HW notes (II)

HW Types of alarms found during

web attack ： Information disclosure , Weak password ,xss,sql, Upload files , File contains ,webshell, Command execution ,xxe
Threat Intelligence ： Trojan remote control , Mining Trojan , Blackmail virus , Botnet , Black market tools

sql Inject ,webshell How to determine the real attack

You can use payload Judge , Normal business requests sql The whole statement is long and no sensitive function is used ,sql Injected into the event request body payload It is usually short and there are sensitive functions in the statement such as sleep updatexml

Flow side / Main engine side How to determine false positives

The attack mainly comes from three directions , Network side , Host side and application side . The network side is traffic , Mainly check the alarm analysis of safety equipment , The host side sees what commands are executed , Or whether it is passed on , Application side view waf The firewall is good

Ideas for emergency response

First, check whether there is a false alarm , Isolate the host instead of false positives
To collect information ： Collect customer information and poisoning host information , Include samples
Judgment type ： Judge whether it is a security incident , What kind of security incident , blackmail , dig , Broken net ,ddos etc.
In depth analysis ： Log analysis , Process analysis , Start item analysis , Sample analysis
The log was deleted ： Is there a full flow device , parallel connection , see wireshake, logon server , See if there may be process log occupation , According to the process details , Find the soft connection , Then continue to view the recovery log
Clean up and disposal ： Kill the process directly , Delete file , patch up , XOR is to repair files
Output report

Network seven layer protocol or model

osi Model ： The physical layer , Data link layer , The network layer , Transport layer , The session layer , The presentation layer , application layer
tcp/ip（4 layer ）: Network connection layer , The network layer , Transport layer , application layer

Research on Trojan horse virus , The virus broke out , How to deal with it , For example, worms

1、 Ask about the scope of the attack
2、 Attack trace mining
3、 Sample analysis
4、 Check and eradicate backdoors and Trojan files
cpu Occupancy rate and log troubleshooting

log4j Loophole

log4j With the help of JNDI Plug in vulnerability , use JNDI As a springboard to perform rebound shell

After finding the ice scorpion , Upload webshell The way of action

It mainly depends on the version of ice scorpion ,2.0 and 3.0 The encryption method of is different , Generally, ice scorpions are common 3.0, After finding the ice scorpion , see session And check whether there is md5 Encrypt data

linux Emergency and windows Emergency thinking , Mainly about the troubleshooting ideas and orders

linux Investigation thought , Mainly the source code , Log analysis , Information system analysis , Use d Whether shield scanning has webshell There is , then diff Source information , Check the modified places , Logs are divided into network logs and system logs , Network logs are mainly used find command , The system log uses last command , There is also system information analysis , Generally, when customer service uploads scripts, they run with scripts , Some customer service do not upload scripts , Then use history command , Check out the sensitive Directory , View port information
windows Mainly concentrated in accounts , journal , Port query , and linux Be the same in essentials while differing in minor points

The deployment mode of the heavenly eye

Bypass deployment , Switch traction flow

Successful log analysis cases

Common logs , Whether it is network log or system log , It's all about numbers , If a large number of 404, Or there are a lot of 4625, They all represent some meanings , Find out what the intruder is doing , How did you get in , Determine by matching some eigenvalues , stay linux of use grep and egrep To filter , stay windows of use log parse.

How to trace the attacker , The portrait of the attacker

Get access to , Stealing data , Take advantage of ,ddos etc.
agent ip, Springboard machine ,C2 The server etc.
Harpoon mail fishing ,web penetration , Puddle attack , Source penetration , Social engineering, etc

ip location id Tracking website url

HTTP Of TCP The difference between

tcp On the fourth floor ,http On the seventh floor
http It's a simple request - Response protocol tcp It's a connection oriented , reliable , Transport layer communication protocol based on byte stream ,http Running on the tcp above

eye

&& Double write , character AND Use capital letters

Field is sip dip Express original ip, Purpose ip, Followed by a colon and a specific field

eye ： Based on network traffic and terminals EDR journal , Use Threat Intelligence , Rules engine , File virtual execution , Techniques like machine learning , Accurately discover the intrusion behaviors of known advanced network attacks and unknown new network attacks against hosts and servers in the network
NGSOC（ Security situational awareness and security operations ）： Based on big data platform , By collecting multiple , Heterogeneous massive logs , Using correlation analysis , machine learning , Threat Intelligence and other technologies , Help government and enterprise customer service to continuously monitor the network security situation , from “ Passive defense ” towards “ Active defense ” Advanced
Tianyan only analyzes the flow ,ngsoc Analysis is achieved testing Management Closed loop capability