Daily interview 1 question - basic interview question of blue team - emergency response (1) basic idea process of emergency response +windows intrusion screening idea
2022-06-30 17:58:00 【qq_ fifty-one million five hundred and fifty thousand seven hun】
Basic idea and process of emergency response
- Collect information: gather the customer's environment details and information about the infected hosts, including samples.
- Determine the type: decide whether this is a security incident at all and, if so, what kind: ransomware, cryptomining, network outage, DoS and so on.
- Contain the scope: isolate the affected hosts so the damage does not spread any further (proper isolation is the priority at this stage).
- Analyse in depth: log analysis, process analysis, startup-item analysis and sample analysis; this is what makes later attribution possible.
- Clean up and remediate: kill the malicious processes, delete the files, apply patches, remove abnormal system services and backdoor accounts so the incident cannot expand, then restore production once the host is clean.
- Write the report: compile a complete security incident report.
Windows intrusion screening ideas
When attackers break into an enterprise, a system crashes, or another security event disrupts normal business operations, we have to respond immediately so that the enterprise's network information system returns to normal in the shortest possible time, then locate the source of the intrusion, reconstruct the intrusion process, propose fixes and preventive measures, and recover or reduce the economic loss.
Classification of common emergency response events:
Web intrusion: malicious code injected into the site (drive-by download), home page tampering, WebShell
System intrusion: viruses and trojans, ransomware, remote-control backdoors
Network attack: DDoS attacks, DNS hijacking, ARP spoofing
Intrusion screening ideas
Check system account security
1. Check whether the server has weak passwords and whether remote management ports are exposed to the public network.
- Check the method: ask the responsible server administrator about the actual situation.
2. Check the server for suspicious or newly created accounts.
- Check the method: open a cmd window and run lusrmgr.msc to see whether there are new or suspicious accounts, especially new members of the Administrators group; if there are, disable or delete them immediately.
3. Check the server for hidden accounts and cloned accounts.
Check the method:
a. Open the registry editor and inspect the SAM entries for the administrator account (under HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users; this hive is readable only as SYSTEM or after adjusting permissions on the SAM key). Look for account names ending in $, which net user does not list, and for a second account whose F value is a copy of the RID 500 administrator's, which is how a clone is made.
b. Use the D盾 (D-Shield) Web scanner, which has a built-in cloned-account check.

4. Combine with the logs: review administrator logon times and user names for anomalies.
Check the method:
a. Win+R to open Run, enter "eventvwr.msc" and press Enter to open Event Viewer.
b. Export Windows Logs > Security and analyse it with Microsoft's Log Parser.
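The account checks above can be scripted instead of clicked through. The following is an added example, not code from the original post: it lists local accounts with the warning signs the text describes ($ suffix, renamed RID 500, unexpected Administrators membership), compares the SAM hive with the API view to catch hidden accounts, and pulls the Security events for account creation (4720), group membership changes (4732) and network/RDP logons (4624). It assumes an elevated PowerShell 5.1 or later session on Windows 10 / Server 2016 or later; the $KnownAdmins baseline is a placeholder for what the administrator tells you in step 1, and the SAM comparison only works when the shell runs as SYSTEM.

```powershell
# Added example: local-account review plus Security-log extraction.
# Assumptions: elevated PowerShell 5.1+ (Get-LocalUser needs the LocalAccounts
# module); $KnownAdmins is a hypothetical baseline; SAM hive access needs SYSTEM.
$KnownAdmins = @('Administrator')        # hypothetical baseline from the administrator
$Since       = (Get-Date).AddDays(-30)   # how far back to search the Security log

function Get-SuspiciousLocalAccounts {
    $users  = Get-LocalUser
    $admins = Get-LocalGroupMember -Group 'Administrators'
    foreach ($u in $users) {
        $flags = @()
        if ($u.Name.EndsWith('$')) { $flags += 'name ends in $ (hidden from net user)' }
        if ($u.SID.Value -like '*-500' -and $u.Name -ne 'Administrator') { $flags += 'renamed built-in Administrator (RID 500)' }
        if ($admins.SID.Value -contains $u.SID.Value -and $KnownAdmins -notcontains $u.Name) { $flags += 'in Administrators but not in baseline' }
        if ($u.PasswordLastSet -and $u.PasswordLastSet -gt $Since) { $flags += 'password set recently' }
        if ($flags) {
            [pscustomobject]@{ Name = $u.Name; SID = $u.SID.Value; Enabled = $u.Enabled
                               LastLogon = $u.LastLogon; Flags = ($flags -join '; ') }
        }
    }
    # An account hidden by editing the SAM may be absent from the API view but
    # still present under the Names key. Reading it requires SYSTEM.
    try {
        $samNames = (Get-ChildItem 'HKLM:\SAM\SAM\Domains\Account\Users\Names' -ErrorAction Stop).PSChildName
        foreach ($n in $samNames) {
            if ($users.Name -notcontains $n) {
                [pscustomobject]@{ Name = $n; SID = ''; Enabled = ''; LastLogon = ''
                                   Flags = 'present in SAM but not returned by Get-LocalUser' }
            }
        }
    } catch { Write-Warning "SAM hive not readable (run as SYSTEM to compare): $($_.Exception.Message)" }
}

function Get-AccountEvents {
    param([datetime]$StartTime = $Since)
    # 4720 user created, 4732 member added to a local group, 4624 logon
    # (LogonType 10 = RDP, 3 = network; interactive type 2 is left out as noise)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732, 4624; StartTime = $StartTime } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $d = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        switch ($e.Id) {
            4720 { [pscustomobject]@{ Time = $e.TimeCreated; Id = 4720; From = ''
                                      What = "user $($d.TargetUserName) created by $($d.SubjectUserName)" } }
            4732 { [pscustomobject]@{ Time = $e.TimeCreated; Id = 4732; From = ''
                                      What = "$($d.MemberSid) added to $($d.TargetUserName) by $($d.SubjectUserName)" } }
            4624 { if ($d.LogonType -in '3', '10' -and $d.IpAddress -ne '-') {
                       [pscustomobject]@{ Time = $e.TimeCreated; Id = 4624; From = $d.IpAddress
                                          What = "logon type $($d.LogonType) as $($d.TargetDomainName)\$($d.TargetUserName)" } } }
        }
    }
}

Get-SuspiciousLocalAccounts | Format-Table -AutoSize
Get-AccountEvents | Sort-Object Time | Format-Table -AutoSize
```

Event 4624 only exists if the audit policy for logon events was enabled before the incident; on a host that never audited, the function returns nothing, which is itself a finding for the report.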

Check abnormal ports and processes
1. Check port connections for remote or suspicious connections.
Check the method:
a. Run netstat -ano to list the current network connections and locate suspicious ESTABLISHED entries.
b. Take the PID shown by netstat and locate the process with tasklist:
tasklist | findstr "PID"

2. Check processes.
Check the method:
a. Start > Run, enter msinfo32, then open Software Environment > Running Tasks to see process details such as the path, process ID, file creation date and start time.
b. Open the process view of the D盾 (D-Shield) Web scanner and focus on processes without signature information.
c. Use Microsoft's Process Explorer (Sysinternals) or a similar tool.
d. Examine suspicious processes together with their child processes, looking at:
- processes with no signature verification information
- processes with no description information
- the owner of the process
- whether the process path is legitimate
- processes that occupy a lot of CPU or memory for a long time
3. Tips:
a. Find the PID behind a port: netstat -ano | findstr "port"
b. Find the process behind a PID: Task Manager > View > Select Columns > PID, or tasklist | findstr "PID"
c. Find the program behind a process: in Task Manager, right-click the process and choose Open file location; or run wmic and type process at its prompt (wmic process get name,processid,executablepath shows the same fields non-interactively).
d. tasklist /svc maps process > PID > hosted services.
e. The ports assigned to well-known Windows services are listed in %systemroot%\System32\drivers\etc\services (%systemroot% is normally C:\Windows).
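The netstat/tasklist/Process Explorer steps above boil down to one join: connection to PID to binary to signature and parent. The script below is an added example, not code from the original post: it takes every ESTABLISHED TCP connection to a non-private address, resolves the owning process, and flags the same indicators the list gives (no valid Authenticode signature, a path outside the Windows and Program Files trees or inside a user-writable location, and script hosts or LOLBins holding a network connection). It assumes an elevated PowerShell 5.1 or later session on Windows 8.1 / Server 2012 R2 or later (Get-NetTCPConnection), and the private-address regex is a placeholder that should be widened to the customer's own address ranges.

```powershell
# Added example: ESTABLISHED connections joined to process path, signature,
# owner and parent. Assumptions: elevated PowerShell 5.1+, Windows 8.1+;
# Test-PrivateAddress is a hypothetical filter for the customer's own ranges.
$TrustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")

function Test-PrivateAddress {
    param([string]$Address)
    return $Address -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|169\.254\.|0\.0\.0\.0|::1$|::$|fe80:)'
}

function Get-ProcessInfo {
    param([int]$ProcessId)
    $cim = Get-CimInstance Win32_Process -Filter "ProcessId = $ProcessId" -ErrorAction SilentlyContinue
    if (-not $cim) { return $null }
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($cim.ParentProcessId)" -ErrorAction SilentlyContinue
    $path   = $cim.ExecutablePath
    $sig    = 'Unknown'
    if ($path -and (Test-Path -LiteralPath $path)) { $sig = (Get-AuthenticodeSignature -FilePath $path).Status }
    $owner  = Invoke-CimMethod -InputObject $cim -MethodName GetOwner -ErrorAction SilentlyContinue
    $ownerName  = ''
    if ($owner -and $owner.User) { $ownerName = "$($owner.Domain)\$($owner.User)" }
    $parentName = "orphan(parent PID $($cim.ParentProcessId) gone)"   # parent already exited: common for droppers
    if ($parent) { $parentName = "$($parent.Name)($($parent.ProcessId))" }
    [pscustomobject]@{
        Pid = $cim.ProcessId; Name = $cim.Name; Path = $path; Signature = $sig; Owner = $ownerName
        Parent = $parentName; Started = $cim.CreationDate; CommandLine = $cim.CommandLine
    }
}

function Find-SuspiciousConnections {
    $conns = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
             Where-Object { -not (Test-PrivateAddress $_.RemoteAddress) }
    foreach ($c in $conns) {
        $p = Get-ProcessInfo -ProcessId $c.OwningProcess
        if (-not $p) { continue }
        $flags = @()
        if ($p.Signature -ne 'Valid') { $flags += "signature: $($p.Signature)" }
        if ($p.Path -and -not ($TrustedRoots | Where-Object { $p.Path.StartsWith($_, 'OrdinalIgnoreCase') })) {
            $flags += 'path outside Windows/Program Files'
        }
        if ($p.Path -match '\\(Temp|AppData|ProgramData|Public|\$Recycle\.Bin)\\') { $flags += 'path in a user-writable location' }
        if ($p.Name -match '^(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil)\.exe$') {
            $flags += 'script host / LOLBin holding a network connection'
        }
        if ($p.Parent -like 'orphan*') { $flags += 'parent process already gone' }
        [pscustomobject]@{
            Local = "$($c.LocalAddress):$($c.LocalPort)"; Remote = "$($c.RemoteAddress):$($c.RemotePort)"
            Pid = $p.Pid; Process = $p.Name; Path = $p.Path; Parent = $p.Parent; Owner = $p.Owner
            Started = $p.Started; Flags = ($flags -join '; ')
        }
    }
}

Find-SuspiciousConnections | Sort-Object { $_.Flags.Length } -Descending | Format-Table -AutoSize
```

A 'Valid' signature is not proof of innocence (signed system binaries such as svchost.exe are routinely abused as hosts), so treat the flags as triage order, and compare the CommandLine and Parent columns against what the same process looks like on a clean host.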
1.3 Check startup items, scheduled tasks and services
1. Check whether the server has abnormal startup entries.
Check the method:
a. Log on to the server and click Start > All Programs > Startup. This folder is empty by default; confirm there are no non-business programs in it.
b. Click Start > Run, enter msconfig and check for startup items with abnormal names; if there are, untick them and delete the file at the path shown for that entry.
c. Click Start > Run, enter regedit to open the registry and check whether the startup entries are normal. Pay special attention to these three keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
Check the values on the right for abnormal startup entries and delete any you find. Installing anti-virus software and running a scan is recommended to remove any residual virus or trojan.
d. Use security software to review startup items, boot-time management and so on.
e. Group Policy: run gpedit.msc (startup and logon scripts are configured there).

2. Check scheduled tasks
Check the method:
a. Click Start > Settings > Control Panel > Scheduled Tasks and view each task's properties; the trojan file path can be found there.
b. Click Start > Run, enter cmd, then run at to list legacy AT jobs. at is deprecated, and schtasks /query /fo LIST /v lists every task, including the ones at cannot see; confirm that each job found is legitimate.
3. Service auto-start
- Check the method: click Start > Run, enter services.msc, then review the service status and startup type and look for abnormal services.
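The three persistence locations in this section (Run/RunOnce keys and Startup folders, scheduled tasks, auto-start services) can be swept in one pass. The following is an added example, not code from the original post: it collects every entry from those locations, extracts the executable from the command line, and flags entries whose binary is missing, unsigned, outside the Windows and Program Files trees, or launched through a script host or LOLBin. It assumes an elevated PowerShell 5.1 or later session on Windows 8 / Server 2012 or later (Get-ScheduledTask); the noise filter that skips tasks under \Microsoft\ is a triage choice, not a guarantee those tasks are clean.

```powershell
# Added example: autostart sweep over Run keys, Startup folders, scheduled
# tasks and auto-start services. Assumptions: elevated PowerShell 5.1+,
# Windows 8 / Server 2012 or later.
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$StartupDirs  = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
                  "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup")
$TrustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")

function Get-ExePath {
    # Extract the executable from a command line such as
    #   "C:\Program Files\x\y.exe" -arg     or     C:\tools\z.exe /s
    # Unquoted paths containing spaces are truncated at the first space; that
    # shows up as 'binary missing' below, which still deserves a look.
    param([string]$CommandLine)
    if (-not $CommandLine) { return $null }
    $cl = $CommandLine.Trim()
    if ($cl.StartsWith('"')) {
        $end = $cl.IndexOf('"', 1)
        if ($end -gt 1) { return [Environment]::ExpandEnvironmentVariables($cl.Substring(1, $end - 1)) }
        return $null
    }
    return [Environment]::ExpandEnvironmentVariables(($cl -split '\s+')[0])
}

function Test-Entry {
    param([string]$Source, [string]$Name, [string]$Command, [string]$Principal = '')
    $exe = Get-ExePath $Command
    $flags = @()
    if (-not $exe) { $flags += 'no executable' }
    elseif (-not (Test-Path -LiteralPath $exe)) { $flags += 'binary missing or bare name' }
    else {
        $exe = (Resolve-Path -LiteralPath $exe).Path
        if (-not ($TrustedRoots | Where-Object { $exe.StartsWith($_, 'OrdinalIgnoreCase') })) { $flags += 'outside Windows/Program Files' }
        $sig = (Get-AuthenticodeSignature -FilePath $exe).Status
        if ($sig -ne 'Valid') { $flags += "signature: $sig" }
    }
    if ($Command -match '(?i)(powershell|pwsh|cmd\.exe|mshta|wscript|cscript|rundll32|regsvr32|certutil|bitsadmin)') {
        $flags += 'script host / LOLBin launcher'
    }
    [pscustomobject]@{ Source = $Source; Name = $Name; Principal = $Principal
                       Executable = $exe; Command = $Command; Flags = ($flags -join '; ') }
}

function Get-Autostarts {
    foreach ($k in $RunKeys) {
        if (-not (Test-Path $k)) { continue }
        (Get-ItemProperty -Path $k).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
            ForEach-Object { Test-Entry -Source $k -Name $_.Name -Command ([string]$_.Value) }
    }
    foreach ($d in $StartupDirs) {
        if (-not (Test-Path $d)) { continue }
        Get-ChildItem -LiteralPath $d -File -Force | ForEach-Object {
            Test-Entry -Source 'StartupFolder' -Name $_.Name -Command "`"$($_.FullName)`""
        }
    }
    Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
        $t = $_
        foreach ($a in $t.Actions) {
            if ($a.Execute) {
                Test-Entry -Source "Task $($t.TaskPath)" -Name $t.TaskName -Command "$($a.Execute) $($a.Arguments)" -Principal $t.Principal.UserId
            }
        }
    }
    Get-CimInstance Win32_Service | Where-Object { $_.StartMode -eq 'Auto' } | ForEach-Object {
        Test-Entry -Source 'Service' -Name $_.Name -Command $_.PathName -Principal $_.StartName
    }
}

Get-Autostarts | Where-Object Flags | Format-Table -AutoSize
```

Running the same script on a known-good build of the same server and diffing the two outputs removes most of the remaining noise; a service or task with a Principal of SYSTEM and a binary under C:\ProgramData or a user profile is the combination most worth opening first.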
1.4 Check system information
1. Check the system version and patch information
- Check the method: click Start > Run, enter systeminfo and review the output (OS version, install date, installed hotfixes).
2. Look for suspicious directories and files
Check the method:
a. Look at the user profile directory: a new account gets a profile directory there on first logon, so check for new user directories.
Windows Server 2003: C:\Documents and Settings
Windows Server 2008 R2 and later: C:\Users\
b. Click Start > Run, enter %UserProfile%\Recent and review the recently opened items for suspicious files.
c. In each directory on the server, sort the file list by time and look for suspicious files.
d. Check the Recycle Bin, the browser download directory and the browser history.
e. A file whose modification time is earlier than its creation time is suspicious: copying a file into place (or timestomping it) gives it a new creation time while keeping the old modification time.
3. Once you have the creation time of a WebShell or remote-control trojan, how do you find other files created in the same time frame?
a. Use the search function of Registry Workshop (a third-party registry editor), which can find keys last written within a time interval.
b. Use the file search function of Explorer and restrict the search to the modification time.
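The file-hunting steps above (new profile directories, the Recent folder, files in a time window, and the "modified before created" anomaly) are easier to apply to a whole server from PowerShell than from Explorer. The script below is an added example, not code from the original post; $Root, $Start and $End are placeholder values for the site path and the window derived from the WebShell's timestamp, and the function that reads Recent resolves each shortcut to its target through the WScript.Shell COM object.

```powershell
# Added example: time-window and timestamp-anomaly file hunt, plus profile
# directory and Recent-folder review. $Root/$Start/$End are hypothetical.
$Root      = 'C:\inetpub\wwwroot'         # hypothetical: the web root to sweep
$Start     = Get-Date '2022-06-01'        # hypothetical window around the WebShell's creation time
$End       = Get-Date '2022-06-30'
$ScriptExt = '.aspx', '.asp', '.ashx', '.asmx', '.php', '.jsp', '.jspx', '.ps1', '.vbs', '.bat', '.exe', '.dll'

function Find-SuspiciousFiles {
    param([string]$Path = $Root, [datetime]$From = $Start, [datetime]$To = $End)
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $f = $_
        $flags = @()
        if ($f.CreationTime -ge $From -and $f.CreationTime -le $To)   { $flags += 'created in window' }
        if ($f.LastWriteTime -ge $From -and $f.LastWriteTime -le $To) { $flags += 'modified in window' }
        # NTFS keeps LastWriteTime when a file is copied in but stamps a new
        # CreationTime, so modified < created means copied in or timestomped.
        if ($f.LastWriteTime -lt $f.CreationTime) { $flags += 'modified before created (copied in or timestomped)' }
        if ($flags -and $ScriptExt -contains $f.Extension.ToLower()) { $flags += 'script/binary extension' }
        if ($flags) {
            [pscustomobject]@{ Path = $f.FullName; Created = $f.CreationTime; Modified = $f.LastWriteTime
                               Size = $f.Length; Flags = ($flags -join '; ') }
        }
    }
}

function Get-ProfileDirs {
    # A new account gets a profile directory on first logon; a directory with
    # no matching local account is worth explaining.
    $users = (Get-LocalUser).Name
    Get-ChildItem 'C:\Users' -Directory -Force -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Profile = $_.Name; Created = $_.CreationTime; LocalAccount = ($users -contains $_.Name) }
    }
}

function Get-RecentTargets {
    # %UserProfile%\Recent is a junction to this folder; each .lnk points at
    # a file the current user opened.
    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem "$env:APPDATA\Microsoft\Windows\Recent" -Filter *.lnk -File -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Opened = $_.LastWriteTime; Shortcut = $_.Name; Target = $shell.CreateShortcut($_.FullName).TargetPath }
    }
}

Find-SuspiciousFiles | Sort-Object Created | Format-Table -AutoSize
Get-ProfileDirs | Format-Table -AutoSize
Get-RecentTargets | Sort-Object Opened -Descending | Format-Table -AutoSize
```

Run it as the user whose Recent folder matters (the one that was logged on during the incident), since Get-RecentTargets only sees the current profile; for other profiles point it at C:\Users\<name>\AppData\Roaming\Microsoft\Windows\Recent instead.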
1.5 Automated scanning
Virus scanning
- Check the method: download a security product, update to the latest virus database and run a full scan.
WebShell scanning
- Check the method: point the scanner at the specific site path. Run two WebShell scanners side by side; their rule bases complement each other.
1.6 Log analysis
System logs
Analysis method:
a. Prerequisite: the audit policy must already be enabled. Then, when a system fault or security incident occurs later, the system log files can be used to troubleshoot it and trace the intruder.
b. Win+R to open Run, enter "eventvwr.msc" and press Enter to open Event Viewer.
c. Export the Application, Security and System logs and analyse them with Log Parser.
Web access logs
Analysis method:
a. Locate the middleware's web logs and package them for local analysis.
b. Recommended tools: on Windows, EmEditor handles large text files and searches reasonably fast; on Linux, use combinations of shell commands to query and analyse.
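Whatever editor or shell you use, the question asked of a web access log is the same: which script page was repeatedly POSTed to by a single client, often from a non-browser user agent, in a directory that should only hold uploads or static content. The following is an added example, not code from the original post: a small IIS W3C log parser (it reads the #Fields: header, so it adapts to whatever columns the site logs) and a scorer for that pattern, run here over a handful of constructed log lines rather than real traffic. IIS writes the user agent with spaces replaced by '+', which is what lets the line be split on single spaces.

```powershell
# Added example: IIS W3C log parsing and WebShell-pattern scoring.
# The log lines below are constructed for this example, not real traffic.
$SampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2022-06-28 09:12:01 10.0.0.5 GET /index.aspx - 80 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200 15
2022-06-28 09:12:03 10.0.0.5 GET /images/logo.png - 80 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200 3
2022-06-28 09:15:44 10.0.0.5 GET /upload/../../web.config - 80 - 198.51.100.23 python-requests/2.25 404 2
2022-06-28 09:16:10 10.0.0.5 POST /uploads/1.aspx - 80 - 198.51.100.23 python-requests/2.25 200 120
2022-06-28 09:16:12 10.0.0.5 POST /uploads/1.aspx - 80 - 198.51.100.23 python-requests/2.25 200 95
2022-06-28 09:16:30 10.0.0.5 POST /uploads/1.aspx - 80 - 198.51.100.23 python-requests/2.25 200 2200
2022-06-28 09:20:00 10.0.0.5 POST /login.aspx - 80 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 302 20
2022-06-28 09:20:05 10.0.0.5 POST /login.aspx - 80 - 192.0.2.44 Mozilla/5.0+(Windows+NT+10.0) 302 18
'@

function ConvertFrom-IisLog {
    # Turn W3C lines into objects whose property names are the #Fields: names.
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) { $fields = $line.Substring(8).Trim() -split ' '; continue }
        if ($line.StartsWith('#') -or -not $line.Trim()) { continue }
        $vals = $line -split ' '
        if (-not $fields -or $vals.Count -ne $fields.Count) { continue }   # skip malformed lines
        $o = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $o[$fields[$i]] = $vals[$i] }
        [pscustomobject]$o
    }
}

function Find-WebshellCandidates {
    param([object[]]$Entries, [int]$MinPosts = 2)
    $scriptUri = '\.(aspx?|ashx|asmx|php|jspx?)$'
    $posts = $Entries | Where-Object { $_.'cs-method' -eq 'POST' -and $_.'cs-uri-stem' -match $scriptUri }
    $posts | Group-Object 'cs-uri-stem' | ForEach-Object {
        $uri   = $_.Name
        $ips   = $_.Group.'c-ip' | Sort-Object -Unique
        $ok    = @($_.Group | Where-Object { $_.'sc-status' -eq '200' }).Count
        $allIp = @($Entries | Where-Object { $_.'cs-uri-stem' -eq $uri }).'c-ip' | Sort-Object -Unique
        $flags = @()
        if (@($allIp).Count -eq 1) { $flags += 'only one client ever requested it' }
        if ($uri -match '/(upload|uploads|temp|tmp|images|files)/') { $flags += 'script in an upload/static directory' }
        if (($_.Group.'cs(User-Agent)' | Sort-Object -Unique) -match '(?i)(python|curl|go-http|antsword)') { $flags += 'tooling user agent' }
        if ($_.Count -ge $MinPosts -and $flags) {
            [pscustomobject]@{ Uri = $uri; Posts = $_.Count; Ok = $ok; Clients = ($ips -join ','); Flags = ($flags -join '; ') }
        }
    }
}

$entries = ConvertFrom-IisLog -Lines ($SampleLog -split "`r?`n")
Find-WebshellCandidates -Entries $entries | Format-Table -AutoSize
# Traversal probes and error bursts from the same client usually precede the upload:
$entries | Where-Object { $_.'cs-uri-stem' -match '\.\./' -or $_.'sc-status' -in '404', '500' } |
    Format-Table date, time, 'c-ip', 'cs-method', 'cs-uri-stem', 'sc-status' -AutoSize
```

On the constructed input, /uploads/1.aspx is reported (three POSTs, all 200, one client, upload directory, python-requests), while /login.aspx is not, because two browsers POST to it and it lives where a login page belongs. For a real log replace $SampleLog with Get-Content over the u_ex*.log files; once a candidate URI is known, the first request to it from its client gives the upload time to feed back into the file hunt in section 1.4.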
0x02 Tools
2.1 Virus analysis
PCHunter: http://www.xuetr.com
Huorong (火绒) Sword: https://www.huorong.cn
Process Explorer: https://docs.microsoft.com/zh-cn/sysinternals/downloads/process-explorer
Process Hacker: https://processhacker.sourceforge.io/downloads.php
Autoruns: https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
OTL: https://www.bleepingcomputer.com/download/otl/
ESET SysInspector: http://download.eset.com.cn/download/detail/?product=sysinspector
2.2 Virus scanning
Kaspersky Virus Removal Tool: http://devbuilds.kaspersky-labs.com/devbuilds/KVRT/latest/full/KVRT.exe (recommended because: portable, latest virus database)
Dr.Web CureIt!: http://free.drweb.ru/download+cureit+free (recommended because: fast scanning; one download is usable for a week, then re-download to refresh the virus database)
Huorong Security: https://www.huorong.cn
360 Antivirus: http://sd.360.cn/download_center.html
2.3 Virus news
CVERC (National Computer Virus Emergency Response Center): http://www.cverc.org.cn
ThreatBook (微步在线) Threat Intelligence Community: https://x.threatbook.cn
Huorong Security Forum: http://bbs.huorong.cn/forum-59-1.html
Duba (毒霸) Community: http://bbs.duba.net
Tencent PC Manager forum: http://bbs.guanjia.qq.com/forum-2-1.html
2.4 Online virus scanning sites
VirusTotal: https://www.virustotal.com
VirSCAN: http://www.virscan.org
Tencent HaBo analysis system: https://habo.qq.com
Jotti's malware scan: https://virusscan.jotti.org
2.5 WebShell scanning
D盾 (D-Shield) Web scanner: http://www.d99net.net/index.asp
Hema (河马) WebShell scanner: http://www.shellpub.com