Windows Emergency Response Manual Notes

System Account

Does the server have weak passwords? Ask the administrators first, then confirm with a brute-force tool against the local accounts.

Suspicious accounts

lusrmgr.msc

net user / wmic UserAccount get

Note that `net user` does not list accounts whose names end in `$`; lusrmgr.msc and `wmic UserAccount get` do.

Hidden accounts

HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\

The SAM key is readable only by SYSTEM (open regedit as SYSTEM, or grant Administrators read permission on the key and refresh). Compare the subkeys under Names with the output of `net user`: an entry present here but absent there is a hidden or cloned account.

D Shield account detection
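As an added example (not from the original notes), the following PowerShell sweep covers the three checks above in one pass: list every local account, including `$`-suffixed names that `net user` hides, show who is in Administrators, and pull account-creation and group-change events from the Security log. It assumes an elevated PowerShell 5.1 or later session on Windows 10 / Server 2016 or later (the LocalAccounts module); the SAM comparison in the last step only works from a SYSTEM shell, and the 30-day window is an assumption.

```powershell
# Added example, not part of the original notes. Run elevated; step 5 needs SYSTEM.

# 1. Every local account. Get-LocalUser reads the SAM, so names ending in "$"
#    (hidden from `net user`) are listed here.
$users = Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet, SID
$users | Format-Table -AutoSize

# 2. Flag the "$" trick explicitly.
foreach ($u in $users) {
    if ($u.Name.EndsWith('$')) { Write-Warning "Hidden-style account: $($u.Name) (SID $($u.SID))" }
}

# 3. Administrators membership: an attacker-created account is usually dropped in here.
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

# 4. Security log: 4720 = user account created, 4732 = member added to a local group.
#    Only present if auditing was enabled before the incident. Window is an assumption.
$filter = @{ LogName = 'Security'; Id = 4720, 4732; StartTime = (Get-Date).AddDays(-30) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Id      = $_.Id
        Subject = $d['SubjectUserName']       # who did it
        Target  = $d['TargetUserName']        # 4720: the new user; 4732: the group
        Member  = $d['MemberName']            # 4732 only: the account that was added
    }
} | Format-Table -AutoSize

# 5. Clone accounts (SAM "F" value copied from the RID 500 entry) look normal above.
#    The SAM hive is readable only as SYSTEM (e.g. `psexec -s -i powershell.exe`), so this
#    step compares the Names subkeys with step 1 and warns when it cannot read them.
try {
    $samNames = Get-ChildItem 'HKLM:\SAM\SAM\Domains\Account\Users\Names' -ErrorAction Stop |
        ForEach-Object { $_.PSChildName }
    $diff = Compare-Object -ReferenceObject @($users.Name) -DifferenceObject @($samNames)
    if ($diff) { $diff } else { 'SAM Names subkeys match the Get-LocalUser list.' }
} catch {
    Write-Warning "SAM not readable from this context (run as SYSTEM): $($_.Exception.Message)"
}
```

Step 5 is the one that catches a cloned administrator: the account name is legitimate-looking and enabled, so steps 1 to 4 show nothing unusual, and only the SAM itself (or D Shield, which does the same comparison) reveals it.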

Ports, Processes

netstat -ano

tasklist | findstr <pid>

netstat -ano | findstr <port>

Task Manager shows each process's PID (add the PID column under Details if it is hidden); right-click a process and choose "Open file location" to see where the binary lives.

Process viewing: msinfo32 (Software Environment > Running Tasks lists path, PID and start time)

Services: services.msc

Huorong Sword (火绒剑), Process Explorer

Process Observation

  • No signature information
  • No description information
  • Owner of the process
  • Process path

Terminate suspicious processes

taskkill /f /pid <pid>
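An added PowerShell example (not from the original notes) that scores every running process against the four observation points above and prints the suspicious ones first, with the parent PID and command line needed to decide whether to kill it. It assumes an elevated PowerShell 5.1 or later session (`-IncludeUserName` needs it); the "user-writable path" and "masquerade" heuristics are choices made for this example, not a standard.

```powershell
# Added example, not part of the original notes. Run elevated (owner lookup needs it).

# Command line and parent PID come from WMI; Get-Process alone does not expose them in 5.1.
$cim = @{}
Get-CimInstance Win32_Process | ForEach-Object { $cim[[int]$_.ProcessId] = $_ }

$report = foreach ($p in Get-Process -IncludeUserName -ErrorAction SilentlyContinue) {
    $path = $p.Path
    $sig  = 'NoPath'                                  # System, Idle, protected processes
    $desc = ''
    if ($path) {
        $s = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        if ($s) { $sig = [string]$s.Status }          # Valid / NotSigned / HashMismatch / UnknownError
        try { $desc = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($path).FileDescription } catch { }
    }
    $flags = New-Object System.Collections.Generic.List[string]
    if ($sig -ne 'Valid')                            { $flags.Add('no-signature') }
    if ([string]::IsNullOrWhiteSpace($desc))         { $flags.Add('no-description') }
    # Heuristic (assumption): unsigned binaries running out of profile or temp directories.
    if ($path -and $sig -ne 'Valid' -and $path -match '^[A-Z]:\\Users\\|\\Temp\\|\\ProgramData\\') {
        $flags.Add('user-writable-path')
    }
    # Heuristic (assumption): a system-looking name outside System32/SysWOW64/WinSxS.
    if ($path -and $p.ProcessName -match '^(svchost|lsass|csrss|winlogon|services|smss)$' -and
        $path -notmatch '^[A-Z]:\\Windows\\(System32|SysWOW64|WinSxS)\\') {
        $flags.Add('masquerade')
    }
    [pscustomobject]@{
        PID   = $p.Id
        PPID  = $cim[$p.Id].ParentProcessId
        Name  = $p.ProcessName
        Owner = $p.UserName
        Sig   = $sig
        Desc  = $desc
        Path  = $path
        Cmd   = $cim[$p.Id].CommandLine
        Flags = ($flags -join ',')
        Score = $flags.Count
    }
}

# Worst first. Read Path/Cmd/PPID before acting: an unsigned binary is a lead, not a verdict.
$report | Where-Object Score -gt 0 | Sort-Object Score -Descending |
    Format-Table PID, PPID, Name, Owner, Sig, Flags, Path -AutoSize

# Stop a confirmed bad process (same effect as `taskkill /f /pid <pid>`). Leave the file on
# disk for hashing and sandbox analysis before cleaning it up:
#   Stop-Process -Id <pid> -Force
```

Keep the full `$report` (for example `$report | Export-Csv procs.csv`) as evidence before terminating anything; the PPID column is what links a dropped binary back to the web server worker or office document that spawned it.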

Startup Items, Scheduled Tasks, Services

Startup Items

Startup folders

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp

C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

Registry

REG query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

REG query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

REG query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

REG query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

REG query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

REG query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

On 64-bit Windows also check the 32-bit view of the HKLM keys (Wow6432Node), and check the Run keys of every loaded user hive under HKEY_USERS, not only the currently logged-on user.

msconfig (Startup tab; on Windows 8 and later it hands off to Task Manager's Startup tab)

Group Policy: gpedit.msc (Computer Configuration / User Configuration > Windows Settings > Scripts: startup and logon scripts)

Scheduled Tasks

taskschd.msc

Automatic Services

services.msc
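One added PowerShell pass (not from the original notes) over everything in this section: the Run* keys listed above, both startup folders, every enabled scheduled task action and every auto-start service, each resolved to its executable and checked for an Authenticode signature. It assumes an elevated PowerShell 5.1 or later session on a host where the ScheduledTasks module is available (Windows 8 / Server 2012 and later); the keyword list used for flagging is an assumption of this example.

```powershell
# Added example, not part of the original notes. Run elevated.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',   # 32-bit view on x64
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$entries = New-Object System.Collections.Generic.List[object]

# Registry Run* values
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    foreach ($name in $props.PSObject.Properties.Name) {
        if ($name -match '^PS(Path|ParentPath|ChildName|Drive|Provider)$') { continue }
        $entries.Add([pscustomobject]@{ Source = $k; Name = $name; Command = [string]$props.$name })
    }
}

# Startup folders: all-users plus every profile on the box
$startupDirs = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp")
foreach ($profile in Get-ChildItem 'C:\Users' -Directory) {
    $startupDirs += "$($profile.FullName)\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
}
foreach ($d in $startupDirs) {
    foreach ($f in Get-ChildItem $d -File -ErrorAction SilentlyContinue) {
        $entries.Add([pscustomobject]@{ Source = 'StartupFolder'; Name = $f.Name; Command = $f.FullName })
    }
}

# Scheduled tasks (enabled only), one row per Exec action
foreach ($task in (Get-ScheduledTask | Where-Object State -ne 'Disabled')) {
    foreach ($a in $task.Actions) {
        if ($a.Execute) {
            $entries.Add([pscustomobject]@{ Source = 'Task'; Name = $task.TaskPath + $task.TaskName
                                            Command = ("$($a.Execute) $($a.Arguments)").Trim() })
        }
    }
}

# Services that start automatically
foreach ($svc in (Get-CimInstance Win32_Service | Where-Object StartMode -eq 'Auto')) {
    $entries.Add([pscustomobject]@{ Source = 'Service'; Name = $svc.Name; Command = $svc.PathName })
}

# Resolve the executable from each command line and check its signature. Keyword list is an
# assumption: LOLBins, encoded commands, URLs and user-writable directories.
$suspectWords = 'powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|-enc|https?://|\\Temp\\|\\Users\\|\\ProgramData\\'
$out = foreach ($e in $entries) {
    $exe = $null
    if ($e.Command -match '^\s*"([^"]+)"' -or $e.Command -match '^\s*(\S+)') {
        $exe = [System.Environment]::ExpandEnvironmentVariables($matches[1])
    }
    # NoFile also surfaces unquoted service paths with spaces ("C:\Program" does not exist).
    $sig = 'NoFile'
    if ($exe -and (Test-Path -LiteralPath $exe)) {
        $sig = [string](Get-AuthenticodeSignature -FilePath $exe -ErrorAction SilentlyContinue).Status
    }
    [pscustomobject]@{
        Source  = $e.Source; Name = $e.Name; Sig = $sig
        Suspect = ($sig -ne 'Valid' -or $e.Command -match $suspectWords)
        Command = $e.Command
    }
}
$out | Sort-Object Suspect -Descending | Format-Table -AutoSize -Wrap
```

Expect some false positives (unsigned in-house tools, vendor agents calling `cmd.exe`); the point is to get every autostart on one screen with its signature state so that the one entry pointing into `C:\Users\...\AppData` stands out.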

Suspicious Files

Sort the suspicious directories (web root, upload directory, temp) by modification time and look at what changed around the time of the incident.

Are there new user directories under C:\Users?

Webshell search. The three commands below are Linux shell one-liners for a web root on a Linux host (kept here as notes); on Windows the equivalent is findstr over the web root, or a scanner such as D Shield:

find /var/www/ -name "*.php" | xargs egrep 'assert|phpspy|c99sh|milw0rm|eval\(gunerpress|eval\(base64_decoolcode|spider_bc|shell_exec|passthru|\(\$_POST\[|eval \(str_rot13|\.chr\(|\$\{"_P|eval\(\$_R|file_put_contents\(.*\$_|base64_decode'

grep -i -r 'eval($_post' /app/website/*

find /app/website/ -type f | xargs grep 'eval($_post'

Temporary files: C:\Windows\Temp\

Recent files: %UserProfile%\Recent

Search the web server logs for requests to the upload directory within the time window of the incident, for example:

findstr /s /m /I "UploadFiles" *.log
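An added PowerShell example (not from the original notes) for the file-side checks above on an IIS host: sort the web root by modification time, grep the script files for webshell indicators (the same function names as the egrep list plus their ASP/.NET and JSP counterparts), look for timestamp tampering, list recently touched Temp and Recent entries, and pull upload-directory requests from the IIS logs for a time window. The web root, the log directory, the 7-day window and the `UploadFiles` path are assumptions; adjust them to the host.

```powershell
# Added example, not part of the original notes. Paths and window are assumptions.
$webRoot = 'C:\inetpub\wwwroot'
$iisLogs = 'C:\inetpub\logs\LogFiles\W3SVC1\*.log'
$since   = (Get-Date).AddDays(-7)
$exts    = '*.php', '*.asp', '*.aspx', '*.ashx', '*.asmx', '*.jsp', '*.jspx', '*.cer'

# Function names that webshells lean on. Legitimate frameworks match some of these too,
# so a hit is a lead to read, not a verdict.
$indicators = @(
    'eval\s*\(', 'assert\s*\(', 'base64_decode', 'str_rot13', 'gzinflate', 'gzuncompress',
    'shell_exec', 'passthru', 'system\s*\(', 'popen', 'proc_open',
    '\$_(POST|GET|REQUEST|COOKIE)\s*\[', 'file_put_contents', 'move_uploaded_file',
    'Eval\s*\(\s*Request', 'execute\s*\(\s*request', 'Request\.(Form|Item|QueryString)\s*[\[(]',
    'ProcessStartInfo', 'cmd\.exe\s*/c', 'Runtime\.getRuntime\(\)\.exec', 'defineClass'
) -join '|'

# 1. Web root: newest writes first, indicator hits per file, creation-after-write hint.
$files = Get-ChildItem -Path $webRoot -Recurse -File -Include $exts -ErrorAction SilentlyContinue
$scan = foreach ($f in $files) {
    $hits = @(Select-String -Path $f.FullName -Pattern $indicators -AllMatches -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        LastWrite = $f.LastWriteTime
        Created   = $f.CreationTime
        # A file "created" after it was last written is a common timestomping artefact.
        Timestomp = ($f.CreationTime -gt $f.LastWriteTime.AddSeconds(1))
        Hits      = $hits.Count            # number of lines matching an indicator
        Size      = $f.Length
        Owner     = (Get-Acl -LiteralPath $f.FullName).Owner
        Path      = $f.FullName
    }
}
$scan | Where-Object { $_.LastWrite -ge $since -or $_.Hits -gt 0 -or $_.Timestomp } |
    Sort-Object LastWrite -Descending | Format-Table -AutoSize

# 2. Temp and Recent: what was touched lately (Recent holds .lnk files, one per opened item).
Get-ChildItem "$env:SystemRoot\Temp", "$env:APPDATA\Microsoft\Windows\Recent" -Force -ErrorAction SilentlyContinue |
    Where-Object LastWriteTime -ge $since | Sort-Object LastWriteTime -Descending |
    Select-Object LastWriteTime, Length, FullName -First 40

# 3. IIS W3C logs: requests touching the upload directory inside the window.
#    W3C lines start with "date time" in UTC, e.g. "2024-05-01 12:34:56 ...".
Select-String -Path $iisLogs -Pattern 'UploadFiles' -ErrorAction SilentlyContinue |
    Where-Object { $_.Line -match '^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ' -and
                   ([datetime]$matches[1]).ToLocalTime() -ge $since } |
    ForEach-Object { $_.Line } | Select-Object -First 50
```

Read the step 1 output together with step 3: a script file whose LastWrite falls a few seconds after a POST to the upload directory from the same client address is the usual shape of a webshell drop.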

Patch Information

systeminfo (the Hotfix(s) section lists the installed KBs)

Virus Scanning

Antivirus software

D Shield - webshell scanning

Log Analysis

Prerequisite: the logs must still exist. Collect the host event logs, the web server logs and the attack records kept by security devices (WAF, IDS) before they roll over.

System logs: eventvwr.msc; tool: Log Parser

Log location:

%SystemRoot%\System32\Winevt\Logs\

The main logs are Application, Security and System. The default maximum size of each is 20480 KB (20 MB); when a log is full, the oldest events are overwritten, so on a busy server the Security log may cover only a few days.

Event ID

See Appendix 1.

Each successful logon event (4624) carries a logon type that tells you how the account got in:

| Logon type | Name | Meaning |
|---|---|---|
| 2 | Interactive | Logon at the local console. |
| 3 | Network | Access over the network, most commonly to a shared folder or printer (SMB); PsExec, WMI and WinRM also appear as type 3. |
| 4 | Batch | Batch logon, used by scheduled tasks. |
| 5 | Service | A service started by the Service Control Manager. |
| 7 | Unlock | Workstation unlocked (lock screen / screen saver). |
| 8 | NetworkCleartext | Network logon where the password was sent in cleartext, e.g. FTP or IIS basic authentication. |
| 9 | NewCredentials | `runas /netonly`: the caller cloned its token with different credentials for outbound connections. |
| 10 | RemoteInteractive | Terminal Services, Remote Desktop or Remote Assistance. |
| 11 | CachedInteractive | Interactive logon with cached domain credentials (no domain controller reachable). |

Type 10 and type 3 logons from unexpected source addresses are the first filter when looking for lateral movement.
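An added PowerShell example (not from the original notes) that turns the table into triage: it reads 4624/4625 events from the Security log, labels each with the logon type name, summarises remote interactive (type 10) and network (type 3) logons by account and source address, lists the rare type 8/9 logons, and looks for password spraying (one source, many accounts failing). Run it elevated on the host being investigated; the 7-day window and the failure thresholds are assumptions.

```powershell
# Added example, not part of the original notes. Window and thresholds are assumptions.
$logonTypeName = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since } `
          -ErrorAction SilentlyContinue

# Flatten EventData into objects once; everything below is grouping over $logons.
$logons = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Success  = ($e.Id -eq 4624)
        User     = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        Type     = [int]$d['LogonType']
        TypeName = $logonTypeName[[int]$d['LogonType']]
        SourceIp = $d['IpAddress']
        Workst   = $d['WorkstationName']
        AuthPkg  = $d['AuthenticationPackageName']
        Status   = $d['Status']          # 4625 only, e.g. 0xc000006a = wrong password
    }
}

# Drop machine accounts and service logons so the human logons stand out.
$human = $logons | Where-Object { $_.User -notmatch '\$$' -and $_.Type -notin @(0, 5) }

'== Successful RDP (type 10) and network (type 3) logons by account and source =='
$human | Where-Object { $_.Success -and $_.Type -in @(3, 10) } |
    Group-Object User, TypeName, SourceIp | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'First'; e = { ($_.Group | Sort-Object Time)[0].Time } },
        @{ n = 'Last';  e = { ($_.Group | Sort-Object Time)[-1].Time } } |
    Format-Table -AutoSize

'== Cleartext (type 8) and runas /netonly (type 9) logons: rare on a healthy server =='
$human | Where-Object { $_.Success -and $_.Type -in @(8, 9) } |
    Format-Table Time, User, TypeName, SourceIp, AuthPkg -AutoSize

'== Failed logons: a source hitting many distinct accounts looks like spraying =='
$human | Where-Object { -not $_.Success } | Group-Object SourceIp | ForEach-Object {
    $sorted = $_.Group | Sort-Object Time
    [pscustomobject]@{
        SourceIp = $_.Name
        Failures = $_.Count
        Accounts = ($_.Group.User | Sort-Object -Unique).Count
        Window   = '{0:g} .. {1:g}' -f $sorted[0].Time, $sorted[-1].Time
    }
} | Where-Object { $_.Accounts -ge 5 -or $_.Failures -ge 20 } |     # thresholds are assumptions
    Sort-Object Accounts -Descending | Format-Table -AutoSize

# A successful 4624 from a source that appears in the spraying table is the line to chase first.
```

On a domain controller the same approach applies to 4771 (Kerberos pre-authentication failed) and 4768/4769, which is where spraying against domain accounts shows up instead of 4625.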

Web (middleware) logs: log analysis tools, script filtering analysis.

Tools

Antivirus software

http://devbuilds.kaspersky-labs.com/devbuilds/KVRT/latest/full/KVRT.exe

Huorong: https://www.huorong.cn

Weibu Threat Intelligence: https://x.threatbook.cn

DBApp Security Cloud Sandbox: https://sandbox.dbappsecurity.com.cn/

D Shield - webshell scanning: http://www.d99net.net/index.asp

Sangfor webshell detection: http://edr.sangfor.com.cn/backdoor_detection.html

Hippo scanning: http://www.shellpub.com/

thor-lite: https://www.nextron-systems.com/thor-lite/

Memory shell scanning: https://github.com/c0ny1/java-memshell-scanner

Logs

EVTX-ATTACK-SAMPLES: Windows event log samples of attacks, catalogued in this sheet:

https://docs.google.com/spreadsheets/d/12V5T9j6Fi3JSmMpAsMwovnWqRFKzzI9l2iXS5dEsnrs/edit#gid=164587082

Log analysis tool logparser: https://www.microsoft.com/en-us/download/details.aspx?id=24659

LogParser Lizard: http://www.lizard-labs.com/log_parser_lizard.aspx

Event Log Explorer: https://www.majorgeeks.com/files/details/event_log_explorer.html

Win-Logs-Parse-tool: https://github.com/Clayeee/Win-Logs-Parse-tool

360 Star Map (星图): automatically recognises IIS/Apache/Nginx log formats.

Sample IIS log (screenshot not reproduced).

Sample Apache log (screenshot not reproduced).

IOC

References

https://github.com/Lorna-Dane/Blue-Team/tree/8e0e2e9dde536bc3941b56f915165db764d7119e

https://github.com/Blue-number/Security/blob/9ade37050b1f8e164208191545d457d14a1e341d/1earn/Integrated/Windows/Secure-Win.md

Appendix 1 Event ID

| Attack type | Event ID |
|---|---|
| Policy change | 1102: Audit log cleared; 4719: System audit policy modified |
| Account and group enumeration | 4798: A user's local group membership was enumerated; 4799: A security-enabled local group membership was enumerated; 4720: User account created; 4726: User account deleted; 4728: Member added to a security-enabled global group; 4729: Member removed from a security-enabled global group |
| AdminSDHolder | 4780: ACL set on accounts that are members of administrators groups |
| Kekeo | 4624: Account logon; 4672: Special privileges assigned (admin logon); 4768: Kerberos authentication ticket (TGT) requested |
| Silver Ticket | 4624: Account logon; 4634: Account logoff; 4672: Special privileges assigned (admin logon) |
| Golden Ticket | 4624: Account logon; 4672: Special privileges assigned (admin logon) |
| PowerShell | 4104: Script block logging; 4103: Module logging; 400, 403: Engine lifecycle; 600: Provider lifecycle |
| DCShadow | 4742: Computer account changed; 5137: Directory service object created; 5141: Directory service object deleted; 4929: Active Directory replica source naming context removed |
| Skeleton Key | 4673: Privileged service called; 4611: A trusted logon process has been registered with the Local Security Authority; 4688: New process created; 4689: Process exited |
| PyKEK (MS14-068) | 4672: Special privileges assigned (admin logon); 4624: Account logon; 4768: Kerberos authentication ticket (TGT) requested |
| Kerberoasting | 4769: Kerberos service ticket (TGS) requested (look for RC4, ticket encryption type 0x17) |
| S4U2Proxy | 4769: Kerberos service ticket (TGS) requested |
| DCSync | 4662: Operation performed on an object (directory replication rights) |
| Password spraying | 4625: Account logon failed; 4771: Kerberos pre-authentication failed; 4648: Logon attempted with explicit credentials |
| Lateral movement | 4688: New process created; 4689: Process exited; 4624: Account logon succeeded; 4625: Account logon failed |
| NTLM | 4776: NTLM credential validation |
| DNSAdmin (DNS Server log) | 770: DNS server plugin DLL loaded; 541: ServerLevelPluginDll setting changed; 150: DNS server failed to load or initialize the plugin DLL |

Note that 4768 is the TGT (AS) request and 4769 the service ticket (TGS) request, and that script block logging is 4104 while 4103 is module logging.