znsoft

Building a simple security monitoring system with Sysmon + NXLog

Original poster #
Posted: 2020-03-04 07:24


Building simple Windows security monitoring with Sysmon + NXLog



Repost. weixin_30394333, last published 2017-01-21 17:43:00

Original link: http://www.cnblogs.com/xiaoxiaoleo/p/6337423.html [p]


Tools: Sysmon (sysmon 5.0), NXLog (nxlog-ce-2.9.1716.msi).
Sysmon monitors the system and generates Windows event log entries; NXLog forwards the Windows event log to a syslog server. Sysmon can monitor Process create, Process terminate, Driver loaded, File creation time changed, RawAccessRead, CreateRemoteThread, and Sysmon service state changed.
Configuration: NXLog configuration:

## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _syslog>
    Module      xm_syslog
</Extension>

# Read only the Sysmon channel from the Windows event log
<Input in>
    Module      im_msvistalog
    Query       <QueryList> <Query Id="0"> <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select> </Query></QueryList>
</Input>

# Forward every event over UDP in Snare syslog format
<Output out>
    Module      om_udp
    Host        security-log.syslogserver.com
    Port        639
    Exec        to_syslog_snare();
</Output>

<Route 1>
    Path        in => out
</Route>

Sysmon configuration:

<Sysmon schemaversion="3.20">
  <!-- Capture all hashes -->
  <HashAlgorithms>*</HashAlgorithms>
  <EventFiltering>
    <!-- Log all drivers except if the signature -->
    <!-- contains Microsoft or Windows -->
    <DriverLoad onmatch="exclude">
      <Signature condition="contains">Microsoft</Signature>
      <Signature condition="contains">Windows</Signature>
    </DriverLoad>
    <ProcessTerminate onmatch="include">
      <Image condition="end with">MsMpEng.exe</Image>
    </ProcessTerminate>
    <!-- Log network connection if the destination port equal 443 -->
    <!-- or 80, and process isn't InternetExplorer -->
    <!--NetworkConnect onmatch="include">
      <DestinationPort>443</DestinationPort>
      <DestinationPort>80</DestinationPort>
    </NetworkConnect -->
    <FileCreateTime onmatch="exclude">
      <Image condition="end with">chrome.exe</Image>
    </FileCreateTime>
    <ImageLoad onmatch="include">
      <Signed condition="is">false</Signed>
    </ImageLoad>
    <!-- Log access rights for lsass.exe or winlogon.exe is not PROCESS_QUERY_INFORMATION -->
    <ProcessAccess onmatch="exclude">
      <GrantedAccess condition="is">0x1400</GrantedAccess>
    </ProcessAccess>
    <ProcessAccess onmatch="include">
      <TargetImage condition="end with">lsass.exe</TargetImage>
      <TargetImage condition="end with">winlogon.exe</TargetImage>
    </ProcessAccess>
    <NetworkConnect onmatch="exclude">
      <Image condition="end with">chrome.exe</Image>
      <SourcePort condition="is">137</SourcePort>
      <SourcePortName condition="is">llmnr</SourcePortName>
      <DestinationPortName condition="is">llmnr</DestinationPortName>
    </NetworkConnect>
    <CreateRemoteThread onmatch="include">
      <TargetImage condition="end with">explorer.exe</TargetImage>
      <TargetImage condition="end with">svchost.exe</TargetImage>
      <TargetImage condition="end with">winlogon.exe</TargetImage>
      <SourceImage condition="end with">powershell.exe</SourceImage>
    </CreateRemoteThread>
  </EventFiltering>
</Sysmon>



  
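Test case: Installation:
- sysmon -i config.conf
- Double-click the NXLog installer to run it, and remember to start the service. (NXLog can also be installed from the command line: msiexec /i  nxlog-ce-2.9.1716.msi  AGREETOLIECENSE="yes"    ACCEPT=YES  /qr+)
Dumping hashes with mimikatz: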
 
 
Appendix: a complete NXLog configuration sample:


## This is a basic configuration file for Windows Server 2008 * 2012
## to GrayLog2 with GELF support and filtering.
## See the nxlog reference manual about the configuration options.
## It should be installed locally and is also available
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

define ROOT C:\Program Files (x86)\nxlog
# define ROOT C:\Program Files\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension gelf>
    Module      xm_gelf
</Extension>

<Input pr_mseventlog>
    Module      im_msvistalog
    ReadFromLast True
    # http://msdn.microsoft.com/en-us/library/aa385231.aspx
    # http://msdn.microsoft.com/en-us/library/ff604025(v=office.14).aspx
    # Level 1 (ID=30  Critical)     severity level events
    # Level 2 (ID=40  Error)        severity level events
    # Level 3 (ID=50  Warning)      severity level events
    # Level 4 (ID=80  Information)  severity level events
    # Level 5 (ID=100 Verbose)      severity level events
    # All channels are included by default which are listed in the registry under these:
    # HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels
    # HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\System
    #
    # <Select Path='Key Management Service'>*</Select></Query>\
    # <Select Path='Internet Explorer'>*</Select></Query>\
    # <Select Path='HardwareEvents'>*</Select></Query>\
    #
    # The level filter is always written against the event's System element,
    # whichever channel is selected.
    Query   <QueryList>\
                <Query Id="0">\
                    <Select Path="Security">*</Select>\
                    <Select Path="System">*[System/Level=4]</Select>\
                    <Select Path="Application">*[System/Level=2]</Select>\
                    <Select Path="Setup">*[System/Level=3]</Select>\
                    <Select Path='Windows PowerShell'>*</Select>\
                </Query>\
            </QueryList>

    # REGEX EXAMPLES:
    # "\s" matches one whitespace character, and ".*" matches any run of characters
    # Line Contains both "bubble" and "gum"
    #   Search pattern: ^(?=.*?\bbubble\b)(?=.*?\bgum\b).*
    # Line does Not Contain "boy"
    #   Search pattern: ^(?!.*boy).*
    # Line Contains "bubble" but Neither "gum" Nor "bath"
    #   Search pattern: ^(?=.*bubble)(?!.*gum)(?!.*bath).*

    # Uncomment next line to view all logs, we can view output to help
    # create the regex, next line shows my $raw_event data to parse:
    # 2013-11-18 15:23:02 INFO 2013-12-18 15:23:01 ahost.adomain.local INFO 62464 UVD Information
    # Exec   log_info($raw_event) ;
    Exec if ($raw_event =~ /INFO\s+62464/) drop();
</Input>

<Output out>
    Module      om_udp
    Host        10.247.x.x
    Port        12201
    OutputType  GELF
</Output>

<Route 1>
    Path    pr_mseventlog  => out
</Route>




References:
http://www.freebuf.com/sectool/122779.html
https://technet.microsoft.com/en-us/sysinternals/dn798348
https://nxlog.co/docs/sysmon/audit-logging-on-windows-with-sysmon-and-nxlog.html
http://www.ilanni.com/?p=595
Reposted from: https://www.cnblogs.com/xiaoxiaoleo/p/6337423.html[/p]
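An added example, not part of the original post: a receiver-side check for the test case above, flagging Sysmon ProcessAccess events (Event ID 10) in which lsass.exe or winlogon.exe was opened with memory-read rights. The log lines are constructed, and the tab-separated layout assumed for the output of to_syslog_snare() (event ID as the sixth field, message flattened to "Key: value" pairs) is an assumption, as are all function names.

```python
import re

PROCESS_VM_READ = 0x0010                     # Windows access right needed to read process memory
WATCHED = ("\\lsass.exe", "\\winlogon.exe")  # targets of the ProcessAccess include rule above

def field(line, name):
    """Return the value of one 'Name: value' pair from the flattened Sysmon message."""
    m = re.search(r"\b" + name + r": (.*?)(?= \w+: |\t|$)", line)
    return m.group(1) if m else None

def memory_read_alerts(lines):
    """Flag Event ID 10 records where a watched process was opened with VM_READ."""
    alerts = []
    for line in lines:
        parts = line.split("\t")
        # ASSUMPTION: Snare layout, event ID is the sixth tab-separated field.
        if len(parts) < 6 or not parts[0].endswith("MSWinEventLog") or parts[5] != "10":
            continue
        target = field(line, "TargetImage") or ""
        try:
            mask = int(field(line, "GrantedAccess") or "", 16)
        except ValueError:
            continue                         # malformed record: skip rather than crash
        if target.lower().endswith(WATCHED) and mask & PROCESS_VM_READ:
            alerts.append((field(line, "SourceImage"), target, hex(mask)))
    return alerts

def sample_line(event_id, message):
    """Build one constructed log line (not captured traffic)."""
    return "\t".join(["<14>Mar  4 07:24:01 WS01 MSWinEventLog", "1",
                      "Microsoft-Windows-Sysmon/Operational", "101",
                      "Wed Mar 04 07:24:01 2020", str(event_id),
                      "Microsoft-Windows-Sysmon", "SYSTEM", "User", "Information",
                      "WS01", "", "", message, "101"])

SAMPLE_LINES = [
    sample_line(10, "Process accessed: SourceImage: C:\\Temp\\mimikatz.exe "
                    "TargetImage: C:\\Windows\\system32\\lsass.exe GrantedAccess: 0x1010 "
                    "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll"),
    sample_line(10, "Process accessed: SourceImage: C:\\Program Files\\Windows Defender\\MsMpEng.exe "
                    "TargetImage: C:\\Windows\\system32\\lsass.exe GrantedAccess: 0x1000"),
    sample_line(1, "Process Create: Image: C:\\Windows\\System32\\findstr.exe "
                   "CommandLine: findstr lsass.exe GrantedAccess: 0x1010"),
]

if __name__ == "__main__":
    for source, target, mask in memory_read_alerts(SAMPLE_LINES):
        print(f"ALERT {source} opened {target} with {mask}")
```

Only the first constructed line raises an alert: the second lacks the memory-read bit and the third is not a ProcessAccess event.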
chengtao
Reply #1
Posted: 2020-03-25 13:23
Where did all the guys who were so fired up back in the day go? Have they all changed careers?
admin
Reply #2
Posted: 2020-04-26 05:42
Feels like they pretty much have, haha.