xfeng


Emergency Response

1. Windows Emergency Response

1.1 File Analysis

1.1.1 Startup Items

Check the Windows startup menu

C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

1.1.2 tmp Temporary Files

In the Run window, enter %tmp% to directly open the temporary folder

Check if there are any suspicious files (exe, dll, sys) in this folder

1.1.3 Browser History

Use a dedicated browser-history viewing tool

1.1.4 File Attributes

Check the file's creation time, modification time, and last access time (updating of the last access time is disabled by default). By default, the system displays the modification time.

1.1.5 Recently Opened Files

In the Run window, enter %UserProfile%\Recent to directly open the recently used files

1.2 Account Security

1.2.1 Suspicious Accounts, New Accounts

Open a cmd window, enter the command lusrmgr.msc, and check for new or suspicious accounts, such as accounts newly added to the Administrators group. If any are found, disable or delete them immediately.

1.2.2 Hidden Accounts, Cloned Accounts

  • Open the registry and check the key values corresponding to the administrator accounts for signs of cloning
  • Use the D-Shield web scanning tool, which integrates detection of cloned accounts

1.2.3 Login Logs

Press Win+R to open the Run window, enter "eventvwr.msc", and press Enter to open the "Event Viewer"

  • 4624: An account was successfully logged on
  • 4648: A logon was attempted using explicit credentials
  • 4778: A session was reconnected to a Windows host
  • 4779: A session was disconnected from a Windows host

1.3 Port Processes

1.3.1 Ports

Check the state of port connections for remote or otherwise suspicious connections

  • netstat -ano to view current network connections and locate suspicious ESTABLISHED connections
  • tasklist to locate the process behind the PID obtained from netstat

1.3.2 Processes

Investigate using tools provided by Microsoft, such as Process Explorer

1.3.3 Scheduled Tasks

1.4 Webshell Detection

Common tools: D-Shield

2. Linux Emergency Response

2.1 File Analysis

/tmp is a special temporary directory that every user can read and write, so check it for suspicious files

2.2 Account Security

User information file /etc/passwd

root:x:0:0:root:/root:/bin/bash
account:password:UID:GID:GECOS:directory:shell

Username : Password (x means the hash is stored in /etc/shadow) : User ID : Group ID : User description : Home directory : Login shell
Note: An account with no password can only log in locally; remote login is not allowed

Shadow file /etc/shadow

root:$6$oGs1PqhL2p3ZetrE$X7o7bzoouHQVSEmSgsYN5UD4.kMHx6qgbTqwNVC5oOAouXvcjQSt.Ft7ql1WpkopY0UV9ajBwUt1DpYxTCVvI/:16809:0:99999:7:::

Username : Encrypted password : Date of last password change : Minimum days between password changes : Password expiry date : Password expiry warning days : Password inactivity days : Account expiration date : Reserved

Several commonly used commands

  • who: view currently logged-in users (tty for local login, pts for remote login)
  • w: view system information and what users are doing at a given moment
  • uptime: view how long the system has been running, the number of users, and the system load

Intrusion investigation

  • Query privileged users (uid 0)

    awk -F: '$3==0{print $1}' /etc/passwd

  • Query accounts that have a usable password hash (and can therefore log in, including remotely)

    # field 2 starting with $1$ (MD5) or $6$ (SHA-512) is a usable hash; * or ! means the account is locked.
    # -F: is required to test the second field, and $ must be escaped or awk treats it as an end-of-line anchor.
    # Distributions using other hash types show other prefixes, e.g. $5$ (SHA-256) or $y$ (yescrypt).
    awk -F: '$2 ~ /^\$[16]\$/ {print $1}' /etc/shadow

  • Except for the root account, check whether other accounts have sudo privileges. If not required for administration, ordinary accounts should have their sudo privileges removed

    # -E is needed so that | works as alternation (in basic regex it is a literal character);
    # "ALL=(ALL" also matches the ALL=(ALL:ALL) form. Rules may also live in files under /etc/sudoers.d
    grep -vE '^(#|$)' /etc/sudoers | grep 'ALL=(ALL'

  • Disable or delete redundant and suspicious accounts

    usermod -L user      # lock the account; it can no longer log in, and the second field in /etc/shadow now starts with !
    userdel user         # delete the user
    userdel -r user      # delete the user together with its home directory under /home
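As an added example (not part of the original post), the three account checks above written as shell functions and run against constructed sample copies of /etc/passwd, /etc/shadow and /etc/sudoers, with the regex pitfalls handled (-F: for the shadow field, -E for alternation in grep). The file names, function names and sample contents are assumptions.

```shell
#!/bin/sh
# Constructed sample files (not from any real host) so the checks run offline.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backdoor:x:0:0::/tmp:/bin/sh
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$6$saltsalt$fakehashfakehashfakehash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$y$j9T$saltsalt$fakehash:19000:0:99999:7:::
backdoor:$1$saltsalt$fakehash:19000:0:99999:7:::
svc:!$6$saltsalt$lockedhash:19000:0:99999:7:::
EOF
cat > "$SAMPLE_DIR/sudoers" <<'EOF'
# comment line
Defaults env_reset

root ALL=(ALL:ALL) ALL
backdoor ALL=(ALL) NOPASSWD:ALL
%sudo ALL=(ALL:ALL) ALL
EOF

# 1. Accounts with uid 0: anything besides root deserves a close look.
uid0_users() { awk -F: '$3 == 0 { print $1 }' "$1"; }

# 2. Accounts whose shadow field 2 holds a usable hash ($1$, $5$, $6$, $y$, ...).
#    "*", "!" and "!$6$..." (locked) or an empty field are not usable and are skipped.
#    The field must be split with -F:, and $ must be escaped or awk treats it as an anchor.
password_users() { awk -F: '$2 ~ /^\$[0-9A-Za-z]+\$/ { print $1 }' "$1"; }

# 3. sudoers rules granting ALL=(ALL) or ALL=(ALL:ALL); -E makes | an alternation operator
#    (in basic regex, as in grep -v "^#|^$", it is a literal character and nothing is filtered).
sudo_all_rules() { grep -vE '^(#|$)' "$1" | grep -E 'ALL=\(ALL(:ALL)?\)'; }

echo "uid 0 accounts:";                uid0_users "$SAMPLE_DIR/passwd"
echo "accounts with a password hash:"; password_users "$SAMPLE_DIR/shadow"
echo "sudo ALL rules:";                sudo_all_rules "$SAMPLE_DIR/sudoers"
```

On a real host, point the functions at /etc/passwd, /etc/shadow and /etc/sudoers (plus the files under /etc/sudoers.d) instead of the samples.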
    

2.3 Port Processes

  1. Use the netstat command to analyze suspicious ports, IPs, and PIDs

    netstat -antlp | more

  2. Check the file path corresponding to the PID

    ls -l /proc/$PID/exe or file /proc/$PID/exe ($PID is the corresponding PID number)

  3. Analyze the process using the ps command

    ps aux | grep pid

2.4 Command History

In a Linux system, previously executed commands are recorded by default in each user's ~/.bash_history file; for root this is /root/.bash_history.

Use cat /root/.bash_history to view the file, or use the history command

2.5 Environment Variables

Environment variables determine which directories the shell searches for commands or programs. The value of PATH is a colon-separated list of directories, searched in order

2.6 Backdoor Detection

Tool: rkhunter
