
How to implement intrusion Detection in Windows Server

2025-03-13 Update From: SLTechnology News&Howtos (shulou), Servers


Shulou(Shulou.com)06/01 Report--

This article explains how to carry out intrusion detection on a Windows server. The editor finds it very practical and shares it here for reference; follow along and have a look.

01. Check system accounts

(1) Check whether the remote management port is exposed to the public network and whether the server uses weak passwords.

Inspection method:

Check the firewall mapping rules to see how the server's accounts can be reached for login, or ask the responsible administrator, depending on the actual situation.

(2) Check whether there are suspicious or newly added accounts on the server.

Inspection method:

Open a cmd window and run lusrmgr.msc to see whether any new or suspicious accounts exist, especially in the Administrators group; keep or delete them according to the actual business need.

(3) Check whether there are hidden accounts or cloned accounts on the server.

Method for hidden accounts:

At the cmd command line, "net user" does not list an account such as "test$", but that user is still shown in Control Panel and in Local Users and Groups.

Method for cloned accounts:

Open the registry and view the key values corresponding to the administrator account.

The DShield_web tool integrates a function for detecting cloned accounts.

(4) Check, together with the Windows security log, whether administrator login times and user names are abnormal.

Inspection method:

Press Win+R to open Run, type "eventvwr.msc" and press Enter to open Event Viewer. Alternatively, export Windows Logs > Security and analyze it with Log Parser.
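The account checks of section 01 as one PowerShell script. This is an added example, not code from the article: it lists local accounts including the "name$" ones that net user hides, the current members of the Administrators group, and the Security events that record account creation, enabling and group additions. It assumes an elevated PowerShell 5.1 or later session on the server being checked; the 30-day lookback and the function name Get-AccountChangeEvents are this example's own choices. Cloned-account detection (comparing SAM registry values) needs SYSTEM-level access and is deliberately left to the DShield_web tool the article mentions.

```powershell
# Added example (not from the article): section 01 account checks in one pass.
# Assumption: elevated PowerShell 5.1+ on the host; $lookback is an arbitrary review window.

$lookback = (Get-Date).AddDays(-30)

# 1. Every local account. "net user" omits names ending in '$'; Get-LocalUser does not.
Get-LocalUser |
    Select-Object Name, Enabled, LastLogon, PasswordLastSet,
        @{ n = 'HiddenFromNetUser'; e = { $_.Name.EndsWith('$') } } |
    Sort-Object LastLogon -Descending |
    Format-Table -AutoSize

# 2. Current Administrators members, addressed by the well-known SID so the check
#    works regardless of the display language of the group name.
Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize

# 3. Account lifecycle events: 4720 user created, 4722 user enabled,
#    4732 member added to a security-enabled local group (e.g. Administrators).
function Get-AccountChangeEvents([datetime]$Since) {
    $filter = @{ LogName = 'Security'; Id = 4720, 4722, 4732; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Read EventData fields by name instead of by token position.
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) {
            if ($n.Name) { $d[$n.Name] = $n.'#text' }
        }
        # For 4732, TargetUserName is the group and MemberSid the account added;
        # for 4720/4722, TargetUserName is the account itself.
        $member = $d['MemberSid']
        if ($member) {
            try {
                $sid    = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $member
                $member = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { }   # unresolvable SID (account already deleted): keep the raw SID
        }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Actor   = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Target  = $d['TargetUserName']
            Member  = $member
        }
    }
}

Get-AccountChangeEvents -Since $lookback | Sort-Object Time | Format-Table -AutoSize
```

The event list is the part worth keeping as a routine check: an account that appears in the Administrators listing but has no matching 4720/4732 event in the retained log is either older than the log or was added while auditing was off, and both are worth asking about.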

02. Check for abnormal ports

(1) Check port connections

Inspection method:

A. netstat -ano shows the current network connections; locate any suspicious ESTABLISHED connections.

B. Take the PID from the netstat output and find the owning process with tasklist: tasklist | findstr "PID"

(2) Check for suspicious network connections

Inspection method:

Check whether there are suspicious network connections. If anything unusual is found, capture packets with Wireshark to assist the analysis.

03. Check for abnormal processes

(1) Check whether there are suspicious processes

Inspection method:

A. Start > Run, enter msinfo32, then open "Software Environment → Running Tasks" to see process details such as path, process ID, file creation date and start time.

B. Open the DShield_web tool, check the processes, and pay attention to those without signature information.

C. Troubleshoot with tools such as Microsoft's official Process Explorer.

D. Examine suspicious processes and their child processes. Look for:

Processes without signature verification information

Processes without description information

The owner of the process

Whether the process path is legitimate

Processes that occupy a lot of CPU or memory for a long time

(2) How to find the program location corresponding to a process

Task Manager > select the process > right-click > Open file location

Run > enter wmic; at the wmic prompt enter process
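Sections 02 and 03 can be done in one script instead of the netstat -ano / tasklist | findstr / Process Explorer round trip. This is an added example, not code from the article: it builds a process inventory with exactly the attributes the checklist names (parent, owner, image path, signature, description), prints the processes that lack a valid signature or a description, and then joins the ESTABLISHED TCP connections to that inventory. It assumes an elevated session on Windows 8 / Server 2012 or later (Get-NetTCPConnection does not exist on 2003/2008 R2, where netstat -ano as described above remains the way); the function names Get-ProcessFacts and Get-SigStatus are this example's own.

```powershell
# Added example (not from the article): process inventory joined to established connections.
# Assumption: elevated PowerShell on Windows 8 / Server 2012 or later.

$byPid = @{}
foreach ($p in Get-CimInstance Win32_Process) { $byPid[[int]$p.ProcessId] = $p }

$sigCache = @{}
function Get-SigStatus([string]$path) {
    # Authenticode status per image path, cached because many processes share one image.
    if (-not $path) { return 'NoPath' }
    if (-not $sigCache.ContainsKey($path)) {
        $sigCache[$path] = if (Test-Path -LiteralPath $path) {
            (Get-AuthenticodeSignature -LiteralPath $path).Status.ToString()
        } else { 'Missing' }
    }
    return $sigCache[$path]
}

function Get-ProcessFacts([int]$ProcId) {
    $p = $byPid[$ProcId]
    if (-not $p) { return $null }
    $owner  = Invoke-CimMethod -InputObject $p -MethodName GetOwner -ErrorAction SilentlyContinue
    $parent = $byPid[[int]$p.ParentProcessId]
    $parentText = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { "? ($($p.ParentProcessId))" }
    $ownerText  = if ($owner.User) { "$($owner.Domain)\$($owner.User)" } else { '?' }
    $descr = if ($p.ExecutablePath -and (Test-Path -LiteralPath $p.ExecutablePath)) {
                 (Get-Item -LiteralPath $p.ExecutablePath).VersionInfo.FileDescription
             } else { $null }
    [pscustomobject]@{
        PID         = $p.ProcessId
        Name        = $p.Name
        Parent      = $parentText
        Owner       = $ownerText
        Path        = $p.ExecutablePath
        Signature   = Get-SigStatus $p.ExecutablePath   # Valid / NotSigned / HashMismatch / Missing / NoPath
        Description = $descr
        Started     = $p.CreationDate
        CommandLine = $p.CommandLine
    }
}

# 1. The checklist's first two cues: no valid signature, or no description information.
$all = foreach ($id in $byPid.Keys) { Get-ProcessFacts $id }
$all | Where-Object { $_.Signature -ne 'Valid' -or -not $_.Description } |
    Sort-Object Signature, Name |
    Format-Table PID, Name, Parent, Owner, Signature, Path -AutoSize

# 2. Established connections, each mapped straight to the owning process's facts.
Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notin '127.0.0.1', '::1' } |
    ForEach-Object {
        $f = Get-ProcessFacts ([int]$_.OwningProcess)
        [pscustomobject]@{
            Local     = "$($_.LocalAddress):$($_.LocalPort)"
            Remote    = "$($_.RemoteAddress):$($_.RemotePort)"
            PID       = $_.OwningProcess
            Process   = $f.Name
            Owner     = $f.Owner
            Signature = $f.Signature
            Path      = $f.Path
        }
    } | Sort-Object Signature, Remote | Format-Table -AutoSize -Wrap
```

Signature status is a triage cue, not a verdict: system processes such as PID 4 have no image path at all, and a valid signature only says who signed the file, not that the process should be talking to that remote address.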

04. Check startup items

(1) Check whether the server has abnormal startup items.

Inspection method:

A. Log in to the server and click Start > All Programs > Startup. By default this directory is empty; confirm whether it contains any non-business programs.

B. Click Start > Run, enter msconfig, and check for startup entries with abnormal names; uncheck them and delete the file at the path shown in the Command column.

C. Click Start > Run, enter regedit to open the registry, and check whether the auto-start keys are normal.

Pay special attention to the following three registry entries:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

Check whether any abnormal startup entries appear in the right-hand pane; if so, delete them. It is also recommended to install antivirus software to scan for and remove residual viruses or Trojans.

D. Use security software to check startup items, boot-time management, and so on.

E. Group Policy: run gpedit.msc.

05. Check scheduled tasks

(1) Check whether the scheduled tasks contain suspicious scripts

Inspection method:

A. Click Start > Settings > Control Panel > Scheduled Tasks and view each task's properties; this reveals the path of any Trojan file.

B. Click Start > Run, enter cmd, then run at to check for sessions or scheduled tasks between this computer and other computers on the network; if any exist, confirm that they are legitimate.

06. Check services

(1) Check the service names, descriptions and paths to confirm whether anything is abnormal

Inspection method:

Click Start > Run, enter services.msc, pay attention to each service's status and startup type, and check whether any abnormal services exist.
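Sections 04, 05 and 06 all ask the same question of different persistence locations: what does this entry actually execute, and does that file look right? The script below is an added example, not code from the article, that walks the three Run/RunOnce keys and the Startup folders (section 04), every action of every scheduled task (section 05) and every service binary (section 06), resolves each to an executable, and flags entries whose image is missing, unsigned, or outside Windows / Program Files. It assumes an elevated session on Windows 8 / Server 2012 or later (Get-ScheduledTask is not available on 2003/2008 R2, where schtasks /query /v /fo CSV provides the same data); the helper names Get-ImagePath, Get-ImageVerdict and New-Finding are this example's own.

```powershell
# Added example (not from the article): one pass over the persistence locations of sections 04-06.
# Assumption: elevated PowerShell on Windows 8 / Server 2012 or later.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupDirs = @([Environment]::GetFolderPath('Startup'),        # per-user Startup folder
                 [Environment]::GetFolderPath('CommonStartup'))  # all-users Startup folder
# Coarse prefix filter: a file under these roots is "in a standard place", nothing more.
$trusted = @("$env:SystemRoot", "$env:ProgramFiles", "${env:ProgramFiles(x86)}") | Where-Object { $_ }
$shell   = New-Object -ComObject WScript.Shell        # used to resolve .lnk targets

function Get-ImagePath([string]$cmd) {
    # Executable part of a command line such as  "C:\a b\x.exe" /q  or  C:\a\x.exe /q.
    # An unquoted path containing spaces is cut at the first space (the unquoted-service-path
    # ambiguity); such an entry then shows up as MissingFile and deserves a manual look.
    $cmd = [Environment]::ExpandEnvironmentVariables($cmd)
    if ($cmd -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($cmd -match '^\s*(\S+)')     { return $Matches[1] }
    return $cmd
}

function Get-ImageVerdict([string]$image) {
    if ([string]::IsNullOrWhiteSpace($image))                { return 'NoImage' }
    if (-not (Test-Path -LiteralPath $image -PathType Leaf)) { return 'MissingFile' }
    $status = (Get-AuthenticodeSignature -LiteralPath $image).Status
    if ($status -ne 'Valid') { return "Unsigned:$status" }
    foreach ($root in $trusted) {
        if ($image.StartsWith($root, 'OrdinalIgnoreCase')) { return 'OK' }
    }
    return 'SignedButOutsideStdDirs'
}

function New-Finding($kind, $name, $image, $detail) {
    [pscustomobject]@{ Kind = $kind; Name = $name; Image = $image; Detail = $detail
                       Verdict = Get-ImageVerdict $image }
}

$findings = @(
    # Section 04: Run / RunOnce values and Startup folder contents
    foreach ($k in $runKeys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
            if ($p.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
            New-Finding 'RunKey' "$k\$($p.Name)" (Get-ImagePath "$($p.Value)") "$($p.Value)"
        }
    }
    foreach ($d in $startupDirs) {
        foreach ($f in Get-ChildItem -LiteralPath $d -File -ErrorAction SilentlyContinue) {
            $target = if ($f.Extension -eq '.lnk') { $shell.CreateShortcut($f.FullName).TargetPath } else { $f.FullName }
            New-Finding 'StartupDir' $f.Name $target $f.FullName
        }
    }
    # Section 05: every executable action of every scheduled task
    foreach ($t in Get-ScheduledTask) {
        foreach ($a in $t.Actions) {
            if (-not $a.Execute) { continue }           # COM-handler actions carry no Execute
            New-Finding 'Task' "$($t.TaskPath)$($t.TaskName)" (Get-ImagePath $a.Execute) "$($a.Execute) $($a.Arguments)"
        }
    }
    # Section 06: service binaries with start mode and current state
    foreach ($s in Get-CimInstance Win32_Service) {
        New-Finding 'Service' "$($s.Name) ($($s.DisplayName))" (Get-ImagePath "$($s.PathName)") "$($s.StartMode) / $($s.State)"
    }
)

$findings | Where-Object { $_.Verdict -ne 'OK' } |
    Sort-Object Kind, Verdict, Name |
    Format-Table Kind, Name, Verdict, Image, Detail -AutoSize -Wrap
```

Run it once on a known-clean build of the same server role and keep that output: the useful signal on a suspect host is the difference between the two lists, not the absolute number of unsigned entries, since plenty of legitimate vendor tools ship unsigned.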

07. Check suspicious files

(1) Check new files, recently accessed files, the related download directories, and so on.

Inspection method:

A. Check the user directories. A new account creates a user directory under the profile root, so look for unfamiliar user directories:

Windows 2003: C:\Documents and Settings

Windows 2008 R2: C:\Users\

B. Click Start > Run, enter %UserProfile%\Recent, and analyze recently opened suspicious files.

C. In each directory of the server, sort the file list by time to find suspicious files.

D. Recycle Bin, browser download directory, browser history.

E. Suspicious files whose modification time is earlier than their creation time.

(2) If the creation time of a webshell or remote-control Trojan is known, how do you find the other files created in the same time range?

Inspection method:

A. Use the search function of the Registry Workshop registry editor to search by last-write time within that interval.

B. Use the computer's built-in file search with a specified modification time.
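The three file checks of section 07 scripted together: new profile directories, files written in a window around a known pivot time (the question in 07(2)), and files whose modification time predates their creation time (07(1)E). This is an added example, not code from the article; the roots to search, the pivot timestamp and the two-hour window are placeholders to set per case.

```powershell
# Added example (not from the article): section 07 file hunting.
# Assumptions: $roots, $pivot and $window are placeholders to adjust for the case at hand.

$usersRoot = if (Test-Path 'C:\Users') { 'C:\Users' } else { 'C:\Documents and Settings' }
$roots     = @($usersRoot, 'C:\inetpub\wwwroot', "$env:SystemRoot\Temp")   # where to hunt (assumption)
$pivot     = [datetime]'2024-01-01 00:00:00'   # creation time of the webshell/RAT found (placeholder)
$window    = [TimeSpan]::FromHours(2)          # +/- 2 hours around the pivot (assumption)

# 1. Profile directories, newest first: an unfamiliar name here usually means a new account.
Get-ChildItem -LiteralPath $usersRoot -Directory -ErrorAction SilentlyContinue |
    Sort-Object CreationTime -Descending |
    Select-Object Name, CreationTime, LastWriteTime |
    Format-Table -AutoSize

# Enumerate once and reuse for both time-based checks. -Force includes hidden files.
$files = foreach ($r in $roots) {
    Get-ChildItem -LiteralPath $r -File -Recurse -Force -ErrorAction SilentlyContinue
}

# 2. Files created or written within the window around the pivot (question 07(2)).
$files |
    Where-Object {
        [math]::Abs(($_.CreationTime - $pivot).TotalSeconds) -le $window.TotalSeconds -or
        [math]::Abs(($_.LastWriteTime - $pivot).TotalSeconds) -le $window.TotalSeconds
    } |
    Sort-Object LastWriteTime |
    Select-Object FullName, CreationTime, LastWriteTime, Length |
    Format-Table -AutoSize -Wrap

# 3. Modification time earlier than creation time (item 07(1)E). A plain file copy also
#    produces this, because copying preserves LastWriteTime but resets CreationTime, so
#    confirm each hit against what the file is and where it sits before treating it as tampering.
$files |
    Where-Object { $_.LastWriteTime -lt $_.CreationTime } |
    Select-Object FullName, CreationTime, LastWriteTime |
    Format-Table -AutoSize -Wrap
```

Search 2 is the one to run first after finding a webshell: the files dropped in the same few minutes (uploads, staging copies, second-stage tools) are usually what tells you how the shell got there.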

08. Check the system log

(1) Check the system security log

In general, account logins, such as the number of successes and failures, can be learned from the Windows security log:

LogParser.exe -i:EVT -o:DATAGRID "SELECT EXTRACT_TOKEN(Strings,10,'|') as EventType, EXTRACT_TOKEN(Strings,5,'|') as user, count(EXTRACT_TOKEN(Strings,19,'|')) as Times, EXTRACT_TOKEN(Strings,19,'|') as LoginIp FROM F:\security.evtx where EventID=4625 GROUP BY Strings"

(The query runs against an exported security.evtx; for event 4625, token 10 of the Strings field is the logon type, token 5 the target user name and token 19 the source IP address.)

(2) Command history

Newer versions of PowerShell record PowerShell commands, and all of them are saved in a fixed location:

%appdata%\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

View the PowerShell history:

Get-Content (Get-PSReadlineOption).HistorySavePath

PSReadline is included by default from PowerShell v5; on PowerShell v3 and v4 the PSReadline module must be installed before Get-PSReadlineOption can be used.
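The Log Parser query above, redone with Get-WinEvent so that it works on a live server without a separate tool, plus the PSReadline history for every profile rather than only the current user's. This is an added example, not code from the article: the function Get-LogonSummary is this example's own, it reads EventData fields by name so that both failed (4625) and successful (4624) logons parse the same way, and it groups by user, logon type and source IP as the original query does. It assumes administrator rights (the Security log is not readable otherwise); the seven-day lookback is an assumption, and -LogPath can point at an exported .evtx to analyze offline.

```powershell
# Added example (not from the article): failed/successful logon summary and PSReadline history.
# Assumptions: elevated session; $Since default and the 50-line tail are arbitrary choices.

function Get-LogonSummary {
    param(
        [int[]]$Ids = @(4624, 4625),
        [datetime]$Since = (Get-Date).AddDays(-7),   # assumption: last 7 days
        [string]$LogPath = $null                        # set to an exported .evtx to read offline
    )
    $filter = @{ Id = $Ids; StartTime = $Since }
    if ($LogPath) { $filter.Path = $LogPath } else { $filter.LogName = 'Security' }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # EventData by field name rather than token position, so 4624 and 4625 both parse.
            $d = @{}
            foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) {
                if ($n.Name) { $d[$n.Name] = $n.'#text' }
            }
            [pscustomobject]@{
                EventId   = $_.Id
                User      = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                LogonType = $d['LogonType']      # 2 interactive, 3 network, 10 RDP
                SourceIp  = $d['IpAddress']
                Time      = $_.TimeCreated
            }
        } |
        Group-Object EventId, User, LogonType, SourceIp |
        ForEach-Object {
            $sorted = $_.Group | Sort-Object Time
            [pscustomobject]@{
                EventId   = $sorted[0].EventId
                User      = $sorted[0].User
                LogonType = $sorted[0].LogonType
                SourceIp  = $sorted[0].SourceIp
                Count     = $_.Count
                FirstSeen = $sorted[0].Time
                LastSeen  = $sorted[-1].Time
            }
        } |
        Sort-Object EventId, Count -Descending
}

Get-LogonSummary | Format-Table -AutoSize

# PSReadline history for every profile on the box, not just the current user's.
$historyRel = 'AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt'
Get-ChildItem -LiteralPath 'C:\Users' -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $h = Join-Path $_.FullName $historyRel
    if (Test-Path -LiteralPath $h) {
        "`n=== $($_.Name) ($h) ==="
        Get-Content -LiteralPath $h -Tail 50    # last 50 commands; drop -Tail for the full file
    }
}
```

A high Count for one user from one SourceIp with many 4625 rows followed by a single 4624 is the password-guessing shape the checklist is looking for; a 4624 with LogonType 10 from an address that never appears in the 4625 rows is the other pattern worth a look, since it means the password was known on the first try.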

Thank you for reading! This concludes the article on "how to implement intrusion detection on Windows servers". I hope the above content has been of some help to you and lets you learn something more. If you think the article is good, please share it so that more people can see it!
