Sysmon (sysmon 5.0) ,NXlog(nxlog-ce-2.9.1716.msi) .
Sysmon监控系统并生成windows event log,, NXlog将windows event log传输到syslog服务器。
Sysmon可以监控Process create, Process terminate, Driver loaded, File creation time changed, RawAccessRead, CreateRemoteThread, Sysmon service state changed。
配置:
NXlog配置:
## This is a sample configuration file. See the nxlog reference manual about the ## configuration options. It should be installed locally and is also available ## online at ## Please set the ROOT to the folder your nxlog was installed into, ## otherwise it will not start. #define ROOT C:\Program Files\nxlog define ROOT C:\Program Files (x86)\nxlog Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log <Extension _syslog> Module xm_syslog </Extension> <Input in> Module im_msvistalog Query <QueryList> <Query> <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select> </Query></QueryList> </Input> <Output out> Module om_udp Host security-log.syslogserver.com Port 639 Exec to_syslog_snare(); </Output> <Route 1> Path in => out </Route>
Sysmon配置:
<Sysmon schemaversion="3.20"> <!-- Capture all hashes --> <HashAlgorithms>*</HashAlgorithms> <EventFiltering> <!-- Log all drivers except if the signature --> <!-- contains Microsoft or Windows --> <DriverLoad onmatch="exclude"> <Signature condition="contains">Microsoft</Signature> <Signature condition="contains">Windows</Signature> </DriverLoad> <ProcessTerminate onmatch="include" > <Image condition="end with">MsMpEng.exe</Image> </ProcessTerminate> <!-- Log network connection if the destination port equal 443 --> <!-- or 80, and process isn‘t InternetExplorer --> <!--NetworkConnect onmatch="include"> <DestinationPort>443</DestinationPort> <DestinationPort>80</DestinationPort > </NetworkConnect --> <FileCreateTime onmatch="exclude" > <Image condition="end with">chrome.exe</Image> </FileCreateTime> <ImageLoad onmatch="include"> <Signed condition="is">false</Signed> </ImageLoad> <!-- Log access rights for lsass.exe or winlogon.exe is not PROCESS_QUERY_INFORMATION --> <ProcessAccess onmatch="exclude"> <GrantedAccess condition="is">0x1400</GrantedAccess> </ProcessAccess> <ProcessAccess onmatch="include"> <TargetImage condition="end with">lsass.exe</TargetImage> <TargetImage condition="end with">winlogon.exe</TargetImage> </ProcessAccess> <NetworkConnect onmatch="exclude"> <Image condition="end with">chrome.exe</Image> <SourcePort condition="is">137</SourcePort> <SourcePortName condition="is">llmnr</SourcePortName> <DestinationPortName condition="is">llmnr</DestinationPortName> </NetworkConnect> <CreateRemoteThread onmatch="include"> <TargetImage condition="end with">explorer.exe</TargetImage> <TargetImage condition="end with">svchost.exe</TargetImage> <TargetImage condition="end with">winlogon.exe</TargetImage> <SourceImage condition="end with">powershell.exe</SourceImage> </CreateRemoteThread> </EventFiltering> </Sysmon>
测试案例:
安装:
- sysmon -i config.conf 。
- nxlog双击运行,记得启动服务。
使用mimikatz抓取hash:
参考:
https://technet.microsoft.com/en-us/sysinternals/dn798348
https://nxlog.co/docs/sysmon/audit-logging-on-windows-with-sysmon-and-nxlog.html
?p=595
Sysmon + NXlog构建简单的windows安全监控