CN114499929A - Remote transverse penetration monitoring method and device for planned task intranet - Google Patents

Remote transverse penetration monitoring method and device for planned task intranet

Info

Publication number
CN114499929A
Authority
CN
China
Prior art keywords
task
planned
planned task
intranet
function
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111520818.2A
Other languages
Chinese (zh)
Inventor
林岳川
孙诚
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Qianxin Technology Group Co Ltd
Secworld Information Technology Beijing Co Ltd
Original Assignee
Qianxin Technology Group Co Ltd
Secworld Information Technology Beijing Co Ltd
Application filed by Qianxin Technology Group Co Ltd and Secworld Information Technology Beijing Co Ltd
Priority to CN202111520818.2A
Publication of CN114499929A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/146 Tracing the source of attacks

Abstract

The embodiment of the invention provides a remote transverse penetration monitoring method and device for a planned task intranet. The monitoring method is applied to a device in an intranet and comprises the following steps: in response to the planned task service process of the operating system calling the planned task creation function to create a planned task, obtaining the creation data of the planned task; based on the acquired creation data, if the creation type of the planned task is determined to be a remote call type, acquiring the address of the target device in the intranet that initiated the creation of the planned task; and sending the acquired address of the target device in the intranet and the creation data of the planned task to a threat behavior identification engine, which monitors whether the operation of creating the planned task contains transverse penetration behavior. The embodiment of the invention addresses the lack, in existing network attack monitoring, of an effective and accurate way to identify the remote creation of planned tasks from within the intranet, and improves the device's ability to detect security threats.

Description

Remote transverse penetration monitoring method and device for planned task intranet
Technical Field
The invention relates to the technical field of network security, in particular to a remote transverse infiltration monitoring method and device for a planned task intranet.
Background
In the complete network penetration attack chain, the intranet remote transverse penetration stage is the stage in which an attacker, having compromised one device, uses it as a springboard to attack other devices in the same network in order to obtain more valuable information and higher privileges, expand the attack surface and eventually control the entire intranet.
Planned tasks are a common operating system feature with which any script, program or document can be scheduled to run at a convenient time. When a user needs to execute a number of repetitive operations regularly, a prepared script, batch file, program or command can be run by the planned task program at a specific time. Remote attack through a planned task is a common means by which an attacker performs intranet horizontal penetration, and it abuses a mechanism that the operating system itself provides.
Existing methods for monitoring planned tasks can only identify operations on locally initiated planned tasks. An attacker, however, uses a device already compromised in the intranet as a springboard and initiates the remote creation of planned tasks on other devices in the intranet. Because the defending device lacks a protection mechanism that identifies this behavior effectively and accurately, its monitoring fails, and existing network attack detection means cannot effectively and accurately cover this attack technique.
Disclosure of Invention
Aiming at the problems in the prior art, the embodiment of the invention provides a remote transverse infiltration monitoring method and device for a planned task intranet.
Specifically, the embodiment of the invention provides the following technical scheme:
in a first aspect, an embodiment of the present invention provides a method for monitoring remote lateral infiltration of a planned task intranet, which is applied to a device in the intranet, and includes:
in response to the planned task service process of the operating system calling the planned task creation function to create a planned task, obtaining the creation data of the planned task;
based on the acquired creation data of the planned task, if the creation type of the planned task is determined to be a remote calling type, acquiring an address of a target device in the intranet initiating creation of the planned task;
and sending the acquired address of the target device in the intranet and the creation data of the planned task to a threat behavior identification engine to monitor whether the operation of creating the planned task contains transverse penetration behavior.
Further, the monitoring method is executed by setting a HOOK function in the planned task creation function of the device in the intranet;
setting the HOOK function in the planned task creating function, including:
searching the planned task service process of the operating system, and installing a monitoring module in the planned task service process;
and setting the HOOK function in the planned task creating function of the planned task service process through the monitoring module.
Further, setting the HOOK function in a planned task creating function of the planned task service process includes:
determining a planned task core function file called by the planned task service process;
determining a planned task service interface in the planned task core function file based on an identifier of the planned task service interface;
setting the HOOK function in the planned task creating function of the determined planned task service interface.
Further, determining the planned task service interface in the planned task core function file based on the identifier of the planned task service interface includes:
determining an identifier of the planned task service interface based on version information of the operating system;
determining the planned task service interface in the planned task core function file based on the determined identifier of the planned task service interface.
Further, the determining the planned task core function file called by the planned task service process includes:
determining the memory address of the Schedsvc.dll or Taskcomp.dll file called by the planned task service process.
Further, the determining an identifier of the planned task service interface based on the version information of the operating system includes:
judging whether the version information of the operating system is a version above Windows 7;
if the version information of the operating system is a version above Windows 7, determining that the identifier of the planned task service interface is a first identifier;
otherwise, judging whether the version information of the operating system is Windows XP;
if the version information of the operating system is Windows XP, determining that the identifier of the planned task service interface is a second identifier;
the determining the planned task service interface in the planned task core function file based on the determined identifier of the planned task service interface comprises:
determining the memory address of an ITaskSchedulService interface in the planned task core function file based on the first identifier; or alternatively,
determining the memory address of an IAtSvc interface in the planned task core function file based on the second identifier;
the setting the HOOK function in the planned task creating function of the determined planned task service interface includes:
setting the HOOK function in the SchRpcRegisterTask function of the ITaskSchedulService interface based on the memory address of the ITaskSchedulService interface; or alternatively,
setting the HOOK function in the NetrJobAdd function of the IAtSvc interface based on the memory address of the IAtSvc interface.
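As an added example, not code from the patent or its assignees, the following Python models the claim above: the operating system version selects the identifier and the creation function to hook, and the identifier is then searched for in the mapped core function file, as the patent's step of locating the interface describes. The GUIDs are assumed to be the public MS-TSCH interface UUIDs (the page only says "first" and "second" identifier), and the RPC_SERVER_INTERFACE layout behind the offset arithmetic is likewise an assumption to verify against the SDK headers.

```python
"""Pick the scheduled-task creation function to hook from the OS version and
locate its RPC interface in a mapped core function file by identifier.
Added example, not the patent's code. GUIDs: MS-TSCH interface UUIDs (assumed
to be the patent's 'first' and 'second' identifier)."""
import struct
import uuid
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class HookTarget:
    core_file: str        # DLL loaded by the scheduled task service process
    interface_guid: str   # identifier used to find the service interface
    interface_name: str   # name the page gives the interface
    create_function: str  # creation/registration function to hook
    version: Tuple[int, int] = (1, 0)  # interface version (major, minor)

    def syntax_id(self) -> bytes:
        """RPC_SYNTAX_IDENTIFIER as laid out in memory: the GUID with its first
        three fields little-endian (uuid.bytes_le), then MajorVersion and
        MinorVersion as two 16-bit little-endian integers."""
        return uuid.UUID(self.interface_guid).bytes_le + struct.pack("<HH", *self.version)


# Windows 7 and later: Task Scheduler service interface in schedsvc.dll.
FIRST_IDENTIFIER = HookTarget("schedsvc.dll", "86d35949-83c9-4044-b424-db363231fd0c",
                              "ITaskSchedulService", "SchRpcRegisterTask")
# Windows XP: legacy AT service interface (the page names taskcomp.dll).
SECOND_IDENTIFIER = HookTarget("taskcomp.dll", "1ff70682-0a51-30e8-076d-740be8cee98b",
                               "IAtSvc", "NetrJobAdd")


def select_hook_target(nt_major: int, nt_minor: int) -> Optional[HookTarget]:
    """Steps 502-507: Windows 7 (NT 6.1) or later -> first identifier;
    Windows XP (NT 5.1, or 5.2 for XP x64) -> second identifier; any other
    version ends the procedure (None), as the page's 'otherwise' branch does."""
    if (nt_major, nt_minor) >= (6, 1):
        return FIRST_IDENTIFIER
    if (nt_major, nt_minor) in ((5, 1), (5, 2)):
        return SECOND_IDENTIFIER
    return None


def locate_interface(image: bytes, target: HookTarget) -> Optional[int]:
    """Step 302/402: find the interface in the mapped core function file by
    scanning for its syntax identifier. Assumption: the match is the
    InterfaceId field of an RPC_SERVER_INTERFACE, which starts 4 bytes earlier
    with its Length field, so the interface's offset is match - 4. The hook is
    then placed on the creation function reached through the interface's
    dispatch table; that last step is not modelled here."""
    off = image.find(target.syntax_id())
    if off < 4:
        return None
    return off - 4


def hook_target_offset(nt_major: int, nt_minor: int, image: bytes) -> Optional[int]:
    """Version check followed by the scan; None when the version is unsupported
    or the interface is not present in the image."""
    target = select_hook_target(nt_major, nt_minor)
    return None if target is None else locate_interface(image, target)


# Constructed stand-in for the mapped DLL: filler, then an RPC_SERVER_INTERFACE
# whose Length field (0x60 on x64) precedes the syntax identifier searched for.
SAMPLE_IMAGE = (b"\x90" * 0x100
                + struct.pack("<I", 0x60) + FIRST_IDENTIFIER.syntax_id()
                + b"\x00" * 0x40)
```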
Further, obtaining creation data of the planned task includes:
calling an application program interface function to obtain return data for creating the plan task;
the acquiring, based on the acquired creation data of the planned task, an address of a target device in the intranet, which initiates creation of the planned task, if it is determined that the creation type of the planned task is a remote invocation type, includes:
acquiring the creation type of the planning task from the acquired return data for creating the planning task;
judging whether the acquired creation type of the plan task is a remote calling type;
and if the creation type of the acquired planned task is a remote calling type, acquiring the address of the target equipment in the intranet initiating the creation of the planned task from the acquired return data for creating the planned task.
In a second aspect, an embodiment of the present invention further provides a device for monitoring remote lateral infiltration of a planned task intranet, which is applied to a device in the intranet, and includes:
a data acquisition module, configured to, in response to the planned task service process of the operating system calling the planned task creation function to create a planned task, acquire the creation data of the planned task;
an address acquisition module, configured to, based on the acquired creation data of the planned task, acquire the address of the target device in the intranet that initiated the creation of the planned task if it is determined that the creation type of the planned task is a remote invocation type;
and an information sending module, configured to send the acquired address of the target device in the intranet and the creation data of the planned task to a threat behavior identification engine so as to monitor whether the operation of creating the planned task contains transverse penetration behavior.
In a third aspect, an embodiment of the present invention further provides an electronic device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor, when executing the program, implements the steps of the planned task intranet remote lateral infiltration monitoring method according to the first aspect.
In a fourth aspect, an embodiment of the present invention further provides a non-transitory computer-readable storage medium on which a computer program is stored, where the computer program, when executed by a processor, implements the steps of the planned task intranet remote lateral infiltration monitoring method according to the first aspect.
In a fifth aspect, embodiments of the present invention further provide a computer program product having executable instructions stored thereon which, when executed by a processor, cause the processor to implement the steps of the planned task intranet remote lateral infiltration monitoring method according to the first aspect.
The remote transverse penetration monitoring method and device for a planned task intranet provided by the embodiment of the invention monitor the creation of planned tasks, and acquire their creation data, at the moment the planned task service process of the operating system calls the planned task creation function. In this way they can accurately identify the behavior of remotely creating a planned task from within the intranet and acquire the address of the intranet device that initiated it. By sending the acquired data and address to a threat behavior identification engine, they can further monitor whether the remote creation of the planned task comprises transverse penetration behavior, so that information about the attacker is available in real time during an intranet remote transverse penetration attack and the attacker can be traced by the acquired address. This effectively improves the security defense capability of the device, solves the problem that network attack monitoring lacks effective and accurate identification of the intranet remote creation of planned tasks, and improves the device's ability to detect security threats.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
FIG. 1 is a schematic flow chart of a planned task intranet remote lateral penetration monitoring method provided by the present invention;
FIG. 2 is a schematic flow chart of setting a HOOK function in a planning task creating function according to the present invention;
FIG. 3 is a schematic flow chart illustrating the process of setting the HOOK function by the monitoring module according to the present invention;
FIG. 4 is a flow chart illustrating the determination of a task-scheduled service interface in a task-scheduled core function file according to the present invention;
FIG. 5 is a flow chart illustrating another example of the monitoring module setting the HOOK function according to the present invention;
FIG. 6 is a schematic flow chart of the present invention for obtaining creation data of a planning task;
FIG. 7 is a schematic flow chart of an application scenario of the planned task intranet remote lateral penetration monitoring method according to the present invention;
FIG. 8 is a schematic diagram of the structure of the planned task intranet remote lateral infiltration monitoring device provided by the present invention;
FIG. 9 is a schematic physical structure diagram of an electronic device provided by the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The planned task intranet remote lateral penetration monitoring method of the present invention is described below in conjunction with fig. 1-7.
Referring to fig. 1, fig. 1 is a schematic flow diagram of the remote transverse infiltration monitoring method for a planned task intranet according to the present invention. The method shown in fig. 1 is applied to a device in an intranet and, as shown in fig. 1, includes at least the following steps:
101, in response to the planned task service process of the operating system calling the planned task creation function to create a planned task, acquiring the creation data of the planned task.
In the embodiment of the present invention, the intranet may be an enterprise LAN, a campus LAN, a shopping mall LAN or the like; the application scenario of the intranet is not limited in the embodiment of the present invention, and the intranet may include a wired network and/or a wireless network. The devices in the intranet may be personal computers, servers, workstations, databases and the like; the type of device in the intranet is not limited in the embodiment of the invention. A device in the intranet runs an operating system that manages its hardware and software resources, such as a Windows system; the embodiment of the present invention does not limit the type of operating system. Planned tasks may be created and executed by a planned task service process that starts at operating system boot time and runs in the background. The planned task creation function is the function that performs planned task creation/registration, and the planned task service process creates/registers a planned task by calling it.
In the embodiment of the present invention, when the planned task service process of the operating system calls the planned task creation function to create a planned task, the data produced by the creation function while creating the planned task, that is, the creation data of the planned task, may be captured. The creation data reflects the behavioral characteristics of creating the planned task; for example, it may include the return data of the planned task.
102, based on the acquired creation data of the planned task, if the creation type of the planned task is determined to be a remote call type, acquiring the address of the target device in the intranet that initiated the creation of the planned task.
In the embodiment of the present invention, after the creation data of the planned task is acquired, the creation type of the planned task may be determined according to the acquired creation data of the planned task. Optionally, the method for obtaining the creation type of the planned task may be determined according to the type of the acquired creation data of the planned task, so that the creation type of the planned task is determined according to the acquired creation data of the planned task, which is not limited in the embodiment of the present invention. For example, the creation data of the planning task includes return data of the planning task, and the creation type of the planning task may be determined by identifying the return data of the planning task.
In the embodiment of the present invention, the creation type of the scheduled task may be divided into a remote invocation type and a local invocation type according to the device that initiates the creation of the scheduled task. If the device initiating the creation of the scheduled task is other devices in the intranet, that is, a device other than the local device, the creation type of the scheduled task is a Remote Call type, for example, a Remote Procedure Call (RPC), and if the device initiating the creation of the scheduled task is a local device, that is, a device executing the creation of the scheduled task, the creation type of the scheduled task is a local Call type. After the creation type of the planned task is determined, if the creation type of the planned task is a remote invocation type, the address of the target device in the intranet initiating the creation of the planned task can be further obtained according to the obtained creation data of the planned task. Optionally, the method for acquiring the address of the target device in the intranet from which the scheduled task is initiated may be determined according to the type of the acquired creation data of the scheduled task, so that the address of the target device in the intranet from which the scheduled task is initiated is acquired according to the acquired creation data of the scheduled task, which is not limited in the embodiment of the present invention. For example, the creation data of the scheduled task includes return data of the scheduled task, and the IP address of the target device in the intranet that initiates creation of the scheduled task may be directly obtained from the return data of the scheduled task.
103, sending the acquired address of the target device in the intranet and the creation data of the planned task to a threat behavior identification engine to monitor whether the operation of creating the planned task contains transverse penetration behavior.
In an embodiment of the present invention, after obtaining the creation data of the planned task and the address of the target device in the intranet, both may be sent to a threat behavior recognition engine to monitor whether the operation of creating the planned task includes lateral penetration behavior. The threat behavior recognition engine is a cloud-based behavior recognition system that detects whether an operation is an attack by matching the behavior data against a set of rules formed from the accumulated experience of security operations experts. Optionally, the behavior identification result fed back by the threat behavior identification engine may be received and used to decide whether to intercept the operation of creating the planned task: if the result indicates that the operation includes lateral penetration behavior, the operation may be intercepted, preventing the attacker from further expanding the attack surface and improving the security protection capability of the device; if the result indicates that the operation does not include lateral penetration behavior, control may be returned to the planned task creation function so that execution continues.
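The following Python is an added example, not the patent holder's code, of what the HOOK function does once it has captured a call to the creation function (steps 101 to 103): it decides whether the call was local or remote, takes the initiating intranet address, extracts the task's action from the registration XML, and hands the event to a stand-in for the threat behavior identification engine whose verdict selects interception or return to the creation function. The RPC string binding of the caller, the Task Scheduler XML namespace and the two rules of the stand-in engine are assumptions, and the call record is constructed.

```python
"""Model of the HOOK function's handling of one captured creation call
(steps 101-103). Added example, not the patent's code; the sample record and
the engine rules are constructed."""
import ipaddress
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional, Tuple

# Task Scheduler task-definition XML namespace (assumption: the creation data
# includes the task XML passed to SchRpcRegisterTask).
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumption: the hook learns who called from the RPC string binding of the
# caller, "protseq:address[endpoint]"; ncalrpc is the local-only transport.
_BINDING_RE = re.compile(r"^(?P<protseq>[a-z_]+):(?P<addr>[^\[]*)(?:\[(?P<endpoint>[^\]]*)\])?$")

# Constructed record of one call as seen by the hook on SchRpcRegisterTask.
SAMPLE_CREATE_DATA = {
    "function": "SchRpcRegisterTask",
    "task_path": "\\Microsoft\\Windows\\Maintenance\\Update",
    "client_binding": "ncacn_ip_tcp:10.20.3.17[49723]",
    "task_xml": (
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        '<Actions Context="Author"><Exec><Command>cmd.exe</Command>'
        '<Arguments>/c C:\\Windows\\Temp\\update.bat</Arguments></Exec></Actions></Task>'
    ),
}


@dataclass
class CreationEvent:
    creation_type: str             # "remote" or "local"
    source_address: Optional[str]  # intranet device that initiated the creation
    task_path: str
    command: str
    arguments: str


def classify_binding(binding: str) -> Tuple[str, Optional[str]]:
    """Step 102: remote call type vs local call type, plus the caller's address."""
    m = _BINDING_RE.match(binding)
    if not m:
        raise ValueError(f"unrecognised string binding: {binding!r}")
    if m["protseq"] == "ncalrpc":
        return "local", None
    addr = m["addr"].strip("\\")   # ncacn_np addresses are written \\HOST
    return "remote", addr or None


def exec_action(task_xml: str) -> Tuple[str, str]:
    """Command and arguments of the task's Exec action ("" when absent)."""
    exe = ET.fromstring(task_xml).find("t:Actions/t:Exec", TASK_NS)
    if exe is None:
        return "", ""
    return (exe.findtext("t:Command", default="", namespaces=TASK_NS).strip(),
            exe.findtext("t:Arguments", default="", namespaces=TASK_NS).strip())


def build_event(create_data: dict) -> Optional[CreationEvent]:
    """Only remote creations are forwarded to the engine; local ones yield None."""
    ctype, addr = classify_binding(create_data["client_binding"])
    if ctype != "remote":
        return None
    cmd, args = exec_action(create_data["task_xml"])
    return CreationEvent(ctype, addr, create_data["task_path"], cmd, args)


# Stand-in for the cloud engine's rule set (constructed, two rules only).
MANAGEMENT_HOSTS = {ipaddress.ip_address("10.20.0.5")}  # hosts expected to create tasks remotely
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def threat_engine(event: CreationEvent) -> str:
    """Return 'lateral_penetration' or 'benign' for a remote creation event."""
    try:
        src = ipaddress.ip_address(event.source_address or "")
    except ValueError:
        src = None   # hostname-style address (ncacn_np): no allow-list match
    if src in MANAGEMENT_HOSTS:
        return "benign"
    if event.command.rsplit("\\", 1)[-1].lower() in INTERPRETERS:
        return "lateral_penetration"
    return "benign"


def handle_creation(create_data: dict) -> str:
    """Step 103 outcome: 'intercept' the creation, or 'continue' into the
    original creation function."""
    event = build_event(create_data)
    if event is None:
        return "continue"
    return "intercept" if threat_engine(event) == "lateral_penetration" else "continue"
```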
The remote transverse penetration monitoring method for a planned task intranet provided by the embodiment of the invention monitors the creation of planned tasks, and acquires their creation data, at the moment the planned task service process of the operating system calls the planned task creation function. In this way it can accurately identify the behavior of remotely creating a planned task from within the intranet and acquire the address of the intranet device that initiated it; by sending the acquired data and address to the threat behavior identification engine it can further monitor whether the remote creation of the planned task comprises transverse penetration behavior. Information about the attacker is thus available in real time during an intranet remote transverse penetration attack, and the attacker can be traced by the acquired address. This effectively improves the security defense capability of the device, solves the problem that network attack monitoring lacks effective and accurate identification of the intranet remote creation of planned tasks, and improves the device's ability to detect security threats.
A HOOK function, also called a hook, captures a function call ahead of the called function when the system invokes it, takes control of the call and performs additional processing. The creation of the planned task may be monitored by a HOOK function preset in the planned task creation function. Referring to fig. 2, fig. 2 is a schematic flow chart illustrating the setting of the HOOK function in the planned task creation function according to the present invention, and as shown in fig. 2, setting the HOOK function in the planned task creation function includes at least:
201, searching for the planned task service process of the operating system, and installing a monitoring module in the planned task service process.
In the embodiment of the present invention, the planned task service process of the operating system may be found by calling an application programming interface (API) function provided by the operating system to obtain the process identifier (PID) of the planned task service process, for example the API function QueryServiceStatusEx. A monitoring module may then be injected into the planned task service process according to the obtained process identifier; the method for injecting the monitoring module into the planned task service process may be any existing process injection method, which is not limited in the present invention.
202, setting the HOOK function in the planned task creation function of the planned task service process through the monitoring module.
In the embodiment of the invention, after the monitoring module is installed in the scheduled task service process of the operating system, the scheduled task creating function can be determined by the monitoring module according to the scheduled task service process, and the HOOK function is set in the scheduled task creating function. The embodiment of the invention does not limit the method for determining the planned task creating function by the monitoring module according to the planned task service process, for example, the method can determine the planned task core function file called by the planned task service process according to the planned task service process, and determine the planned task creating function in the planned task core function file. The embodiment of the present invention does not limit the method for setting the HOOK function in the planned task creating function by the monitoring module, and for example, the HOOK function may be set in the planned task creating function by modifying the code of the planned task creating function.
Referring to fig. 3, fig. 3 is a schematic flow chart illustrating the setting of the HOOK function by the monitoring module according to the present invention, and as shown in fig. 3, the setting of the HOOK function by the monitoring module at least includes:
301, determining the scheduled task core function file called by the scheduled task service process.
In the embodiment of the present invention, the monitoring module may obtain a file called by the scheduled task service process according to the scheduled task service process, and determine a scheduled task core function file according to the file called by the scheduled task service process, where the scheduled task core function file is a file for providing a scheduled task function, and for example, the scheduled task core function file may be a Dynamic Link Library (DLL). The method for obtaining the file called by the service process of the planned task may be implemented by using a method in the prior art, which is not limited in the embodiment of the present invention. After the file called by the scheduled task service process is obtained, whether the scheduled task service process calls the scheduled task core function file or not can be judged according to the name of the scheduled task core function file, and if the scheduled task service process calls the scheduled task core function file, the address of the scheduled task core function file called by the scheduled task service process in the memory can be further determined.
302, determining the planned task service interface in the planned task core function file based on the identifier of the planned task service interface.
In the embodiment of the present invention, after determining the planned task core function file called by the planned task service process, the monitoring module may search the planned task core function file for the globally unique identifier (GUID) carried in the data structure of the planned task service interface, and thereby locate the corresponding planned task service interface in the file. The method for searching and locating the planned task service interface in the planned task core function file according to the GUID may be any method in the prior art, which is not limited in the embodiment of the invention. Searching the planned task core function file according to the GUID locates the memory address of the corresponding planned task service interface in the file.
303, setting a HOOK function in the determined planned task creating function of the planned task service interface.
In the embodiment of the present invention, after determining the planned task service interface in the planned task core function file, the monitoring module may set the HOOK function in the planned task creation function of that interface. The monitoring module determines the address of the planned task service interface in memory and sets the HOOK function in the planned task creation function according to this address, for example by modifying the code of the planned task creation function in memory, so that execution enters the HOOK function when the planned task creation function is called and returns to the planned task creation function to continue once the HOOK function has executed.
Referring to fig. 4, fig. 4 is a schematic flowchart of determining a planned task service interface in a planned task core function file according to the present invention, and as shown in fig. 4, determining the planned task service interface in the planned task core function file based on an identifier of the planned task service interface at least includes:
401, determining the identifier of the planned task service interface based on the version information of the operating system.
402, determining the planned task service interface in the planned task core function file based on the determined identifier of the planned task service interface.
In the embodiment of the present invention, because the planned task service interfaces of the operating systems of different versions may be different, and different planned task service interfaces have different GUIDs, when determining a planned task service interface according to an identifier of the planned task service interface, the monitoring module may first determine the GUID of the planned task service interface according to version information of the operating system, then search in the planned task core function file according to the GUID of the determined planned task service interface, and locate the corresponding planned task service interface in the planned task core function file. For example, the GUID of the planned task service interface may be determined to be the first identifier according to the operating system being Windows 10, and the GUID of the planned task service interface may be determined to be the second identifier according to the operating system being Windows XP.
Referring to fig. 5, fig. 5 is a schematic flowchart of another way in which the monitoring module sets the HOOK function according to the present invention. As shown in fig. 5, the monitoring module setting the HOOK function at least includes:
501, determining the memory address of the Schedsvc.dll or Taskcomp.dll file called by the planned task service process.
502, judging whether the version information of the operating system is Windows 7 or a later version.
If the version information of the operating system is Windows 7 or a later version, 503 is executed; otherwise, 506 is executed.
503, determining the identifier of the planned task service interface to be the first identifier.
506, judging whether the version information of the operating system is Windows XP.
If the version information of the operating system is Windows XP, 507 is executed; otherwise, the flow ends.
507, determining the identifier of the planned task service interface to be the second identifier.
504, determining the memory address of the ITaskSchedulerService interface in the planned task core function file based on the first identifier.
505, setting a HOOK function in the SchRpcRegisterTask function of the ITaskSchedulerService interface based on the memory address of the ITaskSchedulerService interface.
508, determining the memory address of the IAtSvc interface in the planned task core function file based on the second identifier.
509, setting a HOOK function in the NetrJobAdd function of the IAtSvc interface based on the memory address of the IAtSvc interface.
Windows 7 and later versions, together with Windows XP, are currently the most commonly used Windows operating systems. The planned task function of Windows 7 and later differs from the one used by Windows XP, so the functions that implement it differ between versions. If the planned task function used by Windows 7 and later is called the new version and the one used by Windows XP the old version, then the planned task service interface of the new version is the ITaskSchedulerService interface and that of the old version is the IAtSvc interface; the planned task creating function of the new version's ITaskSchedulerService interface is the SchRpcRegisterTask function, and the planned task creating function of the old version's IAtSvc interface is the NetrJobAdd function. "Windows 7 and later" includes Windows 7 itself, which is compatible with both versions at the same time in order to support the transition from the old version to the new one.
Because Windows 7 and later versions are in wide use today, in the embodiment of the invention the monitoring module first judges whether the version information of the operating system is Windows 7 or later. If so, the identifier of the planned task service interface is determined to be the first identifier, the memory address of the ITaskSchedulerService interface is determined in the planned task core function file according to the first identifier, and the HOOK function is set in the SchRpcRegisterTask function of the ITaskSchedulerService interface by modifying the code of that function according to the memory address of the ITaskSchedulerService interface. If the version information of the operating system is not Windows 7 or later, the monitoring module judges whether it is Windows XP; if so, the identifier of the planned task service interface is determined to be the second identifier, the memory address of the IAtSvc interface is determined in the planned task core function file according to the second identifier, and the HOOK function is set in the NetrJobAdd function of the IAtSvc interface by modifying the code of that function according to the memory address of the IAtSvc interface.
Referring to fig. 6, fig. 6 is a schematic flowchart of acquiring the creation data of a planned task according to the present invention. As shown in fig. 6, acquiring the creation data of the planned task at least includes:
601, calling an application program interface function to obtain the return data of creating the planned task.
In the embodiment of the present invention, the HOOK function may obtain the return data of creating the planned task by calling the application program interface function RpcServerInqCallAttributes.
602, acquiring the creation type of the planned task from the acquired return data of creating the planned task.
In the embodiment of the present invention, the return data of creating the planned task includes the name of the planned task, the execution data of the planned task, the creation type of the planned task, the IP address of the device that initiated creation of the planned task, and other information, so the HOOK function may obtain the creation type of the planned task directly by inspecting the acquired return data. For example, if the return data of creating the planned task is: planned task name: gate; planned task execution data: cmd.exe /c calc.exe; planned task creation: remote; IP: 192.168.44.138, then the creation type of the planned task is read directly from the "remote" field as the remote invocation type.
603, judging whether the acquired creation type of the planned task is the remote invocation type.
If the acquired creation type of the planned task is the remote invocation type, 604 is executed; otherwise, the flow ends.
604, acquiring, from the acquired return data of creating the planned task, the address of the target device in the intranet that initiated creation of the planned task.
In the embodiment of the present invention, after obtaining the creation type of the planned task, the HOOK function judges whether it is the remote invocation type and, if so, obtains the IP address of the target device in the intranet that initiated creation of the planned task directly from the acquired return data. For example, with the return data above (planned task name: gate; planned task execution data: cmd.exe /c calc.exe; planned task creation: remote; IP: 192.168.44.138), the IP address 192.168.44.138 of the target device in the intranet that initiated creation of the planned task is obtained directly.
Referring to fig. 7, fig. 7 is a schematic flowchart of an application scenario of the remote transverse penetration monitoring method for a planned task intranet according to the present invention. As shown in fig. 7, in an embodiment of the present invention, the planned task service process of the operating system is first searched for, and a monitoring module is installed in the planned task service process. The monitoring module then judges whether the planned task service process calls the Schedsvc.dll or Taskcomp.dll file; if it does, the monitoring module further judges whether the version of the operating system is Windows XP, or Windows 7 or a later version. If the version of the operating system is Windows XP or Windows 7, the memory address of the IAtSvc interface is searched for and located in the Schedsvc.dll or Taskcomp.dll file according to the GUID of the IAtSvc interface, and a HOOK function is set in the NetrJobAdd function of the IAtSvc interface; if the version of the operating system is Windows 7 or later, the memory address of the ITaskSchedulerService interface is searched for and located in the Schedsvc.dll or Taskcomp.dll file according to the GUID of the ITaskSchedulerService interface, and a HOOK function is set in the SchRpcRegisterTask function of the ITaskSchedulerService interface. The HOOK function then monitors created planned tasks: when the planned task service process calls the NetrJobAdd function or the SchRpcRegisterTask function to create a planned task, the HOOK function acquires the creation data of the planned task, identifies and judges whether the creation data indicates an RPC remote call type and, if so, further acquires the IP address of the device in the intranet that initiated the creation of the planned task. Finally, the acquired creation data and IP address of the planned task are sent to the threat behavior identification engine for security identification, and the creation of the planned task is intercepted according to the final identification result.
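The decision logic that surrounds the HOOK function in figs. 5 to 7, as an added example that is not part of the patent: the in-memory patch of SchRpcRegisterTask or NetrJobAdd inside the Task Scheduler service is Windows-specific and is not reproduced; what runs here is the version-to-hook-target selection (fig. 5), the local-versus-remote classification of one task-creation call with extraction of the caller's intranet address (fig. 6), and a stand-in threat behavior identification engine that returns a verdict (fig. 7). The interface UUIDs are the ones published for these interfaces in Microsoft's MS-TSCH specification and are our assumption about what the patent's "first" and "second" identifier are; the `CallAttributes` field names, the `TaskCreation` record, the engine's single rule and the sample data are constructed for this example.

```python
"""Decision logic around the HOOK function of figs. 5-7 (added illustration)."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

# Hook targets per OS generation (fig. 5 steps 502-509).  UUIDs are the MS-TSCH
# interface identifiers; the patent itself gives no values (assumption).
HOOK_TARGETS = {
    "new": {  # Windows 7 and later
        "interface": "ITaskSchedulerService",
        "uuid": "86d35949-83c9-4044-b424-db363231fd0c",
        "function": "SchRpcRegisterTask",
    },
    "old": {  # Windows XP
        "interface": "IAtSvc",
        "uuid": "1ff70682-0a51-30e8-076d-740be8cee98b",
        "function": "NetrJobAdd",
    },
}


def select_hook_target(major: int, minor: int) -> Optional[dict]:
    """Map an NT version pair to the interface and creating function to hook.

    Windows 7 is NT 6.1 and Windows XP is NT 5.1 (assumption: the version
    information is the NT major/minor pair).  Any other version ends the flow.
    """
    if (major, minor) >= (6, 1):
        return HOOK_TARGETS["new"]
    if (major, minor) == (5, 1):
        return HOOK_TARGETS["old"]
    return None


@dataclass
class CallAttributes:
    """Constructed stand-in for what the HOOK function reads through
    RpcServerInqCallAttributes; the field names are ours, not Win32's."""
    is_client_local: bool
    client_address: Optional[str] = None  # None when no network address is known


@dataclass
class TaskCreation:
    """The "return data of creating the planned task" of fig. 6 (constructed)."""
    name: str
    exec_data: str  # command line the task will run
    call: CallAttributes


def classify(task: TaskCreation) -> Optional[dict]:
    """Fig. 6 steps 602-604: None for a local creation (flow ends), otherwise
    the record to forward, carrying the intranet address of the initiator."""
    if task.call.is_client_local:
        return None
    addr = task.call.client_address
    if addr is not None:
        ip_address(addr)  # malformed address: raise ValueError rather than forward junk
    return {
        "task_name": task.name,
        "exec_data": task.exec_data,
        "creation_type": "remote",
        "source_ip": addr,  # may be None: remote call whose origin was not recoverable
    }


# Stand-in for the threat behavior identification engine (fig. 7).  The patent
# does not describe its rules; this one rule is our assumption for the demo.
INTERACTIVE_LAUNCHERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


def evaluate(record: dict) -> str:
    """Return "intercept" or "allow" for one forwarded record."""
    tokens = record["exec_data"].split()
    image = tokens[0].lower().rsplit("\\", 1)[-1] if tokens else ""
    if record["source_ip"] is None:
        return "intercept"  # remote creation with no traceable origin: treat as suspicious
    if image in INTERACTIVE_LAUNCHERS:
        return "intercept"  # remotely registered task that spawns a shell interpreter
    return "allow"


def monitor(task: TaskCreation) -> str:
    """Whole pipeline for one hooked call; local creations are never forwarded."""
    record = classify(task)
    if record is None:
        return "allow"
    return evaluate(record)


# Constructed sample, built from the patent's own example in fig. 6.
SAMPLE = TaskCreation(
    "gate", "cmd.exe /c calc.exe",
    CallAttributes(is_client_local=False, client_address="192.168.44.138"),
)

if __name__ == "__main__":
    print(select_hook_target(10, 0)["function"], classify(SAMPLE), monitor(SAMPLE))
```

The `source_ip is None` branch is the caveat a practitioner wants here: a call can be non-local while still carrying no usable network address (for example when it arrived over a transport that does not expose one), and the pipeline should forward such a creation rather than drop it because the address lookup failed.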
The remote transverse penetration monitoring device for a planned task intranet provided by the invention is described below; the device described below and the remote transverse penetration monitoring method for a planned task intranet described above correspond to each other and may be referred to together.
Referring to fig. 8, fig. 8 is a schematic structural diagram of a remote transverse penetration monitoring device for a planned task intranet according to the present invention. The device shown in fig. 8 is applied to a device in the intranet and, as shown in fig. 8, at least includes:
a data obtaining module 810, configured to, in response to the planned task service process of the operating system calling the planned task creating function to create a planned task, obtain the creation data of the planned task;
an address obtaining module 820, configured to obtain, based on the obtained creation data of the planned task, the address of the target device in the intranet that initiated creation of the planned task, if the creation type of the planned task is determined to be the remote invocation type; and
an information sending module 830, configured to send the obtained address of the target device in the intranet and the creation data of the planned task to the threat behavior identification engine, so as to monitor whether the operation of creating the planned task includes transverse penetration behavior.
Optionally, the remote transverse penetration monitoring device for a planned task intranet operates through a HOOK function set in the planned task creating function of the device in the intranet, and further includes:
a monitoring installation module, configured to search for the planned task service process of the operating system and install a monitoring module in the planned task service process; and
a HOOK function setting module, configured to set the HOOK function in the planned task creating function of the planned task service process through the monitoring module.
Optionally, the HOOK function setting module includes:
a core file determining unit, configured to determine the planned task core function file called by the planned task service process;
a service interface determining unit, configured to determine the planned task service interface in the planned task core function file based on the identifier of the planned task service interface; and
a HOOK function setting unit, configured to set the HOOK function in the planned task creating function of the determined planned task service interface.
Optionally, the service interface determining unit includes:
an identifier determining subunit, configured to determine the identifier of the planned task service interface based on the version information of the operating system; and
a service interface determining subunit, configured to determine the planned task service interface in the planned task core function file based on the determined identifier of the planned task service interface.
Optionally, the core file determining unit is configured to determine the memory address of the Schedsvc.dll or Taskcomp.dll file called by the planned task service process.
Optionally, the identifier determining subunit is configured to:
judge whether the version information of the operating system is Windows 7 or a later version;
if the version information of the operating system is Windows 7 or a later version, determine that the identifier of the planned task service interface is the first identifier;
otherwise, judge whether the version information of the operating system is Windows XP; and
if the version information of the operating system is Windows XP, determine that the identifier of the planned task service interface is the second identifier.
The service interface determining subunit is configured to:
determine the memory address of the ITaskSchedulerService interface in the planned task core function file based on the first identifier; or
determine the memory address of the IAtSvc interface in the planned task core function file based on the second identifier.
The HOOK function setting unit is configured to:
set the HOOK function in the SchRpcRegisterTask function of the ITaskSchedulerService interface based on the memory address of the ITaskSchedulerService interface; or
set the HOOK function in the NetrJobAdd function of the IAtSvc interface based on the memory address of the IAtSvc interface.
Optionally, the data obtaining module 810 is configured to call an application program interface function to obtain the return data of creating the planned task.
The address obtaining module 820 includes:
a creation type obtaining unit, configured to obtain the creation type of the planned task from the obtained return data of creating the planned task;
a type judging unit, configured to judge whether the obtained creation type of the planned task is the remote invocation type; and
an address obtaining unit, configured to, if the type judging unit determines that the obtained creation type of the planned task is the remote invocation type, obtain the address of the target device in the intranet that initiated creation of the planned task from the obtained return data of creating the planned task.
Fig. 9 illustrates a physical structure diagram of an electronic device. As shown in fig. 9, the electronic device may include a processor 910, a communications interface 920, a memory 930, and a communication bus 940, where the processor 910, the communications interface 920 and the memory 930 communicate with each other via the communication bus 940. The processor 910 may invoke logic instructions in the memory 930 to perform the following method: in response to a planned task service process of an operating system calling a planned task creating function to create a planned task, obtaining the creation data of the planned task; based on the obtained creation data of the planned task, if the creation type of the planned task is determined to be the remote invocation type, obtaining the address of the target device in the intranet that initiated creation of the planned task; and sending the obtained address of the target device in the intranet and the creation data of the planned task to a threat behavior identification engine, so as to monitor whether the operation of creating the planned task contains transverse penetration behavior.
Furthermore, the logic instructions in the memory 930 may be implemented in the form of software functional units and, when sold or used as an independent product, stored in a computer-readable storage medium. On this understanding, the technical solution of the present invention may be embodied as a software product that is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or any other medium capable of storing program code.
In another aspect, an embodiment of the present invention further provides a non-transitory computer-readable storage medium storing a computer program which, when executed by a processor, performs the method provided by the foregoing embodiments, for example including: in response to a planned task service process of an operating system calling a planned task creating function to create a planned task, obtaining the creation data of the planned task; based on the obtained creation data of the planned task, if the creation type of the planned task is determined to be the remote invocation type, obtaining the address of the target device in the intranet that initiated creation of the planned task; and sending the obtained address of the target device in the intranet and the creation data of the planned task to a threat behavior identification engine, so as to monitor whether the operation of creating the planned task contains transverse penetration behavior.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. A remote transverse penetration monitoring method for a planned task intranet, characterized in that it is applied to a device in the intranet and comprises:
in response to a planned task service process of an operating system calling a planned task creating function to create a planned task, obtaining creation data of the planned task;
based on the obtained creation data of the planned task, if the creation type of the planned task is determined to be a remote invocation type, obtaining an address of a target device in the intranet that initiated creation of the planned task; and
sending the obtained address of the target device in the intranet and the creation data of the planned task to a threat behavior identification engine, so as to monitor whether the operation of creating the planned task contains transverse penetration behavior.
2. The remote transverse penetration monitoring method for a planned task intranet according to claim 1, characterized in that the method is performed by setting a HOOK function in the planned task creating function of the device in the intranet;
setting the HOOK function in the planned task creating function comprises:
searching for the planned task service process of the operating system, and installing a monitoring module in the planned task service process; and
setting the HOOK function in the planned task creating function of the planned task service process through the monitoring module.
3. The remote transverse penetration monitoring method for a planned task intranet according to claim 2, wherein setting the HOOK function in the planned task creating function of the planned task service process comprises:
determining a planned task core function file called by the planned task service process;
determining a planned task service interface in the planned task core function file based on an identifier of the planned task service interface; and
setting the HOOK function in the planned task creating function of the determined planned task service interface.
4. The remote transverse penetration monitoring method for a planned task intranet according to claim 3, wherein determining the planned task service interface in the planned task core function file based on the identifier of the planned task service interface comprises:
determining the identifier of the planned task service interface based on version information of the operating system; and
determining the planned task service interface in the planned task core function file based on the determined identifier of the planned task service interface.
5. The remote transverse penetration monitoring method for a planned task intranet according to claim 4, wherein determining the planned task core function file called by the planned task service process comprises:
determining the memory address of the Schedsvc.dll or Taskcomp.dll file called by the planned task service process.
6. The remote transverse penetration monitoring method for a planned task intranet according to claim 5, wherein determining the identifier of the planned task service interface based on the version information of the operating system comprises:
judging whether the version information of the operating system is Windows 7 or a later version;
if the version information of the operating system is Windows 7 or a later version, determining that the identifier of the planned task service interface is a first identifier;
otherwise, judging whether the version information of the operating system is Windows XP; and
if the version information of the operating system is Windows XP, determining that the identifier of the planned task service interface is a second identifier;
determining the planned task service interface in the planned task core function file based on the determined identifier of the planned task service interface comprises:
determining the memory address of an ITaskSchedulerService interface in the planned task core function file based on the first identifier; or
determining the memory address of an IAtSvc interface in the planned task core function file based on the second identifier;
setting the HOOK function in the planned task creating function of the determined planned task service interface comprises:
setting the HOOK function in a SchRpcRegisterTask function of the ITaskSchedulerService interface based on the memory address of the ITaskSchedulerService interface; or
setting the HOOK function in a NetrJobAdd function of the IAtSvc interface based on the memory address of the IAtSvc interface.
7. The remote transverse penetration monitoring method for a planned task intranet according to any one of claims 1 to 6, wherein obtaining the creation data of the planned task comprises:
calling an application program interface function to obtain return data of creating the planned task;
and obtaining, based on the obtained creation data of the planned task, the address of the target device in the intranet that initiated creation of the planned task, if the creation type of the planned task is determined to be the remote invocation type, comprises:
obtaining the creation type of the planned task from the obtained return data of creating the planned task;
judging whether the obtained creation type of the planned task is the remote invocation type; and
if the obtained creation type of the planned task is the remote invocation type, obtaining the address of the target device in the intranet that initiated creation of the planned task from the obtained return data of creating the planned task.
8. A remote transverse penetration monitoring device for a planned task intranet, characterized in that it is applied to a device in the intranet and comprises:
a data obtaining module, configured to, in response to a planned task service process of an operating system calling a planned task creating function to create a planned task, obtain creation data of the planned task;
an address obtaining module, configured to obtain, based on the obtained creation data of the planned task, an address of a target device in the intranet that initiated creation of the planned task, if the creation type of the planned task is determined to be a remote invocation type; and
an information sending module, configured to send the obtained address of the target device in the intranet and the creation data of the planned task to a threat behavior identification engine, so as to monitor whether the operation of creating the planned task contains transverse penetration behavior.
9. An electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the program, performs the steps of the remote transverse penetration monitoring method for a planned task intranet according to any one of claims 1 to 7.
10. A non-transitory computer-readable storage medium having a computer program stored thereon, wherein the computer program, when executed by a processor, implements the steps of the remote transverse penetration monitoring method for a planned task intranet according to any one of claims 1 to 7.
CN202111520818.2A 2021-12-13 2021-12-13 Remote transverse penetration monitoring method and device for planned task intranet Pending CN114499929A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111520818.2A CN114499929A (en) 2021-12-13 2021-12-13 Remote transverse penetration monitoring method and device for planned task intranet

Publications (1)

Publication Number Publication Date
CN114499929A true CN114499929A (en) 2022-05-13

Family

ID=81492373

Country Status (1)

Country Link
CN (1) CN114499929A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170244754A1 (en) * 2016-02-19 2017-08-24 Secureworks Corp. System and Method for Detecting and Monitoring Thread Creation
US10038711B1 (en) * 2017-01-30 2018-07-31 XM Ltd. Penetration testing of a networked system
CN110381045A (en) * 2019-07-09 2019-10-25 腾讯科技(深圳)有限公司 Treating method and apparatus, storage medium and the electronic device of attack operation
CN111191224A (en) * 2019-07-08 2020-05-22 腾讯科技(深圳)有限公司 Countermeasure method and device for virtual machine detection and computer readable storage medium
US10887337B1 (en) * 2020-06-17 2021-01-05 Confluera, Inc. Detecting and trail-continuation for attacks through remote desktop protocol lateral movement
CN112351017A (en) * 2020-10-28 2021-02-09 北京奇虎科技有限公司 Transverse penetration protection method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination