Windows server intrusion detection


Basic checkpoints


Detecting unusual accounts

Look for newly created accounts, and in particular for any new account that has been added to the Administrators group.

C:\>lusrmgr.msc

C:\>net localgroup administrators

Look for hidden files

Look for recently created files in system folders such as C:\Windows\System32.

C:\>dir /S /A:H

Check the registry startup items

Check whether the Windows registry autostart entries are normal, paying particular attention to the following keys:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce

HKLM\Software\Microsoft\Windows\CurrentVersion\RunonceEx

Check for unusual services

    Check all running services and system services for unknown services disguised as legitimate ones, and look at the path of each service's executable file.

Check the Startup folder of each account

    For example, on Windows Server 2008:

C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

View connected sessions

C:\>net use

Sessions between this computer and other computers on the network:

C:\>net session

Check NetBIOS connections

C:\>nbtstat -S

Check whether the system has abnormal network connections (refreshing every 5 seconds):

C:\>netstat -nao 5

Check the scheduled tasks

     Check the list of scheduled tasks for unknown tasks

     C:\>at

Check the Windows logs for anomalies

Check the firewall, antivirus software and event logs for any suspicious records.

Check for large numbers of failed login attempts or locked-out accounts.

Export the web server access logs and analyze them: check whether the logs are complete and whether they contain traces of an attack.

Check whether the web directory contains a webshell (Trojan); focus the inspection on upload directories and similar locations.
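The host-side checkpoints above (accounts, hidden files, Run keys, services, Startup folders, connections, scheduled tasks and failed logons) can be collected in one pass. The following read-only triage script is an added example, not part of the original post; it assumes Windows Server 2016 or later with PowerShell 5.1 and an elevated prompt, and uses Get-NetTCPConnection and Get-ScheduledTask in place of netstat and the deprecated at.exe.

```powershell
# Added example: read-only triage script covering the checkpoints above.
# Assumes Windows Server 2016+ / PowerShell 5.1 and an elevated prompt.
$report = [ordered]@{}

# 1. Who is in the local Administrators group right now
$report['LocalAdmins'] = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue | Select-Object Name, PrincipalSource

# 2. Hidden files written to System32 within the last week
$report['RecentHiddenSystem32'] = Get-ChildItem "$env:SystemRoot\System32" -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -and $_.LastWriteTime -gt (Get-Date).AddDays(-7) } |
    Select-Object FullName, LastWriteTime

# 3. Run / RunOnce / RunOnceEx entries for the machine and the current user
$runKeys = foreach ($n in 'Run', 'RunOnce', 'RunOnceEx') {
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\$n"
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\$n"
}
$report['AutorunEntries'] = foreach ($k in $runKeys) {
    if (Test-Path $k) {
        (Get-ItemProperty $k).PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' } |
            ForEach-Object { [pscustomobject]@{ Key = $k; Name = $_.Name; Command = $_.Value } }
    }
}

# 4. Services whose binary is missing or does not carry a valid Authenticode signature
$report['UnsignedServices'] = Get-CimInstance Win32_Service | ForEach-Object {
    $exe = if ($_.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($_.PathName -split ' -|/')[0].Trim() }
    $sig = if (Test-Path -LiteralPath $exe -ErrorAction SilentlyContinue) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'FileMissing' }
    [pscustomobject]@{ Name = $_.Name; State = $_.State; Path = $exe; Signature = $sig }
} | Where-Object { $_.Signature -ne 'Valid' }

# 5. All-users and per-user Startup folders
$startupDirs = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp") +
    (Get-ChildItem 'C:\Users' -Directory | ForEach-Object { "$($_.FullName)\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp" })
$report['StartupFolderItems'] = Get-ChildItem $startupDirs -Force -ErrorAction SilentlyContinue | Select-Object FullName, LastWriteTime

# 6. Listening and established TCP connections mapped to the owning process (netstat -nao equivalent)
$report['NetworkConnections'] = Get-NetTCPConnection -State Listen, Established | ForEach-Object {
    $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{ Local = "$($_.LocalAddress):$($_.LocalPort)"; Remote = "$($_.RemoteAddress):$($_.RemotePort)"; PID = $_.OwningProcess; Process = $p.ProcessName }
}

# 7. Scheduled tasks outside the \Microsoft\ tree (covers what at.exe used to list)
$report['NonMicrosoftTasks'] = Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    Select-Object TaskName, TaskPath, State, @{ n = 'Action'; e = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } }

# 8. Failed logons (event 4625) and account lockouts (event 4740) in the last 24 hours
$report['LogonFailures24h'] = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625, 4740; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    Group-Object Id | Select-Object Name, Count

# Print the report and keep a JSON copy as evidence
$report | ConvertTo-Json -Depth 4 | Tee-Object -FilePath "$env:TEMP\triage-$(Get-Date -Format 'yyyyMMdd-HHmm').json"
```

Every section is a review list rather than a verdict: a service in Program Files with a valid signature is not flagged, but a missing binary, an unquoted path with spaces, or a task with an unexpected action should be checked against the PCHunter inspection described below.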

3. Check for Trojans and backdoors

An advanced inspection for Trojans and backdoors should check these items in turn: startup items, processes, modules, the kernel, service functions and network connections. For further inspection of hidden Trojans and backdoors you can use PCHunter.

Open the Process tab. I start by investigating processes: select any process, right-click and choose "Verify all digital signatures"; PCHunter then displays the different types of processes in different colors.


Processes with a Microsoft digital signature: black

Processes with a non-Microsoft digital signature: blue

Microsoft-signed processes that have loaded some non-Microsoft modules: khaki

Unsigned modules: pink

Suspicious processes, hidden services and hooked functions: red

Focus the investigation on processes and drivers that do not carry a Microsoft digital signature, in particular unsigned ones, and on hidden services, processes and hooked functions, for example:


If a driver file looks suspicious, you can right-click it in PCHunter and upload it to VirSCAN for online analysis.


Source: www.cnblogs.com/68xi/p/11582584.html