浅谈某产品在Windows环境下自定义策略

日志的基本走向

image

某产品策略示例

策略名称 策略细节 策略来源 注释
T1003.005.RULE OS Credential Dumping: Cached Domain Credentials This is rule based on Sysmon configuration. Following options should be enable: In section add following lines: HKLM\SECURITY\CACHE Get more Windows MITRE rules: https://www.scnsoft.com/services/security/siem/windows-mitre-attack-rule https://attack.mitre.org/tactics/TA0006/ 策略是通过定义Sysmon的配置文件自定义策略匹配收集日志
WIN.T1052.001.RULE Exfiltration Over Physical Medium: Exfiltration over USB No action required. Get more Windows MITRE rules: https://www.scnsoft.com/services/security/siem/windows-mitre-attack-rules https://attack.mitre.org/techniques/T1052/001/ 此处和下面列举的策略都是No action required,表示没有动作只有事件产生,所以可以根据Windows生成的事件进行检测
WIN.T1053.002.RULE Scheduled Task/Job: At (Windows) No action required. Get more Windows MITRE rules: https://www.scnsoft.com/services/security/siem/windows-mitre-attack-rules https://attack.mitre.org/techniques/T1053/002/ 基于事件ID检测
WIN.T1053.005.RULE Scheduled Task/Job: Scheduled Task No action required. Get more Windows MITRE rules: https://www.scnsoft.com/services/security/siem/windows-mitre-attack-rules https://attack.mitre.org/techniques/T1053/005/ 基于事件ID检测
WIN.T1070.001.RULE Indicator Removal on Host: Clear Windows Event Logs No action required. Get more Windows MITRE rules: https://www.scnsoft.com/services/security/siem/windows-mitre-attack-rules https://attack.mitre.org/techniques/T1070/001/ 基于事件ID检测
WIN.T1200.RULE Hardware Additions No action required. Get more Windows MITRE rules: https://www.scnsoft.com/services/security/siem/windows-mitre-attack-rules https://attack.mitre.org/techniques/T1200/ 基于事件ID检测
WIN.T1222.001.RULE File and Directory Permissions Modification: Windows File and Directory Permissions Modification No action required. Get more Windows MITRE rules: https://www.scnsoft.com/services/security/siem/windows-mitre-attack-rules https://attack.mitre.org/techniques/T1222/001/ 基于事件ID检测
WIN.T1489.RULE Service Stop No action required. Get more Windows MITRE rules: https://www.scnsoft.com/services/security/siem/windows-mitre-attack-rules https://attack.mitre.org/techniques/T1489/ 没有事件ID,但是Mitre官方给出的检测方式都是监控命令参数,文件,进程,服务和注册表
WIN.T1490.RULE Inhibit System Recovery No action required. Get more Windows MITRE rules: https://www.scnsoft.com/services/security/siem/windows-mitre-attack-rules https://attack.mitre.org/techniques/T1490/ 基于事件ID检测
WIN.T1529.RULE System Shutdown/Reboot No action required. Get more Windows MITRE rules: https://www.scnsoft.com/services/security/siem/windows-mitre-attack-rules https://attack.mitre.org/techniques/T1529/ 基于事件ID检测
WIN.T1558.001.RULE Steal or Forge Kerberos Tickets: Golden Ticket No action required. Get more Windows MITRE rules: https://www.scnsoft.com/services/security/siem/windows-mitre-attack-rules https://attack.mitre.org/techniques/T1558/001/ 基于事件ID检测
WIN.T1558.002.RULE Steal or Forge Kerberos Tickets: Silver Ticket No action required. Get more Windows MITRE rules: https://www.scnsoft.com/services/security/siem/windows-mitre-attack-rules https://attack.mitre.org/techniques/T1558/002/ 基于事件ID检测
WIN.T1558.003.RULE Steal or Forge Kerberos Tickets: Kerberoasting No action required. Get more Windows MITRE rules: https://www.scnsoft.com/services/security/siem/windows-mitre-attack-rules https://attack.mitre.org/techniques/T1558/003/ 基于事件ID检测

基于关键字匹配策略来源细节诠释

image

In section <ProcessCreate onmatch="include"> add following lines: <CommandLine name="T1003.005" condition="contains">HKLM\SECURITY\CACHE</CommandLine>

根据上述策略细节显示,可知是通过Sysmon的配置准确定义检测注册表HKLM\SECURITY\CACHE的变化进行研判是否触发策略,从而生成对应的日志事件,将其转发至Agent,再解析日志格式推送至SIEM

事件ID匹配策略诠释

表格中列举出来的基于事件ID匹配策略,某产品文档中给出的就是No action required,大概意思就是不用基于某些关键字操作行为的关键字进行监控,而是直接使用Windows生成的事件ID号进行策略匹配;

不过发现个别策略Mitre官方并未给出检测的策略事件ID,但是某产品给出了,目前我尚未查询到对应事件ID

总结

此产品流量走向和策略匹配是基于Windows环境下Sysmon工具为基础进行收集生成,然后某产品通过Agent解析日志格式并推送至SIEM中,最终在SIEM中配置定义触发的条件,进行关联分析;其中在策略部分简单点理解就是使用Mitre里面告知的检测方式进行定义Sysmon配置文件,通过Sysmon生成的日志,然后使用Agent将其解析最终推送至SIME的过程;

引用参考链接:

Sysmon官方下载地址:
https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
 
Sysmon安装使用:
https://blog.csdn.net/qq237696047/article/details/108886184
https://www.cnblogs.com/SzSecNote/p/14203360.html
https://www.jianshu.com/p/43bf5aadfd28
https://blog.csdn.net/qq_34367997/article/details/94749805
 
配置模板及Windows环境下恶意行为日志:
https://github.com/SwiftOnSecurity/sysmon-config
https://www.malwarearchaeology.com/cheat-sheets
https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/5eb3687f39d69d48c403a42a/1588816000014/Windows+Sysmon+Logging+Cheat+Sheet_Jan_2020.pdf
https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/5b8f091c0ebbe8644d3a886c/1536100639356/Windows+ATT%26CK_Logging+Cheat+Sheet_ver_Sept_2018.pdf
https://github.com/MalwareArchaeology/ATTACK
https://github.com/olafhartong/sysmon-modular
https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml
 
Mitre官方:
https://attack.mitre.org/techniques/T1003/005/
posted @   皇帽讲绿帽带法技巧  阅读(113)  评论(0编辑  收藏  举报
编辑推荐:
· AI与.NET技术实操系列(二):开始使用ML.NET
· 记一次.NET内存居高不下排查解决与启示
· 探究高空视频全景AR技术的实现原理
· 理解Rust引用及其生命周期标识(上)
· 浏览器原生「磁吸」效果!Anchor Positioning 锚点定位神器解析
阅读排行:
· DeepSeek 开源周回顾「GitHub 热点速览」
· 物流快递公司核心技术能力-地址解析分单基础技术分享
· .NET 10首个预览版发布:重大改进与新特性概览!
· AI与.NET技术实操系列(二):开始使用ML.NET
· 单线程的Redis速度为什么快?
历史上的今天:
2020-12-02 HTB-靶机-Nibbles
2020-12-02 HTB-靶机-CrimeStoppers
点击右上角即可分享
微信分享提示
AI FOR CODE 大赛