sysmon+nxlog 构建简单的安全监控系统

Sysmon + NXlog构建简单的windows安全监控



转载weixin_30394333 最后发布于2017-01-21 17:43:00 阅读数 115                         收藏
发布于2017-01-21 17:43:00

原文链接：http://www.cnblogs.com/xiaoxiaoleo/p/6337423.html展开 [p]


工具：Sysmon （sysmon 5.0） ,NXlog（nxlog-ce-2.9.1716.msi） .
Sysmon监控系统并生成windows event log，   NXlog将windows event log传输到syslog服务器。Sysmon可以监控Process create, Process terminate, Driver loaded, File creation time changed, RawAccessRead, CreateRemoteThread, Sysmon service state changed。
配置：NXlog配置：

1. ## This is a sample configuration file. See the nxlog reference manual about the
2. ## configuration options. It should be installed locally and is also available
3. ## online at http://nxlog.org/docs/
5. ## Please set the ROOT to the folder your nxlog was installed into,
6. ## otherwise it will not start.
8. #define ROOT C:\Program Files\nxlog
9. define ROOT C:\Program Files (x86)\nxlog
11. Moduledir %ROOT%\modules
12. CacheDir %ROOT%\data
13. Pidfile %ROOT%\data\nxlog.pid
14. SpoolDir %ROOT%\data
15. LogFile %ROOT%\data\nxlog.log
17. <Extension _syslog>
18. Module      xm_syslog
19. </Extension>
21. <Input in>
22. Module im_msvistalog
23. Query <QueryList> <Query Id="0"> <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select> </Query></QueryList>
24. </Input>
26. <Output out>
27. Module      om_udp
28. Host        security-log.syslogserver.com
29. Port 639
30. Exec        to_syslog_snare();
31. </Output>
33. <Route 1>
34. Path in => out
35. </Route>

Sysmon配置：

1. <Sysmon schemaversion="3.20">
3. <!-- Capture all hashes -->
5. <HashAlgorithms>*</HashAlgorithms>
7. <EventFiltering>
9. <!-- Log all drivers except if the signature -->
11. <!-- contains Microsoft or Windows -->
13. <DriverLoad onmatch="exclude">
15. <Signature condition="contains">Microsoft</Signature>
17. <Signature condition="contains">Windows</Signature>
19. </DriverLoad>
21. <ProcessTerminate onmatch="include" >
23. <Image condition="end with">MsMpEng.exe</Image>
25. </ProcessTerminate>
27. <!-- Log network connection if the destination port equal 443 -->
29. <!-- or 80, and process isn't InternetExplorer -->
31. <!--NetworkConnect onmatch="include">
33. <DestinationPort>443</DestinationPort>
35. <DestinationPort>80</DestinationPort >
37. </NetworkConnect -->
39. <FileCreateTime onmatch="exclude" >
41. <Image condition="end with">chrome.exe</Image>
43. </FileCreateTime>
45. <ImageLoad onmatch="include">
47. <Signed condition="is">false</Signed>
49. </ImageLoad>
51. <!-- Log access rights for lsass.exe or winlogon.exe is not PROCESS_QUERY_INFORMATION -->
53. <ProcessAccess onmatch="exclude">
55. <GrantedAccess condition="is">0x1400</GrantedAccess>
57. </ProcessAccess>
59. <ProcessAccess onmatch="include">
61. <TargetImage condition="end with">lsass.exe</TargetImage>
63. <TargetImage condition="end with">winlogon.exe</TargetImage>
65. </ProcessAccess>
67. <NetworkConnect onmatch="exclude">
69. <Image condition="end with">chrome.exe</Image>
71. <SourcePort condition="is">137</SourcePort>
73. <SourcePortName condition="is">llmnr</SourcePortName>
75. <DestinationPortName condition="is">llmnr</DestinationPortName>
77. </NetworkConnect>
79. <CreateRemoteThread onmatch="include">
81. <TargetImage condition="end with">explorer.exe</TargetImage>
83. <TargetImage condition="end with">svchost.exe</TargetImage>
85. <TargetImage condition="end with">winlogon.exe</TargetImage>
87. <SourceImage condition="end with">powershell.exe</SourceImage>
89. </CreateRemoteThread>
91. </EventFiltering>
93. </Sysmon>

  
测试案例：安装：
－ sysmon -i config.conf 。   － nxlog双击运行，记得启动服务。（NXlog可命令行安装 msiexec /i  nxlog-ce-2.9.1716.msi  AGREETOLIECENSE="yes"    ACCEPT=YES  /qr+）
 使用mimikatz抓取hash：
 
 
附NXlog完整配置样例：

1. 
   
   ## This is a basic configuration file for Windows Server 2008 * 2012
2. 
   
   ## to GrayLog2 with GELF support and filtering.
3. 
   
   ## See the nxlog reference manual about the configuration options.
4. 
   
   ## It should be installed locally and is also available
5. 
   
   ## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html
6. 
   
   
7. 
   
   ## Please set the ROOT to the folder your nxlog was installed into,
8. 
   
   ## otherwise it will not start.
9. 
   
   
10. 
    
    define ROOT C:\Program Files (x86)\nxlog
11. 
    
    # define ROOT C:\Program Files\nxlog
12. 
    
    
13. 
    
    Moduledir %ROOT%\modules
14. 
    
    CacheDir %ROOT%\data
15. 
    
    Pidfile %ROOT%\data\nxlog.pid
16. 
    
    SpoolDir %ROOT%\data
17. 
    
    LogFile %ROOT%\data\nxlog.log
18. 
    
    
19. 
    
    <Extension gelf>
20. 
    
    Module xm_gelf
21. 
    
    </Extension>
22. 
    
    
23. 
    
    <Input pr_mseventlog>
24. 
    
    Module      im_msvistalog
25. 
    
    ReadFromLast True
26. 
    
    # http://msdn.microsoft.com/en-us/library/aa385231.aspx
27. 
    
    # http://msdn.microsoft.com/en-us/library/ff604025(v=office.14).aspx
28. 
    
    # Level 1 (ID=30  Critical)     severity level events
29. 
    
    # Level 2 (ID=40  Error)        severity level events
30. 
    
    # Level 3 (ID=50  Warning)      severity level events
31. 
    
    # Level 4 (ID=80  Information)  severity level events
32. 
    
    # Level 5 (ID=100 Verbose)      severity level events
33. 
    
    # All channels are included by default which are listed in the registry under these:
34. 
    
    # HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels
35. 
    
    # HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\System
36. 
    
    #
37. 
    
    # <Select Path='Key Management Service'>*</Select></Query>\
38. 
    
    # <Select Path='Internet Explorer'>*</Select></Query>\
39. 
    
    # <Select Path='HardwareEvents'>*</Select></Query>\
40. 
    
    #
41. 
    
    Query   <QueryList>\
42. 
    
    <Query Id="0">\
43. 
    
    <Select Path="Security">*</Select>\
44. 
    
    <Select Path="System">*[System/Level=4]</Select>\
45. 
    
    <Select Path="Application">*[Application/Level=2]</Select>\
46. 
    
    <Select Path="Setup">*[System/Level=3]</Select>\
47. 
    
    <Select Path='Windows PowerShell'>*</Select>\
48. 
    
    </Query>\
49. 
    
    </QueryList>
50. 
    
    
51. 
    
    # REGEX EXAMPLES:
52. 
    
    # "\s" equals one white space character, and ".*" equals any one char
53. 
    
    # Line Contains both "bubble" and "gum"
54. 
    
    #   Search pattern: ^(?=.*?\bbubble\b)(?=.*?\bgum\b).*
55. 
    
    # Line does Not Contain "boy"
56. 
    
    #   Search pattern: ^(?!.*boy).*
57. 
    
    # Line Contains "bubble" but Neither "gum" Nor "bath"
58. 
    
    #   Search pattern: ^(?=.*bubble)(?!.*gum)(?!.*bath).*
59. 
    
    
60. 
    
    # Uncomment next line to view all logs, we can view output to help
61. 
    
    # create the regex, next line shows my $raw_event data to parse:
62. 
    
    # 2013-11-18 15:23:02 INFO 2013-12-18 15:23:01 ahost.adomain.local INFO 62464 UVD Information
63. 
    
    # Exec   log_info($raw_event) ;
64. 
    
    Exec if ($raw_event =~ /INFO\s+62464/) drop();
65. 
    
    
66. 
    
    </Input>
67. 
    
    
68. 
    
    <Output out>
69. 
    
    Module      om_udp
70. 
    
    Host 10.247.x.x
71. 
    
    Port 12201
72. 
    
    OutputType  GELF
73. 
    
    </Output>
74. 
    
    
75. 
    
    <Route 1>
76. 
    
    Path    pr_mseventlog  => out
77. 
    
    </Route>

参考：
http://www.freebuf.com/sectool/122779.htmlhttps://technet.microsoft.com/en-us/sysinternals/dn798348
https://nxlog.co/docs/sysmon/audit-logging-on-windows-with-sysmon-and-nxlog.htmlhttp://www.ilanni.com/?p=595
转载于:https://www.cnblogs.com/xiaoxiaoleo/p/6337423.html[/p]

当年那帮热火朝天的兄弟都哪里去了？全改行了吗？

感觉差不多改行了，哈哈。

都搞云和移动了吧

当年是哪年?