Resumption of attack and defense drill
2022-07-01 23:44:00 【weixin_ forty-eight million one hundred and seventy thousand fo】
I recently took part in a two-week offensive and defensive drill. It was also my first time participating in such an exercise, and it felt quite different from day-to-day work.
When I first arrived on site I was told that I would mainly do blue-team work, but Party A's (the client's) assets were unclear, so the first thing I did was ask Party A for an asset inventory and find out how the assets were distributed across the network zones. Even so, Party A may not be able to say exactly how many assets there are.
Retrospective:
1. Understand the distribution of assets and the network topology
I feel this is a very important point: it lets us determine which position the attacker hit. If the assets are uncertain, we would not even know which host had been compromised.
2. When analyzing threat logs, pay more attention to the cookie, session, token and Referer information
Generally, when the attack team cannot score, they will obtain an account and password through phishing and use it to enter the admin backend; at that point our threat detection system may not detect anything. However, after entering the backend the attack team will usually look for an upload point to see whether a webshell can be uploaded, or launch other attacks, and this is where a record appears. By combining the cookie, session, token and Referer information in the request headers, we can determine whether the attacker entered the backend and at what exact point in time, and then trace the application logs from there.
Besides querying by IP, we can also query by User-Agent, or look for the signatures of known tools.
3. Don't panic when a vulnerability alarm fires
Generally, a vulnerability alarm is not necessarily an attack; it may also be a normal request from business staff. For example, developers' practices may be non-standard, and a request header may carry fragments of SQL statements, which can be reported as a successful SQL injection. Whether it is an attack depends on the context of the log. For example, when there is a directory listing vulnerability alarm, we can query the logs of the alerting IP: if a large number of sensitive file requests follow the directory listing, it may be data exfiltration, and at that point we need to start the investigation and response process.
4. In the tracing process, pay more attention to command execution, code execution and similar attack messages
Generally, such messages will contain a callback IP address or domain name. For the IP, you can search on fofa; some IPs will have a corresponding domain name. For the domain name, you can check its registration (filing) information, and whois can show whether there is personal information. This information can also be fed into threat intelligence aggregation sites to see whether anything else is known about it. Reverse email lookup, GitHub searches, IP geolocation, the website's forgot-password function, its registration function, locating the account number, and so on: all of these can be used.