Có lý do nào đó mà CTO MS (Mark Russinovich) tạo ra sysmon để audit/monitor Windows instances. Mình cũng tập tài cài, collect lưu về SIEM. MS Windows cũng đã có log nên hiển nhiên 1 số events sẽ trùng lắp:
* EventCode=4688 của Wineventlog và EventCode=1 của Sysmon. Các events lệch nhau 1 chút, khoảng 1 2 giây tối đa.
Sysmon đã bổ sung lưu cả parameters của 1 process command line (Wineventlog thì không) nên chiếu theo luật log thừa, có lẽ sẽ nên blacklist các events 4688 và 4689. 1 eventcode=1 của sysmon thường có thông tin như sau:
............... UtcTime: 2021-10-11 08:55:31.791 ProcessGuid: {BE5D7639-FC03-6163-5B75-030000001400} ProcessId: 4396 Image: C:\Windows\System32\reg.exe FileVersion: 10.0.14393.0 (rs1_release.160715-1616) Description: Registry Console Tool Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: reg.exe CommandLine: reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB982573" CurrentDirectory: C:\Windows\system32\ User: NT AUTHORITY\SYSTEM LogonGuid: {BE5D7639-BBCE-6149-E703-000000000000} LogonId: 0x3E7 TerminalSessionId: 0 IntegrityLevel: System Hashes: MD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352 ..........
Đã tin tưởng Sysinternals tools, cộng với việc Sysmon sẽ làm được nhiều trò trống, nhất là việc mon//giám sát. Nên quyết định chiến với sysmon thôi.
Happy monitoring!!!
1 comment:
Bài hay nói về 1 số Windows Event ID chuyên để Threat Hunt
https://www.socinvestigation.com/threat-hunting-using-windows-security-log/
Tóm tắt:
1. Event ID 4771 – Failed Kerberos Pre-Authentication - kèm code 0x18 (sai user pass) / 0x12 (account locked out)
2. Event ID 4625 – Failed Logins
(3. Event ID 4794 – An attempt was made to set the Directory Services Restore Mode administrator password)
4. Event ID’s – 4793/643, 4713/617, 4719/612 – Policy Changes
..
7. Event ID’s – 4728, 4732 & 4756 – Users being added to security-enabled groups
8. Event ID – 4697 – A service was installed in the system
9. Event ID – 4672 – Special privileges assigned to new logon
10. Event ID – 4688 – A new process has been created
11. Event ID – 4723 – An attempt was made to change an account’s password
13. Event ID – 4720 – A Local user account was created
14. Event ID – 4698 & 4702 – Scheduled task creation/modification
>>> 17. Event ID – 1102 – The audit log was cleared <<<
>>> Event ID - 7045 - New Service was installed <<<
hoặc sysmon registry updated // created events
Post a Comment