CN115001761A - Monitoring method for real-time detection, based on DNS resolution, of a computer being remotely controlled by a hacker - Google Patents


Info

Publication number: CN115001761A
Authority: CN (China)
Prior art keywords: dns, log, command, frequency command, server
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202210552538.8A
Other languages: Chinese (zh)
Inventors: 裴志宏, 颜行知
Current assignee: Individual (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original assignee: Individual
Priority: CN202210552538.8A (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The application provides a monitoring method for real-time detection, based on DNS resolution, of a computer being remotely controlled by a hacker. The method comprises the following steps: acquiring a high-frequency command of an operating system and establishing a DNS (domain name system) resolution server, wherein the high-frequency command is an operating system native command that a hacker executes at high frequency after remotely controlling the computer; inserting a stub into the high-frequency command, so that a DNS resolution request is sent to the DNS resolution server when the stubbed high-frequency command is executed; responding to the resolution request through the DNS resolution server and generating a DNS resolution log; and sending the DNS resolution log to a visual log server in real time and displaying it through the visual log server. Because the method is deployed in batch by script, low-cost large-scale deployment can be achieved in a short time, and the remote control of a computer by a hacker is detected in real time.

Description

Monitoring method for real-time detection, based on DNS resolution, of a computer being remotely controlled by a hacker
Technical Field
The application relates to the technical field of network security monitoring and discovery, in particular to a monitoring method and a monitoring device for real-time detection, based on DNS resolution, of a computer being remotely controlled by a hacker.
Background
The essence of network security is defense against attack. Hacker attacks use many methods, such as vulnerability exploitation, social-engineering phishing and supply chain attacks, and although the methods vary, they ultimately converge on remote control of a target computer in order to steal sensitive data and push the attack deeper. For defenders, the hacker's remote control of a computer needs to be discovered in time, so as to prevent the hacker from stealing data on that computer on the one hand, and to prevent the hacker from using it as a springboard to attack other computers and expand the scope of the attack on the other hand. As the contest between attack and defense intensifies, hackers have adopted various means of evading the defenders' monitoring, so new ideas are needed to change the current traditional, passive and lagging defensive situation.
At present, the main techniques adopted by defenders to monitor for remote control of computers by hackers are analysis based on network traffic and detection based on a computer security client (EDR). The former requires a large number of traffic collection probes to be deployed in the network, the latter requires a security client to be installed on every computer, and both require a large body of security rules in order to discover the hacker's remote control behaviour among mass data.
The limitations of these mainstream monitoring techniques are as follows. For traffic probes, deploying few probes leaves monitoring blind spots while deploying many raises the cost, and in addition the traffic must be stored, which is also costly. For the computer security client, the same problem of deployment breadth exists, together with problems of operating system adaptation and business compatibility. Both also depend on configured security rules, so an attack that can circumvent the existing rules cannot be discovered.
Disclosure of Invention
The present application is directed to solving, at least in part, one of the technical problems in the related art.
Therefore, a first objective of the present application is to provide a monitoring method for real-time detection, based on DNS resolution, of a computer being remotely controlled by a hacker, which solves the technical problems of existing methods regarding security policy and rule configuration, and also solves their technical problems regarding the number of monitoring points required and operating system compatibility.
A second objective of the present application is to provide a monitoring device for real-time detection, based on DNS resolution, of a computer being remotely controlled by a hacker.
A third object of the present application is to propose a computer device.
A fourth object of the present application is to propose a non-transitory computer-readable storage medium.
In order to achieve the above object, an embodiment of a first aspect of the present application provides a monitoring method for real-time detection, based on DNS resolution, of a computer being remotely controlled by a hacker, including: acquiring a high-frequency command of an operating system and establishing a DNS (domain name system) resolution server, wherein the high-frequency command is an operating system native command that a hacker executes at high frequency after remotely controlling the computer; inserting a stub into the high-frequency command, and sending a DNS resolution request to the DNS resolution server when the stubbed high-frequency command is executed; responding to the resolution request through the DNS resolution server and generating a DNS resolution log; and sending the DNS resolution log to a visual log server in real time and displaying it through the visual log server.
Optionally, in an embodiment of the present application, inserting a stub into the high-frequency command includes:
inserting a stub into the high-frequency command using an alias technique, and/or
inserting a stub into the high-frequency command using a program synchronous call and path priority technique.
Optionally, in one embodiment of the present application, inserting a stub into the high-frequency command using an alias technique includes:
inserting a stub into the high-frequency command by configuring an alias command, or by using the registry and a custom batch file.
Optionally, in an embodiment of the present application, inserting a stub into the high-frequency command by configuring an alias command or by using the registry and a custom batch file includes:
executing the high-frequency command together with a command that triggers a DNS resolution request by using the "&&" symbol;
and redirecting the output of the command that triggers the DNS resolution request, so that the redirected DNS resolution request does not return an execution result.
Optionally, in an embodiment of the present application, inserting a stub into the high-frequency command using a program synchronous call and path priority technique includes:
calling the high-frequency command and a command that triggers a DNS resolution request together from a program, and controlling the program so that it returns only the execution result of the high-frequency command;
and placing the stubbed program at high priority in the PATH environment variable, using the PATH priority principle of the operating system.
Optionally, in an embodiment of the present application, executing the stubbed high-frequency command includes executing the high-frequency command and executing a command that triggers a DNS resolution request, and sending the DNS resolution request to the DNS resolution server when the stubbed high-frequency command is executed includes:
when a hacker executes the stubbed high-frequency command after remotely controlling the computer,
executing the high-frequency command and returning its execution result;
and sending a DNS resolution request to the DNS resolution server for resolution, without returning an execution result.
Optionally, in an embodiment of the present application, sending the DNS resolution log to a visual log server in real time and displaying the DNS resolution log through the visual log server includes:
configuring a syslog policy and sending the DNS resolution log to the visual log server in real time;
setting a special fictitious domain name as the DNS resolution anchor on the DNS resolution server, filtering the DNS resolution logs on the visual log server using the DNS resolution anchor as a keyword, and displaying the filtered DNS resolution logs in a real-time rolling view.
In order to achieve the above object, a second aspect of the present application provides a monitoring device for real-time detection, based on DNS resolution, of a computer being remotely controlled by a hacker, including:
an acquisition module, used for acquiring a high-frequency command of the operating system, wherein the high-frequency command is an operating system native command that a hacker executes at high frequency after remotely controlling the computer;
an establishing module, used for establishing a DNS resolution server;
an inserting module, used for inserting a stub into the high-frequency command;
an execution module, used for sending a DNS resolution request to the DNS resolution server when the stubbed high-frequency command is executed;
a resolution module, used for responding to the resolution request through the DNS resolution server and generating a DNS resolution log;
and a log display module, used for sending the DNS resolution log to the visual log server in real time and displaying the DNS resolution log through the visual log server.
In order to achieve the above object, a computer device according to a third aspect of the present invention is provided, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor; when the computer program is executed by the processor, the monitoring method for real-time detection, based on DNS resolution, of a computer being remotely controlled by a hacker is implemented.
In order to achieve the above object, a non-transitory computer-readable storage medium is provided in a fourth aspect of the present application; when executed by a processor, the instructions in the storage medium perform the monitoring method for real-time detection, based on DNS resolution, of a computer being remotely controlled by a hacker.
The monitoring method, the monitoring device, the computer device and the non-transitory computer-readable storage medium for real-time detection, based on DNS resolution, of a computer being remotely controlled by a hacker solve the technical problems of security policy and rule configuration in existing methods, and also solve the technical problems of the number of monitoring points required and operating system compatibility in existing methods.
Additional aspects and advantages of the present application will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the present application.
Drawings
The foregoing and/or additional aspects and advantages of the present application will become apparent and readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings of which:
fig. 1 is a flowchart of a monitoring method for real-time detection, based on DNS resolution, of a computer being remotely controlled by a hacker according to an embodiment of the present application;
FIG. 2 is another flowchart of a monitoring method for real-time detection, based on DNS resolution, of a computer being remotely controlled by a hacker according to an embodiment of the present application;
fig. 3 is a schematic structural diagram of a monitoring device for real-time detection, based on DNS resolution, of a computer being remotely controlled by a hacker according to a second embodiment of the present application.
Detailed Description
Reference will now be made in detail to embodiments of the present application, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to the same or similar elements or elements having the same or similar function throughout. The embodiments described below with reference to the drawings are exemplary and intended to be used for explaining the present application and should not be construed as limiting the present application.
The application draws on the attack thinking of hackers against computers and introduces the concept of a 'dark stub' (a DNS resolution request executed synchronously with a command). The hackers' thinking is as follows: hackers often exploit Remote Command Execution (RCE) vulnerabilities in attacks, and for some of these vulnerabilities the execution does not echo results back; in order to confirm that the command succeeded, the hacker executes a DNS resolution command, and the resolution record can then be seen on a platform such as dnsLog.
The application borrows and improves on this attack thinking and realises it by technical means. When a hacker has remotely controlled a computer by technical or social means and collects information in preparation for privilege escalation and lateral movement, a series of information collection commands has to be executed, which a normal administrator rarely runs because the administrator already knows this information. Therefore, a 'dark stub' can be inserted into the information collection commands that hackers execute at high frequency: when the hacker executes such a high-frequency command, a DNS resolution command is implicitly executed and sent to a specific DNS server, which generates a resolution log; the resolution log is sent to the visual log monitoring device in real time, and the hacker's remote control of the computer is thereby discovered.
The monitoring method and device for real-time detection, based on DNS resolution, of a computer being remotely controlled by a hacker according to the embodiments of the present application are described below with reference to the accompanying drawings.
Fig. 1 is a flowchart of a monitoring method for real-time detection, based on DNS resolution, of a computer being remotely controlled by a hacker according to an embodiment of the present application.
As shown in fig. 1, the monitoring method for real-time detection, based on DNS resolution, of a computer being remotely controlled by a hacker comprises the following steps:
step 101, acquiring a high-frequency command of an operating system and establishing a DNS (domain name system) resolution server, wherein the high-frequency command is an operating system native command that a hacker executes at high frequency after remotely controlling the computer;
step 102, inserting a stub into the high-frequency command, and sending a DNS resolution request to the DNS resolution server when the stubbed high-frequency command is executed;
step 103, responding to the resolution request through the DNS resolution server and generating a DNS resolution log;
step 104, sending the DNS resolution log to a visual log server in real time and displaying the DNS resolution log through the visual log server.
According to the monitoring method for real-time detection, based on DNS resolution, of a computer being remotely controlled by a hacker, a high-frequency command of the operating system is acquired and a DNS resolution server is established, wherein the high-frequency command is an operating system native command that a hacker executes at high frequency after remotely controlling the computer; a stub is inserted into the high-frequency command, and a DNS resolution request is sent to the DNS resolution server when the stubbed high-frequency command is executed; the DNS resolution server responds to the resolution request and generates a DNS resolution log; and the DNS resolution log is sent to a visual log server in real time and displayed through the visual log server. This solves the technical problems of security policy and rule configuration in existing methods, and the technical problems of the number of monitoring points required and operating system compatibility in existing methods: because the operating system's own native commands are used, there is no system compatibility problem, batch deployment by script achieves low-cost large-scale deployment in a short time, and the hacker's remote control of computers is therefore detected in real time.
The method and system can be deployed independently, or can complement existing enterprise-level security measures heterogeneously; the RESTful interface of the open source log system can further be used to implement automatic e-mail alerting and improve the real-time perception capability of the system.
Acquiring a high-frequency command of the operating system: the high-frequency command is a command that a hacker executes at high frequency to collect information after remotely controlling the computer, and that an administrator hardly ever executes. A typical command is whoami: the hacker needs to execute it to learn the privileges of the current account, whereas the administrator has no need to.
Establishing a dedicated DNS resolution server: a special fictitious domain name is set as the DNS resolution anchor, and a DNS resolution log is generated whenever a resolution request for that domain name is received.
Further, in the embodiment of the present application, inserting a stub into the high-frequency command includes:
inserting a stub into the high-frequency command using an alias technique, and/or
inserting a stub into the high-frequency command using a program synchronous call and path priority technique.
Further, in embodiments of the present application, inserting a stub into the high-frequency command using an alias technique includes:
inserting a stub into the high-frequency command by configuring an alias command, or by using the registry and a custom batch file.
For a Linux operating system, the stub is inserted into the high-frequency command by configuring an alias command; for the Windows operating system, the stub is inserted into the high-frequency command by using the registry and a custom batch script.
Further, in this embodiment of the present application, inserting a stub into the high-frequency command by configuring an alias command or by using the registry and a custom batch file includes:
executing the high-frequency command together with a command that triggers a DNS resolution request by using the "&&" symbol;
and redirecting the output of the command that triggers the DNS resolution request, so that the redirected DNS resolution request does not return an execution result to the hacker.
Using the alias technique to insert a stub into a high-frequency command essentially relies on the operating system's ability, in both Windows and Linux, to execute two commands together by means of the "&&" symbol. One command is the high-frequency command executed when the computer is attacked, called command 1; the other is an nslookup command that triggers a DNS resolution request, called command 2. Normally both commands would return execution results, but that would alert the person attacking the computer, so the output of command 2 must be redirected so that it triggers the DNS name resolution request without returning results to the hacker.
The alias technique is applied to command 1 so that command 1 and command 2 are executed together: a Linux system inserts the stub into the high-frequency command by configuring an alias in the environment, and a Windows system does so through the registry and a custom batch file.
Further, in the embodiment of the present application, inserting a stub into the high-frequency command using a program synchronous call and path priority technique includes:
calling the high-frequency command and a command that triggers a DNS resolution request together from a program, and controlling the program so that it returns only the execution result of the high-frequency command;
and placing the stubbed program at high priority in the PATH environment variable, using the PATH priority principle of the operating system.
Inserting the stub into the high-frequency command using the program synchronous call and path priority technique essentially achieves the synchronous execution of the two commands by developing a program. Taking the C language as an example, a program developed in C calls command 1 and the DNS resolution command 2 together, and the program is controlled so that it returns only the execution result of command 1.
Taking the command whoami, which hackers execute at high frequency, as an example (in essence it invokes whoami.exe on Windows or whoami on Linux), the program developed in C is compiled and named whoami.exe (or whoami). When this whoami.exe (or whoami) runs, both commands are executed, i.e. command 1 and command 2 run and the DNS resolution is triggered.
The operating system thus has its native whoami.exe and a whoami.exe containing the 'stub' compiled from C; to have the stubbed whoami.exe invoked when the hacker executes whoami, the concept of operating system execution path priority is used. Both Windows and Linux have a system environment variable PATH that holds the execution paths, and for files with the same name the one found first in PATH is executed. The stubbed whoami.exe is therefore invoked preferentially by placing the stubbed program at high priority in the PATH environment variable.
Using either the alias technique or the program synchronous call and path priority technique, the hacker executes the command without noticing that the 'stub' is triggered, DNS resolution is performed, and a DNS log is generated.
Further, in this embodiment of the present application, executing the stubbed high-frequency command includes executing the high-frequency command and executing a command that triggers a DNS resolution request, and sending the DNS resolution request to the DNS resolution server when the stubbed high-frequency command is executed includes:
when a hacker executes the stubbed high-frequency command after remotely controlling the computer,
executing the high-frequency command and returning its execution result;
and sending a DNS resolution request to the DNS resolution server for resolution, without returning an execution result to the hacker.
Further, in this embodiment of the application, sending the DNS resolution log to a visual log server in real time and displaying the DNS resolution log through the visual log server includes:
configuring a syslog policy and sending the DNS resolution log to the visual log server in real time;
the DNS resolution server sets a special fictitious domain name as the DNS resolution anchor, the visual log server filters the DNS resolution log using the DNS resolution anchor as a keyword, and the filtered DNS resolution log is displayed in a real-time rolling view.
Illustratively, by configuring a syslog policy the DNS resolution log can be sent in real time to the open source visual log analysis system syslog 2 (or the ELK Stack); syslog 2 is then configured to receive the syslog sent by the DNS resolution server, filter the log entries by the DNS resolution anchor keyword, and display the filtered DNS resolution log in a real-time rolling view.
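The Linux alias-based stub from the alias technique above, together with the anchor-keyword filter that the visual log server applies to the DNS resolution log, as an added example that is not part of the patent. Assumptions: the stub is written as a shell function so that arguments and the native command's exit status survive (the page's alias with && is the same idea), the stub encodes the command name and host name as labels under the anchor so that the log identifies both, the anchor zone is the fictitious stub.invalid, and the log lines are a constructed BIND9-style query log.

```python
"""Alias-based 'dark stub' for Linux plus the anchor-keyword filter for the DNS
resolution log. Added example, not code from the patent; the anchor zone, the
command list, the label layout and the log format are all assumptions."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Assumed anchor: a fictitious zone that only the defender's DNS server answers.
# .invalid is reserved by RFC 2606, so such a query never resolves on the public DNS.
ANCHOR = "stub.invalid"

# High-frequency reconnaissance commands: whoami is the page's example, the rest are assumed.
HIGH_FREQ_COMMANDS = ("whoami", "id", "ifconfig", "netstat")


def stub_function(command: str, host: str, anchor: str = ANCHOR) -> str:
    """Shell text that shadows `command` with a stub (the page's "command 1" then
    "command 2"). A function instead of a bare alias keeps arguments and the native
    command's exit status intact; `command <name>` bypasses the function itself, so
    the native binary runs exactly as before. The lookup of <command>.<host>.<anchor>
    then fires with all of its output redirected away, so nothing extra is returned."""
    query = f"{command}.{host}.{anchor}"
    return (f'{command}() {{ command {command} "$@"; _rc=$?; '
            f"nslookup {query} >/dev/null 2>&1; return $_rc; }}")


def stub_profile(host: str, commands: Iterable[str] = HIGH_FREQ_COMMANDS) -> str:
    """Lines for a login profile (e.g. /etc/profile.d/) so a script can deploy in batch."""
    return "\n".join(stub_function(c, host) for c in commands) + "\n"


# BIND9-style query-log line. The pattern is searched, not anchored, so a syslog
# timestamp prefix in front of it does not matter.
_QUERY_RE = re.compile(
    r"client (?:@\S+ )?(?P<src>[0-9a-fA-F.:]+)#\d+ .*?query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


@dataclass
class StubAlert:
    source_ip: str   # sender of the query: the recursive resolver if hosts do not query directly
    host: str        # host label carried in the name, so the alert works even via a resolver
    command: str     # command label carried in the name ("?" for a bare anchor query)
    qname: str
    raw: str


def decode_anchor_query(qname: str, anchor: str = ANCHOR) -> Optional[Tuple[str, str]]:
    """Return (command, host) if qname lies under the anchor, else None. DNS names
    are case-insensitive and resolvers may randomise case, so compare lower-cased."""
    name = qname.lower().rstrip(".")
    anchor = anchor.lower().rstrip(".")
    if name == anchor:
        return ("?", "?")          # bare anchor, as in the page's plain design
    suffix = "." + anchor
    if not name.endswith(suffix):
        return None
    labels = name[: -len(suffix)].split(".")
    host = labels[-1] if len(labels) >= 2 else "?"
    return (labels[0], host)


def filter_anchor(lines: Iterable[str], anchor: str = ANCHOR) -> List[StubAlert]:
    """The log server's keyword filter: keep only resolution log lines under the anchor."""
    alerts: List[StubAlert] = []
    for line in lines:
        m = _QUERY_RE.search(line)
        if not m:
            continue
        decoded = decode_anchor_query(m["qname"], anchor)
        if decoded is None:
            continue
        command, host = decoded
        alerts.append(StubAlert(m["src"], host, command, m["qname"], line.rstrip()))
    return alerts


def render(alert: StubAlert) -> str:
    """One line for the rolling real-time display."""
    return f"STUB HIT host={alert.host} command={alert.command} via={alert.source_ip}"


# Constructed sample of the DNS server's query log; the second line is ordinary traffic
# and must be filtered out, the third shows a case-randomised query.
SAMPLE_LOG = """\
12-May-2022 10:01:02.123 queries: info: client @0x7f0a1c002a90 10.0.0.5#53211 (whoami.web01.stub.invalid): query: whoami.web01.stub.invalid IN A +E(0)K (10.0.0.2)
12-May-2022 10:01:05.456 queries: info: client @0x7f0a1c003b10 10.0.0.9#41022 (www.example.com): query: www.example.com IN A + (10.0.0.2)
12-May-2022 10:01:07.789 queries: info: client @0x7f0a1c004c20 10.0.0.5#53300 (NETSTAT.WEB01.STUB.INVALID): query: NETSTAT.WEB01.STUB.INVALID IN A + (10.0.0.2)
"""

if __name__ == "__main__":
    print(stub_profile("web01"))
    for alert in filter_anchor(SAMPLE_LOG.splitlines()):
        print(render(alert))
```

The stub text only works for interactive shells that read the profile; a remote shell spawned without a login profile, or a direct execve of the binary, bypasses an alias-based stub, which is the gap the page's PATH-priority wrapper program closes.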
Fig. 2 is another flowchart of a monitoring method for real-time detection, based on DNS resolution, of a computer being remotely controlled by a hacker according to an embodiment of the present application.
As shown in fig. 2, in the monitoring method for real-time detection, based on DNS resolution, of a computer being remotely controlled by a hacker, the hacker obtains control of server A by means of a vulnerability, social engineering or similar (the defender has already implanted the monitoring stub on server A), and executes information collection commands on server A to learn information such as privileges and network segments; while the information collection command executes, the stub is triggered and a DNS resolution command is sent to the specific DNS server B, but the resolution result is not displayed; DNS server B responds to the resolution request and generates a log; the DNS log is sent via syslog in real time to the visual log server C; and the visual log server C displays the hacker's remote control information in a continuously updated rolling view based on the anchor information.
Fig. 3 is a schematic structural diagram of a monitoring device for real-time detection, based on DNS resolution, of a computer being remotely controlled by a hacker according to a second embodiment of the present application.
As shown in fig. 3, the monitoring device for real-time detection, based on DNS resolution, of a computer being remotely controlled by a hacker comprises:
an acquisition module 10, configured to acquire a high-frequency command of an operating system, wherein the high-frequency command is an operating system native command that a hacker executes at high frequency after remotely controlling the computer;
an establishing module 20, configured to establish a DNS resolution server;
an insertion module 30, configured to insert a stub into the high-frequency command;
an execution module 40, configured to send a DNS resolution request to the DNS resolution server when the stubbed high-frequency command is executed;
a resolution module 50, configured to respond to the resolution request through the DNS resolution server and generate a DNS resolution log;
and a log display module 60, configured to send the DNS resolution log to the visual log server in real time and display the DNS resolution log through the visual log server.
The monitoring device for real-time detection, based on DNS resolution, of a computer being remotely controlled by a hacker comprises an acquisition module, used for acquiring a high-frequency command of the operating system, wherein the high-frequency command is an operating system native command that a hacker executes at high frequency after remotely controlling the computer; an establishing module, used for establishing a DNS resolution server; an inserting module, used for inserting a stub into the high-frequency command; an execution module, used for sending a DNS resolution request to the DNS resolution server when the stubbed high-frequency command is executed; a resolution module, used for responding to the resolution request through the DNS resolution server and generating a DNS resolution log; and a log display module, used for sending the DNS resolution log to the visual log server in real time and displaying the DNS resolution log through the visual log server. This solves the technical problems of security policy and rule configuration in existing methods, and the technical problems of the number of monitoring points required and operating system compatibility in existing methods: because the operating system's own native commands are used, there is no system compatibility problem, batch deployment by script achieves low-cost large-scale deployment in a short time, and the hacker's remote control of computers is therefore detected in real time.
In order to implement the foregoing embodiments, the present application further provides a computer device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor; when the processor executes the computer program, the monitoring method for real-time detection, based on DNS resolution, of a computer being remotely controlled by a hacker according to the foregoing embodiments is implemented.
In order to implement the above embodiments, the present application further proposes a non-transitory computer-readable storage medium having a computer program stored thereon; when the computer program is executed by a processor, it implements the monitoring method for real-time detection, based on DNS resolution, of a computer being remotely controlled by a hacker according to the above embodiments.
In the description herein, reference to the terms "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the application. In this specification, the schematic representations of the terms used above are not necessarily intended to refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, the various embodiments or examples, and the features of different embodiments or examples, described in this specification can be combined by one skilled in the art provided they do not contradict each other.
Furthermore, the terms "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance, nor as implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In the description of the present application, "plurality" means at least two, e.g., two, three, etc., unless specifically limited otherwise.
Any process or method descriptions in flow charts or otherwise described herein may be understood as representing modules, segments, or portions of code which include one or more executable instructions for implementing steps of a custom logic function or process, and alternate implementations are included within the scope of the preferred embodiment of the present application in which functions may be executed out of order from that shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those reasonably skilled in the art of the present application.
The logic and/or steps represented in the flowcharts or otherwise described herein, e.g., an ordered listing of executable instructions that can be considered to implement logical functions, can be embodied in any computer-readable medium for use by or in connection with an instruction execution system, apparatus, or device, such as a computer-based system, processor-containing system, or other system that can fetch the instructions from the instruction execution system, apparatus, or device and execute the instructions. For the purposes of this description, a "computer-readable medium" can be any means that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device. More specific examples (a non-exhaustive list) of the computer-readable medium would include the following: an electrical connection (electronic device) having one or more wires, a portable computer diskette (magnetic device), a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and a portable compact disc read-only memory (CDROM). Further, the computer-readable medium could even be paper or another suitable medium upon which the program is printed, as the program can be electronically captured, via for instance optical scanning of the paper or other medium, then compiled, interpreted or otherwise processed in a suitable manner if necessary, and then stored in a computer memory.
It should be understood that portions of the present application may be implemented in hardware, software, firmware, or a combination thereof. In the above embodiments, various steps or methods may be implemented in software or firmware stored in a memory and executed by a suitable instruction execution system. If implemented in hardware, as in another embodiment, any one or combination of the following techniques, which are known in the art, may be used: a discrete logic circuit having a logic gate circuit for implementing a logic function on a data signal, an application specific integrated circuit having an appropriate combinational logic gate circuit, a Programmable Gate Array (PGA), a Field Programmable Gate Array (FPGA), or the like.
It will be understood by those skilled in the art that all or part of the steps carried by the method for implementing the above embodiments may be implemented by hardware related to instructions of a program, which may be stored in a computer readable storage medium, and when the program is executed, the program includes one or a combination of the steps of the method embodiments.
In addition, functional units in the embodiments of the present application may be integrated into one processing module, or each unit may exist alone physically, or two or more units are integrated into one module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode. The integrated module, if implemented in the form of a software functional module and sold or used as a stand-alone product, may also be stored in a computer readable storage medium.
The storage medium mentioned above may be a read-only memory, a magnetic or optical disk, etc. While embodiments of the present application have been shown and described above, it will be understood that the above embodiments are exemplary and should not be construed as limiting the present application and that changes, modifications, substitutions and alterations in the above embodiments may be made by those of ordinary skill in the art within the scope of the present application.

Claims (10)

1. A monitoring method for real-time perception, based on DNS resolution, of a hacker remotely controlling a computer, characterized in that it comprises:
acquiring a high-frequency command of an operating system and establishing a DNS resolution server, wherein the high-frequency command is an operating-system native command that is executed at high frequency after a hacker remotely controls a computer;
inserting a stub into the high-frequency command, and sending a DNS resolution request to the DNS resolution server when the stubbed high-frequency command is executed;
responding to the resolution request through the DNS resolution server and generating a DNS resolution log;
and sending the DNS resolution log to a visual log server in real time, and displaying the DNS resolution log through the visual log server.
2. The method of claim 1, wherein inserting a stub into the high-frequency command comprises:
inserting the stub into the high-frequency command using an alias technique, and/or
inserting the stub into the high-frequency command using a program synchronous-invocation and path-priority technique.
3. The method of claim 2, wherein inserting the stub into the high-frequency command using an alias technique comprises:
inserting the stub into the high-frequency command by configuring an alias command, or by using the registry and a custom batch file.
4. The method of claim 3, wherein inserting the stub into the high-frequency command by configuring an alias command or by using the registry and a custom batch file comprises:
executing the high-frequency command together with a command that triggers a DNS resolution request, the two joined with the "&" symbol;
and redirecting the command that triggers the DNS resolution request so that, after redirection, it does not return an execution result.
5. The method of claim 2, wherein inserting the stub into the high-frequency command using a program synchronous-invocation and path-priority technique comprises:
simultaneously invoking, through a program, the high-frequency command and a command that triggers a DNS resolution request, and controlling the program so that it returns only the execution result of the high-frequency command;
and placing the program that inserts the stub at high priority in the PATH environment variable, using the operating system's PATH priority principle.
6. The method of claim 1, wherein executing the stubbed high-frequency command comprises executing the high-frequency command and executing a command that triggers a DNS resolution request, and wherein sending the DNS resolution request to the DNS resolution server when the stubbed high-frequency command is executed comprises:
when a hacker, after remotely controlling the computer, executes the stubbed high-frequency command,
executing the high-frequency command and returning its execution result;
and sending a DNS resolution request to the DNS resolution server for resolution, without returning an execution result.
7. The method of claim 1, wherein sending the DNS resolution log to a visual log server in real time and displaying the DNS resolution log through the visual log server comprises:
configuring a syslog policy, and sending the DNS resolution log to the visual log server in real time;
setting a special fictitious domain name as a DNS resolution anchor point through the DNS resolution server, filtering the DNS resolution log on the visual log server using the DNS resolution anchor point as a keyword, and displaying the filtered DNS resolution log as a real-time scrolling view.
8. A device for real-time perception, based on DNS resolution, of a hacker remotely controlling a computer, comprising:
an acquisition module, configured to acquire a high-frequency command of an operating system, wherein the high-frequency command is an operating-system native command that is executed at high frequency after a hacker remotely controls a computer;
an establishing module, configured to establish a DNS resolution server;
an inserting module, configured to insert a stub into the high-frequency command;
an execution module, configured to send a DNS resolution request to the DNS resolution server when the stubbed high-frequency command is executed;
a resolution module, configured to respond to the resolution request through the DNS resolution server and generate a DNS resolution log;
and a log display module, configured to send the DNS resolution log to a visual log server in real time and to display the DNS resolution log through the visual log server.
9. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the method of any one of claims 1-7 when executing the computer program.
10. A non-transitory computer-readable storage medium having stored thereon a computer program, wherein the computer program, when executed by a processor, implements the method of any one of claims 1-7.
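The following is an added example, not code from the patent: a POSIX shell sketch of the stub described in the device summary and in claims 2 to 7. It installs a PATH-priority wrapper for a "high-frequency" command that fires a background, silenced DNS lookup of a canary name and then execs the real binary, and it filters resolver log lines on the anchor domain. The anchor domain `canary.example.invalid`, the query layout `<host>.<command>.<anchor>`, the `BEACON_CMD` variable and the sample log lines are all constructed assumptions.

```shell
#!/bin/sh
# Added example, not the patent's own code: PATH-priority stub (claims 2, 5, 6),
# the "&" plus redirection trick (claims 4, 6) and the anchor-domain log filter
# (claim 7). Assumed/constructed: anchor domain, query layout, sample log lines.

ANCHOR_DOMAIN="canary.example.invalid"   # fictitious DNS anchor point (claim 7)
: "${BEACON_CMD:=nslookup}"              # resolver client; overridable for offline tests

# install_stub DIR NAME REAL
# Writes DIR/NAME so that, with DIR first in PATH, "NAME args..." (1) sends a
# lookup for <host>.<NAME>.<anchor> to the background with all output discarded
# and (2) execs the real binary, so the caller sees only the real result.
install_stub() {
  dir=$1; name=$2; real=$3
  mkdir -p "$dir"
  cat > "$dir/$name" <<EOF
#!/bin/sh
# Stub for $name: the beacon is detached and silenced; the real command keeps
# stdout, stderr and the exit code.
$BEACON_CMD "\$(uname -n).$name.$ANCHOR_DOMAIN" >/dev/null 2>&1 &
exec "$real" "\$@"
EOF
  chmod 755 "$dir/$name"
}

# filter_anchor_log < resolver-log
# Keeps only lines that carry the anchor domain and prints "client host command",
# i.e. which client ran which stubbed command (claim 7's keyword filtering).
filter_anchor_log() {
  anchor_re=$(printf '%s' "$ANCHOR_DOMAIN" | sed 's/\./\\./g')
  grep -F -- ".$ANCHOR_DOMAIN" |
    sed -E "s/^.*client ([0-9.]+)#[0-9]+: query: (.+)\.([^.]+)\.$anchor_re .*$/\1 \2 \3/"
}

# Constructed sample resolver log in a syslog-like layout (not real data).
SAMPLE_LOG='May 20 10:01:02 ns1 named[1234]: client 10.0.0.5#51234: query: ws-12.whoami.canary.example.invalid IN A
May 20 10:01:03 ns1 named[1234]: client 10.0.0.9#51235: query: www.example.com IN A
May 20 10:01:04 ns1 named[1234]: client 10.0.0.7#51236: query: srv-3.ipconfig.canary.example.invalid IN A'

# demo_filter: the filtered view an operator would watch scrolling on the log server.
demo_filter() {
  printf '%s\n' "$SAMPLE_LOG" | filter_anchor_log
}
```

Only lines whose query name ends in the anchor domain survive the filter, so ordinary lookups (the `www.example.com` line above) never reach the display.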
CN202210552538.8A 2022-05-20 2022-05-20 Monitoring method for remotely controlling hacker by real-time perception computer based on DNS analysis Pending CN115001761A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210552538.8A CN115001761A (en) 2022-05-20 2022-05-20 Monitoring method for remotely controlling hacker by real-time perception computer based on DNS analysis

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210552538.8A CN115001761A (en) 2022-05-20 2022-05-20 Monitoring method for remotely controlling hacker by real-time perception computer based on DNS analysis

Publications (1)

Publication Number Publication Date
CN115001761A true CN115001761A (en) 2022-09-02

Family

ID=83026759

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210552538.8A Pending CN115001761A (en) 2022-05-20 2022-05-20 Monitoring method for remotely controlling hacker by real-time perception computer based on DNS analysis

Country Status (1)

Country Link
CN (1) CN115001761A (en)

Citations (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100805316B1 (en) * 2007-07-26 2008-02-21 주식회사 나우콤 Method and system of instruction validation control list base
CN102880471A (en) * 2012-09-24 2013-01-16 中兴通讯股份有限公司 Command execution method based on command line and command line operating system
US8869268B1 (en) * 2007-10-24 2014-10-21 Symantec Corporation Method and apparatus for disrupting the command and control infrastructure of hostile programs
CN105933268A (en) * 2015-11-27 2016-09-07 中国银联股份有限公司 Webshell detection method and apparatus based on total access log analysis
CN106685970A (en) * 2016-12-29 2017-05-17 北京奇虎科技有限公司 Reverse connection backdoor detecting method and device
CN107483567A (en) * 2017-08-03 2017-12-15 广州华多网络科技有限公司 A kind of method and system of distributed information log search
CN111049784A (en) * 2018-10-12 2020-04-21 北京奇虎科技有限公司 Network attack detection method, device, equipment and storage medium
CN113014573A (en) * 2021-02-23 2021-06-22 杭州安恒信息技术股份有限公司 Monitoring method, system, electronic device and storage medium of DNS (Domain name Server)
US20210297417A1 (en) * 2020-03-23 2021-09-23 Microsoft Technology Licensing, Llc Secure remote troubleshooting of private cloud
CN113923192A (en) * 2021-09-29 2022-01-11 深信服科技股份有限公司 Flow auditing method, device, system, equipment and medium
CN114039943A (en) * 2021-07-28 2022-02-11 中国建设银行股份有限公司 Data processing method and device of domain name system
CN114168383A (en) * 2021-12-01 2022-03-11 北京联创新天科技有限公司 Application state monitoring restart tool, method, medium and equipment
CN114238978A (en) * 2021-11-04 2022-03-25 广东电网有限责任公司广州供电局 Vulnerability scanning system, vulnerability scanning method and computer equipment


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
王九菊, 郭学理: "How to prevent hackers from exploiting telnet or rlogin to attack Linux systems", 《微型机与应用》, no. 09, 30 October 2002 (2002-10-30) *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination