We often notice that a computer is behaving oddly: it keeps opening web sites nobody asked for, or the network or CPU intermittently stalls. It looks "infected", yet X60 security guard or X-ray computer housekeeper scans the machine and reports that it is "very safe". In that case it is quite possible that a hacker has paid you a visit. Professional forensics would be the proper answer, but for a home machine that is usually overkill. This article therefore introduces some low-cost self-checks that let an individual user quickly judge whether the machine has been compromised.
1. Abnormal log entries
Usually we look for suspicious event records, such as:
"File Protection is not active on this system." (Windows File Protection has been turned off)
"The protected System file [file name] was not restored to its original, valid version because of the Windows File Protection..." (a protected system file could not be restored)
"The MS Telnet Service has started successfully." (the Telnet service has been started)
In addition, check whether there are large numbers of failed logon events or locked-out accounts.
There are two ways to view the event log:
1) From the graphical interface: Start -> Run, then eventvwr.msc
2) From the command line, mainly with the eventquery.vbs script (run it under cscript so that its output goes to the console and can be piped):
C:\> cscript eventquery.vbs | more
Or view only the entries of one log, here the Security log:
C:\> cscript eventquery.vbs /L security
eventquery.vbs is an official Microsoft script that ships with Windows XP and Windows Server 2003; see its command-line help or Microsoft's documentation for the other options. Windows Vista and later no longer include it; there the built-in wevtutil command or PowerShell's Get-WinEvent cmdlet serves the same purpose.
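As an added example (not part of the original article), the following PowerShell script performs the failed-logon and lockout check from the Security log on Windows Vista and later, where eventquery.vbs is no longer available. The 24-hour window and the threshold of 10 failures per account/source pair are assumptions; adjust them to the machine. Run it from an elevated prompt, since reading the Security log requires administrator rights.

```powershell
# Added example, not from the original article: summarise failed logons
# (event ID 4625) and account lockouts (event ID 4740) from the Security log.
# These IDs apply to Windows Vista and later; XP/2003 logged 529 and 644.
# Window and threshold are assumptions, exposed as parameters.
param([int]$Hours = 24, [int]$Threshold = 10)

$since = (Get-Date).AddHours(-$Hours)

# Pull a named field out of the event's EventData block via its XML form;
# this is more robust than indexing $Event.Properties by position.
function Get-EventField {
    param($Event, [string]$Name)
    $xml  = [xml]$Event.ToXml()
    $node = $xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }
    if ($node) { $node.'#text' } else { '' }
}

# Get-WinEvent writes an error when nothing matches; treat that as "no events".
$failed   = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue)
$lockouts = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } -ErrorAction SilentlyContinue)

Write-Host "Failed logons in the last $Hours h: $($failed.Count)"
$failed |
    ForEach-Object {
        [pscustomobject]@{
            Account   = Get-EventField $_ 'TargetUserName'
            Source    = Get-EventField $_ 'IpAddress'
            LogonType = Get-EventField $_ 'LogonType'   # 3 = network, 10 = RDP
        }
    } |
    Group-Object Account, Source, LogonType |
    Sort-Object Count -Descending |
    ForEach-Object {
        # Many failures for one account from one source is the brute-force pattern.
        $flag = if ($_.Count -ge $Threshold) { '   <-- possible brute force' } else { '' }
        "{0,5}  {1}{2}" -f $_.Count, $_.Name, $flag
    }

# In event 4740 the TargetDomainName field carries the caller computer name.
Write-Host "`nAccounts locked out in the last $Hours h: $($lockouts.Count)"
$lockouts | ForEach-Object {
    "{0:u}  {1}  (locked from {2})" -f $_.TimeCreated, (Get-EventField $_ 'TargetUserName'), (Get-EventField $_ 'TargetDomainName')
}
```

A burst of 4625 events for one account from one address with logon type 3 or 10 is the classic sign of a password-guessing attempt over SMB or RDP; a single lockout of an account you did not touch deserves the same attention.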
2. Unusual processes and services
That is, look in the Windows Task Manager for unfamiliar running processes, paying particular attention to those whose user name is SYSTEM or Administrator, or a user in the Administrators group. Of course, it is best to be familiar with the normal processes and services, otherwise you cannot tell whether a process is "abnormal". If you are not, that is fine: search the web for any process name in Task Manager that you do not recognise, and you can usually work out what it is.
Finding unusual processes
Open Task Manager with the Ctrl+Alt+Del shortcut (Ctrl+Shift+Esc on newer versions of Windows) or via Start -> Run, taskmgr.exe, and look at the running processes. You can also list the processes from the command line:
C:\> tasklist
C:\> wmic process list full
Finding unusual services
List the services hosted by each process:
C:\> tasklist /svc
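An added example, not from the original article: the same process-and-service view that Task Manager and tasklist /svc give, extended with the owner, image path and Authenticode signature status of each process, so that the "unfamiliar process running as SYSTEM or Administrator" case is flagged automatically. The assumption that a legitimate binary lives under the Windows or Program Files directories is a heuristic of this example, not a rule; a flag means "look closer", not "malware". Requires PowerShell 3 or later; run elevated so that the owner and path of SYSTEM processes are readable.

```powershell
# Added example, not from the original article: processes with owner, path,
# signature status and hosted services, flagged for a quick triage.

# Directories in which a normally installed binary is expected to live
# (assumption: anything running from elsewhere is worth a second look).
$trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Test-TrustedPath([string]$Path) {
    foreach ($dir in $trusted) {
        if ($Path.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# PID -> service names, the same mapping that 'tasklist /svc' prints.
$svcByPid = @{}
foreach ($s in Get-CimInstance Win32_Service | Where-Object { $_.ProcessId }) {
    $svcByPid[[int]$s.ProcessId] += @($s.Name)
}

$report = foreach ($p in Get-CimInstance Win32_Process) {
    $o     = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    $owner = if ($o.ReturnValue -eq 0) { "$($o.Domain)\$($o.User)" } else { '(unknown)' }
    $path  = $p.ExecutablePath            # null for System, Idle and protected processes
    $sig   = if ($path -and (Test-Path -LiteralPath $path)) {
                 (Get-AuthenticodeSignature -FilePath $path).Status.ToString()
             } else { 'n/a' }
    $reasons = @()
    if ($path -and -not (Test-TrustedPath $path))  { $reasons += 'untrusted-path' }
    if ($sig -ne 'Valid' -and $sig -ne 'n/a')       { $reasons += "sig=$sig" }
    # The text's priority case: a suspicious image running with high privilege.
    if ($reasons -and $owner -match '\\(SYSTEM|Administrator)$') { $reasons += 'privileged' }
    [pscustomobject]@{
        PID      = $p.ProcessId
        Name     = $p.Name
        Owner    = $owner
        Path     = $path
        Services = ($svcByPid[[int]$p.ProcessId] -join ',')
        Flags    = ($reasons -join ' ')
    }
}

# Flagged processes first; the rest is still printed so you can compare it
# against what you know to be normal on this machine.
$report | Sort-Object { -not $_.Flags }, PID | Format-Table -AutoSize
```

Signature status alone is not proof either way: plenty of legitimate older software is unsigned, and malware has been signed with stolen certificates, so use the Path, Owner and Services columns together.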
3. Unusual files and registry entries
If free disk space suddenly shrinks, look for the files responsible. From the Start menu, click:
Start -> Search -> Files or Folders
Then set the search options, such as file size greater than 10000 KB, or created/modified within the last week, and search for the matching files.
For the registry, you normally look for the autostart entry points and check the applications they reference. The common startup keys are:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
Note: HKLM and HKCU are the abbreviations of HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER respectively.
There are two ways to view the registry:
1) Graphical interface: Start -> Run, regedit.exe
2) Command line: reg query <key>, for example:
C:\> reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Of course, there are many other registry locations from which programs can be started automatically; these are discussed below.
4. Unusual scheduled tasks
Next, look through the scheduled tasks for anything abnormal, focusing on tasks that run with Administrators-group or SYSTEM permissions, or tasks whose "run as" user name is blank.
Viewing scheduled tasks
1) Graphical interface: search for Task Scheduler in the Start menu, or:
Start -> Run, taskschd.msc /s
2) Command line listing of the scheduled tasks:
C:\> schtasks
Viewing autostart programs
1) Graphical interface: Start -> Run, msconfig.exe
2) Command line:
C:\> wmic startup list full
Other autostart entry points
Note that msconfig and the commands above list only part of the autostart programs. Windows can launch programs at boot in many other ways, including hijacking of system programs or dynamic-link libraries, and this involves many registry locations; interested readers can consult other articles online, and the Sysinternals Autoruns tool enumerates most of these locations in one place.
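An added example (not from the original article) that covers the registry check in section 3 and the scheduled-task and autostart checks in this section in one pass: it reads the six Run/RunOnce/RunOnceEx keys listed above, the two Startup folders and the scheduled tasks, resolves each entry to a file, and flags entries that are unsigned, live outside the usual program directories, or point at a file that no longer exists. The trusted-directory list is an assumption of the example; Get-ScheduledTask needs Windows 8 / Server 2012 or later.

```powershell
# Added example, not from the original article: enumerate the common autostart
# locations from the text and triage each entry. Only these locations are
# covered; Autoruns is the tool for the full set of entry points.

$runKeys = foreach ($hive in 'HKLM', 'HKCU') {
    foreach ($k in 'Run', 'RunOnce', 'RunOnceEx') {
        "${hive}:\Software\Microsoft\Windows\CurrentVersion\$k"
    }
}
$startupDirs = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
)
# Assumption: installed software lives under these directories.
$trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

# Extract the executable from a command line such as
#   "C:\Tools\agent.exe" -hide   |   C:\Tools\agent.exe -hide   |   rundll32.exe x.dll,Fn
function Get-ExeFromCommand([string]$Cmd) {
    $Cmd = [Environment]::ExpandEnvironmentVariables($Cmd.Trim())
    if ($Cmd -match '^"([^"]+)"') { return $Matches[1] }
    if ($Cmd -match '^(.+?\.(exe|dll|cmd|bat|vbs|js|ps1|scr))(\s|,|$)') { return $Matches[1] }
    return ($Cmd -split '\s+')[0]
}

function Get-Verdict([string]$Exe) {
    if (-not $Exe) { return 'empty' }
    # Bare names such as rundll32.exe resolve through PATH.
    $full = if (Test-Path -LiteralPath $Exe) { (Resolve-Path -LiteralPath $Exe).Path }
            else { (Get-Command $Exe -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1).Path }
    if (-not $full) { return 'MISSING' }   # dangling entry: deleted malware or a hijack target
    $inTrusted = $false
    foreach ($d in $trusted) {
        if ($full.StartsWith($d, [System.StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
    }
    $sig   = (Get-AuthenticodeSignature -FilePath $full).Status
    $flags = @()
    if (-not $inTrusted)  { $flags += 'untrusted-path' }
    if ($sig -ne 'Valid') { $flags += "sig=$sig" }
    if ($flags) { $flags -join ',' } else { 'ok' }
}

$entries = @()
$psMeta  = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $props.PSObject.Properties.Name) {
        if ($name -in $psMeta) { continue }
        $entries += [pscustomobject]@{ Source = $key; Name = $name; Command = [string]$props.$name }
    }
}
foreach ($dir in $startupDirs) {
    foreach ($f in Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue) {
        $cmd = $f.FullName
        if ($f.Extension -eq '.lnk') {          # follow shortcuts to their real target
            $lnk = (New-Object -ComObject WScript.Shell).CreateShortcut($f.FullName)
            $cmd = ($lnk.TargetPath + ' ' + $lnk.Arguments).Trim()
        }
        $entries += [pscustomobject]@{ Source = 'StartupFolder'; Name = $f.Name; Command = $cmd }
    }
}
# Scheduled tasks: record who the task runs as, since the text says to look at that.
foreach ($t in Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' }) {
    foreach ($a in $t.Actions | Where-Object { $_.Execute }) {
        $entries += [pscustomobject]@{
            Source  = "Task $($t.TaskPath)$($t.TaskName) [RunAs=$($t.Principal.UserId)]"
            Name    = $t.TaskName
            Command = ($a.Execute + ' ' + $a.Arguments).Trim()
        }
    }
}

$entries |
    Select-Object Source, Name, Command, @{ n = 'Verdict'; e = { Get-Verdict (Get-ExeFromCommand $_.Command) } } |
    Sort-Object { $_.Verdict -eq 'ok' } |
    Format-Table -AutoSize -Wrap
```

Entries whose verdict is MISSING are interesting in both directions: either the file has already been removed (a cleaned-up infection leaving its Run value behind) or the path is a hijack target that an attacker could fill in later.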
5. Abnormal network traffic
Common network-related self-check commands:
Check the firewall configuration (on Windows Vista and later the equivalent context is netsh advfirewall):
C:\> netsh firewall show config
Check the shared folders to see whether anything is shared that should not be:
C:\> net view \\127.0.0.1
View the sessions that other machines have opened to this computer:
C:\> net session
View the connections this computer has opened to other systems:
C:\> net use
View the NetBIOS over TCP/IP session table:
C:\> nbtstat -s
View the current network connections and listening ports:
C:\> netstat -na
Keep printing the same information, refreshed every 3 seconds:
C:\> netstat -na 3
View the process ID (-o) and the program name (-b) behind each connection (-b requires administrator rights):
C:\> netstat -naob
Note: netstat -b, besides the program name, also shows the components (executables and DLLs) the process used to create the connection, so continuous output with it consumes noticeably more CPU. For the other options, run netstat /? to view the help.
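An added example (not part of the original article) of the netstat -naob view in PowerShell with two triage filters added: listening sockets owned by a binary outside the usual program directories, and established connections to addresses outside the private ranges. Which directories count as trusted, and the fact that an external connection is merely "worth a look" (every browser makes them), are assumptions of the example. Get-NetTCPConnection needs Windows 8 / Server 2012 or later; run elevated so that every process's path is readable.

```powershell
# Added example, not from the original article: TCP connections joined to the
# owning process, with listener and external-connection triage flags.

# Assumption: installed software lives under these directories.
$trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Test-PrivateAddress([string]$Ip) {
    # RFC 1918 ranges, loopback, link-local, unspecified, and IPv6 local scopes.
    if ($Ip -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|169\.254\.|0\.0\.0\.0$)') { return $true }
    if ($Ip -match '^(::|::1$|fe80:|fc|fd)') { return $true }
    return $false
}

# PID -> name and image path, looked up once for every process.
$procs = @{}
foreach ($p in Get-Process) { $procs[$p.Id] = @{ Name = $p.ProcessName; Path = $p.Path } }

$rows = foreach ($c in Get-NetTCPConnection) {
    $info  = $procs[[int]$c.OwningProcess]
    $path  = if ($info) { $info.Path } else { $null }
    $flags = @()
    if ($c.State -eq 'Listen') {
        $inTrusted = $false
        foreach ($d in $trusted) {
            if ($path -and $path.StartsWith($d, [System.StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
        }
        # A listener served from a user-writable location is the backdoor pattern.
        if ($path -and -not $inTrusted) { $flags += 'listener-untrusted-path' }
    }
    elseif ($c.State -eq 'Established' -and -not (Test-PrivateAddress $c.RemoteAddress)) {
        $flags += 'external'
    }
    [pscustomobject]@{
        Proto  = 'TCP'
        Local  = "$($c.LocalAddress):$($c.LocalPort)"
        Remote = "$($c.RemoteAddress):$($c.RemotePort)"
        State  = $c.State
        PID    = $c.OwningProcess
        Proc   = if ($info) { $info.Name } else { '?' }
        Path   = $path
        Flags  = ($flags -join ' ')
    }
}

$rows | Sort-Object { -not $_.Flags }, State, PID | Format-Table -AutoSize
```

For the external connections, the question to ask of each row is whether the process in the Proc column is one you would expect to talk to the Internet at all; an external connection from a process with no Path, or from one found under Temp or AppData, is the row to investigate first.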
6. Abnormal accounts
Focus on new accounts that have been added to the Administrators group.
1) Graphical interface:
Start -> Run, lusrmgr.msc -> click Groups -> double-click Administrators
Then look at the member list.
2) Command line:
C:\> net user
C:\> net localgroup administrators
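An added example (not from the original article) for this section: it compares the members of the local Administrators group against an expected list and flags local accounts with attributes that attacker-created accounts often have. The expected-member list is an assumption and must be edited for the machine; the LocalAccounts cmdlets need Windows 10 / Server 2016 with PowerShell 5.1.

```powershell
# Added example, not from the original article: Administrators group baseline
# comparison plus a scan of local accounts for suspicious attributes.

# Assumption: only the built-in Administrator and the current user should be
# local administrators. Edit this list for the machine being checked.
$expectedAdmins = @("$env:COMPUTERNAME\Administrator", "$env:COMPUTERNAME\$env:USERNAME")

Write-Host 'Administrators group members:'
foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
    $tag = if ($expectedAdmins -contains $m.Name) { '' } else { '   <-- not in expected list' }
    "  {0,-12} {1}{2}" -f $m.ObjectClass, $m.Name, $tag
}

Write-Host "`nLocal user accounts:"
Get-LocalUser | ForEach-Object {
    $flags = @()
    if ($_.Enabled -and -not $_.PasswordRequired) { $flags += 'no-password-required' }
    # Account names ending in $ do not appear in 'net user' output, a well-known
    # trick for hiding an attacker's account from the command-line check.
    if ($_.Name -match '\$$') { $flags += 'hidden-style-name' }
    if ($_.Enabled -and ($_.Name -in @('Guest', 'DefaultAccount', 'WDAGUtilityAccount'))) { $flags += 'builtin-enabled' }
    if ($_.PasswordLastSet -and $_.PasswordLastSet -gt (Get-Date).AddDays(-7)) { $flags += 'password-set-this-week' }
    [pscustomobject]@{
        Name            = $_.Name
        Enabled         = $_.Enabled
        LastLogon       = $_.LastLogon
        PasswordLastSet = $_.PasswordLastSet
        Flags           = ($flags -join ' ')
    }
} | Sort-Object { -not $_.Flags }, Name | Format-Table -AutoSize
```

A recently set password on an account you did not create, or an enabled Guest account, is worth the same follow-up as an unexpected administrator: check the Security log around PasswordLastSet for who made the change.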
Summary
When the computer suddenly starts stalling, check Task Manager promptly for an abnormal process that is consuming a lot of CPU; when the system crashes, check the corresponding logs promptly to see whether some program's exploit caused the crash. In short, it is best to get into the habit of running the quick checks described above; even if they only reveal anomalies that might have been caused by an intrusion, that is enough to act before personal information and property come to harm.
Quick self-check for a hacked computer (Windows edition) (reposted)