Sysmon Threat Analysis Guide, Part One

This article is the first part of a series on Sysmon threat analysis. All parts of the series:

Part 1: Introduction to Sysmon Log Analysis (you are here)
Part 2: Using Sysmon Event Data to Detect Threats
Part 3: In-depth Sysmon Threat Analysis Using Graphs

If you work in information security, you often have to make sense of an attack in progress. With a trained eye you can spot non-standard activity in the "raw", unprocessed logs - say, a PowerShell script running with the DownloadString command, or a VBS script pretending to be a Word file - just by scrolling through the recent events in the Windows event log. But that is a real headache. Fortunately, Microsoft created Sysmon, which makes attack analysis much easier.

Want to understand the basic ideas behind the threats that show up in the Sysmon log? Download our guide "WMI Events as a Means of Spying" and learn how insiders can covertly watch other employees. The main problem with the Windows event log is the lack of information about parent processes, i.e. the process hierarchy cannot be reconstructed from it. Sysmon log entries, on the other hand, contain the parent process ID, its name, and the command line that was launched. Thank you, Microsoft.

In the first part of our series, we'll look at what you can do with the basic information from Sysmon. In Part 2, we'll take full advantage of the parent-process information to build more complex tracking structures known as threat graphs. In the third part, we'll look at a simple algorithm that scans a threat graph for unusual activity by analyzing the graph's "weight". And finally, you'll be rewarded with a neat (and understandable) probabilistic threat detection method.

Part 1: Introduction to Sysmon Log Analysis

What can help you deal with the complexity of the event log? Ultimately, a SIEM. It normalizes events and simplifies their subsequent analysis. But we don't have to go that far, at least not at first. To begin with, it is enough to try the wonderful free Sysmon utility to understand the principles behind a SIEM. And it is surprisingly easy to work with. Keep it up, Microsoft!

What is Sysmon?

In short: useful and readable information about processes (see the screenshots below). You get a number of useful details that are not in the Windows Event Log, but the most important are the following fields:

  • Process ID (in decimal, not hex!)
  • Parent process ID
  • Process command line
  • Parent process command line
  • Image file hash
  • Image file names

Sysmon is installed both as a device driver and as a service - more details here. Its key advantage is the ability to collect logs from several sources, correlate the information and write the resulting values to a single event log folder located at Microsoft -> Windows -> Sysmon -> Operational. In my hair-raising investigations of Windows logs, I found myself constantly switching between, say, the PowerShell logs folder and the Security folder, scrolling through event logs in a brave attempt to somehow match values between the two. This is never an easy task, and as I found out later, it was better to just stock up on aspirin.

Sysmon takes a quantum leap forward by providing useful (or, as vendors like to say, actionable) information that helps you understand the underlying processes. For example, I started a covert wmiexec session, simulating a clever insider moving laterally within the network. Here is what you will see in the Windows event log:


The Windows log shows some information about the process, but it is of little use. And process IDs in hexadecimal???

To an IT professional who understands the basics of hacking, that command line should look suspicious. Using cmd.exe to run another command and redirect its output to a file with a strange name is clearly similar to what command-and-control (C2) software does: this is how a pseudo-shell is created through the WMI services.
Now let's look at the equivalent Sysmon entry and see how much more information it gives us:


Sysmon shows it all on one screen: detailed information about the process in readable form

You see not only the command line, but also the file name, the path to the executable, what Windows knows about it ("Windows Command Processor"), the parent process ID, the parent's command line that started the cmd shell, and the actual file name of the parent process. Everything in one place, at last!
From the Sysmon log we can conclude with a high degree of confidence that the command line we saw in the "raw" logs is not the result of an employee's normal work. On the contrary, it was generated by a C2-like process - wmiexec, as I mentioned - and spawned directly by the WMI service process (WmiPrvSe). We now have an indicator that a remote attacker or an insider is probing the company's infrastructure.

Introducing Get-Sysmonlogs

It's good, of course, that Sysmon puts the logs in one place. But it would be even better if we could access the individual fields programmatically - for example, from PowerShell commands. Then you could write a small PowerShell script that automates the search for potential threats!
I wasn't the first to have this idea. Fortunately, some forum posts and GitHub projects have already explained how to use PowerShell to parse the Sysmon log. For my part, I wanted to avoid writing a separate line of parsing script for each Sysmon field. So I applied the lazy man's principle and, I think, came up with something interesting as a result.
The first important thing is the ability of the Get-WinEvent command to read the Sysmon logs, filter for the required events and output the result to a PS variable, like this:

$events = Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" | where { $_.id -eq 1 -or $_.id -eq 11 }

If you want to try the command yourself, display the contents of the first element of the $events array, $events[0].Message: the output is a block of text lines with a simple structure - the name of the Sysmon field, a colon, and then its value.


Hooray! The Sysmon entry output in a JSON-ready format

Are you thinking the same thing I am? With a little effort, you can convert that output into a JSON-formatted string and then load it directly into a PS object with the powerful ConvertFrom-Json command.
I'll show the PowerShell conversion code - it's very simple - in the next part. For now, let's see what my new command, called get-sysmonlogs, which I installed as a PS module, can do.
Instead of digging through the Sysmon log in the clumsy event log interface, we can search for suspicious activity directly from a PowerShell session, using the PS where command (alias "?") to narrow down the results:


List of cmd shells launched via WMI. Threat analysis on the cheap with our Get-Sysmonlogs command
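As an added example (not the author's get-sysmonlogs module), here is the field parsing and JSON conversion the text describes, followed by the where filter that finds cmd shells spawned by the WMI provider host. The function name ConvertFrom-SysmonMessage and the sample message are assumptions constructed for this example so it runs without Sysmon installed.

```powershell
# Added example, not the page's own code. Turn a Sysmon "Field: value" message
# into a PSCustomObject by way of JSON, then query it with where.
function ConvertFrom-SysmonMessage {
    param([Parameter(Mandatory)][string]$Message)
    # Each line is "FieldName: value". Values contain colons themselves
    # (e.g. "C:\Windows"), so the key is everything up to the FIRST colon.
    $pairs = foreach ($line in ($Message -split "`r?`n")) {
        if ($line -match '^\s*([^:]+):\s?(.*)$') {
            $key   = $matches[1].Trim()
            # Escape backslashes and quotes so the string is valid JSON.
            $value = $matches[2].Trim() -replace '\\', '\\' -replace '"', '\"'
            '"{0}": "{1}"' -f $key, $value
        }
    }
    $json = '{' + ($pairs -join ',') + '}'
    return ($json | ConvertFrom-Json)
}

# Constructed sample ID 1 (Process Create) message of the kind the text
# describes: a cmd shell whose parent is WmiPrvSE.exe, output redirected
# to an oddly named file. Not captured from a real host.
$sampleMessage = @"
Process Create:
RuleName: -
UtcTime: 2024-01-01 10:00:00.000
ProcessId: 4242
Image: C:\Windows\System32\cmd.exe
CommandLine: cmd.exe /Q /c hostname 1> C:\Windows\Temp\__out.tmp 2>&1
ParentProcessId: 1337
ParentImage: C:\Windows\System32\wbem\WmiPrvSE.exe
ParentCommandLine: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
"@

# On a real host, replace the sample with live Sysmon events:
#   $procs = Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" |
#       where { $_.Id -eq 1 } | ForEach-Object { ConvertFrom-SysmonMessage $_.Message }
$procs = @(ConvertFrom-SysmonMessage $sampleMessage)

# The detection from the text: cmd shells launched by the WMI provider host.
$suspicious = $procs | where {
    $_.Image -like '*\cmd.exe' -and $_.ParentImage -like '*\WmiPrvSE.exe'
}
$suspicious | Select-Object UtcTime, ProcessId, ParentProcessId, CommandLine | Format-List
```

The parent/child match on image names is what the raw Windows log cannot give you; the decimal ProcessId and ParentProcessId fields let you join records across events in Part 2.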

Amazing! I've created a tool that queries the Sysmon log as if it were a database. In our article on EQL we noted that this job is done by the cool utility described there, although formally still through a genuinely SQL-like interface. Yes, EQL is elegant, but we'll get to it in the third part.

Sysmon and graph analysis

Let's step back and think about what we've built. Essentially, we now have a database of Windows events accessible from PowerShell. As I noted earlier, there are links or relationships between the records - via ParentProcessId - so the complete process hierarchy can be recovered.

If you've read the series "The Adventures of Elusive Malware", you know that hackers like to build complex multi-stage attacks in which each process plays its own small part and prepares the ground for the next stage. It is extremely hard to catch such things in the "raw" log.
But with my Get-Sysmonlogs command and one additional data structure that we'll look at later in the text (a graph, of course), we have a practical way to detect threats - all it takes is the right vertex search.
As always with our DIY blog projects, the more you work on analyzing threat details at small scale, the more you realize how hard threat detection is at the enterprise level. And that realization is an extremely important point.

We'll run into the first interesting difficulties in the second part of the article, where we start linking Sysmon events to each other into much more complex structures.

Source: www.habr.com
