Windows host intrusion Analysis ideas

Source: Internet
Author: User

I. How to find malicious files
    1. Check network connections: netstat -ano. Pay attention to suspicious outbound connections, especially to mining pools, and to the host itself brute-forcing external targets.
    2. Find the process from its PID

tasklist | findstr "$PID"    or    wmic process get Name,ExecutablePath,ProcessId | findstr $PID

where $PID is the PID of the suspicious process.

    3. Find the malicious file

(1) Manually locate the malicious file with Task Manager and the cmd command line

    • Task Manager: taskmgr
    • Services: services.msc

(2) Process analysis tool PC Hunter (www.xuetr.com): a process with no publisher signature, or with an abnormal name or path, may be malicious
(3) Process analysis tool Process Explorer: https://technet.microsoft.com/en-us/sysinternals/bb896653/
(4) Quick and rough: a full Trojan scan with 360 Security Guard

PC Hunter and Process Explorer will be covered in other chapters.

    4. After finding a suspicious file, upload it to a malware identification site (look up its SHA-256 hash first; an uploaded sample becomes visible to other users of the service)
      • ThreatBook (Micro-Step Online): https://x.threatbook.cn/
      • VirusTotal: www.virustotal.com
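The connection-to-process chain from steps 1 and 2 (netstat -ano, then the PID lookup and a look at the image path and signature) in one script. This is an added example, not code from the original article: the netstat rows and process table are constructed, the mining-pool port list and the "non-standard path" rule are heuristics of this example, and the function names are its own.

```powershell
# Added example (not from the original article): parse "netstat -ano" output, keep
# established connections to public addresses, join them to their processes and
# check the image's Authenticode signature. Port list and path rule are heuristics.

function ConvertFrom-Netstat {
    # Parses one line of "netstat -ano"; UDP rows (no State column) are skipped
    param([Parameter(ValueFromPipeline)] [string]$Line)
    process {
        if ($Line -match '^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$') {
            [pscustomobject]@{
                LocalAddr  = $Matches[1]; LocalPort  = [int]$Matches[2]
                RemoteAddr = $Matches[3]; RemotePort = [int]$Matches[4]
                State      = $Matches[5]; ProcessId  = [int]$Matches[6]
            }
        }
    }
}

function Test-PrivateAddress([string]$Ip) {
    # RFC 1918, loopback, link-local, unspecified, and IPv6 loopback/unspecified
    return $Ip -match '^(10\.|127\.|169\.254\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|0\.0\.0\.0$|\[::1?\]$)'
}

function Get-ProcessImage {
    # Resolves PID -> name/path. $Lookup (constructed data) takes precedence so the
    # example runs offline; on a live host the CIM query is used instead.
    param([int]$ProcessId, [hashtable]$Lookup)
    if ($Lookup -and $Lookup.ContainsKey($ProcessId)) { return $Lookup[$ProcessId] }
    $p = Get-CimInstance Win32_Process -Filter "ProcessId = $ProcessId" -ErrorAction SilentlyContinue
    if ($p) { return @{ Name = $p.Name; Path = $p.ExecutablePath } }
    return @{ Name = '<exited>'; Path = $null }
}

function Find-ExternalConnection {
    param([string[]]$NetstatLines, [hashtable]$ProcessLookup,
          [int[]]$MiningPorts = @(3333, 4444, 5555, 7777, 14444))   # common Stratum pool ports (heuristic)
    $NetstatLines | ConvertFrom-Netstat |
        Where-Object { $_.State -eq 'ESTABLISHED' -and -not (Test-PrivateAddress $_.RemoteAddr) } |
        ForEach-Object {
            $img = Get-ProcessImage -ProcessId $_.ProcessId -Lookup $ProcessLookup
            # Signature check only works for a file that exists on this host
            $sig = if ($img.Path -and (Test-Path $img.Path)) { (Get-AuthenticodeSignature $img.Path).Status } else { 'n/a' }
            $flags = @()
            if ($_.RemotePort -in $MiningPorts) { $flags += 'mining-pool port' }
            if ($img.Path -and $img.Path -notmatch '^C:\\(Windows|Program Files)') { $flags += 'non-standard path' }
            if ($sig -ne 'Valid') { $flags += "signature=$sig" }
            [pscustomobject]@{
                Remote    = "$($_.RemoteAddr):$($_.RemotePort)"
                ProcessId = $_.ProcessId
                Process   = $img.Name
                Path      = $img.Path
                Flags     = ($flags -join '; ')
            }
        }
}

# Constructed sample (not captured from a real host): benign rows plus one
# established connection to a pool-style port from a binary in a writable directory.
$sampleNetstat = @(
    '  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880',
    '  TCP    10.0.0.5:49712         10.0.0.1:445           ESTABLISHED     4',
    '  TCP    10.0.0.5:49801         203.0.113.9:3333       ESTABLISHED     4120',
    '  UDP    0.0.0.0:500            *:*                                    1204'
)
$sampleProcesses = @{
    880  = @{ Name = 'svchost.exe'; Path = 'C:\Windows\System32\svchost.exe' }
    4    = @{ Name = 'System';      Path = $null }
    4120 = @{ Name = 'svchost.exe'; Path = 'C:\Users\Public\svchost.exe' }
}

Find-ExternalConnection -NetstatLines $sampleNetstat -ProcessLookup $sampleProcesses | Format-Table -AutoSize
```

On a live host run Find-ExternalConnection -NetstatLines (netstat -ano) from an elevated prompt; without the lookup table the PID is resolved through Win32_Process and the Authenticode status is read from the real file. A process named like a system binary but running from Users\Public, as in the sample, is exactly the "abnormal name or path" case PC Hunter highlights.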
II. Log analysis

1. Windows built-in log viewer: eventvwr
2. Log analysis tool: Splunk

    • Check whether there are brute-force login records around the key time point
    • Check whether there is a successful login from an unusual location
    • Confirm whether the remote login account has a weak password

Event ID 4720: user account created (4722 is logged when an account is enabled, not created)
Event ID 4624: successful logon; an RDP logon is a 4624 with Logon Type 10, and the failed attempts before it are 4625
Event ID 7045: a new service was installed (System log)
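The three checks above (brute-force bursts, an unusual successful logon, new accounts and services) as a script over event XML. This is an added example, not code from the original article: the events are constructed in the shape Get-WinEvent's ToXml() returns, the brute-force threshold is an arbitrary choice of this example, and the function names are its own.

```powershell
# Added example (not from the original article): flatten Security/System event XML
# and report RDP logons (4624/type 10), brute-force bursts (many 4625 from one IP,
# optionally followed by a 4624), new accounts (4720) and new services (7045).

function ConvertTo-EventRecord {
    param([Parameter(ValueFromPipeline)] [xml]$EventXml)
    process {
        $e = $EventXml.Event
        $id = $e.System.EventID
        if ($id -isnot [string]) { $id = $id.'#text' }   # System-log IDs carry a Qualifiers attribute
        $data = @{}
        foreach ($d in $e.EventData.Data) { if ($d.Name) { $data[$d.Name] = $d.'#text' } }
        [pscustomobject]@{
            Time        = [datetime]$e.System.TimeCreated.SystemTime
            EventId     = [int]$id
            TargetUser  = $data['TargetUserName']
            LogonType   = $data['LogonType']
            SourceIp    = $data['IpAddress']
            ServiceName = $data['ServiceName']
            ImagePath   = $data['ImagePath']
        }
    }
}

function Find-SuspiciousEvent {
    param([Parameter(ValueFromPipeline)] $Record, [int]$BruteForceThreshold = 20)
    begin { $all = New-Object System.Collections.Generic.List[object] }
    process { $all.Add($Record) }
    end {
        # Logon Type 10 = RemoteInteractive (RDP); 3 = network, 2 = console, 7 = unlock
        foreach ($r in $all | Where-Object { $_.EventId -eq 4624 -and $_.LogonType -eq '10' }) {
            [pscustomobject]@{ Finding = 'RDP logon'; Time = $r.Time; Detail = "$($r.TargetUser) from $($r.SourceIp)" }
        }
        # Many 4625 from one source = brute force; a 4624 from the same source afterwards = it worked
        foreach ($g in $all | Where-Object { $_.EventId -eq 4625 } | Group-Object SourceIp | Where-Object Count -ge $BruteForceThreshold) {
            $success = $all | Where-Object { $_.EventId -eq 4624 -and $_.SourceIp -eq $g.Name } | Select-Object -First 1
            [pscustomobject]@{ Finding = 'brute force'; Time = ($g.Group | Sort-Object Time)[0].Time
                               Detail = "$($g.Count) failures from $($g.Name)" + $(if ($success) { " then SUCCESS as $($success.TargetUser)" }) }
        }
        foreach ($r in $all | Where-Object { $_.EventId -eq 4720 }) {
            [pscustomobject]@{ Finding = 'account created'; Time = $r.Time; Detail = $r.TargetUser }
        }
        foreach ($r in $all | Where-Object { $_.EventId -eq 7045 }) {
            [pscustomobject]@{ Finding = 'service installed'; Time = $r.Time; Detail = "$($r.ServiceName) -> $($r.ImagePath)" }
        }
    }
}

function New-SampleEvent([int]$Id, [string]$Time, [hashtable]$Fields, [string]$Qualifiers) {
    # Constructed event XML (namespace and layout as returned by EventLogRecord.ToXml())
    $idTag = if ($Qualifiers) { "<EventID Qualifiers='$Qualifiers'>$Id</EventID>" } else { "<EventID>$Id</EventID>" }
    $data  = ($Fields.GetEnumerator() | ForEach-Object { "<Data Name='$($_.Key)'>$($_.Value)</Data>" }) -join ''
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System>$idTag" +
    "<TimeCreated SystemTime='$Time'/></System><EventData>$data</EventData></Event>"
}

# Constructed sample (not from a real host): 25 failures, then a successful RDP logon
# from the same address, a new account and a new service.
$sample = @()
foreach ($m in 1..25) {
    $sample += New-SampleEvent 4625 ('2024-03-01T01:{0:D2}:00Z' -f $m) @{ TargetUserName = 'administrator'; LogonType = '3'; IpAddress = '198.51.100.7' }
}
$sample += New-SampleEvent 4624 '2024-03-01T01:26:00Z' @{ TargetUserName = 'administrator'; LogonType = '10'; IpAddress = '198.51.100.7' }
$sample += New-SampleEvent 4720 '2024-03-01T01:28:00Z' @{ TargetUserName = 'svc_update'; SubjectUserName = 'administrator' }
$sample += New-SampleEvent 7045 '2024-03-01T01:29:00Z' @{ ServiceName = 'WinUpdateSvc'; ImagePath = 'C:\ProgramData\svc.exe' } '16384'

$sample | ConvertTo-EventRecord | Find-SuspiciousEvent | Format-Table -AutoSize
```

On a live host, feed it the real logs: Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625, 4720 } | ForEach-Object { $_.ToXml() } | ConvertTo-EventRecord | Find-SuspiciousEvent, and the same for @{ LogName = 'System'; Id = 7045 }. 4625 only appears if logon failure auditing is enabled, so an empty brute-force result does not prove there were no attempts; check the audit policy (auditpol /get /category:Logon/Logoff) before drawing that conclusion.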

Successful Windows logon logs and Splunk analysis will be introduced in other chapters.

III. Other auxiliary means

1. View users: net user (and net localgroup administrators, to see who has been added to the local Administrators group)
2. Check for weak passwords: https://password.kaspersky.com/ (a strength checker; never type a real production password into a third-party site, test one of the same pattern instead)
3. Performance Monitor: perfmon.msc
4. Resource Monitor: resmon.exe
5. Registry: regedit.exe
6. Group Policy: gpedit.msc
7. Windows Update check

    • 2008: Control Panel \ All Control Panel Items \ Windows Update
    • 2012: Control Panel \ All Control Panel Items \ Windows Update \ View update history

8. View scheduled tasks

a) Windows Server 2008: run at
b) Windows Server 2012: run schtasks.exe

9. Cloud service providers generally offer situational-awareness services; use their IDS/WAF/security logs to assist the analysis.
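The user, registry, service and scheduled-task checks in this section all come down to reading persistence entries and deciding which ones look wrong. The following is an added example, not code from the original article: the collectors use standard cmdlets on a live host, while the flagging rules and the sample entries are this example's own and serve as triage hints rather than verdicts.

```powershell
# Added example (not from the original article): enumerate persistence points
# (Run keys, services, scheduled tasks) and flag entries whose command looks
# suspicious. Heuristics and sample data are constructed for this example.

function Test-SuspiciousCommand {
    param([string]$Command)
    $reasons = @()
    if ($Command -match '\\(Temp|AppData|Public|ProgramData|Downloads|Recycle)\\') { $reasons += 'image in user-writable directory' }
    if ($Command -match 'powershell[^|]*\s-(e|ec|enc|encodedcommand)\s') { $reasons += 'encoded PowerShell' }
    if ($Command -match '\b(mshta|regsvr32|rundll32|certutil|bitsadmin)\b.*https?://') { $reasons += 'LOLBin with URL' }
    if ($Command -match '\.(bat|cmd|vbs|js|ps1|hta)(\s|"|$)') { $reasons += 'script instead of executable' }
    return $reasons
}

function Get-PersistenceEntry {
    # Live-host collectors (Get-ScheduledTask needs Windows 8 / Server 2012 or later;
    # on 2008 use "schtasks /query /fo CSV /v" instead)
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($k in $runKeys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($p in (Get-ItemProperty $k).PSObject.Properties) {
            if ($p.Name -notlike 'PS*') {   # skip PSPath/PSParentPath/... provider properties
                [pscustomobject]@{ Source = 'Run'; Name = $p.Name; Command = [string]$p.Value }
            }
        }
    }
    Get-CimInstance Win32_Service | ForEach-Object {
        [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Command = $_.PathName }
    }
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            [pscustomobject]@{ Source = 'Task'; Name = "$($task.TaskPath)$($task.TaskName)"; Command = ("$($a.Execute) $($a.Arguments)").Trim() }
        }
    }
}

function Find-SuspiciousPersistence {
    param([Parameter(ValueFromPipeline)] $Entry)
    process {
        $reasons = Test-SuspiciousCommand $Entry.Command
        if ($reasons) {
            [pscustomobject]@{ Source = $Entry.Source; Name = $Entry.Name; Reasons = ($reasons -join '; '); Command = $Entry.Command }
        }
    }
}

# Constructed sample entries (not taken from a real host) so the classifier runs offline.
# The base64 in the second entry is a placeholder, not a real payload.
$sample = @(
    [pscustomobject]@{ Source = 'Task';    Name = '\Microsoft\Windows\UpdateOrchestrator\Schedule Scan'; Command = '%systemroot%\system32\usoclient.exe StartScan' }
    [pscustomobject]@{ Source = 'Task';    Name = '\Updater';     Command = 'powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA' }
    [pscustomobject]@{ Source = 'Service'; Name = 'WinDefendSvc'; Command = 'C:\ProgramData\Microsoft\svchost.exe' }
    [pscustomobject]@{ Source = 'Run';     Name = 'OneDrive';     Command = '"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background' }
    [pscustomobject]@{ Source = 'Run';     Name = 'update';       Command = 'wscript.exe C:\Users\Public\update.vbs' }
)
$sample | Find-SuspiciousPersistence | Format-Table -AutoSize
```

On a live host run Get-PersistenceEntry | Find-SuspiciousPersistence. The OneDrive entry in the sample is flagged on purpose: legitimate per-user software also lives under AppData, so each hit still needs confirmation (Get-AuthenticodeSignature on the image, file timestamps against the incident window). HKCU only covers the account running the script; load other users' hives or walk HKU:\ to cover every profile.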
