Sysmon is a "behavior monitor": its only job is to record.
Use Sysmon to capture attacks as they happen (for example, process injection).
First install Sysmon. Windows 11 has it built in: enable it from the classic Control Panel under "Turn Windows features on or off".
On Windows 10 or earlier, just download and run sysmon64; it is a standalone executable, so no installer package is needed.
Download and documentation are on Microsoft's page: https://learn.microsoft.com/zh-tw/sysinternals/downloads/sysmon
Install with the default settings (process images hashed with SHA1, network not monitored):
sysmon -accepteula -i   # run this first, because sometimes the install does not actually take
sysmon -c c:\windows\config.xml   # apply the configuration file
The Sysmon configuration file should come from this project:
https://github.com/olafhartong/sysmon-modular   # pick whichever type you need
| Type | Config | Description |
|---|---|---|
| default | sysmonconfig.xml | This is the balanced configuration, most used, more information here |
| default+ | sysmonconfig-with-filedelete.xml | This is the balanced configuration, most used, more information including FileDelete file saves |
| verbose | sysmonconfig-excludes-only.xml | This is the very verbose configuration, all events are included, only the exclusion modules are applied. This should not be used in production without validation, will generate a significant amount of data and might impact performance. More information here |
| super verbose | sysmonconfig-research.xml | A configuration with extreme verbosity. The log volume expected from this file is significantly high, really DO NOT USE IN PRODUCTION! This config is only for research, this will use way more CPU/Memory. Only enable prior to running the to be investigated technique, when done load a lighter config. |
| MDE augment | sysmonconfig-mde-augmentation.xml | A configuration to augment Defender for Endpoint, intended to augment the information and have as little overlap as possible. This is based on the default/balanced config and will not generate all events for Sysmon, there are comments in the config. In the benefit of IR, consider using the excludes only config and only ingest the enriching events. (Blog with more rationale soon) |
Grafana Alloy releases (project URL): https://github.com/grafana/alloy/releases
The client-side alloy.config
-------------------------------------------------------------------------------------------------------------
logging {
  level = "info"
}

// ==========================================
// Sysmon Windows Event Log
// ==========================================
loki.source.windowsevent "sysmon" {
  eventlog_name          = "Microsoft-Windows-Sysmon/Operational"
  use_incoming_timestamp = true
  forward_to             = [loki.process.endpoint.receiver]
}

// ==========================================
// Pipeline Processing
// ==========================================
// 3.1 Sysmon processing pipeline
loki.process "endpoint" {
  forward_to = [loki.write.loki_receiver.receiver]

  // JSON fields of the Windows Event Log record
  stage.json {
    expressions = {
      message               = "message",
      source                = "source",
      eventRecordID         = "event_id",
      channel               = "channel",
      execution_processId   = "execution.process_id",
      execution_processName = "execution.process_name",
    }
  }

  // Keep the extracted fields as structured metadata
  stage.structured_metadata {
    values = {
      eventRecordID         = "eventRecordID",
      channel               = "channel",
      execution_processId   = "execution_processId",
      execution_processName = "execution_processName",
    }
  }

  // Labels
  stage.labels {
    values = {
      job          = "source",
      service_name = "source",
    }
  }

  // Only the message text becomes the log line
  stage.output {
    source = "message"
  }
}

// ==========================================
// Loki Write
// ==========================================
loki.write "loki_receiver" {
  endpoint {
    url = "http://localhost:3100/loki/api/v1/push" // replace localhost with the Loki host's IP
  }
}
-----------------------------------------------------------------------------------------------------------------------
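The pipeline above turns each Sysmon event into a Loki entry whose log line is only the Sysmon message text, with the event ID and channel carried as structured metadata. The script below is an added example (it is not part of this post and not Alloy's or Loki's own code): it replays the same stage.json, structured_metadata, labels and output steps in Python over one constructed Sysmon event ID 8 (CreateRemoteThread) record, then shows the check a detection rule would run on what reaches Loki for the process-injection case mentioned at the top (Sysmon event IDs 8 and 10). The record's field names (`event_id`, `eventRecordID`, `execution.processId`, ...) are assumptions taken from the Alloy/Promtail Windows event JSON format and the values are made up; verify them against a real event in Alloy's debug UI. With those names the post's `execution.process_id` expression matches nothing and, as in the Alloy stage, resolves to an empty value, and the metadata key named `eventRecordID` is filled from `event_id`, so it actually carries the Sysmon event ID.

```python
import json

# Constructed sample record in the JSON shape Alloy's loki.source.windowsevent emits
# for a Sysmon event (field names assumed from the Alloy/Promtail Windows event format,
# values made up). Event ID 8 is Sysmon's CreateRemoteThread event.
SAMPLE_CREATE_REMOTE_THREAD = json.dumps({
    "source": "Microsoft-Windows-Sysmon",
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "event_id": 8,
    "eventRecordID": 1508,
    "execution": {"processId": 2468, "processName": "C:\\Windows\\Sysmon64.exe"},
    "message": (
        "CreateRemoteThread detected:\r\n"
        "RuleName: -\r\n"
        "UtcTime: 2024-01-01 12:00:00.000\r\n"
        "SourceProcessId: 4321\r\n"
        "SourceImage: C:\\Users\\demo\\injector.exe\r\n"
        "TargetProcessId: 1234\r\n"
        "TargetImage: C:\\Windows\\explorer.exe\r\n"
        "StartAddress: 0x00007FF600001000\r\n"
        "StartModule: -"
    ),
})

# Second constructed record, Sysmon event ID 1 (process creation), for the negative case.
SAMPLE_PROCESS_CREATE = json.dumps({
    "source": "Microsoft-Windows-Sysmon",
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "event_id": 1,
    "eventRecordID": 1509,
    "message": "Process Create:\r\nRuleName: -\r\nImage: C:\\Windows\\System32\\notepad.exe",
})

# The same expressions, metadata keys and labels as the Alloy config above.
EXPRESSIONS = {
    "message": "message",
    "source": "source",
    "eventRecordID": "event_id",
    "channel": "channel",
    "execution_processId": "execution.process_id",
    "execution_processName": "execution.process_name",
}
STRUCTURED_METADATA = ["eventRecordID", "channel", "execution_processId", "execution_processName"]
LABELS = {"job": "source", "service_name": "source"}

# Sysmon event IDs in which process injection typically surfaces.
INJECTION_EVENT_IDS = {8: "CreateRemoteThread", 10: "ProcessAccess"}


def lookup(obj, path):
    """Resolve a dotted path such as 'execution.process_id'; a path that matches
    nothing yields '' (the Alloy stage likewise leaves it empty instead of failing)."""
    for part in path.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return ""
        obj = obj[part]
    return "" if obj is None else str(obj)


def run_pipeline(line):
    """Mimic stage.json -> stage.structured_metadata -> stage.labels -> stage.output."""
    record = json.loads(line)
    extracted = {name: lookup(record, path) for name, path in EXPRESSIONS.items()}
    return {
        "labels": {label: extracted[src] for label, src in LABELS.items()},
        "structured_metadata": {key: extracted[key] for key in STRUCTURED_METADATA},
        "line": extracted["message"],  # stage.output: only the message text is the log line
    }


def parse_sysmon_message(text):
    """Turn the 'Key: value' lines of a Sysmon message into a dict."""
    fields = {}
    for raw in text.splitlines():
        key, sep, value = raw.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def injection_alert(entry):
    """Return a small alert dict when the shipped entry is an injection-relevant
    Sysmon event (ID 8 or 10), otherwise None."""
    try:
        event_id = int(entry["structured_metadata"]["eventRecordID"])
    except ValueError:  # metadata empty or not numeric: nothing to decide on
        return None
    if event_id not in INJECTION_EVENT_IDS:
        return None
    fields = parse_sysmon_message(entry["line"])
    return {
        "event": INJECTION_EVENT_IDS[event_id],
        "source_image": fields.get("SourceImage", ""),
        "target_image": fields.get("TargetImage", ""),
    }


if __name__ == "__main__":
    for sample in (SAMPLE_CREATE_REMOTE_THREAD, SAMPLE_PROCESS_CREATE):
        entry = run_pipeline(sample)
        print(entry["labels"], entry["structured_metadata"])
        print("alert:", injection_alert(entry))
```

Run it with python3: the first record yields an alert naming the source and target images, the second yields none. The same selection in Grafana is a LogQL query on the structured metadata, for instance `{job="Microsoft-Windows-Sysmon"} | eventRecordID="8"`, which is why keeping the event ID as metadata rather than only inside the message text matters.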
docker-compose.yml
-----------------------------------------------------------------------------------------------------------------------
services:
  # Loki: log database
  loki:
    image: "grafana/loki:latest"
    ports:
      - "3100:3100"
    command: -config.file=/etc/loki/local-config.yaml
    restart: always

  # Grafana: visualization dashboards
  grafana:
    image: "grafana/grafana:latest"
    ports:
      - "3000:3000"
    environment:
      - GF_SECURITY_ADMIN_PASSWORD=admin
    restart: always

  # Alloy: collector (make sure this key is indented at the same level as grafana)
  alloy:
    image: "grafana/alloy:latest"
    volumes:
      - "./config.alloy:/etc/alloy/config.alloy"
    command: "run --storage.path=/var/lib/alloy/data /etc/alloy/config.alloy"
    ports:
      - "12345:12345"
    restart: "always"
-------------------------------------------------------------------------------------------------------------
config.alloy is the same as the Windows alloy.config above
-------------------------------------------------------------------------------------------------------------
logging {
  level = "info"
}

// ==========================================
// Sysmon Windows Event Log
// ==========================================
loki.source.windowsevent "sysmon" {
  eventlog_name          = "Microsoft-Windows-Sysmon/Operational"
  use_incoming_timestamp = true
  forward_to             = [loki.process.endpoint.receiver]
}

// ==========================================
// Pipeline Processing
// ==========================================
// 3.1 Sysmon processing pipeline
loki.process "endpoint" {
  forward_to = [loki.write.loki_receiver.receiver]

  // JSON fields of the Windows Event Log record
  stage.json {
    expressions = {
      message               = "message",
      source                = "source",
      eventRecordID         = "event_id",
      channel               = "channel",
      execution_processId   = "execution.process_id",
      execution_processName = "execution.process_name",
    }
  }

  // Keep the extracted fields as structured metadata
  stage.structured_metadata {
    values = {
      eventRecordID         = "eventRecordID",
      channel               = "channel",
      execution_processId   = "execution_processId",
      execution_processName = "execution_processName",
    }
  }

  // Labels
  stage.labels {
    values = {
      job          = "source",
      service_name = "source",
    }
  }

  // Only the message text becomes the log line
  stage.output {
    source = "message"
  }
}

// ==========================================
// Loki Write
// ==========================================
loki.write "loki_receiver" {
  endpoint {
    url = "http://localhost:3100/loki/api/v1/push" // replace localhost with the Loki host's IP
  }
}
