Eli nqaku yinxalenye yokuqala kuthotho kuhlalutyo isisongelo Sysmon. Zonke ezinye iindawo zolu thotho:
Icandelo 1: Intshayelelo ye-Sysmon Log Analysis (silapha)
Icandelo 2: Ukusebenzisa iDatha yeSigigaba seSysmon ukuchonga iingozi
Icandelo 3. Uhlalutyo olunzulu lwezoyikiso zeSysmon kusetyenziswa iigrafu
Ukuba usebenza kukhuseleko lolwazi, mhlawumbi uhlala uqonda uhlaselo oluqhubekayo. Ukuba sele unalo iliso eliqeqeshiweyo, unokukhangela umsebenzi ongekho mgangathweni kwiilog “eluhlaza” ezingalungiswanga - yithi, iskripthi sePowerShell siyasebenza. okanye iskripthi seVBS esizenza ifayile yeWord - skrola ngokulula kwimisebenzi yamva nje kwilog yesiganeko sikaWindows. Kodwa le yintloko enkulu ngenene. Ngethamsanqa, iMicrosoft yenza iSysmon, eyenza uhlahlelo lohlaselo lube lula kakhulu.
Ngaba uyafuna ukuqonda iingcamango ezisisiseko emva kwezoyikiso eziboniswe kwilog yeSysmon? Khuphela isikhokelo sethu kwaye uyaqonda ukuba abangaphakathi banokujonga njani abanye abasebenzi ngokufihlakeleyo. Ingxaki ephambili yokusebenza kunye nelog yesiganeko seWindows kukungabikho kolwazi malunga neenkqubo zabazali, okt. akunakwenzeka ukuqonda ulawulo lweenkqubo ukusuka kuyo. Amangeno elogi yeSysmon, kwelinye icala, aqulathe inkqubo ye-ID yomzali, igama layo, kunye nomgca womyalelo oza kusungulwa. Enkosi, Microsoft.
Kwinxalenye yokuqala yothotho lwethu, siza kujonga into onokuyenza ngolwazi olusisiseko oluvela kwiSysmon. KwiSigaba sesi-XNUMX, siya kuxhamla ngokupheleleyo kulwazi lwenkqubo yabazali ukwenza iinkqubo zokuthobela ezintsonkothileyo ezaziwa ngokuba ziigrafu ezisongelayo. Kwinxalenye yesithathu, siya kujonga i-algorithm elula ehlola igrafu yosongo ukukhangela umsebenzi ongaqhelekanga ngokuhlalutya "ubunzima" begrafu. Kwaye ekugqibeleni, uya kuvuzwa ngendlela ecocekileyo (kwaye iyaqondakala) probabilistic isoyikiso ubhaqo indlela.
Icandelo 1: Intshayelelo ye-Sysmon Log Analysis
Yintoni enokukunceda uqonde ubunzima belog yesiganeko? Ekugqibeleni - SIEM. Yenza iziganeko eziqhelekileyo kwaye ilula uhlalutyo lwazo olulandelayo. Kodwa akuyomfuneko ukuba siye kude kangako, ubuncinane ekuqaleni. Ekuqaleni, ukuqonda imigaqo ye-SIEM, kuya kwanela ukuzama into eluncedo yeSysmon yasimahla. Kwaye kulula ngokumangalisayo ukusebenza naye. Qhubeka, Microsoft!
Zeziphi iimpawu anazo uSysmon?
Ngamafutshane - ulwazi oluluncedo nolufundekayo malunga neenkqubo (jonga imifanekiso engezantsi). Uya kufumana iqela leenkcukacha eziluncedo ezingekho kwi-Windows Event Log, kodwa eyona nto ibalulekileyo yile mimandla ilandelayo:
- Isazisi senkqubo (kwidesimali, hayi i-hex!)
- Isazisi senkqubo yomzali
- Inkqubo yomgca womyalelo
- Umgca womyalelo wenkqubo yomzali
- Umfanekiso wefayile hash
- Amagama emifanekiso yeefayile
I-Sysmon ifakwe zombini njengomqhubi wesixhobo kwaye njengenkonzo - iinkcukacha ezininzi Inzuzo yayo ephambili kukukwazi ukuhlalutya izingodo ukusuka ezininzi imithombo, ulungelelwaniso lolwazi kunye nesiphumo samaxabiso anesiphumo kwifolda yelog yesiganeko esibekwe ecaleni kwendlela IMicrosoft -> Windows -> Sysmon -> Iyasebenza. Kuphando lwam lokunyusa iinwele kwiilog zeWindows, ndiye ndazifumana ndihlala nditshintsha phakathi, ndithi, ifolda ye-PowerShell yelog kunye nefolda yoKhuseleko, ndishukuma kwizigodo zesiganeko kumzamo wobugorha wokulungelelanisa amaxabiso phakathi kwezi zimbini. . Lo ayisokuze ibe ngumsebenzi olula, kwaye njengoko ndaqondayo kamva, bekungcono ukuba ndikhuphe i-aspirin kwangoko.
I-Sysmon ithatha i-quantum leap phambili ngokubonelela luncedo (okanye njengoko abathengisi bathanda ukutsho, intshukumo) ulwazi ukunceda ukuqonda iinkqubo ezisisiseko. Ngokomzekelo, ndaqalisa iseshoni eyimfihlo , ukulinganisa ukuhamba komntu ongaphakathi ngaphakathi kwinethiwekhi. Nantsi into oza kuyibona kwilog yesiganeko seWindows:
Ilog yeWindows ibonisa ulwazi malunga nenkqubo, kodwa ayisebenzi kangako. I-ID yenkqubo eDityanisiweyo ngehexadecimal???
Kumsebenzi we-IT oqeqeshiweyo onokuqonda izinto ezisisiseko zokuqhekeza, umgca womyalelo kufuneka ukrokre. Ukusebenzisa i-cmd.exe ukwenza omnye umyalelo kwaye uqondise kwakhona imveliso kwifayile enegama elingaqhelekanga ifana ngokucacileyo nezenzo zokubeka iliso kunye nokulawula isoftware. : Ngale ndlela, i-pseudo-shell yenziwa kusetyenziswa iinkonzo ze-WMI.
Ngoku makhe sijonge kwi-Sysmon yokungena elinganayo, siqaphela ukuba lungakanani ulwazi olongezelelweyo olusinika lona:
Iimpawu zeSysmon kwisikrini esinye: ulwazi oluneenkcukacha malunga nenkqubo kwifomu efundekayo
Awuboni kuphela umgca womyalelo, kodwa kunye negama lefayile, indlela eya kwisicelo esiphunyeziweyo, yintoni iWindows eyaziyo ngayo ("iWindows Command Processor"), isazisi. yabazali inkqubo, umgca womyalelo umzali, eyazisa iqokobhe le cmd, kunye negama lokwenyani lefayile yenkqubo yomzali. Yonke into kwindawo enye, ekugqibeleni!
Ukusuka kwi-log ye-Sysmon sinokugqiba ukuba ngeqondo eliphezulu elinokwenzeka lo mgca womyalelo okrokrelayo esiwubonile kwiilogi "eziluhlaza" ayisosiphumo somsebenzi oqhelekileyo womqeshwa. Ngokuchasene noko, yaveliswa yinkqubo efana ne-C2 - wmiexec, njengoko benditshilo ngaphambili - kwaye yaveliswa ngokuthe ngqo yinkqubo yenkonzo ye-WMI (WmiPrvSe). Ngoku sinesalathiso sokuba umhlaseli okude okanye umntu ongaphakathi uvavanya isiseko senkampani.
Ukwazisa i-Get-Sysmonlogs
Ewe kuhle xa iSysmon ibeka iinkuni kwindawo enye. Kodwa kuya kuba ngcono ngakumbi ukuba sinokufikelela kwiindawo zokungena ngokwenkqubo-umzekelo, ngemiyalelo yePowerShell. Kule meko, ungabhala iskripthi esincinci se-PowerShell esiya kuthi sizenzele ukukhangela izoyikiso ezinokubakho!
Ndandingengomntu wokuqala ukuba nombono onjalo. Kwaye kulungile ukuba kwezinye izithuba zeforum kunye neGitHub Sele icacisiwe indlela yokusebenzisa iPowerShell ukwahlula ilog yeSysmon. Kwimeko yam, bendifuna ukunqanda ukubhala imigca eyahlukeneyo yesikripthi sokwahlulahlula kwindawo nganye yeSysmon. Ngoko ndasebenzisa umgaqo wevila kwaye ndicinga ukuba ndize nento enomdla njengesiphumo.
Inqaku lokuqala elibalulekileyo likhono leqela funda iilog zeSysmon, hluza iziganeko eziyimfuneko kwaye ukhuphe isiphumo kuguqulo lwePS, njengalapha:
$events = Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" | where { $_.id -eq 1 -or $_.id -eq 11}
Ukuba ufuna ukuvavanya umyalelo ngokwakho, ngokubonisa umxholo kwindawo yokuqala ye-$ uluhlu lweziganeko, i-$ iziganeko[0] .Umyalezo, imveliso inokuba luluhlu lweentambo zokubhaliweyo ezinefomathi elula kakhulu: Intsimi yeSysmon, ikholoni, kwaye ke ixabiso ngokwalo.
Uxolo! Ukukhutshwa kwelogi yeSysmon kwifomati elungele i-JSON
Ngaba ucinga into efanayo nam? Ngomzamo omncinci ngakumbi, unokuguqula imveliso ibe ngumtya ofomatiweyo we-JSON kwaye emva koko uyilayishe ngokuthe ngqo kwinto ye-PS usebenzisa umyalelo onamandla. .
Ndiza kubonisa ikhowudi ye-PowerShell yokuguqulwa-ilula kakhulu-kwicandelo elilandelayo. Okwangoku, makhe sibone ukuba yintoni umyalelo wam omtsha obizwa ngokuba yi-get-sysmonlogs, endiyifake njengemodyuli ye-PS, enokuyenza.
Endaweni yokuntywila nzulu kuhlalutyo lwelog yeSysmon ngokusebenzisa ujongano lwelog yesiganeko esingathandekiyo, singakwazi ukukhangela umsebenzi owongezelelweyo ngokuthe ngqo kwiseshoni yePowerShell, kunye nokusebenzisa umyalelo wePS. (igama elingelilo – “?”) ukwenza mfutshane iziphumo zophendlo:
Uluhlu lwamaqokobhe e-cmd aqaliswe nge-WMI. Uhlahlelo lwezoyikiso ngexabiso eliphantsi kunye neQela lethu le-Get-Sysmonlogs
Iyamangalisa! Ndenze isixhobo sokuvota kwilog yeSysmon ngokungathi sisiseko sedatha. Kwinqaku lethu malunga kuye kwaqatshelwa ukuba lo msebenzi uza kwenziwa ngumsebenzi opholileyo ochazwe kuyo, nangona ngokusesikweni nangoku ujongano olufana nolwenyani lweSQL. Ewe, EQL ubuhle, kodwa siya kuyichukumisa kwinxalenye yesithathu.
I-Sysmon kunye nohlalutyo lwegrafu
Masikhe sibuye umva sicinge ngale nto sigqiba kuyidala. Ngokusisiseko, ngoku sinesiseko sedatha ye-Windows efikelelekayo ngePowerShell. Njengoko bendiphawulile ngaphambili, kukho unxibelelwano okanye ubudlelwane phakathi kweerekhodi - ngeParentProcessId - ngoko ke uluhlu olupheleleyo lweenkqubo lunokufumaneka.
Ukuba ufunde uthotho uyazi ukuba abahlaseli bathanda ukwenza uhlaselo oluntsonkothileyo lwamanqanaba amaninzi, apho inkqubo nganye idlala indima yayo encinci kwaye ilungiselela i-springboard yenyathelo elilandelayo. Kunzima kakhulu ukubamba izinto ezinjalo ngokulula kwilog “ekrwada”.
Kodwa ngomyalelo wam we-Get-Sysmonlogs kunye nolwakhiwo lwedatha olongezelelweyo siza kujonga kamva kwisicatshulwa (igrafu, kunjalo), sinendlela esebenzayo yokubona izoyikiso - ezifuna ukwenza uphendlo olululo lwevertex.
Njengesiqhelo ngeeprojekthi zethu zebhlog ye-DYI, okukhona usebenza ngakumbi ekuhlalutyeni iinkcukacha zezoyikiso kwinqanaba elincinci, kokukhona uya kuqonda ukuba kuntsonkothile kangakanani ukufumanisa isoyikiso kwinqanaba leshishini. Kwaye olu lwazi lukhulu kakhulu inqaku elibalulekileyo.
Siza kuhlangabezana neengxaki zokuqala ezinomdla kwinxalenye yesibini yenqaku, apho siya kuqala ukudibanisa imicimbi yeSysmon kunye neyodwa kwizakhiwo ezinzima kakhulu.
umthombo: www.habr.com
