安装 Microsoft Sysmon
某些 Tenable Identity Exposure 的攻击指标 (IoA) 需要激活 Microsoft System Monitor (Sysmon) 服务。
Sysmon 监控系统活动并将其记录到 Windows 事件日志中,以便在 Event Tracing for Windows (ETW) 基础设施中提供更多面向安全的信息。
因为安装其他 Windows 服务和驱动程序可能会影响托管 Active Directory 基础设施的域控制器的性能,因此,Tenable 不会自动部署 Microsoft Sysmon。您必须手动安装或使用专用 GPO。
以下 IoA 需要 Microsoft Sysmon。
|
名称 |
原因 |
|---|---|
|
OS 凭据转储:LSASS 内存 |
检测进程注入 |
如要安装 Sysmon,请执行以下操作:
-
从 Microsoft 网站下载 Sysmon。
-
在命令行界面中,运行以下命令以在本地计算机上安装 Microsoft Sysmon:
复制.\Sysmon64.exe -accepteula -i C:\TenableSysmonConfigFile.xml
注意:有关配置说明,请参阅带注释的 Sysmon 配置文件。
-
运行以下命令以添加注册表项,以指示 WMI 筛选器已安装 Sysmon:
复制reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Microsoft-Windows-Sysmon/Operational"
若要卸载 Sysmon:
-
打开 PowerShell 终端。
-
浏览到包含 Sysmon64.exe 的文件夹。
-
键入以下命令:
复制PS C:\> .\Sysmon64.exe -u
若要删除注册表项:
-
在命令行界面中,在运行 Sysmon 的所有计算机上输入以下命令:
复制reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Microsoft-Windows-Sysmon/Operational"
Sysmon 配置文件
<Sysmon schemaversion="4.40">
<EventFiltering>
<!--SYSMON EVENT ID 1 : PROCESS CREATION [ProcessCreate]-->
<RuleGroup name="" groupRelation="or">
<ProcessCreate onmatch="exclude">
<!--NOTE: Using "exclude" with no rules means everything in this section will be logged-->
</ProcessCreate>
</RuleGroup>
<!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM [FileCreateTime]-->
<RuleGroup name="" groupRelation="or">
<FileCreateTime onmatch="include">
<!--NOTE: Using "include" with no rules means nothing in this section will be logged-->
</FileCreateTime>
</RuleGroup>
<!--SYSMON EVENT ID 3 : NETWORK CONNECTION INITIATED [NetworkConnect]-->
<RuleGroup name="" groupRelation="or">
<NetworkConnect onmatch="include">
<!--NOTE: Using "include" with no rules means nothing in this section will be logged-->
</NetworkConnect>
</RuleGroup>
<!--SYSMON EVENT ID 4 : RESERVED FOR SYSMON SERVICE STATUS MESSAGES-->
<!--Cannot be filtered.-->
<!--SYSMON EVENT ID 5 : PROCESS ENDED [ProcessTerminate]-->
<RuleGroup name="" groupRelation="or">
<ProcessTerminate onmatch="exclude">
<!--NOTE: Using "exclude" with no rules means everything in this section will be logged-->
</ProcessTerminate>
</RuleGroup>
<!--SYSMON EVENT ID 6 : DRIVER LOADED INTO KERNEL [DriverLoad]-->
<RuleGroup name="" groupRelation="or">
<DriverLoad onmatch="include">
<!--NOTE: Using "include" with no rules means nothing in this section will be logged-->
</DriverLoad>
</RuleGroup>
<!--SYSMON EVENT ID 7 : DLL (IMAGE) LOADED BY PROCESS [ImageLoad]-->
<RuleGroup name="" groupRelation="or">
<ImageLoad onmatch="include">
<!--NOTE: Using "include" with no rules means nothing in this section will be logged-->
</ImageLoad>
</RuleGroup>
<!--SYSMON EVENT ID 8 : REMOTE THREAD CREATED [CreateRemoteThread]-->
<RuleGroup name="" groupRelation="or">
<CreateRemoteThread onmatch="include">
<TargetImage name="lsass" condition="is">C:\Windows\system32\lsass.exe</TargetImage>
</CreateRemoteThread>
</RuleGroup>
<!--SYSMON EVENT ID 9 : RAW DISK ACCESS [RawAccessRead]-->
<RuleGroup name="" groupRelation="or">
<RawAccessRead onmatch="include">
<!--NOTE: Using "include" with no rules means nothing in this section will be logged-->
</RawAccessRead>
</RuleGroup>
<!--SYSMON EVENT ID 10 : INTER-PROCESS ACCESS [ProcessAccess]-->
<RuleGroup name="" groupRelation="or">
<ProcessAccess onmatch="include">
<!-- Detect Access to LSASS-->
<Rule groupRelation="and">
<TargetImage name="technique_id=T1003,technique_name=Credential Dumping" condition="is">C:\Windows\system32\lsass.exe</TargetImage>
<GrantedAccess>0x1FFFFF</GrantedAccess>
</Rule>
<Rule groupRelation="and">
<TargetImage name="technique_id=T1003,technique_name=Credential Dumping" condition="is">C:\Windows\system32\lsass.exe</TargetImage>
<GrantedAccess>0x1F1FFF</GrantedAccess>
</Rule>
<Rule groupRelation="and">
<TargetImage name="technique_id=T1003,technique_name=Credential Dumping" condition="is">C:\Windows\system32\lsass.exe</TargetImage>
<GrantedAccess>0x1010</GrantedAccess>
</Rule>
<Rule groupRelation="and">
<TargetImage name="technique_id=T1003,technique_name=Credential Dumping" condition="is">C:\Windows\system32\lsass.exe</TargetImage>
<GrantedAccess>0x143A</GrantedAccess>
</Rule>
<!-- Detect process hollowing to LSASS-->
<Rule groupRelation="and">
<TargetImage name="technique_id=T1003,technique_name=Credential Dumping" condition="is">C:\Windows\system32\lsass.exe</TargetImage>
<GrantedAccess>0x0800</GrantedAccess>
</Rule>
<Rule groupRelation="and">
<TargetImage name="technique_id=T1003,technique_name=Credential Dumping" condition="is">C:\Windows\system32\lsass.exe</TargetImage>
<GrantedAccess>0x800</GrantedAccess>
</Rule>
<!-- Detect process process injection to LSASS-->
<Rule groupRelation="and">
<TargetImage name="technique_id=T1055,technique_name=Process Injection" condition="is">C:\Windows\system32\lsass.exe</TargetImage>
<GrantedAccess>0x0820</GrantedAccess>
</Rule>
<Rule groupRelation="and">
<TargetImage name="technique_id=T1055,technique_name=Process Injection" condition="is">C:\Windows\system32\lsass.exe</TargetImage>
<GrantedAccess>0x820</GrantedAccess>
</Rule>
</ProcessAccess>
</RuleGroup>
<!--SYSMON EVENT ID 11 : FILE CREATED [FileCreate]-->
<RuleGroup name="" groupRelation="or">
<FileCreate onmatch="include">
<!--NOTE: Using "include" with no rules means nothing in this section will be logged-->
</FileCreate>
</RuleGroup>
<!--SYSMON EVENT ID 12 & 13 & 14 : REGISTRY MODIFICATION [RegistryEvent]-->
<RuleGroup name="" groupRelation="or">
<RegistryEvent onmatch="include">
<!--NOTE: Using "include" with no rules means nothing in this section will be logged-->
</RegistryEvent>
</RuleGroup>
<!--SYSMON EVENT ID 15 : ALTERNATE DATA STREAM CREATED [FileCreateStreamHash]-->
<RuleGroup name="" groupRelation="or">
<FileCreateStreamHash onmatch="include">
<!--NOTE: Using "include" with no rules means nothing in this section will be logged-->
</FileCreateStreamHash>
</RuleGroup>
<!--SYSMON EVENT ID 16 : SYSMON CONFIGURATION CHANGE-->
<!--Cannot be filtered.-->
<!--SYSMON EVENT ID 17 & 18 : PIPE CREATED / PIPE CONNECTED [PipeEvent]-->
<RuleGroup name="" groupRelation="or">
<PipeEvent onmatch="include">
<!--NOTE: Using "include" with no rules means nothing in this section will be logged-->
</PipeEvent>
</RuleGroup>
<!--SYSMON EVENT ID 19 & 20 & 21 : WMI EVENT MONITORING [WmiEvent]-->
<RuleGroup name="" groupRelation="or">
<WmiEvent onmatch="include">
<!--NOTE: Using "include" with no rules means nothing in this section will be logged-->
</WmiEvent>
</RuleGroup>
<!--SYSMON EVENT ID 22 : DNS QUERY [DnsQuery]-->
<RuleGroup name="" groupRelation="or">
<DnsQuery onmatch="include">
<!--NOTE: Using "include" with no rules means nothing in this section will be logged-->
</DnsQuery>
</RuleGroup>
<!--SYSMON EVENT ID 23 : FILE DELETED [FileDelete]-->
<RuleGroup name="" groupRelation="or">
<FileDelete onmatch="include">
<!--NOTE: Using "include" with no rules means nothing in this section will be logged-->
</FileDelete>
</RuleGroup>
</EventFiltering>
</Sysmon>