2024HW藍隊對抗手冊

HW藍隊對抗手冊目錄TOC\o"1-3"\h\u229470x01前言 4302740x02準備工作 5211511)組織結(jié)構(gòu)圖 544892)全網(wǎng)拓撲圖 5227153)各系統(tǒng)邏輯結(jié)構(gòu)圖 5142074)各系統(tǒng)之間的調(diào)用關(guān)系 5321525)數(shù)據(jù)流關(guān)系 5178726)核心資產(chǎn)清單 562887)應(yīng)急響應(yīng)計劃 5279718)業(yè)務(wù)連續(xù)性計劃 5232369)災(zāi)難恢復(fù)計劃 561800x03簡單安全評估 513393端口掃描和漏洞檢測 628944主機發(fā)現(xiàn)（Ping） 67278端口掃描 630000服務(wù)版本檢測 66983掃描多個端口 65404UDP 611206TCP/UDP（-Pn跳過主機發(fā)現(xiàn)） 616890Nessus 631927OPENVAS 628836WINDOWS 65089網(wǎng)絡(luò)發(fā)現(xiàn) 710958DHCP 711018DNS 718050哈希值 87682NETBIOS 824183微軟基線安全分析器(MBSA) 914891LINUX 914850網(wǎng)絡(luò)發(fā)現(xiàn) 9792DHCPDHCP 92486DNS 923857哈希值 1017906NETBIOS 1022151安全加固 109964WINDOWS 1018238禁用/停止服務(wù) 1010744防火墻管理 103627DNSNetios 1130234應(yīng)用控制 115030IPSEC 1216937其他安全策略 1319354LINUX 1512555服務(wù)管理 1531060防火墻管理 1631958DNS 1619114IPSEC 1720432檢測（Visibility） 1919818網(wǎng)絡(luò)安全監(jiān)控 1925257數(shù)據(jù)包捕捉與分析 1964522.）TSHARK 20290373.）SNORT 2164404.）BroNSM 21258415.）EDITCAP 23317678.）NetworkMiner 2315570蜜罐技術(shù) 23181911.）端口蜜罐 23261715.3.2LINUX系統(tǒng)篇1.）端口蜜罐 2495992.)(PASSIVE)監(jiān)控DNS解析 2419981日志審計 2411078WINDOWS 2412578LINUX 268295響應(yīng)（取證） 279573.）網(wǎng)絡(luò)信息 28274524.）服務(wù)信息 29208405.）策略、補丁、環(huán)境變量信息 3054686.）自啟動信息 30165866.2）使用autoruns 3121917.）取日志文件 368378.）文件、目錄、共享信息 36195883.）網(wǎng)絡(luò)信息 38302918.)簡單基線檢查 4149099.)檢測rootkit 411151810.)FastirCollectorLinux，收集artefacts，包括：內(nèi)核版本、內(nèi)核模塊、網(wǎng)卡、系統(tǒng)版本、主機名、登錄、網(wǎng)絡(luò)連接、SSHknow_host、日志文件、進程數(shù)據(jù)、自啟動等信息 41432011.)SysdigandSysdigFalco行為監(jiān)控 4225365.4.2病毒樣本分析 4318105常用技巧和工具 455818技巧 4522734WINDOWS 4527642LINUX1.)SNORT 475936兵器譜 50216503.）REMNUX軟件逆向和病毒分析發(fā)行版 50224824.)OPENVAS 51293275.)SecurityOnion入侵檢測、網(wǎng)絡(luò)安全監(jiān)控、日志分析發(fā)行版 510x01前言紅藍對抗的思想最早可追溯到我國現(xiàn)存最早的一部兵書《孫子兵法》，在孫子·謀攻篇有這RedTeamsattackandBlueTeamsdefend,buttheprimarygoalissharedbetweenthem:improvethesecuritypostureoftheorganization.0x02準備工作)組織結(jié)構(gòu)圖)全網(wǎng)拓撲圖)各系統(tǒng)邏輯結(jié)構(gòu)圖)各系統(tǒng)之間的調(diào)用關(guān)系)數(shù)據(jù)流關(guān)系)核心資產(chǎn)清單)應(yīng)急響應(yīng)計劃)業(yè)務(wù)連續(xù)性計劃)災(zāi)難恢復(fù)計劃0x03簡單安全評估端口掃描和漏洞檢測主機發(fā)現(xiàn)（Ping）#nmap-sn-PEIP地址或地址段端口掃描#nmap–openIP地址或地址段服務(wù)版本檢測#nmap-sVIP地址或地址段掃描多個端口#nmap-p80,443IP地址或地址段UDP#nmap-sU-p53IP地址或地址段TCP/UDP（-Pn跳過主機發(fā)現(xiàn)）#nmap-v-Pn-SU-ST-pU:53,111,137,T:21-25,80,139,8080IP地址或地址段Nessus#nessus-q-x-Thtml服務(wù)器IP服務(wù)器端口管理員帳號密碼目標.txt輸出報告.htmlOPENVAS#apt-yinstallpcregrep#wgethttps://goo.gl/TYbLwE#chmod+xopenvas-automate.sh&&./openvas-automate.sh目標IPWINDOWS網(wǎng)絡(luò)發(fā)現(xiàn)基本網(wǎng)絡(luò)發(fā)現(xiàn)：#C:>netview/all#C:>netview主機名Ping探測：#C:>for/L%Iin(1,1,254)doping-w30-n1192.168.1.%I|find"回復(fù)">>輸出.txtDHCP啟用DHCP服務(wù)器日志功能：#C:>regaddHKLMSystemCurrentControlSetServicesDhcpServerParameters/vActivityLogFlag/tREG_DWORD/d1默認日志文件目錄：C:>%windir%System32DhcpDNS啟用DNS服務(wù)器日志功能：C:>DNSCmdDNS服務(wù)器名/config/logLevel0x8100F331#配置日志文件目錄:C:>DNSCmdDNS服務(wù)器名/config/LogFilePathC:dns.log#配置日志文件大小:C:>DNSCmdDNS服務(wù)器名/config/logfilemaxsize0xffffffff哈希值文件校驗和完整性驗證（FCIV）：Ref：\h/kb/841290#單個文件:C:>fciv.exe文件名#計算C盤所有文件并把結(jié)果保存到文件中:C:>fciv.exec:-r-sha1-xml結(jié)果.xml#列出所有hash值:C:>fciv.exe-list-sha1-xml結(jié)果.xml#certutil&PowerShell#certutil-hashfile文件名SHA1#PSC:>Get-FileHash文件名|Format-List#PSC:>Get-FileHash-algorithmmd5文件名NETBIOSnbtstat掃描#C:>nbtstat-A目標IP地址NetBIOS緩存#C:>nbtstat-c批量掃描#C:>for/L%Iin(1,1,254)donbtstat-An192.168.1.%I微軟基線安全分析器(MBSA)掃描單個IP#C:>mbsacli.exe/targetIP地址/nos+iis+sql+password掃描IP地址段#C:>mbsacli.exe/rIP地址段/nos+iis+sql+passwordLINUX網(wǎng)絡(luò)發(fā)現(xiàn)查看開放的SMB共享#smbclient-L目標主機名Ping探測#foripinip>/dev/null;[Misplaced&ipUP"||:;doneDHCPDHCP#cat/var/lib/dhcpd/dhcpd.leasesDebian/Ubuntu#grep-Ei'dhcp'/var/log/syslog.1DNSDNS日志#rndcquerylog&&tail-f/var/log/messages|grepnamed哈希值計算某目錄下所有可執(zhí)行文件的HASH值#find/sbin-typef-execmd5sum{}>>md5sums.txt;#md5deep-rs/sbin>md5sums.txtNETBIOSnbtstat掃描#nbtscan目標IP地址或IP地址段舉例：nbtscan-100安全加固WINDOWS禁用/停止服務(wù)#C:>scquery#C:>scconfig"服務(wù)名"start=disabled#C:>scstop"服務(wù)名"#C:>wmicservicewherename="服務(wù)名"callChangeStartmodeDisabled防火墻管理#列出所有規(guī)則:#C:>netshadvfirewallfirewallshowrulename=all#啟用或禁用防火墻:C:>netshadvfirewallsetcurrentprofilestateonC:>netshadvfirewallsetcurrentprofilefirewallpolicyblockinboundalways,allowoutboundC:>netshadvfirewallsetpublicprofilestateonC:>netshadvfirewallsetprivateprofilestateonC:>netshadvfirewallsetdomainprofilestateonC:>netshadvfirewallsetallprofilestateonC:>netshadvfirewallsetallprofilestateoff#配置舉例：netshadvfirewallfirewalladdrulename="開放TCP:80端口"dir=inaction=allowprotocol=TCPlocalport=80netshadvfirewallfirewalladdrulename="TCP:443dir=inaction=allowprotocol=TCPlocalport=443netshadvfirewallfirewalladdrulename="TCP:445dir=inaction=blockprotocol=TCPlocalport=445netshadvfirewallfirewalladdrulename="允許MyApp"dir=inaction=allowprogram="C:MyAppMyApp.exe"enable=yesDNSNetios#C:>ipconfig/flushdns#C:>nbtstat-R應(yīng)用控制#AppLocker配置#導(dǎo)入Applocker模塊PSC:>import-moduleApplocker#查看system32目錄下所有exe文件的Applocker信息PSC:>Get-ApplockerFileinformation-DirectoryC:WindowsSystem32-Recurse-FileTypeExe#增加一條針對system32目錄下所有的exe文件的允許規(guī)則PSC:>Get-ChilditemC:WindowsSystem32*,exe|Get-ApplockerFileinformation|New-ApplockerPolicy-RuleTypePublisher,Hash-UserEveryone-RuleNamePrefixSystem32IPSEC#使用預(yù)共享密鑰的方式新建一條IPSEC本地安全策略，應(yīng)用到所有連接和協(xié)議C:>netshipsecstaticaddfilterfilterlist=MyIPsecFiltersrcaddr=Anydstaddr=Anyprotocol=ANYC:>netshipsecstaticaddfilteractionname=MyIPsecActionaction=negotiateC:>netshipsecstaticaddpolicyname=MyIPsecPolicyassign=yesC:>netshipsecstaticaddrulename=MyIPsecRulepolicy=MyIPsecPolicyfilterlist=MyIPsecFilterfilteraction=MyIPsecActionconntype=allactivate=yespsk=密碼#新建一條允許訪問外網(wǎng)TCP80和443端口的IPSEC策略C:>netshipsecstaticaddfilteractionname=Allowaction=permitC:>netshipsecstaticaddfilterfilterlist=WebFiltersrcaddr=Anydstaddr=Anyprotocol=TCPdstport=80C:>netshipsecstaticaddfilterfilterlist=WebFiltersrcaddr=Anydstaddr=Anyprotocol=TCPdstport=443C:>netshipsecstaticaddrulename=WebAllowpolicy=MyIPsecPolicyfilterlist=WebFilterfilteraction=Allowconntype=allactivate=yespsk=密碼#查看和禁用某條IPSEC本地安全策略C:>netshipsecstaticshowpolicyname=MyIPsecPolicyC:>netshipsecstaticsetpolicyname=MyIPsecPolicyassign=no#新建一條IPSEC對應(yīng)的防火墻規(guī)則，源地址和目的地址為anyC:>netshadvfirewallconsecaddrulename="IPSEC"endpointl=anyendpoint2=anyaction=requireinrequireoutqmsecmethods=default#新建一條IPSEC對應(yīng)的防火墻規(guī)則，所有出站請求必須提供預(yù)共享密鑰C:>netshadvfirewallfirewalladdrulename="IPSEC_Out"dir=outaction=allowenable=yesprofile=anylocalip=anyremoteip=anyprotocol=anyinterfacetype=anysecurity=authenticate其他安全策略#禁用遠程桌面連接C:>regadd"HKLMSYSTEMCurrentControlSetControlTerminalServer"/f/vfDenyTSConnections/tREG_DWORD/d1#只發(fā)送NTLMv2響應(yīng)（防止“永恒之藍”漏洞攻擊）C:>regaddHKLMSYSTEMCurrentControlSetControlLsa/vlmcompatibilitylevel/tREG_DWORD/d5/f#禁用IPV6C:>regaddHKLMSYSTEMCurrentControlSetservicesTCPIP6Parameters/vDisabledComponents/tREG_DWORD/d255/f#禁用sticky鍵C:>regadd"HKCUControlPanelAccessibilityStickyKeys"/vFlags/tREG_SZ/d506/f#禁用管理共享（Servers/Workstations）C:>regaddHKLMSYSTEMCurrentControlSetServicesLanmanServerParameters/f/vAutoShareServer/tREG_DWORD/d0C:>regaddHKLMSYSTEMCurrentControlSetServicesLanmanServerParameters/f/vAutoShareWks/tREG_DWORD/d0#禁用注冊表編輯器和CMD命令提示符C:>regaddHKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem/vDisableRegistryTools/tREG_DWORD/d1/fC:>regaddHKCUSoftwarePoliciesMicrosoftWindowsSystem/vDisableCMD/tREG_DWORD/d1/f#啟用UACC:>regaddHKLMSOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystem/vEnableLUA/tREG_DWORD/d1/f#啟用防火墻日志C:>netshfirewallsetloggingdroppedpackets=enableC:>netshfirewallsetloggingconnections=enableLINUX服務(wù)管理#查看服務(wù)狀態(tài)service–status-allps-efORps-auxinitctllistsystemctllist-unit-files#啟動，停止和禁用服務(wù)#ForUpstartservices:/etc/init.d/apache2start|stop|statusserviceapache2start|stop|statusupdate-rc.dapache2disable#ForSystemdservices:systemctlstart|stop|statusntp.servicesystemctldisablesshd.service防火墻管理#iptables常用操作：iptables-save>filewall_rules.bak#導(dǎo)出當(dāng)前規(guī)則iptables-vnL–line#列出所有規(guī)則iptables-S#同上iptables-PINPUTDROP#默認策略，禁止所有連接iptables-AINPUT-s0-jDROP#禁止單個IPiptables-AINPUTs10,10.10.0/24-jDROP#禁止一個網(wǎng)段iptables-AINPUT-ptcp–dportssh-s0-jDROP#禁止某IP訪問本機SSH服務(wù)iptables-AINPUT-ptcp–dportssh-jDROP#禁止訪問本機SSH服務(wù)iptables-IINPUT5-mlimit–limit5/min-jLOG–log-prefix"iptablesdenied:"–log-level7#啟用日志iptables-F#清除所有已加載的工作DNS#Unix/Linux系統(tǒng)沒有系統(tǒng)級別DNS緩存IPSEC#在兩臺服務(wù)器之間建立IPSEC通道1.）添加防火墻規(guī)則允許IPSEC協(xié)議iptables-AINPUT-pesp-jACCEPTiptables-AINPUT-pah-jACCEPTiptables-AINPUT-pudp–dport500-jACCEPTiptables-AINPUT-pudp–dport4500-jACCEPT2.）安裝Racoonapt-yinstallracoon3.）編輯配置文件：/etc/ipsec-tools.confflush;spdflush;spdadd主機A的IP地址主機B的IP地址any-Poutipsecesp/transport//require;spdadd主機BIP地址主機AIP地址any-Pinipsecesp/transport//require;4.）編輯配置文件：/etc/racoon/racoon.conflognotify;pathpre_shared_key"/etc/racoon/psk.txt";pathcertificate"/etc/racoon/certs";remoteanonymous{exchange_modemain,aggressive;proposal{ aes_256; hash_algorithmsha256; authentication_methodpre_shared_key;dh_groupmodp1024;}generate_policyoff;}sainfoanonymous{pfs_group2;encryption_algorithmaes_256;authentication_algorithmhmac_sha256;compression_algorithmdeflate;}5.）添加預(yù)共享密鑰主機A：echo主機B123>>/etc/racoon/psk.txt主機B：echo主機A123>>/etc/racoon/psk.txt6.)重啟服務(wù)，檢查協(xié)商及配置策略servicesetkeyrestartsetkey-Dsetkey-DP檢測（Visibility）網(wǎng)絡(luò)安全監(jiān)控數(shù)據(jù)包捕捉與分析1.）TCPDUMPtcpdump-tttt-n-vv#打印時戳、不進行名稱解析及verbose方式顯示tcpdump-nn-c1000|awk'{print$3}'|cut-d.-f1-4|sort-n|uniq-c|sort-nr#捕捉1000個數(shù)據(jù)包，找出Toptalkerstcpdump-wtarget.pcap-ianydsttargetIPandport80#在所有接口上捕捉目標IP為：targetIP且端口為80的數(shù)據(jù)包并寫入target.pcap文件tcpdumphost&&host#捕捉兩個主機之間的數(shù)據(jù)包tcpdumpnotnet10.10&¬host#檢視非10.10網(wǎng)段及非主機的數(shù)據(jù)包tcpdumphost0&&(0or0)#檢視主機A和主機B或C的數(shù)據(jù)包tcpdump-ns0C100-w001.pcap100Mtcpdump-n-A-s0porthttporportftporportsmtporportimaporportpop3|egrep-is:|user:|username:|password:|login:|pass|user'–color=auto–line-buffered-B20#抓取明文密碼tcpdump-s1500-A'(tcp[((tcp[12:1]&0xf0)>>2)+5:1]=0x01)and(tcp[((tcp[12:1]&0xf0)>>2):1]=0x16)'#查找自簽名證書2.）TSHARKtshark-nr001.pcap-Y"ssl.handshake.ciphersuites"-Vx|grep"ServerName:"|sort|uniq-c|sort-r#提取證書ServerName字段tshark-D#列出所有接口tshark-ieth0-ieth1#監(jiān)聽多個接口tshark-nn-w001.pcap#禁用名稱解析并保存到文件tsharkarporicmp#捕捉arp或者icmptshark"host主機A&&host主機B"#捕捉兩個主機之間的數(shù)據(jù)包tshark-r001.pcap#對已保存的數(shù)據(jù)包進行分析tshark-n-eip.src-eip.dst-Tfields-Eseparator=,-2-Rip-r001.pcap#提取源/目的IP地址tshark-n-eip.src-edns,-Eseparator=';'-Tfieldsport53#提取DNS查詢的源IP及DNS查詢的域名tshark-2-Rhttp.request-Tfields-Eseparator=';'-ehttp.host-ehttp.request.uri-r001.pcap#提取HTTP請求中的host參數(shù)和請求uritshark-n-c150Iawk'{print$4}'Isort-n|uniq-c|sort-nr#提取toptalkerstshark-q-zio,phs-r001.pcap#協(xié)議統(tǒng)計tshark-n-c100-eip.src-Y"dns.flags.responseeq1"-Tfieldsport53#提取響應(yīng)的DNS服務(wù)器地址tshark-n-ehttp.request.uri-Yhttp.request-Tfields|grepexe#提取通過http下載exe可執(zhí)行文件的數(shù)據(jù)包3.）SNORTsnort-T-c/etc/snort/snort.conf#測試配置文件配置snort-dv-r001.log#分析數(shù)據(jù)包snort-dvr001.logicmp#取icmp數(shù)據(jù)包snort-Kascii-l001#抓包，ASCII格式顯示snort-q-Aconsole-ieth0-c/etc/snort/snort.conf#在終端打印snorteventsecho'logtcp/24any->522(msg:"sshaccess";sid:1618008;)'>001.rule&&snort-T-c001.rule#規(guī)則測試mkdirlogs&&snort-vd-c001.rule-r001.pcap-Aconsole-llogs#執(zhí)行規(guī)則4.）BroNSMapt-yinstallbrobro-auxpipinstallbro-pkgbro-pkginstallbro/hosom/file-extractionwgethttps://\h/2018/01/12/2018-01-12-NanoCore-RAT-traffic.pcap.zipwgethttps://\h/static/exchange-2013/faf-exercise.pcapbro-r2018-01-12-NanoCore-RAT-traffic.pcap#從pcap文件中讀取數(shù)據(jù)并創(chuàng)建相關(guān)日志文件bro-rfaf-exercise.pcap/root/.bro-pkg/scratch/file-extraction/scripts/plugins/extract-pe.bro&&ls-lhct./extract_files/#提取exe文件bro-rfaf-exercise.pcap/usr/share/bro/policy/frameworks/files/extract-all-files.bro#提取多個類型的文件bro-C-rfaf-exercise.pcap&&catssl.log|bro-cutserver_name,subject,issuer#提取證書中的server_name,issuer和subjects字段catconn.log|bro-cutid.orig_h,id.orig_p,id.resp_h,id.resp_p,proto,conn_state#提取源IP，源端口，目的IP，目的端口，協(xié)議類型，tcp標記catdns.log|bro-cutquery|sort-u#提取DNS查詢namecathttp.log|bro-cutid.orig_h,id.orig_p,id.resp_h,id.resp_p,host,uri,referrer#提取源IP，源端口，目的IP，目的端口，host，uri，referrer字段cathttp.log|bro-cutuser_agent|sort-u#提取user_agent字段5.）EDITCAPeditcap-Fpcap-c1000orignal.pcapout_split.pcap#以1000為單位進行分割editcap-Fpcap-t+3600orignal.pcapout_split.pcap#以1小時為單位進行分割6.）MERGECAPmergecap-wmerged_cap.pcapcapl.pcapcap2.pcapcap3.pcap#合并多個文件7.）PacketTotalhttps://\h/app/analysis?id=c8c11b792272ac19a49299a3687466be&name=files8.）NetworkMiner\hhttp://netres.ec/?b=173588E蜜罐技術(shù)WINDOWS1.）端口蜜罐#原理：監(jiān)聽一些端口，客戶端成功建立TCP連接后，記錄訪問日志，然后添加防火墻規(guī)則封禁此IPPSC:>certutil.exe-urlcache-split-f/Pwdrkeg/honeyport/master/honeyport.ps1PSC:>.honeyport.ps1-Ports4444,22,21,23-WhiteList,-Block$true-VerbosePSC:>Get-EventLogHoneyPort#查看日志信息PSC:>stop-job-nameHoneyPort#停止任務(wù)PSC:>remove-job-nameHoneyPort#移除任務(wù)5.3.2LINUX系統(tǒng)篇1.）端口蜜罐#原理同上wget/gchetrick/honeyports/master/honeyports-0.5.pypythonhoneyports-0.5.py-p1234-h00-D2.)(PASSIVE)監(jiān)控DNS解析apt-yinstalldnstopdnstop-l3eth0dnstop-l3001.pcap|out.txt日志審計WINDOWS#增加日志文件大小進行日志審計C:>regaddHKLMSoftwarePoliciesMicrosoftWindowsEventlogApplication/vMaxSize/tREG_DWORD/d0x19000C:>regaddHKLMSoftwarePoliciesMicrosoftWindowsEventlogSecurity/vMaxSize/tREG_DWORD/d0x64000C:>regaddHKLMSoftwarePoliciesMicrosoftWindowsEventLogSystem/vMaxSize/tREG_DWORD/d0x19000#查看Windows事件日志-安全日志的配置C:>wevtutilglSecurity#檢查審核策略auditpol/get/category:*#對所有項啟用成功和失敗的審核策略C:>auditpol/set/category:*/success:enable/failure:enable#查看已配置的事件日志的概要信息PSC:>Get-Eventlog-list#取最近5條應(yīng)用程序日志PSC:>Get-Eventlog-newest5-lognameapplication|Format-List#取EentID：4672的所有日志PSC:>Get-EventlogSecurity|?{$_.Eventid-eq4672}#登錄與注銷事件PSC:>Get-EventlogSecurity4625,4634,4647,4624,4625,4648,4675,6272,6273,6274,6275,6276,6277,6278,6279,6280,4649,4778,4779,4800,4801,4802,4803,5378,5632,5633,4964-after((get-date).addDays(-1))#DPAPI行為，進程終止，RPC事件PSC:>Get-EventLogSecurity4692,4693,4694,4695,4689,5712-after((get-date).addDays(-1)#文件共享，文件系統(tǒng)，SAM，注冊表，證書時間PSC:Get-EventLogSecurity660,4661,4663,4656,4658,4690,4874,4875,4880,4881,4882,4884,4885,4888,4890,4891,4892,4895,4896,4898,5145,5140,5142,5143,5144,5168,5140,5142,5143,5144,5168,5140,5142,5143,5144,5168,4664,4985,5152,5153,5031,5140,5150,5151,5154,5155,5156,5157,5158,5159-after((get-date).addDays(-1))#查看EentID：4672的詳細信息Get-EventlogSecurity|?{$_.Eventid-eq4672}|Format-ListLINUX#認證日志tail/var/log/auth.loggrep-i"fail"/var/log/auth.logtail/var/log/securegrep-i"fail"/var/log/securesamba，cron,sudo/var/log/sysloggrep-isamba/var/log/messagesgrep-icron/var/log/sysloggrep-isudo/var/log/auth.loggrep-isudo/var/log/secure#Apache404錯誤日志grep404apache.log|grep-v-E"favicon.ico|robots.txt"#監(jiān)控新文件，5分鐘刷新一次watch-n300-dls-lR/web_root響應(yīng)（取證）WINDOWS1.）系統(tǒng)信息C:>echo%DATE%%TIME%C:>hostnameC:>systeminfoC:>systeminfo|findstr/B/C:"OSName"/C:"OSVersion"C:>wmiccsproductgetnameC:>wmicbiosgetserialnumberC:>wmiccomputersystemlistbriefC:>psinfo-accepteula-s-h-d2.）用戶信息C:>whoamiC:>netusersC:>netlocalgroupadministratorsC:>netgroupadministratorsC:>wmicrdtogglelistC:>wmicuseraccountlistC:>wmicgrouplistC:>wmicnetlogingetname,lastlogon,badpasswordcountC:>wmicnetclientlistbriefC:>doskey/history>history.txt3.）網(wǎng)絡(luò)信息C:>netstat-eC:>netstatC:>netstat-nrC:>netstat-vbC:>nbtstat-sC:>routeprintC:>arp-aC:>ipconfig/displaydnsC:>netshwinhttpshowproxyC:>ipconfig/allcompartments/allC:>netshwlanshowinterfacesC:>netshwlanshowallC:>regquery"HKLMSOFTWAREMicrosoftWindowsCurrentVersionInternetSettingsConnectionsWinHttpSettings"C:>type%SYSTEMROOT%system32driversetchostsC:>wmicnicconfiggetdescriptions,IPaddress,MACaddressC:>wmicnetusegetname,username,connectiontype,localname4.）服務(wù)信息C:>atC:>tasklistC:>tasklist/svcC:>tasklist/SVC/fi"imagenameeqsvchost.exe"C:>tasklist/SVC/fi"imagenameeqsvchost.exe"C:>schtasksC:>netC:>scC:>wmicservicelistbrief|findstr"Running"C:>wmicservicelistconfigC:>wmicprocesslistbriefC:>wmicprocessliststatusC:>wmicprocesslistmemoryC:>wmicjoblistbriefPSC:>Get-Service|Where-Object{$_.Status-eq"running"}5.）策略、補丁、環(huán)境變量信息C:>setC:>gpresult/rC:>gpresult/z>output.txtC:>gpresult/Hreport.html/FC:>wmicqfe6.）自啟動信息C:>wmicstartuplistfullC:>wmicntdomainlistbrief6.1）檢查自啟動文件目錄C:>dir"%SystemDrive%ProgramDataMicrosoftWindowsStartMenuProgramsStartup"C:>dir"%SystemDrive%DocumentsandSettingsAllUsersStartMenuProgramsStartup"C:>dir%userprofile%StartMenuProgramsStartupC:>%ProgramFiles%StartupC:>dirC:WindowsStartMenuProgramsstartupC:>dir"C:Users%username%AppDataRoamingMicrosoftWindowsStartMenuProgramsStartup"C:>dir"C:ProgramDataMicrosoftWindowsStartMenuProgramsStartup"C:>dir"%APPDATA%MicrosoftWindowsStartMenuProgramsStartup"C:>dir"%ALLUSERSPROFILE%MicrosoftWindowsStartMenuProgramsStartup"C:>dir"%ALLUSERSPROFILE%StartMenuProgramsStartup"C:>typeC:Windowswinstart.batC:>type%windir%wininit.iniC:>type%windir%win.iniC:>typeC:Autoexec.bat"6.2）使用autorunsC:>autorunsc-accepteula-m6.3）自啟動注冊表位置HKEY_CLASSES_ROOT:C:>regqueryHKCRComfileShellOpenCommandC:>regqueryHKCRBatfileShellOpenCommandC:>regqueryHKCRhtafileShellOpenCommandC:>regqueryHKCRExefileShellOpenCommandC:>regqueryHKCRExefilesShellOpenCommandC:>regqueryHKCRpiffileshellopencommandHKEY_CURRENT_USERS:C:>regquery"HKCUControlPanelDesktop"C:>regquery"HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerRun"C:>regquery"HKCUSoftwareMicrosoftWindowsCurrentVersionRun"C:>regquery"HKCUSoftwareMicrosoftWindowsCurrentVersionRunonce"C:>regquery"HKCUSoftwareMicrosoftWindowsCurrentVersionRunOnceEx"C:>regquery"HKCUSoftwareMicrosoftWindowsCurrentVersionRunServices"C:>regquery"HKCUSoftwareMicrosoftWindowsCurrentVersionRunServicesOnce"C:>regquery"HKCUSoftwareMicrosoftWindowsCurrentVersionWindowsRun"C:>regquery"HKCUSoftwareMicrosoftWindowsCurrentVersionWindowsLoad"C:>regquery"HKCUSoftwareMicrosoftWindowsCurrentVersionWindowsScripts"C:>regquery"HKCUSoftwareMicrosoftWindowsNTCurrentVersionWindows"/frunC:>regquery"HKCUSoftwareMicrosoftWindowsNTCurrentVersionWindows"/floadC:>regquery"HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerRun"C:>regquery"HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerRecentDocs"C:>regquery"HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerComDlg32LastVisitedMRU"C:>regqueryU"C:>regquery"HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerComDlg32LastVisitedPidlMRU"C:>regquery"HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerComD1g32OpenSavePidlMRU"/sC:>regquery"HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerRunMRU"C:>regquery"HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerShellFolders"C:>regquery"HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerUserShellFolders"C:>regquery"HKCUSoftwareMicrosoftWindowsCurrentVersionAppletsRegEdit"/vLastKeyC:>regquery"HKCUSoftwareMicrosoftInternetExplorer"TypedURLsC:>regquery"HKCUSoftwarePoliciesMicrosoftWindowsControlPanelDesktop"HKEY_LOCAL_MACHINE:C:>regquery"HKLMSOFTWAREMicrosoftActiveSetupInstalledComponents"/sC:>regquery"HKLMSOFTWAREMicrosoftWindowsCurrentVersionexplorerUserShellFolders"C:>regquery"HKLMSOFTWAREMicrosoftWindowsCurrentVersionexplorerShellFolders"C:>regquery"HKLMSoftwareMicrosoftWindowsCurrentVersionexplorerShellExecuteHooks"C:>regquery"HKLMSOFTWAREMicrosoftWindowsCurrentVersionExplorerBrowserHelperObjects"/sC:>regquery"HKLMSOFTWAREMicrosoftWindowsCurrentVersionPoliciesExplorerRun"C:>regquery"HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun"C:>regquery"HKLMSOFTWAREMicrosoftWindowsCurrentVersionRunonce"C:>regquery"HKLMSOFTWAREMicrosoftWindowsCurrentVersionRunOnceEx"C:>regquery"HKLMSOFTWAREMicrosoftWindowsCurrentVersionRunServices"C:>regquery"HKLMSOFTWAREMicrosoftWindowsCurrentVersionRunServicesOnce"C:>regquery"HKLMSOFTWAREMicrosoftWindowsCurrentVersionWinlogonUserinit"C:>regquery"HKLMSOFTWAREMicrosoftWindowsCurrentVersionshellServiceObjectDelayLoad"C:>regquery"HKLMSOFTWAREMicrosoftWindowsNTCurrentVersionScheduleTaskCacheTasks"/sC:>regquery"HKLMSOFTWAREMicrosoftWindowsNTCurrentVersionWindows"C:>regquery"HKLMSOFTWAREMicrosoftWindowsNTCurrentVersionWindows"/fAppinit_DLLsC:>regquery"HKLMSOFTWAREMicrosoftWindowsNTCurrentVersionWinlogon"/fShellC:>regquery"HKLMSOFTWAREMicrosoftWindowsNTCurrentVersionWinlogon"/fUserinitC:>regquery"HKLMSOFTWAREPoliciesMicrosoftWindowsSysternScripts"C:>regquery"HKLMSOFTWAREClassesbatfileshellopencornrnand"C:>regquery"HKLMSOFTWAREClassescornfileshellopencornrnand"C:>regquery"HKLMSOFTWAREClassesexefileshellopencommand"C:>regquery"HKLMSOFTWAREClasseshtafileShellOpenCommand"C:>regquery"HKLMSOFTWAREClassespiffileshellopencommand"C:>regquery"HKLMSOFTWAREWow6432NodeMicrosoftWindowsCurrentVersionExplorerBrowserHelperObjects"/sC:>regquery"HKLMSYSTEMCurrentControlSetControlSessionManager"C:>regquery"HKLMSYSTEMCurrentControlSetControlSessionManagerKnownDLLs"C:>regquery"HKLMSYSTEMControlSet001ControlSessionManagerKnownDLLs"7.）取日志文件C:>wevtutileplSecurityC:bakSecurity-logs.evtxC:>wevtutileplSystemC:bakSystem-logs.evtxC:>wevtutileplApplicationC:bakApplication-logs.evtx8.）文件、目錄、共享信息C:>netuse目標IPC:>netshareC:>netsessionC:>wmicvolumelistbriefC:>wmiclogicaldiskgetdescription,filesystem,name,sizeC:>wmicsharegetname,path#查找多個類型的文件或某個文件C:>dir/A/S/T:A*.exe*.dll*.bat*.PS1*.zipC:>dir/A/S/T:Aevil.exe#查找2017/1/1之后創(chuàng)建的文件C:>forfiles/pC:/M*.exe/S/D+2017/1/1/C"cmd/cecho@fdate@ftime@path"C:>for%Gin(.exe,.dll,.bat,.ps)doforfiles-p"C:"-m*%G-s-d+2017/1/1-c"cmd/cecho@fdate@ftime@path"#查找文件大小>20MB的文件forfiles/S/M*/C"cmd/cif@fsizeGEQ2097152echo@path@fsize"#在AlternateDataStreams中查找文件C:>streams-s文件或目錄#檢查數(shù)字簽名，vt掃描C:>sigcheck-e-u-vr-sC:C:>listdlls.exe-u#掃描病毒C:>"C:ProgramFilesWindowsDefenderMpCmdRun.exe"-SignatureUpdateC:>"C:ProgramFilesWindowsDefenderMpCmdRun.exe"-Scan“LINUX1.）系統(tǒng)信息uname-auptimetimedatectlmount2.）用戶信息Wlastloglastfaillog-acat/etc/passwdcat/etc/shadowcat/etc/groupcat/etc/sudoers#查找UID為0的用戶awk-F:'($3=="0"){print}'/etc/passwdegrep':0+'/etc/passwdcat/root/.ssh/authorized_keyslsof-urootcat/root/.bash_history3.）網(wǎng)絡(luò)信息#查看網(wǎng)絡(luò)接口ifconfigORipal#查看監(jiān)聽端口netstattupnl#查看網(wǎng)絡(luò)連接netstat-tupnlanetstat-tupnlax#路由信息routeORnetstat-rORiprl#ARP表arp-ne#監(jiān)聽端口的進程lsof-i4.）服務(wù)信息#列出所有進程psauxORps-ef#已加載內(nèi)核模塊lsmod#打開的文件lsoflsof-clsof-pPIDlsof-nPi|cut-f1-d""|uniq|tail-n+2#監(jiān)控日志less+F/var/log/messagestail-F/var/log/messagesjournalctl-ussh.service-f#列出所有服務(wù)chkconfig–listsystemctllist-units5.）#檢查pam.d/etc/pam.d/common*#自啟動信息–計劃任務(wù)crontab-lcrontab-uroot-lcat/etc/crontabls/etc/cron,*6.）命令歷史cat/root/.*history7.）df-ahls-lhcta/etc/init.d/stat-xfilenamefilefilename#特殊屬性文件lsattr-R/|grep"-i-"#全局可寫文件find/-xdev-typed(-perm-0002-a!-perm-1000)-print#某時間點之后新建的文件find/-newermt2018-01-22q#打印文件的所有屬性信息find/labs-printf"%m;%Ax;%AT;%Tx;%TT;%Cx;%CT;%U;%G;%s;%pn"#查看文件的元數(shù)據(jù)stat文件名8.)簡單基線檢查wget/pentestmonkey/unix-privesc-check/1_x/unix-privesc-check&&./unix-privesc-check>output.txt9.)檢測rootkitchkrootkitrkhunter–update&&rkhunter-checktiger&&less/var/log/tiger/security.report.*lynis&&lynisauditsystem&&more/var/logs/lynis.log10.)FastirCollectorLinux，收集artefacts，包括：內(nèi)核版本、內(nèi)核模塊、網(wǎng)卡、系統(tǒng)版本、主機名、登錄、網(wǎng)絡(luò)連接、SSHknow_host、日志文件、進程數(shù)據(jù)、自啟動等信息wget/SekoiaLab/Fastir_Collector_Linux/master/fastIR_collector_linux.pypythonfastIR_collector_linux.py–debug–output_diroutput11.)SysdigandSysdigFalco行為監(jiān)控#觀察root用戶查看過的目錄sysdig-p"%evt.arg.path""evt.type=chdirand=root"#觀察SSHD行為sysdig-A-cecho_fds=/dev/ptmxand=sshd#id為5459的登錄shell執(zhí)行過的所有命令sysdig-rtrace.scap.gz-cspy_usersproc.loginshellid=5459#安裝，啟動falcocurl-s//DRAIOS-GPG-KEY.public|apt-keyadd-curl-s-o/etc/apt/sources.list.d/draios.list\h/stable/deb/draios.listsudoaptupdateapt-yinstallmodprobesysdig-probeservicefalcostartfalco5.4.2病毒樣本分析#靜態(tài)分析#掛載Sysinternals工具集tools#檢查數(shù)字簽名C:>sigcheck.exe-u-eC:malwareC:>sigcheck.exe-vtmalware.exe#16機制和ASCII方式查看PE文件hexdump-C-n500malware.exeod-xmailware.exexxdmalware.exestrings-amalware.exe|more#內(nèi)存鏡像分析pythonvol.py-fmalware_memory_dump.raw-profile=Win7SPFix64malfind-D/outputpythonvol.py-fmalware_memory_dump.raw-profile=Win7SPFix64malfind-pPID-D/outputpythonvol.py-fmalware_memory_dump.raw-profile=Win7SPFix64pslistpythonvol.py-fmalware_memory_dump.raw-profile=Win7SPFix64pstreepythonvol.py-fmalware_memory_dump.raw-profile=Win7SPFix64dlllistpythonvol.py-fmalware_memory_dump.raw-profile=Win7SPFix64dlldump-D/output#HASH分析curl-v–requestPOST–urlhttps://\h/vtapi/v2/file/report'-dapikey=VTAPIKEY-d'resource=樣本文件hash'curl-v-F'file=malware.exe'-Fapikey=VTAPIKEY>http\hs://www.virustota\hl.co\hm/vtapi/v2/file/scanwhois-hhash,樣本文件hash#獲取磁盤和內(nèi)存鏡像#WINDOWSC:>psexec.exeIP-u<DOMAIN>administrator-p123-cmdd_l.3.exe–oC:memory.dmpC:>dc3dd.exeif=.c:of=d:diskiamge.ddhash=md5log=d:output.log#LINUXddif=/dev/fmemof=/tmp/mem_dump.dd#使用LiMEget/504ensicslabs/LiME/archive/master.zipunzipmaster.zipcdLiME-master/srcmakecplime-*.ko/media/USB/insmodlime-3.13.0-79-generic.ko"path=/media/USB/mem_dump.limeformat=raw"#從內(nèi)存中拷貝PE文件cp/proc/進程ID/exe/output#創(chuàng)建進程coredumpgcore進程IDstrings-agcore.*|moreddif=/dev/sdaof=/root/sda.ddddif=/dev/sda|sshroot@RemoteIP"ddof=/root/sda.dd"#通過netcat傳送接收鏡像文件bzip2-c/dev/sda|nc53nc-p53-l|bzip2-d|ddof=/root/sda.dd常用技巧和工具技巧WINDOWS#將命令結(jié)果通過管道輸出到粘帖板，然后將粘帖板的內(nèi)容重定向到文件C:>some_command.exe|clipPSC:>Get-Clipboard>clip