc2dc\uc810 \uae30\uc900\uc73c\ub85c \uad00\ub828 IOC\ub294 \ube14\ub85c\uadf8\ub97c \ud1b5\ud574 \uacf5\uc720\ub418\uc5c8\uace0, \uc544\uc9c1\uc740 \ub354 \ud070 \uaddc\ubaa8\uc758 \uc704\ud611 \ud53c\ub4dc\uc5d0\uc11c \ubcf4\uc774\uc9c0\ub294 \uc54a\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n

Cloud SIEM \uaddc\uce59 ID<\/td>\uaddc\uce59\uba85<\/td><\/tr>
MATCH-S01023<\/td>\uc704\ud611 \uc778\ud154\ub9ac\uc804\uc2a4 – \uc704\ud611 \ud53c\ub4dc IP\uc5d0\uc11c \uc720\uc785\ub41c \ud2b8\ub798\ud53d(\uc2e0\ub8b0\ub3c4 \ub192\uc74c)<\/td><\/tr>
MATCH-S01027<\/td>\uc704\ud611 \uc778\ud154\ub9ac\uc804\uc2a4 – \uc704\ud611 \ud53c\ub4dc IP\uc5d0\uc11c \uc720\uc785\ub41c \ud2b8\ub798\ud53d(\uc2e0\ub8b0\ub3c4 \ubcf4\ud1b5)<\/td><\/tr>
MATCH-S01025<\/td>\uc704\ud611 \uc778\ud154\ub9ac\uc804\uc2a4 – \uc704\ud611 \ud53c\ub4dc IP\uc5d0\uc11c \uc720\uc785\ub41c \ud2b8\ub798\ud53d(\uc2e0\ub8b0\ub3c4 \ub0ae\uc74c)<\/td><\/tr>
MATCH-S01000<\/td>\uc704\ud611 \uc778\ud154\ub9ac\uc804\uc2a4 – MD5 \uc77c\uce58<\/td><\/tr>
MATCH-S01003<\/td>\uc704\ud611 \uc778\ud154\ub9ac\uc804\uc2a4 – SHA1 \uc77c\uce58<\/td><\/tr>
MATCH-S01004<\/td>\uc704\ud611 \uc778\ud154\ub9ac\uc804\uc2a4 – SHA256 \uc77c\uce58<\/td><\/tr>
<\/td><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

<\/p>\n\n\n\n

Sumo Logic\uc758 \uc704\ud611 \uc778\ud154\ub9ac\uc804\uc2a4<\/a>\ub97c \uc0ac\uc6a9\ud558\uba74 \uace0\uac1d\uc774 \uc790\uccb4 \uc9c0\ud45c\ub97c \uc5c5\ub85c\ub4dc\ud560 \uc218 \uc788\uc744 \ubfd0 \uc544\ub2c8\ub77c, \uc0ac\uc6a9\uc790 \uc815\uc758 \uc18c\uc2a4(custom sources)\ub85c\ubd80\ud130 \uc704\ud611 \uc778\ud154\ub9ac\uc804\uc2a4\ub97c \uc218\uc9d1\ud560 \uc218\ub3c4 \uc788\uc2b5\ub2c8\ub2e4. \ucee4\ubba4\ub2c8\ud2f0\uc5d0 \uacf5\uc720\ub41c \uc9c0\ud45c\uac00 \ub9ce\uc9c0 \uc54a\uc740 \uc0c1\ud669\uc5d0\uc11c\ub294 Cloud SIEM \uaddc\uce59\uc5d0 \ub300\ud55c \uc704\ud611 \uc778\ud154\ub9ac\uc804\uc2a4 \uc18c\uc2a4\ub97c \ub9cc\ub4dc\ub294 \uac83\uc774 \uc704 \uaddc\uce59\ub4e4\uc5d0 \ube60\ub974\uac8c \ubc18\uc601\ud558\uace0 \uc801\uc6a9\ud558\ub294 \ub370 \uc720\uc6a9\ud569\ub2c8\ub2e4. \ub610\ud55c \uace0\uac1d\uc774 \uc9c1\uc811 \uc0dd\uc131\ud55c \uc0ac\uc6a9\uc790 \uc815\uc758 \uc18c\uc2a4\ub97c \ud65c\uc6a9\ud574 \ub85c\uceec \uc704\ud611 \uc778\ud154\ub9ac\uc804\uc2a4 \uaddc\uce59\uc744 \ub9cc\ub4e4 \uc218\ub3c4 \uc788\uc2b5\ub2c8\ub2e4(\uc608\uc2dc: hasThreatMatch([srcDevice_ip,file_hash_md5,file_hash_sha256],\u00a0 source=\u201dtoolshell iocs\u201d).<\/p>\n\n\n\n

\ub85c\uceec \uaddc\uce59 \uac1c\ubc1c\uc744 \uc704\ud55c \ud0d0\uc9c0 \uc774\ub860<\/h3>\n\n\n\n

\uc81c\uc548 \uc544\ub798\ub294 \uc774 \uacf5\uaca9\uc758 \uc694\uc18c\ub97c \ud0d0\uc9c0\ud558\uae30 \uc704\ud574 Cloud SIEM \ub9e4\uce58 \ud45c\ud604\uc73c\ub85c \ubcc0\ud658\ud55c \ud0d0\uc9c0 \uc774\ub860\uc758 \uc608\uc2dc\uc785\ub2c8\ub2e4. \uc774\ub97c \ucc38\uace0\ud558\uc5ec \uc0ac\uc6a9\uc790 \ud658\uacbd\uc5d0 \ub9de\ub294 \uaddc\uce59\uc744 \uc9c1\uc811 \uac1c\ubc1c\ud558\ub294 \ub370 \ub3c4\uc6c0\uc774 \ub420 \uac83\uc785\ub2c8\ub2e4.<\/p>\n\n\n\n

Cloud SIEM\uc744 \ud1b5\ud55c \uc775\uc2a4\ud50c\ub85c\uc787 \uccb4\uc778\uc758 \ucd08\uae30 \uc811\uadfc(POST \uc694\uccad)<\/p>\n\n\n\nhttp_method = 'POST'AND http_response_statusCode IN (200, 302)AND http_referer_path MATCHES \/(?i)_layouts\\\/1[56]\\\/signout\\.aspx$\/AND fields['cs_uri_stem'] MATCHES \/(?i)_layouts\\\/1[56]\\\/toolpane\\.aspx$\/<\/code>\n\n\n\n

<\/p>\n\n\n\n

\ud0d0\uc9c0 \uc774\ub860: \uacf5\uaca9\uc758 \ucd08\uae30 \uc811\uadfc\uc744 \uc2dc\uc791\uc2dc\ud0a4\uace0 \ucde8\uc57d\ud55c \uc2dc\uc2a4\ud15c\uc5d0 \uc6f9\uc178 \uc124\uce58\ub85c \uc774\uc5b4\uc9c0\ub294 POST \uc694\uccad\uc744 \ud0d0\uc9c0\ud569\ub2c8\ub2e4.<\/p>\n\n\n\n

Cloud SIEM \uc2e4\ud589 \ud30c\uc77c\uc774 IIS \ub514\ub809\ud1a0\ub9ac\uc5d0 \ucd94\uac00\ub41c \uacbd\uc6b0<\/p>\n\n\n\naction = \"FileCreate\"AND changeTarget MATCHES \/(?i:\\\\wwwroot\\\\|\\\\windows\\\\microsoft\\.net\\\\framework\\\\|\\\\microsoft shared\\\\web server extensions\\\\).+\\.(?i:as[hmp]x|cshtml)$\/AND baseImage NOT MATCHES \/(?i)(?:\\\\w3wp|\\\\msdeploy|\\\\svchost|\\\\explorer)\\.exe$\/<\/code>\n\n\n\n

<\/p>\n\n\n\n

\ud0d0\uc9c0 \uc774\ub860: IIS \ub514\ub809\ud1a0\ub9ac\uc5d0 \uc2e4\ud589 \ud30c\uc77c(\uc5ec\uae30\uc11c\ub294 \uc6f9\uc178)\uc774 \uae30\ub85d\ub418\ub294 FileCreate \uc774\ubca4\ud2b8\ub97c \ud0d0\uc9c0\ud569\ub2c8\ub2e4.<\/p>\n\n\n\n

GET \uc694\uccad\uc744 \ud1b5\ud55c Cloud SIEM\uc758 \uc6f9\uc178 \uc0c1\ud638\uc791\uc6a9:<\/p>\n\n\n\nhttp_method = 'GET'AND http_response_statusCode IN (200,302)AND fields['cs_uri_stem'] MATCHES \/(?i)_layouts\\\/1[56]\\\/spinstall\\d{0,2}\\.aspx\/<\/code>\n\n\n\n

<\/p>\n\n\n\n

\ud0d0\uc9c0 \uc774\ub860: \uacf5\uaca9\uc790\uac00 POST \uae30\ubc18 \uc775\uc2a4\ud50c\ub85c\uc787\uc73c\ub85c \uc2dc\uc2a4\ud15c\uc744 \uc774\ubbf8 \uce68\ud574\ud55c \ud6c4, \ubaa9\ud45c \uc11c\ubc84\uc5d0\uc11c \ubaa9\uc801 \uc218\ud589\uc744 \uc704\ud574 \uc6f9\uc178\uacfc \uc0c1\ud638\uc791\uc6a9\ud558\ub294 \uc694\uccad\uc744 \ud0d0\uc9c0\ud569\ub2c8\ub2e4.<\/p>\n\n\n\n

\uc774\ub7ec\ud55c \ud0d0\uc9c0 \uc774\ub860\uc740 \ub85c\uceec \ud0d0\uc9c0 \uaddc\uce59\uc744 \ube60\ub974\uac8c \uc791\uc131\ud560 \uc218 \uc788\ub3c4\ub85d \uc81c\uacf5\ub41c \ud504\ub85c\ud1a0\ud0c0\uc785\uc73c\ub85c, \uc758\uc2ec\ub418\ub294 \ucde8\uc57d \ud658\uacbd\uc744 \ud0d0\uc9c0\ud558\uace0 \uc870\uc0ac\ud558\ub294 \ub370 \ub3c4\uc6c0\uc744 \uc90d\ub2c8\ub2e4. \uc774\ub4e4\uc740 Sumo Logic Cloud SIEM\uc5d0\uc11c \ub9e4\uce58 \ud45c\ud604\uc73c\ub85c \uc2e4\ud589\ub418\ub3c4\ub85d \ud2b9\ubcc4\ud788 \uc124\uacc4\ub418\uc5c8\uc73c\uba70, \uc55e\uc11c \uacf5\uc720\ub41c \uac80\uc0c9\uacfc \uc720\uc0ac\ud55c \uacb0\uacfc\ub97c \uc5bb\ub3c4\ub85d \uc870\uc815\ud574 \uc0ac\uc6a9\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n

\uad8c\uc7a5 \uc0ac\ud56d<\/h2>\n\n\n\n

Microsoft\ub294 \ud574\ub2f9 \ucde8\uc57d\uc131\uc774 \uc0ac\uc6a9\uc790 \ud658\uacbd\uc5d0\uc11c \uc545\uc6a9\ub418\ub294 \uac83\uc744 \ubc29\uc9c0\ud558\ub294 \ubc29\ubc95\uacfc SharePoint \uc11c\ubc84\uac00 \uce68\ud574\ub41c \uacbd\uc6b0\uc758 \ub300\uc751 \ubc29\ubc95\uc5d0 \uad00\ud55c \uc0c1\uc138\ud55c \uac00\uc774\ub4dc<\/a>\ub97c \uc81c\uacf5\ud569\ub2c8\ub2e4.<\/p>\n\n\n\n

SharePoint \ucde8\uc57d\uc131\uc758 \uc545\uc6a9\uc740 \ub9e4\uc6b0 \uc27d\uc2b5\ub2c8\ub2e4. \ub530\ub77c\uc11c \ud658\uacbd \ub0b4\uc5d0 \ucde8\uc57d\ud55c SharePoint \uc11c\ubc84\uac00 \uc788\ub2e4\uba74 \ud574\ub2f9 \uc11c\ubc84\uc5d0 \uce68\ud574\uac00 \ubc1c\uc0dd\ud588\ub294\uc9c0, \uce68\ud574\ub41c \uacbd\uc6b0 \uc190\uc0c1\uc758 \ubc94\uc704\ub294 \ubb3c\ub860 \ud544\uc694\ud55c \uc644\ud654 \uc870\uce58\uac00 \ubb34\uc5c7\uc778\uc9c0 \ud30c\uc545\ud574\uc57c \ud569\ub2c8\ub2e4. \uacf5\uaca9\uc790\uac00 SharePoint \uc11c\ubc84\ub97c \uc131\uacf5\uc801\uc73c\ub85c \uce68\ud574\ud558\uba74 \ud574\ub2f9 \uc11c\ubc84\ub97c \uae30\ubc18\uc73c\ub85c \ud658\uacbd \ub0b4 \ub2e4\ub978 \uc790\uc0b0\uc744 \ud53c\ubc97\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. \uc774\ubc88 \ube14\ub85c\uadf8\uc5d0\uc11c \uc18c\uac1c\ud55c \ucffc\ub9ac\ub294 \uce68\ud574\uac00 \ubc1c\uc0dd\ud588\ub294\uc9c0\ub97c \ud310\ub2e8\ud558\ub294 \ub370 \ub3c4\uc6c0\uc774 \ub420 \uc218 \uc788\uc2b5\ub2c8\ub2e4.\u00a0<\/p>\n\n\n\n

\uc9c0\uae08\uae4c\uc9c0 \uc628\ud504\ub808\ubbf8\uc2a4 SharePoint \uc11c\ubc84\ub97c \ub300\uc0c1\uc73c\ub85c \ud55c \ud604\uc7ac \uc9c4\ud589 \uc911\uc778 \uacf5\uaca9\uc5d0 \ub300\ud55c \uac04\ub2e8\ud55c \ubd84\uc11d\uacfc \ud0c0\uc784\ub77c\uc778, \uadf8\ub9ac\uace0 Sumo Logic\uc744 \uc0ac\uc6a9\ud558\uc5ec \uad00\ub828 \uc758\uc2ec \ud65c\ub3d9\uc744 \ud0d0\uc9c0\ud558\uace0 \uac80\uc0c9\ud558\ub294 \ubc29\ubc95\uc744 \uc0b4\ud3b4\ubcf4\uc558\uc2b5\ub2c8\ub2e4. \uc774 \uc8fc\uc81c\uc640 \uad00\ub828\ud558\uc5ec \ub354 \uc790\uc138\ud55c \uc0ac\ud56d\uc744 \uc6d0\ud558\uc2dc\uba74 \uc544\ub798\uc758 \ucd94\uac00 \uc790\ub8cc\ub97c \ucc38\uace0\ud574 \uc8fc\uc2dc\uae30 \ubc14\ub78d\ub2c8\ub2e4.\u00a0<\/p>\n\n\n\n

\uadf8\ub9ac\uace0 \uc544\uc9c1 Cloud SIEM\uc744 \uc0ac\uc6a9\ud558\uace0 \uc788\uc9c0 \uc54a\ub2e4\uba74, \uc774\uc640 \uac19\uc740 \uc704\ud611\uc744 \ud0d0\uc9c0\ud558\uace0 \ub300\uc751\ud558\ub294 \ub370 Cloud SIEM\uc774 \uc5b4\ub5bb\uac8c \ub3c4\uc6c0\uc774 \ub418\ub294\uc9c0 \ub370\ubaa8\ub97c \uc608\uc57d<\/a>\ud558\uc5ec \uc790\uc138\ud788 \uc54c\uc544\ubcf4\uc138\uc694.<\/p>\n\n\n\n

\ucc38\uace0 \uc790\ub8cc \ubc0f \ucd94\uac00 \ub9ac\uc18c\uc2a4<\/h2>\n\n\n\n

NIST \ucde8\uc57d\uc131 \uc815\ubcf4:<\/strong><\/p>\n\n\n\n