日志的基本走向
某产品策略示例
| 策略名称 | 策略细节 | 策略来源 | 注释 |
|---|---|---|---|
| T1003.005.RULE OS Credential Dumping: Cached Domain Credentials | This is rule based on Sysmon configuration. Following options should be enable: In section add following lines: HKLM\SECURITY\CACHE Get more Windows MITRE rules: https://www.scnsoft.com/services/security/siem/windows-mitre-attack-rule | https://attack.mitre.org/tactics/TA0006/ | 策略是通过定义Sysmon的配置文件自定义策略匹配收集日志 |
| WIN.T1052.001.RULE Exfiltration Over Physical Medium: Exfiltration over USB | No action required. Get more Windows MITRE rules: https://www.scnsoft.com/services/security/siem/windows-mitre-attack-rules | https://attack.mitre.org/techniques/T1052/001/ | 此处和下面列举的策略都是No action required,表示没有动作只有事件产生,所以可以根据Windows生成的事件进行检测 |
| WIN.T1053.002.RULE Scheduled Task/Job: At (Windows) | No action required. Get more Windows MITRE rules: https://www.scnsoft.com/services/security/siem/windows-mitre-attack-rules | https://attack.mitre.org/techniques/T1053/002/ | 基于事件ID检测 |
| WIN.T1053.005.RULE Scheduled Task/Job: Scheduled Task | No action required. Get more Windows MITRE rules: https://www.scnsoft.com/services/security/siem/windows-mitre-attack-rules | https://attack.mitre.org/techniques/T1053/005/ | 基于事件ID检测 |
| WIN.T1070.001.RULE Indicator Removal on Host: Clear Windows Event Logs | No action required. Get more Windows MITRE rules: https://www.scnsoft.com/services/security/siem/windows-mitre-attack-rules | https://attack.mitre.org/techniques/T1070/001/ | 基于事件ID检测 |
| WIN.T1200.RULE Hardware Additions | No action required. Get more Windows MITRE rules: https://www.scnsoft.com/services/security/siem/windows-mitre-attack-rules | https://attack.mitre.org/techniques/T1200/ | 基于事件ID检测 |
| WIN.T1222.001.RULE File and Directory Permissions Modification: Windows File and Directory Permissions Modification | No action required. Get more Windows MITRE rules: https://www.scnsoft.com/services/security/siem/windows-mitre-attack-rules | https://attack.mitre.org/techniques/T1222/001/ | 基于事件ID检测 |
| WIN.T1489.RULE Service Stop | No action required. Get more Windows MITRE rules: https://www.scnsoft.com/services/security/siem/windows-mitre-attack-rules | https://attack.mitre.org/techniques/T1489/ | 没有事件ID,但是Mitre官方给出的检测方式都是监控命令参数,文件,进程,服务和注册表 |
| WIN.T1490.RULE Inhibit System Recovery | No action required. Get more Windows MITRE rules: https://www.scnsoft.com/services/security/siem/windows-mitre-attack-rules | https://attack.mitre.org/techniques/T1490/ | 基于事件ID检测 |
| WIN.T1529.RULE System Shutdown/Reboot | No action required. Get more Windows MITRE rules: https://www.scnsoft.com/services/security/siem/windows-mitre-attack-rules | https://attack.mitre.org/techniques/T1529/ | 基于事件ID检测 |
| WIN.T1558.001.RULE Steal or Forge Kerberos Tickets: Golden Ticket | No action required. Get more Windows MITRE rules: https://www.scnsoft.com/services/security/siem/windows-mitre-attack-rules | https://attack.mitre.org/techniques/T1558/001/ | 基于事件ID检测 |
| WIN.T1558.002.RULE Steal or Forge Kerberos Tickets: Silver Ticket | No action required. Get more Windows MITRE rules: https://www.scnsoft.com/services/security/siem/windows-mitre-attack-rules | https://attack.mitre.org/techniques/T1558/002/ | 基于事件ID检测 |
| WIN.T1558.003.RULE Steal or Forge Kerberos Tickets: Kerberoasting | No action required. Get more Windows MITRE rules: https://www.scnsoft.com/services/security/siem/windows-mitre-attack-rules | https://attack.mitre.org/techniques/T1558/003/ | 基于事件ID检测 |
基于关键字匹配策略来源细节诠释
In section <ProcessCreate onmatch="include"> add following lines: <CommandLine name="T1003.005" condition="contains">HKLM\SECURITY\CACHE</CommandLine>
根据上述策略细节显示,可知是通过Sysmon的配置准确定义检测注册表HKLM\SECURITY\CACHE的变化进行研判是否触发策略,从而生成对应的日志事件,将其转发至Agent,再解析日志格式推送至SIEM
事件ID匹配策略诠释
表格中列举出来的基于事件ID匹配策略,某产品文档中给出的就是No action required,大概意思就是不用基于某些关键字操作行为的关键字进行监控,而是直接使用Windows生成的事件ID号进行策略匹配;
不过发现个别策略Mitre官方并未给出检测的策略事件ID,但是某产品给出了,目前我尚未查询到对应事件ID
总结
此产品流量走向和策略匹配是基于Windows环境下Sysmon工具为基础进行收集生成,然后某产品通过Agent解析日志格式并推送至SIEM中,最终在SIEM中配置定义触发的条件,进行关联分析;其中在策略部分简单点理解就是使用Mitre里面告知的检测方式进行定义Sysmon配置文件,通过Sysmon生成的日志,然后使用Agent将其解析最终推送至SIME的过程;
引用参考链接:
Sysmon官方下载地址:
https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
Sysmon安装使用:
https://blog.csdn.net/qq237696047/article/details/108886184
https://www.cnblogs.com/SzSecNote/p/14203360.html
https://www.jianshu.com/p/43bf5aadfd28
https://blog.csdn.net/qq_34367997/article/details/94749805
配置模板及Windows环境下恶意行为日志:
https://github.com/SwiftOnSecurity/sysmon-config
https://www.malwarearchaeology.com/cheat-sheets
https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/5eb3687f39d69d48c403a42a/1588816000014/Windows+Sysmon+Logging+Cheat+Sheet_Jan_2020.pdf
https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/5b8f091c0ebbe8644d3a886c/1536100639356/Windows+ATT%26CK_Logging+Cheat+Sheet_ver_Sept_2018.pdf
https://github.com/MalwareArchaeology/ATTACK
https://github.com/olafhartong/sysmon-modular
https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml
Mitre官方:
https://attack.mitre.org/techniques/T1003/005/