2019-2020-2 network countermeasure technology 20175211 Exp4 malicious code analysis

Practice content

System operation monitoring

Monitoring system using schtasks command

The -b option of netstat shows the executable that created each connection or listening port, but it fails if the command is not run with sufficient privileges. The -n option shows addresses and port numbers in numeric form. schtasks is the command-line counterpart of the scheduled tasks used in the previous experiment. Since I will analyse the data in Excel later, the output goes to a file. Write the following into netstat5211.bat:

date /t >> d:\netstat5211.txt
time /t >> d:\netstat5211.txt
netstat -bn >> d:\netstat5211.txt

Then create the task with the command schtasks /create /tn netstat5211 /sc MINUTE /mo 1 /tr "cmd /c d:\netstat5211.bat"

The options are documented in detail in the help (schtasks /?); a brief explanation:

  • /create creates a scheduled task; likewise /query, /end and /delete query, stop and delete one
  • /tn is the task name
  • /sc specifies the schedule type. Valid values are MINUTE, HOURLY, DAILY, WEEKLY, MONTHLY, ONCE, ONSTART, ONLOGON, ONIDLE
  • /mo specifies how often the task runs within its schedule type (here: every 1 minute)
  • /tr is the program or command that the task runs

By rights the scheduled task should now be running the batch script every minute. But when I opened the txt to check, I found a problem:

netstat reports that the privileges are not sufficient. I remembered that -b needs elevated privileges, as mentioned above, which has nothing to do with the permission to create the scheduled task. I then spent ages researching how to elevate privileges or switch users on the command line; there are answers online, but they are all long batch scripts, so let's be practical: open Task Scheduler, where the newly created task can be seen.

In the General tab, tick "Run with highest privileges", then change the program to start in the Actions tab.

Now the data is collected normally. After waiting patiently for a while, delete the scheduled task.

Following a senior schoolmate's blog, import the data into Excel and make a chart for easier analysis.

No strange process was found. SearchUI.exe is Cortana's process; opsrv.exe and svchost.exe turned out, after a search, to be harmless; for the other processes you can see which program they belong to.
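As an added example (not from the original post), here is a PowerShell version of the same collection setup that avoids the Task Scheduler GUI step by passing /rl HIGHEST to schtasks, plus a parser that turns the netstat5211.txt written by the batch file into a per-image, per-remote-address summary CSV for Excel. The log and batch paths and the task name follow the post; the function names and the summary CSV path are my own assumptions.

```powershell
# Added example, not from the original post. Creates the netstat collection task
# with "Run with highest privileges" from the command line, then parses the
# collected file into a summary for Excel. Run from an elevated PowerShell.

$LogFile    = 'd:\netstat5211.txt'          # same paths as the post
$Batch      = 'd:\netstat5211.bat'
$SummaryCsv = 'd:\netstat5211_summary.csv'  # assumed output path

function Register-NetstatTask {
    # The batch file is identical to the post's; /rl HIGHEST is what the GUI
    # checkbox "Run with highest privileges" sets, so netstat -b no longer fails.
    @"
date /t >> $LogFile
time /t >> $LogFile
netstat -bn >> $LogFile
"@ | Set-Content -Path $Batch -Encoding ASCII
    schtasks /create /tn netstat5211 /sc MINUTE /mo 1 /rl HIGHEST /tr "cmd /c $Batch" /f
}

function ConvertFrom-NetstatLog {
    param([string]$Path)
    # netstat -b prints a connection line, then the owning image in brackets on a
    # following line (sometimes after a service/component line such as "RpcSs").
    # Connections that could not be attributed get a plain-text message instead,
    # which is handled here so they are not charged to the next bracketed image.
    $date = $null; $time = $null
    $pending = @()
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s*(\S*)') {
            $pending += [pscustomobject]@{
                Date = $date; Time = $time; Proto = $matches[1]
                Local = $matches[2]; Remote = $matches[3]; State = $matches[4]; Image = $null
            }
        }
        elseif ($line -match '^\s*\[(.+)\]\s*$' -or $line -match 'Can not obtain ownership information') {
            $owner = if ($matches[1]) { $matches[1] } else { '(unknown)' }
            foreach ($p in $pending) { $p.Image = $owner; $p }   # emit attributed rows
            $pending = @()
        }
        elseif ($line -match '^\s*\d{1,2}:\d{2}')               { $time = $line.Trim() }  # time /t
        elseif ($line -match '\d{1,4}[/.-]\d{1,2}[/.-]\d{1,4}') { $date = $line.Trim() }  # date /t, any locale
    }
}

function Get-ConnectionSummary {
    param([string]$Path)
    # Skip loopback, wildcard and listening sockets; count (image, remote) pairs.
    ConvertFrom-NetstatLog -Path $Path |
        Where-Object { $_.Remote -notmatch '^(127\.|0\.0\.0\.0|\[::|\*:)' } |
        Group-Object Image, Remote |
        Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'Image';     e = { $_.Group[0].Image } },
            @{ n = 'Remote';    e = { $_.Group[0].Remote } },
            @{ n = 'FirstSeen'; e = { $_.Group[0].Date + ' ' + $_.Group[0].Time } }
}

Register-NetstatTask
# Let the task collect for a while, then build the CSV that Excel opens directly:
Get-ConnectionSummary -Path $LogFile | Export-Csv -Path $SummaryCsv -NoTypeInformation
```

The summary is sorted by connection count, so a process that keeps re-dialling the same remote address every minute (what a reverse-shell backdoor looks like in this data) rises to the top; the unattributed "(unknown)" rows are the ones worth a second look, since a properly elevated netstat can attribute almost everything.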

Use the sysmon tool to monitor the system

Download the Sysinternals suite. Sysmon is a tool in the suite that can monitor almost all important system operations. It is configured mainly through an XML configuration file. The following is my configuration file; events are filtered by event type and matching rules, and the purpose of each rule is easy to understand from its name.

<Sysmon schemaversion="4.22">
  <!-- schemaversion is the configuration schema version (sysmon -s prints the one
       the binary supports), not the Sysmon binary version; 4.22 is accepted by
       Sysmon 10.42, while a value such as "10.42" is rejected at install time. -->
  <HashAlgorithms>*</HashAlgorithms>
  <EventFiltering>
    <!-- Log all driver loads except if the signature contains Microsoft or Windows -->
    <DriverLoad onmatch="exclude">
      <Signature condition="contains">Microsoft</Signature>
      <Signature condition="contains">Windows</Signature>
    </DriverLoad>

    <!-- Log termination of the Defender engine process -->
    <ProcessTerminate onmatch="include">
      <Image condition="end with">MsMpEng.exe</Image>
    </ProcessTerminate>

    <FileCreateTime onmatch="exclude">
      <Image condition="end with">chrome.exe</Image>
    </FileCreateTime>

    <!-- Log every load of an unsigned image (DLL) -->
    <ImageLoad onmatch="include">
      <Signed condition="is">false</Signed>
    </ImageLoad>

    <!-- Log handles opened to lsass.exe / winlogon.exe; the exclude block
         below takes precedence over the include block -->
    <ProcessAccess onmatch="include">
      <TargetImage condition="end with">lsass.exe</TargetImage>
      <TargetImage condition="end with">winlogon.exe</TargetImage>
    </ProcessAccess>
    <ProcessAccess onmatch="exclude">
      <SourceImage condition="contains">vmware</SourceImage>
    </ProcessAccess>

    <!-- Log all network connections except those from these trusted images -->
    <NetworkConnect onmatch="exclude">
      <Image condition="end with">chrome.exe</Image>
      <Image condition="end with">WeChat.exe</Image>
      <Image condition="end with">svchost.exe</Image>
      <Image condition="contains">vmware</Image>
    </NetworkConnect>

    <!-- Rules inside one include block are ORed: a thread created into any of
         these targets, or by any of these sources, is logged -->
    <CreateRemoteThread onmatch="include">
      <TargetImage condition="end with">explorer.exe</TargetImage>
      <TargetImage condition="end with">svchost.exe</TargetImage>
      <TargetImage condition="end with">winlogon.exe</TargetImage>
      <SourceImage condition="end with">powershell.exe</SourceImage>
      <SourceImage condition="end with">cmd.exe</SourceImage>
    </CreateRemoteThread>

  </EventFiltering>

</Sysmon>

This configuration file still contains a lot of whitelisting: for example chrome and WeChat are excluded from network connection logging as trusted programs, and anything whose image path contains vmware is excluded, because I still have kali open as the attack machine. Note that excluding svchost.exe from NetworkConnect also hides any malicious code that injects into or masquerades as svchost.exe.
Install with the command Sysmon.exe -i ..\5211config.xml

Then the records can be seen in Event Viewer under Applications and Services Logs / Microsoft / Windows / Sysmon / Operational.

Malware analysis

Run the backdoor from Experiment 3; the process creation can be seen in the Sysmon log.

A network connection is detected at the same time.

The source IP/port and destination IP/port are written clearly, and which program initiated the connection can be seen.
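Reading the Sysmon Operational log by hand in Event Viewer (as above) works for one backdoor, but it is easier to query it. As an added example that is not part of the original post, this PowerShell script reads the log with Get-WinEvent, flattens the EventData fields of each event, and joins every NetworkConnect (ID 3) to the ProcessCreate (ID 1) of the same ProcessGuid, so each outbound connection is shown together with the command line and parent process that created the connecting program. The function names and the "user-writable path" heuristic are my own; the log name and event field names are Sysmon's.

```powershell
# Added example, not from the original post. Correlates Sysmon ProcessCreate (1)
# and NetworkConnect (3) events by ProcessGuid. Run from an elevated PowerShell
# on the host where Sysmon was installed with the configuration above.

function ConvertFrom-SysmonEvent {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    # Flatten <EventData><Data Name="...">value</Data> into one object whose
    # property names are the Sysmon field names (Image, ProcessGuid, ...).
    $xml = [xml]$Event.ToXml()
    $o = [ordered]@{ EventId = $Event.Id; TimeCreated = $Event.TimeCreated }
    foreach ($d in $xml.Event.EventData.Data) { $o[$d.Name] = $d.'#text' }
    [pscustomobject]$o
}

function Get-SysmonConnections {
    param([int]$Hours = 1)
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1, 3
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
              ForEach-Object { ConvertFrom-SysmonEvent -Event $_ }

    # Index process creations by ProcessGuid (unique per process instance,
    # unlike the reusable numeric ProcessId).
    $procs = @{}
    foreach ($e in ($events | Where-Object EventId -eq 1)) { $procs[$e.ProcessGuid] = $e }

    foreach ($c in ($events | Where-Object EventId -eq 3)) {
        $p = $procs[$c.ProcessGuid]
        $cmd    = if ($p) { $p.CommandLine } else { '(ProcessCreate outside the time window)' }
        $parent = if ($p) { $p.ParentImage } else { $null }
        [pscustomobject]@{
            Time        = $c.TimeCreated
            Image       = $c.Image
            User        = $c.User
            Initiated   = $c.Initiated          # 'true' = outbound, 'false' = accepted
            Source      = "$($c.SourceIp):$($c.SourcePort)"
            Destination = "$($c.DestinationIp):$($c.DestinationPort)"
            ParentImage = $parent
            CommandLine = $cmd
            # Simple heuristic (my assumption): a dropped backdoor usually runs from a
            # user-writable directory rather than Program Files or System32.
            Suspicious  = [bool]($c.Image -match '\\Users\\|\\Temp\\|\\AppData\\|\\Downloads\\')
        }
    }
}

# Outbound connections of the last two hours, most suspicious first:
Get-SysmonConnections -Hours 2 |
    Where-Object Initiated -eq 'true' |
    Sort-Object Suspicious, Time -Descending |
    Format-Table Time, Image, Destination, ParentImage, Suspicious -AutoSize
```

Because the join is on ProcessGuid rather than ProcessId, a backdoor that exits and is re-launched under a recycled PID is still matched to its own creation event; connections whose ProcessCreate falls outside the chosen window are kept and marked, not dropped.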

When the kali control end calls webcam_snap to use the camera, you can see the driver load record.

But the signature is invalid.
Process Monitor can be used to inspect the process; its filter format seems similar to Sysmon's. Filtering on network connections finds the backdoor program; you can even see the backdoor calling wsock32.dll.

Next, continue in the Win7 virtual machine. After the backdoor connects, Wireshark can capture the TCP packets of the connection, but their payload cannot be understood and no upper-layer protocol is dissected.

Finally, use SysTracer for analysis. SysTracer monitors the system comprehensively by comparing snapshots. I took four snapshots: before starting the backdoor, after starting it, after privilege escalation, and after disconnecting.

Under Applications you can see the trace of the backdoor by comparing the snapshots before and after starting it.

The registry also has new records, but I don't understand what they mean.

After bypassuac and getsystem on the kali side, comparing again shows that the backdoor program has changed.

The explanation is that the initial simple backdoor uploads a second backdoor that can bypass UAC, and a new connection is established to raise privileges. The registry changed a lot, but there is no useful information in it.

Content of report

Answer basic questions

(1) If you suspect there is malicious code on a host at work, but it is only a guess, and you want to monitor what the system does every day: design what operations to monitor and what method to monitor them with.
Answer:

  • The first thing to monitor is the network: use schtasks to set up a periodic netstat task, then filter out suspicious network behaviour. When an attacker operates remotely and establishes a connection, it is recorded.
  • Then monitor processes: for example, if the attacker wants to recruit the machine as a bot for DDoS or cryptomining, it will certainly produce abnormal CPU consumption (although I feel a PC is rarely a target for that).
  • Also monitor file creation and deletion. If the attacker goes further by uploading a small web shell (小马) and then a full-featured one (大马), detecting file creation and deletion can stop the follow-on attack. This can be done with schtasks or SysTracer.
  • Finally, monitor driver loads and hardware access to limit the damage.

(2) If you have determined that a program or process has a problem, what tools do you have to get further information about it?
A: Process Monitor shows clearly the executable, ports, etc. of the process. If a specific exe can be located, it can be submitted to VirusTotal, or studied in depth with IDA decompilation and similar tools.

Practice summary and experience

Honestly, studying how to defend and how to monitor the system is not as interesting. However, we have few opportunities to attack others legally; in practice, these protective measures are what get used more. This experiment can also be regarded as a return to our original intentions, filling in our knowledge.

Origin www.cnblogs.com/20175211lyz/p/12726667.html