8.14. Emergency Response¶

8.14.1. Response Process¶

8.14.1.1. Event Occurrence¶

Operation and maintenance monitoring personnel, customer service auditors, etc. find problems and report them to the top.

8.14.1.2. Event acknowledgement¶

Collect event information, analyze network activity related programs, logs and data, judge the severity of the event, evaluate the severity of the problem, and report it upwards.

8.14.1.3. Incident Response¶

All departments work together to deal with security issues and solve them in detail to avoid residual problems such as unpatched vulnerabilities and unremoved backdoors.

8.14.1.4. Event shutdown¶

After handling the incident, it is necessary to close the incident, and write a security emergency handling analysis report to complete the entire emergency process.

8.14.2. Event classification¶

Virus, Trojan, Worm Incident
Web server intrusion event
Third-party service intrusion events
system intrusion event
- Exploiting Windows Vulnerabilities to Attack Operating Systems
cyber attack incident
- DDoS/ARP spoofing/DNS hijacking etc.

8.14.3. Analysis direction¶

8.14.3.1. File Analysis¶

Change-Based Analysis
- date
- File additions and changes
- Recently used files
Source code analysis
- Check source code changes
- Kill WebShell and other backdoors
System log analysis
Application log analysis
- Analyze User-Agent，e.g. awvs / burpsuite / w3af / nessus / openvas
- keyword matching for each attack，e.g. select/alert/eval
- Abnormal request, continuous 404 or 500
md5sum Check hashes of common command binaries for rootkits

8.14.3.2. Process Analysis¶

A process with the following characteristics
- CPU or memory resource usage is too high for a long time
- No signature verification information
- Process without description information
- The path to the process is invalid
dump system memory for analysis
running process
running service
parent process and child process
The full hash of the background executable
installed applications
Running keys or other persistent programs that are running automatically
Scheduled Tasks

8.14.3.3. Analysis of identity information¶

Local and domain account users
Unusual authentication
Username in non-standard format

8.14.3.4. Log Analysis¶

Antivirus detection record

8.14.3.5. Network Analysis¶

Firewall configuration
DNS configuration
routing configuration
Listening ports and related services
Recently established network connection
Sessions such as RDP / VPN / SSH

8.14.3.6. Configuration Analysis¶

Check Linux SE configurations
Check environment variables
Check the supporting registry information retrieval, SAM file
kernel module

8.14.4. Linux Emergency Response¶

8.14.4.1. File Analysis¶

Recently used files
- find / -ctime -2
- C:\Documents and Settings\Administrator\Recent
- C:\Documents and Settings\Default User\Recent
- %UserProfile%\Recent
System log analysis
- /var/log/
Focus analysis location
- /var/log/wtmp Log in, log out, data exchange, shutdown and restart records
- /var/run/utmp Information record about the currently logged in user
- /var/log/lastlog The file records the last logged-in information of the user, which can be viewed with the lastlog command.
- /var/log/secure The files that log in to the system to access data, such as pop3/ssh/telnet/ftp, will be logged.
- /var/log/cron Log information related to scheduled tasks
- /var/log/message Information and error logs after system startup
- /var/log/apache2/access.log apache access log
- /etc/passwd user list
- /etc/init.d/ Startup items
- /etc/cron* timed task
- /tmp temporary directory
- ~/.ssh

8.14.4.2. User Analysis¶

/etc/shadow Password login related information
uptime View user login time
/etc/sudoers sudo user list

8.14.4.3. Process Analysis¶

netstat -ano Check if suspicious ports are open
w command to view users and their processes
Analyze boot programs/scripts
- /etc/init.d
- ~/.bashrc
View scheduled or timed tasks
- crontab -l
netstat -an / lsof View process port usage

8.14.5. Windows Emergency Response¶

8.14.5.1. File Analysis¶

Recently used files
- C:\Documents and Settings\Administrator\Recent
- C:\Documents and Settings\Default User\Recent
- %UserProfile%\Recent
System log analysis
- event viewer eventvwr.msc

8.14.5.2. User Analysis¶

Check if there are new users
Check if the server has weak passwords
View the corresponding key value of the administrator
lusrmgr.msc View account changes
net user List currently logged in accounts
wmic UserAccount get List all accounts in the current system

8.14.5.3. Process Analysis¶

netstat -ano Check if suspicious ports are open
tasklist Check for suspicious processes
Analyze boot programs
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Runonce
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
- (ProfilePath)\Start Menu\Programs\Startup startup item
- msconfig Startup tab
- gpedit.msc Group Policy Editor
View scheduled or timed tasks
- C:\Windows\System32\Tasks\
- C:\Windows\SysWOW64\Tasks\
- C:\Windows\tasks\
- schtasks
- taskschd.msc
- compmgmt.msc
View startup services
- services.msc