

Overall thinking and basic process of emergency response

Posted by patinella at 2020-03-18

In 2018, information security incidents occurred frequently, and the demand for information security skills and talent grew greatly. Today, whether an ordinary enterprise or a professional security vendor, everyone inevitably needs to master and apply information security knowledge and skills so that they can hold the enemy at bay when needed. As the saying goes, "train an army for a thousand days to use it for a moment": a well-prepared team or a complete process ensures that an enterprise can handle major security incidents in an orderly manner and limit the scope of damage in time.

The Sangfor EDR security team participated in the emergency response to various major epidemic viruses and security events throughout the year. Here we share the thinking and the process the team formed over the year, hoping to offer some inspiration to those who are about to engage in, or have long been engaged in, emergency response and security research.

We describe eight aspects: the overall idea of emergency response, the basic process of emergency response, an introduction to the emergency toolset, system logs and log analysis, the role of threat intelligence, common viruses and their classification, understanding vulnerabilities and patches, and suggestions for skill improvement.

1、 The whole idea of emergency response

The overall idea of emergency response is that the upper level consists of guiding principles and ideas, and the lower level of skills, knowledge points and tools, which together drive and safeguard the whole life cycle of the emergency response process.

Principles and guiding ideas

3W1H principle: 3W is who, what and why; 1H is how. In emergency response we should work with questions in mind, and this information must be collected. What does the network topology look like? What are the needs? What happened? What can you do? What products do users use? What is the product version? What is the virus database version? How many hosts are there? Is the host an ordinary PC or a server? What does the server do? The more information is collected, the better for emergency response.

Volatility principle: information collection and evidence collection are necessary for emergency response, but there is a definite order: the data that is most easily lost should be collected first, and the rest in turn.

Element principle: emergency response mainly focuses on key evidence, i.e. elements, including samples, traffic, logs, processes and modules, memory and startup items.

Harm avoidance principle: emergency response must seek benefit and avoid harm, rather than introducing new problems instead of solving the existing one. For example: the tools one uses are themselves infected without one knowing it; inappropriate tools or software used on the customer's hosts cause problems there; samples sent to others without encryption or compression later infect them. The most extreme case is sending a ransomware sample to others uncompressed, causing them to be infected later.

Skills, knowledge points and tools

Emergency toolset: the set of tools necessary for emergency response, which helps responders analyze and improves efficiency.

Log analysis: the ability to analyze logs, including but not limited to system logs (Windows, Linux, etc.), application logs and security device logs (firewall, antivirus, situational awareness, etc.).

Threat intelligence: security events may not be isolated; security sites or search engines can turn up information related to the event.

Vulnerability patch knowledge: know the relationship between vulnerabilities and patches, their roles in emergency response, and understand common vulnerabilities and patches.

Common viruses and classification: know the general classification of viruses and common viruses.

Sample analysis: at least simple static and dynamic analysis can be performed on a sample.

Operating system knowledge: at least a certain knowledge reserve for Windows and Linux systems, and know their basic working principles.

2、 Basic process of emergency response

Emergency response can be roughly divided into five parts, and its basic process consists of collecting information, judging the type, in-depth analysis, clean-up and disposal, and outputting the report.

Collect information: collect customer information and poisoning host information, including samples.

Judge the type: judge whether it is a security event, and what kind: ransomware, mining, network outage, DoS, etc.

In-depth analysis: log analysis, process analysis, startup analysis, sample analysis.

Clean up and dispose: directly kill the process, delete the file, patch, or repair the file.

Output report: sort out and output complete security incident report.

Ransomware and mining events can account for more than 50%, and the business characteristics of these two kinds of security events are very distinct, so their processes can be separated out for disposal.

Information collection form

| Item | Content to collect |
| --- | --- |
| Customer name | Which region and which customer |
| Number of infected hosts | How many hosts are infected |
| Patch situation | Which patches have been applied and whether any are missing |
| Poisoning phenomenon | Ransomware / mining / DoS / botnet / backdoor / Trojan |
| Account passwords | Confirm whether there are weak passwords |
| Externally open ports | Which ports are open to the outside |
| Services opened | Which services are enabled |
| Operating system version | Operating system version information |
| Customer demand | Confirm the specific needs of the customer |

Forensic elements: forensics is not without clues. The virus itself must have network behavior, and its binary code must be in memory, either as a separate process module or as a DLL/so module inside a process. Generally, to stay alive, it is likely to have its own startup item and a network heartbeat packet.

In short, this boils down to four elements: traffic, memory, modules and startup items.

Wireshark can be used for traffic analysis, mainly analyzing which domain names, URLs and services the current host accesses, which ports, services and directories on the local host are accessed by external IP addresses, and which protocols are used.

For example, if we observe with Wireshark that the host visited the dynamic domain name sjb555.3322.org, we can roughly guess that this is a C&C server (on how to judge whether a domain name is suspicious, see the threat intelligence section below).

Sometimes we can filter and analyze traffic directly by protocol. For example, the IRC protocol is rarely used today, but using IRC to build a botnet channel is still common. In Wireshark, enter "irc" directly in the display filter and press Enter to see whether there is any matching traffic.

As shown in the figure below, we can see that there is related IRC protocol traffic, which is suspicious.

Performing Wireshark's Follow TCP Stream operation, we find that the current botnet host is joining an IRC channel. In addition, starting from the destination IP, it can be found to be a malicious IRC botnet server.


For network traffic, you can also use the TCPView tool to view the specific connections established. As follows, using TCPView we find two connections:

chenyu-57068a53.localdomain.2671 ->

chenyu-57068a53.localdomain.2674 -> amsterdam.nl.eu.undernet.org.6667

When we encounter difficulties analyzing a virus process, its memory is the last line of defense for finding the problem.

Take a Linux server emergency event as an example. As shown in the figure below, we find the parent-child relationship of three virus processes named [ksoftirqd/7]. We can see that 11275 spawns 11276 and 11277, but 11275 was itself spawned by process 1, that is, init is its parent process.

This means that the actual parent process (the original virus file) is not traceable in the current state.

Since the process tree cannot lead us to the parent, there are not many places to start. Disassembling the virus file corresponding to [ksoftirqd/7] takes too long for an emergency response event. But think simply: no matter how the virus file is obfuscated or packed, the code that finally runs in memory is the original code, and at the very least the stack holds a lot of information.

In a Linux environment you can use the system's own GDB: type gdb attach 11275 to attach to virus process 11275, then within GDB use dump binary memory file start_addr end_addr to dump the effective memory range of 11275.

Here file is the output file, which can be specified as 11275.dump; start_addr is the start address and end_addr the end address. For example: dump binary memory /tmp/11275.dump 0x13838000 0x13839000 (this is just an example; the actual addresses are obtained in GDB).

For the memory file 11275.dump, use the command strings -n 8 11275.dump to extract strings of length 8 and above. We find the following line:


This is found in the virus's running memory; it is either the virus's configuration file or the original virus file.

We cd /etc/security and use ls -al to view the contents, as follows:

As you can see, ntps.conf is not a configuration file; it is executable (the file command shows it is an ELF executable), and the file modification time has most likely been forged.

3、 Introduction to emergency Toolset

If you want to do your work well, you must first sharpen your tools; even a skillful woman cannot cook without rice. Emergency response is the same: emergency responders and security researchers must prepare in advance a complete set of tools that is available at any time.

Type of emergency tools

Traffic analysis tools: the commonly used traffic analysis tools are Wireshark and TCPView; other network analysis tools can be used as well, and under Linux the familiar tcpdump.

Process analysis tools: tools that can analyze process-related information, mainly Process Hacker, PC Hunter, etc.

Startup analysis tools: mainly Autoruns, which is convenient for locating virus startup items.

Special killing tools: some popular virus families usually suppress antivirus software, or are file-infecting, so dedicated removal tools are needed to kill them and repair the normal files.

Auxiliary tools: WinHex, a file hash tool, the Everything search tool, the Unlocker file-unlocking tool, etc.

Memory scanning tool: mainly memscanner.

4、 System log and log analysis

Log type

Windows system logs: the audit logs, operation logs and fault logs of the Windows system.

Linux system logs: the audit logs, operation logs and fault logs of the Linux system.

Application logs: including but not limited to the many and varied logs of web applications and the like.

Windows system log

Log path: C:\Windows\System32\winevt\Logs

Required logs: security.evtx, system.evtx, application.evtx

Linux system log

Log path: /var/log

Required logs: secure, and the shell history

Most logs are readable and easy to understand. For example, the following log (see the figure) plainly records an SSH brute-force attempt.
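Reading such a log by eye works for one screenshot; on a busy server the same judgement has to be automated. The following is an added example (not from the original post) that parses sshd lines in /var/log/secure format, counts failed passwords per source IP, lists the usernames each source tried, and flags the case a responder cares about most: a login that succeeded right after a burst of failures. The log lines are constructed sample data.

```python
import re
from collections import Counter, defaultdict

# Constructed sshd lines in /var/log/secure format (sample data, not from the article).
SAMPLE_SECURE_LOG = """\
Mar 18 09:00:01 web01 sshd[2101]: Failed password for root from 203.0.113.45 port 51022 ssh2
Mar 18 09:00:02 web01 sshd[2101]: Failed password for root from 203.0.113.45 port 51023 ssh2
Mar 18 09:00:02 web01 sshd[2103]: Failed password for invalid user admin from 203.0.113.45 port 51024 ssh2
Mar 18 09:00:03 web01 sshd[2105]: Failed password for invalid user oracle from 203.0.113.45 port 51025 ssh2
Mar 18 09:00:05 web01 sshd[2107]: Accepted password for root from 203.0.113.45 port 51030 ssh2
Mar 18 09:05:10 web01 sshd[2200]: Accepted publickey for deploy from 10.0.0.8 port 40212 ssh2
Mar 18 09:06:00 web01 sshd[2210]: Failed password for deploy from 10.0.0.8 port 40213 ssh2
"""

# sshd's wording for a rejected and an accepted login; "invalid user" marks
# a username that does not exist on the host (typical of dictionary attacks).
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+ ssh2")
ACCEPTED = re.compile(r"Accepted (\S+) for (\S+) from (\S+) port \d+ ssh2")


def analyse_sshd_log(text, threshold=3):
    """Summarise brute-force sources and any login that succeeded after failures.

    threshold: failed passwords from one IP that count as brute forcing.
    """
    failures = Counter()        # source IP -> failed attempts
    users = defaultdict(set)    # source IP -> usernames it tried
    success_after = []          # (ip, user, auth method) for logins following failures
    for line in text.splitlines():
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            users[ip].add(user)
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, ip = m.groups()
            # An accepted password right after a burst of failures is the
            # signature of a successful brute force, not a user typo.
            if failures[ip] >= threshold:
                success_after.append((ip, user, method))
    brute = {ip: n for ip, n in failures.items() if n >= threshold}
    return {
        "brute_force_sources": brute,
        "usernames_tried": {ip: sorted(users[ip]) for ip in brute},
        "success_after_failures": success_after,
    }


if __name__ == "__main__":
    for key, value in analyse_sshd_log(SAMPLE_SECURE_LOG).items():
        print(f"{key}: {value}")
```

A single failed password from a legitimate host (10.0.0.8 above) stays below the threshold and is not reported, while the source that succeeded after four failures is.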

5、 The role of Threat Intelligence

In security incidents, Threat Intelligence sometimes provides us with a lot of useful information, and even directly promotes the rapid response of security incidents.

Elements of threat intelligence include, but are not limited to: domain name, URL, IP, file hash, file path, file name, digital signature, domain filing information and ranking information.

Sources of Threat Intelligence

Google: www.google.com

Baidu: www.baidu.com

ThreatBook: x.threatbook.cn

Tencent Habo: habo.qq.com

Alexa Rank: www.alexa.com

Filing (ICP record) query: beian.cndns.com

Sangfor security center: sec.sangfor.com.cn

Sangfor threat analysis platform: wiki.sec.sangfor.com.cn

Sangfor EDR security software center: edr.sangfor.com.cn

In threat intelligence, the domain name plays a very basic and key role, and a URL is itself based on a domain name. Below are several types of domain names commonly used (preferred) by attackers; in the process of gathering evidence we need to focus on such domain names.

Random domain name (DGA):

An infected intranet host uses a specific random algorithm to generate domain names (a domain generation algorithm, DGA), and the attacker uses the same algorithm to register the domains, so as to avoid being blocked for communicating with one fixed domain name or IP for a long time.

For example, a source IP in the intranet resolves the following domain names in a short time (log screenshot):

Looking at these domain names, we can see that their "character features" look random. Domain names (DNS) were invented for the convenience of human memory, so people usually register domain names that are easy to remember and read. Obviously the domain names in the example lack this feature. Behavior that runs counter to the purpose of DNS in this way is clearly not people visiting websites, but a virus using some algorithm.

Dynamic domain name:

A dynamic domain name is open for others to use: the IP bound to a subdomain can be updated dynamically, and most such services are free, so they are often used by attackers, e.g. abc.3322.org (3322.org is the dynamic domain name provider, and the subdomain abc.3322.org can be used by anyone).

Common dynamic domain name providers:


f3322.net, 3322.org, 7766.org and so on are dynamic domain name providers.

sjb555.3322.org is a dynamic domain name, which is marked as malicious on VirusTotal.


Such domain names are often hotbeds of viruses, and they are a focus of observation for both the National Internet Emergency Center (CNCERT) and the China Anti-Network-Virus Alliance. Enterprise users rarely use dynamic domain names on their own initiative.

Recent domain name:

Every domain name has a creation time (registration time). Domain names within the Alexa top one million worldwide have been registered for a long time, from several years to ten or twenty years. To evade firewall blocking, an attacker most likely registers a domain name at the time of the attack. Registering a domain name of more than 7 letters is not expensive, as low as 8 yuan per year (some are free). Attackers tend to do this because an old domain name has probably already been blacklisted (i.e. blocked) by security agencies.

Just think: why would an enterprise user visit a domain that was just registered, for no reason?

For example, the firewall generated the following log. It was observed that the log was generated on January 27, 2016 and the site visited was cazwmwez.info.

Next, check the domain's registration time. Method: query VirusTotal and look at the whois lookup column, as shown in the figure. Creation date gives the registration time, January 12, 2016, and registry expiry date gives the expiration time, one year later. Obviously this is a newly registered and very short-lived domain name (it comes from a real infected customer; the forensic investigation began in early February 2016, i.e. less than one month after registration). The owner of the domain does not intend to maintain it for long. In addition, the domain owner is not the customer (ask the customer to confirm).

Dark network proxy domain name:

The dark web, also known as the Tor network, is a hotbed of the black industrial chain because its access and transmitted traffic cannot be traced. To access the dark web, a virus either implements a Tor client itself or reaches the Tor network through a Tor proxy. Traffic that goes through a Tor proxy is not protected by Tor's encryption: the client connects directly to the Tor proxy, which accesses the Tor site's server on its behalf.

Therefore, dark web proxy domain names can be detected.

For example, a visit to https://abbujjh5vqtq77wg.onion.link/ is considered Tor access because the parent domain onion.link belongs to a Tor proxy, and the likelihood of illegal access is very high.

Top level domain name:

Not all top-level domains need special attention. Start from the customer's business and ask why the client host would need to access the relevant top-level domain. That is, there is a batch of top-level domains that the customer's actual business does not need to visit, so the only remaining explanation is hacking. The following table shows such a batch of top-level domains (including but not limited to these); the TLD column itself did not survive extraction of the original table, only the region and reason.

| Top-level domain | Region or organization | Why focus |
| --- | --- | --- |
| (TLD not recovered) | Russia | Russia is rich in hackers |
| (TLD not recovered) | Eastern Samoa | Unknown country, easy to apply, hard to track registrants |
| (TLD not recovered) | Cocos Islands | Unknown country, easy to apply, hard to track registrants |
| (TLD not recovered) | Soviet Union | Although the former Soviet Union disintegrated, the TLD is still in use, and most of it is related to the black industry |
| (TLD not recovered) | (not recovered) | Unknown country, easy to apply, hard to track registrants (six further rows of the original table carry this same reason) |

For example, on an alarm host, we use Wireshark to grab the network and filter DNS protocol directly as follows:

It can be seen that this host resolves a large number of .pw domain names, such as koqqveoukgjc.pw; .pw is the top-level domain of Palau. This is a very small island nation with no diplomatic relations with mainland China, so the likelihood that a domestic enterprise needs to visit its sites is close to zero (unless the business is in Palau).
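The five domain categories above can be turned into a first-pass filter over a DNS query log, so that the rare suspicious names stand out from the bulk of normal traffic. The following is an added example (not from the original post) scoring each name as dynamic DNS, Tor proxy, watch-list TLD or DGA-like; the suffix lists are short assumptions built from the names the article gives (extend them from the full provider list), the DGA test is a simple consonant-run heuristic, and the log lines are constructed sample data. Registration age (the "recent domain" category) needs a whois lookup and is deliberately left out.

```python
import re
from collections import defaultdict

# Suffix lists are assumptions for this example: a few of the dynamic DNS providers,
# the Tor proxy domain and the TLDs named in the article. Extend them in real use.
DYNAMIC_DNS_SUFFIXES = {"3322.org", "f3322.net", "7766.org", "8866.org", "no-ip.org", "ddns.net"}
TOR_PROXY_SUFFIXES = {"onion.link"}
WATCH_TLDS = {"pw", "cc", "su"}          # Palau, Cocos Islands, Soviet Union
VOWELS = set("aeiou")


def max_consonant_run(label):
    """Longest run of letters/digits with no vowel; human-chosen names rarely exceed 3."""
    run = best = 0
    for ch in label:
        if ch.isalnum() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def classify_domain(domain):
    """Return the list of article categories a domain falls into (empty = unremarkable)."""
    labels = domain.lower().rstrip(".").split(".")
    flags = []
    for n in (2, 3):                      # provider suffixes have two or three labels
        suffix = ".".join(labels[-n:])
        if suffix in DYNAMIC_DNS_SUFFIXES:
            flags.append("dynamic-dns")
        if suffix in TOR_PROXY_SUFFIXES:
            flags.append("tor-proxy")
    if labels[-1] in WATCH_TLDS:
        flags.append("watch-tld")
    # The label the registrant chose; skip a leading "www".
    chosen = labels[1] if labels[0] == "www" and len(labels) > 2 else labels[0]
    if len(chosen) >= 8 and max_consonant_run(chosen) >= 4:
        flags.append("dga-like")
    # Registration age (the "recent domain" category) needs a whois lookup and
    # cannot be judged offline, so it is not scored here.
    return flags


# Constructed DNS query log lines (sample data, not the article's screenshot):
# "<date> <time> <source IP> query <record type> <domain>".
SAMPLE_DNS_LOG = """\
2016-01-27 10:00:01 192.168.1.23 query A koqqveoukgjc.pw
2016-01-27 10:00:01 192.168.1.23 query A sjb555.3322.org
2016-01-27 10:00:02 192.168.1.23 query A abbujjh5vqtq77wg.onion.link
2016-01-27 10:00:02 192.168.1.40 query A www.google.com
2016-01-27 10:00:03 192.168.1.40 query A www.baidu.com
2016-01-27 10:00:04 192.168.1.23 query A cazwmwez.info
"""
LOG_LINE = re.compile(r"^\S+ \S+ (\S+) query \S+ (\S+)$")


def triage_dns_log(text):
    """Map each source IP to the suspicious domains it resolved and why."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        src, domain = m.groups()
        flags = classify_domain(domain)
        if flags:
            hits[src].append((domain, flags))
    return dict(hits)


if __name__ == "__main__":
    for src, items in triage_dns_log(SAMPLE_DNS_LOG).items():
        print(src)
        for domain, flags in items:
            print(f"  {domain}: {', '.join(flags)}")
```

The output groups findings by source IP, which is the unit a responder isolates; here only 192.168.1.23 appears, with all four of the article's example domains flagged and the two search-engine lookups ignored.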

6、 Common viruses and classification

Ransomware (blackmail virus): a virus that encrypts user files.

Mining virus: a virus that consumes the user's CPU and GPU resources to perform large numbers of computations and obtain cryptocurrency.

Worm: a virus that automatically copies itself to other hosts.

Trojan horse: a virus with strong concealment, often used to monitor user behavior or steal user data.

Infectious (file-infecting) virus: a virus that can insert its own malicious code into a normal file.

Script virus: a virus written in a scripting language.

Macro virus: a macro is a special feature Microsoft designed for its Office suite. Because it is powerful, hackers can carry out malicious operations through carefully constructed macro code, which is called a macro virus. Macro viruses usually reach users as spam, because forged Office documents do not easily arouse suspicion; when an unwary user opens the document and enables macros, the macro virus starts running and performs malicious operations on the host.

Botnet virus: a remote-control virus that can form a large one-to-many or many-to-many network.

Backdoor: opens a port on the host to allow unauthorized remote access.

Take the infectious virus as an example; we need to know and understand its principle:

The normal PE file execution process is as follows:

[1] Extract the entry point address EP from the PE header.

[2] Locate the PE code at EP.

[3] Start PE code execution.

The execution process of an infected PE file is as follows, with malicious code links inserted:

[1] Extract the entry point address EP from the PE header.

[2] By tampering with EP or overwriting the original entry point code, EP is made to point to the malicious code.

[3] Execute malicious code.

[4] After the execution of malicious code, jump back to the original PE code.

Although the overall idea of infection is to make the host file execute the malicious code first and then jump back to the original code afterwards, each virus family implements it differently. I summarize them into four categories, in order of complexity from low to high: offset, overlay, encryption and obfuscation.

Terminology: entry point EP (entry point), original entry point OEP (original entry point).

Offset is the most common infection mode of infectious viruses. The virus injects malicious code into an idle location in the host file, then modifies the EP address in the PE header to point to the beginning of the malicious code. When the infected file runs, it executes the malicious code first; after that finishes, it obtains the OEP offset (each virus family hides the OEP value in a different place) and jumps the execution flow back to the OEP to run the host file's original code.
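Because the offset technique leaves the PE header pointing somewhere the linker would never put an entry point, the header alone gives a responder a cheap triage check. The following is an added example (not from the original post) that reads AddressOfEntryPoint and the section table and reports when the entry point lies outside the first code section, in the last section, or in a section not marked as code. The PE images are synthetic header-only blobs built by build_pe for the demonstration; parse_pe_headers works on a real file's bytes the same way.

```python
import struct

# Section characteristics from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000


def parse_pe_headers(pe):
    """Return (AddressOfEntryPoint, [(name, VirtualAddress, VirtualSize, Characteristics)])."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: NumberOfSections at +2, SizeOfOptionalHeader at +16.
    num_sections, size_opt = struct.unpack_from("<H12xH", pe, coff + 2)
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]   # AddressOfEntryPoint
    sections = []
    for i in range(num_sections):
        off = opt + size_opt + 40 * i                       # 40-byte section headers
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va = struct.unpack_from("<II", pe, off + 8)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append((name, va, vsize, chars))
    return entry_rva, sections


def triage_entry_point(pe):
    """Findings matching the 'offset' infection pattern: EP moved away from the code section."""
    entry_rva, sections = parse_pe_headers(pe)
    findings = []
    home = next((s for s in sections if s[1] <= entry_rva < s[1] + s[2]), None)
    if home is None:
        return ["entry point 0x%x lies outside every section" % entry_rva]
    code = [s for s in sections if s[3] & IMAGE_SCN_CNT_CODE]
    if code and home[0] != code[0][0]:
        findings.append(f"entry point in {home[0]}, but the first code section is {code[0][0]}")
    if home is sections[-1] and len(sections) > 1:
        findings.append(f"entry point in the last section {home[0]} (typical of appended code)")
    if not home[3] & IMAGE_SCN_CNT_CODE:
        findings.append(f"section {home[0]} holding the entry point is not marked as code")
    return findings


def build_pe(entry_rva, sections):
    """Construct a minimal PE32 header image for testing (synthetic, not a real binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    table = b""
    for name, va, vsize, chars in sections:
        hdr = bytearray(40)
        hdr[:len(name)] = name.encode("ascii")
        struct.pack_into("<II", hdr, 8, vsize, va)
        struct.pack_into("<I", hdr, 36, chars)
        table += bytes(hdr)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


TEXT = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
CLEAN = build_pe(0x1000, [(".text", 0x1000, 0x2000, TEXT), (".data", 0x3000, 0x1000, DATA)])
# Offset-style infection: code appended to the last section, which is made executable,
# and AddressOfEntryPoint redirected into it while .text is left untouched.
INFECTED = build_pe(0x4200, [(".text", 0x1000, 0x2000, TEXT), (".data", 0x3000, 0x1000, DATA),
                             (".rsrc", 0x4000, 0x1000, DATA | IMAGE_SCN_MEM_EXECUTE)])
```

Packers and some legitimate installers also move the entry point, so a finding here is a reason to look at the file, not proof of infection; a clean compiler-built file such as CLEAN produces no findings.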

7、 Understanding vulnerabilities and patches

Vulnerabilities and patches are indispensable in emergency response. If a hacker invaded the system through some vulnerability and the emergency response cannot identify which vulnerability was exploited, the intrusion can happen again and again. On the endpoint this appears as a virus that is cleaned up and then comes back, so we must find the vulnerability.

After finding the vulnerability, the corresponding patch must be applied; only then is the disposal complete.

How to check the system patches? Take Windows as an example: open cmd directly and enter systeminfo to list them.

What is vulnerability: vulnerability refers to the weakness or defect of a system.

How it comes about: a defect in system design or an error in coding.

What are the consequences: hacking and virus resident, data loss and tampering, privacy disclosure, system being controlled and used as a springboard to invade other host systems, etc.

Solution: apply the patch.

8、 Suggestions for skill improvement

Follow security news: pay attention to the security information released by security companies; follow more and learn more.

Read more security books: "Practical Malware Analysis" and the like are recommended.

Visit security forums more often: FreeBuf, the Kanxue forum, etc. are recommended.

Ask in security communication groups: ask when you don't understand.

More practice: practise more, and try to solve security problems by yourself.