2020-3 cyber confrontation technology 20175120 exp4 malicious code analysis

Practice goals

 1.  Monitor the running state of your own system and check whether any suspicious programs are running.
 2.  Analyze a piece of malware: analyze the backdoor generated in Exp2 or Exp3; for the analysis, use native commands or the Sysinternals and SysTracer suites as far as possible.
 3.  Assume that in future work you feel your host has a problem; you can then use the approach of this experiment: first monitor the whole system to see whether a suspicious object can be found, then analyze the suspicious object further to confirm its specific behaviour and nature.

Practice content

System operation monitoring

  • Use a scheduled task to record every minute which programs on your computer connect to the Internet and which external IPs they connect to. Run it for a while, then analyze the file and summarize the results. The goal is to find out all the programs that connect to the network, where they connect to, and what they have done (without capturing packets you can only guess). Do you think it is appropriate for them to do that? If you want to analyze further, you can capture packets for a specific target.

  • Use schtasks to create a scheduled task and use netstat to record the history of application network connections

  1. Press Windows+R and open a command line

  2. Enter schtasks /create /TN 20175120netstat /sc MINUTE /MO 5 /TR "cmd /c netstat -bn > c:\netstat5120.txt"

Parameter usage:

 /TN : Task Name; the name of the task
 /sc : Schedule Type; I set it to minute
 /MO : Modifier; specifies the interval. I set it to 5, i.e. run once every 5 minutes
 /TR : Task Run; specifies the command to run, here netstat
 -bn : b shows the executable that owns each connection; n shows IPs and ports in numeric form

After the task is created successfully, you can find netstat5120.txt on the C drive; open it to view the result

  • You can also include the date and time in the statistics
  1. Create 20175120netstat.bat

Create a new text document 20175120netstat.txt on the C drive

Enter:

date /t >> c:\netstat5120.txt
time /t >> c:\netstat5120.txt
netstat -bn >> c:\netstat5120.txt

Click File > Save As

Under "Save as type", choose "All Files"

Change the file name to 20175120netstat.bat and save

  2. Modify the scheduled task so that it starts the bat file
  • Open Task Scheduler and double-click 20175120netstat

  • Under Actions, change "Program/script" to 20175120netstat.bat

  • After confirming, you can view netstat5120.txt

  3. Use Excel to view the statistics and analyze application networking

Click Data -> Import Data -> OK -> Next

At "Select data source", select netstat5120.txt, the file that holds the recorded data

At "Original data type", select "Delimited"; in the next step, check all delimiter types

After import, the document looks as follows

Delete the first three rows of the table (to avoid problems)

Under Insert, select PivotChart

Click the small icon on the right of the "Select a table or range" input box, select the second column to be analyzed (or enter Sheet1!$B:$B), and select "New Worksheet" below

Confirm to continue

Click the chart frame on the left, then on the right check "协议" (the column named Protocol); remove every item other than the application names, and drag "协议" into the lower-right frame to form a histogram

As you can see from the picture, qmbrowser.exe appears the most, because I am writing a blog ... wps.exe is second, because I am using Excel.

I just don't know whether svchost.exe and et.exe are malicious code ...
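To do the tally without Excel, here is an added example (mine, not the post's) that parses the appended netstat5120.txt format in Python: the date /t and time /t stamps, the connection lines, and the bracketed process name that netstat -bn prints on the line after each connection (with a service name in between for svchost.exe). It goes slightly beyond the pivot chart by also flagging established, non-loopback connections to ports other than 80/443, which are the candidates for a targeted packet capture. The log content, process names, addresses and ports are constructed for this example.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample of what the scheduled task appends to c:\netstat5120.txt
# (date /t, time /t, then netstat -bn); names, addresses and ports are made up.
SAMPLE_LOG = """\
2020/04/14 Tue
15:30
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.5.41:49731     203.0.113.10:443       ESTABLISHED
 [qmbrowser.exe]
  TCP    192.168.5.41:49802     203.0.113.20:80        ESTABLISHED
 [wps.exe]
  TCP    192.168.5.41:49950     198.51.100.5:443       ESTABLISHED
  CryptSvc
 [svchost.exe]
2020/04/14 Tue
15:35
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.5.41:49731     203.0.113.10:443       ESTABLISHED
 [qmbrowser.exe]
  TCP    192.168.5.41:49900     192.168.5.250:5120     ESTABLISHED
 [java.exe]
  TCP    127.0.0.1:50000        127.0.0.1:50001        ESTABLISHED
 [wps.exe]
"""

CONN_RE = re.compile(r"^(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?$")   # one connection line
PROC_RE = re.compile(r"^\[(.+)\]$")                                 # [owner.exe]
DATE_RE = re.compile(r"\d{1,4}[/-]\d{1,2}[/-]\d{1,4}")              # output of date /t
TIME_RE = re.compile(r"^\d{1,2}:\d{2}(\s*[AP]M)?$")                 # output of time /t


def split_endpoint(endpoint):
    """'192.168.5.41:49731' -> ('192.168.5.41', 49731); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat_log(text):
    """One record per connection. netstat -bn prints the connection line first and
    the owning [process] on a later line (a service name may sit in between for
    svchost.exe), so a connection stays 'pending' until its [process] line arrives."""
    records, date, time, pending, extra = [], None, None, None, []

    def finish(process):
        pending["process"], pending["components"] = process, list(extra)
        records.append(pending)

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        conn = CONN_RE.match(line)
        if conn:
            if pending is not None:          # previous connection never got a [process]
                finish("unknown")
            proto, local, foreign, state = conn.groups()
            rhost, rport = split_endpoint(foreign)
            pending = {"date": date, "time": time, "proto": proto, "local": local,
                       "remote_ip": rhost, "remote_port": rport, "state": state or ""}
            extra = []
        elif PROC_RE.match(line) and pending is not None:
            finish(PROC_RE.match(line).group(1))
            pending = None
        elif TIME_RE.match(line):
            time = line
        elif ":" not in line and DATE_RE.search(line):
            date = DATE_RE.search(line).group(0)   # weekday text is ignored
        elif pending is not None:
            extra.append(line)                     # e.g. the service hosted by svchost.exe
    if pending is not None:
        finish("unknown")
    return records


def count_by_process(records):
    """The same tally the pivot chart shows: how often each executable appears."""
    return Counter(r["process"] for r in records)


def flag_unusual(records, common_ports=(80, 443)):
    """Established, non-loopback connections to ports other than the usual web
    ports: the candidates for a targeted packet capture."""
    flagged = []
    for r in records:
        try:
            ip = ip_address(r["remote_ip"])
        except ValueError:                         # '*' or a hostname
            continue
        if r["state"] == "ESTABLISHED" and not ip.is_loopback \
                and r["remote_port"] not in common_ports:
            flagged.append((r["process"], r["remote_ip"], r["remote_port"]))
    return flagged
```

On the constructed log, count_by_process gives the same ranking as the pivot chart (qmbrowser.exe and wps.exe twice each), and flag_unusual singles out java.exe talking to 192.168.5.250:5120, the kind of entry that deserves a capture rather than a guess. A real log only needs parse_netstat_log(open(r"c:\netstat5120.txt").read()).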

  • Install and configure the Sysmon tool from Sysinternals, set a reasonable configuration file, and monitor suspicious behaviour at key points on your host.
  1. Determine the targets to monitor

Based on information found online, use the lightweight tool Sysmon to monitor your system

I chose the following items as monitoring targets

DriverLoad         driver load
ProcessCreate      process creation
FileCreateTime     file creation time
NetworkConnect     network connection
CreateRemoteThread remote thread creation
  2. Write the XML configuration file

5120sysmon.xml

<Sysmon schemaversion="4.23">
  <!-- Capture all hashes -->
  <HashAlgorithms>*</HashAlgorithms>
  <EventFiltering>
    <!-- Log all drivers except if the signature -->
    <!-- contains Microsoft or Windows -->
    <DriverLoad onmatch="exclude">
      <Signature condition="contains">microsoft</Signature>
      <Signature condition="contains">windows</Signature>
    </DriverLoad>

    <!-- "include" rule: only process creations whose parent image ends with cmd.exe -->
    <!-- are logged; a process started by any other parent is not recorded here -->
    <ProcessCreate onmatch="include">
      <ParentImage condition="end with">cmd.exe</ParentImage>
    </ProcessCreate>

    <!-- Log file creation time changes except those made by the browsers below -->
    <!-- (Internet Explorer's binary is iexplore.exe; "iexplorer.exe" would never match) -->
    <FileCreateTime onmatch="exclude">
      <Image condition="end with">chrome.exe</Image>
      <Image condition="end with">iexplore.exe</Image>
    </FileCreateTime>

    <!-- Log network connections except those of the browsers, -->
    <!-- NetBIOS name service traffic (source port 137) and loopback -->
    <NetworkConnect onmatch="exclude">
      <Image condition="end with">chrome.exe</Image>
      <Image condition="end with">iexplore.exe</Image>
      <SourcePort condition="is">137</SourcePort>
      <SourceIp condition="is">127.0.0.1</SourceIp>
    </NetworkConnect>

    <!-- Log remote threads injected into these sensitive processes, -->
    <!-- or created by powershell.exe (conditions in one rule are OR-ed) -->
    <CreateRemoteThread onmatch="include">
      <TargetImage condition="end with">explorer.exe</TargetImage>
      <TargetImage condition="end with">svchost.exe</TargetImage>
      <TargetImage condition="end with">winlogon.exe</TargetImage>
      <SourceImage condition="end with">powershell.exe</SourceImage>
    </CreateRemoteThread>
  </EventFiltering>
</Sysmon>
  3. Install and run sysmon.exe, then view the events in Event Viewer

Enter the folder where sysmon.exe was placed and enter:

sysmon.exe -i C:\5120sysmon.xml

Right-click the Windows button -> Search -> Event Viewer; open Applications and Services Logs -> Microsoft -> Windows -> Sysmon -> Operational, and you can see the filtered monitoring events

Open a record:

The event records the event type (task category) and the time at which the application was recorded. The details record the destination IP, destination port number, and destination port name.

This is the application information of WPS; it does not look very suspicious. I scanned the other events roughly and found no suspicious application

  4. I tried using the backdoor program from the AV-evasion experiment to make a reverse connection and see how the log records it

I used the jar package to connect back

The reverse connection succeeded, but I only found one java.exe event related to the reverse connection; the log record is as follows

It recorded the destination IP and port number, but I did not see any record related to cmd.exe being opened by the backdoor.
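As an added example (not part of the original post), the Python below reads Sysmon events saved from Event Viewer as XML and does two things the text does by hand: it tallies NetworkConnect records (Event ID 3) per image and destination, and it evaluates a single rule line the way the configuration file does, so you can check which ProcessCreate events (Event ID 1) a given include rule would actually keep. The sample events, paths, addresses and times are constructed; the rule evaluator covers only the conditions used in 5120sysmon.xml ("is", "contains", "end with") and assumes Sysmon's case-insensitive matching.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample in the shape Event Viewer uses when events are saved as XML
# (other System fields omitted): two NetworkConnect records and one ProcessCreate
# record. Paths, addresses and times are made up for this example.
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>3</EventID><TimeCreated SystemTime="2020-04-14T07:35:12.000Z"/></System>
  <EventData>
    <Data Name="Image">C:\Program Files\Java\bin\java.exe</Data>
    <Data Name="Initiated">true</Data>
    <Data Name="SourceIp">192.168.5.41</Data>
    <Data Name="DestinationIp">192.168.5.250</Data>
    <Data Name="DestinationPort">5120</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>3</EventID><TimeCreated SystemTime="2020-04-14T07:36:02.000Z"/></System>
  <EventData>
    <Data Name="Image">C:\Program Files\WPS Office\wps.exe</Data>
    <Data Name="Initiated">true</Data>
    <Data Name="SourceIp">192.168.5.41</Data>
    <Data Name="DestinationIp">203.0.113.20</Data>
    <Data Name="DestinationPort">443</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1</EventID><TimeCreated SystemTime="2020-04-14T07:35:30.000Z"/></System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\cmd.exe</Data>
    <Data Name="CommandLine">cmd.exe</Data>
    <Data Name="ParentImage">C:\Program Files\Java\bin\java.exe</Data>
    <Data Name="ParentCommandLine">java.exe -jar constructed.jar</Data>
  </EventData>
</Event>
</Events>
"""


def load_events(xml_text):
    """Parse saved Sysmon events into {'id', 'time', 'data'} dicts. Event Viewer's
    'Save All Events As' XML may have no single root element, so one is added."""
    text = xml_text.strip()
    if not text.startswith("<Events"):
        text = "<Events>" + text + "</Events>"
    events = []
    for ev in ET.fromstring(text).findall("e:Event", NS):
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        events.append({"id": int(ev.find("e:System/e:EventID", NS).text),
                       "time": ev.find("e:System/e:TimeCreated", NS).get("SystemTime"),
                       "data": data})
    return events


def image_name(path):
    """'C:\\Program Files\\Java\\bin\\java.exe' -> 'java.exe'."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def network_summary(events):
    """Tally outbound NetworkConnect events as (image, destination ip, port)."""
    tally = Counter()
    for ev in events:
        d = ev["data"]
        if ev["id"] == 3 and d.get("Initiated") == "true":
            tally[(image_name(d["Image"]), d["DestinationIp"], int(d["DestinationPort"]))] += 1
    return tally


def rule_matches(event, field, condition, value):
    """Evaluate one rule line of the config against an event. Only the conditions
    used in 5120sysmon.xml are implemented; Sysmon compares case-insensitively."""
    actual = event["data"].get(field, "").lower()
    value = value.lower()
    if condition == "is":
        return actual == value
    if condition == "contains":
        return value in actual
    if condition == "end with":
        return actual.endswith(value)
    raise ValueError("condition not implemented: " + condition)


def logged_process_creations(events, parent_suffix="cmd.exe"):
    """ProcessCreate events that an include rule of the form
    <ParentImage condition="end with">parent_suffix</ParentImage> would keep."""
    return [ev for ev in events
            if ev["id"] == 1 and rule_matches(ev, "ParentImage", "end with", parent_suffix)]
```

On the constructed events, network_summary shows java.exe reaching 192.168.5.250:5120, and logged_process_creations with the default "cmd.exe" suffix returns nothing, because the cmd.exe creation has java.exe as its parent; a ParentImage rule keeps the children of the named parent, so to see what a suspicious image starts, the rule has to name that image as the parent (here logged_process_creations(events, "java.exe") returns the record).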

Malware analysis

Analyze what the backdoor does when (1) starting the reverse connection, (2) being installed on the target machine, and (3) performing any other operation (such as process migration or screen capture; what matters is what interests you). For this backdoor software:

(3) which registry keys it reads, adds or deletes

(4) which files it reads, adds or deletes

(5) which external IPs it connects to and what data it transfers (packet capture analysis)
  • Use SysTracer for analysis

Download the SysTracer compressed package (http://www.skycn.net/soft/appid/30266.html) and unzip it

  • Compare and analyze the following three operations of the backdoor (the backdoor used is the earlier win_mt_rt_250.exe)
1) install on the target machine
2) reverse connection
3) obtain a shell
  • You can compare and analyze the snapshots taken after each of these three steps
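SysTracer's snapshot comparison is closed source, so as an added example (mine, not the post's or the tool's) here is the file part of that idea in Python: hash every file under a directory into a snapshot, diff two snapshots, and filter out paths under directories you expect to change on their own (for instance the analysis tool's own folder), which is exactly the difficulty the post runs into later when it cannot tell the tool's own changes from the backdoor's. The directory contents and file names are constructed inside a temporary folder; the registry side of SysTracer is not covered.

```python
import hashlib
import os
import tempfile


def take_snapshot(root):
    """Map every file under root (path relative to root) to its SHA-256:
    the file view of one snapshot."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                snap[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return snap


def diff_snapshots(before, after):
    """Files added, removed or modified between two snapshots."""
    common = set(before) & set(after)
    return {"added": sorted(set(after) - set(before)),
            "removed": sorted(set(before) - set(after)),
            "modified": sorted(p for p in common if before[p] != after[p])}


def filter_paths(diff, ignore_prefixes=()):
    """Drop paths under directories that change on their own (the analysis
    tool's own folder, temp directories) so only unexplained changes remain."""
    return {kind: [p for p in paths if not p.startswith(tuple(ignore_prefixes))]
            for kind, paths in diff.items()}


def write(root, rel, content):
    """Helper for the demo: create rel under root with the given content."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb" if isinstance(content, bytes) else "w") as fh:
        fh.write(content)


def demo():
    """Before/after comparison in a temporary directory with constructed files:
    one new executable, one changed file, and churn in the tool's own folder.
    Returns (raw diff, diff with the tool's folder filtered out)."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "Windows/hosts", "127.0.0.1 localhost\n")
        write(root, "notes.txt", "original\n")
        write(root, "SysTracer/cache.db", "snapshot 1\n")
        before = take_snapshot(root)
        # "after": a constructed placeholder for the backdoor appears, a file
        # changes, and the tool's own cache changes as a side effect
        write(root, "win_mt_rt_250_5120.exe", b"MZ constructed placeholder")
        write(root, "notes.txt", "changed\n")
        write(root, "SysTracer/cache.db", "snapshot 2\n")
        after = take_snapshot(root)
        raw = diff_snapshots(before, after)
        return raw, filter_paths(raw, ("SysTracer",))


if __name__ == "__main__":
    raw, filtered = demo()
    print("raw     :", raw)
    print("filtered:", filtered)
```

The filtered diff leaves only the new executable and the changed notes.txt, while the raw diff also reports SysTracer/cache.db; keeping a list of known-churn prefixes per tool is what makes the "file changes" view of a snapshot comparison readable.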
  1. Install on the target machine
  1) First record the state before the backdoor is present; this gives Snapshot #1 (because I operate on the host, it takes quite a long time ...)

2) Record the state after the backdoor has been moved onto the host; this gives Snapshot #4 (because I tested a few times ...)

  • Experiment analysis

1) Application changes

No changes are shown

2) Registry changes

Here is the registry .... I didn't understand it. The amount of change is large, but how much of it is due to moving the backdoor program in is uncertain. Maybe the green part is related to the backdoor

3) File changes

As you can see, win_mt_rt_250:5120.exe was moved into the host

4) External IP connection and data transmission

Here you need to use Wireshark for packet capture analysis

The file transfer is the first packet at the top: a SYN packet that sends the connection request; the packets that follow are retransmissions over time.

We can also see the host IP 192.168.5.41 and the virtual machine IP 192.168.5.250, which identify the two sides of the communication

  2. Reverse connection

Take a snapshot of the host after the reverse connection and compare it with the step in which the backdoor was moved in

1) Application changes

It can be seen that the changed application events mainly come from the reverse-connection behaviour of win_mt_rt_250:5120.exe

It can be seen from the figure that many DLL files are called during the reverse connection, and they are basically built-in Windows services. From this behaviour we can also identify inherent characteristics of the backdoor

Any application that calls the following set of DLL files at the same time may be exhibiting malicious behaviour

2) Registry changes

In this step we can see that the registry has changed. I suspect that the state of the virtual machine has changed.

3) File changes

It is not known whether the change here is due to SysTracer or to the reverse connection.

I found the same modification in many places in the figure

4) External IP connection and data transmission

The packets after the reverse connection are as shown above. The host sends a SYN packet to the virtual machine and completes the three-way handshake to establish the connection. After that, the virtual machine sends a PSH packet to the host, transmitting some data that modifies the registry and other information

The above is a screenshot of the transmitted data

Then the virtual machine sends a large number of ACK packets to the host, keeping the host busy replying to ACK packets, and thereby making various modifications easier?

  3. Obtain a shell

Take a snapshot of the host state after obtaining the host shell from Linux, and compare it with the previous step

1) Application changes

Mainly calls the host's cmd.exe, and adds many DLL files for the subsequent operations

2) Registry changes

The same location changed as in the previous step; I guess it is also caused by the change of the virtual machine

3) File changes

The changes are still the same as in the previous step, and no cause was found ...

4) External IP connection and data transmission

When obtaining the shell, the virtual machine sent a PSH packet to the host, which contained data:

Presumably this is also data related to the modification of the registry and files ...
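The two packet-capture observations above (the handshake of the reverse connection, and the PSH packets carrying data when the shell is used) can be checked programmatically instead of by reading the Wireshark list. The following is an added example of mine, not the post's: it builds a small constructed capture of Ethernet/IPv4/TCP frames between the host 192.168.5.41 and the virtual machine 192.168.5.250, decodes the flags, and reports which side initiated the handshake and how many bytes were pushed in each direction. The frames, ports and payloads are constructed; for a real capture you would feed the parser the raw frames read from a pcap file instead.

```python
import struct
from collections import Counter
from ipaddress import ip_address

HOST, VM = "192.168.5.41", "192.168.5.250"          # the two sides seen in the capture
FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK")]


def build_frame(src_ip, dst_ip, sport, dport, flags, payload=b"", seq=0, ack=0):
    """Build a minimal Ethernet/IPv4/TCP frame as parser input (checksums are
    left zero; these bytes are constructed test data, nothing is sent)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ip_address(src_ip).packed, ip_address(dst_ip).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def parse_frame(frame):
    """Decode addresses, ports, flag names and payload of one TCP/IPv4 frame."""
    if frame[12:14] != b"\x08\x00":                   # not IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    if frame[23] != 6:                                # not TCP
        return None
    src, dst = str(ip_address(frame[26:30])), str(ip_address(frame[30:34]))
    t = 14 + ihl                                      # start of the TCP header
    sport, dport = struct.unpack("!HH", frame[t:t + 4])
    data_off = (frame[t + 12] >> 4) * 4
    flags = frame[t + 13]
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "flags": "/".join(name for bit, name in FLAG_BITS if flags & bit),
            "payload": frame[t + data_off:14 + total_len]}


def handshake_initiator(packets):
    """The side that sends the first bare SYN opened the connection. In a
    reverse connection that is the victim host, not the listener."""
    for p in packets:
        if p["flags"] == "SYN":
            return p["src"], p["dst"]
    return None


def pushed_bytes(packets):
    """Bytes carried by PSH packets per direction: shows who is sending data."""
    out = Counter()
    for p in packets:
        if "PSH" in p["flags"]:
            out[(p["src"], p["dst"])] += len(p["payload"])
    return out


def flag_counts(packets):
    """How many packets of each flag combination each side sent."""
    return Counter((p["src"], p["flags"]) for p in packets)


# Constructed capture mirroring the post's description: the host connects to
# the listener on the VM, then data is pushed in both directions.
SAMPLE_CAPTURE = [
    build_frame(HOST, VM, 49900, 5120, 0x02, seq=100),
    build_frame(VM, HOST, 5120, 49900, 0x12, seq=500, ack=101),
    build_frame(HOST, VM, 49900, 5120, 0x10, seq=101, ack=501),
    build_frame(VM, HOST, 5120, 49900, 0x18, b"constructed-cmd\n", seq=501, ack=101),
    build_frame(HOST, VM, 49900, 5120, 0x18, b"constructed-reply\n", seq=101, ack=517),
    build_frame(VM, HOST, 5120, 49900, 0x10, seq=517, ack=119),
]


def analyze(frames=SAMPLE_CAPTURE):
    """Summarize a list of raw frames: initiator, pushed bytes, flag counts."""
    packets = [p for p in map(parse_frame, frames) if p]
    return {"initiator": handshake_initiator(packets),
            "pushed": pushed_bytes(packets),
            "flags": flag_counts(packets)}


if __name__ == "__main__":
    for key, value in analyze().items():
        print(key, value)
```

The initiator check is what distinguishes a reverse connection from an inbound one: the SYN leaves the host, so a firewall that only filters inbound connections never sees it, and the PSH direction tells you which side is issuing commands and which is answering.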

Experiment reflection questions

  • (1) If you suspect there is malicious code on a host at work, but it is only a guess, and you want to monitor what the system does every day: design which operations you want to monitor and which methods you would use.
1. Use the Sysmon tool and monitor applications from all aspects through Event Viewer
2. Use Task Scheduler with the netstat command to record the networking history of applications, tally the networking data, and filter out suspicious programs
3. Scan ports with nmap to determine whether there are suspicious connections
  • (2) If you have determined that a program or process has a problem, what tools can you use to get further information about it?
1. Use SysTracer to take snapshots and, by comparing where applications, the registry and files changed, learn how the malicious program starts
2. Use Wireshark to capture packets and extract the data it exchanges with the host

Experiment experience

The difficulty of this experiment lies mainly in analyzing the data obtained through the tools; whether it is Sysmon and netstat or SysTracer and Wireshark, the tools themselves are fairly convenient to use.
To analyze the data you need to know how the data maps onto application processes, but I found many places where I was unclear .......
Still, this experiment taught me a lot: through the practical use of these tools I have gained a new understanding of how malicious code attacks and how to defend against it. All of these tools can be applied in everyday life, and making good use of these methods can give me a better-protected computing environment.


Origin www.cnblogs.com/1751-pyc/p/12701876.html