Emergency Response Overview#
When a company experiences a security incident that affects normal business operations, such as a hacker intrusion or system crash, immediate action is required to restore the company's network information system to normal operation in the shortest time possible. This includes further investigation into the source of the intrusion, reconstructing the incident process, and providing solutions and preventive measures to mitigate or reduce economic losses for the company.
Common classifications of emergency response incidents include:
Web intrusions: website defacement, homepage tampering, Webshell
System intrusions: viruses, Trojans, ransomware, remote control backdoors
Network attacks: DDoS attacks, DNS hijacking, ARP spoofing
Basic Information Gathering#
This part of basic information gathering can be achieved using Windows built-in commands or tools. It includes system information gathering, network information gathering, process information gathering, user information gathering, and historical traffic gathering.
System Information Gathering#
There are two ways to obtain relevant system information. The first method applies to older versions of Windows, where you can use winmsd to gather information. The specific operation is as follows:
Start -> Run -> winmsd
Click on Software Environment -> System Drivers to view the currently loaded drivers
Click on Software Environment -> Running Tasks to view the currently running processes
Click on Software Environment -> Loaded Modules to view the DLL files loaded by the program
However, this functionality has been removed in newer versions, such as Windows Server 2008, so the second method is introduced below.
The second method is command-line output. Enter systeminfo in the cmd command line; the patch information marked in red in the image below shows which updates are installed, from which potential vulnerabilities in the system can be inferred.
Unlike the first method, however, it does not list loaded processes, DLL files, drivers, and so on; this information can be obtained with other tools. From Windows Server 2008 onward, Windows includes Resource Monitor, which can be opened in two ways:
1. Run -> resmon
2. Task Manager -> Performance -> Resource Monitor
Here you can look up which DLL files a given exe has loaded.
Network Information Gathering#
In Windows, enter ipconfig in the cmd command line to first confirm the current IP address allocation of the network card.
Then you can further confirm the network connection status by entering netstat -ano in the cmd command line to obtain the status of network process connections and check for any suspicious process network connection information.
Various States of netstat#
CLOSED
Initial (no connection) state.
LISTEN
Listening state, waiting for connection requests from remote machines.
SYN_SEND
During the TCP three-way handshake, after the active connection side sends the SYN packet, it enters the SYN_SEND state, waiting for the ACK packet from the other side.
SYN_RECV
During the TCP three-way handshake, after the passive (listening) connection side receives the SYN packet, it enters the SYN_RECV state.
ESTABLISHED
After completing the TCP three-way handshake, both sides enter the ESTABLISHED state. At this point, the TCP connection has been established and communication can occur.
FIN_WAIT_1
During the TCP four-way handshake, after the active closing side sends the FIN packet, it enters the FIN_WAIT_1 state.
FIN_WAIT_2
During the TCP four-way handshake, after the active closing side receives the ACK packet, it enters the FIN_WAIT_2 state.
TIME_WAIT
During the TCP four-way handshake, after the active closing side sends the ACK packet, it enters the TIME_WAIT state, waiting for a maximum of MSL time for the passive closing side to receive the ACK packet.
CLOSING
During the TCP four-way handshake, after the active closing side sends the FIN packet and does not receive the corresponding ACK packet, but receives the other side's FIN packet, it enters the CLOSING state.
CLOSE_WAIT
During the TCP four-way handshake, after the passive closing side receives the FIN packet, it enters the CLOSE_WAIT state.
LAST_ACK
During the TCP four-way handshake, after the passive closing side sends the FIN packet, it enters the LAST_ACK state, waiting for the ACK packet from the other side.
Summary#
Possible states for the active connection side include: CLOSED, SYN_SEND, ESTABLISHED.
Possible states for the passive connection side include: LISTEN, SYN_RECV, ESTABLISHED.
Possible states for the active closing side include: FIN_WAIT_1, FIN_WAIT_2, TIME_WAIT.
Possible states for the passive closing side include: CLOSE_WAIT, LAST_ACK, CLOSED.
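As an added example (not from the original article), the following Python script parses saved netstat -ano output and applies the state reasoning above to flag entries worth looking up in Resource Monitor: established connections to routable addresses, listeners outside an assumed baseline of expected ports, and a burst of half-open outbound connections from one PID. The sample rows, the expected-port set and the threshold are constructed assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample of `netstat -ano` rows (not a real capture; header line omitted). Windows
# prints LISTENING, SYN_SENT and SYN_RECEIVED for the LISTEN, SYN_SEND and SYN_RECV states above.
SAMPLE_NETSTAT = """
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       3180
  TCP    192.168.1.10:445       192.168.1.55:49211     ESTABLISHED     4
  TCP    192.168.1.10:49732     203.0.113.7:443        ESTABLISHED     3180
  TCP    192.168.1.10:49800     198.51.100.1:445       SYN_SENT        3180
  TCP    192.168.1.10:49801     198.51.100.2:445       SYN_SENT        3180
  TCP    192.168.1.10:49802     198.51.100.3:445       SYN_SENT        3180
  UDP    0.0.0.0:500            *:*                                    1024
"""
EXPECTED_LISTEN_PORTS = {135, 139, 445, 3389}   # assumed baseline of ports this host should serve
PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z][A-Z_0-9]*)\s+)?(\d+)\s*$")

def parse_netstat(text):
    """Parse netstat -ano output into dicts; header and blank lines do not match and are skipped."""
    rows = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        proto, local, foreign, state, pid = m.groups()
        fhost, fport = foreign.rsplit(":", 1)       # rsplit keeps [IPv6] addresses intact
        rows.append({"proto": proto, "lport": int(local.rsplit(":", 1)[1]), "fhost": fhost,
                     "fport": fport, "state": state or "", "pid": int(pid)})
    return rows

def is_internal(host):
    # Loopback, link-local, RFC 1918 and wildcard peers are internal; anything routable is external.
    try:
        addr = ip_address(host.strip("[]"))
    except ValueError:                              # "*" or a hostname
        return True
    return addr.is_loopback or addr.is_link_local or any(addr in n for n in PRIVATE_NETS)

def triage(rows, syn_sent_threshold=3):
    """Return (pid, reason, detail) tuples to look up in Resource Monitor or Task Manager."""
    by_pid = {}
    for r in rows:
        by_pid.setdefault(r["pid"], []).append(r)
    findings = []
    for pid, conns in sorted(by_pid.items()):
        for r in conns:
            if r["state"] == "ESTABLISHED" and not is_internal(r["fhost"]):
                findings.append((pid, "external-established", f'{r["fhost"]}:{r["fport"]}'))
            elif r["state"] == "LISTENING" and r["lport"] not in EXPECTED_LISTEN_PORTS:
                findings.append((pid, "unexpected-listener", str(r["lport"])))
        # The active side stays in SYN_SENT until the peer answers; a burst from one PID means
        # the process keeps opening connections nobody completes (scanning or worm-like behaviour).
        n_syn = sum(1 for r in conns if r["state"] == "SYN_SENT")
        if n_syn >= syn_sent_threshold:
            findings.append((pid, "syn-sent-burst", str(n_syn)))
    return findings
```

On a live host, pipe `netstat -ano` into a file and pass its contents to `parse_netstat`; the PIDs in the findings are the ones to match against the process list.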
User Information Gathering#
In Windows, enter net user in the cmd command line to confirm the current operating system's user information and check for any suspicious accounts.
You can then go a step further by entering net user xx (where xx is the account name) to confirm which Windows groups that account belongs to.
Windows comes with Resource Monitor, which can filter relevant information about the current processes. This step is particularly useful in cases of mining or when a compromised machine is used to launch DoS attacks. (Not available on Windows Server 2003.)
Detailed Information Gathering#
Startup Information Collection#
This involves a tool called Autoruns. Since most malware carries no descriptive information, you can pick out some of the simpler backdoor programs or malicious code by checking the Publisher and Description fields (entries with neither deserve a closer look):
By selecting the Hide Microsoft and Windows Entries option in the Options menu, Autoruns can automatically filter out some safe startup items:
Behavior Information Collection#
Viruses often access sensitive files, modify the registry, load modules, and exhibit other abnormal behaviors. Therefore, we can use auxiliary monitoring software to observe the behavior of malicious programs.
Procmon will display the process's behavior towards files and the results in real-time, as shown in the image below:
This tool will clearly show what operations the process has performed on certain files. If you need to monitor or filter specific processes, you can press the shortcut key ctrl+L and enter the specified process name to filter the results:
Process Information Collection#
Network Behavior Collection#
TcpView can dynamically display the current network connection status, but this tool has a drawback: it cannot display UDP traffic.
User Information Collection#
Open the Start menu, choose Run, enter compmgmt.msc, then select "System Tools" - "Local Users and Groups" to view all local user and group information (including hidden users with usernames ending in $, such as admin$), or use LP_Check to check for shadow accounts.
Generally, if a system account has been created and used for operations, even if the account is deleted using Computer Management or the net command, some account information will still remain in the system, which can be used to analyze the account's related behavior.
If the user account was deleted only through the net command or user management program, the user's directory will still remain in the system, and some files in the directory will record certain specific behaviors of the user for tracking purposes. These files are:
(taking the example of the system installed on drive C and the malicious username as cracker)
C:\Documents and Settings\cracker\Desktop
The user's desktop, which may contain some temporary or downloaded files
C:\Documents and Settings\cracker\Cookies
The user's web access activity; the cookie files may record some sensitive information
C:\Documents and Settings\cracker\Recent
Files or folders recently accessed by the user
C:\Documents and Settings\cracker\Local Settings\History
The user's internet browsing history
C:\Documents and Settings\cracker\Local Settings\Temp
Some program installations, decompressions, etc., may generate temporary files in this directory
C:\Documents and Settings\cracker\Local Settings\Temporary Internet Files
Temporary files generated while browsing the internet, which not only store webpage content but may also hold downloaded files in temporary-file form.
If security log auditing was enabled, then even after the account is deleted, the operations involving that account remain in the audit log, recorded against the account's SID value.
Windows Log Analysis#
Windows log files are divided into three major categories, plus a fourth added after Server 2003:
Application logs
Security logs
System logs
Setup logs (added after Server 2003)
Before Server 2003 these logs were stored in the %systemroot%\system32\config directory in evt file format (where %SystemRoot% is a system environment variable, defaulting to C:\WINDOWS). After Server 2003, the storage location is the %systemroot%\System32\winevt\Logs directory.
Click "Start → Settings → Control Panel → Administrative Tools → Event Viewer," and the left pane of the Event Viewer window lists the types of logs contained in the local machine, such as Application, Security, System, etc.
Notes:
The three core log files built into the system (System, Security, and Application) have a default size of 2048KB (20MB). When the recorded event data exceeds 20MB, the system will prioritize overwriting expired log records.
Other application and service logs have a default maximum size of 1024KB, and exceeding the maximum limit will also prioritize overwriting expired log records.
There are five event types in Windows event logs; every event has exactly one of them. The five event types are:
1. Information
Information events refer to successful operations of applications, drivers, or services.
2. Warning
Warning events refer to issues that are not direct or primary but may lead to future problems. For example, when disk space is low or a printer is not found, a "warning" event will be recorded.
3. Error
Error events refer to significant issues that users should be aware of. Error events usually indicate loss of functionality and data. For example, if a service cannot be loaded as part of system boot, it will generate an error event.
4. Success Audit
Successful audit of security access attempts, mainly referring to security logs, which record events such as user logins/logouts, object access, privilege usage, account management, policy changes, detailed tracking, directory service access, account logins, etc. For example, all successful logins to the system will be recorded as "Success Audit" events.
5. Failure Audit
Failed audit of security login attempts, for example, if a user attempts to access a network drive unsuccessfully, that attempt will be recorded as a failure audit event.
Application Logs#
Application logs contain events related to application software installed on the operating system. Events include errors, warnings, and any information that applications need to report. Application developers decide which information to log, and can then use these logs to determine which programs are running incorrectly and the nature of the errors:
For instance, when using an MSI package to install software, if there is an MSI error, it will trigger the application log of MsiInstaller:
Security Logs#
Security logs contain events related to security, such as changes in user permissions, logins and logouts, file and folder access, printing, and other information. The following image shows a comparison table of related events.
From the logs, detailed login information can be seen: login time, user, source network address, etc. If there is a large number of login failures, and the login type is 3, it likely indicates that a user is attempting remote password cracking, which should be treated with caution.
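The following Python, added here and not part of the original article, applies that rule to exported Security-log records: it counts failed logons (event 4625) with logon type 3 per source address inside a sliding time window and notes whether a successful type-3 logon (event 4624) from the same address followed the failures. The record layout and the sample events are constructed assumptions; the event IDs and the meaning of logon type 3 (network logon) are standard Windows values.

```python
from datetime import datetime, timedelta

# Constructed Security-log records (not real data), in the shape one gets when exporting
# Event Viewer entries: 4625 = failed logon, 4624 = successful logon, logon type 3 = network.
BASE = datetime(2024, 1, 15, 2, 0, 0)

def ev(minutes, event_id, user, logon_type, ip):
    return {"time": BASE + timedelta(minutes=minutes), "event_id": event_id,
            "user": user, "logon_type": logon_type, "source_ip": ip}

USERS = ["administrator", "backup", "sqlsvc", "test"]
SAMPLE_EVENTS = (
    [ev(i * 0.25, 4625, USERS[i % 4], 3, "203.0.113.9") for i in range(12)]   # 12 failures in 3 min
    + [ev(4, 4624, "backup", 3, "203.0.113.9")]                                # then one success
    + [ev(30, 4625, "alice", 2, "127.0.0.1"), ev(31, 4625, "alice", 3, "192.168.1.20")]  # benign typos
)

def detect_remote_guessing(events, window=timedelta(minutes=5), threshold=10):
    """Flag source IPs with >= threshold network-logon failures inside any `window`.

    Returns {ip: {"max_failures_in_window", "users", "success_after_failures"}}; the last
    field is True when a type-3 logon from the same IP succeeded after the run of failures.
    """
    fails = {}
    for e in sorted(events, key=lambda e: e["time"]):
        if e["event_id"] == 4625 and e["logon_type"] == 3:
            fails.setdefault(e["source_ip"], []).append(e)
    findings = {}
    for ip, evs in fails.items():
        best = start = 0
        for end in range(len(evs)):                # sliding window over time-sorted failures
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            best = max(best, end - start + 1)
        if best < threshold:
            continue
        last_fail = evs[-1]["time"]
        success = any(e["event_id"] == 4624 and e["logon_type"] == 3 and e["source_ip"] == ip
                      and e["time"] >= last_fail for e in events)
        findings[ip] = {"max_failures_in_window": best,
                        "users": sorted({e["user"] for e in evs}),
                        "success_after_failures": success}
    return findings
```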
Additionally, by default Windows keeps no separate system startup log or dedicated recording program, so the state of the system must be inferred from certain services, of which the event log service is the best reference point: the startup and shutdown of the event log service mark the startup and shutdown of the Windows system. The system log covers system processes, device and disk activity, etc. Its events record behaviors such as device drivers failing to start or stop, hardware failures, duplicate IP addresses, and the starting, stopping, and pausing of system processes.
If a large number of IP address conflict logs suddenly appear in the system, it may indicate the presence of ARP spoofing attacks.
System Logs#
Setup Logs#
This log records some patch installation logs. Some malicious users may use Windows Update to install patches after exploiting vulnerabilities to prevent other users from intruding. Thus, relevant logs will remain in the system:
Common Tools#
Huorong Sword#
Huorong Sword is quite useful, and many key points mentioned in previous content are covered by this tool. Here are some simple functions:
1. System process monitoring
2. Startup items
3. Network monitoring
PcHunter#
PcHunter is similar to Huorong Sword, but the UI is much less appealing:
The tool marks suspicious items in red, and it has good support for kernel hooks and application layer hooks, each having its strengths.
PowerTool#
Some viruses detect Huorong Sword and PcHunter, so here I recommend a tool called PowerTool, which starts its checks from the kernel and has functions similar to Huorong Sword and PcHunter.
Virus Analysis#
PCHunter: http://www.xuetr.com
Huorong Sword: https://www.huorong.cn
Process Explorer: https://docs.microsoft.com/zh-cn/sysinternals/downloads/process-explorer
Process Hacker: https://processhacker.sourceforge.io/downloads.php
Autoruns: https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
Autoruns (current link): https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
OTL: https://www.bleepingcomputer.com/download/otl/ (invalid link)
Kaspersky: http://devbuilds.kaspersky-labs.com/devbuilds/KVRT/latest/fullKVRT.exe
(Recommended: portable version, latest virus database)
Dr.Web: http://free.drweb.ru/download+cureit+free
(Recommended: fast scanning, can only be used for one week after one download, updates virus database)
Huorong Security Software: https://www.huorong.cn
360 Antivirus: http://sd.360.cn/download_center.html
Virus Dynamics#
CVERC - National Computer Virus Emergency Response Center: http://www.cverc.org.cn
Weibu Online Threat Intelligence Community: https://x.threatbook.cn
Huorong Security Forum: http://bbs.huorong.cn/forum-59-1.html
Aidu Ba Community: http://bbs.duba.net
Webshell Removal#
D Shield_Web Removal: http://www.d99net.net/index.asp
Hippo Webshell Removal: http://www.shellpub.com
Sangfor Webshell Backdoor Detection Tool: http://edr.sangfor.com.cn/backdoor_detection.html
Safe3: http://www.uusec.com/webshell.zip (invalid link)
Safe3 (alternative): https://sourceforge.net/projects/safe3wvs/