20155219 Fu Yingzhuo "Network Attack and Defense" Exp4 Malicious Code Analysis

1. Answers to basic questions

  • If you suspect that there is malicious code on a host at work, but it is only a guess, and you want to monitor what the system is doing every day: design what operations you would monitor and how you would monitor them.

Use the schtasks scheduler that comes with Windows 7 to run netstat periodically and log which processes hold network connections, or install Sysmon to record process creation, network connections, driver loads and similar events into the event log. Both produce records that have to be gone through one by one, which is tedious, so filter the log rather than reading everything. Wireshark can capture traffic for a closer look at any connection; each packet carries plenty of supporting data such as ports and the source IP address. For a suspicious file, PE Explorer shows the header and import table, and online scanners such as VirSCAN produce an analysis report from which the remaining details can be read.

  • If it has been determined that the problem is with a particular program or process, what tools do you have to get further information about it?

Upload the file to an online scanner and read its analysis report; use Wireshark to capture and analyze its traffic; use SysTracer to compare snapshots and see which registry keys and files the process changed; use Sysmon to record the process's activity (process creation, network connections) and inspect the log; and so on. Mastering these tools is what lets you do better at network attack and defence.

Practical content

1. Use the schtasks command to monitor system operation

Create a netstatlog5219.bat file in the root of drive C that appends a timestamp and the current connection table (netstat -bn, which lists each connection together with the executable that owns it) to netstatlog.txt. The content of netstatlog5219.bat is:

date /t >> c:\netstatlog.txt
time /t >> c:\netstatlog.txt
netstat -bn >> c:\netstatlog.txt

2. On the command line, run schtasks /create /TN netstat /sc MINUTE /MO 2 /TR "c:\netstatlog5219.bat" to create a task that records the connection table every two minutes. The /TR path must point at where the .bat file was actually saved. Note that netstat -b needs administrator rights, so the task has to run elevated (add /RL HIGHEST when creating it, or tick "Run with highest privileges" in Task Scheduler).

The txt file is created:

3. Open netstatlog.txt to view the recorded content. The following problem occurred when I first opened it:

It may be that the permissions are not enough; the network recording could not be completed even after the task was set to run as administrator. I looked at the blogs of earlier students and found that they had not really solved this problem either, so I searched online and saw many suggestions:

Right-click the program you need, Properties - Compatibility - Run this program as an administrator.
Setting "Run with highest privileges" only in the scheduled task is useless; the corresponding program must also be set.

That gave the answer.

So it succeeded; here are pictures of the main steps.

Open Task Scheduler and run the netstatlog task.

Right-click, the property lights up as shown in the button, and the problem is finally solved.

The relevant analysis is carried out below. The processes observed making connections include Tencent Security Manager, Youdao Cloud Notes, UC Browser, etc. (some of them are .exe files whose purpose I don't know =_=).
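The netstatlog.txt produced above repeats the same browser and updater connections every two minutes, so the useful question is which (process, remote endpoint) pairs are new in a given snapshot. The parser below is an added example, not code from the original write-up; it assumes the English output format of date /t, time /t and netstat -bn, and the log it is fed is constructed (the process names and addresses are made up).

```python
"""Parse netstatlog.txt (the file the scheduled task appends to) and list,
per snapshot, the (process, remote endpoint) pairs seen for the first time.
Added example, not part of the original write-up. SAMPLE_LOG is a constructed
imitation of what date /t, time /t and netstat -bn print on an English
Windows system; the process names and addresses in it are made up."""
import re
from collections import OrderedDict
from dataclasses import dataclass

DATE_RE = re.compile(r"^\s*(\d{4}/\d{2}/\d{2})")               # output of date /t
TIME_RE = re.compile(r"^\s*(\d{1,2}:\d{2}(?:\s*[AP]M)?)\s*$")   # output of time /t
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
OWNER_RE = re.compile(r"^\s*\[(.+)\]\s*$")                      # [image.exe] line printed by -b

SAMPLE_LOG = """\
2019/04/08 Mon
20:10
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    192.168.1.5:49712      93.184.216.34:443      ESTABLISHED
 [QQPCTray.exe]
  TCP    192.168.1.5:49713      203.0.113.8:443        ESTABLISHED
 [UCBrowser.exe]
  UDP    0.0.0.0:5353           *:*
 [YoudaoNote.exe]
2019/04/08 Mon
20:12
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.5:49712      93.184.216.34:443      ESTABLISHED
 [QQPCTray.exe]
  TCP    192.168.1.5:49731      192.168.1.20:5219      ESTABLISHED
 [backdoor.exe]
"""


@dataclass
class Conn:
    snapshot: str   # "YYYY/MM/DD HH:MM" taken from the date/time lines above the row
    proto: str
    local: str
    remote: str
    state: str      # empty for UDP rows, which netstat prints without a state
    image: str      # empty when netstat could not obtain ownership information


def parse_netstat_log(text):
    """Return one Conn per connection row, tagged with its snapshot time and
    the owning executable that netstat -b prints on the following line(s)."""
    conns, date, time, pending = [], "", "", None
    for line in text.splitlines():
        if m := DATE_RE.match(line):
            date = m.group(1)
        elif m := TIME_RE.match(line):
            time = m.group(1)
        elif m := CONN_RE.match(line):
            proto, local, remote, state = m.groups()
            pending = Conn(f"{date} {time}", proto, local, remote, state or "", "")
            conns.append(pending)
        elif (m := OWNER_RE.match(line)) and pending is not None:
            pending.image = m.group(1)   # component lines such as "RpcSs" are skipped
            pending = None
    return conns


def _is_remote(c):
    """Only non-listening TCP rows to non-loopback peers are interesting."""
    return (c.proto == "TCP" and c.state not in ("", "LISTENING")
            and not c.remote.startswith(("127.", "[::1]")))


def remote_endpoints(conns):
    """Map each image to the sorted set of remote endpoints it talked to."""
    out = {}
    for c in conns:
        if _is_remote(c):
            out.setdefault(c.image or "<unknown>", set()).add(c.remote)
    return {image: sorted(peers) for image, peers in out.items()}


def newcomers_by_snapshot(conns):
    """{snapshot: [(image, remote), ...]} keeping only pairs that did not occur
    in any earlier snapshot. The first snapshot lists everything; later ones
    list only what is new, which is the part worth reading in a long log."""
    first_seen = OrderedDict()
    for c in conns:
        if _is_remote(c):
            first_seen.setdefault((c.image, c.remote), c.snapshot)
    by_snapshot = OrderedDict()
    for pair, snapshot in first_seen.items():
        by_snapshot.setdefault(snapshot, []).append(pair)
    return by_snapshot


if __name__ == "__main__":
    for snapshot, pairs in newcomers_by_snapshot(parse_netstat_log(SAMPLE_LOG)).items():
        print(snapshot)
        for image, remote in pairs:
            print(f"  new: {image:<16} -> {remote}")
```

On the constructed log the second snapshot reports only backdoor.exe talking to port 5219; the Tencent and UC Browser connections were already present in the first snapshot and are not repeated. Feed it the real netstatlog.txt with open(...).read() in place of SAMPLE_LOG.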

2. Install and configure Sysmon from Sysinternals, write a reasonable configuration file, and monitor the key suspicious behaviour on your own host.

First download Sysmon (the version used here is Sysmon v7.01).

The first thing to do is to configure the software. A few notes: to record every network connection it is enough to write an empty exclude rule, <NetworkConnect onmatch="exclude"/>; if no NetworkConnect rule is written at all, network connections are not recorded. Usually the rule is written like the one below, which filters some events out. exclude works as a whitelist: whatever matches is not recorded and everything else is. include works as a blacklist: only what matches is recorded. For an ordinary computer user the whitelist form is safer, because everything that is not explicitly known gets recorded.

The configuration XML used:

<Sysmon schemaversion="4.00">
  <!-- Capture all hashes -->
  <HashAlgorithms>*</HashAlgorithms>
  <EventFiltering>
    <!-- Log all drivers except if the signature -->
    <!-- contains Microsoft or Windows -->
    <DriverLoad onmatch="exclude">
      <Signature condition="contains">microsoft</Signature>
      <Signature condition="contains">windows</Signature>
    </DriverLoad>

    <!-- Network connections, monitoring whitelist: matching events are NOT
         logged, everything else is. Note that Internet Explorer's binary is
         iexplore.exe, so the "iexplorer.exe" entry matches nothing and IE
         traffic is still recorded. -->
    <NetworkConnect onmatch="exclude">
      <Image condition="end with">vmware.exe</Image>
      <Image condition="end with">iexplorer.exe</Image>
      <Image condition="end with">WeChat.exe</Image>
      <SourcePort condition="is">137</SourcePort>
      <SourceIp condition="is">127.0.0.1</SourceIp>
    </NetworkConnect>

    <!-- Remote thread creation, monitoring blacklist: ONLY matching events
         are logged (injection into these system processes, or from PowerShell) -->
    <CreateRemoteThread onmatch="include">
      <TargetImage condition="end with">explorer.exe</TargetImage>
      <TargetImage condition="end with">svchost.exe</TargetImage>
      <TargetImage condition="end with">winlogon.exe</TargetImage>
      <SourceImage condition="end with">powershell.exe</SourceImage>
    </CreateRemoteThread>
  </EventFiltering>
</Sysmon>


After installation, check that Sysmon is running.

As shown, it is already running.
Open Event Viewer (Applications and Services Logs > Microsoft > Windows > Sysmon > Operational), as shown below:

After doing some activity, I checked Sysmon's records and found the following.
This is what is shown when I use the IE browser:

This is what is shown when I use Wireshark:

Then use Kali to connect to the backdoor.

Sysmon immediately captures the backdoor's activity.

Then use the filter function; otherwise it is hard to pick out what you want from 2000+ events, as shown below:

We can clearly see how the backdoor program sneaks into the computer step by step.

First comes the network connection (Event ID 3), followed by process creation (Event ID 1), after which the Kali side can operate on the local machine.

When the operation is finished and the session is exited on the Kali side, the process termination (Event ID 5) also appears in Event Viewer.

This completes a full round of monitoring.
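The chain just described (outbound connection, then a child process spawned by the connecting image, then its termination) can be reconstructed automatically from the Sysmon events instead of by clicking through Event Viewer. The script below is an added example, not code from the original write-up: it parses events in the Windows event XML layout that Event Viewer's XML view (or Get-WinEvent's ToXml()) produces and correlates Event IDs 3, 1 and 5. The four events it is fed are constructed; the paths, PIDs, addresses and timestamps are made up.

```python
"""Parse Sysmon events (Windows event XML) and reconstruct a backdoor's chain:
outbound network connection (Event ID 3), child process creation (Event ID 1)
and process termination (Event ID 5). Added example, not part of the original
write-up. The events below are constructed in the real Sysmon XML layout; the
paths, PIDs, addresses and timestamps are made up."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

EVENT_TEMPLATE = """\
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon" Guid="{{5770385F-C22A-43E0-BF4C-06F5698FFBD9}}"/>
    <EventID>{event_id}</EventID>
    <TimeCreated SystemTime="{time}"/>
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
  </System>
  <EventData>
{data}
  </EventData>
</Event>"""


def make_event(event_id, time, **fields):
    """Build a constructed Sysmon event in the real XML layout (test fixture)."""
    data = "\n".join(f'    <Data Name="{k}">{escape(v)}</Data>' for k, v in fields.items())
    return EVENT_TEMPLATE.format(event_id=event_id, time=time, data=data)


BACKDOOR = r"C:\Users\user\ncat\backdoor.exe"   # assumed path, constructed
SAMPLE_EVENTS = [
    make_event(3, "2019-04-08T12:14:50.000Z", Image=r"C:\Program Files\Internet Explorer\iexplore.exe",
               Protocol="tcp", Initiated="true", SourceIp="192.168.1.5",
               DestinationIp="93.184.216.34", DestinationPort="443"),
    make_event(3, "2019-04-08T12:15:02.000Z", Image=BACKDOOR, Protocol="tcp", Initiated="true",
               SourceIp="192.168.1.5", DestinationIp="192.168.1.20", DestinationPort="5219"),
    make_event(1, "2019-04-08T12:15:30.000Z", Image=r"C:\Windows\System32\cmd.exe", CommandLine="cmd.exe",
               ProcessId="4120", ParentProcessId="3988", ParentImage=BACKDOOR),
    make_event(5, "2019-04-08T12:20:11.000Z", Image=BACKDOOR, ProcessId="3988"),
]


def parse_event(xml_text):
    """Flatten one event into a dict: EventID, Time plus every <Data Name=...>."""
    root = ET.fromstring(xml_text)
    ev = {"EventID": int(root.find("e:System/e:EventID", NS).text),
          "Time": root.find("e:System/e:TimeCreated", NS).get("SystemTime")}
    for d in root.findall("e:EventData/e:Data", NS):
        ev[d.get("Name")] = d.text or ""
    return ev


def parse_events(xml_texts):
    return sorted((parse_event(x) for x in xml_texts), key=lambda e: e["Time"])


def filter_by_image(events, suffix):
    """The Event Viewer 'filter' step: keep events whose Image ends with suffix."""
    suffix = suffix.lower()
    return [e for e in events if e.get("Image", "").lower().endswith(suffix)]


def outbound_chains(events):
    """For every outbound connection, collect what the connecting image spawned
    afterwards (ID 1 with ParentImage == Image) and whether it later exited (ID 5)."""
    chains = []
    for e in events:
        if e["EventID"] != 3 or e.get("Initiated") != "true":
            continue
        children = [(c["Image"], c.get("CommandLine", "")) for c in events
                    if c["EventID"] == 1 and c["Time"] >= e["Time"]
                    and c.get("ParentImage") == e["Image"]]
        terminated = any(t["EventID"] == 5 and t["Image"] == e["Image"] and t["Time"] >= e["Time"]
                         for t in events)
        chains.append({"image": e["Image"],
                       "remote": f'{e["DestinationIp"]}:{e["DestinationPort"]}',
                       "port": e["DestinationPort"],
                       "children": children, "terminated": terminated})
    return chains


def flag_suspicious(chains, allowed_ports=("80", "443"), shells=("cmd.exe", "powershell.exe")):
    """Flag a chain when the process spawned a shell, or dialled out on a port
    that is not ordinary web traffic. A real rule set would also whitelist
    known images, as the exclude rules in the Sysmon config do."""
    flagged = []
    for ch in chains:
        spawned_shell = any(img.lower().endswith(shells) for img, _ in ch["children"])
        if spawned_shell or ch["port"] not in allowed_ports:
            flagged.append(ch)
    return flagged


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for ch in flag_suspicious(outbound_chains(events)):
        print(f'{ch["image"]} -> {ch["remote"]}; spawned {ch["children"]}; exited: {ch["terminated"]}')
```

On the constructed events the IE connection to port 443 is left alone, while backdoor.exe is flagged because it connected to port 5219 and then spawned cmd.exe, which is exactly the sequence seen in Event Viewer above. To run it on real data, export the Sysmon/Operational log as XML and pass each <Event> element to parse_event.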

3. Use the SysTracer tool to analyze malware

1. Use SysTracer to take the following five snapshots:

  • Snapshot #1: at the start, take a snapshot of the target host;
  • Snapshot #2: generate the backdoor in the virtual machine and transfer the file to the target host, then take a snapshot;
  • Snapshot #3: with the virtual machine listening, run the backdoor program on the target host, then take a snapshot;
  • Snapshot #4: after the virtual machine takes a screenshot of the target host, take a snapshot on the target host;
  • Snapshot #5: after the virtual machine captures the target host's camera, take a snapshot on the target host.

2. Comparison and analysis of the snapshots:

(1) Snapshot 1 vs Snapshot 2:

The backdoor.exe we transferred has appeared in the ncat folder:

Network activity during the transfer can also be seen.

(2) Snapshot 2 vs Snapshot 3:

After the backdoor connected back successfully, I found that some registry keys had been added.

(3) Snapshot 3 vs Snapshot 4:

The registry information has changed.

(4) Snapshot 4 vs Snapshot 5:

After the virtual machine captured the target host's camera, the snapshot shows that the transferred program made network connections.

4. Use Wireshark to analyze the transfer of the malicious code file

1. Send the malicious code to the target host from the virtual machine and capture the packets with Wireshark. We captured the TCP three-way handshake between the virtual machine and the host.

2. After the connection is established, look at the packet content. This packet was sent from the virtual machine to the host, to port 5219, over IPv4.

3. At the same time, Wireshark also captured connections between my virtual machine and other IP addresses.

5. Use VirSCAN to analyze the malware

1. The backdoor program generated earlier was analyzed on the virus scanning website:

(1) 21 of 39 anti-virus engines detected this malicious code.

(2) From the figure below, the file is packed with UPolyX v0.5 (reported as PACKER: UPolyX v0.5).

(3) The report states that this sample can establish a connection to a specified socket and can delete registry keys and registry values.

6. Use PE Explorer to analyze the malware

1. Opening the executable in PE Explorer shows a compile time of July 7, 2009 00:09:45 and linker version 6.0. Both are plain fields in the PE header that the file's author or a packer can set freely, so treat them as hints rather than evidence.

2. The DLLs in the file's import table:

(1) ADVAPI32.dll: registry and service control APIs (consistent with the registry changes seen in the SysTracer snapshots)

(2) WSOCK32.dll and WS2_32.dll: Winsock, used to create sockets
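The compile time and linker version shown by PE Explorer come from the COFF and optional headers, and the DLL names from the import table. The script below is an added example, not code from the original write-up or from PE Explorer: it reads those header fields directly, rewrites the timestamp to show how little it proves, and does the quick string scan for .dll names that a first triage uses. It runs on a constructed minimal PE image (valid DOS and PE headers, no sections) with the timestamp and linker version from the text; the DLL names are appended as raw strings rather than a real import directory, which would need section-table RVA translation to walk.

```python
"""Read the header fields PE Explorer displays (compile timestamp, linker
version, machine type) straight from the PE headers, and show that they are
plain header bytes that can be rewritten at will. Added example, not part of
the original write-up. SAMPLE_PE is a constructed minimal PE image (valid DOS
and PE headers, no sections); the DLL names appended to it imitate what a
string scan of the import area would find."""
import re
import struct
from datetime import datetime, timezone

PE_OFFSET = 0x80   # where this constructed file places the PE signature


def build_sample_pe(compile_time, linker=(6, 0)):
    """Constructed fixture: DOS header -> PE signature -> COFF header ->
    PE32 optional header (zero-filled apart from the fields we read)."""
    dos = bytearray(PE_OFFSET)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, PE_OFFSET)                   # e_lfanew
    timestamp = int(compile_time.timestamp())
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 0, timestamp, 0, 0, 224, 0x0102)
    # Magic (PE32), MajorLinkerVersion, MinorLinkerVersion, then padding
    optional = struct.pack("<HBB", 0x010B, *linker) + bytes(224 - 4)
    dll_names = b"\0".join([b"ADVAPI32.dll", b"WSOCK32.dll", b"WS2_32.dll", b""])
    return bytes(dos) + b"PE\0\0" + coff + optional + dll_names


SAMPLE_PE = build_sample_pe(datetime(2009, 7, 7, 0, 9, 45, tzinfo=timezone.utc))


def parse_pe_header(data):
    """Return the header fields a PE viewer shows, parsed from the raw bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    machine, nsections, timestamp, _, _, opt_size, characteristics = \
        struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    magic, major, minor = struct.unpack_from("<HBB", data, e_lfanew + 24)
    return {
        "machine": machine,                      # 0x14C = i386
        "sections": nsections,
        "timestamp": timestamp,
        "compile_time": datetime.fromtimestamp(timestamp, timezone.utc),
        "linker": f"{major}.{minor}",
        "pe32plus": magic == 0x020B,
        "executable": bool(characteristics & 0x0002),
    }


def set_timestamp(data, timestamp):
    """Overwrite TimeDateStamp in place: the 'compile time' is untrusted input."""
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    patched = bytearray(data)
    struct.pack_into("<I", patched, e_lfanew + 8, timestamp)   # after signature, Machine, NumberOfSections
    return bytes(patched)


DLL_RE = re.compile(rb"[A-Za-z0-9_\-]+\.dll", re.IGNORECASE)


def find_dll_names(data):
    """Quick triage equivalent of 'strings | grep -i dll'. Walking the real
    import directory needs RVA-to-offset translation via the section table
    (what PE Explorer does); this only spots the names."""
    return sorted({m.decode("ascii") for m in DLL_RE.findall(data)})


if __name__ == "__main__":
    hdr = parse_pe_header(SAMPLE_PE)
    print(hdr["compile_time"], "linker", hdr["linker"], find_dll_names(SAMPLE_PE))
    print(parse_pe_header(set_timestamp(SAMPLE_PE, 0))["compile_time"])
```

Patching four bytes moves the "compile time" to 1970 without changing anything else in the file, which is why the timestamp is only a weak clue when classifying a sample; the import names, by contrast, have to be present for the loader to resolve the Winsock and registry functions the backdoor needs.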

Experiment summary and experience

In this experiment I monitored my own host and found that some malicious code is not detected by anti-virus software, and that some programs really are quietly doing things on the computer, even making connections when they have not been opened. We can no longer rely on anti-virus software alone; what we have learned is only the surface, and there are too many lurkers we don't know about. We should improve our awareness of prevention and use the software the teacher provided for real-time monitoring, which will certainly be of great benefit in future study and work. In the end, it all comes down to you...


Origin http://43.154.161.224:23101/article/api/json?id=324518219&siteId=291194637