实战场景：

某X60全家桶下的Web环境，Webshell植入后的渗透测试对抗情况。

 

准备：

1、环境准备-单机系统&杀毒产品&流量产品

2、反编译打包环境-IDEA安装&反编译工具

 

引出问题：

1、webshell工具里面的后门代码不被杀毒检测到-混淆

2、webshell工具里面的功能操作不被杀毒拦截到-魔改

3、webshell工具里面的操作连接不被平台捕获到-魔改

 

检测冰蝎后门：（冰蝎几个版本）

安装：apt install suricata

监控：suricata -c /etc/suricata/suricata.yaml -i eth0 -s /etc/suricata/rules/Behinder3.rules

查看：cat /var/log/suricata/fast.log

 

Suricata规则下载：

0.

https://github.com/al0ne/suricata-rules

https://github.com/ptresearch/AttackDetection

1.

规则集名称：Proofpoint -- Emerging Threats Open Ruleset [et/open]

获取：https://rules.emergingthreats.net/open/

2.

规则集名称：Proofpoint -- Emerging Threats Pro Ruleset [et/pro]

获取：https://rules.emergingthreats.net/PRO_download_instructions.html

3.

规则集名称：OISF -- Suricata Traffic ID ruleset [oisf/trafficid]

获取：https://openinfosecfoundation.org/rules/trafficid/trafficid.rules

4.

规则集名称：Positive Technologies -- Positive Technologies Attack Detection Team ruleset [ptresearch/attackdetection]

获取：https://raw.githubusercontent.com/ptresearch/AttackDetection/master/pt.rules.tar.gz

5.

规则集名称：Secureworks -- Secureworks suricata-enhanced ruleset [scwx/enhanced]

获取：https://www.secureworks.com/contact/

6.

规则集名称：Secureworks -- Secureworks suricata-malware ruleset

获取：https://www.secureworks.com/contact/

7.

规则集名称：Secureworks -- Secureworks suricata-security ruleset [scwx/security]

获取：https://www.secureworks.com/contact/

8.

规则集名称：Abuse.ch -- Abuse.ch SSL Blacklist

获取：https://sslbl.abuse.ch/blacklist/sslblacklist.rules

9.

规则集名称：Abuse.ch -- Abuse.ch Suricata JA3 Fingerprint Ruleset [sslbl/ja3-fingerprints]

获取：https://sslbl.abuse.ch/blacklist/ja3_fingerprints.rules

10.

规则集名称：Etnetera a.s. -- Etnetera aggressive IP blacklist

获取：https://security.etnetera.cz/feeds/etn_aggressive.rules

11.

规则集名称：tgreen -- Threat hunting rules [tgreen/hunting]

获取：https://raw.githubusercontent.com/travisbgreen/hunting-rules/master/hunting.rules

12.

规则集名称：malsilo -- Commodity malware rules [malsilo/win-malware]

获取：

https://malsilo.gitlab.io/feeds/dumps/malsilo.rules.tar.gz

13.

规则集名称：Stamus Networks -- Lateral movement rules [stamus/lateral]

获取：

https://ti.stamus-networks.io/open/stamus-lateral-rules.tar.gz