Sysmon + NXlog構建簡單的windows安全監控

標籤：cal   process   shell   html   mon   server   oca   for   svi   

工具：

Sysmon （sysmon 5.0） ,NXlog（nxlog-ce-2.9.1716.msi） .

Sysmon監控系統並產生windows event log，   NXlog將windows event log傳輸到syslog伺服器。

Sysmon可以監控Process create, Process terminate, Driver loaded, File creation time changed, RawAccessRead, CreateRemoteThread, Sysmon service state changed。

配置：

NXlog配置：

## This is a sample configuration file. See the nxlog reference manual about the## configuration options. It should be installed locally and is also available## online at http://nxlog.org/docs/## Please set the ROOT to the folder your nxlog was installed into,## otherwise it will not start.#define ROOT C:\Program Files\nxlogdefine ROOT C:\Program Files (x86)\nxlogModuledir %ROOT%\modulesCacheDir %ROOT%\dataPidfile %ROOT%\data\nxlog.pidSpoolDir %ROOT%\dataLogFile %ROOT%\data\nxlog.log<Extension _syslog>    Module      xm_syslog</Extension><Input in>    Module im_msvistalog    Query <QueryList> <Query Id="0"> <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select> </Query></QueryList></Input><Output out>    Module      om_udp    Host        security-log.syslogserver.com    Port        639    Exec        to_syslog_snare();</Output><Route 1>    Path        in => out</Route>

　Sysmon配置：

<Sysmon schemaversion="3.20">  <!-- Capture all hashes -->  <HashAlgorithms>*</HashAlgorithms>  <EventFiltering>    <!-- Log all drivers except if the signature -->    <!-- contains Microsoft or Windows -->    <DriverLoad onmatch="exclude">      <Signature condition="contains">Microsoft</Signature>      <Signature condition="contains">Windows</Signature>    </DriverLoad>    <ProcessTerminate onmatch="include" >      <Image condition="end with">MsMpEng.exe</Image>    </ProcessTerminate>    <!-- Log network connection if the destination port equal 443 -->    <!-- or 80, and process isn‘t InternetExplorer -->    <!--NetworkConnect onmatch="include">      <DestinationPort>443</DestinationPort>      <DestinationPort>80</DestinationPort >    </NetworkConnect -->    <FileCreateTime onmatch="exclude" >      <Image condition="end with">chrome.exe</Image>    </FileCreateTime>    <ImageLoad onmatch="include">      <Signed condition="is">false</Signed>    </ImageLoad>    <!-- Log access rights for lsass.exe or winlogon.exe is not PROCESS_QUERY_INFORMATION -->    <ProcessAccess onmatch="exclude">      <GrantedAccess condition="is">0x1400</GrantedAccess>    </ProcessAccess>    <ProcessAccess onmatch="include">      <TargetImage condition="end with">lsass.exe</TargetImage>      <TargetImage condition="end with">winlogon.exe</TargetImage>    </ProcessAccess>    <NetworkConnect onmatch="exclude">      <Image condition="end with">chrome.exe</Image>      <SourcePort condition="is">137</SourcePort>      <SourcePortName condition="is">llmnr</SourcePortName>      <DestinationPortName condition="is">llmnr</DestinationPortName>    </NetworkConnect>    <CreateRemoteThread onmatch="include">      <TargetImage condition="end with">explorer.exe</TargetImage>      <TargetImage condition="end with">svchost.exe</TargetImage>      <TargetImage condition="end with">winlogon.exe</TargetImage>      <SourceImage condition="end with">powershell.exe</SourceImage>    </CreateRemoteThread>  </EventFiltering></Sysmon>

　　

 

 

測試案例：

安裝：

－ sysmon -i config.conf 。   

－ nxlog雙擊運行，記得啟動服務。

 

使用mimikatz抓取hash：

 

 

參考：

http://www.freebuf.com/sectool/122779.html

https://technet.microsoft.com/en-us/sysinternals/dn798348

https://nxlog.co/docs/sysmon/audit-logging-on-windows-with-sysmon-and-nxlog.html

http://www.ilanni.com/?p=595

Sysmon + NXlog構建簡單的windows安全監控