Table of Contents of Series Articles
Web network security-----Red and blue attack and defense information collection
Web network security-----Detailed explanation of Log4j high-risk vulnerability principles and repair
Shell classification (graphical interface + command line) / Linux security-----Common commands for emergency traceability
An actual combat successfully traced the source and countered getshell
Article directory
- Table of Contents of Series Articles
- 1. Emergency response overview
- 2. Intrusion investigation
  - Basic Information
  - User Info
  - Startup items
  - Scheduled Tasks
  - System process
  - Service troubleshooting
  - File traces
  - Log analysis (Windows)
  - Log analysis (Linux)
  - Log analysis and troubleshooting (other logs)
  - Memory analysis (Redline, Volatility)
  - Traffic Analysis
  - Threat intelligence
- Summarize
1. Emergency response overview
Event level
1. Particularly major event: red alert, Level 1 response
2. Major event: orange alert, Level 2 response
3. Major event: yellow alert, Level 3 response
4. General event: blue alert, Level 4 response
Event type
1. Application security: WebShell, web page tampering, web page malware implants ("hanging horse")...
2. System security: ransomware, mining Trojans, remote control backdoors...
3. Network security: DDoS attacks, ARP attacks, traffic hijacking...
4. Data security: data leakage, damage, encryption...
Emergency response model
1. Preparation phase (Preparation)
• Emergency team building
• Emergency plan formulation
• Penetration test assessment
• Security baseline inspection
2. Detection phase (Detection)
• Determine the event type
• Determine the event level
• Determine the emergency plan
3. Containment phase (Containment)
Limit the scope of the attack/damage and reduce potential losses:
• Block: IP addresses, network connections, dangerous hosts...
• Close: suspicious processes, suspicious services...
• Delete: illegal accounts, dangerous files...
4. Eradication phase (Eradication)
Identify the root cause through event analysis and remove it completely so that it cannot be used again:
• Enhance: security policy, full network monitoring...
• Repair: application vulnerabilities, system vulnerabilities, patch updates...
• Restore: operating systems, business systems...
5. Recovery phase (Recovery)
Completely restore the damaged systems and data to normal operation:
• Restore business systems
• Recover user data
• Restore network communication
6. Summary phase (Follow-up)
Review and consolidate the information gathered during the response, conduct a post-mortem analysis, revise security plans, policies and procedures, and run training to prevent a recurrence of the intrusion:
• Incident summary meeting
• Response report output
• Response effort optimization
2. Intrusion investigation
Basic Information
- Windows
msinfo32
systeminfo
- Linux
CPU information
lscpu
Operating system information
uname -a
cat /proc/version
Kernel module information
lsmod
User Info
- Windows
Check for malicious accounts
net user
lusrmgr.msc (Computer Management -> Local Users and Groups -> Users)
Registry view of hidden users: run regedit to open the Registry Editor and view the SIDs of all users of the computer under HKEY_LOCAL_MACHINE\SAM; or from the command line:
wmic useraccount get name,sid
- Linux
View user information
cat /etc/passwd
Analyze superuser (UID 0) accounts
awk -F: '$3==0{print $1}' /etc/passwd
View accounts that can log in
grep 'bin/bash' /etc/passwd
View failed login attempts
lastb
View the last login time of all users
lastlog
View recent login records
last
View the currently logged-in users
who
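The /etc/passwd checks above (UID-0 accounts, accounts with a login shell) as shell functions, added here as an example that is not part of the original post. It runs over a constructed sample passwd file so it works offline; the functions take the file path as an argument, so pointing them at /etc/passwd on a real host gives the actual review. It also goes one step beyond the page by catching any interactive shell rather than only bin/bash, and by listing duplicate UIDs.

```shell
#!/bin/sh
# Added example (not from the original post): /etc/passwd account checks
# from the "User Info" section, run over a constructed sample file.
set -u

# Constructed sample: root, two service accounts, an interactive user, and a
# hypothetical second UID-0 account ("toor") of the kind the awk check finds.
make_sample_passwd() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:alice:/home/alice:/bin/bash
toor:x:0:0::/root:/bin/sh
EOF
    printf '%s\n' "$f"
}

# Accounts whose UID is 0 (page: awk -F: '$3==0{print $1}'); anything other
# than root here needs an explanation from the system owner.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Accounts with an interactive shell. The page greps for bin/bash; excluding
# the usual non-login shells instead also catches /bin/sh, /bin/zsh, etc.
login_shell_accounts() {
    awk -F: '$7 !~ /(nologin|false|sync|halt|shutdown)$/ { print $1 ":" $7 }' "$1"
}

# UIDs shared by more than one account name: two names on one UID is another
# way an extra privileged account can hide among legitimate entries.
duplicate_uids() {
    awk -F: '{ print $3 }' "$1" | sort | uniq -d
}

SAMPLE_PASSWD=$(make_sample_passwd)
if [ "${1:-}" = "--demo" ]; then
    echo "UID 0 accounts:";       uid0_accounts "$SAMPLE_PASSWD"
    echo "login-shell accounts:"; login_shell_accounts "$SAMPLE_PASSWD"
    echo "duplicate UIDs:";       duplicate_uids "$SAMPLE_PASSWD"
fi
```

Run it with `--demo` to see the three listings for the sample; on a live host substitute `/etc/passwd` for `$SAMPLE_PASSWD` (and compare the result with `lastlog` and `last` to see whether the extra accounts have ever logged in).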
Startup items
- Windows
View details through msconfig (the "System Configuration" dialog box).
Registry root keys:
HKEY_CLASSES_ROOT (HKCR): file type and COM class registration information
HKEY_CURRENT_USER (HKCU): configuration information for the logged-in user
HKEY_LOCAL_MACHINE (HKLM): computer hardware-specific information
HKEY_USERS (HKU): configuration information for all user profiles
HKEY_CURRENT_CONFIG (HKCC): information about the current configuration of the system
- Linux
View the contents of the rc.local file under init.d
cat /etc/init.d/rc.local
View the contents of the rc.local file
cat /etc/rc.local
View the details of all files in the init.d folder
ls -alt /etc/init.d
Scheduled Tasks
- Windows
View: Computer Management -> System Tools -> Task Scheduler -> Task Scheduler Library
Command line: schtasks, or Get-ScheduledTask under PowerShell
- Linux
List the current user's cron jobs
crontab -l
List root's cron jobs
crontab -u root -l
View the scheduled task files in the /etc directory
ls /etc/cron*
System process
- Windows
Processes can be checked through the Task Manager.
Check the correspondence between processes and services
tasklist /svc
List the DLLs loaded by each process (for DLL-based malicious processes)
tasklist /m
Check the processes that load the ntdll.dll module
tasklist /m ntdll.dll
(ntdll.dll is a core component of the Windows operating system that integrates different functional modules, including the core system API, memory management, exception handling, process and thread management, etc.)
Results can be filtered through /fi
tasklist /svc /fi "PID eq 2820" (displays the service process with PID 2820)
View the current network connections
netstat -ano | findstr "ESTABLISHED"
Locate the PID through netstat, then locate the program through tasklist or wmic
wmic process get name,executablepath,processid | findstr <PID>
wmic process where processid=602444 get processid,executablepath,name
Quickly locate the program corresponding to a port (requires administrator privileges)
netstat -anb
Troubleshoot using PowerShell
Get-WmiObject Win32_Process | Select-Object Name, ProcessId, ParentProcessId, Path
(obtains information about all processes in the Windows system and selects the process name (Name), process ID (ProcessId), parent process ID (ParentProcessId) and path (Path))
Display data in CSV format
wmic process list full /format:csv
wmic queries
• wmic process get name,parentprocessid,processid /format:csv
• wmic process get executablepath,processid /format:csv
• wmic process where processid=2020 get executablepath,processid /format:csv
• wmic process where name="httpd.exe" get executablepath,processid /format:csv
- Linux
Display all network connections and listening ports
netstat -anptl
View the executable program of process 3364
ls -alt /proc/3364
View the files opened by the process
lsof -p 3364
Kill the process
kill -9 3364
Delete the suspicious Trojan
rm -rf <Trojan file>
View file attributes
lsattr <file name>
Remove the immutable (i) attribute
chattr -i <file name>
Real-time process status
top
Service troubleshooting
- Windows
Open "Run", enter services.msc to open the "Services" window and view all service items, including service name, description, status, etc.
- Linux
Check the status of system services
chkconfig --list
All services
service --status-all
File traces
1. Sensitive directories
- Windows
temp (tmp) related directories
Browser history, downloaded files and cookie information
User Recent files: C:\Users\Administrator\Recent, C:\Users\<username>\Recent, or through "Run" -> enter "Recent"
Prefetch folder: located at "%SystemRoot%\Prefetch\". You can enter prefetch or %SystemRoot%\Prefetch\ in the "Run" dialog box, or open C:\WINDOWS\prefetch
- Linux
Temporary folder: /tmp
Command directories: /usr/bin, /usr/sbin, etc.
Directory storing SSH connection information and configuration files: ~/.ssh
SSH server configuration file and key storage directory: /etc/ssh
2. Time point
Check the creation time, modification time and access time of files. In emergency response to manual intrusions, attackers sometimes modify file timestamps to disguise the intrusion and evade some troubleshooting strategies; for example, tools such as China Chopper (菜刀) can modify the times. Therefore, if the timestamps of a file have obvious logical problems (for example, a creation time in 2021 and a modification time in 2018), it needs to be examined closely: it is likely to be a malicious file.
- Windows
Search for txt files created after 2021/11/27
forfiles /m *.txt /d +2021/11/27 /s /p c:\ /c "cmd /c echo @path @fdate @ftime" 2>nul
Display pptx files whose name contains "Network" dated after 2021/11/1
forfiles /m *Network*.pptx /p f:\ /d +2021/11/1 /s /c "cmd /c echo @path @fdate @ftime" 2>nul
Display all files dated after 2021/11/27
forfiles /m *.* /p f:\ /d +2021/11/27 /s /c "cmd /c echo @path @fdate @ftime" 2>nul
- Linux
Search by type: block device, directory, character device, pipe, symbolic link, regular file
find -type b/d/c/p/l/f
Search by file modification time. -n means within the last n days, +n means more than n days ago
find -mtime -n / +n
Search by file access time
find -atime -n / +n
Search by file ctime (inode status-change time, often loosely called creation time)
find -ctime -n / +n
Find .txt files whose ctime is within the last day
find / -ctime 0 -name "*.txt"
Find .txt files newly added within 3 days
find / -ctime -3 -name "*.txt"
View detailed information of the first 10 files or folders in the current directory, newest first
ls -alt | head -n 10
Check the creation (birth), modification and access times of a file
stat <file name>
3. Webshell
- Windows
D盾 (D-Shield)
HwsKill
webshellKill
- Linux
Search for files with special permissions
find /tmp -perm 777
Find all php files under /var/www
find /var/www/ -name "*.php"
Regular-expression search for $_POST variables (replace /path/to/directory with the directory to search)
grep -rnE "\\\$_POST\[['\"][a-zA-Z0-9_]+['\"]\]" /path/to/directory
Troubleshoot system commands (list all files and folders in /bin/ with detailed information, newest first)
ls -alht /bin/
Tools
chkrootkit
rkhunter
Troubleshoot SUID programs
find / -type f -perm -04000 -uid 0 -ls 2>/dev/null
('-uid 0' restricts the search to files owned by root (user ID 0), and must come before '-ls' so that it filters what is printed; '2>/dev/null' redirects error output to the null device so that no error messages are displayed in the terminal.)
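The Linux checks from the "Webshell" and "Time point" sections (grep for $_POST variables, find by modification time, find by permission) as shell functions, added here as an example that is not part of the original post. It builds a constructed web root in a temporary directory so it runs offline; on a real host pass /var/www or the actual document root instead. The permission check generalizes the page's `-perm 777` to any file with the world-write bit set.

```shell
#!/bin/sh
# Added example (not from the original post): webshell-hunting file checks
# run over a constructed sample web root. Directory paths are arguments.

# Constructed sample web root: a static page, a PHP page that reads no request
# data, and one that reads a $_POST variable (the pattern the page's grep
# matches), made world-writable so the permission check also finds it.
make_sample_webroot() {
    d=$(mktemp -d)
    printf '<html><body>hello</body></html>\n' > "$d/index.html"
    printf '<?php echo date("Y-m-d"); ?>\n' > "$d/time.php"
    mkdir -p "$d/uploads"
    printf '<?php $name = $_POST["name"]; echo htmlspecialchars($name); ?>\n' > "$d/uploads/form.php"
    chmod 666 "$d/uploads/form.php"
    printf '%s\n' "$d"
}

# Files under $1 that read a $_POST variable. Same ERE as on the page, written
# in double quotes so both quote styles ('name' and "name") fit in the class.
find_post_var_files() {
    grep -rlE "\\\$_POST\[['\"][a-zA-Z0-9_]+['\"]\]" "$1" 2>/dev/null | sort
}

# Regular files under $1 modified within the last $2 days (page: find -mtime -n).
recently_modified() {
    find "$1" -type f -mtime "-$2" 2>/dev/null | sort
}

# Regular files under $1 that any user may write. The page uses -perm 777
# (exact mode); -perm -0002 matches any mode that has the world-write bit.
world_writable_files() {
    find "$1" -type f -perm -0002 2>/dev/null | sort
}

SAMPLE_WEBROOT=$(make_sample_webroot)
if [ "${1:-}" = "--demo" ]; then
    echo "files reading \$_POST:";  find_post_var_files "$SAMPLE_WEBROOT"
    echo "modified in last 1 day:"; recently_modified "$SAMPLE_WEBROOT" 1
    echo "world-writable:";         world_writable_files "$SAMPLE_WEBROOT"
fi
```

A file that appears in all three listings (reads request data, changed recently, writable by everyone) is the one to open first; a $_POST match on its own is just ordinary form handling, so the timestamps and permissions are what separate a candidate from normal application code.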
Log analysis (Windows)
Log locations before Windows 2003
• System log: C:\Windows\System32\config\SysEvent.evt
• Security log: C:\Windows\System32\config\SecEvent.evt
• Application log: C:\Windows\System32\config\AppEvent.evt
Log locations from Windows 2008 onwards
• System log: C:\Windows\System32\winevt\Logs\System.evtx
• Security log: C:\Windows\System32\winevt\Logs\Security.evtx
• Application log: C:\Windows\System32\winevt\Logs\Application.evtx
• Other logs are often used in emergency response, for example exporting a log with PowerShell:
Get-EventLog Application | Export-Clixml -Path C:\PowerShell\applog.xml -Depth 2
(This command saves the Application log to the file C:\PowerShell\applog.xml.)
• Or open "Run" and enter eventvwr.msc
Common log event IDs
Log event IDs related to common startup events
Log event IDs related to the log being cleared
PowerShell log analysis
1. Get only the traditional event logs and view the list of all logs:
Get-EventLog -List
2. Get events from both the traditional event logs and the logs generated by the new Windows event log technology; view the list of all logs:
Get-WinEvent -ListLog *
Get all entries in the Security log with event ID 4625 (failed login)
Get-EventLog Security -InstanceId 4625
(requires Windows Vista, Windows Server 2008 or a later version of Windows, and Microsoft .NET Framework 3.5 or later.)
Logging tools
• FullEventLogView: a lightweight log retrieval tool. It is a portable ("green") version that requires no installation; retrieval is faster than the tools that come with Windows and the display is good
• Event Log Explorer: software for checking system security that can view, monitor and analyze event records
• Log Parser: a log analysis tool released by Microsoft, powerful and easy to use
• For example: LogParser.exe -i:EVT -o:DATAGRID "SELECT * FROM c:\Security.evtx WHERE EventID=4624"
Log analysis (Linux)
Storage directory
/var/log/
Records logins, logouts, data exchange, shutdowns and restarts; a binary file that can be viewed using last
/var/log/wtmp
Records log information related to scheduled tasks
/var/log/cron
Records information and error logs after system startup
/var/log/messages
Records Apache access logs
/var/log/apache2/access.log
Records system authorization information, including user logins and the permission mechanism used, etc.
/var/log/auth.log
Logs that record user information of all levels
/var/log/userlog
Records Linux FTP logs
/var/log/xferlog (vsftpd.log)
Records the last login of each user; can be viewed using the lastlog command
/var/log/lastlog
Records the accounts and passwords entered for most applications, as well as whether the login succeeded
/var/log/secure
Records account information for unsuccessful logins to the system
/var/log/faillog
View email-related log files
ls -alt /var/spool/mail
Can reveal attacks on port 80 (when web access is abnormal, an alarm email is sent promptly to the email address currently configured in the system)
cat /var/spool/mail/root
For Linux system log analysis, commands such as grep, sed, sort and awk are mainly used.
View lines of the log file
• tail -n 10 test.log: view the last 10 lines of the log
• tail -n +10 test.log: view all lines from line 10 onwards
• head -n 10 test.log: view the first 10 lines of the log
• head -n -10 test.log: view all lines except the last 10
Commands to count the number of distinct IP addresses in a log file
• awk '{print $1}' test.log | sort | uniq | wc -l
• awk '{print $1}' /access.log | sort | uniq -c | sort -nr | head -10
Commands to find logs for a specified time period
• sed -n '/2020-12-17 16:17:20/,/2020-12-17 16:17:36/p' test.log
• grep '2020-12-17 16:17:20' test.log
Log analysis and troubleshooting (other logs)
Location of IIS logs
• %SystemDrive%\inetpub\logs\LogFiles
• %SystemRoot%\System32\LogFiles\W3SVC1
• %SystemDrive%\inetpub\logs\LogFiles\W3SVC1
• %SystemDrive%\Windows\System32\LogFiles\HTTPERR
Location of Apache logs
• /var/log/httpd/access.log
• /var/log/apache/access.log
• /var/log/apache2/access.log
• /var/log/httpd-access.log
Nginx log location
By default, access.log is the access log and error.log is the error log in the /usr/local/nginx/logs directory. If they are not in the default path, look up the paths in the nginx.conf configuration file.
Tomcat log location
By default, the TOMCAT_HOME/logs/ directory contains catalina.out, catalina.YYYY-MM-DD.log, localhost.YYYY-MM-DD.log, localhost_access_log.YYYY-MM-DD.txt, host-manager.YYYY-MM-DD.log, manager.YYYY-MM-DD.log and other logs
WebLogic log location
• By default, WebLogic has three logs: the access log, the server log and the domain log
• The access log is located at
$MW_HOME\user_projects\domains\server\logs\access.log
• The server log is located at
$MW_HOME\user_projects\domains\<domain_name>\server\<server_name>\logs\<server_name>.log
• The domain log is located at
$MW_HOME\user_projects\domains\<domain_name>\server\<adminserver_name>\logs\<domain_name>.log
Database logs
• Oracle: use select * from v$logfile to query the log path. By default the log files are recorded under $ORACLE/rdbms/log. Use select * from v$sql to query previously executed SQL
• MySQL: use show variables like '%log_%' to check whether logging is enabled. If it is, the default path is /var/log/mysql; use show variables like '%general%' to view the general log location
• MSSQL: generally cannot be viewed directly; log in to SQL Server Management Studio and view it under "Management -> SQL Server Logs"
Memory analysis
Methods of memory acquisition:
• Memory acquisition based on a user-mode program
• Memory acquisition based on a kernel-mode program
• Memory acquisition based on a system crash dump
• Memory acquisition based on operating system injection
• Memory acquisition based on the system hibernation file
• Memory acquisition based on a virtualization snapshot
• Memory acquisition based on a system cold boot
• Hardware-based memory acquisition
Common methods
1. Memory acquisition based on kernel-mode programs:
This method generally requires tools. Commonly used extraction tools include DumpIt, Redline, RAM Capturer, FTK Imager, etc.
2. Memory acquisition based on a system crash dump:
Open the "System Properties" dialog box, select the "Advanced" tab, click the "Settings" button under "Startup and Recovery", select "Kernel memory dump" in the "Startup and Recovery" dialog box, and collect the dump file from the configured location.
3. Memory acquisition based on a virtualization snapshot:
This method uses virtualization software such as VMware Workstation and ESXi. VMware Workstation automatically generates a virtual memory file when it takes a snapshot.
Tools
Redline
After obtaining the memory file, Redline can be used to import and analyze it. It mainly collects information about the processes running on the host, drivers in memory and other data such as metadata, registry databases, tasks, services, network information and Internet history, and finally generates a report.
Volatility
Volatility is an open-source memory forensics tool that can analyze traces of intrusions, including network connections, processes, services, driver modules, DLLs, handles, process injection, cmd command history, IE browser history, startup items, users, shimcache, userassist, some rootkit-hidden files, cmdliner, etc.
netscan: investigate network connections in the memory image
psxview: list all processes including hidden ones; use psxview to investigate hidden processes
malfind: find hidden or injected code and DLLs
cmdscan: extract records of executed commands
procdump: extract process executables; a specific process can be extracted by specifying its PID, e.g. procdump -p 3203 -D <output directory>
Traffic Analysis
• Wireshark
• PCHunter
• Process Monitor
Filter a specific IP address
• ip.addr == ip
Filter a specified source IP address
• ip.src == ip
Filter port numbers
• tcp.port == <port number>
• udp.port == <port number>
Search for keywords in packet data
• tcp contains <string>
Threat intelligence
There are many threat intelligence centers run by major vendors. For details, see:
Web Network Security-----Red and Blue Attack and Defense Information Collection (web, Android...)
Summarize
How can we sweep the world if we don't sweep one house?