Host external connection investigation for enterprise emergency response, with self-made investigation script


Event description

Illegal external connection refers to a connection established with an external network or server by a host, network or application without authorization or in violation of security policy.

Situations that may cause an illegal external connection include unauthorized network connections, malware and viruses.

Possible hazards:


  • Sensitive data loss: sensitive data (customer information, financial records, company secrets and the like) may leak to external attackers or third parties.
  • Intellectual property damage: confidential research and development information or business secrets may be stolen.
  • Remote control: malware may communicate with a remote control server through the illegal external connection, allowing an attacker to control the host remotely.
  • Lateral spread: an infected host can spread viruses or other malicious software to other systems across the network, causing widespread damage.

How to identify an illegal external connection:

Traffic monitoring: use network monitoring tools to detect abnormal traffic patterns, unauthorized connection requests or external communications.

Log analysis: analyze the logs of hosts and network devices to find records of unauthorized external connections.

Security policy audit: regularly review network and security policies to ensure that all external connections meet the organization's security requirements.

How to investigate when an illegal external connection occurs:

  • First, confirm the host making the illegal external connection from the alarm raised by the relevant device, and block the external address on that device.
  • After blocking, investigate the host:

Use the command 'netstat -ano' to view port and external connection information (or use 'netstat -ano | findstr "x.x.x.x"', where x.x.x.x is the external address, to show only the connections to that address).



Locate the program from the process PID found in the previous step.

Command: wmic process where processid="PID" get ExecutablePath, where PID is the process id found above; this command returns the location of the related program.


Or use PowerShell to locate it:

Command: (Get-Process -Id PID).Path


At this point the program path of the process has been obtained. Sometimes the file is hidden; in that case switch the command line to the directory containing the file and use the attrib command to clear the hidden attribute before extracting the file.

attrib -H xxxx   (xxxx is the filename)



When the process turns out to be a system process, the trojan has used an injection technique, so extracting the file from disk is pointless. Instead, dump the process as it is running in memory: open Task Manager, find the corresponding process name in the Processes column, right-click -> Create dump file.



To determine whether a process and its corresponding file are genuine system files: first, the user that created the process is generally System; second, after locating the file, most system process images reside in the Windows System32 directory. Hash the file and look the hash up on VirusTotal (VT) to determine whether it is a virus disguised as a system file.
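The steps above (connection lookup, PID to path, owner and System32 check, hidden attribute, hash for VT) combined into one PowerShell triage script. This is an added example, not the "self-made investigation script" of the title, which is not on this page; it assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection), an elevated session, a placeholder $RemoteIp taken from the alert, and an assumed evidence folder $EvidenceDir. It uses Get-CimInstance instead of wmic, which is deprecated in current Windows releases.

```powershell
# Added example, not the post's own script: triage the TCP connections to an
# already blocked external address. Run as Administrator on Windows 8/2012 or
# later. $RemoteIp comes from the alert; $EvidenceDir is an assumed output folder.
param(
    [Parameter(Mandatory)][string]$RemoteIp,
    [string]$EvidenceDir = "$env:USERPROFILE\Desktop\ioc-triage"
)
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
$system32 = Join-Path $env:SystemRoot 'System32'
# Step 1: the netstat -ano | findstr "x.x.x.x" view, one row per owning process
$conns = Get-NetTCPConnection -RemoteAddress $RemoteIp -ErrorAction SilentlyContinue |
         Sort-Object OwningProcess -Unique
if (-not $conns) { Write-Warning "No TCP connection to $RemoteIp found"; return }
foreach ($c in $conns) {
    $procId = $c.OwningProcess          # do not use $pid: that is PowerShell's own PID
    # Step 2: (Get-Process -Id PID).Path; protected processes may not expose a path
    $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
    $path = if ($proc) { $proc.Path } else { $null }
    # Step 3: process owner (replaces wmic, which is deprecated); System suggests injection
    $owner = 'unknown'
    $wmi = Get-CimInstance Win32_Process -Filter "ProcessId = $procId" -ErrorAction SilentlyContinue
    if ($wmi) {
        $o = Invoke-CimMethod -InputObject $wmi -MethodName GetOwner
        if ($o.User) { $owner = "$($o.Domain)\$($o.User)" }
    }
    # Step 4: hash and extract the image; -Force is needed to see a Hidden file
    $hidden = $false; $hash = $null
    if ($path -and (Test-Path -LiteralPath $path)) {
        $item   = Get-Item -LiteralPath $path -Force
        $hidden = $item.Attributes.HasFlag([IO.FileAttributes]::Hidden)
        $hash   = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash
        $copy   = Join-Path $EvidenceDir $item.Name
        [IO.File]::Copy($item.FullName, $copy, $true)  # works even when Hidden is set
        attrib -H "$copy"                               # the post's attrib -H step, on the copy
    }
    $inSys32 = [bool]($path -and ($path -like "$system32\*"))
    [pscustomobject]@{
        Remote   = "$($c.RemoteAddress):$($c.RemotePort)"
        PID      = $procId
        Process  = if ($proc) { $proc.ProcessName } else { '?' }
        Path     = $path
        Owner    = $owner
        Hidden   = $hidden
        SHA256   = $hash                                # look this up on VirusTotal
        # a System-owned image inside System32: collect a memory dump, not the disk file
        NextStep = if ($inSys32 -and $owner -like '*\SYSTEM') { 'memory dump' } else { 'hash lookup' }
    }
}
```

Save it as a .ps1 and run it as `.\triage.ps1 -RemoteIp x.x.x.x`; the memory dump for the "memory dump" rows is still taken from Task Manager as described above, since PowerShell has no built-in dump cmdlet.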

TCPView:

TCPView is a free tool from Microsoft Sysinternals for viewing all TCP and UDP port activity on a Windows system in real time. It is similar to the command-line tool netstat, but has a more intuitive and user-friendly graphical interface.



Last modified by: admin