
Windows Emergency Response - Gray Pigeon Remote Control Trojan

Views: 350 / 2024-10-01 04:49:10

Contents
  • Emergency response context
  • Trojan detection and removal
    • 1. View abnormal connections
    • 2. Find the process file from the port number
    • 3. Check for abnormal services
    • 4. Find startup items
    • Start the removal.
  • Intrusion check
    • 1. Account check
    • 2. Check services
    • 3. Check startup items
    • 4. Check scheduled tasks
    • 5. Network situation
    • 6. Check processes
    • Reboot and check again.

Emergency response context

A new employee who had just joined the company today was given his work computer and wanted to download some office software he would need. He searched for it on a well-known search engine and, in the excitement of the new job, did not check carefully whether the result was an official download. He also ignored the risk warning when downloading and double-clicked to install. After the installation finished, the installer disappeared on its own and no corresponding program appeared on the computer. At this point he realised he might have picked up a Trojan and called the security engineer Zhu to help him investigate.
Zhu understood the situation and began the following emergency response.

Trojan detection and removal

1. View abnormal connections

# filter on "ESTABLISHED" to get the IP and port of every established connection
netstat -ano | findstr "ESTABLISHED"

In a real incident you would look up each remote IP to check whether it belongs to the company; since this is my own lab environment I skip that step here.

2. Find the process file from the port number

Starting from the PID of the established connection, I went looking for the process's file. Searching with Windows itself found nothing, only a file with a similar name, so it is almost certain that the file is hidden; at that point it is simply a matter of reaching for tools.
This is where xuetr would normally be used, but xuetr does not run on my Win7, so use it if it works for you. It is a very good tool, but I can no longer find it online; it seems to have disappeared.
We can use PChunter instead. It shows hidden files and also helps with checking processes. PChunter is widely used and very capable, but for the process checks below I will mostly bring in other tools, because I have recently been learning them.
PChunter share link: /s/1_OMmoe5aFGDu3--q0u94pw?pwd=w3rb
As soon as PChunter is opened you will find that the process has modules without an official signature, which again confirms that it is suspicious.

Then you can locate the file and open its folder, where the file becomes visible.
Do not delete it here: right-click and copy it out first, to keep a sample.
Run it in a sandbox and you can be sure it is a Trojan backdoor.
在这里插入图片描述

Summary
1. The Trojan backdoor and its file path have been identified.
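Steps 1 and 2 correlate the ESTABLISHED connections from netstat -ano with the process behind each PID by hand, and the same correlation is repeated during the later intrusion check with tasklist /svc. The following is an added example of that correlation in Python; it is not code from the original post. It reads the text output of the two commands (here constructed sample output, not captured from the post's machine) and lists every established connection to an address outside the company's ranges together with the image name and the service(s) hosted by the owning PID. The CORPORATE_RANGES list is an assumption and must be replaced with the real address space.

```python
# Added example (not from the original post): correlate `netstat -ano` with
# `tasklist /svc` and list ESTABLISHED connections leaving the trusted ranges.
import ipaddress
import re

# Constructed sample of `netstat -ano` output (not captured from the post's machine).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       724
  TCP    10.0.0.15:49712        10.0.0.2:445           ESTABLISHED     4
  TCP    10.0.0.15:49801        203.0.113.77:8000      ESTABLISHED     2276
  TCP    10.0.0.15:49810        10.0.0.9:3389          ESTABLISHED     1308
  TCP    [::1]:49820            [::1]:5357             ESTABLISHED     1080
  UDP    0.0.0.0:5355           *:*                                    1080
"""

# Constructed sample of `tasklist /svc` output; the image name sec520.exe and the
# service name "windows" mirror the ones found in the post.
TASKLIST_SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                    724 RpcEptMapper, RpcSs
svchost.exe                   1080 Dnscache
mstsc.exe                     1308 N/A
sec520.exe                    2276 windows
"""

# Assumed company address space (plus IPv6 loopback); replace with the real ranges.
CORPORATE_RANGES = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("::1/128")]

# proto, local, foreign, optional state (absent on UDP lines), pid
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def split_endpoint(endpoint):
    """'10.0.0.15:49801' -> ('10.0.0.15', 49801); '[::1]:445' -> ('::1', 445); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one dict per connection line of `netstat -ano` output."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue  # header, blank line or something we do not understand
        proto, local, remote, state, pid = m.groups()
        rhost, rport = split_endpoint(remote)
        conns.append({"proto": proto, "local": local, "remote_ip": rhost,
                      "remote_port": rport, "state": state or "", "pid": int(pid)})
    return conns


def parse_tasklist_svc(text):
    """Return {pid: {'image': name, 'services': [names]}} from `tasklist /svc` output."""
    procs, last_pid = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\S.*?)\s+(\d+)\s+(.*)$", line)
        if m:
            image, pid, services = m.group(1), int(m.group(2)), m.group(3).strip()
            procs[pid] = {"image": image,
                          "services": [] if services == "N/A" else [s.strip() for s in services.split(",")]}
            last_pid = pid
        elif line.startswith(" ") and line.strip() and last_pid is not None:
            # tasklist wraps long service lists onto indented continuation lines
            procs[last_pid]["services"].extend(s.strip() for s in line.split(",") if s.strip())
    return procs


def suspicious_connections(netstat_text, tasklist_text, trusted=CORPORATE_RANGES):
    """ESTABLISHED connections to addresses outside `trusted`, joined with their process."""
    procs = parse_tasklist_svc(tasklist_text)
    findings = []
    for c in parse_netstat(netstat_text):
        if c["state"] != "ESTABLISHED":
            continue
        try:
            remote = ipaddress.ip_address(c["remote_ip"])
        except ValueError:
            continue  # "*" or an unparsable address
        if any(remote in net for net in trusted):
            continue
        proc = procs.get(c["pid"], {"image": "<PID not in tasklist>", "services": []})
        findings.append({"pid": c["pid"], "image": proc["image"], "services": proc["services"],
                         "remote": f"{c['remote_ip']}:{c['remote_port']}"})
    return findings


if __name__ == "__main__":
    for f in suspicious_connections(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"PID {f['pid']} {f['image']} services={f['services']} -> {f['remote']}")
```

On a live machine, feed it the saved output of the two commands (for example redirect each to a file with `> netstat.txt`) instead of the embedded samples; a PID that appears in netstat but not in tasklist is reported rather than dropped, since that mismatch is itself worth a look.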

3. Check for abnormal services

Next I will use Process Hacker and Microsoft's own Process Explorer.
Process Hacker share link:
/s/13GFrYFlNSfy48CEepPHkuA?pwd=mm7g
Process Explorer share link (Microsoft's tool can also be downloaded from the official website):
/s/1hipHkotl7-B-N9XfmRhmnQ?pwd=hb2s
Opening Process Hacker, you can see that a child process, IE, has been started under this file. That settles it; this one just needs to be killed. But for convenience you can find all the related files by following the process below.

You can first filter out the processes whose signatures verify correctly.

Having seen that the suspicious process is still there, we turned the signed-process filter off again so we could see more. In Process Hacker I found the same program file; with the signature filter removed and everything shown, the same thing is visible: a child process ie under sec520.
Then right-click the parent process sec520: it has a service attached, so jump to the service.
I can't believe its name is actually "windows", so I can't judge it at a glance here.
We right-click to view its properties.
The flaw was obvious the moment it opened; if the Trojan had also changed the description I would not have been able to tell the difference so quickly.

Summary
1. The Trojan backdoor and its file path have been identified.
2. The process has a corresponding service, with the service name "windows".

4. Find startup items

To confirm our judgement further, I will again use the Process Explorer tool.
Here I widened the view to show more information; these are the columns I have enabled, customise them to suit your needs.
Then you can see that signature verification still flags the same program file as before.
Then, on the far right, we can see that an autostart entry also exists, and the tool gives the corresponding registry location (the tool shows it starting with HKEY, but it is actually the following location):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
If you are worried about not removing it completely, there is another tool you can use:
Autoruns share link:
/s/1LWodcbICx0PQNrkpiagQMw?pwd=4xw0
You may have to wait a while when opening this tool, as it needs time to scan.
You will see that there are indeed autostart entries.

Summary
1. The process, the Trojan backdoor and its file path have been identified.
2. The process has a corresponding service, with the service name "windows".
3. An autostart entry exists.

Start the removal.

1. Killing the process and deleting the file can be done in one step with PChunter. Be careful here: we only delete because we are sure this is not part of the system. Some Trojans attach themselves to system exe files, so deletion must be used with caution.

(If you prefer to delete manually) first stop the process so that the file can be deleted; the command is as follows:

taskkill /PID 2276 /F

Next delete the file, using PChunter for the removal.

2. Delete the service
Since Process Hacker has already located the service, it can certainly perform the deletion as well, and Process Hacker deletes it more thoroughly.
If you do not want to use a tool, just search for "services" in Windows, find the corresponding abnormal service and delete it.

3. Remove startup items
Here I found that after deleting the service the startup item had been removed as well, so Process Hacker is quite impressive. Below is the earlier screenshot; if you find any other unusual startup items you will need to remove them too.
Then I checked again for abnormal connections and found that they had been cut off and were no longer being established.

Intrusion check

This step makes up for what the Trojan removal did not cover. In an emergency the most pressing problem is naturally handled first; the remaining traces of the backdoor are dealt with next.

1. Account check

View accounts with the command (hidden accounts will not show up here):

net user

You can also right-click Computer and open Computer Management to check for abnormal users.
Check for anomalies in ordinary users and user groups
(that is, whether an ordinary user has been added to the administrators group, and so on).
Everything is fine here.
Checking for cloned accounts, done manually:
Win+R, type regedit to open the registry, then go to the following location:

HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users

If SAM will not open, right-click it and give Administrators full control in its permissions.
The type value of each entry under Names corresponds to one of the account data keys above.
fuck account
administrator account
Compare the two sets of data: they are identical, so there is a cloned account.
In a more realistic situation the attacker will forge an account name that is easy to confuse with a legitimate one, usually not a name like fuck. Once we know it is a cloned account, agree with operations and delete it directly.
Delete it directly in the registry; do not delete it with the system command, as that may damage the legitimate account that was cloned. I stepped on this pitfall myself.
Find the fuck account and its corresponding data key in the registry and right-click to delete them.

You can also use the D-Shield tool to check whether a cloned account exists.
D-Shield share link (it can also be downloaded from the official website):
/s/13hCSYpV5Mn_1JMzy4nSkSQ?pwd=kott
D-Shield finds the cloned account; right-click to delete it.

If D-Shield cannot delete it, deleting directly in the registry is still the best option.

While at it, also check whether Remote Desktop is enabled; after confirming with colleagues that it should not be, just turn it off.

2. Check services

Then check services with PChunter, focusing on those without a vendor signature.
Since our earlier backdoor service was named "windows", look again to see whether it has been re-created or was not removed cleanly.
You need to know that system services correspond to the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services

Check all three for a "windows" backdoor service, because the earlier backdoor service was named windows although it was actually the Gray Pigeon backdoor.
After checking all of them I found they had indeed been removed cleanly and no backdoor service existed.

PS: Note to self.
I do not recommend deleting with PChunter and Autoruns: they do not delete cleanly. In actual testing I found that both seem to delete only the main registry data, leaving residual entries in a few other keys.
For example, after Autoruns the remaining three keys were not deleted cleanly; perhaps Autoruns only deletes the boot-related entries, so the residual entries have to be removed manually.
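The account check above compares the F data of two RIDs by hand in regedit, and the service check walks the three Services keys (the same registry location step 4 of the removal pointed at) looking for a leftover "windows" service. The following is an added example, not code from the original post, that performs both checks over text exported with `reg query <key> /s`: it groups RIDs by their F value to find clones, reports in which of the three Services keys a given service name still exists, and flags services whose ImagePath points outside the Windows and Program Files trees. The registry text is constructed (blobs shortened) and the RID-to-name mapping is assumed to have been read from the Names subkeys, as the post does manually.

```python
# Added example (not from the original post): registry checks over `reg query /s` text.
import re
from collections import defaultdict

USERS_KEY = r"HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users"
SERVICE_HIVES = [
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services",
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services",
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services",
]

# Constructed `reg query HKLM\SAM\SAM\Domains\Account\Users /s` output (blobs
# shortened). RID 0x3EA carries a copy of Administrator's (0x1F4) F value, which
# is what a cloned account looks like.
SAM_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F4
    F    REG_BINARY    020001000000000090B5A8C0E1F3D901
    V    REG_BINARY    00000000BC00000002000100

HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F5
    F    REG_BINARY    02000100000000000000000000000000
    V    REG_BINARY    00000000B800000002000100

HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000003EA
    F    REG_BINARY    020001000000000090B5A8C0E1F3D901
    V    REG_BINARY    00000000C400000002000100

HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names
"""
# RID -> name, assumed to have been read from the type of each Names\<name>
# default value (as the post does by hand); constructed to match the sample.
NAMES = {0x1F4: "Administrator", 0x1F5: "Guest", 0x3EA: "fuck"}

# Constructed `reg query` output for the three Services keys named in the post.
# CurrentControlSet is a link to the active numbered set, so a service removed
# from it can still linger in the other (last-known-good) numbered set.
SERVICES_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache
    Start    REG_DWORD    0x2
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k NetworkService

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache
    Start    REG_DWORD    0x2
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k NetworkService

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Dnscache
    Start    REG_DWORD    0x2
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k NetworkService

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\windows
    Start    REG_DWORD    0x2
    ImagePath    REG_EXPAND_SZ    C:\Users\Public\sec520.exe
    DisplayName    REG_SZ    windows
"""


def parse_reg_query(text):
    """Return {key_path: {value_name: (type, data)}} from `reg query /s` text."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip()
            keys[current] = {}
        elif line.startswith("    ") and current is not None:
            parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)  # name, type, data
            if len(parts) >= 2:
                keys[current][parts[0]] = (parts[1], parts[2] if len(parts) > 2 else "")
    return keys


def find_cloned_accounts(sam_text, names=NAMES):
    """Group RIDs by their F blob; any blob shared by two RIDs is a clone pair."""
    by_f = defaultdict(list)
    for path, values in parse_reg_query(sam_text).items():
        parent, _, rid_hex = path.rpartition("\\")
        if parent.lower() == USERS_KEY.lower() and re.fullmatch(r"[0-9A-Fa-f]+", rid_hex) and "F" in values:
            by_f[values["F"][1]].append(int(rid_hex, 16))
    return sorted(tuple(sorted(names.get(r, f"RID 0x{r:X}") for r in rids))
                  for rids in by_f.values() if len(rids) > 1)


def service_presence(services_text, service_name):
    """Which of the three Services keys still hold a subkey for service_name."""
    keys = {k.lower() for k in parse_reg_query(services_text)}
    return [hive.split("\\")[2] for hive in SERVICE_HIVES
            if (hive + "\\" + service_name).lower() in keys]


def services_outside_system_dirs(services_text):
    """(control set, service, ImagePath) for services not under Windows or Program Files."""
    allowed = ("%systemroot%", r"\systemroot", "system32", r"c:\windows", r"c:\program files")
    hits = []
    for path, values in parse_reg_query(services_text).items():
        image = values.get("ImagePath", ("", ""))[1].strip('"').lower()
        if image and not image.startswith(allowed):
            hits.append((path.split("\\")[2], path.rpartition("\\")[2], values["ImagePath"][1]))
    return sorted(hits)


if __name__ == "__main__":
    print("cloned accounts:", find_cloned_accounts(SAM_SAMPLE))
    print("'windows' service still present in:", service_presence(SERVICES_SAMPLE, "windows"))
    print("services outside system dirs:", services_outside_system_dirs(SERVICES_SAMPLE))
```

Exporting the keys with `reg query ... /s > file.txt` (SAM needs the permission change described above) and running the checks over the files is enough to repeat the comparison after every deletion and after the reboot, which is exactly where the residual entries mentioned in the note tend to show up.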

3. Check startup items

Startup items can be checked with Autoruns and PChunter, focusing on the ones without a vendor signature.
Check the startup folder in the system directory as well.
Also locate that folder and use PChunter to see whether it contains any hidden files.
No hidden files were found; the startup items are normal.
Then Win+R and open the Group Policy editor to check group policy; there you can also see whether any startup scripts exist.

You can also go on to check the corresponding startup entries in the registry.

4. Check scheduled tasks

Win+R and open Task Scheduler. Everything is fine.

5. Network situation

Check the network and port status; everything is fine.

netstat -ano


6. Check processes

You can do a secondary check with tools such as PChunter, watching for the string sec520, mainly to see whether it is running again.
Check the program behind each PID and the corresponding service name; everything is fine!

tasklist /svc


Reboot and check again.

Reboot and check again.
What remains is to check whether the process file has been regenerated, whether the service is back, and whether the corresponding registry entries are still there or have been re-created; in other words, every anomaly found during the earlier detection and removal should be checked again.
That process is omitted here; I only check whether an outbound connection appears again.

At this point a hacker not far away noticed that his Gray Pigeon had dropped offline and checked: indeed, there was no online machine.

All clear, call it a day.