Preface

Incident response service (IRS) is what an enterprise needs when a security event such as a virus outbreak, a network attack, or a hacker intrusion hits its systems, causing service interruption, system or network breakdown, data loss, or reputational damage, and so has a direct or indirect negative impact on the organization and its operations. The event must be handled as quickly as possible so that the enterprise's systems return to normal operation in the shortest time. At the same time the cause of the intrusion is analyzed, the course of the intrusion is reconstructed, the business loss is assessed, evidence is collected and the attacker is traced, and remediation and preventive measures are proposed to reduce the damage the attacker can cause. This article focuses on the investigation approach after a Windows host has been compromised.

Windows intrusion investigation tool: Huorong Sword (火绒剑, HRSword; rendered as "Tinder sword" in machine translations)


0x01 Analyzing the Intrusion Process

Attackers break into a Windows system through weak passwords, system vulnerabilities or service vulnerabilities to obtain an ordinary user's privileges, and then escalate privileges, create startup items, modify the registry, and implant viruses and Trojans in order to keep control of the target host. Each of these steps leaves abnormalities in the operating system: in network accounts, ports, processes, startup items, services, scheduled tasks, and the file system. From those abnormalities the operations staff can answer where the attacker came in, how the intrusion was carried out, and what the attacker did after getting in, and can then give concrete recommendations for hardening and protecting the system.

Brute force: services such as RDP, SSH, Telnet, MySQL and FTP can be brute-forced with tools such as the Super Weak Password Checker (超级弱口令检查工具) or hydra.

Vulnerability exploitation: attacks through system and service vulnerabilities, such as EternalBlue (MS17-010) or unauthenticated access to Redis.

Traffic attacks: DoS attacks against the target machine that cause the server to go down.

Trojan control: mainly divided into webshells and PC Trojans. A webshell lives inside a web application, while a PC Trojan is implanted into the operating system. In both cases the goal is persistent control of the host.

Virus infection: mainly cryptominers, worms and ransomware. An implanted virus usually disrupts the normal operation of the infected computer, or silently turns it into a controlled bot, steals data, or serves other purposes such as redirecting users without their consent.

0x02 Intrusion Detection Method

1. Check the system account security

Attackers usually start with user passwords on Windows. First they brute-force the passwords of default accounts such as Administrator and Guest through the RDP service; if that yields nothing, they fix one password and spray it across many user accounts (password spraying). With a bit of luck they log straight into an administrator account. Once system privileges are obtained, maintaining them is the next step, and creating a new administrative account is a convenient way to make later logins easy. To increase stealth, that account is often a shadow (hidden) account. Accordingly, when auditing system accounts, focus on weak passwords, suspicious accounts and hidden accounts.

(1) Check the weak password of the server

Inspection Method:

Try a brute-force check with a weak-password list against the exposed services, or ask the administrator directly.

(2) Check suspicious accounts and new accounts

Inspection Method:

1. Open Run (Win+R) and enter lusrmgr.msc. 2. Check whether any suspicious accounts exist, especially newly created accounts in the Administrators group.

(3) Check hidden accounts

Check Method 1:

Inspect the SAM keys in the registry. 1. Open Run (Win+R) and enter regedit to open the Registry Editor. 2. Navigate to HKEY_LOCAL_MACHINE\SAM\SAM, right-click it and open Permissions. 3. Select the current user (usually Administrator), grant Full Control, confirm, and then close and reopen the Registry Editor. 4. Navigate to HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names; every account on the system appears as a subkey under Names. 5. Compare this list with the local users shown in lusrmgr.msc: an account that exists under Names but is not shown among the local users is a hidden account. Once you have confirmed it is not a legitimate system account, it can be deleted. Note that by default only SYSTEM can read HKLM\SAM, which is why the permission change in step 3 is needed.

Check Method 2:

Use the D Shield (D盾) web scanner, which includes detection of cloned and hidden accounts.

(4) Check whether the user is abnormal based on the logs

Check Method 1:

1. Open Run (Win+R) and enter eventvwr.msc. 2. In Event Viewer, analyze the logon events in the Security log (successful logons are event 4624, failed logons 4625, account creation 4720).

Check Method 2:

Use LogFusion to view logs
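The account checks in (1) to (4) above can be run in a single pass from an elevated PowerShell. The script below is an added example and is not part of the original article. It assumes Windows 8 / Server 2012 or later (for Get-LocalUser and Get-WinEvent), a seven-day lookback window, and that logon auditing is enabled in the Security log. The comparison against the SAM registry key only works when PowerShell runs as SYSTEM (for example via psexec -s), because HKLM\SAM is not readable by administrators by default.

```powershell
# Added example: local account and logon audit for a suspected intrusion.
# Assumptions: Windows 8 / Server 2012 or later; elevated PowerShell;
# $days is the investigation window and should be adjusted to the incident.
$days  = 7
$since = (Get-Date).AddDays(-$days)

Write-Host "== Local accounts =="
Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet, SID |
    Format-Table -AutoSize

Write-Host "== Members of the local Administrators group =="
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

# Names ending in '$' are not shown by `net user`: a classic shadow-account trick.
$dollar = Get-LocalUser | Where-Object { $_.Name -like '*$' }
if ($dollar) { Write-Warning "Accounts ending in '`$': $($dollar.Name -join ', ')" }

# Accounts that exist under the SAM Names key but are not returned by Get-LocalUser
# are hidden/cloned accounts. Reading HKLM\SAM requires running as SYSTEM.
$samNames = 'HKLM:\SAM\SAM\Domains\Account\Users\Names'
if (Test-Path $samNames) {
    $inSam   = (Get-ChildItem -Path $samNames).PSChildName
    $visible = (Get-LocalUser).Name
    $hidden  = $inSam | Where-Object { $_ -notin $visible }
    if ($hidden) { Write-Warning "Accounts present only in SAM: $($hidden -join ', ')" }
} else {
    Write-Host "HKLM\SAM not readable (run as SYSTEM for the hidden-account check)"
}

# Helper: pull the named EventData fields of a Security event into a hashtable.
function Get-EventFields($event) {
    $h = @{}
    foreach ($d in ([xml]$event.ToXml()).Event.EventData.Data) {
        if ($d.Name) { $h[$d.Name] = $d.'#text' }
    }
    return $h
}

Write-Host "== Accounts created/deleted and local group changes (last $days days) =="
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4726, 4732, 4733; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; Target = $f['TargetUserName']; MemberSid = $f['MemberSid']; By = $f['SubjectUserName'] }
    } | Format-Table -AutoSize

Write-Host "== Failed logons (4625) grouped by source IP: brute-force indicator =="
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object { $f = Get-EventFields $_; [pscustomobject]@{ Ip = $f['IpAddress']; User = $f['TargetUserName'] } } |
    Group-Object Ip | Sort-Object Count -Descending | Select-Object -First 10 |
    Select-Object Count, @{ n = 'SourceIp'; e = { $_.Name } },
                  @{ n = 'UsersTried'; e = { ($_.Group.User | Select-Object -Unique) -join ',' } } |
    Format-Table -AutoSize

Write-Host "== Successful RDP logons (4624 with logon type 10) =="
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        if ($f['LogonType'] -eq '10') {
            [pscustomobject]@{ Time = $_.TimeCreated; User = $f['TargetUserName']; SourceIp = $f['IpAddress'] }
        }
    } | Format-Table -AutoSize
```

A high count of 4625 events from one source IP against many user names is the password-spraying pattern described above; a 4720 followed by a 4732 into Administrators within the incident window is the attacker's new admin account.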

2. Check abnormal ports and processes

Ports are the windows through which a computer exchanges data with the outside world, and to an attacker they are just as important: after compromising a system, an attacker can open a port of their own to reach the victim host again, or a planted miner or backdoor will open connections outbound. Anyone familiar with Windows knows that the set of normally used ports is small, so inspecting unexpected ports tells you whether the host has a backdoor or a mining payload. Then use the PID that owns the port to find the corresponding process and its program file, and decide whether that program is malicious.

(1) Check suspicious ports

Check Method 1:

1. Run netstat to list current network connections and locate suspicious ESTABLISHED and LISTENING entries, noting the PID in the last column:

netstat -ano

2. Use tasklist to identify the process behind a PID (replace 1234 with the PID from netstat):

tasklist /FI "PID eq 1234"

Check Method 2:

You can also view ports with the D Shield (D盾) web scanner.

(2) Check suspicious processes

Check Method 1:

1. Open Run (Win+R) and enter msinfo32 to open System Information. 2. Click "Software Environment" > "Running Tasks" and review each process's details: path, process ID, file creation date, start time, and so on.

Check Method 2:

Open the process view of the D Shield (D盾) web scanner and check processes that have no signature information.

Inspection Method 3:

Use Process Explorer from Microsoft Sysinternals.

View each suspicious process and its child processes. Focus on the following:

1. Processes with no signature verification information. 2. Processes with no description. 3. The process owner. 4. The process's path and command line.
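The port-to-process mapping and the signature/description checks above can be combined in one script. The following is an added example, not code from the original article; it assumes an elevated PowerShell on Windows 8 / Server 2012 or later (Get-NetTCPConnection), and the "user-writable directory" pattern is a heuristic of my own, not a rule from the page.

```powershell
# Added example: map listening/established TCP connections to their owning
# processes and flag the ones an investigator should look at first.
# Assumptions: elevated PowerShell, Windows 8 / Server 2012 or later.

# Index all processes by PID once; Win32_Process also gives command line and parent PID.
$procs = @{}
Get-CimInstance -ClassName Win32_Process | ForEach-Object { $procs[[int]$_.ProcessId] = $_ }

function Get-SignatureState([string]$Path) {
    # PID 4 (System) and some protected processes expose no path; those show as 'NoPath'.
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return 'NoPath' }
    return (Get-AuthenticodeSignature -FilePath $Path).Status.ToString()
}

$report = Get-NetTCPConnection -State Listen, Established | ForEach-Object {
    $p      = $procs[[int]$_.OwningProcess]
    $path   = if ($p) { $p.ExecutablePath } else { $null }
    $parent = if ($p -and $procs.ContainsKey([int]$p.ParentProcessId)) { $procs[[int]$p.ParentProcessId].Name } else { '?' }
    [pscustomobject]@{
        State     = $_.State
        Local     = "$($_.LocalAddress):$($_.LocalPort)"
        Remote    = "$($_.RemoteAddress):$($_.RemotePort)"
        PID       = $_.OwningProcess
        Name      = if ($p) { $p.Name } else { '?' }
        Parent    = $parent
        Path      = $path
        Signature = Get-SignatureState $path
        # Heuristic (assumption): payloads are usually dropped in per-user or world-writable directories.
        UserDir   = [bool]($path -match '\\(Temp|AppData|ProgramData|Public|Downloads|Recycle)')
        CmdLine   = if ($p) { $p.CommandLine } else { $null }
    }
}

Write-Host "== All listening/established TCP connections (netstat -ano joined with tasklist) =="
$report | Sort-Object PID | Format-Table State, Local, Remote, PID, Name, Signature -AutoSize

Write-Host "== Flagged: unsigned binary, no path, or running from a user-writable directory =="
$report | Where-Object { $_.PID -ne 4 -and ($_.Signature -ne 'Valid' -or $_.UserDir) } |
    Format-List PID, Name, Parent, Path, Signature, Local, Remote, CmdLine
```

The parent process is included because a shell spawned by w3wp.exe, or a PowerShell launched by a scheduled task, is far more telling than the process name alone; the flagged list is a review list, not a verdict, since in-house software is often unsigned.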

3. Check startup items, scheduled tasks, and services

Startup items, scheduled tasks, and services are the common ways attackers maintain access. After compromising a Windows computer, an attacker can modify the registry, replace the sticky-keys program (sethc.exe) so that a shell can be obtained at the logon screen, and set up scheduled tasks. Scheduled-task backdoors come in two flavours, administrator and ordinary user: an administrator can create more kinds of tasks, such as ones that run after a reboot. A backdoor service can also be created from Meterpreter.

(1) Check abnormal startup items

Check Method 1:

Click "Start" > "All Programs" > "Startup". This folder is empty by default; check whether it contains any programs that are not business software.

Check Method 2:

Open Run (Win+R) and enter msconfig, then check whether any startup entry has an abnormal name. If so, uncheck it and delete the file at the path shown in the Command column. On Windows 8 and later the msconfig Startup tab only redirects to the Startup tab of Task Manager, so look there instead.

Inspection Method 3:

Open Run (Win+R), enter regedit to open the Registry Editor, and check whether the startup entries are normal. Pay special attention to the following three keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

Check the values in the right pane for abnormal entries and delete them if found. It is also advisable to run antivirus software afterwards to remove any remaining virus or Trojan files.

Inspection Method 4:

Use security software to view startup items and manage startup time.

Inspection Method 5:

Open Run (Win+R) and enter gpedit.msc to review Group Policy, in particular the startup, shutdown, logon and logoff scripts.

(2) Check scheduled tasks

Check Method 1:

Open Run (Win+R) and enter control to open the Control Panel; the scheduled tasks can be reviewed from there.

Check Method 2:

Check for sessions or scheduled tasks between this computer and other computers on the network, and if any exist confirm whether they are legitimate. On Windows 7 and earlier, scheduled tasks created by attackers are typically made with the at command; on Windows 8 and later the at command is gone and schtasks is used (schtasks is also available on the older versions).

On Windows Server 2016, run schtasks

On Windows 7, run at

Inspection Method 3:

Use security software to view scheduled tasks.

(3) The investigation service starts automatically

Inspection Method:

1. Open Run (Win+R) and enter services.msc. 2. Note each service's status and startup type and check whether any abnormal services exist.
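The startup-item, scheduled-task and service checks in (1) to (3) above, plus the sticky-keys backdoor mentioned at the start of this section, can be dumped in one pass. The script below is an added example and not code from the original article; it assumes an elevated PowerShell on Windows 8 / Server 2012 or later, and it only reports, it deletes nothing.

```powershell
# Added example: enumerate common Windows persistence locations.
# Assumptions: elevated PowerShell, Windows 8 / Server 2012 or later.

Write-Host "== Run / RunOnce keys (including the 32-bit view on 64-bit Windows) =="
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
)
$runKeys | Where-Object { Test-Path $_ } | ForEach-Object {
    $key = $_
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
        ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value } }
} | Format-Table -AutoSize

Write-Host "== Startup folders (empty on a clean install) =="
$startupDirs = @("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
                 "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup")
Get-ChildItem -Path $startupDirs -Force -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime | Format-Table -AutoSize

Write-Host "== Scheduled tasks outside the \Microsoft\ folder (at and schtasks both create tasks here) =="
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
    $info = $_ | Get-ScheduledTaskInfo
    [pscustomobject]@{
        Task    = $_.TaskPath + $_.TaskName
        State   = $_.State
        RunAs   = $_.Principal.UserId
        Action  = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        LastRun = $info.LastRunTime
    }
} | Format-Table -AutoSize

Write-Host "== Auto-start services whose binary lives outside C:\Windows =="
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName -notmatch '^"?C:\\Windows\\' } |
    Select-Object Name, State, StartName, PathName | Format-Table -AutoSize

Write-Host "== Sticky-keys backdoor (sethc.exe) =="
# Variant 1: an Image File Execution Options debugger hijacks sethc.exe without touching the file.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe'
$dbg  = if (Test-Path $ifeo) { (Get-ItemProperty -Path $ifeo).Debugger }
if ($dbg) { Write-Warning "IFEO Debugger set for sethc.exe: $dbg" }
# Variant 2: sethc.exe is overwritten with a copy of cmd.exe.
$sethc = "$env:SystemRoot\System32\sethc.exe"
$cmd   = "$env:SystemRoot\System32\cmd.exe"
if ((Get-FileHash -Path $sethc).Hash -eq (Get-FileHash -Path $cmd).Hash) {
    Write-Warning "sethc.exe is a byte-for-byte copy of cmd.exe"
}
# A copied cmd.exe still carries cmd's own version resource ('Windows Command Processor', Cmd.Exe).
(Get-Item -Path $sethc).VersionInfo | Select-Object FileDescription, OriginalFilename | Format-Table -AutoSize
```

Anything reported here still needs a judgement call: backup agents, antivirus and monitoring software legitimately appear as non-Microsoft tasks and auto-start services, so compare against the server's known software inventory rather than deleting on sight.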

4. Check the system information

A flaw in the system itself is often fatal: if the host is vulnerable to EternalBlue and no protection has been applied, an attacker can obtain SYSTEM privileges directly with the Metasploit (MSF) exploit module. At the same time, attackers often leave clues after getting in: uploaded files that were never cleaned up, browser history that was not cleared, downloaded files that were not deleted, and so on. When reviewing system information, focus on unpatched system vulnerabilities and on the files the attacker used.

(1) View the system version and patch information

Inspection Method:

1. Open a CMD window and run systeminfo. 2. Review the system version and the list of installed hotfixes.

3. Save the output to a text file (systeminfo > systeminfo.txt) and analyze which known exploits apply to the missing patches with Windows-Exploit-Suggester. The .xls bulletin database is fetched beforehand with python windows-exploit-suggester.py --update:

python windows-exploit-suggester.py --database 2021-08-26-mssb.xls --systeminfo systeminfo.txt

(2) Check suspicious directories and files

Check Method 1:

Check whether a user directory is created

Windows Server 2003 and earlier: C:\Documents and Settings. Windows Vista / Server 2008 and later: C:\Users. Check whether a new profile directory has been created.

Check Method 2:

1. Open Run (Win+R) and enter %UserProfile%\Recent. 2. Analyze the recently opened files for anything suspicious.

Inspection Method 3:

1. Open File Explorer and go through each folder on the server. 2. Sort the files in each folder by date to find suspicious ones. Pay particular attention to whether sethc.exe in Windows\System32 has been replaced with a copy of cmd.exe.

Inspection Method 4:

Check the recycle bin, browser download directory, and history records

(3) View hidden files

Check Method 1:

1. Open Run (Win+R), enter control and open the Control Panel. 2. Find the File Explorer Options item, open the View tab, uncheck "Hide protected operating system files", and select "Show hidden files, folders, and drives".

Check Method 2:

On Windows 8 and later, set this directly from File Explorer's View tab ("Hidden items").

Inspection Method 3:

View files with fileseek
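The directory, recent-file and hidden-file checks in (2) and (3) above can be scripted so that the whole disk is swept by time rather than folder by folder. This is an added example, not code from the original article; the lookback window, the directories in $roots and the C:\inetpub web root are assumptions to be adjusted to the server under investigation.

```powershell
# Added example: file-system sweep for recently written, hidden and recently opened files.
# Assumptions: elevated PowerShell; $since and $roots are investigation parameters.
$since = (Get-Date).AddDays(-7)
$roots = @('C:\Users', 'C:\ProgramData', 'C:\Windows\Temp', 'C:\inetpub') |
    Where-Object { Test-Path $_ }

Write-Host "== User profile directories and when they were created =="
Get-ChildItem -Path 'C:\Users' -Directory -Force |
    Select-Object Name, CreationTime, LastWriteTime | Sort-Object CreationTime | Format-Table -AutoSize

Write-Host "== Executables, scripts and web files written since $since =="
$ext = '\.(exe|dll|ps1|bat|cmd|vbs|js|hta|scr|aspx?|php|jsp|jspx|war)$'
Get-ChildItem -Path $roots -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $ext -and ($_.LastWriteTime -ge $since -or $_.CreationTime -ge $since) } |
    Sort-Object LastWriteTime -Descending |
    Select-Object FullName, CreationTime, LastWriteTime, Length, Attributes | Format-Table -AutoSize

Write-Host "== Hidden or System-attribute files outside AppData (Explorer hides these by default) =="
Get-ChildItem -Path $roots -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0 -or
                    ($_.Attributes -band [IO.FileAttributes]::System) -ne 0) -and
                   $_.FullName -notmatch '\\AppData\\' -and
                   $_.Name -notmatch '^(desktop\.ini|thumbs\.db|ntuser\.dat.*)$' } |
    Select-Object FullName, Attributes, LastWriteTime | Format-Table -AutoSize

Write-Host "== Recently opened items for every profile (the %UserProfile%\Recent shortcuts) =="
Get-ChildItem -Path 'C:\Users\*\AppData\Roaming\Microsoft\Windows\Recent' -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since } |
    Sort-Object LastWriteTime -Descending | Select-Object FullName, LastWriteTime -First 30 | Format-Table -AutoSize

Write-Host "== Downloads folders =="
Get-ChildItem -Path 'C:\Users\*\Downloads' -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since } | Select-Object FullName, LastWriteTime | Format-Table -AutoSize
```

Timestamps are only a lead: attackers can reset them (timestomping), so a file with a suspicious name and an old timestamp is still worth a look, and the creation time of the parent directory is harder to fake than the file's own.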

5. Log analysis

System logs and web logs let you confirm the course of the intrusion and uncover other intrusion activity, but they are only available if logging was enabled beforehand. Log analysis will be covered in a separate article.

(1) System logs

Analysis method:

1. Open Run (Win+R) and enter eventvwr.msc. 2. In Event Viewer, review the Windows Logs (Application, Security, Setup, System, and Forwarded Events).

(2) Web logs

Analysis method:

Locate the middleware, application and WAF logs, including but not limited to IIS, Nginx, the Pagoda (宝塔 / BT) panel, and the website's own application logs.

6. Scanning and removal tools

Webshells and viruses are the main enemies of a Windows system: they keep the attacker's access, steal data, infect other hosts, encrypt files and so on, doing great harm to the operating system. D Shield (D盾) and Huorong (火绒) are recommended (the more scanners the better, of course). Run a full scan for viruses and a scan of the web directories for webshells.

0x03 Summary

When doing incident response we still need to think from the attacker's point of view; as the saying goes, know yourself and know your enemy and you will win a hundred battles. That concludes this introduction to intrusion investigation on Windows; you are welcome to leave a message in the comments.