1. Windows Emergency Response
1.1 File Analysis
1.1.1 Startup Items
Check the Windows startup menu
C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
1.1.2 tmp Temporary Files
In the Run window, enter %tmp% to open the temporary folder directly.
Check whether this folder contains suspicious files (exe, dll, sys).
1.1.3 Browser History
1.1.4 File Properties
Check the file's creation time, modification time, and access time (access-time updates are disabled by default). Explorer displays the modification time by default.
1.1.5 Recently Opened Files
In the Run window, enter %UserProfile%\Recent to open the recently used files directly.
1.2 Account Security
1.2.1 Suspicious Accounts, New Accounts
Open a cmd window and run lusrmgr.msc to check for new or suspicious accounts, such as accounts newly added to the Administrators group. If any are found, disable or delete them immediately.
1.2.2 Hidden Accounts, Cloned Accounts
- Open the Registry Editor and compare the account entries' key values with the administrator's entry
- Use the D Shield web scanning tool, which includes cloned-account detection
1.2.3 Login Logs
Press Win+R to open the Run window, enter "eventvwr.msc", and press Enter to open the Event Viewer. Relevant event IDs:
- 4624: Account successfully logged in
- 4648: Attempted login with plaintext credentials
- 4778: Reconnected to a Windows host session
- 4779: Disconnected from a Windows host session
1.3 Port Processes
1.3.1 Ports
Check the port connections for remote or otherwise suspicious connections.
- Use netstat -ano to list the current network connections and locate suspicious ESTABLISHED connections
- Use the tasklist command to locate the process based on the PID obtained from netstat
1.3.2 Processes
Investigate using tools provided by Microsoft, such as Process Explorer
1.3.3 Scheduled Tasks
1.4 Webshell Detection
Common tools: D Shield
2. Linux Emergency Response
2.1 File Analysis
/tmp is a special temporary directory that every user can read and write.
2.2 Account Security
User information file /etc/passwd
- root:x:0:0:root:/root:/bin/bash
- account:password:UID:GID:GECOS:directory:shell
- Username : Password : User ID : Group ID : User description : Home directory : Shell
Note: An account with no password can only log in locally; remote login is not allowed.
Shadow file /etc/shadow
- root:$6$oGs1PqhL2p3ZetrE$X7o7bzoouHQVSEmSgsYN5UD4.kMHx6qgbTqwNVC5oOAouXvcjQSt.Ft7ql1WpkopY0UV9ajBwUt1DpYxTCVvI/:16809:0:99999:7:::
- Username : Encrypted password : Date of last password change : Password change interval (minimum days) : Password validity period (maximum days) : Password expiry warning days : Grace period after password expiry : Account expiration date : Reserved
Common commands
- who - View currently logged-in users (tty for local login, pts for remote login)
- w - View system information and what each user is doing at this moment
- uptime - View how long the system has been running, the number of users, and the system load
Intrusion investigation
- Query privileged users (UID 0)
awk -F: '$3==0{print $1}' /etc/passwd
- Query accounts that can log in remotely (accounts whose /etc/shadow password field holds a $1$ or $6$ hash)
awk -F: '$2 ~ /^\$(1|6)\$/ {print $1}' /etc/shadow
- Apart from root, check whether other accounts have sudo privileges. Ordinary accounts that do not need them for administration should have sudo privileges removed (grep -E is needed so that | acts as alternation)
grep -Ev "^#|^$" /etc/sudoers | grep "ALL=(ALL)"
- Disable or delete unnecessary and suspicious accounts
usermod -L user - Lock the account so it cannot log in (the second column in /etc/shadow then starts with !)
userdel user - Delete the user account
userdel -r user - Delete the user account together with its home directory under /home
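The three checks above as shell functions, run against constructed sample files so the expected findings are known. This is an added example, not code from the original page; it goes beyond the page's $1/$6 check by also accepting $5$ (SHA-256) and $y$ (yescrypt) hashes, and the sample hash bodies are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): the account checks from
# section 2.2 as functions, run against constructed sample files so the
# expected results are known. Point report at a directory holding
# passwd/shadow/sudoers (e.g. /etc, or files copied off a host) for real use.

# Accounts with UID 0. Anything here other than root deserves a close look.
uid0_accounts() { awk -F: '$3 == 0 { print $1 }' "$1"; }
# UID 0 accounts that are not root, i.e. the suspicious ones.
suspicious_uid0() { uid0_accounts "$1" | grep -v '^root$'; }
# Accounts whose shadow entry holds a usable hash ($1$ MD5, $5$ SHA-256,
# $6$ SHA-512, $y$ yescrypt); goes beyond the page's $1/$6 check. Fields
# starting with ! or *, or left empty, cannot be used for password login.
password_accounts() { awk -F: '$2 ~ /^\$(1|5|6|y)\$/ { print $1 }' "$1"; }
# sudoers entries granting ALL=(ALL) or ALL=(ALL:ALL), comments and blank
# lines dropped. grep -E is required: in basic grep the | is a literal bar.
sudo_all_entries() { grep -Ev '^#|^$' "$1" | grep -E 'ALL=\(ALL(:ALL)?\)'; }

# Constructed sample data; the hash bodies are placeholders, not real hashes.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup2:x:0:0::/tmp:/bin/bash
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$6$saltsalt$PLACEHOLDERHASH:16809:0:99999:7:::
daemon:*:16809:0:99999:7:::
alice:!$6$saltsalt$PLACEHOLDERHASH:16809:0:99999:7:::
backup2:$1$saltsalt$PLACEHOLDERHASH:16809:0:99999:7:::
EOF
cat > "$SAMPLE_DIR/sudoers" <<'EOF'
# This file MUST be edited with the 'visudo' command as root.
Defaults env_reset

root    ALL=(ALL:ALL) ALL
alice   ALL=(ALL) NOPASSWD: ALL
%sudo   ALL=(ALL:ALL) ALL
EOF

# Print the findings; uses the sample directory unless one is given as $1.
report() {
    local dir=${1:-$SAMPLE_DIR}
    echo "== UID 0 accounts other than root =="; suspicious_uid0 "$dir/passwd"
    echo "== accounts with a usable password hash =="; password_accounts "$dir/shadow"
    echo "== sudoers entries granting ALL=(ALL) =="; sudo_all_entries "$dir/sudoers"
}
report "$@"
```

On the sample data the report flags backup2 (a second UID 0 account), root and backup2 as the only accounts with usable hashes (alice is locked with !), and three sudoers grants, one of them NOPASSWD.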
2.3 Port Processes
- Use the netstat command to analyze suspicious ports, IPs, and PIDs
netstat -antlp | more
- Check the file path corresponding to the PID
Run ls -l /proc/$PID/exe or file /proc/$PID/exe ($PID is the PID in question)
- Analyze the process using the ps command
ps aux | grep $PID
2.4 Command History
In Linux, previously executed commands are recorded by default in the user's .bash_history file (for root, /root/.bash_history).
View it with cat /root/.bash_history or with the history command.
2.5 Environment Variables
Environment variables determine which directories the shell searches for commands and programs. The value of PATH is a colon-separated list of directories.
2.6 Backdoor Detection
Tool: rkhunter