
Emergency response: Windows intrusion troubleshooting

Preface

Emergency response (Incident Response Service, IRS) is needed when an enterprise system suffers a security incident such as virus propagation, a network attack or a hacker intrusion that leads to business interruption, system downtime, network paralysis, data loss or damage to the company's reputation, with a direct or indirect negative impact on the organization and its operations. The incident must be handled immediately so that the enterprise's network and information systems resume normal work in the shortest possible time, while at the same time analyzing the cause of the intrusion, reconstructing the intrusion process, assessing the business loss, tracing the attacker from the evidence, and proposing fixes and preventive measures that reduce the losses caused by the attacker. This article mainly discusses how to investigate a Windows host after it has been compromised.

Windows intrusion investigation toolkit (image: "flaming sword" graphic, not reproduced)

0x01 Analyze the intrusion process

An attacker who breaks into a Windows system usually starts from weak passwords, operating-system vulnerabilities or service vulnerabilities to obtain an ordinary account on the system. After escalating privileges, the attacker creates startup items, modifies the registry, implants viruses and Trojans, and so on, in order to keep control of the target host. At the same time the operating system shows anomalies in its accounts, ports, processes, network connections, startup items, services, scheduled tasks, files and so on. From these anomalies the system operations staff can answer three questions: where the attacker got in, how the attacker got in, and what the attacker did after getting in, and then give targeted recommendations for hardening and protecting the system afterwards.

Brute force: system services such as RDP, SSH and Telnet, and application services such as MySQL and FTP, are typically brute-forced with a weak-password checker or with hydra.

Vulnerability exploitation: exploiting a vulnerability in the operating system or in a service, for example EternalBlue or Redis unauthorized access.

Traffic attack: mainly DoS attacks against the target machine, which leave the server unable to serve requests.

Trojan control: divided into webshells and PC Trojans. A webshell lives inside a web application, while a PC Trojan is implanted into the operating system; in both cases the goal is persistent control over the host.

Virus infection: mainly mining (cryptojacking) viruses, worms, ransomware and the like. An implanted virus usually disrupts the normal operation of the infected machine, or controls it silently so that the machine appears to work normally while data is stolen or the machine is used for other purposes without the user's knowledge.

0x02 Intrusion detection methods

1. Check system account security

When facing a Windows system, an attacker starts with user passwords: first brute-forcing the passwords of the default accounts such as Administrator and Guest over the RDP service; if that fails, fixing one password and trying it against the user accounts; and if that still fails, building account and password dictionaries by social engineering. With some luck this yields a direct login to an administrator account. Once the attacker has system access, maintaining that access is an essential step. Creating a new administrative account makes later logins and inspection easy, and to improve concealment the account may be a shadow (hidden) account. The account check should therefore focus on weak passwords, suspicious accounts and hidden accounts.

(1) Check the server for weak passwords

Check method:

Try logging in with common weak passwords, or ask the administrator directly.

(2) Check for suspicious and newly created accounts

Check method:

1. Open a cmd window and enter lusrmgr.msc.
2. Check whether there are suspicious accounts, especially new accounts in the Administrators group. If any exist, disable or delete them immediately.


(3) Check for hidden accounts

Check method 1:

Open the registry and inspect the key values that correspond to the administrator account:
1. Open Run on the desktop (shortcut Win+R), enter regedit, and open the Registry Editor.
2. Select HKEY_LOCAL_MACHINE\SAM\SAM. By default the contents of this key cannot be viewed; right-click it, choose Permissions, and open the permissions window.
3. Select the current user (usually Administrator), tick Full Control, confirm, and close the Registry Editor.
4. Open the Registry Editor again and navigate to HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users.
5. Under Names you can see every user name on this machine. An account that appears here but not in the local account list is a hidden account; once it is confirmed not to be a system user, it can be deleted.


Check method 2:

Scan with the D-Shield (D盾) web scanner, which includes detection of cloned and hidden accounts.


(4) Check the logs for abnormal user activity

Check method 1:

1. Open Run on the desktop (Win+R) and enter eventvwr.msc.
2. In Event Viewer, analyze the user logon logs.


Check method 2:

View the logs with LogFusion.


2. Check for abnormal ports and processes

Ports are the windows through which a computer exchanges data with the outside world, and they are extremely attractive to an attacker. After an intrusion, the attacker may open a dedicated port on the compromised host for later access, plant mining malware, and so on. Anyone familiar with computers knows that only a handful of ports are normally in use, so checking for suspicious ports tells us whether the host has a backdoor, whether mining malware has been implanted, and so on. From the PID that owns the port we can then locate the program behind the suspicious process and decide whether it is malicious.

(1) Check for suspicious ports

Check method 1:

1. Use the netstat command to list the current network connections and locate suspicious ESTABLISHED connections:

netstat -ano

2. Use the PID from that output to locate the process with tasklist (replace PID with the number shown by netstat):

tasklist | findstr "PID"
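On a host with many connections it is quicker to join the two listings by PID in a script. The following Python is an added example, not code from the original article: it parses constructed netstat -ano and tasklist output, flags listeners outside an assumed allow-list of expected ports, and flags ESTABLISHED sessions to peers outside assumed internal address ranges, reporting the owning image name for each PID.

```python
import re
from ipaddress import ip_address, ip_network
# Constructed sample output of "netstat -ano" and "tasklist" (not a real capture).
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1040
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       5236
  TCP    10.0.0.5:3389          10.0.0.20:50112        ESTABLISHED     1040
  TCP    10.0.0.5:49812         203.0.113.7:443        ESTABLISHED     5236
"""
TASKLIST_SAMPLE = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
svchost.exe                    912 Services                   0     12,344 K
svchost.exe                   1040 Services                   0      9,120 K
updater.exe                   5236 Console                    1     31,980 K
"""
# Baseline assumed for the example (tune per host): expected ports and internal ranges.
EXPECTED_LISTEN_PORTS = {135, 445, 3389}
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
def parse_tasklist(text):
    """Map PID -> image name from tasklist output."""
    pids = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(\d+)\s+\S+\s+\d+\s", line)
        if m:
            pids[int(m.group(2))] = m.group(1)
    return pids

def parse_netstat(text):
    """Yield (local, remote, state, pid) for the TCP rows of netstat -ano."""
    for line in text.splitlines():
        p = line.split()
        if len(p) == 5 and p[0] == "TCP":
            yield p[1], p[2], p[3], int(p[4])
def find_suspicious(netstat_text, tasklist_text):
    """Unexpected listeners and ESTABLISHED sessions to external peers, with the image name."""
    names = parse_tasklist(tasklist_text)
    hits = []
    for local, remote, state, pid in parse_netstat(netstat_text):
        port = int(local.rsplit(":", 1)[1])
        image = names.get(pid, "<unknown>")
        if state == "LISTENING" and port not in EXPECTED_LISTEN_PORTS:
            hits.append(("unexpected-listener", str(port), pid, image))
        elif state == "ESTABLISHED":
            peer = ip_address(remote.rsplit(":", 1)[0])
            if not any(peer in net for net in INTERNAL_NETS):
                hits.append(("external-connection", remote, pid, image))
    return hits
```

Feed it the saved output of the two commands (for example netstat -ano > net.txt and tasklist > tasks.txt) and every flagged PID is a process to inspect with the methods in the next section.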


Check method 2:

Check the ports with the D-Shield web scanner.


(2) Look for suspicious processes

Check method 1:

1. Open Run on the desktop (Win+R) and enter msinfo32.
2. Click Software Environment > Running Tasks to see the details of each process, such as its path, process ID, file creation date and start time.


Check method 2:

Open the process view of the D-Shield web scanner and focus on processes without signature information.


Check method 3:

Use Microsoft's official Process Explorer or a similar tool.


Look at suspicious processes and their child processes, focusing on:

1. Processes without signature verification information
2. Processes without description information
3. The owner of the process
4. Whether the process path is legitimate
5. Processes that occupy too much CPU or memory for a long time

3. Check startup items, scheduled tasks and services

Startup items, scheduled tasks and services are common means for an attacker to maintain access. After breaking into a Windows machine, the attacker can modify the registry or replace the sticky-keys program to regain access when the system starts, and can create scheduled tasks under administrator privileges. Scheduled-task backdoors come in two kinds, administrator privilege and ordinary user privilege, and administrator privilege allows more kinds of task, for example running after a restart. A backdoor service can also be created through meterpreter.

(1) Check for abnormal startup items

Check method 1:

Click Start > All Programs > Startup. By default this directory is empty; confirm that it contains no non-business programs.


Check method 2:

Open Run on the desktop (Win+R) and enter msconfig. Check whether any startup item has an abnormal name; if so, untick that item and delete the file at the path shown in the Command column.


Check method 3:

Open Run on the desktop (Win+R), enter regedit to open the registry, and check whether the boot entries are normal, paying special attention to these three registry keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

Check the values on the right-hand side for abnormal startup entries and delete any you find. It is also recommended to install anti-virus software and run a scan to remove residual viruses or Trojans.
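The same three keys can be dumped with reg query and screened automatically. The following Python is an added example, not code from the original article: it parses constructed reg query output of the Run keys and flags entries that run from a user-writable directory or are launched through a script host. The sample output, the writable-directory list and the script-host list are assumptions for the example.

```python
import re
# Constructed sample output of
#   reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
#   reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
# (not a real capture; the two suspicious entries are invented for the example).
REG_SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    VMware User Process    REG_SZ    "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    WinUpdate    REG_SZ    C:\Users\Public\Libraries\svchost.exe
    Helper    REG_SZ    powershell -w hidden -f C:\ProgramData\update.ps1
"""
# Assumed lists for the example. Paths are compared lower-case with "/" separators.
WRITABLE_DIRS = ("/temp/", "/users/public/", "/programdata/")   # any user can write here
SCRIPT_HOSTS = ("powershell", "pwsh", "wscript", "cscript", "mshta", "rundll32", "regsvr32", "cmd")
VALUE_RE = re.compile(r"^ {4}(.+?) {4}(REG_\w+) {4}(.*)$")   # "    name    type    data"

def parse_reg_query(text):
    """Yield (key, value_name, data) triples from reg query output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        else:
            m = VALUE_RE.match(line)
            if m and key:
                yield key, m.group(1), m.group(3)

def classify(data):
    """Reasons a startup command deserves a look (empty list if none)."""
    cmd = data.strip().lower().replace("\\", "/")
    exe = cmd.split('"')[1] if cmd.startswith('"') else cmd.split(" ")[0]
    reasons = []
    if any(d in cmd for d in WRITABLE_DIRS):
        reasons.append("runs from user-writable directory")
    if exe.rsplit("/", 1)[-1].split(".")[0] in SCRIPT_HOSTS:
        reasons.append("launched through a script host or system binary")
    return reasons

def suspicious_startup(text):
    """(key, value name, reasons) for every flagged entry, in file order."""
    hits = []
    for key, name, data in parse_reg_query(text):
        reasons = classify(data)
        if reasons:
            hits.append((key, name, reasons))
    return hits
```

The classify() heuristic applies equally to the "Task To Run" column of schtasks /query /fo CSV /v and to service ImagePath values, so the same screening covers the scheduled-task and service checks below.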


Check method 4:

Use security software to view startup items, boot-time management, etc.


Check method 5:

Open Run on the desktop (Win+R) and enter gpedit.msc to view Group Policy.


(2) Check scheduled tasks

Check method 1:

1. Open Run on the desktop (Win+R) and enter control to open the Control Panel.
2. Under System and Security, view the properties of the scheduled tasks; the path of the Trojan file can be found there.


Check method 2:

1. Open Run on the desktop (Win+R) and enter cmd to open a command-line window.
2. Check the sessions and scheduled tasks between this computer and other computers on the network, and if any exist confirm whether the connection is normal. Scheduled tasks are invoked with the at command on Windows 7 and earlier, and with the schtasks command on Windows 8 and later.

Windows Server 2016: run schtasks

Windows 7: run at


Check method 3:

Use security software to view the scheduled tasks.


(3) Check for services that start automatically

Check method:

1. Open Run on the desktop (Win+R) and enter services.msc.
2. Pay attention to the service status and startup type, and check for abnormal services.


4. Check system information

If the operating system itself has vulnerabilities, the consequences are often fatal: if the machine is vulnerable to EternalBlue and no protective measures have been taken, the attacker can run the exploit module from MSF and directly obtain SYSTEM privileges on the target Windows host. At the same time, attackers often leave clues after entering the system, such as uploaded files that were not cleaned up, browser history that was not deleted, or downloaded files that were not removed. When checking system information, focus on the vulnerabilities of the system itself and on the files the attacker used.

(1) Check the system version and patch information

Check method:

1. Open Run on the desktop (Win+R) and enter systeminfo.
2. Review the system information and patch status.


3. Save the output to a text file and use windows-exploit-suggester to analyze which vulnerabilities the missing patches leave open:

python windows-exploit-suggester.py --database 2021-08-26-mssb.xls --systeminfo systeminfo.txt


(2) Check suspicious directories and files

Check method 1:

Look in the user directory for newly created user profile directories:

Windows 2003: C:\Documents and Settings
Versions after Windows 2003: C:\Users\


Check method 2:

1. Open Run on the desktop (Win+R) and enter %UserProfile%\Recent.
2. Analyze the recently opened files for anything suspicious.


Check method 3:

1. Open File Explorer and go through each folder on the server.
2. Sort the files in each folder by time and look for suspicious files. A file whose modification time is earlier than its creation time is suspicious; you can also search for files modified within a given time range. Pay particular attention to whether windows\system32\sethc.exe has been replaced by the cmd program.
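The two file checks above can be scripted. The following Python is an added example, not code from the original article: it compares the hash of sethc.exe with cmd.exe in the same directory (generalized here to the other accessibility helpers, an addition of this example), lists files whose modification time precedes their creation time, and lists files modified inside an incident window. The SystemRoot default and the helper list are assumptions.

```python
import hashlib
import os
from pathlib import Path

SYSTEM32 = Path(os.environ.get("SystemRoot", r"C:\Windows")) / "System32"
# Accessibility helpers that a sticky-keys style backdoor swaps for cmd.exe.
# sethc.exe is the case from the text; the others are added by this example.
ACCESSIBILITY_BINARIES = ("sethc.exe", "utilman.exe", "osk.exe", "narrator.exe", "magnify.exe")

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def replaced_accessibility_binaries(system32=SYSTEM32):
    """Names of helpers whose content is byte-identical to the cmd.exe next to them."""
    system32 = Path(system32)
    cmd = system32 / "cmd.exe"
    if not cmd.is_file():
        return []
    cmd_hash = sha256_of(cmd)
    return [name for name in ACCESSIBILITY_BINARIES
            if (system32 / name).is_file() and sha256_of(system32 / name) == cmd_hash]

def file_times(path):
    """(path, created, modified). Creation is st_birthtime where available (Python 3.12+ on
    Windows), else st_ctime, which is the creation time on older Python builds on Windows."""
    st = os.stat(path)
    return str(path), getattr(st, "st_birthtime", st.st_ctime), st.st_mtime

def timestamp_anomalies(files):
    """Entries whose modified time precedes creation: copied in later or timestomped."""
    return [p for p, created, modified in files if modified < created]

def modified_in_window(root, start_ts, end_ts):
    """Files under root modified inside the incident window [start_ts, end_ts]."""
    return sorted(str(p) for p in Path(root).rglob("*")
                  if p.is_file() and start_ts <= p.stat().st_mtime <= end_ts)
```

Call timestamp_anomalies(file_times(p) for p in Path(some_dir).rglob("*") if p.is_file()) on a web root or upload directory to get the first check over a whole tree; a hit from replaced_accessibility_binaries() means the helper on the logon screen now launches a shell.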


Check method 4:

Check the Recycle Bin, the browser download directory and the browser history.


(3) View hidden files

Check method 1:

1. Open Run on the desktop (Win+R) and enter control to open the Control Panel.
2. Find File Explorer Options, open the View tab, untick "Hide protected operating system files", and under "Hidden files and folders" select "Show hidden files, folders, and drives".


Check method 2:

On a recent enough version of Windows, set this directly in File Explorer.


Check method 3:

View files with the help of FileSeek.


5. Log analysis

This mainly means viewing the system logs and the web logs. Logs help us confirm our judgment of the intrusion process and discover other intrusion behaviour, but only if logging was turned on in the first place; this is discussed further under log analysis.

(1) System logs

Analysis method:

1. Open Run on the desktop (Win+R) and enter eventvwr.msc.
2. Find Event Viewer and view the Windows logs (Application, Security, Setup, System and Forwarded Events).
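What to look for once the logon events have been pulled out of the Security log, for both the account check in section 1 and the log analysis here: a burst of failed logons (4625) from one source, a successful logon (4624) from that same source afterwards, and a new account (4720) that is then added to a local group (4732). The following Python is an added example, not code from the original article; the records are constructed and reduced to the few fields used, and the threshold and window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Security-log records reduced to (time, event id, account the event is
# about, source IP, logon type). 4625 = failed logon, 4624 = successful logon,
# 4720 = user account created, 4732 = member added to a local group. Not a real capture.
EVENTS = [
    ("2021-09-08 02:11:05", 4625, "Administrator", "203.0.113.9", 10),
    ("2021-09-08 02:11:07", 4625, "Administrator", "203.0.113.9", 10),
    ("2021-09-08 02:11:09", 4625, "admin", "203.0.113.9", 10),
    ("2021-09-08 02:11:12", 4625, "Administrator", "203.0.113.9", 10),
    ("2021-09-08 02:11:15", 4625, "Administrator", "203.0.113.9", 10),
    ("2021-09-08 02:11:40", 4624, "Administrator", "203.0.113.9", 10),
    ("2021-09-08 02:13:02", 4720, "svc$", "-", 0),
    ("2021-09-08 02:13:10", 4732, "svc$", "-", 0),
    ("2021-09-08 08:29:50", 4625, "alice", "10.0.0.20", 10),
    ("2021-09-08 08:30:00", 4624, "alice", "10.0.0.20", 10),
]
FAIL_THRESHOLD = 5            # failed logons from one source inside WINDOW
WINDOW = timedelta(minutes=5)

def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def brute_force_sources(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Map source IP -> time of the first failure in a burst of >= threshold 4625s."""
    fails = defaultdict(list)
    for ts, eid, _, ip, _ in sorted(events):
        if eid == 4625:
            fails[ip].append(_t(ts))
    hits = {}
    for ip, times in fails.items():
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                hits.setdefault(ip, times[i])
    return hits

def successes_after_brute_force(events, **kw):
    """(time, account, ip) of 4624 logons from a brute-forcing source after its burst began."""
    bad = brute_force_sources(events, **kw)
    return [(ts, user, ip) for ts, eid, user, ip, _ in sorted(events)
            if eid == 4624 and ip in bad and _t(ts) >= bad[ip]]

def accounts_created_then_elevated(events):
    """Accounts created (4720) and later added to a local group (4732): likely persistence."""
    created = {(user, _t(ts)) for ts, eid, user, _, _ in events if eid == 4720}
    return sorted({user for ts, eid, user, _, _ in events if eid == 4732
                   and any(user == c and _t(ts) >= when for c, when in created)})
```

Logon type 10 is RemoteInteractive (RDP), which is the service the brute-force description in section 1 starts with; the source IP from the 4624 record is also where the netstat check above should expect an ESTABLISHED session.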


(2) Web logs

Analysis method:

1. Locate the middleware, application and WAF logs (including but not limited to IIS, Nginx, the Baota (宝塔) panel, and the website itself).
2. Package them up for local analysis and search for keywords in an editor.


6. Scanning with tools

Webshells and viruses are the enemies of a Windows system: they keep the attacker's system privileges, steal information, infect other hosts, encrypt files, and so on, doing great harm to the operating system. D-Shield and Huorong (火绒) are recommended here (and of course the more scanners the better). Run a full virus scan, and scan the web directories for webshells.


0x03 Summary

When doing emergency response we still need to think more from the attacker's perspective: know yourself and know your enemy, and you will win every battle. That is all for intrusion investigation on Windows systems; feel free to leave a message in the comments.

Copyright notice
This article was written by [Kali_ Ma]; please include a link to the original when reposting. Thank you.
https://cdmana.com/2021/09/20210909124112689t.html
