CMD ultimate defense

Preface

Open the intrusion information on the network! The backdoor of the hacker. You can also obtain a webshell by exploiting vulnerabilities in web programs, use the lower-Permission mongoshell to escalate permissions, and then implant backdoors ...... Various types of attacks indicate that the attacker and the attacker are related, because a attacker. EXE is an interface for user-to-system interaction, and is the primary target for intruders to enter the system. Of course, we can't sit down here, how to prevent others from getting your mongoshell through overflow, how to know that others have already entered the system and obtained mongoshell, how can we capture intruders when they log on to our machines? Now let's build an ultimate line of defense under cmd.

Principle 2

Mongoshell can still be obtained after you pull to a port. Today, I will introduce you to a new method. You do not need to set the cmd permission! Let's talk about the principle first, or open your cmd command window and run the command cmd /?, Let's see what we get! I. Note the following:

If/D is not specified on the command line, when CMD. EXE starts, it will look for the following REG_SZ/REG_EXPAND_SZ registry variable. If one or both of these variables exist, the two variables are executed first.

HKEY_LOCAL_MACHINESoftwareMicrosoftCommand ProcessorAutoRun

And/or

HKEY_CURRENT_USERSoftwareMicrosoftCommand ProcessorAutoRun

That is to say, if the HKEY_LOCAL_MACHINESoftwareMicrosoftCommand ProcessorAutoRun and HKEY_CURRENT_USERSoftwareMicrosoftCommand allow/dstart program exist, the program specified by these two key values will be executed before cmd.exe is started. Now, you can execute the program script before example. exe, and we can completely control the action of cmd.exe.

Three practices

We have found the east and west regions that we can use. Now, we can see what we can do with the feature of cmd.exe! The key is editing.
The content of HKEY_CURRENT_USERSoftwareMicrosoftCommand ProcessorAutoRun (if not, you can create a new one) is the location of a custom script for you. For convenience, we can use batch processing, and my system is 2000 adv server. For example, you can run the command before the c: worker process, and then edit the content of HKEY_CURRENT_USERSoftwareMicrosoftCommand ProcessorAutoRun to c: winntsystem32cmd. bat 2. Assume that your machine is not often patched in time, you can edit cmd under system32. the bat content is exit, so as to defend against remote overflow attacks, because the general overflow is either a reverse shell or a reverse shell, the shellcode that overflows runs cmd first. the content in bat is exactly exit. Here we want to show you that the command I specified is the pause command, three. In this way, people who do not know the truth will be very depressed, even if they know the truth, if he is a general cainiao, I want to be helpless to such a problem, unless other shellcode is used.
There is no point in preventing such attacks. We 'd better catch the intruders, so let's write the cmd. bat script! To capture intruders or to know the time when an intrusion event occurs, we can define cmd. bat as follows:

@ Echo off \ close command echo \
@ Netstat-an> c: winntsystem32et. log \ gets the current network connection status and outputs it to the net. log File. Use> Redirection to avoid log flushing \
@ Date/t> c: winntsystem32date. log \ obtain the time when the intrusion occurred \
@ Time/t> c: winntsystem32ime. log
@ Exit \

In this way, when someone overflows, his IP address will be in the log! You can add the content of this script according to your own situation, such as viewing processes and viewing port associations. I will not show it to you because it is not a program that comes with the system!
But is it possible to do so much? The program of logging can be fooled by us. For example, we can write in cmd. bat:

@ Echo off \ close command echo \
@ Netstat-an> c: winntsystem32et. log \ gets the current network connection status and outputs it to the net. log File. Use> Redirection to avoid log flushing \
@ Date/t> c: winntsystem32date. log \ obtain the time when the intrusion occurred \
@ Time/t> c: winntsystem32ime. log
@ Type c: winntsystem321_.txt \ Print the contents of cmd.txt, which is also defined by US \
@ Pause \ pause the program and let the intruders regret it! \
@ Exit \ exit program \

In this way, we can yell at the intruders. What do we shout? Don't yell at me if you swear. I will make an advertisement for myself here. When someone else telnet me to my machine, the fourth is my log Content 5. In fact, this is the same effect when logging on to any cmd backdoor. My Tcmd is very depressing, haha! These are also very miraculous in webshell. You can also use your imagination. There is nothing you can do.

Iv. Summary
There is nothing advanced about the article. It is actually an attribute of cmd. It works well with setting permissions. Someone has to ask, what should we do after setting it ourselves to start cmd? Well, we can simply start it with the cmd/D parameter during running.