20175307 2020-4 "Network Countermeasure Technology" Exp4 Malicious Code Analysis

1. Practical goals

1. Practice content

System operation monitoring
Use a mechanism such as scheduled tasks to record, every minute, which programs on the computer make network connections and where the external IPs they connect to are located. Run this for a period of time, analyze the resulting file, and summarize the findings. Objective: find out which networked programs make connections and what they do, judge whether this activity is appropriate and reasonable, and capture packets in a targeted way for further analysis;
install and configure the Sysmon tool from Sysinternals, set up a reasonable configuration file, and monitor the host for suspicious behavior;
analyzing the actual logs also requires creativity, combined with previously learned knowledge such as Linux text-processing commands (the difficulty is to find patterns in a large amount of data and spot the problem).
Malware analysis
Analyze the backdoor software:
which registry entries are read, added, and deleted when the software starts and connects back to the attacking machine, and any other operations it performs (such as process migration or screen capture);
which files are read, added, and deleted;
which external IPs are connected to, and what data is transferred (packet capture analysis).

2. Practical steps

1. Use the schtasks command to monitor the system

(1) Use the schtasks command to create a scheduled task named netstat5307: schtasks /create /TN netstat5307 /sc MINUTE /MO 1 /TR "cmd /c netstat -bn > C:\Users\GSC\netstatlog.txt"

(2) Create a new file schtasks5307.txt with the following contents (the date and time are written before each netstat listing so that each snapshot can be attributed to a minute):

date /t >> C:\Users\GSC\netstat20175307.txt
time /t >> C:\Users\GSC\netstat20175307.txt
netstat -bn >> C:\Users\GSC\netstat20175307.txt

and save it on the C drive as schtasks5307.bat.
(3) Modify the scheduled task.
First, change the program or script that the task runs to schtasks5307.bat.

Second, in the security options, set the task to run whether or not the user is logged on, and to run with the highest privileges.

(4) After 1 hour, check the log file.

(5) Use Excel to analyze the data.

After setting up the import, the data is in an Excel file.

(6) Visualization with a pivot table.
Reference blog: https://www.cnblogs.com/zjy1997/p/8824717.html#4.1

According to the chart above, the most frequent is svchost.exe with 169 entries, followed by QQLiveService.exe with 165; lkads.exe, lkcitdl.exe, lktsrv.exe, mDNSResponder.exe, nidmsrv.exe, nvcontainer.exe and AppleMobileDeviceService.exe are tied at 110. Except for QQ, I don't know what the other exes do. I also found backgroundTaskHost.exe.

Looking them up: nidmsrv.exe, lkcitdl.exe, lktsrv.exe and lkads.exe are service processes of National Instruments.
nvcontainer.exe is an NVIDIA process.
mDNSResponder.exe and AppleMobileDeviceService.exe are services installed by the iTunes software to support Apple mobile devices.
QQLiveService.exe is a Tencent process.
backgroundTaskHost.exe is verified as a Microsoft Windows component through its digital signature.
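The per-executable count above was produced with an Excel pivot table; the goals also mention doing this analysis with text-processing tools. The following Python script is an added example, not code from the original report: it parses the netstat20175307.txt format that the batch file writes (date /t, time /t, then netstat -bn, once a minute) and counts connections per executable and, for each executable, each remote ip:port it used. The sample log, the executable name backdoor_5307.exe and the remote address 203.0.113.8 are constructed; 192.168.43.132:5307 is the Kali address and port used in this report.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of netstat20175307.txt: "date /t", "time /t", "netstat -bn", once a minute.
SAMPLE_LOG = """\
2020/04/14 Tue
10:00
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.43.10:49700    203.0.113.8:443        ESTABLISHED
 [svchost.exe]
  TCP    192.168.43.10:49701    192.168.43.132:5307    ESTABLISHED
 [backdoor_5307.exe]
2020/04/14 Tue
10:01
  Proto  Local Address          Foreign Address        State
  TCP    192.168.43.10:49701    192.168.43.132:5307    ESTABLISHED
 [backdoor_5307.exe]
  TCP    192.168.43.10:49703    203.0.113.8:443        ESTABLISHED
 [svchost.exe]
"""

CONN_RE = re.compile(r"^\s*(?:TCP|UDP)\s+\S+\s+(\S+)\s*(\S*)")   # proto, local, foreign, state
EXE_RE = re.compile(r"^\s*\[(.+?)\]\s*$")                        # " [name.exe]" after a connection
STAMP_RE = re.compile(r"^\d{4}/\d{2}/\d{2}|^\d{1,2}:\d{2}\s*$")  # date /t and time /t lines

def parse_netstat_log(text):
    """One record per connection line, tagged with its timestamp and owning exe."""
    records, stamp, pending = [], [], None
    for line in text.splitlines():
        if STAMP_RE.match(line):
            stamp = (stamp + [line.strip()])[-2:]   # keep the latest date + time pair
        elif m := CONN_RE.match(line):
            foreign, state = m.groups()
            host, _, port = foreign.rpartition(":")  # also handles IPv6 "[::1]:443"
            pending = dict(time=" ".join(stamp), ip=host.strip("[]"), port=port, state=state)
        elif (m := EXE_RE.match(line)) and pending:
            records.append(dict(pending, exe=m.group(1)))
            pending = None
    return records

def summarize(records):
    """Connection count per exe, and per exe a count of each remote ip:port it used."""
    by_exe = Counter(r["exe"] for r in records)
    dests = defaultdict(Counter)
    for r in records:
        if r["ip"] not in ("*", "0.0.0.0", "::"):   # skip unbound / listening sockets
            dests[r["exe"]][r["ip"] + ":" + r["port"]] += 1
    return by_exe, dests
```

Running summarize(parse_netstat_log(open("netstat20175307.txt").read())) on the real log gives the same ranking as the pivot table, and the per-exe destination table makes an unfamiliar executable that keeps talking to one ip:port stand out.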

2. Use the sysmon tool to monitor the system

(1) Download the Sysinternals Suite and check the version information.

(2) Create the configuration file sysmon20175307.xml

(3) Run as administrator: Sysmon64.exe -i sysmon20175307.xml

(4) View the captured events
Open Event Viewer (Local); under Applications and Services Logs, Microsoft-Windows-Sysmon, the captured events can be viewed.
Figure: the local Event Viewer
Near the top of the list I found a searchfilterhost.exe. This is a search process: because I searched for Event Viewer while the process was being captured, the search process was discovered and recorded.

3. Analyze the backdoor file from Experiment 3

(1) Win10 connects back to Kali,

(2) Kali gets a shell

(3) Execute the screenshot command, dir, getpid, getuid, etc.

(4) Analyze the Event Viewer

PS: Because the target machine Win10 is a virtual machine, and the platform is VMware rather than VirtualBox, the camera cannot be accessed.

4. SysTracer

SysTracer is a security auxiliary tool that integrates HIPS and process behavior tracking functions. It can track and monitor the modification behavior of processes on the entire system, including file operations, registry operations, memory operations, and dangerous behaviors. SysTracer can monitor all processes, or a process specified by the user together with its child processes, and provides monitoring logs to help users analyze the behavior of a specific process. You can take any number of system snapshots at any desired time, compare any pair of snapshots, and observe the differences between them. Taking a snapshot usually takes a few minutes, depending on the number of files and folders and the total number of registry entries.

Figure: SysTracer

Snapshot #1 is taken before the malware is implanted.
Snapshot #2 is taken after the reverse connection and after executing MSF commands.

After comparing, I found the new backdoor exe.
Figure: SysTracer findings

According to the following two figures:

SysTracer found the py_tcp reverse-connection operation and accurately recorded the TCP address and port, which are exactly Kali's IP address 192.168.43.132 and port 5307.
At the same time, Kali performed four operations after receiving the connection, corresponding to the four question-mark entries in SysTracer. After that, Windows 10's firewall deleted the backdoor file.

5. Answer questions after the experiment

(1) If you suspect there is malicious code on a host at work, but it is only a guess, and you want to monitor what the system is doing every day: design which operations you want to monitor and which method to use for monitoring.
1. Use Sysmon with a custom XML configuration file to monitor the host.
2. Use SysTracer to take snapshots and compare them to see how the system state changes.
3. Use Wireshark to capture and analyze packets.
(2) If you have determined that there is a problem with a program or process, what tools do you have to get further information about it?
First, you can view the digital signature of the process or program; a normal exe's digital signature passes verification.

After comparison, you can clearly see the danger of the py backdoor file.
Second, the VirusTotal scanning site used in Experiment 3 can be used for detection, or 360 can be used to scan for and remove Trojans.

6. Experimental thoughts

The current defense methods are relatively complete. After the viruses produced in Experiment 3 and Experiment 2 connect back, they cannot survive for long and are detected and cleaned up by the computer's antivirus software. This experiment took a long time. On the one hand, configuring the environment took too much time: the local Win10 could not connect to Kali, and Win7 could not run Sysmon, so a single Win10 virtual machine had to be reconfigured. On the other hand, I was unfamiliar with the experimental procedure and could not accurately and skillfully use the software to capture the backdoor program "doing bad things".

Origin www.cnblogs.com/gsc20175307/p/12703768.html