Sysmon is Microsoft's system-monitoring tool (it only monitors, it does not block). Its records are fairly detailed, but it does no analysis of its own; the results are much better when the logs are forwarded to a remote store such as Splunk for retention and analysis.
1. Download addresses
Sysmon - Sysinternals | Microsoft Learn (latest version at the time of writing: v15.1)
sysmon-config | A Sysmon configuration file for everybody to fork
This is a Microsoft Sysinternals Sysmon configuration file template with default high-quality event tracing.
The file should function as a great starting point for system change monitoring in a self-contained and accessible package. This configuration and results should give you a good idea of what's possible for Sysmon. Note that this does not track things like authentication and other Windows events that are also vital for incident investigation.
Because virtually every line is commented and sections are marked with explanations, it should also function as a tutorial for Sysmon and a guide to critical monitoring areas in Windows systems.
For a far more exhaustive and detailed approach to Sysmon configuration from a different approach, see also sysmon-modular by @olafhartong, which can act as a superset of sysmon-config.
Sysmon is a complement to native Windows logging abilities, not a replacement for it. For valuable advice on these configurations, see MalwareArchaeology Logging Cheat Sheets by @HackerHurricane.
Note: Exact syntax and filtering choices in the configuration are highly deliberate in what they target, and to have as little performance impact as possible. Sysmon's filtering abilities are different than the built-in Windows auditing features, so often a different approach is taken than the normal static listing of paths.
Sharing: if the links above do not work, download from my cloud drive.
Configuration file: sysmonconfig-export.xml
Link: https://pan.baidu.com/s/1b27ADcF7XNXQvEJS30LiAA
Access code: h6ks
Back to the topic:
Installation: run it from CMD or PowerShell (an elevated prompt, since Sysmon installs a driver and a service).
After a default installation, that is, without a configuration file, network connections are not monitored, as shown in the figure.
For more detailed monitoring, load the configuration file:
Sysmon reports: Configuration file validated. Configuration updated.
Run eventvwr to open Event Viewer and go to Applications and Services Logs > Microsoft > Windows > Sysmon > Operational.
There you can see the logs Sysmon has collected.
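The install, config update and verification steps above as one PowerShell session. This is an added example, not a command listing from the original post; it assumes Sysmon64.exe and sysmonconfig-export.xml sit in the current directory and that the prompt is elevated.

```powershell
# Added example (not from the original post). Assumes Sysmon64.exe and
# sysmonconfig-export.xml are in the current directory; run as Administrator.

# Fresh install with the configuration file (-i) and silent EULA acceptance.
# Without -i <file> Sysmon installs with its built-in default config,
# which logs process create/terminate and driver loads but no network events.
.\Sysmon64.exe -accepteula -i .\sysmonconfig-export.xml

# Already installed with the default config? Push the new config instead.
# On success Sysmon prints "Configuration file validated." and "Configuration updated."
.\Sysmon64.exe -c .\sysmonconfig-export.xml

# Dump the active configuration to confirm NetworkConnect / DnsQuery rules are loaded.
.\Sysmon64.exe -c

# Read the log without opening eventvwr. The channel name is what Event Viewer
# shows under Applications and Services Logs > Microsoft > Windows > Sysmon.
$log = 'Microsoft-Windows-Sysmon/Operational'
Get-WinEvent -LogName $log -MaxEvents 20 |
    Select-Object TimeCreated, Id,
        @{ n = 'RuleName'; e = {
            ([xml]$_.ToXml()).Event.EventData.Data |
                Where-Object Name -eq 'RuleName' |
                Select-Object -ExpandProperty '#text' } }

# Event ID 16 is written every time the configuration changes (including the
# update above); Event ID 4 records service start/stop. Both are worth alerting
# on, because an attacker who can change or stop Sysmon can blind it.
Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 4, 16 } -MaxEvents 5 |
    Format-List TimeCreated, Id, Message
```

Note that `-i` only works on a machine where Sysmon is not yet installed; on an existing install use `-c <file>` to swap the configuration and `-u` to remove the service.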
Now let's test it. First, SSH to a remote Linux host:
As shown in the figure, Sysmon clearly captured the outbound remote connection (Event ID 3) and the new process created for that connection (Event ID 1).
Next, a database operation: sqlplus / as sysdba
As shown in the figure: RuleName: InvDB-CompileTimeClaim. The RuleName field is how the sysmon-config template labels why an event was logged; the InvDB-* names are inventory tags, not alerts.
Now copy over and install a piece of software, 好压 (HaoZip, clean edition), and see what Sysmon records:
As shown in the figure, the location where the HaoZip package was saved is recorded clearly.
Double-click to install, running it as administrator.
As shown in the figure, the installation is recorded clearly.
As shown in the figure, the installation also touched the registry (registry events, Event ID 12 and 13).
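The three experiments above can be pulled out of the Sysmon channel with Get-WinEvent instead of being browsed in eventvwr. This is an added example, not part of the original post: the helper Get-SysmonData is written here for it, the sysmon-config template is assumed to be loaded (so Event IDs 3, 11, 12 and 13 are enabled), and the installer file-name substring is an assumption to adjust to your own package.

```powershell
# Added example (not from the original post). Assumes the sysmon-config
# template is loaded; Get-SysmonData is a helper defined here, not a Sysmon API.
$log = 'Microsoft-Windows-Sysmon/Operational'

function Get-SysmonData {
    # Flatten the <Data Name="..."> elements of one event into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $h = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    $h
}

# Test 1: SSH to a Linux host. Event ID 3 is the outbound TCP connection to port 22;
# its ProcessGuid links it back to the Event ID 1 that created the ssh client.
$ssh = Get-WinEvent -LogName $log -MaxEvents 5 -ErrorAction SilentlyContinue `
    -FilterXPath "*[System[EventID=3]] and *[EventData[Data[@Name='DestinationPort']='22']]"
foreach ($e in $ssh) {
    $d = Get-SysmonData $e
    '{0} {1} -> {2}:{3} (ProcessGuid {4})' -f $e.TimeCreated, $d.Image, $d.DestinationIp, $d.DestinationPort, $d.ProcessGuid
    Get-WinEvent -LogName $log -ErrorAction SilentlyContinue `
        -FilterXPath "*[System[EventID=1]] and *[EventData[Data[@Name='ProcessGuid']='$($d.ProcessGuid)']]" |
        ForEach-Object { $p = Get-SysmonData $_; '  created by {0}: {1}' -f $p.ParentImage, $p.CommandLine }
}

# Test 2: sqlplus. Show the RuleName the template attached to the process-creation event.
Get-WinEvent -LogName $log -FilterXPath "*[System[EventID=1]]" -MaxEvents 500 -ErrorAction SilentlyContinue |
    ForEach-Object { Get-SysmonData $_ } |
    Where-Object { $_.Image -like '*sqlplus*' } |
    Select-Object @{ n = 'RuleName'; e = { $_.RuleName } }, @{ n = 'CommandLine'; e = { $_.CommandLine } }

# Test 3: the HaoZip installer. Event ID 11 records where the copied file landed;
# Event ID 12/13 record the registry keys and values the installer wrote.
$installer = 'HaoZip'   # assumption: substring of the installer's file name
Get-WinEvent -LogName $log -MaxEvents 5000 -ErrorAction SilentlyContinue `
    -FilterXPath "*[System[EventID=11 or EventID=12 or EventID=13]]" |
    ForEach-Object { $d = Get-SysmonData $_; $d['Id'] = $_.Id; $d['Time'] = $_.TimeCreated; $d } |
    Where-Object { $_.TargetFilename -like "*$installer*" -or $_.Image -like "*$installer*" } |
    ForEach-Object {
        switch ($_.Id) {
            11 { '{0} FileCreate  {1} wrote {2}' -f $_.Time, $_.Image, $_.TargetFilename }
            12 { '{0} RegKey      {1} {2} {3}' -f $_.Time, $_.Image, $_.EventType, $_.TargetObject }
            13 { '{0} RegValueSet {1} {2} = {3}' -f $_.Time, $_.Image, $_.TargetObject, $_.Details }
        }
    }
```

The XPath filters run inside the event log service, so they are much cheaper than pulling every event and filtering in PowerShell; the ProcessGuid join in test 1 is the same correlation a SIEM such as Splunk would do once the logs are forwarded.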
Sysmon event types (as of v15.1):
Event ID 1: ProcessCreate (process creation)
Event ID 2: FileCreateTime (a process changed a file creation time; timestomping)
Event ID 3: NetworkConnect (network connection)
Event ID 4: Sysmon service state changed
Event ID 5: ProcessTerminate (process terminated)
Event ID 6: DriverLoad (driver loaded)
Event ID 7: ImageLoad (image, typically a DLL, loaded)
Event ID 8: CreateRemoteThread (thread created in another process)
Event ID 9: RawAccessRead (raw read access to a drive, e.g. \\.\PhysicalDrive0, not a normal file read)
Event ID 10: ProcessAccess (a process opened a handle to another process)
Event ID 11: FileCreate (file created or overwritten)
Event ID 12: RegistryEvent (key or value create and delete)
Event ID 13: RegistryEvent (value set)
Event ID 14: RegistryEvent (key and value rename)
Event ID 15: FileCreateStreamHash (alternate data stream created)
Event ID 16: ServiceConfigurationChange (Sysmon configuration changed)
Event ID 17: PipeEvent (named pipe created)
Event ID 18: PipeEvent (named pipe connected)
Event ID 19: WmiEvent (WmiEventFilter activity detected)
Event ID 20: WmiEvent (WmiEventConsumer activity detected)
Event ID 21: WmiEvent (WmiEventConsumerToFilter activity detected)
Event ID 22: DNSEvent (DNS query)
Event ID 23: FileDelete (file deleted and archived)
Event ID 24: ClipboardChange (clipboard contents changed)
Event ID 25: ProcessTampering (process image change, e.g. hollowing or herpaderping)
Event ID 26: FileDeleteDetected (file deleted, not archived)
Event ID 27: FileBlockExecutable (executable file creation blocked)
Event ID 28: FileBlockShredding (file shredding blocked)
Event ID 29: FileExecutableDetected (executable file created)
Event ID 255: Error
This article is dedicated to the people who monitor systems.