Sysmon
- Author: c4bbage
- Date: 2017.8.17
- Link: http://dobest1.com/sysmon_note/
Sysmon features:
- Logs the full command line and arguments of the current process and of its parent process
- Records process image file hashes using SHA1 (default), MD5, SHA256 or IMPHASH
- Multiple hashes can be included in the same record
- Includes a process GUID in process-creation events; the GUID makes context correlation easy without worrying about process ID changes or reuse
- Records the signature and hash of drivers and DLLs when they are loaded
- Logs raw access reads of disks and volumes
- Optionally logs network connections, including each connection's source process, IP addresses, port numbers, hostnames and port names.
- Detects changes to file creation times so you can tell when a file was really created. Modifying file creation timestamps is a technique malware commonly uses to cover its tracks.
- Automatically reloads the configuration if it is changed in the registry.
- Filter rules support dynamically including or excluding certain events.
- Generates events before processes start, so that activity from even sophisticated kernel-mode malware is captured.
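The process GUID point above is what makes Sysmon logs correlatable: a PID is recycled as soon as a process exits, but ProcessGuid/ParentProcessGuid stay unique. The following added example (not code from the original note) parses constructed Event ID 1 records in the XML layout the Windows Event Log exports and links them into a process tree by GUID, including two processes that share a reused PID; the field names are Sysmon's own, the GUID and PID values are made up.

```python
# Correlate Sysmon Event ID 1 (ProcessCreate) records into a process tree keyed by
# ProcessGuid / ParentProcessGuid rather than PID, so the chain survives PID reuse.
# Added example; the event records below are constructed, not captured from a host.
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
FIELDS = ("ProcessGuid", "ParentProcessGuid", "ProcessId", "Image", "CommandLine")

def _event(guid, pid, parent_guid, image, cmdline):
    # Constructed record in the layout Windows Event Log exports (System + EventData).
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>1</EventID></System><EventData>'
            f'<Data Name="ProcessGuid">{guid}</Data><Data Name="ProcessId">{pid}</Data>'
            f'<Data Name="Image">{image}</Data><Data Name="CommandLine">{cmdline}</Data>'
            f'<Data Name="ParentProcessGuid">{parent_guid}</Data></EventData></Event>')

SAMPLE_EVENTS = [  # constructed sample data; GUIDs abbreviated for readability
    _event("{G-1}", 4120, "{G-0}", r"C:\Windows\explorer.exe", "explorer.exe"),
    _event("{G-2}", 5508, "{G-1}", r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
    # PID 5508 is reused after cmd.exe exits; only the GUID distinguishes the two.
    _event("{G-3}", 5508, "{G-1}", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

def parse_process_create(xml_text):
    """Return the ProcessCreate fields we need, or None for any other EventID."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "1":
        return None
    data = {d.get("Name"): d.text for d in root.iterfind("e:EventData/e:Data", NS)}
    return {k: data[k] for k in FIELDS}

def build_tree(xml_events):
    """Index processes by ProcessGuid and group children under their parent GUID."""
    procs, children = {}, {}
    for rec in filter(None, map(parse_process_create, xml_events)):
        procs[rec["ProcessGuid"]] = rec
        children.setdefault(rec["ParentProcessGuid"], []).append(rec["ProcessGuid"])
    return procs, children

def render(procs, children, guid, depth=0):
    """Indented tree, one line per process; PIDs are shown but GUIDs drive the links."""
    rec = procs[guid]
    lines = ["  " * depth + f"{rec['Image']} (pid {rec['ProcessId']}) {rec['CommandLine']}"]
    for child in children.get(guid, []):
        lines.extend(render(procs, children, child, depth + 1))
    return lines

if __name__ == "__main__":
    procs, children = build_tree(SAMPLE_EVENTS)
    print("\n".join(render(procs, children, "{G-1}")))
```

Keying the tree by PID instead would merge cmd.exe and notepad.exe into one node; keying by GUID keeps both children under explorer.exe.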
Sysmon event IDs
| Category | EventID | Tag |
|---|---|---|
| Process Create | 1 | ProcessCreate |
| File Creation Time Changed | 2 | FileCreateTime |
| Process Terminated | 5 | ProcessTerminate |
| Driver Loaded | 6 | DriverLoad |
| Image Loaded | 7 | ImageLoad |
| Network Connection | 3 | NetworkConnect |
| CreateRemoteThread | 8 | CreateRemoteThread |
| RawAccessRead | 9 | RawAccessRead |
| Sysmon Service State Change | 4 | |
| Process Access | 10 | ProcessAccess |
| File Create | 11 | FileCreate |
| Registry Object Create Delete | 12 | RegistryEvent |
| Registry Value Create | 13 | RegistryEvent |
| Registry Object Rename | 14 | RegistryEvent |
| File Create Stream Hash | 15 | FileCreateStreamHash |
| Sysmon Configuration Changed | 16 | |
| Pipe Created | 17 | PipeEvent |
| Pipe Connected | 18 | PipeEvent |
| WmiEventFilter activity detected | 19 | WmiEvent |
| WmiEventConsumer activity detected | 20 | WmiEvent |
| WmiEventConsumerToFilter activity detected | 21 | WmiEvent |
| Error | 255 | |
Log everything

With `onmatch="exclude"` and no child rules, every event of that type is logged. ImageLoad (7) and ProcessAccess (10) in particular are very high volume, so treat this as a lab baseline rather than a production filter.

```xml
<Sysmon schemaversion="3.4">
  <!-- Capture all hashes -->
  <HashAlgorithms>*</HashAlgorithms>
  <EventFiltering>
    <!-- EventID: 1 -->
    <!-- Log all process creation -->
    <ProcessCreate onmatch="exclude"/>
    <!-- EventID: 2 -->
    <!-- Log all file creation time changes -->
    <FileCreateTime onmatch="exclude"/>
    <!-- EventID: 3 -->
    <!-- Log all network connections -->
    <NetworkConnect onmatch="exclude"/>
    <!-- EventID: 5 -->
    <!-- Log all process termination -->
    <ProcessTerminate onmatch="exclude"/>
    <!-- EventID: 6 -->
    <!-- Log all drivers loaded -->
    <DriverLoad onmatch="exclude"/>
    <!-- EventID: 7 -->
    <!-- Log all images (DLLs) loaded -->
    <ImageLoad onmatch="exclude"/>
    <!-- EventID: 8 -->
    <!-- Log all remote threads created -->
    <CreateRemoteThread onmatch="exclude"/>
    <!-- EventID: 9 -->
    <!-- Log all raw disk/volume reads -->
    <RawAccessRead onmatch="exclude"/>
    <!-- EventID: 10 -->
    <!-- Log all process access (handle opens) -->
    <ProcessAccess onmatch="exclude"/>
    <!-- EventID: 11 -->
    <!-- Log all file creation -->
    <FileCreate onmatch="exclude"/>
    <!-- EventID: 12/13/14 -->
    <!-- Log all registry operations -->
    <RegistryEvent onmatch="exclude"/>
    <!-- EventID: 15 -->
    <!-- Log all file stream (ADS) hashes -->
    <FileCreateStreamHash onmatch="exclude"/>
    <!-- EventID: 17/18 -->
    <!-- Log all named pipe events -->
    <PipeEvent onmatch="exclude"/>
    <!-- EventID: 19/20/21 -->
    <!-- Log all WMI events -->
    <WmiEvent onmatch="exclude"/>
  </EventFiltering>
</Sysmon>
```
Usage

Dump the current configuration:

```
sysmon -c
```

Use the default configuration:

```
sysmon.exe -i --
```

Change the configuration to use all hash algorithms, with no network monitoring, and monitor DLL (image) loading in lsass.exe:

```
sysmon -c -h * -l lsass.exe
```
TODO list
- Daemon process
- Front-end display (Kibana cannot adequately visualize the process call chain)