First, how to find malicious files
- Check the network connections with netstat -ano. Pay attention to suspicious outbound connections, especially mining traffic and outbound brute-force attempts.
- Find the process from its PID:
tasklist | findstr "$PID"  or  wmic process get Name,ExecutablePath,ProcessId | findstr $PID
where $PID is the PID number of the process under investigation.
- Find the malicious files
(1) Manually locate malicious files using Task Manager and the cmd command line
- Task Manager: taskmgr
- Services: services.msc
(2) Process analysis tool PC Hunter (www.xuetr.com): a process with no publisher signature, or with an abnormal name/path, may be the malicious process.
(3) Process analysis tool Process Explorer: https://technet.microsoft.com/en-us/sysinternals/bb896653/
(4) Quick and rough: 360 Security Guard full-disk Trojan scan
PC Hunter and Process Explorer will be covered in other chapters.
- After finding the suspicious file, upload it to a Trojan identification website
- ThreatBook Online: https://x.threatbook.cn/
- VirusTotal: www.virustotal.com
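The netstat -> PID -> image path -> signature check described above, as one added PowerShell example (not from the original post). It assumes an elevated shell on Windows 8 / Server 2012 or later (Get-NetTCPConnection), and the internal address prefixes in $LocalRanges are constructed and should be adjusted to the host's network.

```powershell
# Added example: map established TCP connections to the owning process, its
# image path and Authenticode signature status, so that unsigned binaries or
# binaries in odd locations that talk to the Internet stand out for review.

# Constructed list of internal prefixes to ignore; adjust for your environment.
$LocalRanges = @('10.', '192.168.', '172.16.', '127.', '::1')

function Get-SuspiciousConnections {
    Get-NetTCPConnection -State Established | ForEach-Object {
        $conn   = $_
        $remote = $conn.RemoteAddress

        # Skip internal peers; outbound-to-Internet traffic is what we triage
        if ($LocalRanges | Where-Object { $remote.StartsWith($_) }) { return }

        # Same lookup as tasklist/wmic, but by object so the path comes along
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        $path = $proc.Path   # $null for System (PID 4) or protected processes

        # Signature status: 'Valid', 'NotSigned', 'HashMismatch', ... or Unknown
        $sig = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status }
               else       { 'Unknown' }

        [pscustomobject]@{
            PID        = $conn.OwningProcess
            Process    = $proc.ProcessName
            Path       = $path
            Signature  = $sig
            Remote     = "$remote`:$($conn.RemotePort)"
            # Flag: not validly signed, or running from a user-writable location
            Suspicious = ($sig -ne 'Valid') -or
                         ($path -match '\\Temp\\|\\AppData\\|\\Users\\Public\\')
        }
    }
}

# Suspicious rows first; review the Path of anything flagged before killing it
Get-SuspiciousConnections | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

A flagged row is a lead, not a verdict: confirm the file hash on ThreatBook or VirusTotal as the list above suggests before acting on it.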
Second, log analysis
1. Windows built-in Event Viewer: eventvwr
2. Log analysis tool Splunk
- Find out whether there are brute-force login records around the critical point in time
- Check whether there are abnormal successful logins from other locations
- Confirm whether the Telnet account has a weak password
Event ID 4722: user created
Event ID 4624: RDP login successful
Event ID 7045: registered as a Windows service
Windows successful-login logs and Splunk analysis will be introduced in other chapters.
Third, other auxiliary means
1. View users: net user
2. Check for weak passwords: https://password.kaspersky.com/
3. Performance Monitor: perfmon.msc
4. Resource Monitor: resmon.exe
5. Registry: regedit.exe
6. Group Policy: gpedit.msc
7. Windows Update check
- 2008: Control Panel \ All Control Panel Items \ Windows Update
- 2012: Control Panel \ All Control Panel Items \ Windows Update \ View update history
8. View scheduled tasks
a) Windows Server 2008: run at
b) Windows Server 2012: run schtasks.exe
9. Cloud service providers generally offer situational awareness services; use the IDS/WAF/security logs to assist the analysis.
Windows host intrusion Analysis ideas