1. Handling Windows hidden accounts
Environment: a Windows Server 2012 virtual machine.
1. Create the user from the command line
1. Open an elevated command prompt (cmd, run as administrator) and create a user named test$:
net user test$ 123456 /add
net localgroup administrators test$ /add
This creates the test$ account and adds it to the local Administrators group. The trailing $ is what keeps the name out of the net user listing.
2. Observe the test$ user
1. Open Computer Management (right-click the Windows logo) and look under Local Users and Groups.
The test$ user is listed there.
2. List the users from the command line:
net user
test$ is not shown: net user suppresses account names that end in $.
3. Export the registry entries of test$ and Administrator
1. Open the registry editor from the command line:
regedit
2. Take permissions on the SAM key
By default not even administrators can read HKEY_LOCAL_MACHINE\SAM\SAM. Right-click the SAM key, choose Permissions, grant Administrators full control, then press F5 to refresh so the subkeys become visible.
3. Export the test$ name key
Export the following key as test.reg:
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\test$
The type of this key's default value is the account's RID, here 0x3EA. A new local account simply receives the next free RID (local accounts start at 0x3E8 = 1000), so the value will differ from host to host.
4. Export the RID key of test$
Export HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000003EA (the key named after the RID found above) as uid.reg.
5. Export the RID key of Administrator
On Windows the built-in Administrator account always has RID 500, i.e. 0x1F4, so export HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F4 as admin_id.reg.
4. Modify the exported registry files
1. Copy the F value from admin_id.reg into uid.reg
Open admin_id.reg in a text editor and copy the data of its "F"=hex: entry.
Open uid.reg, replace the data of its own "F" entry with the copied bytes, and save the file.
The F value holds, among other things, the account's RID and account flags, so after this swap the test$ key carries the Administrator's RID 0x1F4 (a so-called cloned or shadow account).
5. Delete the test$ user and import the registry files
1. Delete the test$ user:
net user test$ /del
2. Import the two files from the desktop: double-click test.reg, then uid.reg (or use File > Import in regedit). This recreates the Names\test$ key and the 000003EA key, the latter now with the Administrator's F value.
6. View the hidden account
1. Computer Management no longer lists test$ under Local Users and Groups, and net user never did.
2. Change the local policy so that an arbitrary user name can be typed at the logon screen. At the command prompt enter:
gpedit.msc
Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options, enable "Interactive logon: Do not display last user name" and confirm.
Log off the Administrator user.
Log in as test$ with the password 123456: the logon succeeds.
In Task Manager, the Users tab shows the logged-on sessions.
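The lab shows how such an account is created but not how to find one. The following Python script is an added example, not part of the original lab. It performs the two checks a responder makes against the SAM hive offline: it compares the Users\Names keys with an independently obtained account list (net user hides $ names, and Local Users and Groups hid the cloned account), and it parses the RID stored inside each user key's F value (a little-endian DWORD at offset 0x30) and compares it with the RID encoded in the key name. The function names, the 0x50-byte F blobs and the sample SAM contents are constructed for the example; a real F value carries timestamps and flags as well.

```python
"""Offline checks for a cloned ("shadow") local account in SAM data.

Added example, not part of the lab. It works on values copied out of
HKLM\\SAM\\SAM\\Domains\\Account\\Users (read as SYSTEM or from an offline
hive); all SAM contents below are constructed sample data.
"""
import struct

RID_OFFSET = 0x30      # the RID is a little-endian DWORD at this offset in F
ADMIN_RID = 0x1F4      # the built-in Administrator is always RID 500
F_SIZE = 0x50          # typical size of a user F value


def make_f_value(rid: int) -> bytes:
    """Build a constructed F blob with only the RID filled in (sample data)."""
    f = bytearray(F_SIZE)
    struct.pack_into("<I", f, RID_OFFSET, rid)
    return bytes(f)


def rid_from_f(f_value: bytes) -> int:
    """Return the RID stored inside a user key's F value."""
    if len(f_value) < RID_OFFSET + 4:
        raise ValueError("F value too short to contain a RID")
    return struct.unpack_from("<I", f_value, RID_OFFSET)[0]


def find_hidden_accounts(names, users, visible):
    """
    names:   {account name: RID} taken from Users\\Names\\<name>; the RID is
             the *type* of each key's default value (0x3EA for test$ in the lab)
    users:   {key name such as '000003EA': F value bytes} from Users\\<RID>
    visible: account names from a normal enumeration (Local Users and Groups,
             Get-LocalUser); net user is not suitable because it hides $ names
    Returns a list of (name, rid, reason) findings.
    """
    findings = []
    visible_lc = {v.lower() for v in visible}
    for name, rid in names.items():
        key = f"{rid:08X}"
        if name.lower() not in visible_lc:
            findings.append((name, rid, "present in SAM Names but missing from the account list"))
        f_value = users.get(key)
        if f_value is None:
            findings.append((name, rid, f"no Users\\{key} key for this name"))
            continue
        f_rid = rid_from_f(f_value)
        if f_rid != rid:
            source = "Administrator" if f_rid == ADMIN_RID else f"RID 0x{f_rid:X}"
            findings.append((name, rid, f"F value carries RID 0x{f_rid:X}: cloned from {source}"))
    return findings


# Constructed sample: the state of the lab machine after the clone and re-import.
SAMPLE_NAMES = {"Administrator": ADMIN_RID, "Guest": 0x1F5, "test$": 0x3EA}
SAMPLE_USERS = {
    "000001F4": make_f_value(ADMIN_RID),
    "000001F5": make_f_value(0x1F5),
    "000003EA": make_f_value(ADMIN_RID),   # F copied from admin_id.reg into uid.reg
}
SAMPLE_VISIBLE = ["Administrator", "Guest"]    # what Local Users and Groups now shows

if __name__ == "__main__":
    for name, rid, reason in find_hidden_accounts(SAMPLE_NAMES, SAMPLE_USERS, SAMPLE_VISIBLE):
        print(f"{name} (RID 0x{rid:X}): {reason}")
```

On a live system the SAM keys can only be read as SYSTEM (regedit started through psexec -s, or after granting Administrators permissions on the SAM key as the lab does) or from an offline copy of the hive. Removing the account then means deleting the Names\test$ key and its RID key under Users.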
2. Handling browser hijacking incidents
Principle: a driver-level (rootkit) virus hides from ordinary tools, so find it with driver-level tools, remove it, and restore the system.
1. Observe the hijacking
1. Open Google Chrome: the home page loads from the domain hp1.dhwz444.top and then quickly redirects to hao123.com.
2. Open Internet Explorer: its home page is hijacked as well.
2. Try to restore the home page by hand
Open the IE settings, select Internet Options, set the home page to "Use new tab", click OK and close IE.
Open IE again: the home page is still hijacked, so something on the system keeps resetting it.
3. Check the system drivers
1. Use Autoruns from the Microsoft Sysinternals suite
Open the tools folder on the desktop and run autoruns64.exe.
Accept the license agreement.
Autoruns lists every autostart entry on the system. Focus on entries highlighted in red or yellow and on entries whose signature does not verify.
As shown in the figure, the two entries in the red box display the signer "(Not verified) Microsoft Corporation": the files claim to be Microsoft's, but they carry no valid Microsoft signature.
Try to delete these two entries.
Refresh after deleting: both entries are still there.
Delete them again: Autoruns reports them as marked for deletion.
4. Restart the computer to see whether the two driver-level services can be removed that way.
Open Autoruns again: both services are still present. It is safe to assume that these two services are "abnormal", since a legitimate entry would not survive deletion.
5. Try to delete the files
Right-click an entry and select Jump to Image to open the file's folder.
The file is not visible in Explorer.
Enable the display of hidden files and system files in Windows: open Folder Options, View tab, and set the options as shown in the figure.
The folder still appears empty.
At this point it can be concluded that the driver service is a malicious program that hooks system APIs to hide its own file (rootkit behaviour), which is why Explorer and Autoruns cannot remove it.
6. Use the driver-level tool PCHunter to fight back
Open the PCHunter tool on the desktop.
Check the driver module list.
In PCHunter's driver module view the two drivers show up with their file information only; PCHunter does not take the claimed signature at face value.
Note the path of the two files, C:\Users\Administrator\AppData\Local\Microsoft\WindowsApps\ (a user-writable profile directory, which is itself unusual for a driver).
Use PCHunter's file browser to navigate to this path.
Delete the files.
A plain delete has no effect. Select each file, right-click, choose "prevent file regeneration after deletion", then force delete the file and force delete the directory.
Reboot the system again. Open IE or Chrome: the home page is back to normal.
So far we have removed the driver the virus dropped and its startup files.
Next, clean up the registry entries. Because the files are gone, the virus can no longer protect its registry keys, so they can be deleted directly.
Open Autoruns and delete the related registry entries.
Delete the other one in the same way.
This case is complete.
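Autoruns can also write the same listing from the command line, which makes the "claims Microsoft but not verified" pattern from step 3 scriptable. The Python script below is an added example, not part of the lab. It assumes a CSV produced by autorunsc (autorunsc -a * -c -s, where -s makes Autoruns verify signatures and fill the Signer column); the header and rows here are constructed to that layout and the driver names are placeholders, not the names from the case. It flags entries whose Signer starts with "(Not verified)", entries whose image file Autoruns could not find (which is also what a rootkit hiding its file looks like), and drivers or services whose image lives in a user-writable directory such as the WindowsApps folder used in this case.

```python
"""Flag suspicious autostart entries in an Autoruns CSV export.

Added example, not part of the lab. Expects the CSV written by
autorunsc.exe -a * -c -s (-s makes Autoruns verify signatures, which fills the
Signer column); the header and rows below are constructed to that layout and
the driver names are placeholders.
"""
import csv
import io
import re

# Directories a driver or service image should not normally live in.
USER_WRITABLE = re.compile(r"\\(users|appdata|programdata|temp)\\", re.I)
NOT_VERIFIED = "(Not verified)"


def triage_autoruns(csv_text: str) -> list:
    """Return one finding per suspicious entry with the reasons it was flagged."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        signer = (row.get("Signer") or "").strip()
        image = (row.get("Image Path") or "").strip()
        category = (row.get("Category") or "").strip()
        reasons = []
        if signer.startswith(NOT_VERIFIED):
            claimed = signer[len(NOT_VERIFIED):].strip()
            reasons.append(f"signature does not verify, claims '{claimed}'")
        elif not signer:
            reasons.append("unsigned")
        if image.lower().startswith("file not found"):
            # Autoruns writes this when the image is absent; a rootkit hiding
            # its own file (as in the lab) produces the same symptom.
            reasons.append("image file missing or hidden on disk")
        if category in ("Drivers", "Services") and USER_WRITABLE.search(image):
            reasons.append("driver/service image in a user-writable directory")
        if reasons:
            findings.append({
                "entry": row.get("Entry", ""),
                "location": row.get("Entry Location", ""),
                "image": image,
                "reasons": reasons,
            })
    return findings


# Constructed export: one clean driver, two rogue drivers like the ones in the
# lab (placeholder names), and a verified per-user logon entry that must not fire.
AUTORUNS_CSV = r"""Entry Location,Entry,Enabled,Category,Profile,Description,Signer,Company,Image Path,Version,Launch String
HKLM\System\CurrentControlSet\Services,goodflt,enabled,Drivers,System-wide,Sample filter driver,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\drivers\goodflt.sys,6.3.9600.1,System32\drivers\goodflt.sys
HKLM\System\CurrentControlSet\Services,hijackdrv1,enabled,Drivers,System-wide,Windows Driver,(Not verified) Microsoft Corporation,Microsoft Corporation,c:\users\administrator\appdata\local\microsoft\windowsapps\hijackdrv1.sys,6.1.7601.1,\??\C:\Users\Administrator\AppData\Local\Microsoft\WindowsApps\hijackdrv1.sys
HKLM\System\CurrentControlSet\Services,hijackdrv2,enabled,Drivers,System-wide,Windows Driver,(Not verified) Microsoft Corporation,Microsoft Corporation,File not found: C:\Users\Administrator\AppData\Local\Microsoft\WindowsApps\hijackdrv2.sys,,\??\C:\Users\Administrator\AppData\Local\Microsoft\WindowsApps\hijackdrv2.sys
HKCU\Software\Microsoft\Windows\CurrentVersion\Run,OneDrive,enabled,Logon,Administrator,Microsoft OneDrive,(Verified) Microsoft Corporation,Microsoft Corporation,c:\users\administrator\appdata\local\microsoft\onedrive\onedrive.exe,19.043.0304.0013,C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background
"""

if __name__ == "__main__":
    for finding in triage_autoruns(AUTORUNS_CSV):
        print(finding["entry"], finding["image"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

Column names vary slightly between Autoruns versions, so check the header of your own export before relying on the script. Note that hiding verified Microsoft entries (the -m switch) does not hide these two drivers, because their Microsoft claim is exactly what fails to verify.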
3. Sandbox analysis of a browser virus
1. Use Microsoft's Process Monitor to monitor the virus
This sample is a browser hijacker that was repackaged inside a software activation tool.
The sample is named mlxg.exe and is located in the mlxg folder on the desktop.
Open Microsoft's Process Monitor (Sysinternals).
Double-click to open it and configure the monitoring filter as shown in the figure.
The filter means: include only events whose process name is mlxg.exe.
Click OK.
At this point the sample has not been run yet, so nothing is displayed.
2. Run the sample
Double-click mlxg.exe.
3. View Process Monitor
The operations the mlxg process performs on the system are now visible.
Stop capturing first (the magnifying-glass button, or Ctrl+E); a very large capture makes the tool sluggish.
Focus on newly created registry values and files, in particular the following operations and directories:
Creating a DLL file
Writing a temp file
Writing a driver file
Writing an EXE file
Filtering to registry operations
Registry write operations, among them an attempt to set up a GRE tunnel
4. Analyse the sample in a cloud sandbox
Open Chrome on the desktop and go to s.threatbook.cn.
Upload the virus sample.
Because our system is 64-bit, choose the Win7 64-bit environment, then view the report.
Wait for the analysis to complete, then read the handling suggestions in the report.
With those in hand,
use PCHunter or a similar tool on the desktop for the actual response.
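Process Monitor can export a capture as CSV (File > Save, Comma-Separated Values), which lets the "focus on new files and registry writes" step be done as a filter instead of by scrolling. The script below is an added example, not part of the lab. The rows are constructed to match Procmon's CSV layout (Time of Day, Process Name, PID, Operation, Path, Result, Detail) and the dropped file and key names are placeholders, not the sample's real ones. For the chosen process it buckets file writes by what was written (driver .sys, DLL, EXE, temp file) and keeps RegSetValue operations on persistence locations (service ImagePath/Start/Type, Run/RunOnce, Winlogon Shell/Userinit, Image File Execution Options).

```python
"""Bucket a Process Monitor CSV export into the write categories the lab looks at.

Added example, not part of the lab. Expects Procmon's CSV export (File > Save,
"Comma-Separated Values"), whose columns are Time of Day, Process Name, PID,
Operation, Path, Result, Detail. The rows below are constructed to that layout
and the dropped file names are placeholders.
"""
import csv
import io
import re
from collections import defaultdict

# Registry locations where a write gives the sample persistence.
PERSISTENCE_KEYS = re.compile(
    r"\\CurrentControlSet\\Services\\[^\\]+\\(ImagePath|Start|Type)$"
    r"|\\CurrentVersion\\Run(Once)?\\"
    r"|\\Winlogon\\(Shell|Userinit)$"
    r"|\\Image File Execution Options\\",
    re.I,
)
TEMP_DIR = re.compile(r"\\temp\\", re.I)


def triage_procmon(csv_text: str, process: str = "mlxg.exe") -> dict:
    """Group the file and registry writes of `process` by what was written."""
    buckets = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process.lower():
            continue
        op, path, detail = row["Operation"], row["Path"], row["Detail"]
        is_write = op == "WriteFile" or (op == "CreateFile" and "Generic Write" in detail)
        if is_write:
            ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
            if ext == "sys":
                buckets["driver"].append(path)
            elif ext == "dll":
                buckets["dll"].append(path)
            elif ext == "exe":
                buckets["exe"].append(path)
            elif TEMP_DIR.search(path):
                buckets["temp"].append(path)
            else:
                buckets["other_write"].append(path)
        elif op == "RegSetValue" and PERSISTENCE_KEYS.search(path):
            buckets["registry_persistence"].append((path, detail))
    # Drop repeats (a file written in many chunks) but keep first-seen order.
    return {k: list(dict.fromkeys(v)) for k, v in buckets.items()}


# Constructed capture: the sample drops a temp file, a driver, a DLL and an EXE,
# registers the driver as a service and adds a Run key; a chrome.exe read and a
# harmless RegQueryValue are included as noise that must be ignored.
PROCMON_CSV = r"""
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1234567","mlxg.exe","2212","Process Start","","SUCCESS","Parent PID: 1844, Command line: C:\Users\Administrator\Desktop\mlxg\mlxg.exe"
"10:01:02.5012345","mlxg.exe","2212","CreateFile","C:\Users\Administrator\AppData\Local\Temp\tmp1A2B.tmp","SUCCESS","Desired Access: Generic Write, Disposition: Create, Options: Synchronous IO Non-Alert"
"10:01:02.6012345","mlxg.exe","2212","WriteFile","C:\Users\Administrator\AppData\Local\Temp\tmp1A2B.tmp","SUCCESS","Offset: 0, Length: 65,536"
"10:01:03.0012345","mlxg.exe","2212","WriteFile","C:\Windows\System32\drivers\mlxgdrv.sys","SUCCESS","Offset: 0, Length: 12,288"
"10:01:03.2012345","mlxg.exe","2212","WriteFile","C:\Users\Administrator\AppData\Local\Microsoft\WindowsApps\mlxghelper.dll","SUCCESS","Offset: 0, Length: 40,960"
"10:01:03.5012345","mlxg.exe","2212","WriteFile","C:\Users\Administrator\AppData\Local\Microsoft\WindowsApps\mlxgupd.exe","SUCCESS","Offset: 0, Length: 204,800"
"10:01:04.0012345","mlxg.exe","2212","RegSetValue","HKLM\System\CurrentControlSet\Services\mlxgdrv\ImagePath","SUCCESS","Type: REG_EXPAND_SZ, Length: 96, Data: \??\C:\Windows\System32\drivers\mlxgdrv.sys"
"10:01:04.1012345","mlxg.exe","2212","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\mlxgupd","SUCCESS","Type: REG_SZ, Length: 142, Data: C:\Users\Administrator\AppData\Local\Microsoft\WindowsApps\mlxgupd.exe"
"10:01:04.5012345","mlxg.exe","2212","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName","SUCCESS","Type: REG_SZ, Length: 40, Data: Windows Server 2012"
"10:01:05.0012345","chrome.exe","3012","ReadFile","C:\Program Files\Google\Chrome\Application\chrome.exe","SUCCESS","Offset: 0, Length: 4,096"
""".strip()

if __name__ == "__main__":
    for bucket, items in triage_procmon(PROCMON_CSV).items():
        print(bucket)
        for item in items:
            print("   ", item)
```

The output is the list of artifacts to hand to the cleanup step: every path in the driver, dll and exe buckets is a file to remove, and every registry_persistence entry is a key to delete once the files are gone.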
4. Handling ransomware
1. Observe the ransomware
Log in to the system: the desktop background has been replaced by a ransom message.
This already suggests that the system is infected with ransomware.
Try to open the text document on the desktop with Notepad:
double-click the document.
The file content is garbled, i.e. the file has been encrypted.
Ransomware is confirmed.
2. Read the keywords in the desktop message
The desktop background names the family:
ENCRYPTED BY GANDCRAB 5.0.3
3. Learn about the GandCrab ransomware
The major security vendors maintain ransomware sections, for example the international vendors Kaspersky, Bitdefender, Avast and Symantec, and the domestic vendors Sangfor and 360.
For example Avast:
https://www.avast.com/zh-cn/ransomware-decryption-tools
and Sangfor:
http://edr.sangfor.com.cn/#/information/ransom_search
Here we use the Sangfor page to search for the virus name.
The report it returns is an introduction to the workings of version 5.2; read it yourself for the details.
4. Try to decrypt the files with a vendor tool
Look for decryption tools from different vendors:
find the GandCrab decryption tool on the Bitdefender site,
and the gandcrab tag on the Avast page.
Download the software.
There are many versions of these decryption tools. To avoid download problems, the decryptor has been placed in the lab environment beforehand; students can also download different tools and try them.
Open the folder C:\USERS\download2\
Double-click BDGandCrabDecryptTool to run it.
Accept the license.
Confirm the prompt.
Select the folder to decrypt; here we use the desktop as an example.
Start decrypting.
Decryption completes.
Open the Notepad document on the desktop again: it has been decrypted successfully.
Keep a copy of the encrypted files and the ransom note before running any decryptor: the tools identify the variant from the note, and a failed attempt must not leave you without the original ciphertext.
Only a few ransomware families can be decrypted at present (usually because the operators' keys were obtained or the implementation was flawed), so the defence against ransomware has to be strengthened, for example with EDR software and by keeping systems patched.
Mainstream ransomware spreads through automated attacks on RCE vulnerabilities and weak passwords. Defending these two points is what prevents ransomware in practice.
5. Handling a mining virus
Principle: handle a miner through Task Manager, its process, its startup items and so on.
1. Log in to the system and open Task Manager: the CPU is at 100%. Sort the processes by CPU.
Kill the process with the highest CPU usage.
After it is ended the process restarts by itself, which means a parent process or service must be respawning it.
Go to the process details:
the process is named xmrig.exe.
2. Find the parent process
Use the wmic tool directly.
Open a command prompt and enter:
wmic process where name='xmrig.exe' get caption,parentprocessid
The parent process ID is 864.
3. Find how the parent process is started
Sort Task Manager by PID and locate process 864.
The process runs under the SYSTEM account, and SYSTEM processes are usually started by a system service, so look for the service (Task Manager's Services tab, or services.msc).
Stop and disable the service.
After the service is stopped, the xmrig.exe process stops too and CPU usage drops.
4. Handle the files and the service
This virus only uses a service to load itself and does not hook system functions, so the files and the service are easy to remove.
1. Inspect the service and its files
Open the Services console.
Double-click the service name.
Note the service name and the path to the executable.
2. Delete the files
Go to the path and delete the folder C:\USERS\Administrator\c3pool
After deletion, as shown in the figure.
3. Delete the service
Remove the service from the command line:
sc delete c3pool_miner
5. Restart and verify
After the restart, open Task Manager: CPU usage is back to normal and the virus has been cleared.
This combines wmic and Task Manager to deal with a very common "miner" virus.
Miners usually consume a lot of CPU and therefore expose themselves directly; they rarely bother with driver-level or hook-based hiding, so the checks above (CPU, parent process, service, startup items) are usually enough.
Because they are run for profit, mining viruses usually spread automatically, in the same way as ransomware, although their behaviour on the host is completely different. The entry points are mostly RCE vulnerabilities and weak passwords; with basic hardening in place they are easy to deal with.
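Steps 2 and 3 (wmic for the parent PID, then matching that PID against the service list) can be done in one pass. The Python script below is an added example, not part of the lab. It parses the CSV form of wmic output (wmic ... /format:csv, which orders the columns alphabetically and starts with a blank line), walks the parent chain of every xmrig.exe up to the root, matches the direct parent against the service list, and produces the cleanup order the lab follows (stop the service before killing, otherwise the miner simply respawns). Both tables are constructed: only the service name c3pool_miner and its directory come from the lab, while the service binary c3pool_svc.exe, the host name and all PIDs are placeholders.

```python
"""Trace a miner process to the service that respawns it, from wmic output.

Added example, not part of the lab. It parses the CSV form of wmic output
(wmic ... /format:csv, which puts the columns in alphabetical order after a
blank line). The two tables below are constructed; only the service name
c3pool_miner and its directory come from the lab, the service binary
c3pool_svc.exe and all PIDs are placeholders.
"""
import csv
import io
import ntpath

# Shape of: wmic process get caption,parentprocessid,processid /format:csv
WMIC_PROCESS = r"""
Node,Caption,ParentProcessId,ProcessId
WIN2012,System Idle Process,0,0
WIN2012,System,0,4
WIN2012,wininit.exe,380,456
WIN2012,services.exe,456,540
WIN2012,svchost.exe,540,700
WIN2012,c3pool_svc.exe,540,864
WIN2012,xmrig.exe,864,2924
WIN2012,explorer.exe,2800,2976
WIN2012,Taskmgr.exe,2976,3408
"""

# Shape of: wmic service get name,pathname,processid,startmode /format:csv
WMIC_SERVICE = r"""
Node,Name,PathName,ProcessId,StartMode
WIN2012,Dhcp,C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted,700,Auto
WIN2012,c3pool_miner,C:\Users\Administrator\c3pool\c3pool_svc.exe,864,Auto
WIN2012,Spooler,C:\Windows\System32\spoolsv.exe,0,Manual
"""


def parse_wmic_csv(text: str) -> list:
    """wmic's CSV starts with a blank line; drop empty lines, then parse."""
    lines = [line for line in text.splitlines() if line.strip()]
    return list(csv.DictReader(io.StringIO("\n".join(lines))))


def process_chain(procs: list, name: str) -> list:
    """For every process called `name`, follow ParentProcessId links to the root.
    Returns a list of chains, each a list of (pid, caption) starting at the process."""
    by_pid = {int(p["ProcessId"]): p for p in procs}
    chains = []
    for proc in procs:
        if proc["Caption"].lower() != name.lower():
            continue
        chain, pid, seen = [], int(proc["ProcessId"]), set()
        while pid in by_pid and pid not in seen:   # stop at a missing parent or a cycle
            seen.add(pid)
            chain.append((pid, by_pid[pid]["Caption"]))
            pid = int(by_pid[pid]["ParentProcessId"])
        chains.append(chain)
    return chains


def find_miner_origin(proc_csv: str, svc_csv: str, name: str = "xmrig.exe") -> list:
    """Match the miner's direct parent against the running services."""
    procs, services = parse_wmic_csv(proc_csv), parse_wmic_csv(svc_csv)
    svc_by_pid = {int(s["ProcessId"]): s for s in services if int(s["ProcessId"]) != 0}
    results = []
    for chain in process_chain(procs, name):
        parent_pid = chain[1][0] if len(chain) > 1 else None
        svc = svc_by_pid.get(parent_pid)
        results.append({
            "pid": chain[0][0],
            "parent_pid": parent_pid,
            "chain": " <- ".join(f"{caption}({pid})" for pid, caption in chain),
            "under_services_exe": any(caption == "services.exe" for _, caption in chain),
            "service": svc["Name"] if svc else None,
            "service_path": svc["PathName"] if svc else None,
        })
    return results


def cleanup_plan(result: dict) -> list:
    """Order matters: stop the service first, or the miner is simply respawned."""
    plan = []
    if result["service"]:
        plan.append(f"sc stop {result['service']}")
        plan.append(f"sc config {result['service']} start= disabled")
    if result["parent_pid"]:
        plan.append(f"taskkill /F /PID {result['parent_pid']}")
    plan.append(f"taskkill /F /PID {result['pid']}")
    if result["service"]:
        plan.append(f"sc delete {result['service']}")
        # PathName may carry arguments for real services; here it is a bare path.
        plan.append(f"rmdir /S /Q {ntpath.dirname(result['service_path'])}")
    return plan


if __name__ == "__main__":
    for hit in find_miner_origin(WMIC_PROCESS, WMIC_SERVICE):
        print(hit["chain"])
        print("service:", hit["service"], "->", hit["service_path"])
        for step in cleanup_plan(hit):
            print("  ", step)
```

The chain ending in services.exe is the scriptable form of the lab's "the user is SYSTEM, so look for a service" reasoning; if the parent is not a service, the next places to look are scheduled tasks and the Run keys, the other startup items the principle line mentions.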
That's all for this article!