- Emergency response context
- Trojan detection and killing
  - 1. View abnormal connections
  - 2. Find the corresponding process file from the port number
  - 3. Troubleshoot abnormal services
  - 4. Discover startup items
  - Start the kill
- Intrusion detection
  - 1. Account troubleshooting
  - 2. View services
  - 3. View startup items
  - 4. View scheduled tasks
  - 5. Network situation
  - 6. Process troubleshooting
  - Reboot and troubleshoot again
Emergency response context
Li joined the company today. Having received his company computer, he set out to download some office software for work and went straight to a search engine. In the excitement of the new job he did not check carefully whether the result was an official download, and he also ignored the risk warning and double-clicked to install. After the installation finished, the installer disappeared and there was no corresponding program to start on the computer. Realising that he might have installed a Trojan, he called the security engineer Zhu for help.
Zhu understood the situation and began the following emergency operation.
Trojan detection and killing
1. View abnormal connections
# findstr "ESTABLISHED" shows the IP and port of each established connection
netstat -ano | findstr "ESTABLISHED"
In a real investigation you would check whether each remote IP belongs to the company; since this is my own lab environment, I skip that here.
2. Find the corresponding process file from the port number
I then looked for the process file. Searching with Windows directly did not find it, only a similarly named file, so it was almost certainly using file hiding; at that point it is just a matter of bringing in the tools.
This would normally be the place to use xuetr, but xuetr does not run on my Win7, so use it if it works for you; it is a very good tool, but I can no longer find it online.
We can use PChunter instead. This tool shows hidden files and also helps check processes. I used PChunter a lot and it is excellent, but for the later process checks I will also bring in other tools, because I have recently been learning them.
PChunter tool sharing address: /s/1_OMmoe5aFGDu3--q0u94pw?pwd=w3rb
On opening PChunter you will find that it shows process modules that are not officially signed, which again confirms that it is suspicious.
Then you can locate the file.
Go to the location shown in the picture below, where you can see the file.
Rather than deleting it here, right-click and copy it out first to keep a sample.
Throw it into a sandbox and run it, and you can be sure it is a Trojan backdoor.
Summary:
1. The Trojan backdoor and its file path have been identified.
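As an added example (not from the original post), the following PowerShell script automates steps 1 and 2: it parses `netstat -ano` for ESTABLISHED connections, resolves each PID to its image path and Authenticode status, notes whether the image can be seen on disk (a running process whose file cannot be found is the file-hiding symptom described above), and pulls the hosting service names from `tasklist /svc`. The company address prefixes are a constructed placeholder; it assumes an elevated PowerShell session.

```powershell
# Added example: triage ESTABLISHED connections the way steps 1 and 2 do by hand.
# Assumes an elevated PowerShell session on Windows 7 or later.
$internalPrefixes = @('10.', '192.168.', '172.16.')   # constructed placeholder for company ranges

function Get-EstablishedConnections {
    netstat -ano | Select-String 'ESTABLISHED' | ForEach-Object {
        $f        = $_.Line.Trim() -split '\s+'        # Proto Local Foreign State PID
        $remoteIp = $f[2] -replace ':\d+$', ''         # strip the port (IPv6 keeps its brackets)
        $procId   = [int]$f[4]
        $proc     = Get-Process -Id $procId -ErrorAction SilentlyContinue
        $name = '<exited>'; $path = $null; $onDisk = $null; $sig = 'Unknown'; $svcs = $null
        if ($proc) {
            $name = $proc.ProcessName
            $path = $proc.Path                           # $null for some protected/system processes
            if ($path) {
                # a running process whose file cannot be found is the file-hiding symptom from step 2
                $onDisk = Test-Path -LiteralPath $path
                if ($onDisk) { $sig = (Get-AuthenticodeSignature -FilePath $path).Status }
            }
            # services hosted by this PID, as 'tasklist /svc' shows them (step 3 looks at these)
            $svcs = (tasklist /svc /fi "PID eq $procId" /fo csv | ConvertFrom-Csv).Services
        }
        $internal = $false
        foreach ($pfx in $internalPrefixes) { if ($remoteIp.StartsWith($pfx)) { $internal = $true } }
        New-Object PSObject -Property @{
            Remote = $f[2]; PID = $procId; Process = $name; Path = $path
            OnDisk = $onDisk; Signature = $sig; Services = $svcs; Internal = $internal
        }
    }
}

# Non-company peers, images missing from disk and unsigned images float to the top.
Get-EstablishedConnections |
    Select-Object Remote, PID, Process, Path, OnDisk, Signature, Services, Internal |
    Sort-Object Internal, OnDisk, Signature | Format-Table -AutoSize
```

Rows with OnDisk False, Signature NotSigned, or an unexpected Services value are the ones to take to PChunter next.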
3. Troubleshoot abnormal services
Next I will use Process Hacker and Microsoft's own Process Explorer.
Process Hacker tool sharing address: /s/13GFrYFlNSfy48CEepPHkuA?pwd=mm7g
Process Explorer tool sharing address (Microsoft's can also be downloaded from the official website): /s/1hipHkotl7-B-N9XfmRhmnQ?pwd=hb2s
Open Process Hacker.
You can see that there is a child process, IE, opened under this file. Now it is clear; just kill this one. But for convenience you can find all the related files by following this process.
You can start by excluding signature-verified processes.
After finding that it is still this suspicious process, we cancel the exclusion of signed processes so we can see more. In Process Hacker I found the same program file; after removing the signature filter you can see that the same sec520 below has a child process, ie.
Then right-click the parent process sec520 and see that there is a service; jump to the service to view it.
I could hardly believe the service was actually called windows, so it cannot be judged at a glance here.
We right-click to view the properties.
On opening it, the flaw was immediately visible; if the Trojan had changed the description I would not have been able to tell the difference in a second.
Summary:
1. The Trojan backdoor and its file path have been identified.
2. The process exists as a corresponding service, with the service name windows.
4. Discover startup items
To validate our judgement further, I will again use the Process Explorer tool.
Here I have widened the view to show more information; these are the columns I have enabled, customise them to suit your needs.
You can then see that signature verification still shows an anomaly for the previous program file.
Then on the far right we see that a self-start item also exists, and the corresponding registry location is given (the tool shows it beginning with HKEY, but in fact it is the following registry location): HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
If you are worried about not deleting it completely, there is another tool you can use: Autoruns.
Autoruns tool sharing link: /s/1LWodcbICx0PQNrkpiagQMw?pwd=4xw0
You may have to wait a little while when opening this tool, as it needs time to scan.
You will see that there are indeed autostart items.
Summary:
1. The process, the Trojan backdoor and its file path have been identified.
2. The process exists as a corresponding service, with the service name windows.
3. A self-start item exists.
Start the kill.
1. Deleting the process and file can be done in one step with PChunter. Be careful here: we delete only because we are sure this is not part of the system; some Trojans depend on system exe files, so deletion must be used with caution.
(If you prefer to delete manually) first stop the process so that the file can be deleted; the command is as follows:
taskkill /PID 2276 /F
Next, delete the file using PChunter.
2. Delete the service
The prerequisite is that Process Hacker has located the service; it can certainly perform the deletion, and Process Hacker deletes it more thoroughly.
If you do not have a tool, just search for Services in Windows, find the corresponding abnormal service and delete it.
3. Remove startup items
Here I found that after deleting the service the startup item had also been deleted; Process Hacker is still pretty powerful. Below is the previous screenshot; if you find any more unusual startup items you will need to remove them.
Then I checked again for abnormal connections and found that they had been cleared and were no longer being established.
Intrusion detection
This step makes up for what was not considered during the Trojan check: in an emergency the most urgent thing is to solve the immediate problem first, and the remaining backdoor traces are dealt with here.
1. Account troubleshooting
Use the command to view accounts (a hidden account will not show in this command):
net user
You can also right-click Computer, open Management and check for abnormal users.
Check for anomalies in common users and user groups
(i.e. whether a regular user has been added to the administrators group or the like).
Everything is fine here.
Checking for cloned accounts, viewed manually:
Press Win+R, type regedit to open the registry, then find the following location:
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users
If SAM will not open, right-click it and grant administrators Full Control.
The type values under Names correspond to the account data keys above.
The fuck account
The administrator account
Comparing the data shows that it is the same, so there is a cloned account.
A more realistic situation is that the hacker forges an account with a name you could easily confuse, usually not one like fuck; once we know it is a cloned account, we coordinate with operations and delete it directly.
Delete it directly in the registry; do not delete it with the system command, which may damage the good account that was cloned. I stepped on this pitfall myself.
Find the fuck account and its corresponding data in the registry and right-click to delete them.
You can also use the D Shield tool to check whether a cloned account exists.
D Shield tool sharing link (you can also download it from the official website): /s/13hCSYpV5Mn_1JMzy4nSkSQ?pwd=kott
The cloned account is found in D Shield; right-click to delete it.
Again, deleting directly in the registry is best if D Shield cannot delete it.
Then also check whether Remote Desktop is enabled; communicate with colleagues, and if it should not be open, turn it off.
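As an added example (not from the original post), this PowerShell script performs the manual cloned-account comparison above programmatically: the clone trick copies another account's F value (for example the administrator's, RID 500) into the target user's key, and since the F value stores the account's own RID as a DWORD at offset 0x30, a clone shows a stored RID that differs from the RID in its key name. It assumes an elevated session after Administrators have been granted Full Control on HKLM\SAM, as described above.

```powershell
# Added example: detect cloned accounts from HKLM\SAM\SAM\Domains\Account\Users.
# Assumes Administrators have been granted full control on HKLM\SAM (by default only
# SYSTEM can read it), exactly as the post sets up before browsing the key by hand.
function Find-ClonedAccounts {
    $usersKey = 'HKLM:\SAM\SAM\Domains\Account\Users'
    # RID -> account name via WMI, so the report is readable without parsing the V value
    $ridToName = @{}
    Get-WmiObject Win32_UserAccount -Filter 'LocalAccount=True' | ForEach-Object {
        $ridToName[[int]($_.SID -split '-')[-1]] = $_.Name
    }
    Get-ChildItem -Path $usersKey | Where-Object { $_.PSChildName -ne 'Names' } | ForEach-Object {
        $keyRid = [Convert]::ToInt32($_.PSChildName, 16)       # key names are the RID in hex, e.g. 000001F4
        $f      = (Get-ItemProperty -Path $_.PSPath -Name F).F  # REG_BINARY comes back as byte[]
        if (-not $f -or $f.Length -lt 0x34) { return }          # skip keys without a usable F value
        $storedRid  = [BitConverter]::ToInt32($f, 0x30)         # RID recorded inside the F value
        $clonedFrom = $null
        if ($storedRid -ne $keyRid) { $clonedFrom = $ridToName[$storedRid] }
        New-Object PSObject -Property @{
            Key        = $_.PSChildName
            Name       = $ridToName[$keyRid]
            KeyRid     = $keyRid
            StoredRid  = $storedRid
            ClonedFrom = $clonedFrom      # non-empty means this key carries another account's F data
        }
    }
}

Find-ClonedAccounts | Select-Object Key, Name, KeyRid, StoredRid, ClonedFrom | Format-Table -AutoSize
```

Because the scan walks the registry keys rather than `net user`, an account hidden with a trailing $ is still listed.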
2. View services
Next I use PChunter to look at the services, focusing on those without a vendor signature.
Since our previous backdoor service used the name windows, look again to see whether it has been restarted or was not deleted cleanly.
Here is something you need to know: system services are related to the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services
Let's check whether any of these three still has the windows backdoor service, because the earlier backdoor service was named windows but was actually a Gray Pigeon backdoor.
After checking them all, I found that they had indeed been deleted cleanly and no backdoor service existed.
PS: Note to self.
I do not recommend using PChunter and Autoruns to delete, as they do not delete cleanly: in actual testing both seem to delete only the main entry in the registry, leaving residual entries in a few other keys.
For example, with autoruns the other three key entries are not deleted cleanly; perhaps autoruns only deletes the boot-related one, so the residue can only be removed by continuing manually.
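As an added example (not from the original post), this PowerShell script serves both the self-start check in step 4 and the residue check here: it walks the three Services keys listed above and reports every entry whose binary is unsigned or missing from disk, plus any entry on a watch list (the service name windows is the one from this post). It assumes an elevated session.

```powershell
# Added example: find residual or suspicious service entries in all three Services keys.
# Assumes an elevated PowerShell session; 'windows' is the post's backdoor service name.
function Resolve-ImagePath([string]$raw) {
    # Turn a raw ImagePath (quotes, arguments, %SystemRoot%, \??\, relative system32) into a file path
    if (-not $raw) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($raw)
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot -replace '^\\\?\?\\', ''
    if ($p -match '^"([^"]+)"') { $p = $Matches[1] }
    elseif ($p -match '^(.*?\.(exe|sys|dll))') { $p = $Matches[1] }
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-SuspiciousServices {
    param([string[]]$WatchNames = @('windows'))
    $roots = 'HKLM:\SYSTEM\CurrentControlSet\Services',
             'HKLM:\SYSTEM\ControlSet001\Services',
             'HKLM:\SYSTEM\ControlSet002\Services'
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }              # ControlSet002 is not always present
        foreach ($svc in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $props  = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
            $exe    = Resolve-ImagePath $props.ImagePath
            $status = 'NoImagePath'
            if ($exe) {
                if (Test-Path -LiteralPath $exe) { $status = (Get-AuthenticodeSignature -FilePath $exe).Status }
                else { $status = 'FileMissing' }               # orphaned entry: the binary is already gone
            }
            $watched = $WatchNames -contains $svc.PSChildName
            if ($watched -or ($exe -and $status -ne 'Valid')) {
                New-Object PSObject -Property @{
                    Hive = $root.Split('\')[2]; Service = $svc.PSChildName; Start = $props.Start
                    Image = $exe; Signature = $status; Watched = $watched
                }
            }
        }
    }
}

Get-SuspiciousServices | Select-Object Hive, Service, Start, Image, Signature, Watched |
    Sort-Object Watched, Signature -Descending | Format-Table -AutoSize
```

Start 2 marks an auto-start service; on older systems catalog-signed Microsoft binaries can show NotSigned, so treat the list as a triage list rather than a verdict.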
3. View startup items
Startup items can be looked at with Autoruns and PChunter, focusing on the ones without vendor signatures.
Check the startup items in the system Startup folder.
Also locate the folder and use PChunter to see whether there are any hidden files.
No hidden files found; startup items are normal.
Next, press Win+R and enter the Group Policy editor, where you can also check whether there are any startup scripts.
You can also continue to check the corresponding startup entries in the registry.
4. View scheduled tasks
Press Win+R and open the scheduled tasks. Everything is fine.
5. Network situation
Check network and port status; everything is fine.
netstat -ano
6. Process troubleshooting
You can do a second check with tools like PChunter, focusing on the name sec520, mainly to see whether it is running again.
Check the program corresponding to each PID and the corresponding service name; everything is fine!
tasklist /svc
Reboot and troubleshoot again.
Reboot and check again.
The rest is to check whether the process file has been regenerated, whether the service is still there, and whether the corresponding registry entries are still left or have been regenerated; in other words, every anomaly encountered during the previous checking and killing process should be checked again. The process is omitted here; only the check for a renewed external connection is shown.
At this point a hacker not far away noticed that his Gray Pigeon had gone offline, and on checking found that there was indeed no machine online.
All clear, call it a day.