什么是DFIR?
数字取证和事件响应(Digital Forensics and Incident Response, DFIR)是一个多学科专业,专注于识别、调查和补救网络安全事件的专业领域。简而言之,DFIR 是一种混合技术,涉及各种各样的技,例如包括收集、保存和分析取证证据等等,以描绘事件的完整、详细过程。
技术能力
文件系统取证
当人们想到DFIR中的DF时,大多数人会想到文件系统取证,文件系统取证是数字犯罪取证调查领域重要技术之一。
内存取证
磁盘取证是一种成熟的能力,许多组织已经非常擅长分析系统是否存在漏洞。因此,攻击者转向(更倾向)使用无文件类型(即内存)的技术。像内存驻留恶意软件这样的东西无法在磁盘上检测到,所以DFIR不得不转而分析内存本身。
网络取证
在恶意软件分析和内存和磁盘取证之间,我们已经分析了主机,但几乎所有事件都涉及大量的网络活动。像在钓鱼电子邮件或在挂马的网站浏览中中招,恶意软件信标连回去,然后偷偷泄露出数据。。,所以,这些都需要了解如何分析网络捕获。
恶意软件分析
可能你会说 what?什么玩意,我还需要学这东西?。。好吧,也许大多数都不同意我的观点。so what!其实,我不认为每个 DFIR 都需要很精通汇编,是个逆向工程大手子。逆向工程很难,这是最难掌握的技能之一,而且并不总是100%必要的(尽管通常非常有用)。但是,从恶意软件收集数据的能力,是非常必要的,如果你有个想做高水平技术人员的心,所以这也是每个DFIR都应该具备的一套技能。
日志分析
日志分析实际上是我们谈论最少,但可能最终却做得最多的技术技能。SIEM让我们不需要这样做,但是大多数更好的 DFIR 仍然花费大量时间来研究日志。
情报分析
情报分析涉及从多个来源收集有关潜在敌人的数据和信息,以预测他们的行为以及他们可能构成的任何可能威胁。
红队学习
了解你的敌人做了什么以及他们是如何做的,即使是笼统理解一下,也是非常有用的。多花时间了解下攻击技术实现上什么是容易的,什么是困难的,什么是不可能的,这很关键。
自动化能力
“一名优秀的黑客肯定是一个优秀的程序员,但是一个优秀的程序员不一定是黑客”。这是在安全行业广泛流传着的一句话,是的,这个行业需要更多的各种安全人员成为更好的开发人员。技术变化很快
我相信的关键之一是需要更多的各种安全人员成为更好的开发人员。技术变化很快,防御行动迅速,如果你还在等待公司或开源项目来构建所需要的工具,那么你将永远落后。一个好的安全人员是有能力创建自己的工具的,即使它只是基本的脚本。能够编写代码决定你的行业高度!
积累经验
成为一名出色的 DFIR 最重要的部分之一就是经验。学习很棒,阅读和学习可以教很多东西,但没有什么比实际行动教会的更多。有些东西可以在家里坐在电脑学会,但是有些事情,一定规模的事情,只能在现实世界中完成,所以找个好班上去处理实际事件去吧。
六边形战士?
上面的列表涵盖了 DFIR 拥有的广泛技能。那么每个人都是所有这些技能的大师吗?完全不是(好吧,我认识有些人可能是这样的,但这完全是不正常的)。大多数 DFIR 专注于几个方面,而对其他方面知之甚少。
所以绝大多数 DFIR并不是全面六边形战士,而是 T 型人,他们在特定领域拥有深厚的技能,而在其他领域的技能比较有限。使 DFIR 与许多其他职业不同的一件事是大多数 DFIR 是所有行业类型的杰作。没有人可以成为所有领域的专家,但你应该拥有全面的实力。
我不擅长恶意软件分析,但我可以做一点。同时,我比大多数人更擅长网络取证。—这将让你从人群中脱颖而出
这就是所有吗?NO。随着技术的进步,优秀的DFIR分析师还需要许多其他方面和技能。网络安全整个领域都是不断学习和不断成长的。
事件响应和安全运营基础
我们需要了解必要的术语和基础知识,以便对“事件响应”以及执行事件响应的不同步骤有一个合理的理解
我们将探讨以下几点:
攻击向量分析
事件响应基础
事件响应标准和指南
事件响应流程
事件响应团队
安全运营中心
攻击向量分析
攻击向量是一种攻击者用来利用漏洞的路径或手段,换句话说,用于攻击资产的方法称为威胁向量或攻击向量。可以分析攻击向量。通过研究受攻击面,比如应用程序的入口点、api、文件、数据库、用户接口等等。当面对大量的记录时,可以划分不同的类别的模型
事件响应基础
事件响应定义如下:“事件响应是解决和管理安全漏洞或网络攻击(也称为IT事件、计算机事件或安全事件)后果的一种有组织的方法。我们的目标是以一种限制损害、减少恢复时间和成本的方式处理这种情况。”
但什么是信息安全事件?
事件是系统或网络中任何可观察到的事件。事件包括连接到文件共享的用户、接收网页请求的服务器、发送电子邮件的用户以及阻止连接尝试的防火墙。事件是具有负面后果的事件,例如系统崩溃、数据包泛滥、未经授权使用系统权限、未经授权访问敏感数据以及执行破坏数据的恶意软件。在事件响应操作期间,需要收集大量组件资源。例如:
IP 地址
域名
URL
系统调用
进程
服务和端口
文件哈希
事件响应流程
与任何方法操作一样,事件响应需要经过一系列明确定义的步骤:
基本步骤
应急响应操作可分为以下几个步骤:收集信息 -> 判断类型 -> 深入分析 -> 清理处置 -> 产出报告。
收集信息:收集客户、业务方反馈的信息,各类安全设备/系统的安全告警
判断类型:结合已有信息,判断是否为安全事件,确认后启动应急响应标准流程。以及初步何种安全事件(勒索、挖矿、断网、DoS等),根据安全事件类型来调用相关资源和工具启动调查。
深入分析:通过以下几个方面的初步分析,复原攻击路径、攻击手法,找出确定的样本和网络外联信息,便于下一步的清理处置(注意,为即使止损,分析阶段与清理处置过程可以并行)
日志分析
进程分析
启动项分析
样本分析
清理处置:进行入侵的深入分析、固定证据后。清理相关进程、文件;阻断网络连接;恢复启动项、业务服务;对软件系统进行升级或补丁修复
产出报告:整理并输出完整的安全事件报告
PDCERF模型
PDCERF 方法论是一种防范使用的方法,其将应急响应分成六个阶段,分别是准备阶段(Preparation)、检测阶段(Detection)、抑制阶段(Containment)、根除阶段(Eradication)、恢复阶段(Reconvery)、总结阶段(Follow-up)。[2]
图:PDCERF流程图
-
准备阶段:
准备阶段以预防为主。
主要工作涉及识别机构、企业的风险,建立安全政策,建立协作体系和应急制度
按照安全政策配置安全设备和软件,为应急响应与恢复准备主机
依照网络安全措施,进行一些准备工作,例如,扫描、风险分析、打补丁等
如有条件且得到许可,可建立监控设施,建立数据汇总分析体系,制定能够实现应急响应目标的策略和规程,建立信息沟通渠道,建立能够集合起来处理突发事件的体系
-
检测阶段:
检测阶段主要检测事件是已经发生的还是正在进行中的,以及事件产生的原因
确定事件性质和影响的严重程度,以及预计采用什么样的专用资源来修复
选择检测工具,分析异常现象,提高系统或网络行为的监控级别,估计安全事件的范围
通过汇总,查看是否发生了全网的大规模事件,从而确定应急等级及其对应的应急方案
抑制阶段:抑制阶段的主要任务是限制攻击 / 破坏波及的范围,同时也是在降低潜在的损失。所有的抑制活动都是建立在能正确检测事件的基础上的,抑制活动必须结合检测阶段发现的安全事件的现象、性质、范围等属性,制定并实施正确的抑制策略。
根除阶段:根除阶段的主要任务是通过事件分析找出根源并彻底根除,以避免攻击者再次使用相同的手段攻击系统,引发安全事件。并加强宣传,公布危害性和解决办法,呼吁用户解决终端问题。加强监测工作,发现和清理行业与重点部门问题。
-
恢复阶段:
恢复阶段的主要任务是把被破坏的信息彻底还原到正常运作状态。
确定使系统恢复正常的需求内容和时间表,从可信的备份介质中恢复用户数据,打开系统和应用服务,恢复系统网络连接,验证恢复系统,观察其他的扫描,探测可能表示入侵者再次侵袭的信号
一般来说,要想成功地恢复被破坏的系统,需要干净的备份系统,编制并维护系统恢复的操作手册,而且在系统重装后需要对系统进行全面的安全加固
总结阶段:总结阶段的主要任务是回顾并整合应急响应过程的相关信息,进行事后分析总结和修订安全计划、政策、程序,并进行训练,以防止入侵的再次发生。基于入侵的严重性和影响,确定是否进行新的风险分析,给系统和网络资产制作一个新的目录清单。这一阶段的工作对于准备阶段工作的开展起到重要的支持作用。
DFIR 命令备忘单
与远程机器交互
启用 Powershell 远程访问:
wmic /node:[IP] process call create "powershell enable-psremoting -force"
Powershell :
Enter-PSSession -ComputerName [IP]
PSExec:
PsExec: psexec \\IP -c cmd.exe
使用 PsExec 启用 PS 远程访问
psexec.exe \\TARGET -s powershell Enable-PSRemoting -Force;
为 IR 设置日志记录
Start-Transcript -Path "C:\[location]\investigation-1.log" -NoClobber
建立远程会话
$s1 = New-PSsession -ComputerName remotehost -SessionOption (New-PSSessionOption -NoMachineProfile) -ErrorAction Stop
进入或退出远程会话
Enter-PSSession -Session $s1
Exit-PSSEssion
发出远程命令/shell
Invoke-Command -ScriptBlock {whoami} -Session $s1
Invoke-Command -file file.ps1 -Session $s1
检索/下载文件
Copy-Item -Path "[RemoteHostFilePath]" -Destination "[LocalDestination]" -FromSession $s1
凭证和曝光
在调查受影响的资产时,重要的是要知道哪些远程方法会在受感染的端点上留下你的凭证,哪些方法不会。
Windows 系统枚举
系统和用户信息
组件信息
reg save HKLM\SAM [LOCATION]\SAM
reg save HKLM\SYSTEM [LOCATION]\SYSTEM
reg save HKLM\SECURITY [LOCATION]\SECURITY
reg save HKLM\SOFTWARE [LOCATION]\SOFTWARE
系统信息
get-computerinfo
echo %DATE% %TIME%
date /t
time /t
reg query "HKLM\System\CurrentControlSet\Control\TimeZoneInformation"
systeminfo
wmic computersystem list full
wmic /node:localhost product list full /format:csv
wmic softwarefeature get name,version /format:csv
wmic softwareelement get name,version /format:csv
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /s
echo %PATH%
(gci env:path|Select -exp Value).split(';')
SET
wmic bootconfig get /all /format:List
wmic computersystem get name, domain, manufacturer, model, numberofprocessors,primaryownername,username,roles,totalphysicalmemory /format:list
wmic timezone get Caption, Bias, DaylightBias, DaylightName, StandardName
wmic recoveros get /all /format:List
wmic os get /all /format:list
wmic partition get /all /format:list
wmic logicaldisk get /all /format:list
wmic diskdrive get /all /format:list
fsutil fsinfo drives
psinfo -accepteula -s -h -d
主板型号和硬件信息
wmic baseboard get product,manufacturer
wmic desktopmonitor get /all /format:list
wmic baseboard get /all /format:list
wmic bios get /all /format:list
wmic cpu get /all /format:list
已安装的补丁
wmic qfe
已安装的软件
reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ /s /f DisplayName
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\ /s /f DisplayName
wmic product get name,version /format:csv
wmic product get /ALL
dism /online /get-packages
get-WmiObject -Class Win32_Product
get-package
用户和管理员信息
whoami
whoami /user
net users
net localgroup administrators
net group /domain [groupname]
net user /domain [username]
wmic sysaccount
wmic useraccount get name,SID
wmic useraccount list
用户帐户和登录信息
Get-WmiObject Win32_UserProfile
登录信息
wmic netlogin list /format:List
Get-WmiObject Win32_LoggedOnUser
Get-WmiObject win32_logonsession
query user
qwinsta
klist sessions
klist -li
NT 域/网络客户端信息
wmic ntdomain get /all /format:List
wmic netclient get /all /format:List
nltest /trusted_domains
组信息
net localgroup
accesschk64 -a *
主机文件和服务(端口映射)
type %SystemRoot%\System32\drivers\etc\hosts
type %SystemRoot%\System32\drivers\etc\services
命令历史
doskey /history
检查组策略
gpresult /Z /SCOPE COMPUTER
gpresult /Z /SCOPE USER
gpresult /R /SCOPE COMPUTER
gpresult /R /SCOPE USER
gpresult /r /z
ls C:\Users\[username]\AppData\Local\GroupPolicy\DataStore
ls C:\Windows\system32\GroupPolicy\DataStore
获取端口的模式设置
mode
服务信息
Get-WmiObject win32_service | select Name, DisplayName, State, PathName
Get-Service
查看命名管道
[System.IO.Directory]::GetFiles("\\.\\pipe\\")
get-childitem \\.\pipe\
dir \\.\pipe\\
文件信息
获取计算机上所有文件
tree C:\ /F > output.txt
dir C:\ /A:H /-C /Q /R /S /X
共享信息
Get-WmiObject Win32_Share
net share
wmic share list brief
wmic netuse get Caption, DisplayType, LocalName, Name, ProviderName, Status
分页信息
wmic pagefile
Cookies
C:\Users\*\AppData\Local\Microsoft\Windows\INetCookies
C:\Users\*\AppData\Roaming\Microsoft\Windows\Cookies
C:\Users\*\AppData\Roaming\Microsoft\Windows\Cookies\Low
最近使用的文档
$SID = "S-1-5-21-1111111111-11111111111-1111111-11111"; $output = @(); Get-Item -Path "Registry::HKEY_USERS\$SID\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs" | Select-Object -ExpandProperty property | ForEach-Object {$i = [System.Text.Encoding]::Unicode.GetString((gp "Registry::HKEY_USERS\$SID\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs" -Name $_).$_); $i = $i -replace '[^a-zA-Z0-9 \.\-_\\/()~ ]', '\^'; $output += $i.split('\^')[0]}; $output | Sort-Object -Unique
C:\Users\[username]\AppData\Local\Microsoft\Windows\FileHistory\Data
gci "REGISTRY::HKU\*\Software\Microsoft\Office\*\Word\Reading Locations\*"
最近执行的程序
预读取文件夹,存放系统已经访问过的文件的读取信息,扩展名为pf,可加快系统启动进程:%SystemRoot%\Prefetch\
amcache.hve是windows创建的记录可执行文件信息的注册表仓库: %SystemRoot%\AppCompat\Programs\
Get-ItemProperty "REGISTRY::HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store"
Get-ItemProperty "REGISTRY::HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"
显示已知文件扩展名和隐藏文件(不包括操作系统隐藏文件)
reg add "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t REG_DWORD /d "1" /f
reg add "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d "0" /f
Stop-Process -processname explorer
大于 10mb 的文件
FOR /R C:\ %i in (*) do @if %~zi gtr 10000000 echo %i %~zi
大于 10mb 的临时文件
FOR /R C:\Users\[User]\AppData %i in (*) do @if %~zi gtr 10000000 echo %i %~zi
备用数据流
列出当前目录中的备用数据流并查看它们
gi * -s *
gc [FILENAME] -s [ADSNAME]
列出 AppData 中文本文件中的备用数据流
Get-ChildItem -Recurse -Path $env:APPDATA\..\ -include *.txt -ea SilentlyContinue|gi -s *|Select Stream -ea SilentlyContinue| Where-Object {$_.Stream -ine ":`$DATA"}
使用备用数据流查找下载位置
get-item * -stream *|Where-Object {$_.Stream -ine ":`$DATA"}|cat
get-item C:\Users\Username\Downloads\* -stream *|Where-Object {$_.Stream -ine ":`$DATA"}|cat
$a=(gci -rec -path C:\users\user\downloads -ea 0 | gi -s Zone.Identifier -ea 0 | ? {$_.Length -ge '27'});foreach ($b in $a){$b.FileName;$b|cat}
$a=(get-item * -stream Zone.Identifier -ea 0 | ? {$_.Length -ge '27'});foreach ($b in $a){$b.FileName;$b|cat}
gci -Recurse -Path $env:APPDATA\..\ -include *.txt -ea SilentlyContinue |gi -s *| Where-Object {$_.Stream -ine ":`$DATA"}|cat
防火墙和 AV
防火墙信息
netsh Firewall show state
netsh advfirewall firewall show rule name=all dir=in type=dynamic
netsh advfirewall firewall show rule name=all dir=out type=dynamic
netsh advfirewall firewall show rule name=all dir=in type=static
netsh advfirewall firewall show rule name=all dir=out type=static
netsh firewall show config
advfirewall firewall show rule name=all verbose
防火墙的变化
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Windows Firewall With Advanced Security/Firewall';} | FL TimeCreated, Message
启动项/自动运行
启动进程信息
wmic startup list full
wmic startup list brief
Get-CimInstance Win32_StartupCommand | Select-Object Name, command, Location, User | FL
按路径/文件名的启动进程信息
$Malware = "appdata";
$Processes = gps |?{$_.Path -match $Malware -or $_.Name -match $Malware} | FL Name,Path,Id;
$Tasks = schtasks /query /fo csv /v | ConvertFrom-Csv | ?{"$_.Task To Run" -match $Malware}| FL "Taskname","Task To Run","Run As User";
$Services = gwmi win32_service | ? {$_.PathName -match $Malware}| FL Name,PathName;
$ServiceDLL = reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v "ServiceDLL" | findstr "$Malware";
$RunKey1 = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run*' | ?{$_ -match $Malware};
$RunKey2 = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*' | ?{$_ -match $Malware};
$UserProfiles = (gwmi Win32_UserProfile | ? { $_.SID -notmatch 'S-1-5-(18|19|20).*' }); $paths = $UserProfiles.localpath; $sids = $UserProfiles.sid; for ($counter=0; $counter -lt $UserProfiles.length; $counter++){$path = $UserProfiles[$counter].localpath; $sid = $UserProfiles[$counter].sid; reg load hku\$sid $path\ntuser.dat};
$RunKey3 = Get-ItemProperty -Path Registry::HKU\*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run* | ?{$_ -match $Malware};
$Startup = Select-String -Path 'C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*' -Pattern $Malware | Select Path;
$Startup2 = Select-String -Path 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\*' -Pattern $Malware | Select Path;
if ($Processes) {echo "Process Found!";$Processes} else {echo "No Running Processes Found."};
if ($Tasks) {echo "Tasks Found!";$Tasks} else {echo "No Tasks Found."};
if ($Services) {echo "Services Found!";$Services} else {echo "No Services Found."};
if ($ServiceDLL) {echo "ServiceDLL Found!";$ServiceDll} else {echo "No Service Dlls Found."};
if ($RunKey1) {echo "Wow6432Node Run Key Found!";$RunKey1} else {echo "No Local Machine Wow6432Node Run Key Found."};
if ($RunKey2) {echo "Local Machine Run Key Found!";$RunKey2} else {echo "No Local Machine Run Key Found."};
if ($RunKey3) {echo "User Run Key Found!";$RunKey3} else {echo "No User Run Key Found."};
if ($Startup) {echo "AppData Startup Link Found!";$Startup} else {echo "No AppData Startups Found."};
if ($Startup2) {echo "ProgramData Startup Link Found!";$Startup2} else {echo "No ProgramData Startups Found."};
计划任务/作业信息
at (For older OS)
schtasks
schtasks /query /fo LIST /v
schtasks /query /fo LIST /v | findstr "Task To Run:"
schtasks /query /fo LIST /v | findstr "appdata"
schtasks /query /fo LIST /v | select-string "Enabled" -CaseSensitive -Context 10,0 | findstr "exe"
schtasks /query /fo LIST /v | select-string "Enabled" -CaseSensitive -Context 10,0 | findstr "Task"
schtasks /query /fo LIST /v | Select-String "exe" -Context 2,27
gci -path C:\windows\system32\tasks -recurse | Select-String Command | ? {$_.Line -match "EXENAME"} | FL Line, Filename
gci -path C:\windows\system32\tasks -recurse | where {$_.CreationTime -ge (get-date).addDays(-1)}|Select-String Command|FL Filename,Line
gci -path C:\windows\system32\tasks -recurse | where {$_.CreationTime -ge (get-date).addDays(-1)} | where {$_.CreationTime.hour -ge (get-date).hour-2}|Select-String Command|FL Line,Filename
schtasks /query /fo csv /v | ConvertFrom-Csv | ?{"$_.Task To Run" -match "MALICIOUS"}| FL "Taskname","Task To Run"
schtasks /query /fo csv /v | ConvertFrom-Csv | ?{$_.Taskname -ne "TaskName"} | FL "Taskname","Task To Run"
wmic job get Name, Owner, DaysOfMonth, DaysOfWeek, ElapsedTime, JobStatus, StartTime, Status
Powershell:
Get-ScheduledTask
gci -path C:\windows\system32\tasks -recurse | Select-String Command | FL Filename, Line
gci -path C:\windows\system32\tasks -recurse | Select-String "",Argument | FT Filename,Command,Line
gci -path C:\windows\system32\tasks -recurse | Select-String Command | ? {$_.Line -match "MALICIOUSNAME"} | FL Filename, Line
(gci -path C:\windows\system32\tasks -recurse | Select-String "" | select -exp Line).replace(" ","").trim(" ").replace("`"","").trim();
文件哈希和所有计划任务的位置
$a=((gci C:\windows\system32\tasks -rec | Select-String "" | select -exp Line).replace("","").trim(" ").replace("`"","").trim());foreach ($b in $a){filehash ([System.Environment]::ExpandEnvironmentVariables($b))}
从 System32 目录:
$a=((gci tasks -rec | Select-String "" | select -exp Line).replace("","").trim(" ").replace("`"","").trim());foreach ($b in $a){filehash ([System.Environment]::ExpandEnvironmentVariables($b))}
UAC Bypass Fodhelper
reg query HKCU\Software\Classes\ms-settings\shell\open\command
reg query HKU\{SID}\Software\Classes\ms-settings\shell\open\command
快速查找持久化向量(AutoRuns)
autorunsc.exe -accepteula -a * -c -h -v -m > autoruns.csv
autorunsc.exe -accepteula -a * -c -h -v -m -z 'E:\Windows' > autoruns.csv
持久性和自动加载/运行注册键
用户注册表 (NTUSER.DAT HIVE) - 通常位于:
C:\Users\[username]
在 Powershell 中将“reg query”替换为“Get-ItemProperty -Path HK :”
例如:Get-Item -Path HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx"
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run"
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32"
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\StartupFolder"
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
reg query "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /f run
reg query "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /f load
reg query "HKCU\Environment" /v UserInitMprLogonScript
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v RESTART_STICKY_NOTES
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Windows\Scripts"
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\RecentDocs"
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\RunMRU"
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
reg query "HKCU\SOFTWARE\AcroDC"
reg query "HKCU\SOFTWARE\Itime"
reg query "HKCU\SOFTWARE\info"
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\User Shell Folders"
reg query "HKCU\SOFTWARE\Microsoft\Command Processor"
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\RegEdit" /v LastKey
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU" /s
reg query "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell
reg query "HKCU\SOFTWARE\Microsoft\Windows\currentversion\run"
reg query "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Microsoft\Windows\CurrentVersion\Run"
reg query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Microsoft\Windows\CurrentVersion\RunOnce"
reg query "HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components\[Random]\StubPath" /s
reg query "HKCU\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\[Random]\StubPath" /s
reg query "HKCU\SOFTWARE\Microsoft\Office\[officeversion]\[word/excel/access etc]\Security\AccessVBOM"
reg query "HKCU\SOFTWARE\Microsoft\IEAK\GroupPolicy\PendingGPOs" /s
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\CPLs"
reg query "HKCU\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Control Panel\CPLs"
reg query "HKCU\SOFTWARE\Microsoft\Office\15.0\Excel\Security\AccessVBOM
reg query "HKCU\SOFTWARE\Microsoft\Office\15.0\Word\Security\AccessVBOM
reg query "HKCU\SOFTWARE\Microsoft\Office\15.0\Powerpoint\Security\AccessVBOM
reg query "HKCU\SOFTWARE\Microsoft\Office\15.0\Access\Security\AccessVBOM
Local Machine (SOFTWARE HIVE)
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /f AppInit_DLLs
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit" /s
reg query "HKLM\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\policies\explorer\run"
reg query "HKLM\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\run"
reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows"
reg query "HKLM\SOFTWARE\Microsoft\Office\[officeversion]\[word/excel/access etc]\Security\AccessVBOM"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\StartupFolder"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug"
reg query "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\[Random]\StubPath" /s
reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\[Random]\StubPath" /s
reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Control Panel\CPLs"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\CPLs"
reg query "HKLM\SOFTWARE\Microsoft\Office\15.0\Excel\Security\AccessVBOM
reg query "HKLM\SOFTWARE\Microsoft\Office\15.0\Word\Security\AccessVBOM
reg query "HKLM\SOFTWARE\Microsoft\Office\15.0\Powerpoint\Security\AccessVBOM
reg query "HKLM\SOFTWARE\Microsoft\Office\15.0\Access\Security\AccessVBOM
reg query "HKLM\SOFTWARE\Classes" | findstr "file"
reg query "HKLM\SOFTWARE\Classes" /f "file"
reg query HKCR\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} /s
reg query HKCR\AppID\ /s | findstr "exe"
Local Machine (SYSTEM HIVE)
reg query "HKLM\SYSTEM\CurrentControlSet\Services\[Random_name]\imagePath"
reg query "HKLM\SYSTEM\CurrentControlSet\Services\ /s /f "*.exe"
reg query "HKLM\SYSTEM\CurrentControlSet\Services" /s /v ImagePath /f "*.exe"
reg query "HKLM\SYSTEM\CurrentControlSet\Services" /s /v ImagePath /f "*.sys"
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v BootExecute
Get-Service -Name "*MALICIOUSSERVICE*"
gwmi win32_service | ? {$_.PathName -match "MALICIOUSSERVICE"}|FL Name,PathName
Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\*" | FL DisplayName,ImagePath,ObjectName
gci -Path C:\Windows\system32\drivers -include *.sys -recurse -ea 0 -force | Get-AuthenticodeSignature
gci -Path C:\Windows\system32\drivers -include *.sys -recurse -ea 0 -force | Get-FileHash
reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v "ImagePath"
reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v "ServiceDLL"
reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v "FailureCommand"
注册表
Powershell:查询注册表项
Invoke-Command -ScriptBlock {Get-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run} -Session $s1
查看Hivelist
gp REGISTRY::HKLM\SYSTEM\CurrentControlSet\Control\hivelist | Select *USER*
定位所有用户注册表项
$UserProfiles = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*" | Where {$_.PSChildName -match "S-1-5-21-(\d+-?){4}$" } | Select-Object @{Name="SID"; Expression={$_.PSChildName}}, @{Name="UserHive";Expression={"$($_.ProfileImagePath)\ntuser.dat"}}
从ntuser.dat 文件加载所有用户的注册表项
Foreach ($UserProfile in $UserProfiles) {If (($ProfileWasLoaded = Test-Path Registry::HKEY_USERS\$($UserProfile.SID)) -eq $false) {reg load HKU\$($UserProfile.SID) $($UserProfile.UserHive) | echo "Successfully loaded: $($UserProfile.UserHive)"}}
查询所有用户运行密钥
Foreach ($UserProfile in $UserProfiles) {reg query HKU\$($UserProfile.SID)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run};
WMI namespace枚举
Function Get-WmiNamespace ($Path = 'root')
{
foreach ($Namespace in (Get-WmiObject -Namespace $Path -Class __Namespace))
{
$FullPath = $Path + "/" + $Namespace.Name
Write-Output $FullPath
Get-WmiNamespace -Path $FullPath
}
}
Get-WMINamespace -Recurse
网络连接
Network connections
ipconfig /all
netstat –anob
netstat -ano
Tcpvcon -a
路由表和 ARP 缓存
route print
arp -a
Get-NetNeighbor
使用 dns 缓存获取运行可执行文件的哈希和已建立的网络连接
Get-NetTCPConnection -State Established | Select RemoteAddress, RemotePort, OwningProcess, @{n="Path";e={(gps -Id $_.OwningProcess).Path}},@{n="Hash";e={(gps -Id $_.OwningProcess|gi|filehash).hash}}, @{n="User";e={(gps -Id $_.OwningProcess -IncludeUserName).UserName}},@{n="DNSCache";e={(Get-DnsClientCache -Data $_.RemoteAddress -ea 0).Entry}}|sort|gu -AS|FT
获取运行可执行文件的哈希和监听网络连接
Get-NetTCPConnection -State LISTEN | Select LocalAddress, LocalPort, OwningProcess, @{n="Path";e={(gps -Id $_.OwningProcess).Path}},@{n="Hash";e={(gps -Id $_.OwningProcess|gi|filehash).hash}}, @{n="User";e={(gps -Id $_.OwningProcess -IncludeUserName).UserName}}|sort|gu -AS|FT
获取运行可执行文件的哈希和可能的隧道网络连接
Get-NetTCPConnection -State ESTABLISHED |? LocalAddress -Like "::1" | Select RemoteAddress, RemotePort, OwningProcess, @{n="Path";e={(gps -Id $_.OwningProcess).Path}},@{n="Hash";e={(gps -Id $_.OwningProcess|gi|filehash).hash}}, @{n="User";e={(gps -Id $_.OwningProcess -IncludeUserName).UserName}},@{n="DNSCache";e={(Get-DnsClientCache -Data $_.RemoteAddress).Entry}}|sort|gu -AS|FT
Get-NetTCPConnection -State Established |? LocalAddress -Like "127.0.0.1"| Select RemoteAddress, RemotePort, OwningProcess, @{n="Path";e={(gps -Id $_.OwningProcess).Path}},@{n="Hash";e={(gps -Id $_.OwningProcess|gi|filehash).hash}}, @{n="User";e={(gps -Id $_.OwningProcess -IncludeUserName).UserName}},@{n="DNSCache";e={(Get-DnsClientCache -Data $_.RemoteAddress).Entry}}|sort|gu -AS|FT
Get-NetTCPConnection -State LISTEN |? LocalAddress -Like "127.0.0.1" | Select LocalAddress, LocalPort, OwningProcess, @{n="Path";e={(gps -Id $_.OwningProcess).Path}},@{n="Hash";e={(gps -Id $_.OwningProcess|gi|filehash).hash}}, @{n="User";e={(gps -Id $_.OwningProcess -IncludeUserName).UserName}}|sort|gu -AS|FT
获取隧道身份验证的工作站名称
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624'; Data='::';} | FL TimeCreated,Message
DNS解析器的内容
ipconfig /displaydns
Get-DnsClientCache | FT -AutoSize
当前连接的接入点名称 (WiFi)
reg query HKLM\system\CurrentControlSet\Services\Dnscache\Parameters\DnsActiveIfs\ /s
netsh wlan show interfaces
先前连接的接入点名称 (WiFi)
netsh wlan show profile
当前周围的接入点名称 (WiFi)
netsh wlan show network mode=bssid
扩展网络适配器配置信息
reg query HKLM\system\CurrentControlSet\Services\Tcpip\Parameters\ /s
reg query HKLM\system\CurrentControlSet\Services\Tcpip6\Parameters\ /s
RDP
RDP 缓存图像
这可用于显示用户在使用 Windows RDP 在服务器上操作时可以看到的一些图像片段。缓存文件位于:%USERPROFILE%\AppData\Local\Microsoft\Terminal Server Client\Cache\
这些可以使用BMC- Tools解析
bmc-tools.py -s ./ -d ./output
bmc-tools.py -s ./ -d ./output -o -b
RDP(终端服务)活动
reg query 'HKU\{SID}\Software\Microsoft\Terminal Server Client' /s
RDP(终端服务)配置
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /s
检查终端服务是否启用
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections
检查每个用户的会话是否已被修改
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser
检查端口号是否被修改
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp" /v PortNumber
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber
DLL 信息
从 WDAC 审计事件中提取模块(DLL、SYS 和 EXE)信息
# Extract relevant properties from 3076 events
# Modified by Jai Minton @CyberRaiju, based from original work by Matt Graeber @mattifestation
# On an enterprise system enable it by creating a module load audit policy: https://twitter.com/mattifestation/status/1366435525272481799
# ConvertFrom-CIPolicy Non_Microsoft_UserMode_Load_Audit.xml C:\Windows\System32\CodeIntegrity\SIPolicy.p7b
# Store the converted policy on a Win10 system to be monitored at: Windows\System32\CodeIntegrity\SIPolicy.p7b
# If you don't have one available you can use a pre-converted one found [here](https://github.com/JPMinty/Misc-Tools/blob/main/Windows-Defender-Application-Control-WDAC/SIPolicy.p7b)
# More information:
# https://gist.githubusercontent.com/mattifestation/de140831d47e15370ba35c1877f39082/raw/8db18ab36723cc9eaf9770c2cadafe46460ff80e/3076EventExtractor.ps1
# https://posts.specterops.io/threat-detection-using-windows-defender-application-control-device-guard-in-audit-mode-602b48cd1c11
# https://github.com/mattifestation/WDACTools
$SigningLevelMapping = @{
[Byte] 0 = 'Unchecked'
[Byte] 1 = 'Unsigned'
[Byte] 2 = 'Enterprise'
[Byte] 3 = 'Custom1'
[Byte] 4 = 'Authenticode'
[Byte] 5 = 'Custom2'
[Byte] 6 = 'Store'
[Byte] 7 = 'Antimalware'
[Byte] 8 = 'Microsoft'
[Byte] 9 = 'Custom4'
[Byte] 0xA = 'Custom5'
[Byte] 0xB = 'DynamicCodegen'
[Byte] 0xC = 'Windows'
[Byte] 0xD = 'WindowsProtectedProcessLight'
[Byte] 0xE = 'WindowsTcb'
[Byte] 0xF = 'Custom6'
}
$CIEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076} | ForEach-Object {
$ScenarioValue = $_.Properties[16].Value.ToString()
$Scenario = $ScenarioValue
switch ($Scenario) {
'0' { $Scenario = 'Kernel-Mode' }
'1' { $Scenario = 'User-Mode' }
}
[PSCustomObject] @{
TimeCreated = $_.TimeCreated
MachineName = $_.MachineName
UserId = $_.UserId
FileName = $_.Properties[1].Value
ProcessName = $_.Properties[3].Value
CertificateSHA1AuthentiCodeHash = [BitConverter]::ToString($_.Properties[8].Value).Replace('-', '')
CertificateSHA256AuthentiCodeHash = [BitConverter]::ToString($_.Properties[10].Value).Replace('-', '')
ModuleSHA1Hash = [BitConverter]::ToString($_.Properties[12].Value).Replace('-', '')
ModuleSHA256Hash = [BitConverter]::ToString($_.Properties[14].Value).Replace('-', '')
OriginalFileName = $_.Properties[24].Value
InternalName = $_.Properties[26].Value
FileDescription = $_.Properties[28].Value
ProductName = $_.Properties[30].Value
FileVersion = $_.Properties[31].Value
SISigningScenario = $Scenario
RequestedSigningLevel = $SigningLevelMapping[$_.Properties[4].Value]
ValidatedSigningLevel = $SigningLevelMapping[$_.Properties[5].Value]
PolicyHash = [BitConverter]::ToString($_.Properties[22].Value).Replace('-', '')
}
}
$CIEvents
获取 DLL 信息
listdlls [-r] [-v | -u] [processname|pid]
listdlls [-r] [-v] [-d dllname]
获取进程加载的无符号DLL信息
listdlls -u
获取进程正在使用的 DLL
listdlls -v processname -accepteula
listdlls -v -d dllname.dll -accepteula
listdlls -v PID -accepteula
DNS
从最近解析的域中获取 TXT 记录
foreach ($domains in Get-DnsClientCache){Resolve-DnsName $domains.Entry -Type "TXT"|Select Strings|? Strings -NotLike ""};
活动目录
活动目录调查
dsquery computer
dsquery user
dsquery contact
dsquery domainroot -inactive 4
dsquery group
dsquery ou
dsquery site
dsquery server
dsquery quota
dsquery *
- dsquery * -limit 999999999
netdom query fsmo
netdom query trust
netdom query pdc
netdom query DC
netdom query server
netdom query workstation
netdom query OU
NT 目录服务目录信息树文件 (ntds.dit)
包含所有架构、域、配置信息(例如用户、IP、计算机、域信任等)的 Active Directory 数据库文件
%SystemRoot%\NTDS\ntds.dit
%SystemRoot%\System32\ntds.dit
仅在将某些操作系统升级为 DC 时创建的文件,很少使用
Edb.log
10MB 事务日志,用于在将临时数据发送到 ntds.dit 数据库之前存储它
%SystemRoot%\NTDS\Edb.log
Edbxxxxx.log
如果主 edb.log 文件大于 10MB 而未刷新到 ntds.dit,则附加事务日志文件。
%SystemRoot%\NTDS\edbxxxxx.log
Edb.chk
用于确定有多少事务日志已发送到 ntdis.dit 数据库
%SystemRoot%\NTDS\edb.chk
Resx.log/Resx.jrs
保留日志文件以防硬盘被填满,此时将使用这些文件(理想情况下,它们永远不应该被使用)。
%SystemRoot%\NTDS\res1.log
%SystemRoot%\NTDS\res2.log
Temp.edb
在进行中的事务期间存储信息的临时文件。
%SystemRoot%\NTDS\temp.edb
Schema.ini
创建域控制器时初始化 ntds.dit 文件,然后不再使用。
%SystemRoot%\NTDS\schema.ini
ntds.dit 调查
ntdsutil
ntdsutil "activate instance ntds" ifm "create full C:\Audit" quit quit
vssadmin
vssadmin create shadow /for=C:
mkdir C:\Audit
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[Number]\Windows\ntds\ntds.dit C:\Audit\ntds.dit
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[Number]\Windows\System32\config\SYSTEM C:\Audit\SYSTEM
vssadmin delete shadows /shadow=[ShadowCopyID]
Windows 进程信息
进程信息
tasklist -v
wmic process list full /format:csv
wmic process get name,parentprocessid,processid /format:csv
wmic process get ExecutablePath,processid /format:csv
wmic process get name,ExecutablePath,processid,parentprocessid /format:csv | findstr /I "appdata"
wmic process where processid=[PID] get parentprocessid
wmic process where processid=[PID] get commandline
wmic process where "commandline is not null and commandline!=''" get name,commandline /format:csv
gwmi win32_process -Filter "name like 'powershell.exe'" | select name,processId,commandline|FL
gwmi win32_process | select name,processId,path,commandline|FL
gwmi win32_process |FL ProcessID,ParentProcessID,CommandLine,@{e={$_.GetOwner().User}}
gwmi win32_process | Sort-Object -Property ProcessID | FL ProcessID,Path,CommandLine,ParentProcessID,@{n="User";e={$_.GetOwner().User}},@{n="ParentProcessPath";e={gps -Id $_.ParentProcessID|Select -exp Path}}
pslist
检查正在运行的进程
Invoke-Command -ScriptBlock {Get-Process} -Session $s1
比较新的进程/服务
Get-Process | Export-Clixml -Path C:\Users\User\Desktop\process.xml
Get-Service | Export-Clixml -Path C:\Users\User\Desktop\service.xml
$edproc = Import-Clixml -Path C:\Users\User\Desktop\process.xml
$edproc1 = Import-Clixml -Path C:\Users\User\Desktop\process1.xml
$edservice = Import-Clixml -Path C:\Users\User\Desktop\service.xml
$edservice1 = Import-Clixml -Path C:\Users\User\Desktop\service1.xml
Compare-Object $edproc $edproc1 -Property processname
Compare-Object $edservice $edservice1 -Property servicename
当前进程执行或从临时目录加载模块
(gps -Module -ea 0).FileName|Select-String "Appdata","ProgramData","Temp","Users","public"|unique
当前进程执行或从临时目录加载的模块 + 哈希
$A=((gps -Module -ea 0).FileName|Select-String "Appdata","ProgramData","Temp","Users","public"|sort|unique);foreach ($B in $A) {filehash $B};
$A=((gps).Path|Select-String "Appdata","ProgramData","Temp","Users","public"|sort|unique);foreach ($B in $A) {filehash $B};
进程句柄
定位进程句柄(例如进程打开的文件)
handle64.exe -p [PID/name] -nobanner
handle64.exe -a -p [PID/name] -nobanner
handle64.exe -a -l -p [PID/name] -nobanner
handle64.exe -a -l -u -p keepass -nobanner
关闭进程句柄
handle64.exe -c [hexhandleref] -p [PID] -nobanner
handle64.exe -c [hexhandleref] -y -p [PID] -nobanner
进程和其组件的哈希
获取所有正在运行的可执行文件的哈希
FOR /F %i IN ('wmic process where "ExecutablePath is not null" get ExecutablePath') DO certutil -hashfile %i SHA256 | findstr -v : >> output.txt
powershell
(gps|gi -ea SilentlyContinue|filehash).hash|sort -u
foreach ($process in Get-WmiObject win32_process | where {$_.ExecutablePath -notlike ""}) {Get-FileHash $process.ExecutablePath | Format-List}
foreach ($process in Get-WmiObject win32_process | where {$_.ExecutablePath -notlike ""}) {Get-FileHash $process.ExecutablePath | select Hash -ExpandProperty Hash}
$A = $( foreach ($process in Get-WmiObject win32_process | where {$_.ExecutablePath -notlike ""}) {Get-FileHash $process.ExecutablePath | select Hash -ExpandProperty Hash}) |Sort-Object| Get-Unique;$A
获取进程当前加载的 DLL 的哈希值
$A = $(foreach ($dll in gps|select -ExpandProperty modules -ea SilentlyContinue|? FileName -NotLike "C:\Windows\SYSTEM32\*"){Get-FileHash $dll.FileName| select Hash -ExpandProperty Hash})|Sort-Object| Get-Unique;$A
(gps).Modules.FileName | sort -uniq | foreach {filehash $_ -ea 0}
获取二进制文件版本与操作系统版本不匹配的进程
gps -FileVersionInfo -ea 0|? {$_.ProductVersion -notmatch $([System.Environment]::OSVersion.Version|Select -exp Build)}
获取进程二进制文件外部名称
gps -FileVersionInfo -ea 0 | sort -uniq | Select OriginalFilename,InternalName,Filename
gps -module -FileVersionInfo -ea 0 | sort -uniq | Select OriginalFilename,InternalName,Filename
gps -module -FileVersionInfo -ea 0 | sort -uniq | FL *name,*version
获取正在运行 DLL 的进程
$A=(gps|select -ExpandProperty modules -ea SilentlyContinue | where {$_.ModuleName -Like 'sechost.dll' -or $_.ModuleName -Like 'ntdll.dll'} | sort -u);if($A[0].Size -ge -1) {foreach ($Module in $A){tasklist /m $Module.ModuleName}};
gps | FL ProcessName, @{l="Modules";e={$_.Modules|Out-String}}
获取进程当前加载的未签名或无效 DLL 的哈希
$A=$(foreach ($dll in gps|select -ExpandProperty modules -ea SilentlyContinue){Get-AuthenticodeSignature $dll.FileName |Where-Object Status -NE "Valid"|Select Path});$B=$(foreach ($dll in $A){Get-FileHash $dll.Path| select Hash -ExpandProperty Hash})|Sort-Object| Get-Unique;$B
获取进程当前加载的未签名 DLL 列表
gps | select -exp modules -ea 0 | Select -exp FileName | Get-AuthenticodeSignature|Where-Object Status -NE "Valid"
gps | select -exp modules -ea 0 | Select -exp FileName | Get-AuthenticodeSignature | ? Status -NE "Valid" | FL Path
进程扫描
扫描为“appdata”创建日志的进程
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4688';}| ? {$_.Message -match 'appdata'}|FL TimeCreated, Message
Windows DFIR 检查
恶意软件活动
检查禁用的任务管理器
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr
Mimikatz/凭证提取检测
修改这些注册表可能表明攻击者试图在环境中执行Mimikatz
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
- “UseLogonCredential” should be 0 to prevent the password in LSASS/WDigest
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
- “RunAsPPL” should be set to dword:00000001 to enable LSA Protection which prevents non-protected processes from interacting with LSASS.
- Mimikatz can remove these flags using a custom driver called mimidriver.
- This uses the command **!+** and then **!processprotect /remove /process:lsass.exe** by default so tampering of this registry key can be indicative of Mimikatz activity.
Yara规则
/*Benjamin DELPY `gentilkiwi`
https://blog.gentilkiwi.com
benjamin@gentilkiwi.com
Licence : https://creativecommons.org/licenses/by/4.0/
*/
rule mimikatz
{
meta:
description = "mimikatz"
author = "Benjamin DELPY (gentilkiwi)"
tool_author = "Benjamin DELPY (gentilkiwi)"
strings:
$exe_x86_1 = { 89 71 04 89 [0-3] 30 8d 04 bd }
$exe_x86_2 = { 8b 4d e? 8b 45 f4 89 75 e? 89 01 85 ff 74 }
$exe_x64_1 = { 33 ff 4? 89 37 4? 8b f3 45 85 c? 74}
$exe_x64_2 = { 4c 8b df 49 [0-3] c1 e3 04 48 [0-3] 8b cb 4c 03 [0-3] d8 }
$dll_1 = { c7 0? 00 00 01 00 [4-14] c7 0? 01 00 00 00 }
$dll_2 = { c7 0? 10 02 00 00 ?? 89 4? }
$sys_x86 = { a0 00 00 00 24 02 00 00 40 00 00 00 [0-4] b8 00 00 00 6c 02 00 00 40 00 00 00 }
$sys_x64 = { 88 01 00 00 3c 04 00 00 40 00 00 00 [0-4] e8 02 00 00 f8 02 00 00 40 00 00 00 }
condition:
(all of ($exe_x86_*)) or (all of ($exe_x64_*)) or (all of ($dll_*)) or (any of ($sys_*))
}
rule mimikatz_lsass_mdmp
{
meta:
description = "LSASS minidump file for mimikatz"
author = "Benjamin DELPY (gentilkiwi)"
strings:
$lsass = "System32\\lsass.exe" wide nocase
condition:
(uint32(0) == 0x504d444d) and $lsass
}
rule mimikatz_kirbi_ticket
{
meta:
description = "KiRBi ticket for mimikatz"
author = "Benjamin DELPY (gentilkiwi)"
strings:
$asn1 = { 76 82 ?? ?? 30 82 ?? ?? a0 03 02 01 05 a1 03 02 01 16 }
condition:
$asn1 at 0
}
rule wce
{
meta:
description = "wce"
author = "Benjamin DELPY (gentilkiwi)"
tool_author = "Hernan Ochoa (hernano)"
strings:
$hex_legacy = { 8b ff 55 8b ec 6a 00 ff 75 0c ff 75 08 e8 [0-3] 5d c2 08 00 }
$hex_x86 = { 8d 45 f0 50 8d 45 f8 50 8d 45 e8 50 6a 00 8d 45 fc 50 [0-8] 50 72 69 6d 61 72 79 00 }
$hex_x64 = { ff f3 48 83 ec 30 48 8b d9 48 8d 15 [0-16] 50 72 69 6d 61 72 79 00 }
condition:
any of them
}
rule lsadump
{
meta:
description = "LSA dump programe (bootkey/syskey) - pwdump and others"
author = "Benjamin DELPY (gentilkiwi)"
strings:
$str_sam_inc = "\\Domains\\Account" ascii nocase
$str_sam_exc = "\\Domains\\Account\\Users\\Names\\" ascii nocase
$hex_api_call = {(41 b8 | 68) 00 00 00 02 [0-64] (68 | ba) ff 07 0f 00 }
$str_msv_lsa = { 4c 53 41 53 52 56 2e 44 4c 4c 00 [0-32] 6d 73 76 31 5f 30 2e 64 6c 6c 00 }
$hex_bkey = { 4b 53 53 4d [20-70] 05 00 01 00}
condition:
($str_sam_inc and not $str_sam_exc) or $hex_api_call or $str_msv_lsa or $hex_bkey
}
rule power_pe_injection
{
meta:
description = "PowerShell with PE Reflective Injection"
author = "Benjamin DELPY (gentilkiwi)"
strings:
$str_loadlib = "0x53, 0x48, 0x89, 0xe3, 0x48, 0x83, 0xec, 0x20, 0x66, 0x83, 0xe4, 0xc0, 0x48, 0xb9"
condition:
$str_loadlib
}
某些技术可能涉及加载 lsasrv.dll 或 wdigest.dll 以提取凭据
tasklist /m wdigest.dll
tasklist /m lsasrv.dll
可能能够检测到对以下注册表项的更改,这些注册表项可用于加载任意 DLL 并提取凭据
reg query HKLM\SYSTEM\CurrentControlSet\Services\NTDS /v LsaDbExtPt
reg query HKLM\SYSTEM\CurrentControlSet\Services\NTDS\DirectoryServiceExtPt
攻击者还可能篡改系统保存的缓存登录数(默认为10)
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v CachedLogonsCount
NetNTLM 降级攻击检测
reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v LMCompatibilityLevel
reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RestrictSendingNTLMTraffic
reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v NTLMMinClientSec
Putty检测
reg query HKCU\Software\SimonTatham\PuTTY\Sessions /s
Trickbot
gci -path C:\Users\*\AppData\Roaming\*\Data -recurse -force -ea SilentlyContinue
gci -path C:\Users\*\AppData\Roaming\*\Modules -recurse -force -ea SilentlyContinue
gci -path C:\Users\*\AppData\Local\*\Data -recurse -force -ea SilentlyContinue
gci -path C:\Users\*\AppData\Local\*\Modules -recurse -force -ea SilentlyContinue
gci -path C:\Users\*\AppData\Roaming\*\*\Data -recurse -force -ea SilentlyContinue
gci -path C:\Users\*\AppData\Roaming\*\*\Modules -recurse -force -ea SilentlyContinue
gci -path C:\Users\*\AppData\Local\*\*\Data -recurse -force -ea SilentlyContinue
gci -path C:\Users\*\AppData\Local\*\*\Modules -recurse -force -ea SilentlyContinue
gci -path C:\Windows\System32\config\systemprofile\appdata\roaming -recurse -force -include *.exe
schtasks /query /fo LIST /v | findstr "appdata"
schtasks /query /fo LIST /v | findstr "programdata"
schtasks /query /fo LIST /v | findstr "public"
tasklist /svc | findstr "svchost"
通过VirusTotal检查正在运行的恶意软件可执行程序
将VTAPIKey设置为VirusTotal API密钥
foreach ($process in Get-WmiObject win32_process | where {$_.ExecutablePath -notlike ""}) {Invoke-RestMethod -Method 'POST' -Uri 'https://www.virustotal.com/vtapi/v2/file/report' -Body @{ resource =(Get-FileHash $process.ExecutablePath | select Hash -ExpandProperty Hash); apikey = "[VTAPIKey]"}}
该查询使用15秒超时以确保每分钟只提交4个查询
foreach ($process in Get-WmiObject win32_process | where {$_.ExecutablePath -notlike ""}) {Invoke-RestMethod -Method 'POST' -Uri 'https://www.virustotal.com/vtapi/v2/file/report' -Body @{ resource =(Get-FileHash $process.ExecutablePath | select Hash -ExpandProperty Hash); apikey = "[VTAPIKey]"};Start-Sleep -Seconds 15;}
此查询使用 15 秒超时来确保一分钟仅提交 4 个查询,并且仅查询唯一hash
$A = $( foreach ($process in Get-WmiObject win32_process | where {$_.ExecutablePath -notlike ""}) {Get-FileHash $process.ExecutablePath | select Hash -ExpandProperty Hash}) |Sort-Object| Get-Unique -AsString; foreach ($process in $A) {Invoke-RestMethod -Method 'POST' -Uri 'https://www.virustotal.com/vtapi/v2/file/report' -Body @{ resource =($process); apikey = "[VTAPIKey]"};Start-Sleep -Seconds 15;}
注册表
检查注册表中的IE增强安全修改
gci 'REGISTRY::HKU\*\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
gci 'REGISTRY::HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
检查注册表禁用 UAC(1=UAC 已禁用)
gci REGISTRY::HKU\*\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
gci REGISTRY::HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
检查Software键的恶意条目
gci registry::HKLM\Software\*
gci registry::HKU\*\Software\*
扫描指定文本的注册表项
Get-ChildItem -path HKLM:\ -Recurse -ea SilentlyContinue | where {$_.Name -match 'notepad' -or $_.Name -match 'sql'}
Get-ChildItem -path HKLM:\ -Recurse -ea SilentlyContinue | get-itemproperty | where {$_ -match 'notepad' -or $_ -match 'sql'}
reg query HKLM\SOFTWARE /s /f ".exe"
reg query HKLM\SYSTEM /s /f ".exe"
reg query HKLM\SECURITY /s /f ".exe"
reg query HKLM /s /f ".exe"
可疑文件
查找没有扩展名的文件
Get-ChildItem -Path C:\Users\[user]\AppData -Recurse -Exclude *.* -File -Force -ea SilentlyContinue
感兴趣的持久性文件位置
%localappdata%\\ .<4-9 file ext>
%localappdata%\\ .lnk
%localappdata%\\ .bat
%appdata%\\ .<4-9 file ext>
%appdata%\\ .lnk
%appdata%\\ .bat
%appdata%\\ .bat
%SystemRoot%\
%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\*
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\*"
%SystemRoot%\System32\\
%SystemRoot%\System32\tasks\
%SystemRoot%\\
C:\Users\[user]\appdata\roaming\[random]
C:\Users\[user]\appdata\roaming\[random]
C:\Users\Public\*
扫描这些目录以查找感兴趣的项目,例如不寻常的 exe、dll、bat、lnk 等文件:
dir /s /b %localappdata%\*.exe | findstr /e .exe
dir /s /b %appdata%\*.exe | findstr /e .exe
dir /s /b %localappdata%\*.dll | findstr /e .dll
dir /s /b %appdata%\*.dll | findstr /e .dll
dir /s /b %localappdata%\*.bat | findstr /e .bat
dir /s /b "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\" | findstr /e .lnk
dir /s /b "C:\Users\Public\" | findstr /e .exe
dir /s /b "C:\Users\Public\" | findstr /e .lnk
dir /s /b "C:\Users\Public\" | findstr /e .dll
dir /s /b "C:\Users\Public\" | findstr /e .bat
ls "C:\Users\[User]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" | findstr /e .lnk
定位具有特定字符串的LNK文件
Select-String -Path 'C:\Users\[User]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.lnk' -Pattern "powershell" | Select Path
确定文件时间
主文件表
主文件表是一个非常重要的工件;但是,这只能通过低级别磁盘读取来读取或获得。这包含文件系统上每个文件或目录的一个条目,包括关于这些文件的元数据,并可能提供已删除文件的证据(标记为“free”的MFT条目)。
在主文件表(位于 Win 根目录)中有 2 个元素,$STANDARD_INFORMATION 和 $FILE_NAME,它们都具有正在创建、修改、访问和写入的文件的值。
这些被称为MACB时间(修改、访问、更改、生成)。可以从恶意进程修改$STANDARD_INFORMATION元素,但是$FILE_NAME元素保持不变,如果没有一些额外的技巧就不能修改。
这些差异通常表明Timestomping使用$FILE_NAME条目作为真相的来源。这可以通过获取MFT(例如使用一个工具,如Rawcopy)来确定,并比较文件上的时间戳(例如使用一个工具,如MFTExplorer)。
RawCopy.exe /FileNamePath:C:0 /OutputPath:C:\Audit /OutputName:MFT_C.bin
检查系统目录中没有作为操作系统发行版的一部分进行签名的可执行程序
gci C:\windows\*\*.exe -File -force |get-authenticodesignature|?{$_.IsOSBinary -notmatch 'True'}
reg query 'HKU\[SID]\Software\Microsoft\Office\[versionnumber]\Word\Security\Trusted Documents\TrustRecords';
gci 'REGISTRY::HKU\*\Software\Microsoft\Office\*\*\Security\Trusted Documents\TrustRecords' -ea 0 | foreach {reg query $_.Name}
reg query 'HKU\[SID]\Software\Microsoft\Office\[versionnumber]\Word\Security\Trusted Documents\TrustRecords';
gci 'REGISTRY::HKU\*\Software\Microsoft\Office\*\*\Security\Trusted Documents\TrustRecords' -ea 0 | foreach {reg query $_.Name}
检查所有Appdata文件中未签名或无效的可执行文件
Get-ChildItem -Recurse $env:APPDATA\..\*.exe -ea SilentlyContinue| ForEach-object {Get-AuthenticodeSignature $_ -ea SilentlyContinue} | Where-Object {$_.status -ine "Valid"}|Select Status,Path
在本地系统用户配置文件和文件中检查可执行文件
Get-ChildItem C:\Windows\*\config\systemprofile -recurse -force -ea 0 -include *.exe, *.dll *.lnk
在 Path 目录 ($env:Path) 中查找可执行文件和脚本
Get-Command * -Type Application | FT -AutoSize
Get-Command -Name * | FL FileVersionInfo
根据日期查找创建/写入的文件
Get-ChildItem C:\ -recurse -ea SilentlyContinue -force | where-object { $_.CreationTime.Date -match "12/25/2014"}
Get-ChildItem C:\ -recurse -ea SilentlyContinue -force | where-object { $_.LastWriteTime -match "12/25/2014"}
Get-ChildItem C:\ -recurse -ea SilentlyContinue -force | where-object { $_.CreationTime.Hour -gt 2 -and $_.CreationTime.Hour -lt 15}
专门设置为以管理员身份运行的程序
reg query "HKU\{SID}\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /s /f RUNASADMIN
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /s /f RUNASADMIN
Windows 索引服务
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\windows.edb
DNS 日志
扫描DNS日志
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-DNS-Client/Operational'; Id='3010';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-DNS-Client/Operational'; Id='3020';} | FL TimeCreated,Message
扫描DNS日志,输出唯一的DNS查询
$events=Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-DNS-Client/Operational'; Id='3020';};
$output = @();
foreach ($Event in $events){
$data = New-Object -TypeName PSObject;
$XML = [xml]$Event.ToXml();
$query=$XML.Event.EventData.Data|?{$_.Name -eq 'QueryName'} | Select -exp InnerText;
$result=$XML.Event.EventData.Data|?{$_.Name -eq 'QueryResults'} | Select -exp InnerText;
$data `
| Add-Member NoteProperty Query "$query" -PassThru `
| Add-Member NoteProperty QueryResults "$result" -PassThru | Out-Null
$output += $data;
}
$output = $output | sort Query | unique -AsString;
$output
WMI
检测用于持久性的WMI 订阅
Get-WmiObject -Class __FilterToConsumerBinding -Namespace root\subscription
Get-WmiObject -Class __EventFilter -Namespace root\subscription
Get-WmiObject -Class __EventConsumer -Namespace root\subscription
调查 WMI 使用情况
strings -q C:\windows\system32\wbem\repository\objects.data
WIndows Defender
检查 Windows Defender 阻止/隔离日志
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-Windows Defender/Operational'; Data='Severe'} | FL TimeCreated,Messag
ACLs and ACE
检查和设置访问控制列表
Get-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'|FL
Get-Acl -Path [FileWithRequiredAccess] | Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'
检查服务的安全描述符定义语言 (SDDL) 和访问控制条目 (ACE)
sc sdshow
$A=get-service;foreach ($service in $A){$service;sc.exe sdshow $service.Name}
$A=get-service;foreach ($service in $A){$service;sc.exe sdshow $service.Name|Select-String "A;*DC"}
$A=get-service;foreach ($service in $A){$service;sc.exe sdshow $service.Name|Select-String "A;*WD"}
$A=get-service;foreach ($service in $A){$service;sc.exe sdshow $service.Name|Select-String "A;*WO"}
日志检查
检查审计政策
auditpol /get /category:*
检查 Windows 安全日志绕过
reg query HKLM\System\CurrentControlSet\Control\MiniNt
漏洞检查
验证 EternalBlue 补丁 (MS17-010) 是否已安装
get-item C:\Windows\system32\drivers\srv.sys | FL VersionInfo
get-hotfix -id KB<111111>
横向移动检查
网络共享横向移动检测
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624'; Data='3'} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4672';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4776';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4768';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4769';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='5140';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='5140'; Data='\\*\C$'} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='5145';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='5140';} | FL TimeCreated,Message
PsExec 横向移动检测
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624'; Data='3'} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624'; Data='2'} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4672';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='5140'; Data='\\*\ADMIN$'} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='System'; Id='7045'; Data='PSEXESVC'} | FL TimeCreated,Message
reg query HKLM\SYSTEM\CurrentControlSet\Services\PSEXESVC
reg query HKLM\SYSTEM\CurrentControlSet\Services\
ls C:\Windows\Prefetch\psexesvc.exe*.pf
计划任务横向移动检测
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624'; Data='3'} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4672';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4698';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4702';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4699';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4700';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4701';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TaskScheduler/Maintenance'; Id='106';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TaskScheduler/Maintenance'; Id='140';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TaskScheduler/Maintenance'; Id='141';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TaskScheduler/Maintenance'; Id='200';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TaskScheduler/Maintenance'; Id='201';} | FL TimeCreated,Message
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks" /s
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks" /s /v Actions
Get-ChildItem -path 'registry::HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\' | Get-ItemProperty | FL Path, Actions
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree"
gci -path C:\Windows\System32\Tasks\ -recurse -File
服务横向移动检测
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624'; Data='3'} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4697';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='System'; Id='7034';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='System'; Id='7035';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='System'; Id='7036';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='System'; Id='7040';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='System'; Id='7045';} | FL TimeCreated,Message
reg query 'HKLM\SYSTEM\CurrentControlSet\Services\'
WMI/WMIC 横向移动检测
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624'; Data='3'} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4672';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624'; Data='3'} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WMI-Activity/Operational'; Id='5857';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WMI-Activity/Operational'; Id='5860';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WMI-Activity/Operational'; Id='5861';} | FL TimeCreated,Message
C:\Windows\System32\wbem\Repository
ls C:\Windows\Prefetch\wmiprvse.exe*.pf
ls C:\Windows\Prefetch\mofcomp.exe*.pf
PowerShell 横向移动检测
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624'; Data='3'} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4672';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-PowerShell/Operational'; Id='4103';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-PowerShell/Operational'; Id='4104';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-PowerShell/Operational'; Id='53504';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Windows PowerShell'; Id='400';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Windows PowerShell'; Id='403';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WinRM/Operational'; Id='91';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WinRM/Operational'; Id='168';} | FL TimeCreated,Message
ls C:\Windows\Prefetch\wsmprovhost.exe*.pf
Windows 事件日志
Powershell 日志
Get-WinEvent -LogName "Windows Powershell"
可用的事件日志
Get-EventLog -list
Get-WinEvent -Listlog * | Select RecordCount,LogName
Get-WinEvent -Listlog *operational | Select RecordCount,LogName
wmic nteventlog list brief
每个应用程序源的事件日志
Get-EventLog Application | Select -Unique Source
Get-WinEvent -FilterHashtable @{ LogName='Application'; ProviderName='Outlook'}
Get-WinEvent -FilterHashtable @{ LogName='OAlerts';} | FL TimeCreated, Message
按级别源记录的事件日志
危急日志
Get-WinEvent -FilterHashtable @{ LogName='Application'; Level='1';}
错误日志
Get-WinEvent -FilterHashtable @{ LogName='Application'; Level='2';}
警告日志
Get-WinEvent -FilterHashtable @{ LogName='Application'; Level='3';}
信息日志
Get-WinEvent -FilterHashtable @{ LogName='Application'; Level='4';}
用于离线分析的事件日志
事件日志:%SystemRoot%\System32\winevt\Logs
wevtutil epl System [Location]\System.evtx
wevtutil epl Security [Location]\Security.evtx
wevtutil epl Application [Location]\Application.evtx
wevtutil epl "Windows PowerShell" [Location]\Powershell.evtx
esentutl.exe /y /vss C:\Windows\System32\winevt\Logs\Security.evtx /d [Location]\Security.evtx
复制所有事件日志:
XCOPY C:\Windows\System32\winevt\Logs [Location] /i
XCOPY C:\WINDOWS\system32\LogFiles\ [Location] /i
用户访问记录(UAL)KStrike分析
KStrike.py SYSTEMNAME\Current.mdb > Current_mdb.txt
mdb 文件位于以下位置:
%SystemRoot%\Windows\System32\Logfiles\SUM
使用DeepblueCLI快速扫描事件日志
.\DeepBlue.ps1 .\evtx\psattack-security.evtx | FL
Windows 事件跟踪 (ETW)
列出正在运行的跟踪会话
logman query -ets
列出跟踪会话订阅的提供程序
logman query "EventLog-System" -ets
列出所有 ETW 提供者
logman query providers
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\
查询提供程序
logman query providers -pid {PID}
可用的查询提供程序
logman query providers
logman query providers Microsoft-Windows-WinHttp
启动跟踪会话
logman create trace-ets
logman query-ets
使用想要的提供程序更新跟踪
logman update -p Microsoft-Windows-WinHttp 0x100000000 -ets
删除订阅和提供者
logman update trace--p Microsoft-Windows-WinHttp 0x100000000 -ets
logman stop-ets
事件日志/跟踪篡改检测
reg query HKLM\SYSTEM\CurrentControlSet\Services\EventLog\ /s /v File
reg query HKLM\SYSTEM\CurrentControlSet\Services\EventLog\ /s /v MaxSize
reg query HKLM\SYSTEM\CurrentControlSet\Services\EventLog\ /s /v Retention
sc.exe query eventlog
gci REGISTRY::HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\ -recurse
reg query HKLM\SYSTEM\CurrentControlSet\control\WMI\AutoLogger\ /s /v enable*
时间线 Windows 事件日志
查看Windows事件日志的一种简单方法是使用EvtxExplorer将它们转储为规范化的csv格式。
EvtxECmd.exe -d "C:\Windows\System32\winevt\Logs" --csv C:\ --csvf AllEvtx.csv
然后可以使用时间线资源管理器Plaso分析 CSV 以查看相关信息并按 MAP 分组。
常见的 IIS 日志通常可以在以下位置找到:
%SystemDrive%\inetpub\logs\LogFiles
%SystemRoot%\System32\LogFiles\W3SVC1
%SystemDrive%\inetpub\logs\LogFiles\W3SVC1
- 注意:将1替换为您的IIS网站ID的数字
%SystemDrive%\Windows\System32\LogFiles\HTTPERR
常见的 Apache 日志通常可以在以下位置找到:
/var/log
/var/log/httpd/access.log
/var/log/apache/access.log
/var/log/apache2/access.log
/var/log/httpd-access.log
其他日志可以在下面找到,通常使用事件跟踪日志 (ETL) 格式:
C:\Windows\System32\LogFiles
C:\Windows\Panther
ETL 格式可以使用 Windows 中包含的 tracerpt 进行解析
tracerpt C:\Windows\System32\LogFiles\WMI\Terminal-Services-RPC-Client.etl
tracerpt logfile1.etl logfile2.etl -o logdump.xml -of XML
tracerpt logfile.etl -o logdmp.xml -of XML -lr -summary logdmp.txt -report logrpt.xml
tracerpt logfile1.etl logfile2.etl -o -report
tracerpt logfile.etl counterfile.blg -report logrpt.xml -df schema.xml
tracerpt -rt "NT Kernel Logger" -o logfile.csv -of CSV
软件特定日志通常以可读格式存储在以下任何位置
%AppData%\[softwarename] (e.g. C:\Users\[username]\AppData\Roaming\[softwarename]\)
%LocalAppData%\[softwarename] (e.g. C:\Users\[username]\AppData\Local\[softwarename]\)
%programfiles%\[softwarename] (e.g. C:\Program Files\[softwarename]\)
%programfiles(x86)%\[softwarename] (e.g. C:\Program Files (x86)\[softwarename]\)
也可以在下面找到有用的内存崩溃转储:
C:\Users\[username]\AppData\Local\CrashDumps
C:\Users\[username]\AppData\Local\Microsoft\Windows\WER\
Windows 修复命令
设置所有成功/失败事件的日志记录
auditpol /set /category:* /success:enable /failure:enable
启用进程创建的日志记录
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable
通过WDAC代码完整性来记录非非windows模块的加载
ConvertFrom-CIPolicy Non_Microsoft_UserMode_Load_Audit.xml C:\Windows\System32\CodeIntegrity\SIPolicy.p7b
Kill “Unstoppable” Service/Process
reg add HKLM\SYSTEM\CurrentControlSet\Services\{SERVICENAME}\XblAuthManager\Parameters /V start /T reg_dword /D 4 /f
sc.exe sdset {SERVICENAME} "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
Get-Service -Name {SERVICENAME} | Set-Service -Status Paused
sc.exe config {SERVICENAME} start= disabled
Get-Service -Name {SERVICENAME} | Set-Service -Status Stopped
tasklist /FI "IMAGENAME eq {SERVICEEXENAME}"
taskkill /F /t /IM "{SERVICEEXENAME}"
Kill 恶意process
wmic process where name="malware.exe" call terminate
wmic process where processid=[PID] delete
taskkill /IM malware.exe
taskkill /PID [PID] /T
通过注入线程在进程中找到可能存在的Shellcode(Get-InjectedThread.ps1)
Import-Module .\Get-InjectedThread.ps1
Get-InjectedThread
以十六进制形式获取进程中可能存在的 Shellcode
(Get-InjectedThread|Select -exp Bytes|ForEach-Object ToString X2) -join ''
(Get-InjectedThread|? {$_.ThreadId -match '{PID}'}|Select -exp Bytes|ForEach-Object ToString X2) -join ''
删除“everyone”的 ACE 条目
icacls "C:\{DESIREDFOLDERPATH}" /remove everyone /T
禁用不需要的windows二进制文件(通过 Base64 编码和删除)
certutil -encode C:\windows\system32\mshta.exe C:\windows\system32\mshta.disabled
Get-Acl -Path C:\windows\system32\mshta.exe | Set-Acl -Path C:\windows\system32\mshta.disabled
takeown /f C:\windows\system32\mshta.exe
icacls C:\windows\system32\mshta.exe /grant administrators:F
rm C:\windows\system32\mshta.exe
启用 Windows 二进制文件
certutil -decode C:\windows\system32\mshta.disabled C:\windows\system32\mshta.exe
Get-Acl -Path C:\windows\system32\mshta.disabled | Set-Acl -Path C:\windows\system32\mshta.exe
takeown /f C:\windows\system32\mshta.disabled
icacls C:\windows\system32\mshta.disabled /grant administrators:F
rm C:\windows\system32\mshta.disabled
使多个文件可见,并删除' superhidden '
gci C:\{DESIREDFOLDERPATH} -force -recurse -ea 0 | foreach {$_.attributes = 'Normal'};
attrib -s -h C:\{DESIREDFOLDERPATH}\*.*
启用日期访问时间戳
reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v NtfsDisableLastAccessUpdate /d 0 /t REG_DWORD /f
删除 BITSAdmin 持久性
bitsadmin /reset /allusers
import-module bitstransfer
Get-BitsTransfer -AllUsers | Remove-BitsTransfer
删除 Windows Defender 排除的文件
reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "[RegkeyValue]"
reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"
Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' -Name "Paths"
使某些应用程序和文件扩展名关联
FTYPE Custom=Notepad.exe "%1"
ASSOC .wsf=Custom
禁用命令提示符
reg add "HKCU\SOFTWARE\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 0 /f
修复恶意文件
rmdir %localappdata%\maliciousdirectory\ /s
del /F %localappdata%\maliciousdirectory\malware.exe
powershell:
Remove-Item [C:\Users\Public\*.exe]
Remove-Item -Path [C:\Users\Public\malware.exe] -Force
Get-ChildItem * -Include *.exe -Recurse | Remove-Item
修复持久性的 WMI 订阅
定位和移除 CommandLineEventConsumer
Get-WMIObject -Namespace root\subscription -Class __EventFilter -Filter "Name like '%%[Name]%%'" | Remove-WmiObject
Get-WMIObject -Namespace root\subscription -Class CommandLineEventConsumer -Filter "CommandLineTemplate like '%%powershell%%'" | Remove-WmiObject
Get-WMIObject -Namespace root\subscription -Class __FilterToConsumerBinding -Filter "__Path like '%%[Name]%%'" | Remove-WmiObject
恶意计划任务
schtasks /Delete /TN [taskname] /F
Powershell:
Unregister-ScheduledTask -TaskName [taskname]
Unregister-ScheduledTask -TaskPath [taskname]
卸载所有用户注册表项
Foreach ($UserProfile in $UserProfiles) {reg unload HKU\$($UserProfile.SID)};
修复自动加载/运行注册键
reg delete [keyname] /v [ValueName] /f
reg delete [keyname] /f
Foreach ($UserProfile in $UserProfiles) {reg delete HKU\$($UserProfile.SID)\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /f}
Foreach ($UserProfile in $UserProfiles) {reg delete HKU\$($UserProfile.SID)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f}
powershell:
Remove-ItemProperty -Path "[Path]" -Name "[name]"
阻止可执行文件运行
reg add "HKU\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v DisallowRun /t REG_DWORD /d "00000001" /f
reg add "HKU\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v malware.exe /t REG_SZ /d "malware.exe" /f
IR 事件日志备忘单
安全日志信息
wevtutil qe security /f:text
eventquery.vbs /L security
wevtutil qe security /f:text | Select-String -Pattern "Event ID: [EventCode]" -Context 2,20
wevtutil qe security /f:text | Select-String -Pattern "Event ID: [EventCode]" -Context 2,20 | findstr "Account Name:"
psloglist -s -x security
事件id:4720(已创建帐户)
事件id:4722(启用帐户)
事件id:4724(密码重置)
事件id:4723(用户更改密码)
事件id:4736(帐户已删除)
事件id:4781(账户重命名)
事件id:4738(用户帐户更改)
事件id:4688(已创建新进程)
事件id:4732(帐户添加到组)
事件id:4733(从组中删除帐户)
事件id:1102(审核日志已清除)
事件id:4614(安全系统扩展)
事件id:4672(分配给新登录的特殊权限)
事件id:4624(账号登录成功)
事件id:4698(计划任务创建)
事件id:4702(计划任务已修改)
事件id:4699(已删除计划任务)
事件id:4701(计划任务已禁用)
事件id:4700(已启用计划任务)
事件id:4697(服务安装)
事件id:4625(账号登录失败)
事件id:4776(域控制器尝试验证帐户的凭据)
事件id:4634(账户成功注销)
事件id:4740(用户帐户被锁定)
事件id:4767(用户帐户已解锁)
事件id:4778(远程桌面会话重新连接)
事件id:4779(远程桌面会话断开)
事件id:4625(用户帐户登录失败)
事件id:4648(尝试使用显式凭据登录)
事件id:4768(请求了 Kerberos 身份验证票证 (TGT))
0x6(用户名不存在)- 用户名错误或尚未复制到 DC
0xC(开始时间晚于结束时间 - 受限工作站)
0x12(帐户锁定、禁用、过期、限制或撤销等)
事件id:4769(请求了 Kerberos 服务票证)
事件id:4770(更新了 Kerberos 服务票证)
事件id:4771(Kerberos 预认证失败)
0x10 - 正在尝试智能卡登录,但找不到正确的证书。
0x17 - 用户密码已过期。
0x18 - 提供了错误的密码。
事件id:大于 4720 且小于 4764(帐户/组修改)
登录类型信息
类型:0(仅用于系统帐户身份验证)
类型:2(交互式登录)
用户在键盘上。
类型:3(网络身份验证/SMB 身份验证登录)
通过网络进行身份验证。注意:如果启用了网络级身份验证,RDP 可能属于此范围。
类型:4(批量登录)
通常来自计划任务。
类型:5(服务登录)
通常来自服务。
类型:7(解锁登录)
用户在午餐后在键盘上解锁它。
类型:8(网络明文登录)
基本上登录类型 3,但信用是明确的。
类型:9(新凭据登录)
经常使用带有 '/netonly' 参数的 'RunAs'。
类型:10(终端/RDP 登录类型)
通过终端服务/RDP 登录。
类型:11(缓存交互)
无法连接到域时登录(本地缓存凭据)。
类型:12(缓存远程交互)
与远程交互相同。这用于内部审计。
类型:13(缓存解锁登录)
与解锁登录相同,但缓存凭据除外。
特殊登录事件(4672)
系统日志信息
wevtutil qe system /f:text
eventquery.vbs /L system
系统:7030(基本服务操作)
系统:7040(服务的启动类型由禁用更改为自动启动)
系统:7045(已安装服务)
系统:1056(DHCP 服务器奇数)
系统:10000(COM 功能)
系统:20001(设备驱动安装)
系统:20002(远程访问)
系统:20003(服务安装)
sysmon
Sysmon:1(进程创建)
Sysmon:2(文件创建时间)
Sysmon:3(检测到网络连接)
Sysmon:4(Sysmon 服务状态已更改)
Sysmon:5(进程终止)
Sysmon:6(已加载驱动程序)
Sysmon:9(已加载图像)
Sysmon:10(进程访问)
Sysmon:11(已创建文件)
Sysmon:12(添加或删除注册表对象)
Sysmon:13(注册表值集)
Sysmon:14(注册表对象重命名)
Sysmon:15(创建文件流)
Sysmon:16(Sysmon 配置已更改)
Sysmon:17(已创建命名管道)
Sysmon:18(已连接命名管道)
Sysmon:19(WMI 过滤器)
Sysmon:20(WMI 消费者)
Sysmon:21(WMI 消费者过滤器)
Sysmon:22(DNS查询)
Sysmon:23(文件删除)
Sysmon:24(剪贴板已更改)
Linux DFIR 命令
转储内存
dd if=/dev/kmem of=/root/kmem
dd if=/dev/mem of=/root/mem
LiME
sudo insmod ./lime.ko "path=./Linmen.mem format=raw"
LinPMem
./linpmem -o memory.aff4
./linpmem memory.aff4 -e PhysicalMemory -o memory.raw
拍照
fdisk -l
dd if=/dev/sda1 of=/[outputlocation]
FastIR
python ./fastIR_collector_linux.py
LinEnum
./linenum.sh
./linenum.sh -t
系统信息
date
uname –a
hostname
cat /proc/version
lsmod
账户信息
cat /etc/passwd
cat /etc/shadow
cat /etc/sudoers
cat /etc/sudoers.d/*
cut -d: -f1 /etc/passwd
getent passwd | cut -d: -f1
compgen -u
当前用户
whoami
who
最后登录的用户
last
lastb
cat /var/log/auth.log
初始化文件
cat /etc/bash.bashrc
cat ~/.bash_profile
cat ~/.bashrc
环境和启动计划
cat /etc/profile
ls /etc/profile.d/
cat /etc/profile.d/*
计划任务
ls /etc/cron.*
ls /etc/cron.*/*
cat /etc/cron.*/*
cat /etc/crontab
SSH 密钥和授权用户
cat /etc/ssh/sshd_config
ls /home/*/.ssh/*
cat /home/*/.ssh/id_rsa.pub
cat /home/*/.ssh/authorized_keys
Sudoers 文件(谁可以以其他用户身份运行命令
cat /etc/sudoers
配置信息
ls /etc/*.d
cat /etc/*.d/*
网络连接/socket状态
netstat
netstat -apetul
netstat -plan
netstat -plant
ss
ss -l
ss -ta
ss -tp
防火墙信息
ls /etc/iptables
cat /etc/iptables/*.v4
cat /etc/iptables/*.v6
iptables -L
网络配置
ifconfig -a
浏览器插件信息
ls -la ~/.mozilla/plugins
ls -la /usr/lib/mozilla/plugins
ls -la /usr/lib64/mozilla/plugins
ls -la ~/.config/google-chrome/Default/Extensions/
内核模块和扩展
ls -la /lib/modules/*/kernel/*
进程信息
ps -s
ps -l
ps -o
ps -t
ps -m
ps -a
top
以关键字递归搜索文件
grep -H -i -r "password" /
进程树
ps -auxwf
打开文件和空间使用情况
lsof
du
可插拔式认证模块 (PAM)
cat /etc/pam.d/sudo
cat /etc/pam.conf
ls /etc/pam.d/
磁盘/分区信息
fdisk -l
捕获进程的网络流量
strace -f -e trace=network -s 10000;
strace -f -e trace=network -s 10000 -p;
详细的进程信息
ls -al /proc/[PID]
恢复当前正在运行的已删除二进制文件
cp /proc/[PID]/exe /[destination]/[binaryname]
捕获二进制数据以供审查
cp /proc/[PID]/ /[destination]/[PID]/
二进制哈希信息
sha1sum /[destination]/[binaryname]
md5sum /[destination]/[binaryname]
进程命令行参数信息
cat /proc/[PID]/cmdline
cat /proc/[PID]/comm
进程环境变量
strings /proc/[PID]/environ
cat /proc/[PID]/environ
进程文件描述符/映射
ls -al /proc/[PID]/fd
cat /proc/[PID]/maps
进程堆栈/状态信息
cat /proc/[PID]/stack
cat /proc/[PID]/status
已删除的仍在运行的二进制文件
ls -alr /proc/*/exe 2> /dev/null | grep deleted
进程工作目录
ls -alr /proc/*/cwd
ls -alr /proc/*/cwd 2> /dev/null | grep tmp
ls -alr /proc/*/cwd 2> /dev/null | grep dev
ls -alr /proc/*/cwd 2> /dev/null | grep var
ls -alr /proc/*/cwd 2> /dev/null | grep home
隐藏的目录和文件
find / -type d -name ".*"
不可变的文件和目录(通常是可疑的)
lsattr / -R 2> /dev/null | grep "\----i"
SUID/SGID 和 Sticky Bit 特殊权限
find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;
没有用户/组名的文件和目录
find / \( -nouser -o -nogroup \) -exec ls -lg {} \;
当前目录中的文件类型
file * -p
文件系统上的可执行文件
find / -type f -exec file -p '{}' \; | grep ELF
文件系统上的隐藏可执行文件
find / -name ".*" -exec file -p '{}' \; | grep ELF
过去一天内修改的文件
find / -mtime -1
应当持续关注的点
/etc/rc.local
/etc/initd
/etc/rc*.d
/etc/modules
/etc/cron*
/var/spool/cron/*
/usr/lib/cron/
/usr/lib/cron/tabs
审核日志
ls -al /var/log/*
ls -al /var/log/*tmp
utmpdump /var/log/btmp
utmpdump /var/run/utmp
utmpdump /var/log/wtmp
已安装的软件包
ls /usr/bin/
ls /usr/local/bin/
MacOS DFIR 命令
转储内存
OSXPMem
MacPmem
sudo kextload MacPmem.kext
sudo dd if=/dev/pmem of=memorydump.raw
系统信息
date
sw_vers
uname –a
hostname
cat /System/Library/CoreServices/SystemVersion.plist
cat /private/var/log/daily.out
cat /Library/preferences/.Globalpreferences.plist
网络连接
netstat –an
netstat –anf
lsof -i
路由表
netstat –rn
网络信息
arp –an
ndp -an
ifconfig
打开文件
lsof
文件系统使用情况
sudo fs_usage
sudo fs_usage [process]
sudo fs_usage -f network
sudo fs_usage pid [PID]
Bash命令历史
cat ~/.bash_history
history
登录用户
who -a
w
last
运行进程
ps aux
系统分析器
system_profiler -xml -detaillevel full > systemprofiler.spx
XPC 服务
ls Applications/.app/Contents/XPCServices/
cat Applications/.app/Contents/XPCServices/*.xpc/Contents/Info.plist
ls ~/System/Library/XPCServices/
Launch Agents & Launch Daemons
ls /Library/LaunchAgents/
ls /System/Library/LaunchAgents/
ls /System/Library/LaunchDaemons/
ls /Library/LaunchDaemons/
ls /users/*/Library/LaunchAgents/
ls /users/*/Library/LaunchDaemons/
登录项
cat ~/Library/Preferences/com.apple.loginitems.plist
ls.app/Contents/Library/LoginItems/
Disable Persistent Launch Daemon
sudo launchctl unload -w /Library/LaunchDaemons/.plist
sudo launchctl stop /Library/LaunchDaemons/.plist
网页浏览偏好
cat ~/Library/Preferences/com.apple.Safari.plist
ls ~/Library/Application Support/Google/Chrome/Default/Preferences
ls ~/Library/Application Support/Firefox/Profiles/********.default/prefs.js
Safari Internet History
cat ~/Library/Safari/Downloads.plist
cat ~/Library/Safari/History.plist
cat ~/Library/Safari/LastSession.plist
ls ~/Library/Caches/com.apple.Safari/Webpage Previews/
sqlite3 ~/Library/Caches/com.apple.Safari/Cache.db
Chrome Internet History
ls ~/Library/Application Support/Google/Chrome/Default/History
ls ~/Library/Caches/Google/Chrome/Default/Cache/
ls ~/Library/Caches/Google/Chrome/Default/Media Cache/
Firefox Internet History
sqlite3 ~/Library/Application Support/Firefox/Profiles/********.default/places.sqlite
sqlite3 ~/Library/Application Support/Firefox/Profiles/********.default/downloads.sqlite
sqlite3 ~/Library/Application Support/Firefox/Profiles/********.default/formhistory.sqlite
ls ~/Library/Caches/Firefox/Profiles/********.default/Cache
Apple Email
cat ~/Library/Mail/V2/MailData/Accounts.plist
ls ~/Library/Mail/V2/
ls ~/Library/Mail Downloads/
ls ~/Downloads
cat ~/Library/Mail/V2/MailData/OpenAttachments.plist
临时目录和缓存
ls /tmp
ls /var/tmp
ls /Users//Library/Caches/Java/tmp
ls /Users//Library/Caches/Java/cache
/Applications/Utilities/Java Preferences.app
系统审计日志
ls /private/var/log/asl/
ls /private/var/audit/
cat /private/var/log/appfirewall.log
ls ~/Library/Logs
ls /Library/Application Support/
ls /Applications/
ls /Library/Logs/
日志分析
bzcat system.log.1.bz2
system.log.0.bz2 >> system_all.log
cat system.log >> system_all.log
syslog -f
syslog –T utc –F raw –d /asl
syslog -d /asl
praudit –xn /var/audit/*
sudo log collect
log show
log stream
文件隔离
ls ~/Library/Preferences/com.apple.LaunchServices.QuarantineEvents.V2
ls ~/Library/Preferences/com.apple.LaunchServices.QuarantineEvents
用户帐户/密码Shadows
ls /private/var/db/dslocal/nodes/Default/users/
ls /private/var/db/shadow/
可插拔认证模块 (PAM)
cat /etc/pam.d/sudo
cat /etc/pam.conf
ls /etc/pam.d/
文件指纹
file
xxd
nm -arch x86_64
otool -L
sudo vmmap
sudo lsof -p
xattr –xl
连接的磁盘和分区
diskutil list
diskutil info
diskutil cs
ap list
gpt –r show
gpt -r show -l
磁盘文件映像信息
hdiutil imageinfo *.dmg
用户钥匙串信息
security list-keychains
security dump-keychains -d
获取元数据
mdimport –X | -A
mdls