
应急响应

入侵排查思路:

svchost.exe 和 rundll32.exe 都是合法的系统宿主进程,常被用来加载(注入)恶意 DLL;排查时应核对其父进程、命令行参数以及所加载 DLL 的路径和数字签名,而不是只看进程名。

检查系统账号

dir C:\Users  (原文 C:\User 路径有误。配合 net user 对比账号列表;以 $ 结尾的隐藏账号在 net user 中不显示,需在 lusrmgr.msc 或注册表 SAM 中核对。)

检查异常端口、进程

hibit

检查启动项、计划任务、服务

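:: Autostart (Run) keys — one query per line. The original put both queries on
:: a single line, which hands the second "reg query ..." to the first call as
:: extra arguments and fails.
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
:: RunOnce and the 32-bit (Wow6432Node) view are equally common persistence spots.
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce"
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run"

:: Scheduled tasks: /v adds author, command line and trigger; /fo LIST keeps
:: the wide fields readable.
schtasks /query /fo LIST /v

:: Services (the heading lists services but no command was given for them).
sc query type= service state= all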

# Quick dump of every failed logon (event 4625) in the Security log.
# Reading the Security log requires an elevated shell; Get-WinEvent reports
# an error (not an empty table) when no matching events exist.
Get-WinEvent -FilterHashtable @{ ID = 4625; LogName = 'Security'; ProviderName = 'Microsoft-Windows-Security-Auditing' } |
    Format-Table -Property TimeCreated, ProviderName, Id, LevelDisplayName, Message -AutoSize

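# Failed logons (4625): which account was targeted, how (LogonType) and from
# where (WorkstationName / SourceIp). Requires an elevated shell.
#
# Fields are read by NAME from the event XML rather than by Properties[] index.
# The original indices were wrong for 4625 ([8] is FailureReason, not the
# account; [11] is LogonProcessName, not LogonType; [19] is IpAddress, not the
# workstation; [23] does not exist), and its 'IpAddress=' regex never matched
# because the IpAddress field holds the bare address — so SourceIp was always
# empty. $_.Provider.Name and $_.Level.DisplayName also resolve to $null; the
# record exposes ProviderName and LevelDisplayName directly.
#
# On a busy host bound the query: add StartTime=(Get-Date).AddDays(-7) to the
# hashtable or pass -MaxEvents.
Get-WinEvent -FilterHashtable @{LogName='Security'; ProviderName='Microsoft-Windows-Security-Auditing'; ID=4625} |
ForEach-Object {
    # name -> value map built from <EventData><Data Name="...">value</Data>
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # '-' means no network source (local/console attempt). IPv6 and
    # ::ffff:x.x.x.x forms are kept as-is instead of being dropped.
    $sourceIp = $data['IpAddress']
    if ($sourceIp -eq '-') { $sourceIp = $null }

    [PSCustomObject]@{
        TimeCreated      = $_.TimeCreated
        ProviderName     = $_.ProviderName
        EventId          = $_.Id
        LevelDisplayName = $_.LevelDisplayName
        AccountName      = $data['TargetUserName']
        Domain           = $data['TargetDomainName']
        LogonType        = $data['LogonType']
        # SubStatus separates bad password (0xC000006A) from unknown user
        # (0xC0000064) and lockout (0xC0000234): password spraying vs. user
        # enumeration look different here.
        SubStatus        = $data['SubStatus']
        WorkstationName  = $data['WorkstationName']
        SourceIp         = $sourceIp
        Message          = $_.Message
    }
} |
Format-Table TimeCreated, ProviderName, EventId, LevelDisplayName, AccountName, Domain, LogonType, SubStatus, WorkstationName, SourceIp, Message -AutoSize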

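# Successful logons (4624). Requires an elevated shell.
#
# Fields are read by NAME from the event XML rather than by Properties[] index.
# In the original, [19] is IpPort on 4624 (IpAddress is [18]) and the
# 'IpAddress=' regex never matched the bare address, so SourceIp was always
# empty; newer Windows builds also append fields to 4624, which makes
# positional indices fragile. $_.Provider.Name and $_.Level.DisplayName resolve
# to $null; the record exposes ProviderName and LevelDisplayName directly.
#
# 4624 is very noisy (service, machine-account and SYSTEM logons). Bound the
# query (StartTime in the hashtable or -MaxEvents) and triage LogonType first:
# 10 = RDP, 3 = network (SMB/WinRM/PsExec-style), 2 = console, 7 = unlock.
Get-WinEvent -FilterHashtable @{LogName='Security'; ProviderName='Microsoft-Windows-Security-Auditing'; ID=4624} |
ForEach-Object {
    # name -> value map built from <EventData><Data Name="...">value</Data>
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # '-' means no network source (local logon). IPv6 forms are kept as-is.
    $sourceIp = $data['IpAddress']
    if ($sourceIp -eq '-') { $sourceIp = $null }

    [PSCustomObject]@{
        TimeCreated      = $_.TimeCreated
        ProviderName     = $_.ProviderName
        EventId          = $_.Id
        LevelDisplayName = $_.LevelDisplayName
        AccountName      = $data['TargetUserName']
        Domain           = $data['TargetDomainName']
        LogonType        = $data['LogonType']
        WorkstationName  = $data['WorkstationName']
        SourceIp         = $sourceIp
        Message          = $_.Message
    }
} |
Format-Table TimeCreated, ProviderName, EventId, LevelDisplayName, AccountName, Domain, LogonType, WorkstationName, SourceIp, Message -AutoSize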

1、检查服务器是否存在弱口令;用 netstat -ano 查看开放端口和当前外联连接,记下可疑连接对应的 PID 以便下一步关联进程

2、tasklist /SVC 查看进程及其承载的服务;tasklist /M 查看进程加载的 DLL(/SVC 本身不显示 DLL);用 findstr <PID> 按 PID 过滤,关联上一步 netstat 的结果

3、wmic process get Caption,Commandline,Processid 获取进程完整命令行(wmic 在新版 Windows 中已弃用,可改用 Get-CimInstance Win32_Process | Select-Object Name,CommandLine,ProcessId)

4、dir /s /a C:\aaa* 搜索文件(加 /a 才会包含隐藏和系统属性的文件,木马常以这种方式藏身)

5、taskkill /pid PID /T /F 强制结束进程及其子进程(需要取证时,应先保留样本文件和内存转储,再结束进程)