CyberLab-Eventlog
Cyberlab event log analysis
- Every action leaves a trace
  - File
  - Network
  - Process & Memory
Threat hunting
Preparation > Detection and analysis > Eradication and recovery > Post-incident review
Incident investigation approach
- Who
  - Identify who was attacked
  - Identify the attack source
- What
  - Identify the incident category
  - Check whether it has happened before
- When
  - Identify the time of the attack
- Where
  - Identify the network segment involved
  - Who can access it
  - How it is normally managed
- Artifacts
  - Identify what was created
  - Identify whether anything was exfiltrated
Forensic
- History & log
  - shell history
  - Web access log
  - Eventlog
- Process
  - Services
  - Connection
- File
  - App (binary, script)
  - Autoruns
  - Config
Linux forensic (file: webshell)
- Web service access logs:
  - mtime n : File's data was last modified n minutes ago.
  - atime n : File was last accessed n minutes ago.
- ps -ef
- ls /proc
- strace -f -p pid
- lsof -i:port
- lsof -p pid
- crontab -e
- cat /etc/rc.local
- ls /etc/init.d
- ls /etc/profile.d
- ls /var/log/cron*
- ls /var/log/secure*
Lab: Windows 7 IIS server forensic
- History & log
  - web access log (IIS log)
  - eventlog (4688, Sysmon)
- Process
  - services
  - connection
- File
  - App (binary, script)
  - autoruns
  - config
- Execution history
  - shimcache
  - amcache
- Windows webshell
  - parentprocessid: 3444
  - parentimage: w3wp.exe
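Detection logic for the two items above (4688/Sysmon process creation whose parent image is w3wp.exe, tied back to the IIS access log), as an added example that is not part of the original notes. The event records and IIS W3C log lines are constructed samples; only the w3wp.exe parent and worker pid 3444 come from the lab notes.

```python
"""Hunt for webshell command execution on an IIS host.
A webshell served by IIS runs its commands as children of the worker process
w3wp.exe, so a cmd.exe whose parent image is w3wp.exe (Event ID 4688 / Sysmon
Event ID 1) is a strong lead; the hit is then tied back to the IIS access log."""
from datetime import datetime, timedelta

# Constructed sample process-creation records (not from the lab image).
EVENTS = [
    {"time": "2021-09-17 10:02:11", "pid": 4120, "ppid": 3444,
     "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"time": "2021-09-17 10:02:13", "pid": 4130, "ppid": 4120,
     "image": r"C:\Windows\System32\whoami.exe", "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"time": "2021-09-17 09:55:00", "pid": 3444, "ppid": 1200,
     "image": r"C:\Windows\System32\inetsrv\w3wp.exe", "parent_image": r"C:\Windows\System32\svchost.exe"},
]
# Constructed IIS W3C lines: date time s-ip method uri-stem query port user c-ip ua referer status ...
IIS_LOG = [
    "2021-09-17 10:01:00 10.0.0.5 GET /index.aspx - 80 - 198.51.100.7 Mozilla/5.0 - 200 0 0 15",
    "2021-09-17 10:02:10 10.0.0.5 POST /uploads/img.aspx - 80 - 192.0.2.10 Mozilla/5.0 - 200 0 0 312",
]
WEB_WORKERS = {"w3wp.exe"}
TIME_FMT = "%Y-%m-%d %H:%M:%S"

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def find_webshell_children(events, workers=WEB_WORKERS):
    """Return processes that descend from an IIS worker. The pid -> ppid chain is
    walked so whoami.exe launched via cmd.exe is caught, not only the direct child."""
    by_pid, hits = {e["pid"]: e for e in events}, []
    for e in events:
        cur, depth = e, 0
        while cur is not None and depth < 16:  # bound the walk against pid-reuse loops
            if basename(cur["parent_image"]) in workers:
                hits.append({"pid": e["pid"], "image": basename(e["image"]),
                             "worker_pid": cur["ppid"], "time": e["time"]})
                break
            cur, depth = by_pid.get(cur["ppid"]), depth + 1
    return hits

def correlate_requests(hits, iis_lines, window_sec=5):
    """Pair each hit with IIS requests logged up to window_sec before it -> (pid, method, uri, client ip)."""
    pairs = []
    for h in hits:
        t = datetime.strptime(h["time"], TIME_FMT)
        for f in (line.split() for line in iis_lines):
            ts = datetime.strptime(f"{f[0]} {f[1]}", TIME_FMT)
            if timedelta(0) <= t - ts <= timedelta(seconds=window_sec):
                pairs.append((h["pid"], f[3], f[4], f[8]))
    return pairs
```

On a real case, feed the same two functions the exported 4688/Sysmon events and the IIS log from the lab image instead of the constructed samples.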
https://luoming1995125.github.io/2021/09/17/CyberLab-Eventlog分析/