Sysmon + NXlog构建简单的windows安全监控
工具:
Sysmon (sysmon 5.0) ,NXlog(nxlog-ce-2.9.1716.msi) .
Sysmon监控系统并生成windows event log, NXlog将windows event log传输到syslog服务器。
Sysmon可以监控Process create, Process terminate, Driver loaded, File creation time changed, RawAccessRead, CreateRemoteThread, Sysmon service state changed。
配置:
NXlog配置:
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/ ## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start. #define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log <Extension _syslog>
Module xm_syslog
</Extension> <Input in>
Module im_msvistalog
Query <QueryList> <Query Id="0"> <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select> </Query></QueryList>
</Input> <Output out>
Module om_udp
Host security-log.syslogserver.com
Port 639
Exec to_syslog_snare();
</Output> <Route 1>
Path in => out
</Route>
Sysmon配置:
<Sysmon schemaversion="3.20">
<!-- Capture all hashes -->
<HashAlgorithms>*</HashAlgorithms>
<EventFiltering>
<!-- Log all drivers except if the signature -->
<!-- contains Microsoft or Windows -->
<DriverLoad onmatch="exclude">
<Signature condition="contains">Microsoft</Signature>
<Signature condition="contains">Windows</Signature>
</DriverLoad>
<ProcessTerminate onmatch="include" >
<Image condition="end with">MsMpEng.exe</Image>
</ProcessTerminate>
<!-- Log network connection if the destination port equal 443 -->
<!-- or 80, and process isn't InternetExplorer -->
<!--NetworkConnect onmatch="include">
<DestinationPort>443</DestinationPort>
<DestinationPort>80</DestinationPort >
</NetworkConnect -->
<FileCreateTime onmatch="exclude" >
<Image condition="end with">chrome.exe</Image>
</FileCreateTime>
<ImageLoad onmatch="include">
<Signed condition="is">false</Signed>
</ImageLoad>
<!-- Log access rights for lsass.exe or winlogon.exe is not PROCESS_QUERY_INFORMATION -->
<ProcessAccess onmatch="exclude">
<GrantedAccess condition="is">0x1400</GrantedAccess>
</ProcessAccess>
<ProcessAccess onmatch="include">
<TargetImage condition="end with">lsass.exe</TargetImage>
<TargetImage condition="end with">winlogon.exe</TargetImage>
</ProcessAccess>
<NetworkConnect onmatch="exclude">
<Image condition="end with">chrome.exe</Image>
<SourcePort condition="is">137</SourcePort>
<SourcePortName condition="is">llmnr</SourcePortName>
<DestinationPortName condition="is">llmnr</DestinationPortName>
</NetworkConnect>
<CreateRemoteThread onmatch="include">
<TargetImage condition="end with">explorer.exe</TargetImage>
<TargetImage condition="end with">svchost.exe</TargetImage>
<TargetImage condition="end with">winlogon.exe</TargetImage>
<SourceImage condition="end with">powershell.exe</SourceImage>
</CreateRemoteThread>
</EventFiltering>
</Sysmon>
测试案例:
安装:
- sysmon -i config.conf 。
- nxlog双击运行,记得启动服务。(NXlog可命令行安装 msiexec /i nxlog-ce-2.9.1716.msi AGREETOLIECENSE="yes" ACCEPT=YES /qr+)
使用mimikatz抓取hash:


附NXlog完整配置样例:
## This is a basic configuration file for Windows Server 2008 * 2012
## to GrayLog2 with GELF support and filtering.
## See the nxlog reference manual about the configuration options.
## It should be installed locally and is also available
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html ## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start. define ROOT C:\Program Files (x86)\nxlog
# define ROOT C:\Program Files\nxlog Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log <Extension gelf>
Module xm_gelf
</Extension> <Input pr_mseventlog>
Module im_msvistalog
ReadFromLast True
# http://msdn.microsoft.com/en-us/library/aa385231.aspx
# http://msdn.microsoft.com/en-us/library/ff604025(v=office.14).aspx
# Level 1 (ID=30 Critical) severity level events
# Level 2 (ID=40 Error) severity level events
# Level 3 (ID=50 Warning) severity level events
# Level 4 (ID=80 Information) severity level events
# Level 5 (ID=100 Verbose) severity level events
# All channels are included by default which are listed in the registry under these:
# HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels
# HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\System
#
# <Select Path='Key Management Service'>*</Select></Query>\
# <Select Path='Internet Explorer'>*</Select></Query>\
# <Select Path='HardwareEvents'>*</Select></Query>\
#
Query <QueryList>\
<Query Id="0">\
<Select Path="Security">*</Select>\
<Select Path="System">*[System/Level=4]</Select>\
<Select Path="Application">*[Application/Level=2]</Select>\
<Select Path="Setup">*[System/Level=3]</Select>\
<Select Path='Windows PowerShell'>*</Select>\
</Query>\
</QueryList> # REGEX EXAMPLES:
# "\s" equals one white space character, and ".*" equals any one char
# Line Contains both "bubble" and "gum"
# Search pattern: ^(?=.*?\bbubble\b)(?=.*?\bgum\b).*
# Line does Not Contain "boy"
# Search pattern: ^(?!.*boy).*
# Line Contains "bubble" but Neither "gum" Nor "bath"
# Search pattern: ^(?=.*bubble)(?!.*gum)(?!.*bath).* # Uncomment next line to view all logs, we can view output to help
# create the regex, next line shows my $raw_event data to parse:
# 2013-11-18 15:23:02 INFO 2013-12-18 15:23:01 ahost.adomain.local INFO 62464 UVD Information
# Exec log_info($raw_event) ;
Exec if ($raw_event =~ /INFO\s+62464/) drop(); </Input> <Output out>
Module om_udp
Host 10.247.x.x
Port 12201
OutputType GELF
</Output> <Route 1>
Path pr_mseventlog => out
</Route>
参考:
http://www.freebuf.com/sectool/122779.html
https://technet.microsoft.com/en-us/sysinternals/dn798348
https://nxlog.co/docs/sysmon/audit-logging-on-windows-with-sysmon-and-nxlog.html
http://www.ilanni.com/?p=595
Sysmon + NXlog构建简单的windows安全监控的更多相关文章
- 使用Topshelf组件构建简单的Windows服务
很多时候都在讨论是否需要了解一个组件或者一个语言的底层原理这个问题,其实我个人觉得,对于这个问题,每个人都有自己的看法,个人情况不同,选择的方式也就会不同了.我个人觉得无论学习什么,都应该尝试着去了解 ...
- 使用webstorm+webpack构建简单入门级“HelloWorld”的应用&&引用jquery来实现alert
使用webstorm+webpack构建简单入门级"HelloWorld"的应用&&构建使用jquery来实现 1.首先你自己把webstorm安装完成. 请参考这 ...
- 构建简单的Maven工程,使用测试驱动的方式开发项目
构建简单的Maven工程很简单,这里写这篇随笔的原因是希望自己能记住几个小点. 一.安装Maven 1.下载maven:https://maven.apache.org/download.cgi 2. ...
- 【译】用boosting构建简单的目标分类器
用boosting构建简单的目标分类器 原文 boosting提供了一个简单的框架,用来构建鲁棒性的目标检测算法.这里提供了必要的函数来实现它:100% MATLAB实现,作为教学工具希望让它简单易得 ...
- 刚查了,Z3795不支持EPT,即WP8开发必须的SLAT,看来只能作为简单的WINDOWS备机了
刚查了,Z3795不支持EPT,即WP8开发必须的SLAT,看来只能作为简单的WINDOWS备机了,也就只能做做文档编辑,脚本编写之类的. 数据来源 http://ark.intel.com/zh-C ...
- 三、使用Maven构建简单的java项目
前边,我刚搭建了Maven环境,还有给大家推荐了学习资源,这个小节,我们来就来,,简单的玩玩maven. 1.所需工具: 1.Eclipse 2.apache-maven-3.3.9 3. ...
- 构建简单的 C++ 服务组件,第 1 部分: 服务组件体系结构 C++ API 简介
构建简单的 C++ 服务组件,第 1 部分: 服务组件体系结构 C++ API 简介 熟悉将用于 Apache Tuscany SCA for C++ 的 API.您将通过本文了解该 API 的主要组 ...
- Directx11学习笔记【一】 最简单的windows程序HelloWin
声明:本系列教程代码有部分来自dx11龙书及dx11游戏编程入门两本书,后面不再说明 首先,在vs2013中创建一个空的解决方案Dx11Demo,以后的工程都会放在这个解决方案下面.然后创建一个win ...
- Android 第三课 构建简单的用户界面
构建简单的用户界面 上一课下一课 该课程教你 创建线性布局 添加文本框 添加字符串资源 添加按钮 使输入框宽度充满整个屏幕 你也应该阅读 布局 Android的图形用户界面通过 View 和 View ...
随机推荐
- 字符串(string)与整型(int)、浮点型(float)等之间的转换
#include <stdlib.h> 1.int/float to string/array: C语言提供了几个标准库函数,可以将任意类型(整型.长整型.浮点型等)的数字转换为字符串,下 ...
- Java Junit测试框架
Java Junit测试框架 1.相关概念 Ø JUnit:是一个开发源代码的Java测试框架,用于编写和运行可重复的测试.它是用于单元测试框架体系xUnit的一个实例(用于java语言).主要 ...
- 每日一问(常用的集合接口和类有哪些【二】)—最常用的集合ArrayList类
本人在曾经的数年编程生涯中,使用的最多的就是ArrayList类了,原因也非常简单.ArrayList类可以是最直接符合集合这一概念的类了,当然这种说法只是我的个人之见.ArrayList可以说是一个 ...
- BZOJ5288 HNOI/AHOI2018游戏
首先将之间没有锁的房间合并.显然可达性具有传递性和反交换律(即若a能到达b,则b不能到达a). 考虑对每个房间找到其左右第一个(即与其最接近的)能作为起点到达它的房间.如果能求出这个,对此建两棵树,问 ...
- P3223 [HNOI2012]排队
题目描述 某中学有 n 名男同学,m 名女同学和两名老师要排队参加体检.他们排成一条直线,并且任意两名女同学不能相邻,两名老师也不能相邻,那么一共有多少种排法呢?(注意:任意两个人都是不同的) 输入输 ...
- Cryptography Reloaded UVALive - 4353(BigInteger)
写写式子就出来了方程.. 然后解方程..不过数很大..用Java就好啦.. 就不贴呃的代码了...贴别人的..https://blog.csdn.net/qq_15714857/article/det ...
- PHP Warning: strftime(): It is not safe to rely on the system's timezone set
当运行一些程序时,在httpd日志中会有如下警告日志: PHP Warning: strftime(): It is not safe to rely on the system's timezon ...
- 【agc001d】Arrays and Palindrome
Portal -->agc001D Description 给你一个\(m\)个数的排列\(A\),这个\(A\)中元素的顺序可以随便调换,\(A\)中的元素的和为\(n\),现在要你构造一个数 ...
- PCA主成分分析 R语言
1. PCA优缺点 利用PCA达到降维目的,避免高维灾难. PCA把所有样本当作一个整体处理,忽略了类别属性,所以其丢掉的某些属性可能正好包含了重要的分类信息 2. PCA原理 条件1:给定一个m*n ...
- django中django.conf.urls.url函数
在urls.py文件中,我们经常会看到类似于这样的代码: urlpatterns = [ url(r'^blog/(?P<year>[0-9]{4})/$', views.year_arc ...