Introduction to blue team: efficiency tools

0X00 Preface
hello！ Hello everyone , The attack and defense drill is in progress , Everyone is still very excited , But there is also some anxiety （ Afraid of being pierced ）. I believe everyone is familiar with the equipment and process of attack and defense , But about the tools and scripts used in the article , Where to download （ After all, I know everything about fishing during the attack and defense ）！ therefore , The author collected information based on wechat official account , After induction, it is more according to my own understanding and experience , Sort out ！（ Most of them are open source tools , Have the ability to tear the source code by hand , Unable to put sandbox Or by md5 Hash for verification ）

If there are friends who don't know , It doesn't matter , Let me briefly introduce the origin of attack and defense drill ： This concept is from 2016 Year begins , At that time, under the promotion of relevant national network security regulators , More and more attention has been paid to network security exercises , So as to divide the red team 、 Blue team 、 Purple team ; The red team is the attacker 、 The blue team acted as the defender , The purple team acted as the referee . Carry out actual network attack and defense practice under certain rules , That is what we call attack and defense drill .

0X01 Preliminary drill
The attack and defense drill is not a direct network attack and defense confrontation （ Usually , The red team , The attacker should have authorization ）, So at some time , Our blue team will carry out the drill in advance ; Check conventional vulnerabilities and recent high-risk vulnerabilities ！ After that, the host with vulnerabilities should be strengthened （ The routine points of the drill are as follows ）：

Prevent being collected ： subdomain , File directory , Port information ; Weak password （ But you can try a strong password ！）

Convergence attack surface ： screening C paragraph , Shut down unnecessary services , Intranet test environment , Personal blog on Intranet …

Build a defense system in depth ： Layers of firewalls , Isolation zone ,IDS,IPS, Honeypot , eye （ Qianxin ）, Leichi （ Changting ）…
Honeypot （ Foreword for defense in depth construction ）
It has two forms ： One is to insert specific js file , The js The file is cached in the attacker's browser cookies To the major social systems jsonp Interface to get the attacker's ID And mobile phone number . The other is to display the need to download a plug-in on a disguised website , This plug-in is generally a reverse Trojan , Query sensitive files after controlling the attacker's host 、 Browser access records and other personal sensitive information to target attackers .

Flow detection system （ One of the dependencies of research and judgment ）
On an increasingly large scale , In the private network environment with increasingly complex structure , Business work is often achieved through application systems . But there are many kinds of jobs , This leads to the diversity of application systems . The content of many users accessing the application system needs to be audited , Facilitate business behavior analysis ; When a leak occurs , These data can also be used to trace the source afterwards . If you can't record these behaviors of users , It will make the whole network under incomplete supervision , Unable to grasp user access in time , It is easy to cause greater information security risks and adverse consequences .

therefore , In order to improve the security of the network environment , Strengthen the security management of information , It is necessary to propose a method of using network packet feature analysis technology to recognize and extract the specified sensitive feature content , Complete the application system request 、 Monitoring of response feature content , Enhance the intelligent monitoring of security administrators' access to sensitive content of some important application systems , Prevent the disclosure of important information .

0X02 Safety disposal group
We know , The safety disposal group corresponds to the emergency response problem ; meet an emergency Fix vulnerability , strengthening Fix vulnerability ; So the masters who hold this position , Some are busy , When something goes wrong , It's the signal for the masters to come on . Usually, the personnel of the disposal team should communicate more with the relevant operation and maintenance personnel of Party A's enterprise , So we need a master with strong communication skills ！

Here I will list some of you " for having heard it many times " The technique of ： meet JAVA Memory horse , One click restart to repair it ; Memory never dies , It can only compete conditionally ; If there is no file ,dump Memory find function ！

Some emergency scripting tools
WindowsVulnScan（Windows System vulnerability patch detection ）：GitHub Project address

DuckMemoryScan（CS Check and kill without documents ）：GitHub Project address

Hippo killing （Webshell Killing ）： File project address

D Shield killing （Webshell Killing ）： File project address

0X03 Security monitoring group
The focus is on the equipment ！ primary , Intermediate is to see whether the equipment has a warning （ Advanced is not clear ）, The monitoring group is responsible for reporting high-risk alarms on the monitoring platform in real time , So there can be no slack ; At the same time, we should keep close contact with the research and judgment team ！

It is possible to monitor the daily work of the Group ：

because ms-170 Eternal Blue , Cause the computer to （Windows） Blue screen ！

Monitor whether the host has downloaded sensitive files or tools （ such as ：dll Inject 、 White and black 、 Remote connection ）

utilize an instrument , Export memory horse , No file landing free memory ; Then submit it to the research and judgment for analysis

0X04 Safety research and judgment team
This job , Often with the safety monitoring post , Cooperate with each other ！ The master of the research and judgment team must always prepare the report template （ Someone will send this to the destination ）, No matter whether the high-risk alarm event belongs to false alarm behavior or not, the results of this alarm event should be fed back to the monitoring group and the command center . however , After all, the machine false alarm rate of major manufacturers , It's really high ！ How to find out in tens of thousands of false positives , The attack of the target ！ There are a few points , It needs the attention of the Masters ！

Study and judge experience
Sensitive operation

Sensitive command

Sensitive time point

logging

Device tips

Traffic information

Safety warning

The physical device reports an error

Weak password experience
Blasting attack warning needs to be extra cautious , May be “ In progress ”.

According to the quantity and whether the business is open to the outside world , Judge the number of errors （ If the intranet is not open but there are a lot of warnings, it is a feature ）

According to the time point （ There are also people logging in frequently in the middle of the night , In the morning, there are administrators operating computers ） The probability is very small

According to the field of the return value （Burpsuite Use , We can know , If login is successful , The length of returned characters is different ）

Judge the returned request value （ Not an option , It may return if it is unsuccessful 200） It can only be a weak feature ！

Intranet experience
attack IP It could be an intranet IP（ The probability is remote control ） features ： Scan detection behavior 、 Blasting behavior 、 Command execution and other missing scanning behaviors , At this time, consider the host , Flow detection

Through further research and judgment, determine whether the behavior has attack characteristics （eg： It may be through weak password 、SQL Inject 、RCE Caused by entering the intranet ）

After the inspection , Reinforce the target , And check the hardware equipment and the surrounding area host , Write a report

Talk about the experience of alarm troubleshooting
Pass the safety test ： Check whether there is a backdoor 、 Code behavior 、 The act of executing a command

Practice and judge that the master confirms the existence through the flow detection system , Aggression

Emergency and reinforcement accountability guide attacks into honeypots and fix vulnerabilities , Write a report

Online toolset
Micro step online cloud sandbox ：https://s.threatbook.cn/

Tencent Hubble ：https://habo.qq.com/Virustotal

Eye of fire ：https://fireeye.ijinshan.com

Magic Shield Security Analysis ：https://www.maldun.com/analysis/

0X05 Security traceability Group && Safety reaction group
These two groups are divided into two directions , Cooperate with each other , And independent of each other ！ Belong to strong ability , A master with rich experience in obtaining evidence ！

The first one is ：IP（ Cloud functions ,DNS In front of , Third-party platform , Blockchain Technology ）===> Threat Intelligence ;whomai Inquire about

The second kind ： More evidence payload Code to query ！（ Code style. ,github project , Compilation residue ）

If I found IP For attack IP after , You can try this IP Go back to the attacker , The following methods are usually used in the specific implementation process ： Anti search domain name ; Email counter check domain name ; Inquire about whois Registration information ; Check the filed domain name information 、 Check the mailbox 、 Reverse check registrant … …

Locate the attacker ip after , You can use the social work Library 、 Social software 、 Fingerprint database and other methods capture the attacker's personal social account and capture more accurate sensitive information , as follows ：

Use email to retrieve , Set goals

Wechat and Alipay transfer , Piece together names

Use the mobile phone number of office software to check the company name

Account number for cash reversal 、 Special strings, etc , Search by the same name

REG007 Via email 、 Mobile number check registration application 、 Website

Counter intelligence
Get information according to the attacker's weapon vulnerability （sqlmap stay linux In the environment bug…）

After discovering the attack , Guide the tool into " Honeypot "

Anti fishing

Threat Intelligence
Micro step online ：https://x.threatbook.cn/

Chianxin Threat Intelligence ：https://ti.qianxin.com/

360 Threat intelligence center ：https://ti.360.cn/#/homepage

Qiming star Threat Intelligence ：https://www.venuseye.com.cn/

The threat analysis center of green alliance ：https://poma.nsfocus.com/ The threat analysis center of green alliance

Douxiang technology Threat Intelligence ：https://mac-cloud.riskivy.com

Finally, I wish you all , The red team must enter the intranet , The blue team will have no false alarm ！