<Sysmon schemaversion="10.42">
  <!-- Capture all hashes -->
  <HashAlgorithms>*</HashAlgorithms>
  <EventFiltering>
    <!-- Process creation: ignore chrome.exe itself, but record every process started by cmd.exe -->
    <ProcessCreate onmatch="exclude">
      <Image condition="end with">chrome.exe</Image>
    </ProcessCreate>
    <ProcessCreate onmatch="include">
      <ParentImage condition="end with">cmd.exe</ParentImage>
    </ProcessCreate>
    <!-- File creation time changes: ignore those made by chrome.exe -->
    <FileCreateTime onmatch="exclude">
      <Image condition="end with">chrome.exe</Image>
    </FileCreateTime>
    <!-- Network connections: ignore chrome.exe, NetBIOS source port 137 and loopback traffic; record HTTP and HTTPS destinations -->
    <NetworkConnect onmatch="exclude">
      <Image condition="end with">chrome.exe</Image>
      <SourcePort condition="is">137</SourcePort>
      <SourceIp condition="is">127.0.0.1</SourceIp>
    </NetworkConnect>
    <NetworkConnect onmatch="include">
      <DestinationPort condition="is">80</DestinationPort>
      <DestinationPort condition="is">443</DestinationPort>
    </NetworkConnect>
    <!-- Remote thread creation into these common injection targets, or originating from powershell.exe -->
    <CreateRemoteThread onmatch="include">
      <TargetImage condition="end with">explorer.exe</TargetImage>
      <TargetImage condition="end with">svchost.exe</TargetImage>
      <TargetImage condition="end with">firefox.exe</TargetImage>
      <TargetImage condition="end with">winlogon.exe</TargetImage>
      <SourceImage condition="end with">powershell.exe</SourceImage>
    </CreateRemoteThread>
  </EventFiltering>
</Sysmon>
Interpretation:
<Sysmon schemaversion="10.42">
Indicates that the Sysmon version is 10.42.
exclude
Indicates a whitelist, that is, programs matching the rules in the group are not recorded.
include
Indicates a blacklist, that is, programs matching the rules in the group are recorded.
onmatch
Indicates what happens when a rule matches.
ProcessCreate
Process creation.
NetworkConnect
Network connection.
CreateRemoteThread
Remote thread creation.
FileCreateTime
A process changing a file's creation time.
Install Sysmon with the configuration file:
Sysmon.exe -i sysmon20175330.xml
In Event Viewer, under Applications and Services Logs/Microsoft/Windows/Sysmon/Operational, you can see the event records.
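The include/exclude semantics described above, as an added example that is not part of the original report: a small Python evaluator that applies a shortened copy of the configuration to constructed events. It assumes the rule behaviour Sysmon documents (exclude matches win over include, rules inside a group are OR'ed, matching is case-insensitive); the event paths are made up.

```python
import xml.etree.ElementTree as ET

# Constructed, shortened copy of the report's config (assumption: same rule semantics).
SYSMON_CONFIG = """<Sysmon schemaversion="10.42"><EventFiltering>
  <ProcessCreate onmatch="exclude"><Image condition="end with">chrome.exe</Image></ProcessCreate>
  <ProcessCreate onmatch="include"><ParentImage condition="end with">cmd.exe</ParentImage></ProcessCreate>
  <NetworkConnect onmatch="exclude">
    <Image condition="end with">chrome.exe</Image>
    <SourcePort condition="is">137</SourcePort>
  </NetworkConnect>
  <NetworkConnect onmatch="include">
    <DestinationPort condition="is">80</DestinationPort>
    <DestinationPort condition="is">443</DestinationPort>
  </NetworkConnect>
</EventFiltering></Sysmon>"""

# Sysmon string conditions used on this page, plus two common ones; matching is case-insensitive.
CONDITIONS = {
    "is": lambda v, p: v == p,
    "is not": lambda v, p: v != p,
    "contains": lambda v, p: p in v,
    "end with": lambda v, p: v.endswith(p),
}

def group_matches(group, event):
    """A rule group matches when any one of its rules matches (rules are OR'ed)."""
    for rule in group:
        value = str(event.get(rule.tag, "")).lower()
        if CONDITIONS[rule.get("condition", "is")](value, rule.text.strip().lower()):
            return True
    return False

def is_logged(config_xml, event_type, event):
    """Exclude groups win over include groups; an event matching no include group is
    dropped (Sysmon's per-event-type defaults are not modelled here)."""
    groups = ET.fromstring(config_xml).findall(f"./EventFiltering/{event_type}")
    if any(group_matches(g, event) for g in groups if g.get("onmatch") == "exclude"):
        return False
    return any(group_matches(g, event) for g in groups if g.get("onmatch") == "include")

def demo():
    """Constructed events (paths are made up); returns which ones the config records."""
    cmd = r"C:\Windows\System32\cmd.exe"
    chrome = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
    return {
        "whoami_from_cmd": is_logged(SYSMON_CONFIG, "ProcessCreate", {"Image": r"C:\Windows\System32\whoami.exe", "ParentImage": cmd}),
        "chrome_from_cmd": is_logged(SYSMON_CONFIG, "ProcessCreate", {"Image": chrome, "ParentImage": cmd}),
        "backdoor_https": is_logged(SYSMON_CONFIG, "NetworkConnect", {"Image": r"C:\Users\lab\20175330.exe", "DestinationPort": 443, "SourcePort": 49521}),
        "netbios_src_137": is_logged(SYSMON_CONFIG, "NetworkConnect", {"Image": r"C:\Windows\System32\svchost.exe", "DestinationPort": 80, "SourcePort": 137}),
    }
```

Note that chrome.exe started from cmd.exe is still dropped: the exclude group is checked before the include group, which is why exclude rules should be written narrowly.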
3. Malware analysis
step1: Run the backdoor program from Experiment 3:
step2: View the backdoor program's running record in Event Viewer
SearchProtocolHost.exe and SearchIndexer.exe are the indexing programs of the desktop search engine in Windows Vista and Windows 7. They automatically scan the file names, attribute information and file contents of given categories when the computer is idle. By default these index locations include the desktop, favorites, the start menu, the system directory, and directories added to Libraries in Windows 7 (under Windows Vista, the user folders such as documents, pictures, music and videos). These processes can also be used to carry out backdoor activity.
Use Wireshark to analyze the backdoor software
The backdoor program communicates over TCP. When the backdoor implanted on the Windows host connects back, the host and the virtual machine first complete a full three-way handshake.
Use VirusTotal to analyze the malware
Upload the program to VirusTotal to get detailed information, including its size, MD5, SHA-1 and SHA-256 values, and the packer type.
Use PEiD to analyze the malware
PEiD (PE Identifier) is a well-known packer detection tool. It is powerful and can detect almost all packers; it recognizes more than 470 kinds of PE file packer types and signatures.
Scanning mode:
Use PE Explorer to analyze the malware
PE Explorer is a very powerful visual tool with Chinese localization. It can directly browse and modify software resources, including menus, dialog boxes, string tables and so on. In addition, it has the disassembly capability of W32DASM and the PE file header editing function of PEditor, which makes it easier to analyze the code and repair damaged resources. It can handle PE format files such as EXE, DLL, DRV, BPL, DPL, SYS, CPL, OCX, SCR and other 32-bit executable programs. The software supports plug-ins, so its functions can be extended by adding them; the original vendor bundled a UPX unpacking plug-in, a scanner and a disassembler with the tool.
Use the import function to view the dynamic link libraries referenced by the file:
KERNEL32.dll controls the system's memory management, data input/output operations and interrupt handling.
msvcrt.dll is the function library for software compiled with Microsoft compilers. The backdoor program uses KERNEL32.dll; calls to KERNEL32.dll should be treated with caution.
Analysis with SysTracer
step1: Download and install SysTracer
step2: Click "Take snapshot" and store the snapshot.
- Snapshot 1: backdoor program not yet implanted
- Snapshot 2: backdoor implanted
- Snapshot 3: run the backdoor program and connect back to Kali
- Snapshot 4: execute the dir command
step3: Compare snapshots
Comparing Snapshot 1 with Snapshot 2, you can see that the backdoor file 20175330.exe has been added.
Comparing Snapshot 2 and Snapshot 3, 20175330.exe appears in the list of running processes after the backdoor starts.
The backdoor program also adds many more DLL files.
Comparing Snapshot 3 and Snapshot 4, it is found that content under the HKEY_LOCAL_MACHINE root key has been modified.
Problems encountered in the experiment
Experimental gains and thoughts
This experiment is not difficult to operate; the main difficulty lies in the analysis of the backdoor program. The focus of this experiment is on analyzing the program's running results and event logs. I did not know what to do at first and read a lot about the backdoor. After a classmate's blog gave me a general direction, overall it was still very rewarding.
Questions and answers
(1) If you suspect malicious code on a host at work but it is only a guess, and you want to monitor what the system does every day, design which operations you want to monitor and which methods you would use to monitor them.
- Upload the suspected program to VirusTotal
- Check whether the program is packed with PEiD
- Check with PE Explorer whether the program references dynamic link libraries associated with backdoors
- Check with Wireshark whether information is transmitted over suspicious ports or to suspicious destinations
- Take snapshots with the SysTracer tool
(2) If you have determined that a program or process has a problem, what tools can you use to get further information about it?
Use the SysTracer tool to view the program's modifications to the registry and files.
Monitor related processes through the Process Explorer tool.