Sysmon Threat Analysis Guide, Part 1

This article is the first part of a series on Sysmon threat analysis. The other parts of the series:

Part 1: Introduction to Sysmon Log Analysis (you are here)
Part 2: Using Sysmon Event Data to Detect Threats
Part 3: In-depth Sysmon threat analysis using graphs

If you work in information security, you often have to figure out what is actually going on. With a trained eye you can spot unusual activity in the "raw", unprocessed logs, say a PowerShell script running a DownloadString command, or a VBS script masquerading as a Word document, just by scrolling through recent events in the Windows event log. But that is a real headache. Fortunately, Microsoft created Sysmon, which makes the analysis far easier.

Want to understand the basic ideas behind the threats that show up in the Sysmon log? Download our guide "WMI Events as a Spying Technique" and learn how insiders can covertly monitor other employees. The main problem with the Windows event log is the lack of information about parent processes: it is impossible to reconstruct the process hierarchy from it. Sysmon records, on the other hand, contain the parent's process ID, its name, and the command line it was launched with. Thank you, Microsoft.

In the first part of the series we look at what can be done with the basic information Sysmon provides. In Part 2 we will make full use of the parent-process information to build more complex structures known as threat graphs. In the third part we will look at a simple algorithm that scans a threat graph for unusual activity by analysing the graph's "weight". In the end you will have a clean (and understandable) threat detection method.

Part 1: Introduction to Sysmon Log Analysis

What can help you make sense of the log? Ultimately, a SIEM. It normalises events and simplifies their subsequent analysis. But we don't need to go that far, at least not at first. To begin with, understanding the principles of a SIEM is well served by trying the free Sysmon tool. And it is surprisingly easy to work with. Keep it up, Microsoft!

What does Sysmon give you?

In short: useful, readable information about processes (see the screenshots below). You get many useful details that are missing from the Windows Event Log, but the most important ones are:

  • Process ID (in decimal, not hex!)
  • Parent process ID
  • Process command line
  • Parent process command line
  • Image file hash
  • Image file names

Sysmon is installed as a device driver and as a service (more details here). Its key advantage is that it collects logs from several sources, correlates the information and writes the result to a single log located at Microsoft -> Windows -> Sysmon -> Operational. In my own hair-raising investigations of Windows logs, I found myself constantly switching between, say, the PowerShell log folder and the Security folder, flipping through the event viewers and trying to somehow match up the contents of the two. It is not an easy task, and as I realised later, it would have been wise to stock up on aspirin right away.

Sysmon takes a leap forward by providing useful (or, as vendors like to say, actionable) information that helps you understand what is going on. For example, I started a stealthy wmiexec session to simulate a clever insider moving laterally within the network. Here is what you would see in the Windows event log:


The Windows log shows a lot about the process, but it is not very useful. And the process IDs are in hexadecimal???

To an IT professional who knows the basics of hacking, the command line should already look suspicious. Using cmd.exe to run another command and redirecting its output to a file with an odd name resembles the behaviour of command-and-control (C2) software: this is how a pseudo-shell is created via the WMI services.
Now let's look at the Sysmon equivalent and see how much extra information it gives us:


Sysmon fits in one screenshot: detailed process information in a readable form

You see not only the command line but also the file name, the path to the executable, what Windows knows about it ("Windows Command Processor"), the parent process ID, the parent command line that spawned the cmd shell, and the real file name of the parent process. Everything in one place, finally!
From the Sysmon log we can conclude that the suspicious command line we saw in the "raw" logs is most likely not the result of an employee's normal work. Instead, it was generated by a C2-like process (wmiexec, as I mentioned) and spawned directly by the WMI service (WmiPrvSe). Now we have an indication that a remote attacker or an insider is probing the corporate infrastructure.

Introducing Get-Sysmonlogs

It is certainly nice that Sysmon puts the logs in one place. But it would be even better if we could access the log fields programmatically, for example through PowerShell commands. Then you could write a small PowerShell script that automates the search for potential threats!
I am not the first to have this idea. Thankfully, some forum posts and GitHub projects have already explained how to use PowerShell to read the Sysmon log. For my part, I wanted to avoid writing separate lines of script for every Sysmon field. So I applied the principle of laziness and, I think, came up with something interesting.
The key is the ability of the Get-WinEvent command to read the Sysmon log, filter the events of interest and store the result in PS variables, like this:

# Event ID 1 = process creation, event ID 11 = file creation
$events = Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" | where { $_.id -eq 1 -or $_.id -eq 11 }

If you want to try the command yourself, display the contents of the first element of the $events array, $events[0].Message: the output is a series of text lines with a very simple format, the Sysmon field name, a colon, and then the value itself.


Wow! Sysmon log output in a JSON-ready format

Are you thinking the same thing I am? With a little effort you can convert this output into a JSON-formatted string and load it directly into a PS object using the powerful ConvertFrom-Json command.
I will show the PowerShell code for the conversion, which is very simple, in the next part. For now, let's see what my new command, get-sysmonlogs, which I installed as a PS module, can do.
Instead of digging through the Sysmon log via the clumsy event viewer interface, we can easily search for activity from the PowerShell session, and use the PS command where (alias "?") to narrow the results:


List of cmd shells launched via WMI. Threat analysis on the cheap with our own Get-Sysmonlogs command

Amazing! I have built a tool for querying the Sysmon log as if it were a database. In our article about EQL, we noted that this job would be done by the neat utility described there, although still not through a true SQL-like interface. Yes, EQL is elegant, but we will get to that in part three.
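As an added illustration of the idea above (this is not the author's Get-Sysmonlogs module, whose code is promised for the next part), the function below reads Sysmon process-creation events with Get-WinEvent, parses the "Field: value" lines of each Message into a PowerShell object, and then runs the same hunt as the screenshot: cmd shells whose parent is the WMI provider host. It builds the objects directly instead of going through a JSON string, and assumes an elevated session on a host where Sysmon is installed.

```powershell
# Added example, not the article's own module: convert Sysmon "Field: value"
# Message lines into objects that Where-Object can filter.
function Get-SysmonLogs {
    [CmdletBinding()]
    param(
        [int[]]$EventId = @(1),     # 1 = process create, 11 = file create
        [int]$MaxEvents = 1000
    )
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = $EventId }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            # Every Message line after the first ("Process Create:") has the form
            # "Name: value". Only the first colon separates name and value, so
            # values that contain colons themselves (paths, command lines) are kept.
            $props = [ordered]@{ EventId = $_.Id; TimeCreated = $_.TimeCreated }
            foreach ($line in ($_.Message -split "`r?`n")) {
                if ($line -match '^(?<name>[A-Za-z]+):\s?(?<value>.*)$') {
                    $props[$Matches.name] = $Matches.value.Trim()
                }
            }
            [PSCustomObject]$props
        }
}

# The hunt from the screenshot: cmd shells spawned by the WMI provider host,
# the pattern a wmiexec-style pseudo-shell leaves in the log. ProcessId and
# ParentProcessId stay on each object, so records can be chained later.
Get-SysmonLogs -EventId 1 |
    Where-Object { $_.ParentImage -like '*\WmiPrvSE.exe' -and $_.Image -like '*\cmd.exe' } |
    Select-Object UtcTime, ProcessId, ParentProcessId, CommandLine, ParentCommandLine |
    Format-Table -AutoSize -Wrap
```

Legitimate WMI-driven administration (monitoring agents, scripted inventory) also spawns processes under WmiPrvSE.exe, so treat a hit as a lead to check against the parent command line, not as a verdict.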

Sysmon and graph analysis

Let's step back and think about what we have just created. Essentially, we now have a database of Windows events accessible through PowerShell. As I noted earlier, there are links, or relationships, between the records via ParentProcessId, so the complete chain of processes can be recovered.

If you have read the series "The Adventures of the Elusive Malware", you know that hackers like to build complex multi-stage attacks, in which each process plays its small part and sets the stage for the next step. Catching such things from the "raw" log is extremely hard.
But with my Get-Sysmonlogs command and the additional data structure we will look at later in the text (a graph, of course), we have a practical way to detect threats; all that is needed is to search for the right vertex.
As always with our DIY blog projects, the more you work through the details of threat analysis, the better you will understand how hard threat detection is at enterprise scale. And recognising that is an extremely important point.

We will run into the first difficulties in the second part of the article, when we start linking Sysmon events to each other into much more complex structures.

Source: www.habr.com
