1. According to the intelligence, first judge what type of event needs to be emergency.
Common event types:
- massive fall
- type of situation
- content of the situation
- mining virus
- ransomware
- No document landing
- Undead (Stubborn) Horse
- fishing
- data hijacking
2. Keep the first scene
The first field contains:
- first discoverer
- first intelligence
- Fallen subject, group
- subject, group behavior
- Fallen environment
Three, blocking
The so-called blocking has only three steps:
- Close station;
- off service;
- Unplug the network cable (the network card is disabled).
4. Trace Analysis
Analyze three major pieces: logs, traffic, and samples.
- The log mainly pays attention to: time, action, and result; when does this action start and when does it end, this action is login, exit, modification, etc., and the result is login success, failure, uploading, downloading files, and executing code wait.
- The main points of traffic flow are: status code, interaction process, and data rationality; the status code of each interaction, whether the interaction process conforms to the correct interaction process of the protocol, whether the filling of each field, and the rendering of each traffic flow are normal.
- The main attention of the sample is: startup method, camouflage method, and function; choose sandbox or analysis tool according to startup method; camouflage method to judge whether to pack for anti-killing and opening method; judge damage range according to function.
1. Basic system information
Focus:
- Whether there are illegal accounts in the system;
- Whether there is an exception service program in the system;
- Whether some files in the system have been tampered with, or new files have been found;
- Abnormal logins in the system security log;
- Whether there is any record of unauthorized access to the management page in the website log;
- View Trojan horse activity information based on programs associated with information such as processes and connections;
- If the system commands (such as netstat ls, etc.) are replaced, for further investigation, you need to download a new one or copy the new command from other uninfected hosts;
- If you find a suspicious executable Trojan file, don’t rush to delete it, but pack a backup copy first;
- Find suspicious Trojan horse files, and use text tools to analyze their contents, including link-back IP addresses, encryption methods, keywords (in order to expand the file feature extraction of the entire directory), etc.
2. Troubleshoot abnormal connections
Windows
|
Troubleshoot abnormal connections
|
Order
|
|
View current network connections,
Locate Suspicious ESTABLISHED Processes
|
netstat -ano | findstr ESTABLISHED
|
|
View the PID corresponding to the port
|
netstat -ano | findstr <PORT>
|
|
View executables involved in connections or listening ports
(requires administrator privileges)
|
netstat -nb
|
eg: View the executable program involved in the connection or listening port (requires administrator privileges)
Linux
|
Troubleshoot abnormal connections
|
Order
|
|
List all processes with open network sockets
|
lsof -i
lsof -i | grep -E "LISTEN|ESTABLISHED
|
|
Display all open ports and connection status
|
netstat -anptul
netstat -ano
|
eg: Display all open ports and connection status
3. Troubleshoot abnormal processes
Windows
|
Troubleshoot abnormal processes
|
Order
|
|
View all processes (task manager)
|
taskmgr
|
|
View all processes running on a local or remote computer
|
tasklist
tasklist | findstr <KEY_WORDS>
|
|
View the complete command of the process
|
wmic process | findstr "cmd.exe"
|
|
View process details
|
msinfo32/Software Environment/Running Tasks
|
|
close process
|
wmic process where processid=<PID> delete
|
eg:
view all processes (task manager)
Linux
|
Troubleshoot abnormal processes
|
Order
|
|
Find process PID
|
netstat -anptl
lsof -i:<PID>
|
|
Find files by PID
|
cd /proc/<PID>
ls -ail
ls -ail | grep exe
|
|
View the system resources occupied by each process
|
top
bpytop
|
|
View current process information
|
ps to
|
|
Realize the precise search of a process
|
ps -ef | grep <KEY_WORDS>
|
|
end process
|
kill -9 <PID>
|
|
view process tree
|
pstree -p
|
|
search keywords
|
find / -name <KEY_WORDS>
|
eg:查看各进程占用的系统资源
4、异常账号排查
Windows
|
排查异常账号
|
命令
|
|
查看当前的账户和用户组
|
lusrmgr.msc
|
|
查看当前账户情况
|
net user
net user aa$
|
|
查看当前组的情况
|
net localgroup administrators
|
|
查看当前系统会话
* 是否有人使用远程终端登陆服务器
|
query user
|
|
踢掉用户
|
logoff <USERID>
|
eg:
查看当前的账户和用户组
Linux
|
排查异常账号
|
命令
|
|
查看当前系统正在登陆账户的信息
|
w
|
|
查看当前登陆用户
(tty 本地登陆,pts 远程登录)
|
who
|
| 查看账号情况 |
cat /etc/passwd
cat /etc/shadow
|
|
查看所有账户最后一次登陆时间
|
lastlog
|
|
查看用户登陆错误的记录
(检查暴力破解)
|
last
lastb
|
|
查看登陆多久,多少用户,负载
|
uptime
|
eg:查看当前系统正在登陆账户的信息
5、异常文件分析
Windows
|
分析异常文件
|
命令 |
|
查看文件时间
|
右键查看文件属性,查看文件时间
|
|
查看某个用户相关文件
|
%UserProfile%\Recent
|
根据文件夹内文件列表时间进行排序,查找可疑文件。当然也可以搜索指定日期范围的文件及查看文件时间,创建时间、修改时间、访问时间,黑客通过菜刀类工具改变的是修改时间。所以如果修改时间在创建时间之前明显是可疑文件。
Linux
|
分析异常文件
|
命令
|
|
分析文件日期
|
stat <FILE_PATH>
|
|
查看最近24 小时内修改过的文件
|
find ./ -mtime 0
find ./ -mtime 1
find ./ -mtime 0 -o -mtime 1 -o -mtime 2
find ./ -mtime 0 -name "*.php"
|
|
按照时间顺序查找敏感目录文件
|
ls –alht /tmp/
|
|
查找特殊权限文件
|
find / *.jsp -perm 777
find / -perm 777
find / *.sh -perm 777
|
|
查找隐藏的文件
|
ls -ar | grep "^\."
|
|
查看拥有不可修改权限的文件
(不可修改,不能删除,只能追加)
|
lsattr <FILENAME>
|
|
查看SSH 公钥
|
ls -alh ~/.ssh
|
eg:查找隐藏的文件
五、清除日志
|
情况
|
做法
|
|
常态
|
* 全盘重装
* 数据迁移、系统盘重装
* 杀进程、删文件、清除账号等
|
|
攻防演习
(对抗)
|
* 存在不死马、内存马、顽固马、APT 等威胁
* 修复漏洞、打补丁
* 恢复生产,保障业务正常
* 取证、溯源
|
六、总结报告
分析事件原因
- 攻击来源:IP 等信息
- 攻击行为分析:方式(攻击手法与漏洞利用)、路径(攻击途径)等信息。
输出应急报告
- 时间
- 报告人
- 项目
- 应急前症状
- 应急措施
- 领导确认签字
- ...