Lesi sihloko siyingxenye yokuqala yochungechunge lokuhlaziya usongo lwe-Sysmon. Zonke ezinye izingxenye zochungechunge:
Ingxenye 1: Isingeniso Sokuhlaziywa Kwelogi ye-Sysmon (sikhona)
Ingxenye 2: Ukusebenzisa Idatha Yomcimbi we-Sysmon ukuze Uhlonze Izinsongo
Ingxenye 3. Ukuhlaziywa okujulile kwezinsongo ze-Sysmon kusetshenziswa amagrafu
Uma usebenza ekuvikelekeni kolwazi, ngokuvamile kufanele uqonde ukuhlasela okuqhubekayo. Uma usuvele unalo iso eliqeqeshiwe, ungabheka umsebenzi ongajwayelekile kumalogi “aluhlaza” angacutshunguliwe - yithi, umbhalo we-PowerShell osebenzayo noma umbhalo we-VBS ozenza ifayela le-Word - umane upheqa umsebenzi wakamuva kulogi yomcimbi we-Windows. Kodwa leli yikhanda elikhulu ngempela. Ngenhlanhla, iMicrosoft idale iSysmon, eyenza ukuhlaziya ukuhlasela kube lula kakhulu.
Ingabe ufuna ukuqonda imibono eyisisekelo ngemuva kwezinsongo eziboniswa kulogi ye-Sysmon? Landa umhlahlandlela wethu futhi uyabona ukuthi abangaphakathi bangabona kanjani ngokufihla abanye abasebenzi. Inkinga enkulu ngokusebenza nelogi yomcimbi we-Windows ukuntuleka kolwazi mayelana nezinqubo zabazali, i.e. akunakwenzeka ukuqonda isigaba sezinqubo ezivela kuso. Ngakolunye uhlangothi, okufakiwe kwelogi ye-Sysmon, kuqukethe i-ID yenqubo yomzali, igama layo, nomugqa womyalo ozokwethulwa. Ngiyabonga, Microsoft.
Engxenyeni yokuqala yochungechunge lwethu, sizobheka ukuthi yini ongayenza ngolwazi oluyisisekelo oluvela ku-Sysmon. Engxenyeni yesi-XNUMX, sizosebenzisa ngokugcwele ulwazi lwenqubo yomzali ukuze sakhe izakhiwo zokuthobela eziyinkimbinkimbi ezaziwa ngokuthi amagrafu asongelayo. Engxenyeni yesithathu, sizobheka i-algorithm elula eskena igrafu yokusongela ukuze ifune umsebenzi ongavamile ngokuhlaziya "isisindo" segrafu. Futhi ekugcineni, uzoklonyeliswa ngendlela ehlanzekile (futhi eqondakalayo) yokutholwa kosongo lokusongela.
Ingxenye 1: Isingeniso Sokuhlaziywa Kwelogi ye-Sysmon
Yini engakusiza uqonde ubunkimbinkimbi bokungena komcimbi? Ekugcineni - SIEM. Kwenza izehlakalo zibe lula futhi zenze kube lula ukuhlaziya kwazo okwalandela. Kodwa akufanele sihambe ibanga elide kangako, okungenani ekuqaleni. Ekuqaleni, ukuqonda imigomo ye-SIEM, kuzokwanela ukuzama insiza yamahhala ye-Sysmon. Futhi kulula ngokumangalisayo ukusebenza naye. Qhubeka, Microsoft!
Yiziphi izici u-Sysmon anazo?
Ngamafuphi - ulwazi oluwusizo nolufundekayo mayelana nezinqubo (bheka izithombe ngezansi). Uzothola inqwaba yemininingwane ewusizo engekho ku-Windows Event Log, kodwa ebaluleke kakhulu yilezi zinkambu ezilandelayo:
- I-ID yenqubo (ngedesimali, hhayi i-hex!)
- I-ID yenqubo yomzali
- Cubungula umugqa womyalo
- Umugqa womyalo wenqubo yomzali
- Isithombe sefayela hashi
- Amagama ezithombe zefayela
I-Sysmon ifakwe kokubili njengomshayeli wedivayisi futhi njengesevisi - imininingwane eyengeziwe Inzuzo yayo eyinhloko yikhono lokuhlaziya izingodo kusuka eziningana imithombo, ukuhlotshaniswa kolwazi nokuphuma kwamanani angumphumela kufolda yelogi yomcimbi eyodwa etholakala endleleni IMicrosoft -> Windows -> Sysmon -> Iyasebenza. Ophenyweni lwami lokukhulisa izinwele ezingodweni zeWindows, ngizithole ngilokhu kufanele ngishintshe phakathi, ngithi, ifolda yamalogi ye-PowerShell kanye nefolda Yezokuphepha, ngiphenya izingodo zomcimbi ngomzamo wesibindi wokuhlobanisa amanani ngandlela thize phakathi kwalokhu okubili. . Lona akuwona neze umsebenzi olula, futhi njengoba ngabona kamuva, kwakungcono ukuqoqa ngokushesha ama-aspirin.
I-Sysmon ithatha igxathu eliya phambili ngokunikeza ulwazi oluwusizo (noma njengoba abathengisi bethanda ukusho, okungenziwa) ukuze basize ukuqonda izinqubo eziwumsuka. Ngokwesibonelo, ngaqala iseshini eyimfihlo , elingisa ukunyakaza komuntu wangaphakathi ohlakaniphile ngaphakathi kwenethiwekhi. Nakhu ozokubona kulogi lomcimbi weWindows:
Ilogi yeWindows ikhombisa imininingwane ethile mayelana nenqubo, kepha ayisebenzi kangako. Kanye nama-ID okucubungula nge-hexadecimal???
Kuchwepheshe we-IT ochwepheshe oqonda izisekelo zokugebenga, umugqa womyalo kufanele usolise. Ukusebenzisa i-cmd.exe ukuze uqalise omunye umyalo futhi uqondise kabusha okukhiphayo efayeleni elinegama elingajwayelekile kufana ngokusobala nezenzo zokuqapha nokulawula isoftware. : Ngale ndlela, igobolondo-mbumbulu lenziwa kusetshenziswa izinsiza ze-WMI.
Manje ake sibheke okulingana nokufakiwe kwe-Sysmon, siqaphela ukuthi lungakanani ulwazi olwengeziwe olusinika lona:
I-Sysmon ifaka esithombeni-skrini esisodwa: imininingwane enemininingwane mayelana nenqubo ngendlela efundekayo
Awuboni kuphela umugqa womyalo, kodwa futhi negama lefayela, indlela eya kuhlelo olusebenzisekayo, lokho iWindows ekwaziyo ngakho (“Windows Command Processor”), isihlonzi. umzali inqubo, umugqa womyalo umzali, eyethule igobolondo le-cmd, kanye negama lefayela langempela lenqubo yomzali. Konke endaweni eyodwa, ekugcineni!
Kusukela kulogi ye-Sysmon singaphetha ngokuthi ngokwezinga eliphezulu lokungenzeka lo mugqa womyalo osolisayo esiwubone kulogi “oluhlaza” akuwona umphumela womsebenzi ojwayelekile wesisebenzi. Ngokuphambene nalokho, yakhiqizwa inqubo efana ne-C2 - i-wmiexec, njengoba ngishilo ekuqaleni - futhi yabangelwa inqubo yesevisi ye-WMI (WmiPrvSe). Manje sinenkomba yokuthi umhlaseli okude noma umuntu wangaphakathi uhlola ingqalasizinda yebhizinisi.
Sethula i-Get-Sysmonlogs
Yebo kuhle uma u-Sysmon ebeka izingodo endaweni eyodwa. Kodwa mhlawumbe kungaba ngcono nakakhulu uma singafinyelela izinkambu zelogi ngayinye ngokohlelo - isibonelo, ngemiyalo ye-PowerShell. Kulokhu, ungabhala iskripthi esincane se-PowerShell esingase ngokuzenzakalela ukusesha kwezinsongo ezingaba khona!
Ngangingeyena owokuqala ukuba nombono onjalo. Futhi kuhle ukuthi kwezinye izinkundla okuthunyelwe kanye GitHub Sekuchazile kakade ukuthi isetshenziswa kanjani i-PowerShell ukuze uhlukanise ilogi ye-Sysmon. Endabeni yami, bengifuna ukugwema ukubhala imigqa ehlukene yesikripthi sokuhlaziya senkambu ngayinye ye-Sysmon. Ngakho-ke ngasebenzisa isimiso sendoda evilaphayo futhi ngicabanga ukuthi ngathola okuthile okuthakazelisayo ngenxa yalokho.
Iphuzu lokuqala elibalulekile yikhono leqembu funda izingodo ze-Sysmon, hlunga imicimbi edingekayo futhi ukhiphe umphumela kokuguquguqukayo kwe-PS, njengalapha:
$events = Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" | where { $_.id -eq 1 -or $_.id -eq 11}
Uma ufuna ukuzihlolela umyalo ngokwakho, ngokubonisa okuqukethwe engxenyeni yokuqala yohlu lwemicimbi ye-$, $imicimbi[0].Umlayezo, okukhiphayo kungaba uchungechunge lwezintambo zombhalo ezinefomethi elula kakhulu: igama le Inkambu ye-Sysmon, ikholoni, bese kuba inani ngokwalo.
Hooray! Ikhipha ukungena kwe-Sysmon kufomethi elungele i-JSON
Ingabe ucabanga into efanayo nami? Ngomzamo owengeziwe, ungakwazi ukuguqula okukhiphayo kube iyunithi yezinhlamvu efomethiwe ye-JSON bese uyilayisha ngokuqondile entweni ye-PS usebenzisa umyalo onamandla. .
Ngizobonisa ikhodi ye-PowerShell yokuguqulwa - ilula kakhulu - engxenyeni elandelayo. Okwamanje, ake sibone ukuthi umyalo wami omusha obizwa ngokuthi get-sysmonlogs, engiwufake njengemojula ye-PS, ungayenza ini.
Esikhundleni sokungena sijule ekuhlaziyweni kwelogi ye-Sysmon ngokusebenzisa isixhumi esibonakalayo selogi yomcimbi, singakwazi ukusesha kalula umsebenzi okhulayo ngokuqondile kuseshini ye-PowerShell, futhi sisebenzise umyalo we-PS. (isibizo – “?”) ukuze unciphise imiphumela yosesho:
Uhlu lwamagobolondo e-cmd luqaliswe nge-WMI. Ukuhlaziywa Kosongo Ngokushibhile Ngethimba Lethu Elithi Thola-Sysmonlogs
Kuyamangalisa! Ngidale ithuluzi lokuvota ilogi ye-Sysmon njengokungathi isizindalwazi. Esihlokweni sethu mayelana kwaphawulwa ukuthi lo msebenzi uzokwenziwa insiza epholile echazwe kuyo, nakuba ngokusemthethweni kusasetshenziswa isixhumi esibonakalayo esifana ne-SQL. Yebo, i-EQL nenhle, kodwa sizokuthinta engxenyeni yesithathu.
Ukuhlaziywa kwe-Sysmon negrafu
Ake sibuyele emuva sicabange ngalokho esisanda kukudala. Empeleni, manje sinesizindalwazi somcimbi we-Windows esifinyeleleka nge-PowerShell. Njengoba ngiphawulile ekuqaleni, kukhona ukuxhumana noma ubudlelwano phakathi kwamarekhodi - nge-ParentProcessId - ukuze kutholakale isigaba esiphelele sezinqubo.
Uma ufunde uchungechunge uyazi ukuthi abaduni bathanda ukudala ukuhlasela okuyinkimbinkimbi kwezigaba eziningi, lapho inqubo ngayinye idlala indima yayo encane futhi ilungiselela ibhodi lesinyathelo esilandelayo. Kunzima kakhulu ukubamba izinto ezinjalo kusuka kulogi "eluhlaza".
Kodwa ngomyalo wami we-Get-Sysmonlogs kanye nesakhiwo sedatha eyengeziwe sizobheka kamuva embhalweni (igrafu, kunjalo), sinendlela engokoqobo yokuthola izinsongo - okudinga nje ukwenza ukusesha kwe-vertex okulungile.
Njengenjwayelo ngamaphrojekthi ethu ebhulogi ye-DYI, lapho usebenza kakhulu ekuhlaziyeni imininingwane yezinsongo ngezinga elincane, yilapho uzobona khona ukuthi ukutholwa kwezinsongo kuyinkimbinkimbi kangakanani ezingeni lebhizinisi. Futhi lokhu kuqwashisa kukhulu kakhulu iphuzu elibalulekile.
Sizohlangabezana nezinkinga zokuqala ezithakazelisayo engxenyeni yesibili ye-athikili, lapho sizoqala khona ukuxhuma imicimbi ye-Sysmon komunye nomunye zibe izakhiwo eziyinkimbinkimbi kakhulu.
Source: www.habr.com