Botnets - The killer web applications

www.syngress.com
Botnet Detection: Tools and Techniques • Chapter 5
183
427_Botnet_05.qxd 1/9/07 9:59 AM Page 183


we find nothing on the computer, since the virus scanner will actually delete some of the intelligence data we are looking for. In our sample case, the intelligence data we were looking for was found on the computer, so we did not run a virus scan until after we completed the forensics.

First we open a help desk ticket. We use the RT ticketing system to track all virus infections. This permits us to know whether a system has been reinfected after it has been cleaned. The ticket first goes to the network team to place that computer's network connection in a network quarantine area, to prevent further spread of the bot while permitting the user to do some useful work. Then we track down the computer and begin to gather the event logs and the virus scanner logs. The order of the data isn't important. We chose this order to ensure that we had gathered the static data before we started chasing the interesting stuff.
Event Logs

The event logs are located in the Windows or WINNT directory under %WinDir%\system32\config. These files end in .evt, but we have seen them with different capitalization schemes (.evt, .EVT, .Evt).

The security event log is controlled by the Local Policy | Audit Policy settings. For this type of analysis, the following policies should be set to success, failure:

- Audit account logon events
- Audit account management
- Audit policy change
- Audit privilege use
In practice, we usually gather all the logs and then examine them one at a time in real time, then later analyze them in nonreal time. Here we describe the examination process as we explain how to locate each log. Use Administrative Tools and Event Viewer to examine the security event log. In the security event log you are looking first for failed logins (see Figure 5.4). You can sort the file by clicking the Type column. This will divide the log into successes and failures. In our case the entries of interest are the failed logins with a login type 3, the network login. You can find more information
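The two steps above, checking that the audit policy actually records the events and then pulling the failed network logins out of the security log, can be scripted so that the same query runs against the live log and against the copy gathered for later, nonreal-time analysis. The script below is an added example and not from the book; it assumes Windows Vista/Server 2008 or later (where auditpol.exe and Get-WinEvent exist and the failed-logon event is ID 4625; on the Windows 2000/XP/2003 systems the chapter's screenshots reflect, the same policies are set in Local Security Policy and the failure event is ID 529), an elevated PowerShell session, and the hypothetical export path C:\case\Security.evtx. "Logon/Logoff" is added to the chapter's four categories because a logon type 3 failure on a member workstation is recorded under that category.

```powershell
# Added example (not from the book). Assumes Vista/2008+ and an elevated shell.

# 1. Audit policy: the chapter's four categories, plus Logon/Logoff (see lead-in),
#    all set to record both success and failure. Then print the result to verify.
$categories = 'Account Logon', 'Account Management', 'Policy Change',
              'Privilege Use', 'Logon/Logoff'
foreach ($c in $categories) {
    auditpol /set /category:"$c" /success:enable /failure:enable | Out-Null
}
auditpol /get /category:*

# 2. Gather the static copy first, as the text recommends, before chasing entries.
#    C:\case\Security.evtx is a hypothetical case folder.
wevtutil epl Security C:\case\Security.evtx

# 3. Failed logons whose LogonType is 3 (network). Works on the live log or on
#    the exported .evtx, so real-time and later analysis use the same query.
function Get-FailedNetworkLogons {
    param(
        [string]$Path,              # exported .evtx; omit to read the live Security log
        [int]$MaxEvents = 1000
    )
    $xpath = "*[System[EventID=4625] and EventData[Data[@Name='LogonType']='3']]"
    $events = if ($Path) {
        Get-WinEvent -Path $Path -FilterXPath $xpath -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    } else {
        Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    }
    foreach ($e in $events) {
        # Pull the named EventData fields out of the event's XML.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Account     = "$($d.TargetDomainName)\$($d.TargetUserName)"
            Workstation = $d.WorkstationName
            SourceIP    = $d.IpAddress
            # NTSTATUS: 0xC000006A = bad password, 0xC0000064 = no such user,
            # 0xC0000234 = account locked out
            SubStatus   = $d.SubStatus
        }
    }
}

# 4. Summarize: one account hammered from one address is the pattern to look for.
$failed = Get-FailedNetworkLogons -Path 'C:\case\Security.evtx'
$failed | Group-Object Account, SourceIP | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Run Get-FailedNetworkLogons without -Path to query the live log while the machine is still in quarantine; the grouped output replaces the manual sort on the Type column in Event Viewer and shows at a glance which accounts and source addresses account for the failures. Remember that the export in step 2 and the audit settings in step 1 only capture what happens after they are in place, so the earlier entries come from whatever the existing policy had already written.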
