Security Incident Management and Disposal—Operation Example

1. Disposal of Windows hidden accounts

The walkthrough uses a Windows Server 2012 virtual machine

1. Create a user using the command line

1. Open a command prompt as administrator (cmd, Run as administrator) and create a user named test$

net user test$ 123456 /add
net localgroup administrators test$ /add

This creates the user test$ and adds it to the local Administrators group

2. Observe the test$ user

1. Open Computer Management (right-click the Windows icon) and look under Local Users and Groups

test$ is listed there

2. List users from the command line

Enter at the command line

net user

test$ is not listed: net user hides accounts whose name ends in $, which is exactly why an attacker picks that suffix

3. Export the registry entries of test$ and Administrator

1. Open the Registry Editor

Enter on the command line

regedit

2. Take permissions on the SAM key

By default even administrators cannot expand HKEY_LOCAL_MACHINE\SAM\SAM. Right-click the SAM key, choose Permissions, grant Administrators Full Control, then press F5 to refresh so the subkeys appear

3. Export the name entry of test$

Export the following key as test.reg

HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\test$

The (Default) value of this key has no data; the account's RID is stored in the value's type field, 0x3EA in this lab. The RID is assigned by the host when the account is created, so it differs from machine to machine and must be read here rather than copied from the screenshot

4. Export the RID key of test$

Export the key named after that RID, HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000003EA, as uid.reg. It holds the account's F and V values

5. Export the RID key of the Administrator

The built-in Administrator always has RID 500 (0x1F4), so export HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F4 as admin_id.reg

4. Modify the exported registry files

1. Copy the F value from admin_id into uid

Open admin_id in a text editor

Copy the complete "F"=hex:... value

Open uid

Replace its "F"=hex:... value with the copied one and leave the V value alone. V carries the user name test$, while F carries the RID, the account flags and the logon metadata, so the modified uid.reg now describes an account named test$ that carries the Administrator's RID 500

Save the file

5. Delete the test$ user and import the registry files

1. Delete the test$ user

Use the following command

net user test$ /del

2. Import the two files from the desktop

Double-click test.reg to import it

Then double-click uid.reg to import it

6. Verify the hidden account

1. Computer Management no longer lists test$, and net user never did; the account now exists only in the SAM keys that were just re-imported

2. Change local security policy so that the logon screen asks for a user name

At the command prompt enter

gpedit.msc

Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options and open "Interactive logon: Do not display last user name"

Set it to Enabled and confirm

Log off the Administrator

Log on as test$

Enter username test$
Enter password 123456

The logon succeeds

Open Task Manager, Users tab, to see the current session: because the account now carries the Administrator's F blob it logs on with administrator rights, even though it appears in no user list
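The walkthrough finds the hidden account by hand in regedit. The script below is an added example, not part of the original article, that performs the same check for every local account: it reads each RID key under HKLM\SAM\SAM\Domains\Account\Users, takes the user name from the V blob and the RID from the F blob, and flags any account whose F RID disagrees with its key name (the clone trick above), whose name ends in $, or which is missing from net user output. It assumes it runs as SYSTEM (for example psexec -s -i powershell.exe) or after the SAM permissions were granted as in step 3.2, and it uses the standard SAM record offsets (F offset 0x30 = RID, 0x38 = flags; V offset 0x0C/0x10 = name offset and length). The Names subkey is not used because the RID stored in its value type cannot be read through .NET's RegistryKey.

```powershell
# Added example, not part of the original article: find $-suffixed and cloned local accounts
# directly in the SAM, which is where the walkthrough hides test$.
# Assumes it runs as SYSTEM (e.g. psexec -s -i powershell.exe) or after the SAM key permissions
# were granted as in the walkthrough; by default administrators cannot read HKLM\SAM\SAM.
# Layout used (standard SAM user record): F[0x30..0x33] = RID, F[0x38..0x39] = account flags,
# V[0x0C] = user-name offset (relative to 0xCC), V[0x10] = user-name length, name is UTF-16LE.

$UsersKey         = 'HKLM:\SAM\SAM\Domains\Account\Users'
$ACCOUNT_DISABLED = 0x0001

function Get-SamAccounts {
    # Every user has a subkey named after its RID as 8 hex digits; "Names" is the name index
    Get-ChildItem -Path $UsersKey |
        Where-Object { $_.PSChildName -match '^[0-9A-F]{8}$' } |
        ForEach-Object {
            $f = $_.GetValue('F')
            $v = $_.GetValue('V')
            $nameOff = [BitConverter]::ToInt32($v, 0x0C) + 0xCC
            $nameLen = [BitConverter]::ToInt32($v, 0x10)
            [pscustomobject]@{
                Name   = [Text.Encoding]::Unicode.GetString($v, $nameOff, $nameLen)
                KeyRid = [Convert]::ToUInt32($_.PSChildName, 16)  # RID from the key name
                FRid   = [BitConverter]::ToUInt32($f, 0x30)        # RID the F blob claims
                Flags  = [BitConverter]::ToUInt16($f, 0x38)
            }
        }
}

function Find-SuspiciousAccounts {
    $netUserOutput = (net user) -join ' '   # what the walkthrough's "net user" shows
    foreach ($a in Get-SamAccounts) {
        $reasons = @()
        if ($a.KeyRid -ne $a.FRid) {
            # The clone trick: F copied from another account, so the two RIDs disagree
            $reasons += "cloned: key RID $($a.KeyRid) but F carries RID $($a.FRid)"
        }
        if ($a.Name.EndsWith('$')) { $reasons += 'name ends in $ (hidden from net user)' }
        if ($netUserOutput -notmatch [regex]::Escape($a.Name)) { $reasons += 'missing from net user output' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Name     = $a.Name
                Rid      = $a.KeyRid
                Disabled = [bool]($a.Flags -band $ACCOUNT_DISABLED)
                Reasons  = $reasons -join '; '
            }
        }
    }
}

Find-SuspiciousAccounts | Format-Table -AutoSize
```

On the lab host this reports test$ with key RID 1002 (0x3EA) but F RID 500, plus the two hidden-name reasons. The RID mismatch is the robust signal: an attacker can rename the account or avoid the $ suffix, but a cloned F blob always disagrees with the key it sits in.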


2. Handling of browser hijacking incidents

Principle: a driver-level (rootkit) infection has to be found with tools that also work at driver level; remove the malicious driver, then restore the system

1. Observe the hijacking

1. Open Google Chrome: the home page first loads hp1.dhwz444.top

and then immediately redirects to hao123.com

2. Open Internet Explorer: its home page is hijacked in the same way

 

2. Try to restore the home page manually

Open the IE settings menu

Select Internet Options

On the General tab set the home page to "Use new tab" and click OK

Close Internet Explorer

Open it again: the home page is hijacked again, so something on the system keeps re-applying the setting

3. Check the system autostarts and drivers

1. Use Autoruns from the Microsoft Sysinternals suite

Open the Tools folder on the desktop and run autoruns64.exe

Accept the license agreement

Autoruns lists everything the system loads at boot. Focus on rows highlighted in pink/red (no publisher, or the signature could not be verified), rows in yellow (the image file is not found), and any entry whose publisher is shown as (Not verified)

As shown in the figure, the two entries in the red box display the publisher as (Not verified) Microsoft Corporation: the files' version information claims Microsoft, but they do not carry a valid Microsoft signature, so the claim is worthless

 

Try to delete the two entries in Autoruns

Refresh after the deletion: both entries are still there

Delete them again: Autoruns now reports that they are only marked for deletion

4. Reboot to see whether the two driver-level services can be removed this way

Open Autoruns again: both services are still present. Two entries that claim to be Microsoft's, fail signature verification and cannot be deleted are clearly abnormal

5. Try to delete the files themselves

Right-click an entry and choose Jump to Image to open the folder that contains the file

The file is not visible there

Enable the display of hidden files and protected operating system files in Windows Explorer

View options

Set as shown

The folder still appears empty

At this point the conclusion is that the driver service is malicious and hooks system APIs so that its own files are hidden from Explorer and from ordinary file-system calls

6. Use the driver-level tool PCHunter to remove it

Open PCHunter from the desktop

Check the driver modules

Note that PCHunter's driver module view shows only the file's version information; it does not verify signatures, so a "Microsoft" company name here proves nothing

Note the path of the two files, C:\Users\Administrator\AppData\Local\Microsoft\WindowsApps\

In PCHunter's file browser navigate to that path

Delete the files

Observe that the deletion has no effect. Select the file again, right-click, and tick "prevent file regeneration after deletion"

Force delete

Force delete the directory

Reboot once more. Open IE or Chrome: the home page is back to normal

So far the driver dropped by the virus and its startup files have been removed

Next clean up the registry: with the files gone the driver no longer protects its registry entries, so they can be deleted directly

Open Autoruns and delete the related registry entries

Remove the second one the same way

That concludes this example
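The Autoruns step above can be reproduced without the GUI. The script below is an added example, not part of the original article or of Sysinternals: it walks HKLM\SYSTEM\CurrentControlSet\Services, resolves each ImagePath (and the ServiceDll of svchost-hosted services), and reports the company name claimed by the file's version information next to the real Authenticode result, so an Autoruns "(Not verified) Microsoft Corporation" row shows up as Company = Microsoft Corporation with Signature not equal to Valid. It also flags binaries under a user profile and entries whose file cannot be seen at all, which in the walkthrough was the sign that a rootkit was hiding its own files. Run it from an elevated PowerShell; the path normalization rules are assumptions covering the common ImagePath forms.

```powershell
# Added example, not part of the original article: the Autoruns check for services and drivers
# done in PowerShell. Shows claimed publisher (version info) next to the verified signature,
# and flags files that are not visible or that run from a user profile. Run elevated.

function Resolve-ImagePath([string]$raw) {
    if ([string]::IsNullOrWhiteSpace($raw)) { return $null }
    $p = $raw.Trim()
    if ($p.StartsWith('"')) { $p = $p.Split('"')[1] }                      # "C:\path with spaces\x.exe" -args
    elseif ($p -match '^(.+?\.(sys|exe|dll))(\s|$)') { $p = $Matches[1] }  # C:\path\x.exe -args
    $p = [Environment]::ExpandEnvironmentVariables($p)
    $p = $p -replace '^\\\?\?\\', ''                                       # \??\C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot                      # \SystemRoot\System32\drivers\x.sys
    if ($p -match '^system32\\') { $p = "$env:SystemRoot\$p" }              # system32\drivers\x.sys
    return $p
}

function Get-AutostartBinaries {
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
        $svc  = $_
        $path = Resolve-ImagePath ($svc.GetValue('ImagePath'))
        if (-not $path) { return }
        # svchost-hosted services: the code that actually runs is the ServiceDll under Parameters
        if ($path -like '*\svchost.exe') {
            $params = $svc.OpenSubKey('Parameters')
            if ($params) { $path = Resolve-ImagePath ($params.GetValue('ServiceDll')) }
        }
        $exists  = Test-Path -LiteralPath $path
        $sig     = if ($exists) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        $company = if ($exists) { (Get-Item -LiteralPath $path).VersionInfo.CompanyName } else { $null }

        $flags = @()
        if (-not $exists)                           { $flags += 'file not visible (deleted or hidden)' }
        elseif ($sig.Status -ne 'Valid')            { $flags += "signature $($sig.Status)" }
        if ($path -like "$env:SystemDrive\Users\*") { $flags += 'runs from a user profile' }

        [pscustomobject]@{
            Service   = $svc.PSChildName
            Kind      = if (($svc.GetValue('Type') -band 0x3) -ne 0) { 'driver' } else { 'service' }
            Path      = $path
            Company   = $company                                   # what the file claims
            Signature = if ($sig) { $sig.Status } else { 'n/a' }   # what actually verifies
            Flags     = $flags -join '; '
        }
    }
}

# The equivalent of Autoruns' coloured rows: only entries that need a closer look
Get-AutostartBinaries | Where-Object Flags | Sort-Object Kind, Service | Format-Table -AutoSize
```

Expect some noise from uninstalled drivers whose service key outlived the file; the combination seen in the walkthrough, a Microsoft company name, a failing signature and a path under a user's AppData, is what stands out. Run the same check again after the PCHunter cleanup and reboot to confirm the two services are gone.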


3. Sandbox analysis of browser viruses

1. Use Process Monitor from Microsoft Sysinternals to record what the sample does

The sample is a browser hijacker that was repackaged inside a Windows activation tool, so a user who runs the "activator" also runs the hijacker

The sample is named mlxg.exe and is in the mlxg folder on the desktop

Open Process Monitor

Double-click it and configure the filter as shown in the figure: Process Name is mlxg.exe, then Include, so only events from that process are kept

Click OK

The sample has not been run yet, so the display is still empty

2. Run the virus program

Double-click mlxg.exe

 

3. Review the Process Monitor capture

Every operation the mlxg process performed on the system is listed

Stop capturing first (the magnifying glass button, Ctrl+E): a very large capture makes the tool sluggish

Concentrate on newly written registry values and files. Operations and directories that deserve a closer look include

A DLL file being created

A file written to the Temp directory

A driver (.sys) file being written

An EXE file being written

Then filter on registry operations (RegSetValue, RegCreateKey)

Among the registry writes is one that appears to configure a GRE tunnel
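Reading a capture in the Process Monitor window scales badly once the sample has produced tens of thousands of events. The script below is an added example, not part of the original article, that does the review above on a capture saved with File > Save... > CSV: it keeps only successful file and registry writes by the chosen process, treats CreateFile as a write only when its disposition creates or overwrites a file, groups by path, and marks the locations the walkthrough singles out (drivers, Services keys, executables, Temp). The embedded capture is constructed for the demo; its paths, PIDs and the driver name demo_hidden.sys are made up. For a real capture replace it with Import-Csv .\Logfile.CSV.

```powershell
# Added example, not part of the original article: triage a Process Monitor CSV export, keeping
# only successful file/registry writes by one process. The sample capture below is constructed
# (paths, PIDs and the driver name are invented); use $events = Import-Csv .\Logfile.CSV for real data.

$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","mlxg.exe","4120","CreateFile","C:\Users\Administrator\AppData\Local\Temp\tmp1A2B.tmp","SUCCESS","Desired Access: Generic Write, Disposition: Create"
"10:01:02.2","mlxg.exe","4120","WriteFile","C:\Users\Administrator\AppData\Local\Temp\tmp1A2B.tmp","SUCCESS","Offset: 0, Length: 65,536"
"10:01:02.3","mlxg.exe","4120","CreateFile","C:\Windows\System32\drivers\demo_hidden.sys","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf"
"10:01:02.4","mlxg.exe","4120","WriteFile","C:\Windows\System32\drivers\demo_hidden.sys","SUCCESS","Offset: 0, Length: 28,672"
"10:01:02.5","mlxg.exe","4120","RegCreateKey","HKLM\System\CurrentControlSet\Services\demo_hidden","SUCCESS","Desired Access: All Access"
"10:01:02.6","mlxg.exe","4120","RegSetValue","HKLM\System\CurrentControlSet\Services\demo_hidden\ImagePath","SUCCESS","Type: REG_EXPAND_SZ, Length: 78, Data: system32\drivers\demo_hidden.sys"
"10:01:02.7","mlxg.exe","4120","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS","Desired Access: Read Data/List Directory, Disposition: Open"
"10:01:02.8","mlxg.exe","4120","RegQueryValue","HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProductName","SUCCESS","Type: REG_SZ, Data: Windows Server 2012"
"10:01:02.9","explorer.exe","1880","WriteFile","C:\Users\Administrator\Desktop\notes.txt","SUCCESS","Offset: 0, Length: 120"
'@
$events = $sampleCsv | ConvertFrom-Csv

# Operations that create or modify something; CreateFile counts only when its disposition creates
$writeOps = @('CreateFile', 'WriteFile', 'SetRenameInformationFile', 'RegCreateKey', 'RegSetValue')

function Get-ProcessWrites([object[]]$Events, [string]$ProcessName) {
    $Events |
        Where-Object { $_.'Process Name' -eq $ProcessName -and $_.Result -eq 'SUCCESS' -and $_.Operation -in $writeOps } |
        Where-Object { $_.Operation -ne 'CreateFile' -or $_.Detail -match 'Disposition: (Create|OpenIf|Overwrite|OverwriteIf|Supersede)' } |
        Group-Object Path |
        ForEach-Object {
            [pscustomobject]@{
                Kind       = if ($_.Name -like 'HK*') { 'registry' } else { 'file' }
                Path       = $_.Name
                Operations = ($_.Group.Operation | Sort-Object -Unique) -join ','
                # Locations the walkthrough singles out: drivers, service keys, executables, Temp
                Flag       = $_.Name -match '\\drivers\\|\\Services\\|\.(sys|exe|dll)$|\\Temp\\'
            }
        }
}

Get-ProcessWrites -Events $events -ProcessName 'mlxg.exe' | Sort-Object Kind, Path | Format-Table -AutoSize
```

On the constructed capture this leaves four rows: the Temp file, the driver file, the new Services key and its ImagePath value, all flagged, while the read of kernel32.dll, the registry query and explorer.exe's write are dropped. The dropped driver plus its Services key is the persistence pair that the Autoruns and PCHunter steps in the previous section then have to remove.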

4. Analyze the sample in a cloud sandbox

Open Chrome on the desktop and go to s.threatbook.cn (ThreatBook's online sandbox)

Upload the sample

Our host is 64-bit, so choose the Win7 64-bit environment and open the report

Wait for the analysis to finish, then read the disposal suggestions

Use the dropped files, registry keys and drivers shown in the report as the checklist when cleaning the host with PCHunter or a similar tool


4. Disposal of ransomware

1. Observe the ransomware

Log on to the system: the desktop background has been replaced by a ransom message

This alone suggests the system is infected with ransomware

Try to open a text document on the desktop with Notepad

Double-click it

The content is garbled: the file has been encrypted

Ransomware confirmed

2. Read the keywords in the ransom message

The background image names the family and version

ENCRYPTED BY GANDCRAB 5.0.3

3. Learn about the GandCrab ransomware

Major security vendors maintain ransomware information pages and decryptor collections, for example the international vendors Kaspersky, Bitdefender, Avast and Symantec, and the domestic vendors Sangfor and 360

Avast, for example

https://www.avast.com/zh-cn/ransomware-decryption-tools

Or Sangfor

http://edr.sangfor.com.cn/#/information/ransom_search

Here we search Sangfor's page for the family name

The report found describes version 5.2 of the family; it explains how the ransomware works and is worth reading

4. Try to decrypt with a vendor tool

Look for decryptors from several vendors

Bitdefender publishes a GandCrab decryptor

Avast's page has a GandCrab tag as well

Download the software

Several versions of the decryptor exist. To avoid download problems the tool is already in the lab environment; students can also download other vendors' tools and try them

Open the folder C:\USERS\download2\

Double-click BDGandCrabDecryptTool to run it

Accept the license

Confirm the prompt

Select the folder to decrypt, here the desktop

Start decrypting

Decryption completes

Open the Notepad document on the desktop again: it has been decrypted successfully

Only a few ransomware families can be decrypted, so the defense has to come first: protect hosts with EDR software and keep systems patched.
Mainstream ransomware spreads through automated attacks against remotely exploitable (RCE) vulnerabilities and weak passwords, with exposed RDP and SMB the usual entry points. Hardening those two points, timely patching and strong, unique passwords, stops the bulk of ransomware before it runs.
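Before searching a vendor page or running a decryptor, the responder has to collect what those pages ask for: the extension appended to encrypted files, the ransom note, the wallpaper the malware installed, and ideally one encrypted file together with its original. The script below is an added example, not part of the original article, that gathers these from the hit folder (the desktop in this walkthrough). It ranks the extensions of recently written files, looks for small note files whose name advertises decryption instructions (the name patterns are assumptions), reads the current wallpaper path from HKCU\Control Panel\Desktop, and reports an original/encrypted pair if an unencrypted copy happens to exist.

```powershell
# Added example, not part of the original article: gather the indicators vendor lookups and
# decryptors ask for from the hit folder. Note-name patterns are assumptions; defaults target
# the current user's desktop and the last 48 hours.

function Get-RansomwareIndicators([string]$Root = [Environment]::GetFolderPath('Desktop'), [int]$Hours = 48) {
    $since  = (Get-Date).AddHours(-$Hours)
    $recent = Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
              Where-Object { $_.LastWriteTime -ge $since }

    # Encrypted files share one unfamiliar extension written in the same burst; rank by count
    $topExt = $recent | Where-Object Extension | Group-Object Extension |
              Sort-Object Count -Descending | Select-Object -First 3

    # Ransom notes: small text/HTML files whose name advertises decryption instructions
    $notes = $recent | Where-Object {
        $_.Length -lt 100KB -and
        $_.Extension -in @('.txt', '.html', '.htm', '.hta') -and
        $_.BaseName -match 'DECRYPT|RECOVER|README|HOW[_ -]?TO|RESTORE|ENCRYPTED|RANSOM'
    }

    # The "desktop background prompt" is a wallpaper file the malware dropped; its path is an IOC
    $wallpaper = (Get-ItemProperty 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue).Wallpaper

    # Some decryptors want one encrypted file plus its unencrypted original (e.g. a backup copy).
    # If "report.docx.<ext>" sits next to an intact "report.docx", report the pair.
    $pair = $null
    if ($topExt) {
        $pair = $recent | Where-Object { $_.Extension -eq $topExt[0].Name } | ForEach-Object {
            $original = $_.FullName.Substring(0, $_.FullName.Length - $_.Extension.Length)
            if (Test-Path -LiteralPath $original) { "$original <-> $($_.FullName)" }
        } | Select-Object -First 1
    }

    [pscustomobject]@{
        Root          = $Root
        RecentFiles   = @($recent).Count
        TopExtensions = ($topExt | ForEach-Object { "$($_.Name) x$($_.Count)" }) -join ', '
        RansomNotes   = @($notes | ForEach-Object FullName) -join "`n"
        Wallpaper     = $wallpaper
        SamplePair    = $pair
    }
}

Get-RansomwareIndicators | Format-List
```

The most frequent recent extension is normally the one the ransomware appended, and together with the note text it is what the Sangfor and Avast pages above key on. Copy the note and wallpaper files off the host before cleaning it; once they are gone the family can no longer be confirmed, and a decryptor released later may need the note's ID.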


5. Disposal of a mining virus

Principle: identify and remove the miner through Task Manager, the process tree and the startup items (here a service)

1. Log on and open Task Manager: the CPU is at 100%. Sort the processes by CPU

End the process with the highest CPU usage

It restarts immediately after being ended, which shows that a parent process relaunches it and that the parent has to be found

Open the Details tab

The process is named xmrig.exe (the open-source XMRig Monero miner)

2. Find the parent process

Use wmic directly

Open a command prompt

Enter the following command

wmic process where name='xmrig.exe' get caption,parentprocessid

The parent process ID is 864

3. Find how the parent process is started

Sort Task Manager by PID and find the process with PID 864

It runs as SYSTEM, and SYSTEM processes are normally started as services. Find the corresponding entry on the Services tab, which shows the PID of each running service

Stop the service

Once the service is stopped the xmrig.exe process exits as well and CPU utilization drops

4. Remove the files and the service

This miner is loaded only through a service and hooks no system functions, so its files and service are easy to remove

1. View the service and its files

Open services.msc

Double-click the service

Note the service name and the path to the executable

2. Delete the files

Go to that path and delete the folder C:\USERS\Administrator\c3pool

After the deletion, as shown in the figure

3. Delete the service

Remove the service from the command line

sc delete c3pool_miner

5. Reboot and verify

After the reboot open Task Manager: CPU usage is back to normal and the miner is gone

wmic combined with Task Manager is enough for this very common kind of miner

Miners consume a lot of CPU and so give themselves away; they rarely bother with driver-level or hooking techniques to hide

Because they are run for profit, miners spread automatically, by the same routes as ransomware (mostly RCE vulnerabilities and weak passwords), even though the two behave completely differently once inside. Basic hardening of those two points deals with them easily
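The wmic and Task Manager steps of this section can be run as one script. The following is an added example, not part of the original article: starting from the miner's image name it walks up the parent chain through Win32_Process.ParentProcessId, maps any ancestor that hosts a service (Win32_Service.ProcessId) to that service and its binary path, prints the chain, and then stops the service, kills the miner, deletes the service and removes its folder in the order the walkthrough uses. The name xmrig.exe comes from the walkthrough; the path parsing rules are assumptions, and every destructive step asks for confirmation and refuses to delete anything under the Windows directory. Run it elevated.

```powershell
# Added example, not part of the original article: walk the miner's parent chain, map the
# SYSTEM-level parent to its service and binary, then clean up with confirmation prompts.

function Get-ProcessAncestry([string]$ImageName) {
    $all  = Get-CimInstance Win32_Process
    $svcs = Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -gt 0 }
    foreach ($p in ($all | Where-Object { $_.Name -eq $ImageName })) {
        $cur = $p; $depth = 0
        while ($cur -and $depth -lt 10) {        # stops at System/Idle or at a vanished parent
            $svc   = $svcs | Where-Object { $_.ProcessId -eq $cur.ProcessId }
            $owner = Invoke-CimMethod -InputObject $cur -MethodName GetOwner -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Depth       = $depth
                Pid         = $cur.ProcessId
                Name        = $cur.Name
                User        = if ($owner.User) { "$($owner.Domain)\$($owner.User)" } else { 'n/a' }
                CommandLine = $cur.CommandLine
                Service     = @($svc | ForEach-Object Name) -join ','      # non-empty => the hop is a service host
                ServicePath = @($svc | ForEach-Object PathName) -join ','
            }
            $cur = $all | Where-Object { $_.ProcessId -eq $cur.ParentProcessId } | Select-Object -First 1
            $depth++
        }
    }
}

function Remove-MinerService([object[]]$Chain, [string]$ImageName) {
    foreach ($hop in ($Chain | Where-Object { $_.Service })) {
        foreach ($name in ($hop.Service -split ',')) {
            # Stop the watchdog service first so it cannot respawn the miner, then kill the miner
            Stop-Service -Name $name -Force -Confirm
            Stop-Process -Name ([IO.Path]::GetFileNameWithoutExtension($ImageName)) -Force -ErrorAction SilentlyContinue
            sc.exe delete $name
        }
        # Binary path without arguments: "C:\Users\Administrator\c3pool\x.exe" -opts  ->  its folder
        $exe = ($hop.ServicePath -split ',')[0]
        if ($exe.StartsWith('"')) { $exe = $exe.Split('"')[1] } elseif ($exe -match '^(.+?\.exe)') { $exe = $Matches[1] }
        $dir = Split-Path -Parent $exe
        if ($dir -like "$env:SystemRoot*") { Write-Warning "$($hop.Service) runs from $dir; refusing to delete a system folder"; continue }
        Remove-Item -LiteralPath $dir -Recurse -Force -Confirm
    }
}

$chain = Get-ProcessAncestry -ImageName 'xmrig.exe'
$chain | Format-Table -AutoSize
Remove-MinerService -Chain $chain -ImageName 'xmrig.exe'
```

On the lab host the chain is xmrig.exe at depth 0 and, at depth 1, PID 864 running as NT AUTHORITY\SYSTEM with Service = c3pool_miner and a path under C:\Users\Administrator\c3pool, which is what the cleanup then removes. If the SYSTEM-level hop shows no service, the miner is being relaunched by something else (a scheduled task or a Run key), and the Autoruns-style check from the browser hijacking section is the next step.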


That's all for this article!


Origin blog.csdn.net/weixin_54055099/article/details/127097706