Eli nqaku yinxalenye yokuqala kuthotho kuhlalutyo isisongelo Sysmon. Zonke ezinye iindawo zolu thotho:
Icandelo 1: Intshayelelo ye-Sysmon Log Analysis (silapha)
Icandelo 2: Ukusebenzisa iDatha yeSigigaba seSysmon ukuchonga iingozi
Icandelo 3. Uhlalutyo olunzulu lwezoyikiso zeSysmon kusetyenziswa iigrafu
Ukuba usebenza kukhuseleko lolwazi, mhlawumbi uhlala uqonda uhlaselo oluqhubekayo. Ukuba sele unalo iliso eliqeqeshiweyo, unokukhangela umsebenzi ongekho mgangathweni kwiilog “eluhlaza” ezingalungiswanga - yithi, iskripthi sePowerShell siyasebenza. okanye iskripthi se-VBS esifihliweyo njengefayile ye-Word - ngokuskrola nje kwimisebenzi yamva nje kwilog yeziganeko WindowsKodwa oku kubuhlungu kakhulu. Ngethamsanqa, iMicrosoft yenze iSysmon, eyenza uhlalutyo lohlaselo lube lula kakhulu.
Ngaba uyafuna ukuqonda iingcamango ezisisiseko emva kwezoyikiso eziboniswe kwilog yeSysmon? Khuphela isikhokelo sethu kwaye uyayiqonda indlela abantu bangaphakathi abanokubajonga ngayo ngasese abanye abasebenzi. Ingxaki ephambili yokusebenza nge-log yeziganeko Windows Ingxaki kukunqongophala kolwazi malunga neenkqubo zabazali, nto leyo ethetha ukuba akunakwenzeka ukuqonda uluhlu lweenkqubo. Kwelinye icala, ii-Sysmon log entries ziqulathe i-parent process ID, igama layo, kunye nomgca womyalelo oqhutywayo. Enkosi, Microsoft.
Kwinxalenye yokuqala yothotho lwethu, siza kujonga into onokuyenza ngolwazi olusisiseko oluvela kwiSysmon. KwiSigaba sesi-XNUMX, siya kuxhamla ngokupheleleyo kulwazi lwenkqubo yabazali ukwenza iinkqubo zokuthobela ezintsonkothileyo ezaziwa ngokuba ziigrafu ezisongelayo. Kwinxalenye yesithathu, siya kujonga i-algorithm elula ehlola igrafu yosongo ukukhangela umsebenzi ongaqhelekanga ngokuhlalutya "ubunzima" begrafu. Kwaye ekugqibeleni, uya kuvuzwa ngendlela ecocekileyo (kwaye iyaqondakala) probabilistic isoyikiso ubhaqo indlela.
Icandelo 1: Intshayelelo ye-Sysmon Log Analysis
Yintoni enokukunceda uqonde ubunzima belog yesiganeko? Ekugqibeleni - SIEM. Yenza iziganeko eziqhelekileyo kwaye ilula uhlalutyo lwazo olulandelayo. Kodwa akuyomfuneko ukuba siye kude kangako, ubuncinane ekuqaleni. Ekuqaleni, ukuqonda imigaqo ye-SIEM, kuya kwanela ukuzama into eluncedo yeSysmon yasimahla. Kwaye kulula ngokumangalisayo ukusebenza naye. Qhubeka, Microsoft!
Zeziphi iimpawu anazo uSysmon?
Ngamafutshane, inika ulwazi oluluncedo nolufundekayo malunga neenkqubo (jonga imifanekiso engezantsi). Uza kufumana iinkcukacha ezininzi eziluncedo ezingafumanekiyo kwi-event log. Windows, kodwa ezona zibalulekileyo zezi zilandelayo:
- Isazisi senkqubo (kwidesimali, hayi i-hex!)
- Isazisi senkqubo yomzali
- Inkqubo yomgca womyalelo
- Umgca womyalelo wenkqubo yomzali
- Umfanekiso wefayile hash
- Amagama emifanekiso yeefayile
I-Sysmon ifakwe zombini njengomqhubi wesixhobo kwaye njengenkonzo - iinkcukacha ezininzi Inzuzo yayo ephambili kukukwazi ukuhlalutya izingodo ukusuka ezininzi imithombo, ulungelelwaniso lolwazi kunye nesiphumo samaxabiso anesiphumo kwifolda yelog yesiganeko esibekwe ecaleni kwendlela IMicrosoft -> Windows -> ISysmon -> UkusebenzaKuphando lwam lwerekhodi WindowsIimpazamo zokuphakamisa iinwele ezinje ngezi zindenze ndanyanzeleka ukuba nditshintshe rhoqo phakathi, masithi, ifolda yeelogi zePowerShell kunye nefolda yoKhuseleko, ndiskrola kwiilogi zeziganeko ngendlela yobugorha ukuze ngandlela ithile ndidibanise amaxabiso phakathi kwazo. Oku akuyonto ilula, kwaye njengoko ndaqondayo kamva, bekuya kuba ngcono ukugcina i-aspirin kwangoko.
I-Sysmon ithatha i-quantum leap phambili ngokubonelela luncedo (okanye njengoko abathengisi bathanda ukutsho, intshukumo) ulwazi ukunceda ukuqonda iinkqubo ezisisiseko. Ngokomzekelo, ndaqalisa iseshoni eyimfihlo , ukulinganisa intshukumo yomntu ongaphakathi okrelekrele ngaphakathi kwinethiwekhi. Oku uza kukubona kwingxelo yeziganeko. Windows:
Kwimagazini Windows Olunye ulwazi lwenkqubo luyabonakala, kodwa aluluncedo kangako. Kwakhona, ii-ID zenkqubo zikwimo ye-hexadecimal?
Kumsebenzi we-IT oqeqeshiweyo onokuqonda izinto ezisisiseko zokuqhekeza, umgca womyalelo kufuneka ukrokre. Ukusebenzisa i-cmd.exe ukwenza omnye umyalelo kwaye uqondise kwakhona imveliso kwifayile enegama elingaqhelekanga ifana ngokucacileyo nezenzo zokubeka iliso kunye nokulawula isoftware. : Ngale ndlela, i-pseudo-shell yenziwa kusetyenziswa iinkonzo ze-WMI.
Ngoku makhe sijonge kwi-Sysmon yokungena elinganayo, siqaphela ukuba lungakanani ulwazi olongezelelweyo olusinika lona:
Iimpawu zeSysmon kwisikrini esinye: ulwazi oluneenkcukacha malunga nenkqubo kwifomu efundekayo
Awuboni nje kuphela umgca womyalelo, kodwa negama lefayile, indlela eya kwisicelo esisebenzisekayo, esi Windows uyazi ngayo ("Windows "Iprosesa yoMyalelo", isihlonzi yabazali inkqubo, umgca womyalelo umzali, eyazisa iqokobhe le cmd, kunye negama lokwenyani lefayile yenkqubo yomzali. Yonke into kwindawo enye, ekugqibeleni!
Ukusuka kwi-log ye-Sysmon sinokugqiba ukuba ngeqondo eliphezulu elinokwenzeka lo mgca womyalelo okrokrelayo esiwubonile kwiilogi "eziluhlaza" ayisosiphumo somsebenzi oqhelekileyo womqeshwa. Ngokuchasene noko, yaveliswa yinkqubo efana ne-C2 - wmiexec, njengoko benditshilo ngaphambili - kwaye yaveliswa ngokuthe ngqo yinkqubo yenkonzo ye-WMI (WmiPrvSe). Ngoku sinesalathiso sokuba umhlaseli okude okanye umntu ongaphakathi uvavanya isiseko senkampani.
Ukwazisa i-Get-Sysmonlogs
Ewe kuhle xa iSysmon ibeka iinkuni kwindawo enye. Kodwa kuya kuba ngcono ngakumbi ukuba sinokufikelela kwiindawo zokungena ngokwenkqubo-umzekelo, ngemiyalelo yePowerShell. Kule meko, ungabhala iskripthi esincinci se-PowerShell esiya kuthi sizenzele ukukhangela izoyikiso ezinokubakho!
Ndandingengomntu wokuqala ukuba nombono onjalo. Kwaye kulungile ukuba kwezinye izithuba zeforum kunye neGitHub Sele icacisiwe indlela yokusebenzisa iPowerShell ukwahlula ilog yeSysmon. Kwimeko yam, bendifuna ukunqanda ukubhala imigca eyahlukeneyo yesikripthi sokwahlulahlula kwindawo nganye yeSysmon. Ngoko ndasebenzisa umgaqo wevila kwaye ndicinga ukuba ndize nento enomdla njengesiphumo.
Inqaku lokuqala elibalulekileyo likhono leqela funda iilog zeSysmon, hluza iziganeko eziyimfuneko kwaye ukhuphe isiphumo kuguqulo lwePS, njengalapha:
$events = Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" | where { $_.id -eq 1 -or $_.id -eq 11}
Ukuba ufuna ukuvavanya umyalelo ngokwakho, ngokubonisa umxholo kwindawo yokuqala ye-$ uluhlu lweziganeko, i-$ iziganeko[0] .Umyalezo, imveliso inokuba luluhlu lweentambo zokubhaliweyo ezinefomathi elula kakhulu: Intsimi yeSysmon, ikholoni, kwaye ke ixabiso ngokwalo.
Uxolo! Ukukhutshwa kwelogi yeSysmon kwifomati elungele i-JSON
Ngaba ucinga into efanayo nam? Ngomzamo omncinci ngakumbi, unokuguqula imveliso ibe ngumtya ofomatiweyo we-JSON kwaye emva koko uyilayishe ngokuthe ngqo kwinto ye-PS usebenzisa umyalelo onamandla. .
Ndiza kubonisa ikhowudi ye-PowerShell yokuguqulwa-ilula kakhulu-kwicandelo elilandelayo. Okwangoku, makhe sibone ukuba yintoni umyalelo wam omtsha obizwa ngokuba yi-get-sysmonlogs, endiyifake njengemodyuli ye-PS, enokuyenza.
Endaweni yokuntywila nzulu kuhlalutyo lwelog yeSysmon ngokusebenzisa ujongano lwelog yesiganeko esingathandekiyo, singakwazi ukukhangela umsebenzi owongezelelweyo ngokuthe ngqo kwiseshoni yePowerShell, kunye nokusebenzisa umyalelo wePS. (igama elingelilo – “?”) ukwenza mfutshane iziphumo zophendlo:
Uluhlu lwamaqokobhe e-cmd aqaliswe nge-WMI. Uhlahlelo lwezoyikiso ngexabiso eliphantsi kunye neQela lethu le-Get-Sysmonlogs
Iyamangalisa! Ndenze isixhobo sokuvota kwilog yeSysmon ngokungathi sisiseko sedatha. Kwinqaku lethu malunga kuye kwaqatshelwa ukuba lo msebenzi uza kwenziwa ngumsebenzi opholileyo ochazwe kuyo, nangona ngokusesikweni nangoku ujongano olufana nolwenyani lweSQL. Ewe, EQL ubuhle, kodwa siya kuyichukumisa kwinxalenye yesithathu.
I-Sysmon kunye nohlalutyo lwegrafu
Masibuye umva sicinge ngento esisandula ukuyenza. Ngokusisiseko, ngoku sinesisele sedatha yeziganeko. Windows, ifikeleleka ngePowerShell. Njengoko benditshilo ngaphambili, kukho unxibelelwano okanye ubudlelwane phakathi kweerekhodi—ngeParentProcessId—ukuze ukwazi ukufumana uluhlu olupheleleyo lweenkqubo.
Ukuba ufunde uthotho uyazi ukuba abahlaseli bathanda ukwenza uhlaselo oluntsonkothileyo lwamanqanaba amaninzi, apho inkqubo nganye idlala indima yayo encinci kwaye ilungiselela i-springboard yenyathelo elilandelayo. Kunzima kakhulu ukubamba izinto ezinjalo ngokulula kwilog “ekrwada”.
Kodwa ngomyalelo wam we-Get-Sysmonlogs kunye nolwakhiwo lwedatha olongezelelweyo siza kujonga kamva kwisicatshulwa (igrafu, kunjalo), sinendlela esebenzayo yokubona izoyikiso - ezifuna ukwenza uphendlo olululo lwevertex.
Njengesiqhelo ngeeprojekthi zethu zebhlog ye-DYI, okukhona usebenza ngakumbi ekuhlalutyeni iinkcukacha zezoyikiso kwinqanaba elincinci, kokukhona uya kuqonda ukuba kuntsonkothile kangakanani ukufumanisa isoyikiso kwinqanaba leshishini. Kwaye olu lwazi lukhulu kakhulu inqaku elibalulekileyo.
Siza kuhlangabezana neengxaki zokuqala ezinomdla kwinxalenye yesibini yenqaku, apho siya kuqala ukudibanisa imicimbi yeSysmon kunye neyodwa kwizakhiwo ezinzima kakhulu.
umthombo: www.habr.com
