Windows Incident Response: A Detailed Guide

Tech, May 8

1. Attack Classification

To conduct an incident response, you must first understand what type of attack you are dealing with.

Common attack categories include:

  1. System Intrusion: Viruses, Trojans, ransomware, remote control backdoors.
  2. Web Intrusion: Web page malware, homepage tampering, Webshell.
  3. Network Attacks: DDoS attacks, DNS hijacking, ARP spoofing.

Classification is usually straightforward. If your website is serving malware or its pages or images have been altered, it is a web intrusion. Ransomware, cryptominers and viruses run at the operating-system level, so those are system intrusions. Network attacks are identified through traffic analysis and network monitoring.

2. System Intrusion Response

First, understand that the attacker may have already gained partial system privileges.

(1) Account Checking

Open a command prompt and use:

net user

to see if there are any extra user accounts.

If no extra accounts appear, the attacker may have created a hidden account. To check, open the Registry Editor with administrator privileges and navigate to:

Computer\HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names

Compare the number of entries in the Users subkey with the output of net user. If they differ, a hidden account may exist.

For example, if net user shows five accounts but the registry shows six names, the extra one (e.g., admin$) is suspicious: net user does not list account names that end in $, which is why such names only show up in the registry.

To detect cloned accounts, use a tool such as D-Sword.
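The registry-versus-net user comparison above, as an added PowerShell example that is not part of the original post. It assumes an elevated session in which Administrators have been granted Read on the SAM key (the default ACL denies it; grant it via Regedit > Permissions first) and an English-locale net user output.

```powershell
# Added example: names stored under the SAM "Names" key versus names printed by `net user`.
# `net user` omits names ending in "$", so a hidden account such as admin$ appears only
# on the registry side. Assumes Read access on HKLM\SAM\SAM has been granted (see lead-in).

function Get-SamAccountNames {
    $key = 'HKLM:\SAM\SAM\Domains\Account\Users\Names'
    (Get-ChildItem -Path $key -ErrorAction Stop).PSChildName
}

function Get-NetUserAccountNames {
    # Account names are the tokens between the dashed ruler and the closing status line
    # (assumes English-locale output).
    $inTable = $false
    foreach ($line in (net user)) {
        if ($line -match '^-{10,}') { $inTable = $true; continue }
        if ($line -match 'completed successfully') { break }
        if ($inTable) {
            ($line -split '\s{2,}') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
        }
    }
}

function Find-HiddenAccounts {
    $sam     = @(Get-SamAccountNames)
    $visible = @(Get-NetUserAccountNames)
    # Names present in the SAM but absent from `net user`; -notcontains is case-insensitive.
    $sam | Where-Object { $visible -notcontains $_ }
}

$hidden = @(Find-HiddenAccounts)
if ($hidden.Count -gt 0) {
    Write-Output 'Accounts present in the SAM but not shown by net user:'
    $hidden | ForEach-Object { Write-Output "  $_" }
} else {
    Write-Output "SAM names match net user output ($(@(Get-SamAccountNames).Count) accounts)."
}
```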

If no extra accounts are found, proceed to process inspection.

(2) Task Manager Process Inspection

Example: A friend's charging cable turned yellow due to overheating. Task Manager showed CPU usage near 80%, even after closing all applications. A process with high CPU usage was found; killing it dropped CPU to ~10%. However, the issue returned within minutes, which pointed to a cryptominer. After locating its files in high-risk folders and deleting them, the process reappeared, which suggested a persistence mechanism. Even Windows Defender missed it. Finally, running 360 Total Security resolved the issue.

Key steps for process inspection:

  1. Check Task Manager for anomalous processes (e.g., high CPU/memory usage).
  2. Investigate suspicious processes (e.g., search online for the executable name).
  3. Use security tools such as Huorong or 360.

(3) Startup Items Check

List scheduled tasks:

schtasks /query /fo LIST /v

List startup programs:

wmic startup get command,caption

Check system uptime:

net statistics workstation

List services:

wmic service list brief

Monitor startup items to detect persistence mechanisms.

(4) Port Checking

View active connections:

netstat -ano

Find PID for a specific port:

netstat -ano | findstr "port"

Use tools like TCPView to inspect remote addresses and check them against threat intelligence platforms.

(5) Auto-Start Registry Check

Common autostart registry paths:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

Malware often uses these keys to persist. Checking them regularly helps detect unauthorized programs.
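An added PowerShell example (not from the original post) that enumerates the Run and RunOnce keys listed above for both HKLM and HKCU, resolves each command to its executable, and flags entries that launch from user-writable directories or are unsigned. The directory list is an assumed heuristic, not a rule from the post.

```powershell
# Added example: snapshot the autostart keys and flag the entries worth a closer look.
$autostartKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Assumed heuristic: locations a non-admin user can write to; dropped malware usually lives here.
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, 'C:\Users', 'C:\ProgramData')
# Properties that Get-ItemProperty adds itself; they are not registry values.
$psMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-AutostartEntries {
    foreach ($key in $autostartKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($psMeta -contains $p.Name) { continue }
            $cmd = [string]$p.Value
            # Executable is either the quoted path or the first token before a space.
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $inUserDir = $false
            foreach ($dir in $userWritable) { if ($dir -and $exe -like "$dir*") { $inUserDir = $true } }
            $sig = if (Test-Path -LiteralPath $exe) {
                (Get-AuthenticodeSignature -FilePath $exe).Status   # Valid, NotSigned, HashMismatch, ...
            } else { 'FileMissing' }
            [pscustomobject]@{
                Key          = $key
                Name         = $p.Name
                Executable   = $exe
                Signature    = $sig
                UserWritable = $inUserDir
            }
        }
    }
}

# Suspicious entries (user-writable location or not validly signed) sort to the top.
Get-AutostartEntries |
    Sort-Object @{Expression = { $_.UserWritable -or $_.Signature -ne 'Valid' }; Descending = $true } |
    Format-Table -AutoSize
```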

(6) Windows Event Log Analysis

Open Event Viewer and review the Security log. Key event IDs:

  • 4624 – Successful logon.
  • 4625 – Failed logon.
  • 4672 – Admin privilege operation.
  • 4768 – Kerberos ticket request.
  • 7045 – Service state change.
  • 4732 – Security group member added.
  • 5058 – Security setting changed.

For example, to find when a hidden account logged in, search for Event ID 4624 and filter for the hidden account name.
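The 4624 search just described, as an added PowerShell example that is not part of the original post. The account name admin$ is an assumed placeholder; the function also takes an event ID so the same filter works for 4625 failed logons.

```powershell
# Added example: every logon event of one type for one account, with time, logon type,
# source address and the logon ID that ties it to later 4672 privilege events.
function Get-AccountLogons {
    param(
        [Parameter(Mandatory)][string]$Account,
        [int]$EventId = 4624,       # 4624 successful logon; use 4625 for failures
        [int]$Max = 500
    )
    # XPath is evaluated by the event log service, so only matching records are read.
    # The TargetUserName comparison is case-sensitive.
    $xpath = "*[System[EventID=$EventId] and EventData[Data[@Name='TargetUserName']='$Account']]"
    Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents $Max -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                EventId   = $_.Id
                Account   = $data['TargetUserName']
                LogonType = $data['LogonType']      # 2 console, 3 network/SMB, 10 RDP
                Source    = $data['IpAddress']
                Process   = $data['ProcessName']
                LogonId   = $data['TargetLogonId']  # matches SubjectLogonId in 4672
            }
        }
}

# Placeholder account name from the example above; run from an elevated PowerShell.
Get-AccountLogons -Account 'admin$' | Sort-Object Time | Format-Table -AutoSize
```

Run with -EventId 4625 to see failed attempts against the same account, which often precede the first successful 4624.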

3. Web Intrusion Response

Before proceeding, isolate the network and limit user access.

(1) Webshell Detection

Use tools like D-Sword to scan server directories for Webshell files.

(2) File Modification Inspection

Check file access and modification times to determine when the attack occurred.

(3) D-Eye Trojan Scanning

D-Eye is popular among blue teams because it identifies malware through strong data analysis.

(4) Code Comparison (for larger systems)

If backups are available, compare current code with originals using tools like Beyond Compare to highlight differences.

(5) MD5 Hash Comparison

Compare the current MD5 hash of each file with its original hash. Any discrepancy indicates tampering.
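One way to do the hash comparison in steps (2), (4) and (5) together, as an added PowerShell example that is not part of the original post: record an MD5 baseline of the web root while it is known good, then diff the live tree against it, reporting modified, added and deleted files with their last-write times. The web root and baseline paths are assumed placeholders. MD5 is adequate for spotting changes against a baseline you control; use SHA256 if the baseline is shared with others.

```powershell
# Added example: MD5 baseline of a directory tree and a later comparison against it.
function New-HashBaseline {
    param([string]$Root, [string]$BaselineCsv)
    Get-ChildItem -Path $Root -Recurse -File |
        Get-FileHash -Algorithm MD5 |
        Select-Object Path, Hash |
        Export-Csv -Path $BaselineCsv -NoTypeInformation
}

function Compare-HashBaseline {
    param([string]$Root, [string]$BaselineCsv)
    $baseline = @{}
    Import-Csv -Path $BaselineCsv | ForEach-Object { $baseline[$_.Path] = $_.Hash }
    $current = @{}
    Get-ChildItem -Path $Root -Recurse -File | Get-FileHash -Algorithm MD5 |
        ForEach-Object { $current[$_.Path] = $_.Hash }

    # Added files are where new webshells land; modified files are where existing pages were backdoored.
    foreach ($path in $current.Keys) {
        $lastWrite = (Get-Item -LiteralPath $path).LastWriteTime
        if (-not $baseline.ContainsKey($path)) {
            [pscustomobject]@{ Status = 'Added';    Path = $path; LastWrite = $lastWrite }
        } elseif ($baseline[$path] -ne $current[$path]) {
            [pscustomobject]@{ Status = 'Modified'; Path = $path; LastWrite = $lastWrite }
        }
    }
    foreach ($path in $baseline.Keys) {
        if (-not $current.ContainsKey($path)) {
            [pscustomobject]@{ Status = 'Deleted';  Path = $path; LastWrite = $null }
        }
    }
}

# Placeholder paths: run the first line while the site is known good, the second during response.
# New-HashBaseline -Root 'C:\inetpub\wwwroot' -BaselineCsv 'D:\baseline\wwwroot-md5.csv'
# Compare-HashBaseline -Root 'C:\inetpub\wwwroot' -BaselineCsv 'D:\baseline\wwwroot-md5.csv' |
#     Sort-Object Status, LastWrite | Format-Table -AutoSize
```

Sorting the Modified and Added entries by LastWrite gives the timeline that step (2) asks for.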

4. Network Attack Response

(1) Ransomware

Huorong provides a ransomware decryption tool: http://bbs.huorong.cn/thread-65355-1-1.html

Back up important data regularly to limit the impact.

(2) DDoS Attack Response

Use BGP blackhole routing: configure the BGP routers to route attack traffic to a null interface so it is discarded quickly.

Also rely on DDoS protection layers such as firewalls and CDNs.

(3) ARP Spoofing Response

  • Analyze logs for abnormal ARP requests.
  • Clear ARP cache on affected devices.
  • Restart network devices if necessary.

I hope this guide proves helpful.
