How to obtain evidence after a Windows host system intrusion

Source: Internet
Author: User

1. Record the current time
DOS command: date /t & time /t

2. Logged-on user sessions
DOS command: net session
Tools: PsLoggedOn.exe, LogonSessions.exe


3. Record open files
DOS command: net file
Tools: psfile.exe, openfiles.exe
Also: review the history of recently opened files


4. Network information (NetBIOS cache)
DOS command: nbtstat -c
nbtstat -A remoteip


5. Current network connection status
DOS command: netstat -ano


6. Current process status
Tools: Process Manager, tlist.exe (tlist -m xxx.dll), tasklist.exe, pslist.exe, listdlls.exe, processhacker.exe, processexplorer.exe
Focus: the modules loaded in each process's memory, and the process-to-port mapping
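The process-to-port mapping this step asks for can be produced offline from two captures, `netstat -ano` and `tasklist`, joined on the PID column. The script below is an added example, not part of the original article: the two text samples are constructed in the real tools' output format, and the address ranges treated as internal are an assumption to adjust for the network under review.

```python
"""Join `netstat -ano` with `tasklist` output to map sockets to processes.

Added example (not from the original article). NETSTAT_SAMPLE and
TASKLIST_SAMPLE are CONSTRUCTED in the format the real tools print; on a
live host they would be the captured output of the two commands.
"""
import ipaddress
from typing import Dict, List, NamedTuple
import re

NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       824
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:49712     203.0.113.45:4444      ESTABLISHED     3120
  TCP    192.168.1.20:49713     192.168.1.5:445        ESTABLISHED     4
  TCP    [::]:135               [::]:0                 LISTENING       824
  UDP    0.0.0.0:123            *:*                                    1104
"""

TASKLIST_SAMPLE = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          8 K
System                           4 Services                   0        132 K
svchost.exe                    824 Services                   0     10,244 K
svchost.exe                   1104 Services                   0      8,120 K
updater.exe                   3120 Console                    1      5,500 K
"""

# Assumption: RFC 1918 ranges plus loopback count as "inside the network".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "::1/128")]


class Socket(NamedTuple):
    proto: str
    local: str
    foreign: str
    state: str
    pid: int
    image: str


# Image names may contain spaces ("System Idle Process"), so match from the right.
_TASK_RE = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+[\d,]+ K$")


def parse_tasklist(text: str) -> Dict[int, str]:
    """Return {pid: image name}; the header and ruler lines do not match the pattern."""
    pids = {}
    for line in text.splitlines():
        m = _TASK_RE.match(line.strip())
        if m:
            pids[int(m.group("pid"))] = m.group("image")
    return pids


def parse_netstat(text: str, pids: Dict[int, str]) -> List[Socket]:
    """UDP rows have no State column, so the PID is always taken as the last field."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        state = parts[3] if parts[0] == "TCP" else ""
        pid = int(parts[-1])
        sockets.append(Socket(parts[0], parts[1], parts[2], state, pid,
                              pids.get(pid, "<unknown>")))
    return sockets


def host_of(endpoint: str) -> str:
    """'203.0.113.45:4444' -> '203.0.113.45'; '[::]:135' -> '::'; '*:*' -> '*'."""
    host, _, _ = endpoint.rpartition(":")
    return host.strip("[]")


def is_external(host: str) -> bool:
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:        # '*' or another non-address token
        return False
    if addr.is_unspecified:   # 0.0.0.0 / :: as the peer of a LISTENING socket
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def map_connections(netstat_text: str, tasklist_text: str) -> List[Socket]:
    return parse_netstat(netstat_text, parse_tasklist(tasklist_text))


def outbound_external(sockets: List[Socket]) -> List[Socket]:
    """Established TCP sessions whose peer lies outside the internal ranges."""
    return [s for s in sockets
            if s.state == "ESTABLISHED" and is_external(host_of(s.foreign))]


if __name__ == "__main__":
    socks = map_connections(NETSTAT_SAMPLE, TASKLIST_SAMPLE)
    for s in socks:
        print(f"{s.proto:4} {s.local:22} {s.foreign:22} {s.state:12} {s.pid:>5} {s.image}")
    for s in outbound_external(socks):
        print("review:", s.image, s.pid, "->", s.foreign)
```

On a real host, save the two command outputs to files first, then feed the file contents to `map_connections`; the join works because `netstat -ano` and `tasklist` both report the same PID, which is why the two captures should be taken back to back.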


7. Network configuration
DOS command: ipconfig /all


8. Clipboard content
Open Word (or any editor) and paste directly.
Tool: Win32::Clipboard()->Get() (Perl)


7. Service and driver information
Tool: svc.exe
Focus: abnormal services and abnormal drivers


8. DOS command history
Tool: doskey.exe (doskey /history)


9. Drive mapping
Tool: di.exe


10. Shares
Focus: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\Shares
net share


11. Autostart locations
Startup folder
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command
Special cases: service hijacking, abnormal services, PE injection, DLL hold, etc. Some memory-resident Trojans delete themselves after startup and must be analyzed in memory.
View file-extension hijacking: ftype exefile
Tool: autoruns.exe
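One way to work through the Run/RunOnce keys above without touching the live registry is to export them with `reg export` and review the .reg file offline. The script below is an added example, not code from the original article: REG_SAMPLE is a constructed export, the environment-variable values and the list of core process names are assumptions, and the location classes are a starting point for review rather than a verdict.

```python
r"""Parse a `reg export` (.reg) file of autostart keys and sort entries by
where their executable lives.

Added example (not from the original article). REG_SAMPLE is a CONSTRUCTED
export in "Windows Registry Editor Version 5.00" format, the kind produced by
    reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg
"""
import re
from typing import List, NamedTuple, Optional, Tuple

REG_SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"VMware User Process"="\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"svchosts"="C:\\Users\\alice\\AppData\\Local\\Temp\\svchosts.exe -k netsvc"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"LoadAppInit_DLLs"=dword:00000000
'''

# Assumed expansions; a real export keeps variables unexpanded.
ENV = {"%windir%": "C:\\Windows", "%systemroot%": "C:\\Windows",
       "%programfiles%": "C:\\Program Files"}
# Assumed list of core Windows process names used for the look-alike check.
SYSTEM_NAMES = ("svchost", "lsass", "csrss", "winlogon", "explorer", "services", "smss")

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


class AutorunEntry(NamedTuple):
    key: str
    name: str
    command: str
    exe: str
    location: str      # system / program files / user profile / other
    lookalike: bool


def unescape(data: str) -> str:
    """.reg strings escape backslash and quote with a backslash."""
    return re.sub(r"\\(.)", r"\1", data)


def parse_reg(text: str) -> List[Tuple[str, str, Optional[str]]]:
    """Yield (key, value name, string data); dword:/hex: data is returned as None."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = _VALUE_RE.match(line)
        if not m or key is None:
            continue
        data = m.group("data")
        value = unescape(data[1:-1]) if data.startswith('"') and data.endswith('"') else None
        entries.append((key, unescape(m.group("name")), value))
    return entries


def executable_of(command: str) -> str:
    """The quoted program path, else the first token (unquoted paths with spaces are ambiguous)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        exe = command[1:end] if end > 0 else command[1:]
    else:
        exe = command.split()[0] if command else ""
    for var, val in ENV.items():
        exe = re.sub(re.escape(var), lambda _m: val, exe, flags=re.IGNORECASE)
    return exe


def classify(exe: str) -> str:
    p = exe.lower()
    if p.startswith("c:\\windows\\"):
        return "system"
    if p.startswith("c:\\program files"):
        return "program files"
    if p.startswith("c:\\users\\"):
        return "user profile"
    return "other"


def is_lookalike(exe: str, location: str) -> bool:
    """Named like a core Windows process but living outside the Windows directory."""
    stem = exe.rsplit("\\", 1)[-1].lower()
    stem = stem[:-4] if stem.endswith(".exe") else stem
    return location != "system" and stem.startswith(SYSTEM_NAMES)


def autorun_entries(text: str) -> List[AutorunEntry]:
    out = []
    for key, name, value in parse_reg(text):
        if not value:               # empty strings and non-string data carry no command
            continue
        exe = executable_of(value)
        loc = classify(exe)
        out.append(AutorunEntry(key, name, value, exe, loc, is_lookalike(exe, loc)))
    return out


def needs_review(entries: List[AutorunEntry]) -> List[AutorunEntry]:
    """Entries outside the system and Program Files trees, plus any look-alike name."""
    return [e for e in entries
            if e.location not in ("system", "program files") or e.lookalike]


if __name__ == "__main__":
    for e in needs_review(autorun_entries(REG_SAMPLE)):
        print(f"{e.key}\n  {e.name} -> {e.exe} [{e.location}{', look-alike' if e.lookalike else ''}]")
```

Entries under a user profile are common for legitimate software too, so the review list is a queue for manual checking (hash the file, check its signature, compare against the baseline), not a list of malware.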


12. System logs
Tools: psloglist.exe, dumpevt.exe


13. Browser history and browser configuration (for example, whether AutoComplete is enabled, and the proxy settings)


14. File creation
Use Windows search to find files created during the intrusion window.


15. Process memory dump and dump file analysis
Lspm.pl + BinText 3.0
Using processhacker.exe directly is recommended.


16. Registry analysis points
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\policy
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USBSTOR
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses
HKEY_LOCAL_MACHINE\System\MountedDevices
Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Software\Microsoft\Internet Explorer\TypedURLs
Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
Software\Microsoft\Search Assistant\ACMru
Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore


16. System security logs
Tool: Vista Event Viewer
HKEY_LOCAL_MACHINE\System\ControlSet00x\Services\EventLog
DOS command: wevtutil el (list the logs); wevtutil gl logname (view a log's settings)

 

17. IIS log or Apache log
IIS log: W3SVCn
Apache log: defined in httpd.conf (logs directory)


18. Software installation logs
Setuplog.txt, Setupact.log, SetupAPI.log, Netsetup.log


19. Scheduled task log
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SchedulingAgent


20. XP Firewall Logs


21. Dr. Watson logs
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DrWatson


22. Crash dump file
Load the dump file into bintext.exe


23. Recycle Bin


24. PE analysis
Open in bintext.exe
PELOAD/PEVIEW analysis (follow the imports, IAT table)
PEiD packer check
Check whether the PE is BIND


Others: dynamic debugging in a virtual machine (OD, i.e. OllyDbg)
dumpbin to view API calls, etc.


25. Rootkits
Tools: icesword.exe, Helios


26. Whether the hosts file has been modified
drivers\etc\hosts (under %SystemRoot%\System32)
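A hosts-file review is easy to script: each active line maps one address to one or more names, and the cases worth attention are names pointed at an outside address and security or update hosts pointed at loopback or 0.0.0.0. The script below is an added example, not from the original article; HOSTS_SAMPLE and the WATCHLIST suffixes are constructed, and the private ranges treated as internal are an assumption.

```python
"""Review a Windows hosts file for sinkholed security hosts and redirected names.

Added example (not from the original article). HOSTS_SAMPLE is CONSTRUCTED
text in the format of %SystemRoot%\\System32\\drivers\\etc\\hosts; WATCHLIST
holds made-up vendor/update suffixes an analyst would replace with real ones.
"""
import ipaddress
from typing import List, NamedTuple, Tuple

HOSTS_SAMPLE = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#    127.0.0.1       localhost
#    ::1             localhost
10.0.0.5     intranet.corp.example          # internal override, usually legitimate
0.0.0.0      update.avvendor.example        # blocks a security-update host
127.0.0.1    liveupdate.osvendor.example
203.0.113.9  www.bank.example online.bank.example
"""

# Assumed watchlist: hosts that security/update software must reach.
WATCHLIST = ("avvendor.example", "osvendor.example")

# Assumed internal ranges (RFC 1918).
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class HostsEntry(NamedTuple):
    line_no: int
    ip: str
    names: List[str]
    verdict: str       # sinkhole / internal override / external redirect


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse active lines; '#' starts a comment, whitespace separates fields."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue       # malformed line; worth noting separately in a real review
        if addr.is_loopback or addr.is_unspecified:
            verdict = "sinkhole"
        elif any(addr in n for n in INTERNAL):
            verdict = "internal override"
        else:
            verdict = "external redirect"
        entries.append(HostsEntry(no, ip, names, verdict))
    return entries


def findings(entries: List[HostsEntry]) -> List[Tuple[int, str, str, str]]:
    """(line, name, ip, reason) for each name that needs an analyst's attention."""
    out = []
    for e in entries:
        for name in e.names:
            if e.verdict == "external redirect":
                out.append((e.line_no, name, e.ip, "name redirected to an outside address"))
            elif e.verdict == "sinkhole" and name.endswith(WATCHLIST):
                out.append((e.line_no, name, e.ip, "security/update host sinkholed"))
    return out


if __name__ == "__main__":
    for line_no, name, ip, reason in findings(parse_hosts(HOSTS_SAMPLE)):
        print(f"line {line_no}: {name} -> {ip}: {reason}")
```

Compare the parsed entries against a known-good copy from a clean build as well; an entry that looks harmless in isolation is still a change if it was not there before the incident.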
 
