更新

更新

Windows-应急响应.md

@@ -1,50 +1,47 @@
 ## 一. 账户安全
 
-```bash
+```sh
 query user  查看当前登录账户
 logoff ID 注销用户id
 net  user 查看用户
 net user username 查看用户登录情况
 lusrmgr.msc 打开本地用户组
 ```
 
-
 `HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Users\\`
 regedit注册表查看账户，确认系统是否存在隐藏账户
 
-
 ![image](https://github.com/wpsec/Emergency-response-notes/blob/main/images/22.png)
 
 ![image](https://github.com/wpsec/Emergency-response-notes/blob/main/images/23.png)
 
-
 ### 利用LogParser查看日志
 
 [https://www.microsoft.com/en-us/download/confirmation.aspx?id=24659](https://www.microsoft.com/en-us/download/confirmation.aspx?id=24659)
 
 ![image](https://github.com/wpsec/Emergency-response-notes/blob/main/images/24.png)
 
 查询用户登录情况
-```bash
+
+```sh
 LogParser.exe -i:EVT "SELECT TimeGenerated,EXTRACT_TOKEN(Strings,5,'|') AS USERNAME,EXTRACT_TOKEN(Strings,5,'|') AS SERVICE_NAME,EXTRACT_TOKEN(Strings,5,'|') AS Client_IP FROM 'C:\Users\wp_bj_windows\Desktop\安全.evtx' WHERE EventID=4624"
 ```
 
 ![image](https://github.com/wpsec/Emergency-response-notes/blob/main/images/25.png)
 
-
 查询登录成功的事件
-```bash
+
+```sh
 LogParser.exe -i:EVT –o:DATAGRID  "SELECT * FROM 'C:\Users\wp_bj_windows\Desktop\安全.evtx' where EventID=4624"   
 ```
 
 ![image](https://github.com/wpsec/Emergency-response-notes/blob/main/images/26.png)
 
-
 ## 二. 检查异常端口进程
 
 目前连接
 
-```bash
+```sh
 netstat  -ano
 netstat -ano | findstr "ESTABLISHED"    #已经成功建立的连接
 ```
@@ -57,45 +54,64 @@ msfinfo32
 
 利用wmic查看进程执行时的命令
 约束条件 name
-```bash
+
+```sh
 Wmic process where name='sqlceip.exe' getname,Caption,executablepath,CommandLine ,processid,ParentProcessId  /value
 ```
+
 或者pid
-```bash
+
+```sh
 Wmic process where processid='2352' get name,Caption,executablepath,CommandLine ,processid,ParentProcessId  /value
 ```
 
 ![image](https://github.com/wpsec/Emergency-response-notes/blob/main/images/29.png)
 
 ## 三. 启动项
-![image](https://github.com/wpsec/Emergency-response-notes/blob/main/images/30.png)
 
+![image](https://github.com/wpsec/Emergency-response-notes/blob/main/images/30.png)
 
 注册表
 
 `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run`
 
-
 `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Runonce`
 
 ![image](https://github.com/wpsec/Emergency-response-notes/blob/main/images/31.png)
 
-
-
 ## 系统定时任务
+
 win7系统利用at
 
-```bash
+```sh
 schtasks | more
 ```
-![image](https://github.com/wpsec/Emergency-response-notes/blob/main/images/32.png)
+
+![截图](https://github.com/wpsec/Emergency-response-notes/blob/main/images/cbea8f99ff770254d6034e88dc67a453.png)
 
 ### 任务清单
 
 `C:\Windows\System32\Tasks `
 
 ![image](https://github.com/wpsec/Emergency-response-notes/blob/main/images/33.png)
 
+![截图](https://github.com/wpsec/Emergency-response-notes/blob/main/images/3ca8925c0e7b8c239074909ae970016d.png)
+
+![截图](https://github.com/wpsec/Emergency-response-notes/blob/main/images/3ca8925c0e7b8c239074909ae970016d.png)
+
+使用VScode打开
+
+![截图](https://github.com/wpsec/Emergency-response-notes/blob/main/images/f276b1b7b425ecb2bda413cc4b78b07c.png)
+
+按时间执行
+
+![截图](https://github.com/wpsec/Emergency-response-notes/blob/main/images/d7e56a1ca99405b906d067a558aeaab8.png)
+
+<br/>
+
+![截图](https://github.com/wpsec/Emergency-response-notes/blob/main/images/0d0ed78e867ef193fc500412805b839b.png)
+
+![截图](https://github.com/wpsec/Emergency-response-notes/blob/main/images/1b96d69aeadfc239f536cbca8126f280.png)
 
 ### 删除任务计划
 
@@ -106,18 +122,12 @@ SchTasks /Delete /TN  任务计划名称
 
 `services.msc`
 
-
 ![image](https://github.com/wpsec/Emergency-response-notes/blob/main/images/34.png)
 
-
-
-
 `sc stop` [服务名称]停止服务后，
 
-
 `sc delete` [服务名称]删除服务
 
-
 ## 六. 文件
 
 最近打开的文件
@@ -126,18 +136,10 @@ SchTasks /Delete /TN  任务计划名称
 
 ![image](https://github.com/wpsec/Emergency-response-notes/blob/main/images/35.png)
 
-
-
-
 C:\Users 目录下文件
 
 ## 七. 安防软件日志记录
 
-
-
-
-
 版权声明：本文为个人笔记，遵循 [CC 4.0 BY-SA](http://creativecommons.org/licenses/by-sa/4.0/) 版权协议，转载请附上原文出处链接和本声明。
 
 本文链接:[https://github.com/wpsec/Emergency-response-notes](https://github.com/wpsec/Emergency-response-notes)
-

tools/内存取证/volatility/readme.txt

@@ -0,0 +1 @@
+https://www.volatilityfoundation.org/26

tools/内存取证/volatility/tool-for-CTF/README.md

@@ -0,0 +1,6 @@
+## What's this?
+
+Some tool for CTF
+
+Welcome to add.
+

tools/内存取证/volatility/tool-for-CTF/auto_install_script/.condarc

@@ -0,0 +1,6 @@
+channels:
+  - https://mirrors.tuna.tsinghua.edu.cn/anaconda/pkgs/main/
+  - https://mirrors.tuna.tsinghua.edu.cn/anaconda/pkgs/free/
+  - https://mirrors.tuna.tsinghua.edu.cn/anaconda/cloud/conda-forge/
+  - https://mirrors.tuna.tsinghua.edu.cn/anaconda/cloud/msys2/
+show_channel_urls: true

tools/内存取证/volatility/tool-for-CTF/auto_install_script/gmpy2.sh

@@ -0,0 +1,8 @@
+# gmp 库安装
+sudo apt-get install -y libgmp-dev
+# mpfr 库安装
+sudo apt-get install -y libmpfr-dev
+# mpc 库安装
+sudo apt-get install -y libmpc-dev
+sudo pip install gmpy2
+sudo pip3 install gmpy2

tools/内存取证/volatility/tool-for-CTF/auto_install_script/kali-for-misc.sh

@@ -0,0 +1,54 @@
+#!/bin/bash
+# 换源
+sudo rm /etc/apt/sources.list
+sudo echo "deb http://mirrors.tuna.tsinghua.edu.cn/kali kali-rolling main contrib non-free" > /etc/apt/sources.list
+sudo echo "deb-src https://mirrors.tuna.tsinghua.edu.cn/kali kali-rolling main contrib non-free" >> /etc/apt/sources.list
+apt-get update
+# pip
+sudo apt-get install -y python-pip
+sudo apt-get install -y python3-pip
+pip config set global.index-url https://pypi.tuna.tsinghua.edu.cn/simple
+# mkdir
+mkdir -p ~/ctf/tool
+cd ~/ctf/tool
+# volatility
+sudo apt-get install -y volatility
+# foremost
+sudo apt-get install -y foremost
+# pngcheck
+sudo apt-get install -y pngcheck
+# imagemagick(convert)
+sudo apt-get install -y imagemagick
+# exiftool
+sudo apt-get install -y exiftool
+# steghide
+sudo apt-get install -y steghide
+# gaps
+git clone https://github.com/nemanja-m/gaps
+cd gaps
+pip3 install numpy opencv-python pytest matplotlib pillow
+python3 setup.py install
+cd ../
+# 盲水印
+git clone https://github.com/chishaxie/BlindWaterMark
+# F5隐写
+git clone https://github.com/matthewgao/F5-steganography
+# lsb
+git clone https://github.com/livz/cloacked-pixel
+# RSA
+git clone https://github.com/Ganapati/RsaCtfTool
+sudo apt-get install -y libgmp3-dev libmpc-dev
+cd RsaCtfTool
+pip3 install -r requirements.txt -y
+cd ../
+# outguess隐写
+git clone https://github.com/crorvick/outguess
+cd outguess
+sudo ./configure
+sudo make
+sudo make install
+cd ../
+# zsteg
+gem sources --remove https://rubygems.org/
+gem sources --add https://gems.ruby-china.com/
+gem install zsteg

tools/内存取证/volatility/tool-for-CTF/auto_install_script/local_codemoji.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+mkdir ~/ctf/tool
+cd ~/ctf/tool
+git clone https://github.com/mozilla/codemoji
+cd codemoji
+sudo apt-get install -y nodejs
+sudo apt install -y node-gyp npm
+sudo npm config set registry https://registry.npm.taobao.org
+sudo npm i -g npm
+npm install -g bower
+npm install -g grunt-cli
+npm install -g gulp-cli 
+
+npm install
+bower install --allow-root
+grunt dev

tools/内存取证/volatility/tool-for-CTF/auto_install_script/tensorflow_on_ubuntu.sh

@@ -0,0 +1,9 @@
+# /bin/bash
+cp ./.condarc ~
+conda create -n tensorflow python=3.7 -y
+conda activate tensorflow
+pip install tensorflow==1.15.3 -i https://pypi.tuna.tsinghua.edu.cn/simple/ --timeout=1000
+pip install pandas -i https://pypi.tuna.tsinghua.edu.cn/simple/ --timeout=1000
+pip install matplotlib -i https://pypi.tuna.tsinghua.edu.cn/simple/ --timeout=1000
+pip install opencv-python -i https://pypi.tuna.tsinghua.edu.cn/simple/ --timeout=1000
+pip install librosa -i https://pypi.tuna.tsinghua.edu.cn/simple/ --timeout=1000

tools/内存取证/volatility/tool-for-CTF/volatility_plugins/README.md

@@ -0,0 +1,3 @@
+* mimikatz.py 获取密码
+* lastpass.py Chrome记录的登录密码
+* usbstor.py 扫描注册表查找插入系统的USB设备