2019-2020-2 20175309 Liu Yuheng "Network Countermeasure Technology" EXP4 malicious code analysis

1. Experimental task

(1) Experimental goal

· Monitor the running status of your own system to see whether suspicious programs are running.
· Analyze a piece of malware: analyze the backdoor software generated in Exp2 or Exp3. For analysis tools, try to use native commands, the Sysinternals suite, or Systracer.
· If in future work you suspect that your host has a problem, you can apply the approach from this experiment: first monitor the whole system to see whether suspicious objects can be found, then analyze the suspicious objects further to confirm their specific behavior and nature.

(2) Experimental content

System operation monitoring
(1) Use a scheduled task or similar to record, every minute, which programs on your computer are connected to the network and which external IP they are connected to. Run it for a while, then analyze the file and summarize the results. The goal is to find out all the programs that connect to the network, where they connect to, and what they do (without capturing packets you can only guess). Do you think this is reasonable? If you want to analyze further, you can capture packets in a targeted way.
(2) Install and configure the sysmon tool from Sysinternals, set up a reasonable configuration file, and monitor the suspicious behaviors on your host.
Malware analysis
Analyze the software when it connects back, installs itself on the target machine, and performs other operations (such as process migration or screen capture; what matters is that you are interested in them):
· What registry entries are read, added, and deleted
· What files are read, added, and deleted
· What external IPs are connected to, and what data is transferred (packet capture analysis)

2. Experimental procedure

1. Use schtasks instruction to monitor the system

Use the command schtasks /create /TN netstat5309 /sc MINUTE /MO 1 /TR "cmd /c netstat -bn > c:\netstatlog.txt" to create the scheduled task netstat5309.

Create a new file schtasks5309.bat and enter the following:

:: append the date and time, then the current connections with their owning program
date /t >> c:\netstat20175309.txt
time /t >> c:\netstat20175309.txt
netstat -bn >> c:\netstat20175309.txt

Open the Task Scheduler Library in Computer Management; you can see the newly created task.

Double-click the task and click Actions -> Edit -> Program/script, and change it to our new net5309.bat.

In the General tab, select "Run whether user is logged on or not" and check "Run with highest privileges".

Open netstat5309.txt to view the results. After accumulating more than ten hours of data, the data was organized into a chart with WPS as follows:

It can be seen that apart from the TCP system connections, the programs that use the network most are the VM virtual machine, QQ and WeChat; there are no other programs.
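The summary step above (finding out which programs connect where, and how often) can also be done without WPS. The following Python script is an added example, not part of the original report: it parses a log in exactly the format the batch file writes (date /t, time /t, netstat -bn, repeated every minute), groups the foreign endpoints by owning program, and lists connections that stay ESTABLISHED across several samples, which is the pattern a connect-back backdoor shows. The sample log, program names and addresses are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of the accumulated log (two one-minute samples). The
# program names and addresses are made up for illustration, not real data.
SAMPLE_LOG = """\
2020/04/15
10:01

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.95.1:49812     192.168.95.128:5309    ESTABLISHED
 [backdoor5309.exe]
  TCP    192.168.95.1:49920     203.0.113.10:443       ESTABLISHED
 [WeChat.exe]
  TCP    127.0.0.1:49671        127.0.0.1:49672        ESTABLISHED
 [vmware-hostd.exe]
  TCP    192.168.95.1:49931     198.51.100.7:80        TIME_WAIT
2020/04/15
10:02

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.95.1:49812     192.168.95.128:5309    ESTABLISHED
 [backdoor5309.exe]
  TCP    192.168.95.1:50002     203.0.113.44:443       ESTABLISHED
  CryptSvc
 [svchost.exe]
"""

DATE_RE = re.compile(r"^\d{4}/\d{1,2}/\d{1,2}")          # output of date /t
TIME_RE = re.compile(r"^\d{1,2}:\d{2}$")                  # output of time /t
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
OWNER_RE = re.compile(r"^\s*\[(.+?)\]\s*$")               # "[name.exe]" lines from -b


def parse_netstat_log(text):
    """Return one dict per connection line: sample, proto, local, foreign, state, program."""
    records, sample, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if DATE_RE.match(line):            # a new netstat run begins with the date line
            sample, current = line, None
            continue
        if TIME_RE.match(line):
            sample = f"{sample} {line}"
            continue
        m = CONN_RE.match(line)
        if m:
            proto, local, foreign, state = m.groups()
            current = {"sample": sample, "proto": proto, "local": local,
                       "foreign": foreign, "state": state or "",
                       "program": "unknown"}   # stays "unknown" if no owner line follows
            records.append(current)
            continue
        m = OWNER_RE.match(line)
        if m and current is not None:
            current["program"] = m.group(1)   # the owner line belongs to the preceding connection
            current = None
    return records


def is_local(addr):
    """True for loopback, wildcard and unspecified endpoints, which are not external traffic."""
    host = addr.rpartition(":")[0]
    return host in ("[::1]", "0.0.0.0", "[::]", "*") or host.startswith("127.")


def summarize(records, ignore_local=True):
    """Map each program to a Counter of the external endpoints it was seen talking to."""
    by_program = defaultdict(Counter)
    for r in records:
        if ignore_local and is_local(r["foreign"]):
            continue
        by_program[r["program"]][r["foreign"]] += 1
    return dict(by_program)


def persistent(records, min_samples=2):
    """(program, foreign) pairs that were ESTABLISHED in at least min_samples distinct samples."""
    seen = defaultdict(set)
    for r in records:
        if r["state"] == "ESTABLISHED" and not is_local(r["foreign"]):
            seen[(r["program"], r["foreign"])].add(r["sample"])
    return sorted(k for k, s in seen.items() if len(s) >= min_samples)


if __name__ == "__main__":
    recs = parse_netstat_log(SAMPLE_LOG)
    for program, endpoints in sorted(summarize(recs).items()):
        print(program, dict(endpoints))
    print("persistent:", persistent(recs))
```

Connections in TIME_WAIT have no owner line in netstat -b output, so they are reported under "unknown"; a service component line such as CryptSvc is skipped because the bracketed line after it names the actual process. The persistent() list is the first thing to look at: a long-lived connection to a non-web port that belongs to an unfamiliar program is exactly what the backdoor in this report looks like.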

2. Use the sysmon tool to monitor the system

Download SysinternalsSuite.zip and unzip it.
Select Sysmon64.exe, right-click Properties, open the Details tab, and check the version: it is 10.42.
Then write sysmon20175309.xml in this directory:

<Sysmon schemaversion="10.42">
  <!-- Capture all hashes -->
  <HashAlgorithms>*</HashAlgorithms>
  <EventFiltering>
    <!-- Process creation: drop chrome.exe, and otherwise only log processes -->
    <!-- whose parent is cmd.exe (exclude rules take precedence over include) -->
    <ProcessCreate onmatch="exclude">
      <Image condition="end with">chrome.exe</Image>
    </ProcessCreate>

    <ProcessCreate onmatch="include">
      <ParentImage condition="end with">cmd.exe</ParentImage>
    </ProcessCreate>

    <!-- File creation time changes: log everything except chrome.exe -->
    <FileCreateTime onmatch="exclude" >
      <Image condition="end with">chrome.exe</Image>
    </FileCreateTime>

    <!-- Network connections: drop chrome.exe, NetBIOS name service (source port 137) -->
    <!-- and loopback; of the rest, log only connections to ports 80 and 443 -->
    <NetworkConnect onmatch="exclude">
      <Image condition="end with">chrome.exe</Image>
      <SourcePort condition="is">137</SourcePort>
      <SourceIp condition="is">127.0.0.1</SourceIp>
    </NetworkConnect>

    <NetworkConnect onmatch="include">
      <DestinationPort condition="is">80</DestinationPort>
      <DestinationPort condition="is">443</DestinationPort>
    </NetworkConnect>

    <!-- Remote thread creation into common injection targets, or from powershell.exe -->
    <CreateRemoteThread onmatch="include">
      <TargetImage condition="end with">explorer.exe</TargetImage>
      <TargetImage condition="end with">svchost.exe</TargetImage>
      <TargetImage condition="end with">firefox.exe</TargetImage>
      <TargetImage condition="end with">winlogon.exe</TargetImage>
      <SourceImage condition="end with">powershell.exe</SourceImage>
    </CreateRemoteThread>
  </EventFiltering>
</Sysmon>

Then open cmd as administrator, change to this directory, and run Sysmon.exe -i sysmon20175309.xml to start it.

Click Agree, and it starts successfully.

Open Computer Management -> Event Viewer -> Applications and Services Logs -> Microsoft -> Windows -> Sysmon -> Operational to view the process information recorded according to the configuration.

Scroll to the last entry and you can see the sysmon20175309 configuration information.
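Whether a given event ends up in the Sysmon Operational log depends on how the include and exclude rule groups in the configuration combine, and that is easy to get wrong. The following Python script is an added example, not part of the original report or of Sysmon itself: it reads the report's sysmon20175309.xml (embedded below, minus comments), implements the matching rules Sysmon documents (conditions are case-insensitive, exclude rules take precedence, and when include rules exist for an event type an event must match one of them), and evaluates constructed events against it. Event types the configuration does not mention are reported as undecided rather than guessing Sysmon's defaults for them.

```python
import xml.etree.ElementTree as ET

# The report's sysmon20175309.xml, reproduced here as the simulator's input.
CONFIG_XML = """\
<Sysmon schemaversion="10.42">
  <HashAlgorithms>*</HashAlgorithms>
  <EventFiltering>
    <ProcessCreate onmatch="exclude">
      <Image condition="end with">chrome.exe</Image>
    </ProcessCreate>
    <ProcessCreate onmatch="include">
      <ParentImage condition="end with">cmd.exe</ParentImage>
    </ProcessCreate>
    <FileCreateTime onmatch="exclude">
      <Image condition="end with">chrome.exe</Image>
    </FileCreateTime>
    <NetworkConnect onmatch="exclude">
      <Image condition="end with">chrome.exe</Image>
      <SourcePort condition="is">137</SourcePort>
      <SourceIp condition="is">127.0.0.1</SourceIp>
    </NetworkConnect>
    <NetworkConnect onmatch="include">
      <DestinationPort condition="is">80</DestinationPort>
      <DestinationPort condition="is">443</DestinationPort>
    </NetworkConnect>
    <CreateRemoteThread onmatch="include">
      <TargetImage condition="end with">explorer.exe</TargetImage>
      <TargetImage condition="end with">svchost.exe</TargetImage>
      <TargetImage condition="end with">firefox.exe</TargetImage>
      <TargetImage condition="end with">winlogon.exe</TargetImage>
      <SourceImage condition="end with">powershell.exe</SourceImage>
    </CreateRemoteThread>
  </EventFiltering>
</Sysmon>
"""


def _match(cond, field_value, rule_value):
    """Sysmon filter conditions used in this config (plus a few common ones); case-insensitive."""
    a, b = field_value.lower(), rule_value.lower()
    if cond == "is":
        return a == b
    if cond == "is not":
        return a != b
    if cond == "contains":
        return b in a
    if cond == "begin with":
        return a.startswith(b)
    if cond == "end with":
        return a.endswith(b)
    if cond == "image":                      # full path or bare image name
        return a == b or a.rsplit("\\", 1)[-1] == b
    raise ValueError(f"unsupported condition: {cond}")


def load_rules(xml_text):
    """Return {event_type: {"include": [(field, cond, value), ...], "exclude": [...]}}."""
    root = ET.fromstring(xml_text)
    rules = {}
    for group in root.find("EventFiltering"):
        bucket = rules.setdefault(group.tag, {"include": [], "exclude": []})
        onmatch = group.get("onmatch", "exclude")
        for rule in group:
            bucket[onmatch].append((rule.tag, rule.get("condition", "is"), (rule.text or "").strip()))
    return rules


def would_log(rules, event_type, event):
    """True/False if the config decides this event; None if the event type is not configured."""
    if event_type not in rules:
        return None
    group = rules[event_type]

    def hit(rule_list):   # rules in a group are OR-ed; a field absent from the event never matches
        return any(f in event and _match(c, event[f], v) for f, c, v in rule_list)

    if hit(group["exclude"]):   # exclude always wins
        return False
    if group["include"]:        # with include rules present, only matching events are logged
        return hit(group["include"])
    return True                 # exclude-only group: everything else is logged


if __name__ == "__main__":
    r = load_rules(CONFIG_XML)
    backdoor = {"Image": r"C:\Users\user\Desktop\backdoor5309.exe", "SourceIp": "192.168.95.1",
                "SourcePort": "49812", "DestinationIp": "192.168.95.128", "DestinationPort": "5309"}
    print("backdoor NetworkConnect logged:", would_log(r, "NetworkConnect", backdoor))
```

Two things the simulation makes visible about this particular configuration: the ProcessCreate include rule means only processes started under cmd.exe are recorded (a program launched from Explorer produces no event), and the NetworkConnect include rules limit that event type to destination ports 80 and 443, so a connect-back on any other port shows up, if at all, through ProcessCreate rather than NetworkConnect.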

3. Malware analysis

Use the backdoor generated in Experiment 3 to connect back to the Kali virtual machine.

Open Wireshark to capture the packets of this connection process (there is too much data; I only captured three).

It can be clearly seen that a three-way handshake connection is established during the connect-back process.
After Win10 (192.168.95.1) connects to Kali (192.168.95.128), I can successfully find my backdoor backdoor5309 in the log.

Try using the screenshot command to take a screen capture and see what happens.
· First, a lot of data appeared in Wireshark; it is certain that data is being transmitted, though the specifics are not very clear.

· Check the log: many new entries have been added; two are selected here.

This one is very intuitive and the activity of the VM is recorded.

This is the work of the screenshot tool SnippingTool.

After trying several other commands, there were many data transmissions and log records, which are not listed here. (Actually, I forgot to take screenshots.)

Use Systracer for analysis
Download and install Systracer.
Remember to enter your own port number.

After the installation is complete, click Take snapshot to take a snapshot.

I only took snapshots three times and was then prompted that it was restricted, and I don't know why.
The first was before the backdoor program was implanted, the second after the backdoor program was implanted, and the third after connecting back.

After connecting back, click Applications at the top -> Running Processes on the left -> find the backdoor program backdoor5309.exe -> Opened Ports; you can see the address and port number of the connect-back.

Click View differences list in the bottom right corner to compare the three snapshots.
Between the first and second snapshots, we found our backdoor.

At the same time, many files and registry entries were added or deleted (for many of them access was denied and they cannot be viewed).

Between the second and third snapshots, we found our backdoor program among the running processes.

Here we also see the IP address and port of the connect-back, which proves that our connect-back is successful.
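The three-snapshot comparison above is a differencing problem: for each category (files, registry, processes, open ports), which items were added, removed or changed between two snapshots, and which cannot be decided because the tool was denied access to them in one of the snapshots. The following Python script is an added example, not part of the original report or of Systracer: it models a snapshot as a dict of category -> {item: value} (file hashes, registry values, process PIDs, remote endpoint -> owning process), computes the differences in the order the report looked at them, and searches the result for a name of interest. All three snapshots, the hashes and the user path are constructed; the backdoor name, IP and port are the ones the report shows.

```python
DENIED = "<access denied>"   # marker for an item the snapshot tool could not read

# Constructed snapshots (illustrative contents, not real SysTracer output).
SNAP_BEFORE = {                                  # 1: before the backdoor was implanted
    "files": {r"C:\Windows\System32\notepad.exe": "sha256:aa11",
              r"C:\Windows\System32\config\SAM": DENIED},
    "registry": {r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive":
                 r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    "processes": {"explorer.exe": 1234, "svchost.exe": 880},
    "ports": {},
}
SNAP_IMPLANTED = {                               # 2: backdoor copied to the desktop
    "files": {**SNAP_BEFORE["files"], r"C:\Users\user\Desktop\backdoor5309.exe": "sha256:bb22"},
    "registry": {**SNAP_BEFORE["registry"],
                 r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\MRUListEx": "01 00 00 00"},
    "processes": dict(SNAP_BEFORE["processes"]),
    "ports": {},
}
SNAP_CONNECTED = {                               # 3: backdoor running and connected back
    "files": dict(SNAP_IMPLANTED["files"]),
    "registry": dict(SNAP_IMPLANTED["registry"]),
    "processes": {**SNAP_IMPLANTED["processes"], "backdoor5309.exe": 4120},
    "ports": {"192.168.95.128:5309": "backdoor5309.exe"},   # remote endpoint -> owning process
}

CHANGE_KINDS = ("added", "removed", "modified", "unreadable")


def diff_category(before, after):
    """Classify every item of one category; items denied in either snapshot are undecidable."""
    result = {kind: [] for kind in CHANGE_KINDS}
    result["added"] = sorted(k for k in after if k not in before)
    result["removed"] = sorted(k for k in before if k not in after)
    for key in sorted(before.keys() & after.keys()):
        if before[key] == DENIED or after[key] == DENIED:
            result["unreadable"].append(key)      # present in both, but contents unknown
        elif before[key] != after[key]:
            result["modified"].append(key)
    return result


def diff_snapshot(before, after):
    """Differences per category; a category missing from one snapshot counts as empty."""
    categories = sorted(before.keys() | after.keys())
    return {cat: diff_category(before.get(cat, {}), after.get(cat, {})) for cat in categories}


def find_mentions(report, needle):
    """(category, change kind, item) triples whose item name contains needle (case-insensitive)."""
    needle = needle.lower()
    return [(cat, kind, item)
            for cat, changes in report.items()
            for kind in CHANGE_KINDS
            for item in changes[kind]
            if needle in item.lower()]


if __name__ == "__main__":
    for label, a, b in (("1 -> 2", SNAP_BEFORE, SNAP_IMPLANTED), ("2 -> 3", SNAP_IMPLANTED, SNAP_CONNECTED)):
        report = diff_snapshot(a, b)
        print(label, find_mentions(report, "backdoor5309"))
        print(label, "unreadable files:", report["files"]["unreadable"])
```

Keeping "unreadable" separate from "modified" matters for the interpretation: an item the tool could not open in one snapshot has not been shown to change, and treating it as a modification would pad the report with false findings, while treating it as unchanged would hide a real one.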

Other static analysis: PEiD
PEiD is used here, a tool dedicated to detecting packers.
· First, scan the backdoor software without any processing.

· Next, scan the backdoor software with a compression packer.

· Finally, scan the backdoor software with an encryption packer added on top of the compression packer.

Obviously, the compression packer is detected, but the encryption packer is not.
Finally, scan with our old friend VirusTotal. The results are as follows:

3. Thinking questions:

1. If you suspect there is malicious code on a host at work, but it is only a guess, and you want to monitor what the system is doing every day: design what operations you want to monitor and what method to use for monitoring.
A: This experiment has taught us several methods: use the schtasks command to monitor the system, use sysmon to record the system log, and use Systracer to take snapshots and compare the differences before and after.
2. If you have determined that a program or process has a problem, what tools do you have to get further information about it?
A: Use the comparison provided by Systracer to analyze and check the modifications to the registry and other files.

4. Experimental thoughts

This experiment was not difficult, but there was quite a lot of software to download. The last experiment taught us how to make our "spear" (the backdoor program) "sharper" (evading antivirus); this time we learned how to make our "shield" (the protection programs) "sturdier" (recording the whereabouts of backdoor programs). Learning network countermeasure techniques is very much like playing basketball: on the court they say defense wins championships, and protecting yourself at least ensures you do not suffer losses. Offense very likely costs you 800 of your own to deal 1,000 to the enemy, so only by making the "shield" stronger can you make better use of the "spear", and at least make sure your own back garden does not catch fire.

Origin www.cnblogs.com/20175309lyh/p/12709240.html