xfeng

xfeng

健身 技术 阅读 思考 记录
tg_channel
tg_channel
github
bilibili
tg_channel
HomePortfoliosArchivesAbout

Emergency response

#应急响应106
AI Translation
This post is translated from Chinese into English through AI.View Original
AI-generated summary
The article discusses emergency response measures for both Windows and Linux systems. For Windows, it covers file analysis, account security, port processes, and webshell detection. For Linux, it includes file analysis, account security, port processes, historical commands, and environment variables. The article also mentions tools like D盾 and rkhunter for detecting and investigating potential security breaches.

1. Windows Emergency Response#

1.1 File Analysis#

1.1.1 Startup Items#

Check Windows startup menu

C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

image

1.1.2 tmp Temporary Files#

In the Run window, enter %tmp% to directly open the temporary folder

Check for suspicious files (exe, dll, sys) in this folder

image

1.1.3 Browser History#

Use tool

1.1.4 File Properties#

Check the file's creation time, modification time, and access time (disabled by default). By default, the computer displays the modification time.

1.1.5 Recently Opened Files#

In the Run window, enter %UserProfile%\Recent to directly open the recently used files

image

1.2 Account Security#

1.2.1 Suspicious Accounts, New Accounts#

Open the cmd window and enter the command lusrmgr.msc to check for new/suspicious accounts, such as newly added accounts in the Administrators group. If there are any, immediately disable or delete them.

1.2.2 Hidden Accounts, Cloned Accounts#

  • Open the registry and check the corresponding key value for administrators
  • Use D Shield_web scanning tool, which integrates the detection of cloned accounts

1.2.3 Login Logs#

Press Win+R to open Run, enter "eventvwr.msc", and press Enter to open "Event Viewer"

image

  • 4624: Account successfully logged in
  • 4648: Attempt to log in with plaintext credentials
  • 4778: Reconnected to a session on a Windows host
  • 4779: Disconnected from a session on a Windows host

image

1.3 Port Processes#

1.3.1 Ports#

Check the status of port connections for remote connections or suspicious connections

  • netstat -ano to view current network connections and locate suspicious ESTABLISHED connections
  • Use the tasklist command to locate the process based on the PID obtained from netstat

1.3.2 Processes#

Investigate using tools provided by Microsoft, such as Process Explorer

1.3.3 Scheduled Tasks#

image

image

1.4 Webshell Detection#

Common tools: D Shield

2. Linux Emergency Response#

2.1 File Analysis#

/tmp is a special temporary directory file that can be read and written by every user

2.2 Account Security#

User information file /etc/passwd

root:0:0:root:/root:/bin/bash
account:password:UID:GID:GECOS:directory

Username:Password ID ID Description Directory Shell

Note: No password allows only local login, remote login is not allowed

Shadow file /etc/shadow

root:$6$oGs1PqhL2p3ZetrE$X7o7bzoouHQVSEmSgsYN5UD4.kMHx6qgbTqw
NVC5oOAouXvcjQSt.Ft7ql1WpkopY0UV9ajBwUt1DpYxTCVvI/:16809:0:99999:7:::

Username Password Password Change Date Password Change Interval Expiry Warning Days Inactivity Days Expiration Date

Several common commands

who - View current logged-in users (tty for local login, pts for remote login)
w - View system information, to see user behavior at a certain moment
uptime - View how long the system has been running, number of users, and load

Intrusion investigation

  • Query privileged users (UID 0)

    awk -F: '$3==0{print $1}' /etc/passwd

  • Query account information that can be remotely logged in

    awk '/$1|$6/{print $1}' /etc/shadow

  • Except for the root account, check if other accounts have sudo privileges. If not required for administration, ordinary accounts should have sudo privileges removed

    more /etc/sudoers | grep -v "^#|^$" | grep "ALL=(ALL)"

  • Disable or delete redundant and suspicious accounts

    usermod -L user - Disable the account, the account cannot log in, the second column in /etc/shadow starts with !
userdel user - Delete the user account
userdel -r user - Delete the user account and delete the user directory under /home

2.3 Port Processes#

  1. Use the netstat command to analyze suspicious ports, IPs, and PIDs
netstat -antlp | more
  1. Check the file path corresponding to the PID
Run ls -l /proc/$PID/exe or file /proc/$PID/exe ($PID is the corresponding PID number)
  1. Analyze processes using the ps command
ps aux | grep pid

2.4 Command History#

In Linux systems, the previously executed commands are recorded in the /root/.bash_history file by default.

Users can use cat /root/.bash_history to view or use the history command to view.

2.5 Environment Variables#

Environment variables determine which directories the shell searches for commands or programs. The value of PATH is a series of directories.

image

2.6 Backdoor Detection#

Tool: rkhunter

Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.