Focus on Logs and Files
Do not concentrate on operating system logs alone; the files on the system deserve the same attention, and the investigation should be thorough enough that nothing is overlooked. Many attacker actions leave no trace in the logs, but the tools an attacker uploaded (for example, the fscan scanner) may still be sitting on the filesystem.
Analyze Linux Command History
In Linux systems, the history command can be used to view the user's command execution history. If an attacker has executed commands, this is crucial for identifying the attacker’s behavior patterns. As defenders, it is also necessary to regularly review the ~/.bash_history file to ensure that no sensitive information (such as passwords, keys, etc.) is left behind, and consider periodically cleaning the history. Additionally, the auditd tool can be used to monitor command execution to ensure that each command's execution is traceable.
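The following is an added example, not code from the original article: a small POSIX shell script that reviews a history file for leftover credentials and prints auditd rules that make command execution traceable. The sample history contents and the pattern list are constructed for illustration; note that ~/.bash_history is only written when the shell exits and can be disabled or wiped, which is why the auditd rules matter.

```shell
#!/bin/sh
# Added example, not code from the original article: review a shell history
# file for leftover secrets and emit auditd rules so that future command
# execution stays traceable even if the history file is disabled or wiped.

# Constructed sample of what ~/.bash_history might hold after an intrusion.
SAMPLE_HISTORY='ls -la /tmp
mysql -u root -pS3cretPass -e "show databases"
curl -H "Authorization: Bearer abc123token" http://intranet/api
export DB_PASSWORD=hunter2
./fscan -h 10.0.0.0/24
cd /var/log'

# Print history lines that look like they carry credentials or key material.
# The patterns are an assumed starting set, not an exhaustive list.
flag_sensitive_history() {
    grep -E -i \
        -e 'mysql .*-p[^ ]' \
        -e 'authorization: *bearer' \
        -e '(passw(or)?d|secret|token|api_?key)[[:space:]]*=' \
        -e 'sshpass' \
        -e 'BEGIN (RSA |OPENSSH |EC )?PRIVATE KEY' \
        "$1"
}

# Number of flagged lines, for scripted checks across many home directories.
count_flagged() {
    flag_sensitive_history "$1" | wc -l | tr -d ' '
}

# auditd rules that log every execve() by real login users (auid >= 1000),
# tagged with key cmd_exec. Install under /etc/audit/rules.d/ and reload with
# augenrules --load; query later with: ausearch -k cmd_exec -i
audit_rules_for_exec() {
    cat <<'EOF'
-a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=4294967295 -k cmd_exec
-a always,exit -F arch=b32 -S execve -F auid>=1000 -F auid!=4294967295 -k cmd_exec
EOF
}

main() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_HISTORY" > "$tmp"
    echo "History lines to investigate and scrub:"
    flag_sensitive_history "$tmp"
    echo "auditd rules for traceable command execution:"
    audit_rules_for_exec
    rm -f "$tmp"
}
main
```

Run it against a real file with `flag_sensitive_history /home/<user>/.bash_history` for each account on the host; the audit rules only take effect after auditd reloads them.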
Log Analysis
In addition to operating system logs, Windows users should also review application logs, such as those from Apache, IIS and SQL Server. These logs record more of what the system was doing and help reveal potential security threats.
Trojan Virus Scanning
On Windows systems, antivirus software can be copied onto the host and used to scan for suspected malware. At the same time, tools like D 盾 can be used to scan for Webshells so that malicious code is found and removed.
Organized Thinking
During the emergency response process, keep the reasoning clear and investigate systematically. Analyze the attacker's methods in depth to gradually reconstruct their activity and trace the attack back to its source.
Screen Recording
If necessary, screen recording software can be installed on Windows systems to record the entire response for evidence collection. The recording provides important evidence for later analysis.
Tools
In emergency response, tools matter a great deal, such as process analysis tools and the Everything file search tool. If a report names a malicious IP, the relevant tools can be used to search the host for that IP, which may lead to new discoveries. The IP can then be submitted to threat intelligence platforms to check whether it carries any threat labels, alongside whois queries and reverse domain lookups to see whether any registration or domain information is associated with it.
Timeline
The timing of events is crucial for understanding the context of the incident. Analyzing the timeline makes it easier to reconstruct what happened and to formulate an effective response. It is recommended to use timeline tools to visualize the sequence of events and to combine them with log records so that key time points and related events can be identified quickly.