Sysmon + NXlog: building simple Windows security monitoring

    Tools:

    Sysmon (sysmon 5.0) and NXlog (nxlog-ce-2.9.1716.msi).

    Sysmon monitors the system and writes what it sees to the Windows event log (channel Microsoft-Windows-Sysmon/Operational); NXlog reads that channel and forwards the events to a syslog server.

    Events Sysmon can record include process create (event ID 1), file creation time changed (2), network connection (3), Sysmon service state changed (4), process terminate (5), driver loaded (6), image loaded (7), CreateRemoteThread (8), RawAccessRead (9) and process access (10). The configuration below uses most of these.

    Configuration:

    NXlog configuration (nxlog.conf):

    ## This is a sample configuration file. See the nxlog reference manual about the
    ## configuration options. It should be installed locally and is also available
    ## online at http://nxlog.org/docs/
    
    ## Please set the ROOT to the folder your nxlog was installed into,
    ## otherwise it will not start.
    
    #define ROOT C:\Program Files\nxlog
    define ROOT C:\Program Files (x86)\nxlog
    
    Moduledir %ROOT%\modules
    CacheDir %ROOT%\data
    Pidfile %ROOT%\data\nxlog.pid
    SpoolDir %ROOT%\data
    LogFile %ROOT%\data\nxlog.log
    
    <Extension _syslog>
        Module      xm_syslog
    </Extension>
    
    ## Read only the Sysmon channel from the Windows event log.
    <Input in>
        Module      im_msvistalog
        Query       <QueryList> <Query Id="0"> <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select> </Query></QueryList>
    </Input>
    
    ## Forward each event in Snare syslog format over UDP. UDP is cleartext and
    ## unacknowledged, so events can be read or lost in transit; for a production
    ## collector use om_tcp or om_ssl instead. The port must match whatever the
    ## syslog server is listening on.
    <Output out>
        Module      om_udp
        Host        security-log.syslogserver.com
        Port        639
        Exec        to_syslog_snare();
    </Output>
    
    <Route 1>
        Path        in => out
    </Route>
    

    Sysmon configuration (config.xml):

    <Sysmon schemaversion="3.20">
    
      <!-- Capture all hashes -->
      <HashAlgorithms>*</HashAlgorithms>
    
      <EventFiltering>
    
        <!-- Log all driver loads except those whose signature -->
        <!-- contains Microsoft or Windows -->
        <DriverLoad onmatch="exclude">
          <Signature condition="contains">Microsoft</Signature>
          <Signature condition="contains">Windows</Signature>
        </DriverLoad>
    
        <!-- Log process termination only for the Windows Defender engine -->
        <ProcessTerminate onmatch="include" >
          <Image condition="end with">MsMpEng.exe</Image>
        </ProcessTerminate>
    
        <!-- Disabled example: log network connections whose destination -->
        <!-- port is 443 or 80 -->
        <!--NetworkConnect onmatch="include">
          <DestinationPort>443</DestinationPort>
          <DestinationPort>80</DestinationPort>
        </NetworkConnect -->
    
        <!-- Log file creation time changes (timestomping) except those made by chrome.exe -->
        <FileCreateTime onmatch="exclude" >
          <Image condition="end with">chrome.exe</Image>
        </FileCreateTime>
    
        <!-- Log image (DLL) loads of unsigned modules -->
        <ImageLoad onmatch="include">
          <Signed condition="is">false</Signed>
        </ImageLoad>
    
        <!-- Log process access to lsass.exe or winlogon.exe unless the granted access is exactly -->
        <!-- 0x1400 (PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION), which is -->
        <!-- routine status querying. Exclude rules take precedence over include rules, so the -->
        <!-- 0x1400 exclusion applies to the include block that follows. -->
        <ProcessAccess onmatch="exclude">
          <GrantedAccess condition="is">0x1400</GrantedAccess>
        </ProcessAccess>
    
        <ProcessAccess onmatch="include">
          <TargetImage condition="end with">lsass.exe</TargetImage>
          <TargetImage condition="end with">winlogon.exe</TargetImage>
        </ProcessAccess>
    
        <!-- Log all network connections except chrome.exe and NetBIOS/LLMNR name-resolution noise -->
        <NetworkConnect onmatch="exclude">
          <Image condition="end with">chrome.exe</Image>
          <SourcePort condition="is">137</SourcePort>
          <SourcePortName condition="is">llmnr</SourcePortName>
          <DestinationPortName condition="is">llmnr</DestinationPortName>
        </NetworkConnect>
    
        <!-- Log remote thread creation into explorer, svchost or winlogon, or from powershell -->
        <CreateRemoteThread onmatch="include">
          <TargetImage condition="end with">explorer.exe</TargetImage>
          <TargetImage condition="end with">svchost.exe</TargetImage>
          <TargetImage condition="end with">winlogon.exe</TargetImage>
          <SourceImage condition="end with">powershell.exe</SourceImage>
        </CreateRemoteThread>
    
      </EventFiltering>
    
    </Sysmon>
    

      

    Test case:

    Installation:

    - sysmon -i config.conf (config.conf is the Sysmon XML configuration above; add -accepteula for an unattended install).

    - Double-click the NXlog installer and remember to start the nxlog service afterwards. NXlog can also be installed from the command line: msiexec /i nxlog-ce-2.9.1716.msi AGREETOLICENSE="yes" ACCEPT=YES /qr+

    Dumping hashes with mimikatz:

    Running mimikatz (sekurlsa::logonpasswords) opens lsass.exe with access rights other than 0x1400, so the ProcessAccess rules above produce a Sysmon event ID 10 record with SourceImage pointing at mimikatz and TargetImage lsass.exe, which NXlog forwards to the syslog server.
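To show what the mimikatz test looks like once the events reach the collector, here is an added example (not code from the original post, Sysmon or NXlog) in Python that parses forwarded Sysmon event ID 10 records, decodes the GrantedAccess mask and flags handles to lsass.exe that carry PROCESS_VM_READ, the right a credential dumper needs. It assumes the Snare column order given in the code comments and that NXlog flattened each message body onto one line; the sample records are constructed, and the helper names (snare, scan, classify_process_access) are mine.

```python
"""Collector-side check for Sysmon event ID 10 (ProcessAccess) records shipped by NXlog.

Assumptions (not from the page): records arrive as Snare lines, tab-separated as
MSWinEventLog, criticality, channel, counter, date, event ID, source, user, SID type,
event type, host, category, message (13 columns), and the Sysmon "Field: value"
body has been flattened onto one line. All sample data below is constructed.
"""
import re

# Process access rights from winnt.h (documented Windows constants).
ACCESS_NAMES = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
PROCESS_VM_READ = 0x0010
# 0x1400 = PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION, the mask the
# Sysmon rule on this page excludes because plain status queries of lsass are constant noise.
QUERY_ONLY = 0x0400 | 0x1000

# Sysmon body fields are "Name: value"; names start with a capital letter, which keeps
# timestamps such as "08:12:30" from being mistaken for field boundaries.
FIELD_RE = re.compile(r"(?:^|\s)([A-Z]\w+): (.*?)(?=\s[A-Z]\w+: |$)")


def snare(event_id, message, host="WS01"):
    """Build a constructed Snare line in the assumed 13-column layout (test data only)."""
    return "\t".join(["MSWinEventLog", "1", "Microsoft-Windows-Sysmon/Operational", "101",
                      "Tue Jan 24 08:12:30 2017", str(event_id), "Microsoft-Windows-Sysmon",
                      "SYSTEM", "User", "Information", host, "Sysmon", message])


def parse_snare_line(line):
    """Split one Snare line into the columns the check needs, or None if malformed."""
    cols = line.rstrip("\r\n").split("\t")
    if len(cols) < 13 or cols[0] != "MSWinEventLog" or not cols[5].isdigit():
        return None
    return {"event_id": int(cols[5]), "host": cols[10], "message": cols[12]}


def parse_sysmon_body(message):
    """Turn the flattened Sysmon message body into a {field: value} dict."""
    return dict(FIELD_RE.findall(message))


def decode_access(mask):
    """Name the access-right bits set in a GrantedAccess mask, lowest bit first."""
    return [name for bit, name in sorted(ACCESS_NAMES.items()) if mask & bit]


def classify_process_access(fields):
    """Return (verdict, reason) for one event ID 10 record."""
    target = fields.get("TargetImage", "").lower()
    mask = int(fields.get("GrantedAccess", "0"), 16)
    if not target.endswith("\\lsass.exe"):
        return "ignore", "target is not lsass.exe"
    if mask == QUERY_ONLY:
        # The sensor rule drops these; keep the branch so a looser config does not page anyone.
        return "benign", "query-only handle (0x1400)"
    rights = "|".join(decode_access(mask))
    if mask & PROCESS_VM_READ:
        # Reading LSASS memory is what credential dumpers (mimikatz sekurlsa::*) need.
        return "alert", "PROCESS_VM_READ on lsass.exe: " + rights
    return "suspicious", "non-query access to lsass.exe: " + rights


def scan(lines):
    """Run the check over forwarded lines; returns (verdict, host, source image, reason) tuples."""
    findings = []
    for line in lines:
        rec = parse_snare_line(line)
        if rec is None or rec["event_id"] != 10:
            continue
        fields = parse_sysmon_body(rec["message"])
        verdict, reason = classify_process_access(fields)
        if verdict in ("alert", "suspicious"):
            findings.append((verdict, rec["host"], fields.get("SourceImage", "?"), reason))
    return findings


# Constructed sample: a query-only access (normally filtered on the sensor), a mimikatz run
# (0x1010 = PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION) and an unrelated event ID 1.
SAMPLE_LINES = [
    snare(10, "Process accessed: UtcTime: 2017-01-24 08:12:30.001 SourceProcessGUID: {A1} "
              "SourceProcessId: 1204 SourceThreadId: 1208 SourceImage: C:\\Windows\\System32\\Taskmgr.exe "
              "TargetProcessGUID: {B1} TargetProcessId: 612 TargetImage: C:\\Windows\\System32\\lsass.exe "
              "GrantedAccess: 0x1400 CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+4bc3a"),
    snare(10, "Process accessed: UtcTime: 2017-01-24 08:12:33.120 SourceProcessGUID: {A2} "
              "SourceProcessId: 4212 SourceThreadId: 4216 SourceImage: C:\\Tools\\mimikatz.exe "
              "TargetProcessGUID: {B1} TargetProcessId: 612 TargetImage: C:\\Windows\\System32\\lsass.exe "
              "GrantedAccess: 0x1010 CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+4bc3a"),
    snare(1, "Process Create: UtcTime: 2017-01-24 08:12:29.000 Image: C:\\Tools\\mimikatz.exe"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LINES):
        print(finding)
```

The 0x1010 mask is the one commonly reported for sekurlsa::logonpasswords, but other mimikatz modules and other dumpers request different combinations, so the check keys on the PROCESS_VM_READ bit rather than on a single mask value. Tuning in practice is an allowlist on SourceImage for the antivirus and EDR agents that legitimately read LSASS, not a wider GrantedAccess exclusion.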

    Appendix: a complete NXlog configuration example (Windows event log to Graylog2 over GELF, with filtering):

    ## This is a basic configuration file for Windows Server 2008 and 2012
    ## to GrayLog2 with GELF support and filtering.
    ## See the nxlog reference manual about the configuration options.
    ## It should be installed locally and is also available
    ## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html
    
    ## Please set the ROOT to the folder your nxlog was installed into,
    ## otherwise it will not start.
    
    define ROOT C:\Program Files (x86)\nxlog
    # define ROOT C:\Program Files\nxlog
    
    Moduledir %ROOT%\modules
    CacheDir %ROOT%\data
    Pidfile %ROOT%\data\nxlog.pid
    SpoolDir %ROOT%\data
    LogFile %ROOT%\data\nxlog.log
    
    <Extension gelf>
        Module xm_gelf
    </Extension>
    
    <Input pr_mseventlog>
        Module      im_msvistalog
        ReadFromLast    True
        # http://msdn.microsoft.com/en-us/library/aa385231.aspx
        # http://msdn.microsoft.com/en-us/library/ff604025(v=office.14).aspx
        # Level 1 (ID=30  Critical)     severity level events
        # Level 2 (ID=40  Error)        severity level events
        # Level 3 (ID=50  Warning)      severity level events
        # Level 4 (ID=80  Information)  severity level events
        # Level 5 (ID=100 Verbose)      severity level events
        # All channels are included by default which are listed in the registry under these:
        # HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels
        # HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\System
        #
        # Further channels can be added to the query, for example:
        # <Select Path='Key Management Service'>*</Select>
        # <Select Path='Internet Explorer'>*</Select>
        # <Select Path='HardwareEvents'>*</Select>
        #
        # Level always sits under the System element of the event XML, whatever the
        # channel, so the Application filter below also uses System/Level. "Level=4"
        # selects only that one level; use *[System[Level<=4]] to take Critical
        # through Information.
        Query   <QueryList>
            <Query Id="0">
                <Select Path="Security">*</Select>
                <Select Path="System">*[System/Level=4]</Select>
                <Select Path="Application">*[System/Level=2]</Select>
                <Select Path="Setup">*[System/Level=3]</Select>
                <Select Path='Windows PowerShell'>*</Select>
            </Query>
        </QueryList>
    
        # REGEX EXAMPLES:
        # "\s" matches one whitespace character, and ".*" matches any run of characters
        # Line contains both "bubble" and "gum"
        #   Search pattern: ^(?=.*?bubble)(?=.*?gum).*
        # Line does not contain "boy"
        #   Search pattern: ^(?!.*boy).*
        # Line contains "bubble" but neither "gum" nor "bath"
        #   Search pattern: ^(?=.*bubble)(?!.*gum)(?!.*bath).*
    
        # Uncomment next line to view all logs, we can view output to help
        # create the regex, next line shows my $raw_event data to parse:
        # 2013-11-18 15:23:02 INFO 2013-12-18 15:23:01 ahost.adomain.local INFO 62464 UVD Information
        # Exec   log_info($raw_event) ;
        # Drop the noisy event 62464 (UVD Information) before it is shipped.
        Exec if ($raw_event =~ /INFO\s+62464/) drop();
    
    </Input>
    
    <Output out>
        Module      om_udp
        Host        10.247.x.x
        Port        12201
        OutputType  GELF
    </Output>
    
    <Route 1>
        Path    pr_mseventlog  => out
    </Route>
    

      

    References:

    http://www.freebuf.com/sectool/122779.html

    https://technet.microsoft.com/en-us/sysinternals/dn798348

    https://nxlog.co/docs/sysmon/audit-logging-on-windows-with-sysmon-and-nxlog.html

    http://www.ilanni.com/?p=595

    Original article: https://www.cnblogs.com/xiaoxiaoleo/p/6337423.html