as everyone knows , Blue team —— Worth is the defender , The red team —— Refers to the attacker . stay HVV When , The red side will do anything to get in , The blue side is to maintain the condition of defensive equipment . Next, let's talk about all aspects of the security screening of the blue side , Unlimited ideas .

In terms of operating system, we can divide it into Windows System 、Linux System , Therefore, it is necessary to determine the corresponding system for troubleshooting .

Windows Intrusion detection

Troubleshooting port

open cmd（win+r）, Input netstat  -ano Check all one port , It mainly depends on the opening of major assets to the public network

  If there is 3389,3306,22 Such as weak password vulnerability , It needs to be confirmed and modified by the administrator in time .

  Check the system account

stay Windows There are account permissions in the system , stay cmd（win+r） Input lusrmgr.msc, Check a valid account , Check whether there are hidden or cloned accounts

  Here you can use some gadgets to automatically check , For example, a D Shield firewall . Then combine the logs , Administrator login time , Operation history to determine whether the user has exceptions .

Troubleshooting process management

Hold down CYRL+SHIFT+ESC Open Task Manager

View the management of responses , process , service （ Generally speaking, when there are many assets , Basically in dazzling ）

stay CMD Input in tasklist-->> Viewing the process is also a way

  View event information

stay （win+r） Input eventvwr.msc

  Check the self start information

Some self start may have some malicious self start , stay （win+r） Input services.msc

Log analysis

Here we can roughly divide into two aspects

1. system log

（win+r）-->eventvwr.msc

You can see the log information

2.web Middleware log

Find the corresponding middleware log , Package and throw it into the response intelligence threat service and so on . If the service doesn't respond , Then we don't seem to have any reaction

Linux Intrusion detection

account number

The two files you must see

/etc/passwd

/etc/shadow

Intrusion detection

 Query privileged users ：awk -F: ‘$3==0{print $1}’ /etc/passwd
 Query the account that can be logged in remotely ：awk ‘/\$1|\$6/{print $1}’ /etc/shadow
 The query has sudo Authorized account number ：more /etc/sudoers | grep -v “^#\|^$” grep “ALL=(ALL)”

History commands  

Command Mastery

history

  Intrusion screening command

cat .bash_history >> history.txt

All packages are checked

Check port

Here and Windows The orders are different

netstat -antlp

Check progress monitoring

ps aux

Abnormal process found

direct     kill -s 9 pid

If you find an exception, export it immediately

Check exception file

Check out the sensitive Directory ,

  Check the system log

The default location for logs is ：/var/log

--------------------------------------