System Account#
Are there weak passwords on the server (inquiry, tool brute force)
Suspicious accounts
lusrmgr.msc
net user/wmic UserAccount get
Hidden accounts
HKEY_LOCAL_MACHINE/SAM/SAM/Domains/Account/Users/Names/
D Shield account detection
Ports, Processes#
netstat -ano
tasklist | findstr <pid>
netstat -ano | findstr <port>
The Task Manager can view the PID corresponding to the process, and selecting the corresponding process allows you to view the file location.
Process view: msinfo32
Services: services.msc
Huorong Sword, Process Explorer
Process Observation#
- No signature information
- No description information
- Process owner
- Process path
Terminate suspicious processes
taskkill /f /pid <pid>
Startup Items, Scheduled Tasks, Services#
Startup Items#
Startup Folder
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
C:\Users\CurrentUser\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Registry
REG query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
REG query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Runonce
REG query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
REG query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
REG query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
REG query HKLM\Software\Microsoft\Windows\CurrentVersion\RunonceEx
msconfig
Group Policy: gpedit.msc
Scheduled Tasks#
taskschd.msc
Automatic Services#
services.msc
Suspicious Files#
Sort suspicious directories by time
Are there new user directories?
find /var/www/ -name "*.php" |xargs egrep 'assert|phpspy|c99sh|milw0rm|eval|(gunerpress|(base64_decoolcode|spider_bc|shell_exec|passthru|($_\POST[|eval (str_rot13|.chr(|${"_P|eval($_R|file_put_contents(.*$_|base64_decode'
grep -i -r eval($_post /app/website/*
find /app/website/ -type f|xargs grep eval($_post
Temporary files: c:\windows\temp\
Recent files: %UserProfile%\Recent
View access requests to the upload directory within a specific time
findstr /s /m /I “UploadFiles” *.log
Patch Information#
systeminfo
Virus Scanning#
Antivirus software
D Shield - webshell scanning
Log Analysis#
Prerequisite: Logs retained, server logs, attack logs retained by security devices
System logs: eventvwr.msc, tool: log parser
Log location:
%SystemRoot%\System32\Winevt\Logs\
Main logs include application, security, system logs, etc. The default log size is 20484K (20M), and the excess part will overwrite expired logs.
Event ID#
See Appendix 1
Each successful login event will be marked with a login type, and different login types represent different login methods.
Login Type | Description | Explanation |
---|---|---|
2 | Interactive Login | User logs in locally. |
3 | Network | The most common case is connecting to a shared folder or shared printer. |
4 | Batch | Batch (reserved for batch programs) |
5 | Service | Service startup (service login) |
7 | Unlock | Screen saver unlock. |
8 | Network Cleartext | The password logged in is transmitted in clear text over the network, such as FTP, IIS login verification. |
9 | New Credentials | Running a program with the RUNAS command with the /Netonly parameter. |
10 | Remote Interactive | Accessing the computer via terminal services, remote desktop, or remote assistance. |
11 | Cached Interactive | Cached domain certificate login |
Web (middleware) logs: log analysis tools, script filtering analysis
Tools#
Antivirus software
http://devbuilds.kaspersky-labs.com/devbuilds/KVRT/latest/full/KVRT.exe
Huorong: https://www.huorong.cn
Weibu Threat Intelligence: https://x.threatbook.cn
DBApp Security Cloud Sandbox: https://sandbox.dbappsecurity.com.cn/
D Shield - webshell scanning: http://www.d99net.net/index.asp
Sangfor Webshell Detection: http://edr.sangfor.com.cn/backdoor_detection.html
Hippo Scanning: http://www.shellpub.com/
thor-lite: https://www.nextron-systems.com/thor-lite/
Memory Shell Scanning: https://github.com/c0ny1/java-memshell-scanner
Logs#
EVTX-ATTACK-SAMPLES
Windows Events Attack Samples
Log analysis tool logparser: https://www.microsoft.com/en-us/download/details.aspx?id=24659
LogParser Lizard: http://www.lizard-labs.com/log_parser_lizard.aspx
Event Log Explorer: https://www.majorgeeks.com/files/details/event_log_explorer.html
Win-Logs-Parse-tool: https://github.com/Clayeee/Win-Logs-Parse-tool
360 Star Map: Can automatically identify IIS/Apache/Nginx logs
The following image is an IIS log:
The following image is an Apache log:
IOC#
This repository will hold PCAP IOC data related with known malware samples (owner: Bryant Smith)
References#
https://github.com/Lorna-Dane/Blue-Team/tree/8e0e2e9dde536bc3941b56f915165db764d7119e
Appendix 1 Event ID#
Attack Type | Event ID |
---|---|
Policy Change | 1102: Clear audit log 4719: System audit policy modified |
Account and Group Enumeration | 4798: Local user group members enumerated 4799: Security-enabled local group members enumerated 4720: User created 4726: Account deleted 4728: Members added to security-enabled global group 4729: Members removed from security-enabled global group |
AdminSDHolder | 4780: ACL set on accounts belonging to the administrator group |
Kekeo | 4624: Account login 4672: Administrator login 4768: Kerberos TGS request |
Silver Ticket | 4624: Account login 4634: Account logout 4672: Administrator login |
Golden Ticket | 4624: Account login 4672: Administrator login |
PowerShell | 4103: Script block logging 400: Engine lifecycle 403: Engine lifecycle 4103: Module logging 600: Provider lifecycle |
DCShadow | 4742: Computer account changed 5137: Directory service object created 5141: Directory service object deleted 4929: Active Directory replication source naming context deleted |
Skeleton Keys | 4673: Privileged service called 4611: A trusted logon process has been registered with local security authority 4688: New process created 4689: Process exited |
PYKEK MS14-068 | 4672: Administrator login 4624: Account login 4768: Kerberos TGS request |
Kerberoasting | 4769: Kerberos ticket requested |
S4U2Proxy | 4769: Kerberos ticket requested |
DCSync | 4662: Operation performed on object |
Password Spraying | 4625: Account login failed 4771: Kerberos pre-authentication failed 4648: Attempt to log in with explicit credentials |
Lateral Movement | 4688: New process created 4689: Process exited 4624: Successful account login 4625: Account login failed |
NTLM | 4776: NTLM authentication |
DNSAdmin | 770: DNS server plugin DLL loaded 541: Setting serverlevelplugindll on scope to 150: DNS server failed to load or initialize plugin DLL |