2024HW藍(lán)隊(duì)對(duì)抗手冊(cè)

HW藍(lán)隊(duì)對(duì)抗手冊(cè)目錄TOC\o"1-3"\h\u229470x01前言 4302740x02準(zhǔn)備工作 5211511)組織結(jié)構(gòu)圖 544892)全網(wǎng)拓?fù)鋱D 5227153)各系統(tǒng)邏輯結(jié)構(gòu)圖 5142074)各系統(tǒng)之間的調(diào)用關(guān)系 5321525)數(shù)據(jù)流關(guān)系 5178726)核心資產(chǎn)清單 562887)應(yīng)急響應(yīng)計(jì)劃 5279718)業(yè)務(wù)連續(xù)性計(jì)劃 5232369)災(zāi)難恢復(fù)計(jì)劃 561800x03簡(jiǎn)單安全評(píng)估 513393端口掃描和漏洞檢測(cè) 628944主機(jī)發(fā)現(xiàn)（Ping） 67278端口掃描 630000服務(wù)版本檢測(cè) 66983掃描多個(gè)端口 65404UDP 611206TCP/UDP（-Pn跳過(guò)主機(jī)發(fā)現(xiàn)） 616890Nessus 631927OPENVAS 628836WINDOWS 65089網(wǎng)絡(luò)發(fā)現(xiàn) 710958DHCP 711018DNS 718050哈希值 87682NETBIOS 824183微軟基線安全分析器(MBSA) 914891LINUX 914850網(wǎng)絡(luò)發(fā)現(xiàn) 9792DHCPDHCP 92486DNS 923857哈希值 1017906NETBIOS 1022151安全加固 109964WINDOWS 1018238禁用/停止服務(wù) 1010744防火墻管理 103627DNSNetios 1130234應(yīng)用控制 115030IPSEC 1216937其他安全策略 1319354LINUX 1512555服務(wù)管理 1531060防火墻管理 1631958DNS 1619114IPSEC 1720432檢測(cè)（Visibility） 1919818網(wǎng)絡(luò)安全監(jiān)控 1925257數(shù)據(jù)包捕捉與分析 1964522.）TSHARK 20290373.）SNORT 2164404.）BroNSM 21258415.）EDITCAP 23317678.）NetworkMiner 2315570蜜罐技術(shù) 23181911.）端口蜜罐 23261715.3.2LINUX系統(tǒng)篇1.）端口蜜罐 2495992.)(PASSIVE)監(jiān)控DNS解析 2419981日志審計(jì) 2411078WINDOWS 2412578LINUX 268295響應(yīng)（取證） 279573.）網(wǎng)絡(luò)信息 28274524.）服務(wù)信息 29208405.）策略、補(bǔ)丁、環(huán)境變量信息 3054686.）自啟動(dòng)信息 30165866.2）使用autoruns 3121917.）取日志文件 368378.）文件、目錄、共享信息 36195883.）網(wǎng)絡(luò)信息 38302918.)簡(jiǎn)單基線檢查 4149099.)檢測(cè)rootkit 411151810.)FastirCollectorLinux，收集artefacts，包括：內(nèi)核版本、內(nèi)核模塊、網(wǎng)卡、系統(tǒng)版本、主機(jī)名、登錄、網(wǎng)絡(luò)連接、SSHknow_host、日志文件、進(jìn)程數(shù)據(jù)、自啟動(dòng)等信息 41432011.)SysdigandSysdigFalco行為監(jiān)控 4225365.4.2病毒樣本分析 4318105常用技巧和工具 455818技巧 4522734WINDOWS 4527642LINUX1.)SNORT 475936兵器譜 50216503.）REMNUX軟件逆向和病毒分析發(fā)行版 50224824.)OPENVAS 51293275.)SecurityOnion入侵檢測(cè)、網(wǎng)絡(luò)安全監(jiān)控、日志分析發(fā)行版 510x01前言紅藍(lán)對(duì)抗的思想最早可追溯到我國(guó)現(xiàn)存最早的一部兵書《孫子兵法》，在孫子·謀攻篇有這RedTeamsattackandBlueTeamsdefend,buttheprimarygoalissharedbetweenthem:improvethesecuritypostureoftheorganization.0x02準(zhǔn)備工作)組織結(jié)構(gòu)圖)全網(wǎng)拓?fù)鋱D)各系統(tǒng)邏輯結(jié)構(gòu)圖)各系統(tǒng)之間的調(diào)用關(guān)系)數(shù)據(jù)流關(guān)系)核心資產(chǎn)清單)應(yīng)急響應(yīng)計(jì)劃)業(yè)務(wù)連續(xù)性計(jì)劃)災(zāi)難恢復(fù)計(jì)劃0x03簡(jiǎn)單安全評(píng)估端口掃描和漏洞檢測(cè)主機(jī)發(fā)現(xiàn)（Ping）#nmap-sn-PEIP地址或地址段端口掃描#nmap–openIP地址或地址段服務(wù)版本檢測(cè)#nmap-sVIP地址或地址段掃描多個(gè)端口#nmap-p80,443IP地址或地址段UDP#nmap-sU-p53IP地址或地址段TCP/UDP（-Pn跳過(guò)主機(jī)發(fā)現(xiàn)）#nmap-v-Pn-SU-ST-pU:53,111,137,T:21-25,80,139,8080IP地址或地址段Nessus#nessus-q-x-Thtml服務(wù)器IP服務(wù)器端口管理員帳號(hào)密碼目標(biāo).txt輸出報(bào)告.htmlOPENVAS#apt-yinstallpcregrep#wgethttps://goo.gl/TYbLwE#chmod+xopenvas-automate.sh&&./openvas-automate.sh目標(biāo)IPWINDOWS網(wǎng)絡(luò)發(fā)現(xiàn)基本網(wǎng)絡(luò)發(fā)現(xiàn)：#C:>netview/all#C:>netview主機(jī)名Ping探測(cè)：#C:>for/L%Iin(1,1,254)doping-w30-n1192.168.1.%I|find"回復(fù)">>輸出.txtDHCP啟用DHCP服務(wù)器日志功能：#C:>regaddHKLMSystemCurrentControlSetServicesDhcpServerParameters/vActivityLogFlag/tREG_DWORD/d1默認(rèn)日志文件目錄：C:>%windir%System32DhcpDNS啟用DNS服務(wù)器日志功能：C:>DNSCmdDNS服務(wù)器名/config/logLevel0x8100F331#配置日志文件目錄:C:>DNSCmdDNS服務(wù)器名/config/LogFilePathC:dns.log#配置日志文件大小:C:>DNSCmdDNS服務(wù)器名/config/logfilemaxsize0xffffffff哈希值文件校驗(yàn)和完整性驗(yàn)證（FCIV）：Ref：\h/kb/841290#單個(gè)文件:C:>fciv.exe文件名#計(jì)算C盤所有文件并把結(jié)果保存到文件中:C:>fciv.exec:-r-sha1-xml結(jié)果.xml#列出所有hash值:C:>fciv.exe-list-sha1-xml結(jié)果.xml#certutil&PowerShell#certutil-hashfile文件名SHA1#PSC:>Get-FileHash文件名|Format-List#PSC:>Get-FileHash-algorithmmd5文件名NETBIOSnbtstat掃描#C:>nbtstat-A目標(biāo)IP地址NetBIOS緩存#C:>nbtstat-c批量掃描#C:>for/L%Iin(1,1,254)donbtstat-An192.168.1.%I微軟基線安全分析器(MBSA)掃描單個(gè)IP#C:>mbsacli.exe/targetIP地址/nos+iis+sql+password掃描IP地址段#C:>mbsacli.exe/rIP地址段/nos+iis+sql+passwordLINUX網(wǎng)絡(luò)發(fā)現(xiàn)查看開(kāi)放的SMB共享#smbclient-L目標(biāo)主機(jī)名Ping探測(cè)#foripinip>/dev/null;[Misplaced&ipUP"||:;doneDHCPDHCP#cat/var/lib/dhcpd/dhcpd.leasesDebian/Ubuntu#grep-Ei'dhcp'/var/log/syslog.1DNSDNS日志#rndcquerylog&&tail-f/var/log/messages|grepnamed哈希值計(jì)算某目錄下所有可執(zhí)行文件的HASH值#find/sbin-typef-execmd5sum{}>>md5sums.txt;#md5deep-rs/sbin>md5sums.txtNETBIOSnbtstat掃描#nbtscan目標(biāo)IP地址或IP地址段舉例：nbtscan-100安全加固WINDOWS禁用/停止服務(wù)#C:>scquery#C:>scconfig"服務(wù)名"start=disabled#C:>scstop"服務(wù)名"#C:>wmicservicewherename="服務(wù)名"callChangeStartmodeDisabled防火墻管理#列出所有規(guī)則:#C:>netshadvfirewallfirewallshowrulename=all#啟用或禁用防火墻:C:>netshadvfirewallsetcurrentprofilestateonC:>netshadvfirewallsetcurrentprofilefirewallpolicyblockinboundalways,allowoutboundC:>netshadvfirewallsetpublicprofilestateonC:>netshadvfirewallsetprivateprofilestateonC:>netshadvfirewallsetdomainprofilestateonC:>netshadvfirewallsetallprofilestateonC:>netshadvfirewallsetallprofilestateoff#配置舉例：netshadvfirewallfirewalladdrulename="開(kāi)放TCP:80端口"dir=inaction=allowprotocol=TCPlocalport=80netshadvfirewallfirewalladdrulename="TCP:443dir=inaction=allowprotocol=TCPlocalport=443netshadvfirewallfirewalladdrulename="TCP:445dir=inaction=blockprotocol=TCPlocalport=445netshadvfirewallfirewalladdrulename="允許MyApp"dir=inaction=allowprogram="C:MyAppMyApp.exe"enable=yesDNSNetios#C:>ipconfig/flushdns#C:>nbtstat-R應(yīng)用控制#AppLocker配置#導(dǎo)入Applocker模塊PSC:>import-moduleApplocker#查看system32目錄下所有exe文件的Applocker信息PSC:>Get-ApplockerFileinformation-DirectoryC:WindowsSystem32-Recurse-FileTypeExe#增加一條針對(duì)system32目錄下所有的exe文件的允許規(guī)則PSC:>Get-ChilditemC:WindowsSystem32*,exe|Get-ApplockerFileinformation|New-ApplockerPolicy-RuleTypePublisher,Hash-UserEveryone-RuleNamePrefixSystem32IPSEC#使用預(yù)共享密鑰的方式新建一條IPSEC本地安全策略，應(yīng)用到所有連接和協(xié)議C:>netshipsecstaticaddfilterfilterlist=MyIPsecFiltersrcaddr=Anydstaddr=Anyprotocol=ANYC:>netshipsecstaticaddfilteractionname=MyIPsecActionaction=negotiateC:>netshipsecstaticaddpolicyname=MyIPsecPolicyassign=yesC:>netshipsecstaticaddrulename=MyIPsecRulepolicy=MyIPsecPolicyfilterlist=MyIPsecFilterfilteraction=MyIPsecActionconntype=allactivate=yespsk=密碼#新建一條允許訪問(wèn)外網(wǎng)TCP80和443端口的IPSEC策略C:>netshipsecstaticaddfilteractionname=Allowaction=permitC:>netshipsecstaticaddfilterfilterlist=WebFiltersrcaddr=Anydstaddr=Anyprotocol=TCPdstport=80C:>netshipsecstaticaddfilterfilterlist=WebFiltersrcaddr=Anydstaddr=Anyprotocol=TCPdstport=443C:>netshipsecstaticaddrulename=WebAllowpolicy=MyIPsecPolicyfilterlist=WebFilterfilteraction=Allowconntype=allactivate=yespsk=密碼#查看和禁用某條IPSEC本地安全策略C:>netshipsecstaticshowpolicyname=MyIPsecPolicyC:>netshipsecstaticsetpolicyname=MyIPsecPolicyassign=no#新建一條IPSEC對(duì)應(yīng)的防火墻規(guī)則，源地址和目的地址為anyC:>netshadvfirewallconsecaddrulename="IPSEC"endpointl=anyendpoint2=anyaction=requireinrequireoutqmsecmethods=default#新建一條IPSEC對(duì)應(yīng)的防火墻規(guī)則，所有出站請(qǐng)求必須提供預(yù)共享密鑰C:>netshadvfirewallfirewalladdrulename="IPSEC_Out"dir=outaction=allowenable=yesprofile=anylocalip=anyremoteip=anyprotocol=anyinterfacetype=anysecurity=authenticate其他安全策略#禁用遠(yuǎn)程桌面連接C:>regadd"HKLMSYSTEMCurrentControlSetControlTerminalServer"/f/vfDenyTSConnections/tREG_DWORD/d1#只發(fā)送NTLMv2響應(yīng)（防止“永恒之藍(lán)”漏洞攻擊）C:>regaddHKLMSYSTEMCurrentControlSetControlLsa/vlmcompatibilitylevel/tREG_DWORD/d5/f#禁用IPV6C:>regaddHKLMSYSTEMCurrentControlSetservicesTCPIP6Parameters/vDisabledComponents/tREG_DWORD/d255/f#禁用sticky鍵C:>regadd"HKCUControlPanelAccessibilityStickyKeys"/vFlags/tREG_SZ/d506/f#禁用管理共享（Servers/Workstations）C:>regaddHKLMSYSTEMCurrentControlSetServicesLanmanServerParameters/f/vAutoShareServer/tREG_DWORD/d0C:>regaddHKLMSYSTEMCurrentControlSetServicesLanmanServerParameters/f/vAutoShareWks/tREG_DWORD/d0#禁用注冊(cè)表編輯器和CMD命令提示符C:>regaddHKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem/vDisableRegistryTools/tREG_DWORD/d1/fC:>regaddHKCUSoftwarePoliciesMicrosoftWindowsSystem/vDisableCMD/tREG_DWORD/d1/f#啟用UACC:>regaddHKLMSOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystem/vEnableLUA/tREG_DWORD/d1/f#啟用防火墻日志C:>netshfirewallsetloggingdroppedpackets=enableC:>netshfirewallsetloggingconnections=enableLINUX服務(wù)管理#查看服務(wù)狀態(tài)service–status-allps-efORps-auxinitctllistsystemctllist-unit-files#啟動(dòng)，停止和禁用服務(wù)#ForUpstartservices:/etc/init.d/apache2start|stop|statusserviceapache2start|stop|statusupdate-rc.dapache2disable#ForSystemdservices:systemctlstart|stop|statusntp.servicesystemctldisablesshd.service防火墻管理#iptables常用操作：iptables-save>filewall_rules.bak#導(dǎo)出當(dāng)前規(guī)則iptables-vnL–line#列出所有規(guī)則iptables-S#同上iptables-PINPUTDROP#默認(rèn)策略，禁止所有連接iptables-AINPUT-s0-jDROP#禁止單個(gè)IPiptables-AINPUTs10,10.10.0/24-jDROP#禁止一個(gè)網(wǎng)段iptables-AINPUT-ptcp–dportssh-s0-jDROP#禁止某IP訪問(wèn)本機(jī)SSH服務(wù)iptables-AINPUT-ptcp–dportssh-jDROP#禁止訪問(wèn)本機(jī)SSH服務(wù)iptables-IINPUT5-mlimit–limit5/min-jLOG–log-prefix"iptablesdenied:"–log-level7#啟用日志iptables-F#清除所有已加載的工作DNS#Unix/Linux系統(tǒng)沒(méi)有系統(tǒng)級(jí)別DNS緩存IPSEC#在兩臺(tái)服務(wù)器之間建立IPSEC通道1.）添加防火墻規(guī)則允許IPSEC協(xié)議iptables-AINPUT-pesp-jACCEPTiptables-AINPUT-pah-jACCEPTiptables-AINPUT-pudp–dport500-jACCEPTiptables-AINPUT-pudp–dport4500-jACCEPT2.）安裝Racoonapt-yinstallracoon3.）編輯配置文件：/etc/ipsec-tools.confflush;spdflush;spdadd主機(jī)A的IP地址主機(jī)B的IP地址any-Poutipsecesp/transport//require;spdadd主機(jī)BIP地址主機(jī)AIP地址any-Pinipsecesp/transport//require;4.）編輯配置文件：/etc/racoon/racoon.conflognotify;pathpre_shared_key"/etc/racoon/psk.txt";pathcertificate"/etc/racoon/certs";remoteanonymous{exchange_modemain,aggressive;proposal{ aes_256; hash_algorithmsha256; authentication_methodpre_shared_key;dh_groupmodp1024;}generate_policyoff;}sainfoanonymous{pfs_group2;encryption_algorithmaes_256;authentication_algorithmhmac_sha256;compression_algorithmdeflate;}5.）添加預(yù)共享密鑰主機(jī)A：echo主機(jī)B123>>/etc/racoon/psk.txt主機(jī)B：echo主機(jī)A123>>/etc/racoon/psk.txt6.)重啟服務(wù)，檢查協(xié)商及配置策略servicesetkeyrestartsetkey-Dsetkey-DP檢測(cè)（Visibility）網(wǎng)絡(luò)安全監(jiān)控?cái)?shù)據(jù)包捕捉與分析1.）TCPDUMPtcpdump-tttt-n-vv#打印時(shí)戳、不進(jìn)行名稱解析及verbose方式顯示tcpdump-nn-c1000|awk'{print$3}'|cut-d.-f1-4|sort-n|uniq-c|sort-nr#捕捉1000個(gè)數(shù)據(jù)包，找出Toptalkerstcpdump-wtarget.pcap-ianydsttargetIPandport80#在所有接口上捕捉目標(biāo)IP為：targetIP且端口為80的數(shù)據(jù)包并寫入target.pcap文件tcpdumphost&&host#捕捉兩個(gè)主機(jī)之間的數(shù)據(jù)包tcpdumpnotnet10.10&¬host#檢視非10.10網(wǎng)段及非主機(jī)的數(shù)據(jù)包tcpdumphost0&&(0or0)#檢視主機(jī)A和主機(jī)B或C的數(shù)據(jù)包tcpdump-ns0C100-w001.pcap100Mtcpdump-n-A-s0porthttporportftporportsmtporportimaporportpop3|egrep-is:|user:|username:|password:|login:|pass|user'–color=auto–line-buffered-B20#抓取明文密碼tcpdump-s1500-A'(tcp[((tcp[12:1]&0xf0)>>2)+5:1]=0x01)and(tcp[((tcp[12:1]&0xf0)>>2):1]=0x16)'#查找自簽名證書2.）TSHARKtshark-nr001.pcap-Y"ssl.handshake.ciphersuites"-Vx|grep"ServerName:"|sort|uniq-c|sort-r#提取證書ServerName字段tshark-D#列出所有接口tshark-ieth0-ieth1#監(jiān)聽(tīng)多個(gè)接口tshark-nn-w001.pcap#禁用名稱解析并保存到文件tsharkarporicmp#捕捉arp或者icmptshark"host主機(jī)A&&host主機(jī)B"#捕捉兩個(gè)主機(jī)之間的數(shù)據(jù)包tshark-r001.pcap#對(duì)已保存的數(shù)據(jù)包進(jìn)行分析tshark-n-eip.src-eip.dst-Tfields-Eseparator=,-2-Rip-r001.pcap#提取源/目的IP地址tshark-n-eip.src-edns,-Eseparator=';'-Tfieldsport53#提取DNS查詢的源IP及DNS查詢的域名tshark-2-Rhttp.request-Tfields-Eseparator=';'-ehttp.host-ehttp.request.uri-r001.pcap#提取HTTP請(qǐng)求中的host參數(shù)和請(qǐng)求uritshark-n-c150Iawk'{print$4}'Isort-n|uniq-c|sort-nr#提取toptalkerstshark-q-zio,phs-r001.pcap#協(xié)議統(tǒng)計(jì)tshark-n-c100-eip.src-Y"dns.flags.responseeq1"-Tfieldsport53#提取響應(yīng)的DNS服務(wù)器地址tshark-n-ehttp.request.uri-Yhttp.request-Tfields|grepexe#提取通過(guò)http下載exe可執(zhí)行文件的數(shù)據(jù)包3.）SNORTsnort-T-c/etc/snort/snort.conf#測(cè)試配置文件配置snort-dv-r001.log#分析數(shù)據(jù)包snort-dvr001.logicmp#取icmp數(shù)據(jù)包snort-Kascii-l001#抓包，ASCII格式顯示snort-q-Aconsole-ieth0-c/etc/snort/snort.conf#在終端打印snorteventsecho'logtcp/24any->522(msg:"sshaccess";sid:1618008;)'>001.rule&&snort-T-c001.rule#規(guī)則測(cè)試mkdirlogs&&snort-vd-c001.rule-r001.pcap-Aconsole-llogs#執(zhí)行規(guī)則4.）BroNSMapt-yinstallbrobro-auxpipinstallbro-pkgbro-pkginstallbro/hosom/file-extractionwgethttps://\h/2018/01/12/2018-01-12-NanoCore-RAT-traffic.pcap.zipwgethttps://\h/static/exchange-2013/faf-exercise.pcapbro-r2018-01-12-NanoCore-RAT-traffic.pcap#從pcap文件中讀取數(shù)據(jù)并創(chuàng)建相關(guān)日志文件bro-rfaf-exercise.pcap/root/.bro-pkg/scratch/file-extraction/scripts/plugins/extract-pe.bro&&ls-lhct./extract_files/#提取exe文件bro-rfaf-exercise.pcap/usr/share/bro/policy/frameworks/files/extract-all-files.bro#提取多個(gè)類型的文件bro-C-rfaf-exercise.pcap&&catssl.log|bro-cutserver_name,subject,issuer#提取證書中的server_name,issuer和subjects字段catconn.log|bro-cutid.orig_h,id.orig_p,id.resp_h,id.resp_p,proto,conn_state#提取源IP，源端口，目的IP，目的端口，協(xié)議類型，tcp標(biāo)記catdns.log|bro-cutquery|sort-u#提取DNS查詢namecathttp.log|bro-cutid.orig_h,id.orig_p,id.resp_h,id.resp_p,host,uri,referrer#提取源IP，源端口，目的IP，目的端口，host，uri，referrer字段cathttp.log|bro-cutuser_agent|sort-u#提取user_agent字段5.）EDITCAPeditcap-Fpcap-c1000orignal.pcapout_split.pcap#以1000為單位進(jìn)行分割editcap-Fpcap-t+3600orignal.pcapout_split.pcap#以1小時(shí)為單位進(jìn)行分割6.）MERGECAPmergecap-wmerged_cap.pcapcapl.pcapcap2.pcapcap3.pcap#合并多個(gè)文件7.）PacketTotalhttps://\h/app/analysis?id=c8c11b792272ac19a49299a3687466be&name=files8.）NetworkMiner\hhttp://netres.ec/?b=173588E蜜罐技術(shù)WINDOWS1.）端口蜜罐#原理：監(jiān)聽(tīng)一些端口，客戶端成功建立TCP連接后，記錄訪問(wèn)日志，然后添加防火墻規(guī)則封禁此IPPSC:>certutil.exe-urlcache-split-f/Pwdrkeg/honeyport/master/honeyport.ps1PSC:>.honeyport.ps1-Ports4444,22,21,23-WhiteList,-Block$true-VerbosePSC:>Get-EventLogHoneyPort#查看日志信息PSC:>stop-job-nameHoneyPort#停止任務(wù)PSC:>remove-job-nameHoneyPort#移除任務(wù)5.3.2LINUX系統(tǒng)篇1.）端口蜜罐#原理同上wget/gchetrick/honeyports/master/honeyports-0.5.pypythonhoneyports-0.5.py-p1234-h00-D2.)(PASSIVE)監(jiān)控DNS解析apt-yinstalldnstopdnstop-l3eth0dnstop-l3001.pcap|out.txt日志審計(jì)WINDOWS#增加日志文件大小進(jìn)行日志審計(jì)C:>regaddHKLMSoftwarePoliciesMicrosoftWindowsEventlogApplication/vMaxSize/tREG_DWORD/d0x19000C:>regaddHKLMSoftwarePoliciesMicrosoftWindowsEventlogSecurity/vMaxSize/tREG_DWORD/d0x64000C:>regaddHKLMSoftwarePoliciesMicrosoftWindowsEventLogSystem/vMaxSize/tREG_DWORD/d0x19000#查看Windows事件日志-安全日志的配置C:>wevtutilglSecurity#檢查審核策略auditpol/get/category:*#對(duì)所有項(xiàng)啟用成功和失敗的審核策略C:>auditpol/set/category:*/success:enable/failure:enable#查看已配置的事件日志的概要信息PSC:>Get-Eventlog-list#取最近5條應(yīng)用程序日志PSC:>Get-Eventlog-newest5-lognameapplication|Format-List#取EentID：4672的所有日志PSC:>Get-EventlogSecurity|?{$_.Eventid-eq4672}#登錄與注銷事件PSC:>Get-EventlogSecurity4625,4634,4647,4624,4625,4648,4675,6272,6273,6274,6275,6276,6277,6278,6279,6280,4649,4778,4779,4800,4801,4802,4803,5378,5632,5633,4964-after((get-date).addDays(-1))#DPAPI行為，進(jìn)程終止，RPC事件PSC:>Get-EventLogSecurity4692,4693,4694,4695,4689,5712-after((get-date).addDays(-1)#文件共享，文件系統(tǒng)，SAM，注冊(cè)表，證書時(shí)間PSC:Get-EventLogSecurity660,4661,4663,4656,4658,4690,4874,4875,4880,4881,4882,4884,4885,4888,4890,4891,4892,4895,4896,4898,5145,5140,5142,5143,5144,5168,5140,5142,5143,5144,5168,5140,5142,5143,5144,5168,4664,4985,5152,5153,5031,5140,5150,5151,5154,5155,5156,5157,5158,5159-after((get-date).addDays(-1))#查看EentID：4672的詳細(xì)信息Get-EventlogSecurity|?{$_.Eventid-eq4672}|Format-ListLINUX#認(rèn)證日志tail/var/log/auth.loggrep-i"fail"/var/log/auth.logtail/var/log/securegrep-i"fail"/var/log/securesamba，cron,sudo/var/log/sysloggrep-isamba/var/log/messagesgrep-icron/var/log/sysloggrep-isudo/var/log/auth.loggrep-isudo/var/log/secure#Apache404錯(cuò)誤日志grep404apache.log|grep-v-E"favicon.ico|robots.txt"#監(jiān)控新文件，5分鐘刷新一次watch-n300-dls-lR/web_root響應(yīng)（取證）WINDOWS1.）系統(tǒng)信息C:>echo%DATE%%TIME%C:>hostnameC:>systeminfoC:>systeminfo|findstr/B/C:"OSName"/C:"OSVersion"C:>wmiccsproductgetnameC:>wmicbiosgetserialnumberC:>wmiccomputersystemlistbriefC:>psinfo-accepteula-s-h-d2.）用戶信息C:>whoamiC:>netusersC:>netlocalgroupadministratorsC:>netgroupadministratorsC:>wmicrdtogglelistC:>wmicuseraccountlistC:>wmicgrouplistC:>wmicnetlogingetname,lastlogon,badpasswordcountC:>wmicnetclientlistbriefC:>doskey/history>history.txt3.）網(wǎng)絡(luò)信息C:>netstat-eC:>netstatC:>netstat-nrC:>netstat-vbC:>nbtstat-sC:>routeprintC:>arp-aC:>ipconfig/displaydnsC:>netshwinhttpshowproxyC:>ipconfig/allcompartments/allC:>netshwlanshowinterfacesC:>netshwlanshowallC:>regquery"HKLMSOFTWAREMicrosoftWindowsCurrentVersionInternetSettingsConnectionsWinHttpSettings"C:>type%SYSTEMROOT%system32driversetchostsC:>wmicnicconfiggetdescriptions,IPaddress,MACaddressC:>wmicnetusegetname,username,connectiontype,localname4.）服務(wù)信息C:>atC:>tasklistC:>tasklist/svcC:>tasklist/SVC/fi"imagenameeqsvchost.exe"C:>tasklist/SVC/fi"imagenameeqsvchost.exe"C:>schtasksC:>netC:>scC:>wmicservicelistbrief|findstr"Running"C:>wmicservicelistconfigC:>wmicprocesslistbriefC:>wmicprocessliststatusC:>wmicprocesslistmemoryC:>wmicjoblistbriefPSC:>Get-Service|Where-Object{$_.Status-eq"running"}5.）策略、補(bǔ)丁、環(huán)境變量信息C:>setC:>gpresult/rC:>gpresult/z>output.txtC:>gpresult/Hreport.html/FC:>wmicqfe6.）自啟動(dòng)信息C:>wmicstartuplistfullC:>wmicntdomainlistbrief6.1）檢查自啟動(dòng)文件目錄C:>dir"%SystemDrive%ProgramDataMicrosoftWindowsStartMenuProgramsStartup"C:>dir"%SystemDrive%DocumentsandSettingsAllUsersStartMenuProgramsStartup"C:>dir%userprofile%StartMenuProgramsStartupC:>%ProgramFiles%StartupC:>dirC:WindowsStartMenuProgramsstartupC:>dir"C:Users%username%AppDataRoamingMicrosoftWindowsStartMenuProgramsStartup"C:>dir"C:ProgramDataMicrosoftWindowsStartMenuProgramsStartup"C:>dir"%APPDATA%MicrosoftWindowsStartMenuProgramsStartup"C:>dir"%ALLUSERSPROFILE%MicrosoftWindowsStartMenuProgramsStartup"C:>dir"%ALLUSERSPROFILE%StartMenuProgramsStartup"C:>typeC:Windowswinstart.batC:>type%windir%wininit.iniC:>type%windir%win.iniC:>typeC:Autoexec.bat"6.2）使用autorunsC:>autorunsc-accepteula-m6.3）自啟動(dòng)注冊(cè)表位置HKEY_CLASSES_ROOT:C:>regqueryHKCRComfileShellOpenCommandC:>regqueryHKCRBatfileShellOpenCommandC:>regqueryHKCRhtafileShellOpenCommandC:>regqueryHKCRExefileShellOpenCommandC:>regqueryHKCRExefilesShellOpenCommandC:>regqueryHKCRpiffileshellopencommandHKEY_CURRENT_USERS:C:>regquery"HKCUControlPanelDesktop"C:>regquery"HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerRun"C:>regquery"HKCUSoftwareMicrosoftWindowsCurrentVersionRun"C:>regquery"HKCUSoftwareMicrosoftWindowsCurrentVersionRunonce"C:>regquery"HKCUSoftwareMicrosoftWindowsCurrentVersionRunOnceEx"C:>regquery"HKCUSoftwareMicrosoftWindowsCurrentVersionRunServices"C:>regquery"HKCUSoftwareMicrosoftWindowsCurrentVersionRunServicesOnce"C:>regquery"HKCUSoftwareMicrosoftWindowsCurrentVersionWindowsRun"C:>regquery"HKCUSoftwareMicrosoftWindowsCurrentVersionWindowsLoad"C:>regquery"HKCUSoftwareMicrosoftWindowsCurrentVersionWindowsScripts"C:>regquery"HKCUSoftwareMicrosoftWindowsNTCurrentVersionWindows"/frunC:>regquery"HKCUSoftwareMicrosoftWindowsNTCurrentVersionWindows"/floadC:>regquery"HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerRun"C:>regquery"HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerRecentDocs"C:>regquery"HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerComDlg32LastVisitedMRU"C:>regqueryU"C:>regquery"HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerComDlg32LastVisitedPidlMRU"C:>regquery"HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerComD1g32OpenSavePidlMRU"/sC:>regquery"HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerRunMRU"C:>regquery"HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerShellFolders"C:>regquery"HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerUserShellFolders"C:>regquery"HKCUSoftwareMicrosoftWindowsCurrentVersionAppletsRegEdit"/vLastKeyC:>regquery"HKCUSoftwareMicrosoftInternetExplorer"TypedURLsC:>regquery"HKCUSoftwarePoliciesMicrosoftWindowsControlPanelDesktop"HKEY_LOCAL_MACHINE:C:>regquery"HKLMSOFTWAREMicrosoftActiveSetupInstalledComponents"/sC:>regquery"HKLMSOFTWAREMicrosoftWindowsCurrentVersionexplorerUserShellFolders"C:>regquery"HKLMSOFTWAREMicrosoftWindowsCurrentVersionexplorerShellFolders"C:>regquery"HKLMSoftwareMicrosoftWindowsCurrentVersionexplorerShellExecuteHooks"C:>regquery"HKLMSOFTWAREMicrosoftWindowsCurrentVersionExplorerBrowserHelperObjects"/sC:>regquery"HKLMSOFTWAREMicrosoftWindowsCurrentVersionPoliciesExplorerRun"C:>regquery"HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun"C:>regquery"HKLMSOFTWAREMicrosoftWindowsCurrentVersionRunonce"C:>regquery"HKLMSOFTWAREMicrosoftWindowsCurrentVersionRunOnceEx"C:>regquery"HKLMSOFTWAREMicrosoftWindowsCurrentVersionRunServices"C:>regquery"HKLMSOFTWAREMicrosoftWindowsCurrentVersionRunServicesOnce"C:>regquery"HKLMSOFTWAREMicrosoftWindowsCurrentVersionWinlogonUserinit"C:>regquery"HKLMSOFTWAREMicrosoftWindowsCurrentVersionshellServiceObjectDelayLoad"C:>regquery"HKLMSOFTWAREMicrosoftWindowsNTCurrentVersionScheduleTaskCacheTasks"/sC:>regquery"HKLMSOFTWAREMicrosoftWindowsNTCurrentVersionWindows"C:>regquery"HKLMSOFTWAREMicrosoftWindowsNTCurrentVersionWindows"/fAppinit_DLLsC:>regquery"HKLMSOFTWAREMicrosoftWindowsNTCurrentVersionWinlogon"/fShellC:>regquery"HKLMSOFTWAREMicrosoftWindowsNTCurrentVersionWinlogon"/fUserinitC:>regquery"HKLMSOFTWAREPoliciesMicrosoftWindowsSysternScripts"C:>regquery"HKLMSOFTWAREClassesbatfileshellopencornrnand"C:>regquery"HKLMSOFTWAREClassescornfileshellopencornrnand"C:>regquery"HKLMSOFTWAREClassesexefileshellopencommand"C:>regquery"HKLMSOFTWAREClasseshtafileShellOpenCommand"C:>regquery"HKLMSOFTWAREClassespiffileshellopencommand"C:>regquery"HKLMSOFTWAREWow6432NodeMicrosoftWindowsCurrentVersionExplorerBrowserHelperObjects"/sC:>regquery"HKLMSYSTEMCurrentControlSetControlSessionManager"C:>regquery"HKLMSYSTEMCurrentControlSetControlSessionManagerKnownDLLs"C:>regquery"HKLMSYSTEMControlSet001ControlSessionManagerKnownDLLs"7.）取日志文件C:>wevtutileplSecurityC:bakSecurity-logs.evtxC:>wevtutileplSystemC:bakSystem-logs.evtxC:>wevtutileplApplicationC:bakApplication-logs.evtx8.）文件、目錄、共享信息C:>netuse目標(biāo)IPC:>netshareC:>netsessionC:>wmicvolumelistbriefC:>wmiclogicaldiskgetdescription,filesystem,name,sizeC:>wmicsharegetname,path#查找多個(gè)類型的文件或某個(gè)文件C:>dir/A/S/T:A*.exe*.dll*.bat*.PS1*.zipC:>dir/A/S/T:Aevil.exe#查找2017/1/1之后創(chuàng)建的文件C:>forfiles/pC:/M*.exe/S/D+2017/1/1/C"cmd/cecho@fdate@ftime@path"C:>for%Gin(.exe,.dll,.bat,.ps)doforfiles-p"C:"-m*%G-s-d+2017/1/1-c"cmd/cecho@fdate@ftime@path"#查找文件大小>20MB的文件forfiles/S/M*/C"cmd/cif@fsizeGEQ2097152echo@path@fsize"#在AlternateDataStreams中查找文件C:>streams-s文件或目錄#檢查數(shù)字簽名，vt掃描C:>sigcheck-e-u-vr-sC:C:>listdlls.exe-u#掃描病毒C:>"C:ProgramFilesWindowsDefenderMpCmdRun.exe"-SignatureUpdateC:>"C:ProgramFilesWindowsDefenderMpCmdRun.exe"-Scan“LINUX1.）系統(tǒng)信息uname-auptimetimedatectlmount2.）用戶信息Wlastloglastfaillog-acat/etc/passwdcat/etc/shadowcat/etc/groupcat/etc/sudoers#查找UID為0的用戶awk-F:'($3=="0"){print}'/etc/passwdegrep':0+'/etc/passwdcat/root/.ssh/authorized_keyslsof-urootcat/root/.bash_history3.）網(wǎng)絡(luò)信息#查看網(wǎng)絡(luò)接口ifconfigORipal#查看監(jiān)聽(tīng)端口netstattupnl#查看網(wǎng)絡(luò)連接netstat-tupnlanetstat-tupnlax#路由信息routeORnetstat-rORiprl#ARP表arp-ne#監(jiān)聽(tīng)端口的進(jìn)程lsof-i4.）服務(wù)信息#列出所有進(jìn)程psauxORps-ef#已加載內(nèi)核模塊lsmod#打開(kāi)的文件lsoflsof-clsof-pPIDlsof-nPi|cut-f1-d""|uniq|tail-n+2#監(jiān)控日志less+F/var/log/messagestail-F/var/log/messagesjournalctl-ussh.service-f#列出所有服務(wù)chkconfig–listsystemctllist-units5.）#檢查pam.d/etc/pam.d/common*#自啟動(dòng)信息–計(jì)劃任務(wù)crontab-lcrontab-uroot-lcat/etc/crontabls/etc/cron,*6.）命令歷史cat/root/.*history7.）df-ahls-lhcta/etc/init.d/stat-xfilenamefilefilename#特殊屬性文件lsattr-R/|grep"-i-"#全局可寫文件find/-xdev-typed(-perm-0002-a!-perm-1000)-print#某時(shí)間點(diǎn)之后新建的文件find/-newermt2018-01-22q#打印文件的所有屬性信息find/labs-printf"%m;%Ax;%AT;%Tx;%TT;%Cx;%CT;%U;%G;%s;%pn"#查看文件的元數(shù)據(jù)stat文件名8.)簡(jiǎn)單基線檢查wget/pentestmonkey/unix-privesc-check/1_x/unix-privesc-check&&./unix-privesc-check>output.txt9.)檢測(cè)rootkitchkrootkitrkhunter–update&&rkhunter-checktiger&&less/var/log/tiger/security.report.*lynis&&lynisauditsystem&&more/var/logs/lynis.log10.)FastirCollectorLinux，收集artefacts，包括：內(nèi)核版本、內(nèi)核模塊、網(wǎng)卡、系統(tǒng)版本、主機(jī)名、登錄、網(wǎng)絡(luò)連接、SSHknow_host、日志文件、進(jìn)程數(shù)據(jù)、自啟動(dòng)等信息wget/SekoiaLab/Fastir_Collector_Linux/master/fastIR_collector_linux.pypythonfastIR_collector_linux.py–debug–output_diroutput11.)SysdigandSysdigFalco行為監(jiān)控#觀察root用戶查看過(guò)的目錄sysdig-p"%evt.arg.path""evt.type=chdirand=root"#觀察SSHD行為sysdig-A-cecho_fds=/dev/ptmxand=sshd#id為5459的登錄shell執(zhí)行過(guò)的所有命令sysdig-rtrace.scap.gz-cspy_usersproc.loginshellid=5459#安裝，啟動(dòng)falcocurl-s//DRAIOS-GPG-KEY.public|apt-keyadd-curl-s-o/etc/apt/sources.list.d/draios.list\h/stable/deb/draios.listsudoaptupdateapt-yinstallmodprobesysdig-probeservicefalcostartfalco5.4.2病毒樣本分析#靜態(tài)分析#掛載Sysinternals工具集tools#檢查數(shù)字簽名C:>sigcheck.exe-u-eC:malwareC:>sigcheck.exe-vtmalware.exe#16機(jī)制和ASCII方式查看PE文件hexdump-C-n500malware.exeod-xmailware.exexxdmalware.exestrings-amalware.exe|more#內(nèi)存鏡像分析pythonvol.py-fmalware_memory_dump.raw-profile=Win7SPFix64malfind-D/outputpythonvol.py-fmalware_memory_dump.raw-profile=Win7SPFix64malfind-pPID-D/outputpythonvol.py-fmalware_memory_dump.raw-profile=Win7SPFix64pslistpythonvol.py-fmalware_memory_dump.raw-profile=Win7SPFix64pstreepythonvol.py-fmalware_memory_dump.raw-profile=Win7SPFix64dlllistpythonvol.py-fmalware_memory_dump.raw-profile=Win7SPFix64dlldump-D/output#HASH分析curl-v–requestPOST–urlhttps://\h/vtapi/v2/file/report'-dapikey=VTAPIKEY-d'resource=樣本文件hash'curl-v-F'file=malware.exe'-Fapikey=VTAPIKEY>http\hs://www.virustota\hl.co\hm/vtapi/v2/file/scanwhois-hhash,樣本文件hash#獲取磁盤和內(nèi)存鏡像#WINDOWSC:>psexec.exeIP-u<DOMAIN>administrator-p123-cmdd_l.3.exe–oC:memory.dmpC:>dc3dd.exeif=.c:of=d:diskiamge.ddhash=md5log=d:output.log#LINUXddif=/dev/fmemof=/tmp/mem_dump.dd#使用LiMEget/504ensicslabs/LiME/archive/master.zipunzipmaster.zipcdLiME-master/srcmakecplime-*.ko/media/USB/insmodlime-3.13.0-79-generic.ko"path=/media/USB/mem_dump.limeformat=raw"#從內(nèi)存中拷貝PE文件cp/proc/進(jìn)程ID/exe/output#創(chuàng)建進(jìn)程coredumpgcore進(jìn)程IDstrings-agcore.*|moreddif=/dev/sdaof=/root/sda.ddddif=/dev/sda|sshroot@RemoteIP"ddof=/root/sda.dd"#通過(guò)netcat傳送接收鏡像文件bzip2-c/dev/sda|nc53nc-p53-l|bzip2-d|ddof=/root/sda.dd常用技巧和工具技巧WINDOWS#將命令結(jié)果通過(guò)管道輸出到粘帖板，然后將粘帖板的內(nèi)容重定向到文件C:>some_command.exe|clipPSC:>Get-Clipboard>clip