安裝 Microsoft Sysmon
有些 Tenable Identity Exposure 攻擊指標 (IoA) 需要 Microsoft 系統監視器 (Sysmon) 服務才能啟動。
Sysmon 會監視系統活動並將其記錄到 Windows 事件記錄中,以便在 Windows 事件追蹤 (ETW) 基礎架構中提供更多面向安全性的資訊。
因為安裝額外的 Windows 服務和驅動程式可能會影響代管 Active Directory 基礎架構的網域控制器的效能。Tenable 未自動部署 Microsoft Sysmon。您必須手動安裝或使用專用的 GPO。
下列攻擊指標 (IoA) 需要 Microsoft Sysmon。
|
名稱 |
原因 |
|---|---|
|
OS 憑證傾印:LSASS 記憶體 |
偵測處理程序插入 |
注意:如果您選擇安裝 Sysmon,則必須在所有網域控制器上安裝,而不僅僅是在 PDC 上安裝,如此才能收集所有必要的事件。
注意:在完整部署 Tenable Identity Exposure 之前,請先測試您的 Sysmon 安裝是否有相容性問題。
提示:請務必在安裝後定期更新 Sysmon,以利用可解決潛在弱點的任何修補程式。與 Tenable Identity Exposure 相容的最舊版本是 Sysmon 12.0。
如要安裝 Sysmon:
-
從 Microsoft 網站下載 Sysmon。
-
在命令列介面中,執行以下命令以在本機電腦上安裝 Microsoft Sysmon:
複製.\Sysmon64.exe -accepteula -i C:\TenableSysmonConfigFile.xml
注意:如需設定說明,請參閱註解的 Sysmon 設定檔。
-
執行下列命令以新增登錄機碼,向 WMI 篩選器指示已安裝 Sysmon:
複製reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Microsoft-Windows-Sysmon/Operational"
如要解除安裝 Sysmon:
-
開啟 PowerShell 終端機。
-
瀏覽至包含 Sysmon64.exe 的資料夾。
-
輸入下列命令:
複製PS C:\> .\Sysmon64.exe -u
如要刪除登錄機碼:
-
在命令列介面中,在所有執行 Sysmon 的電腦上輸入以下命令:
複製reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Microsoft-Windows-Sysmon/Operational"
Sysmon 設定檔
Sysmon 設定檔
複製
<Sysmon schemaversion="4.40">
<EventFiltering>
<!--SYSMON EVENT ID 1 : PROCESS CREATION [ProcessCreate]-->
<RuleGroup name="" groupRelation="or">
<ProcessCreate onmatch="exclude">
<!--NOTE: Using "exclude" with no rules means everything in this section will be logged-->
</ProcessCreate>
</RuleGroup>
<!--SYSMON EVENT ID 2 : FILE CREATION TIME RETROACTIVELY CHANGED IN THE FILESYSTEM [FileCreateTime]-->
<RuleGroup name="" groupRelation="or">
<FileCreateTime onmatch="include">
<!--NOTE: Using "include" with no rules means nothing in this section will be logged-->
</FileCreateTime>
</RuleGroup>
<!--SYSMON EVENT ID 3 : NETWORK CONNECTION INITIATED [NetworkConnect]-->
<RuleGroup name="" groupRelation="or">
<NetworkConnect onmatch="include">
<!--NOTE: Using "include" with no rules means nothing in this section will be logged-->
</NetworkConnect>
</RuleGroup>
<!--SYSMON EVENT ID 4 : RESERVED FOR SYSMON SERVICE STATUS MESSAGES-->
<!--Cannot be filtered.-->
<!--SYSMON EVENT ID 5 : PROCESS ENDED [ProcessTerminate]-->
<RuleGroup name="" groupRelation="or">
<ProcessTerminate onmatch="exclude">
<!--NOTE: Using "exclude" with no rules means everything in this section will be logged-->
</ProcessTerminate>
</RuleGroup>
<!--SYSMON EVENT ID 6 : DRIVER LOADED INTO KERNEL [DriverLoad]-->
<RuleGroup name="" groupRelation="or">
<DriverLoad onmatch="include">
<!--NOTE: Using "include" with no rules means nothing in this section will be logged-->
</DriverLoad>
</RuleGroup>
<!--SYSMON EVENT ID 7 : DLL (IMAGE) LOADED BY PROCESS [ImageLoad]-->
<RuleGroup name="" groupRelation="or">
<ImageLoad onmatch="include">
<!--NOTE: Using "include" with no rules means nothing in this section will be logged-->
</ImageLoad>
</RuleGroup>
<!--SYSMON EVENT ID 8 : REMOTE THREAD CREATED [CreateRemoteThread]-->
<RuleGroup name="" groupRelation="or">
<CreateRemoteThread onmatch="include">
<TargetImage name="lsass" condition="is">C:\Windows\system32\lsass.exe</TargetImage>
</CreateRemoteThread>
</RuleGroup>
<!--SYSMON EVENT ID 9 : RAW DISK ACCESS [RawAccessRead]-->
<RuleGroup name="" groupRelation="or">
<RawAccessRead onmatch="include">
<!--NOTE: Using "include" with no rules means nothing in this section will be logged-->
</RawAccessRead>
</RuleGroup>
<!--SYSMON EVENT ID 10 : INTER-PROCESS ACCESS [ProcessAccess]-->
<RuleGroup name="" groupRelation="or">
<ProcessAccess onmatch="include">
<!-- Detect Access to LSASS-->
<Rule groupRelation="and">
<TargetImage name="technique_id=T1003,technique_name=Credential Dumping" condition="is">C:\Windows\system32\lsass.exe</TargetImage>
<GrantedAccess>0x1FFFFF</GrantedAccess>
</Rule>
<Rule groupRelation="and">
<TargetImage name="technique_id=T1003,technique_name=Credential Dumping" condition="is">C:\Windows\system32\lsass.exe</TargetImage>
<GrantedAccess>0x1F1FFF</GrantedAccess>
</Rule>
<Rule groupRelation="and">
<TargetImage name="technique_id=T1003,technique_name=Credential Dumping" condition="is">C:\Windows\system32\lsass.exe</TargetImage>
<GrantedAccess>0x1010</GrantedAccess>
</Rule>
<Rule groupRelation="and">
<TargetImage name="technique_id=T1003,technique_name=Credential Dumping" condition="is">C:\Windows\system32\lsass.exe</TargetImage>
<GrantedAccess>0x143A</GrantedAccess>
</Rule>
<!-- Detect process hollowing to LSASS-->
<Rule groupRelation="and">
<TargetImage name="technique_id=T1003,technique_name=Credential Dumping" condition="is">C:\Windows\system32\lsass.exe</TargetImage>
<GrantedAccess>0x0800</GrantedAccess>
</Rule>
<Rule groupRelation="and">
<TargetImage name="technique_id=T1003,technique_name=Credential Dumping" condition="is">C:\Windows\system32\lsass.exe</TargetImage>
<GrantedAccess>0x800</GrantedAccess>
</Rule>
<!-- Detect process process injection to LSASS-->
<Rule groupRelation="and">
<TargetImage name="technique_id=T1055,technique_name=Process Injection" condition="is">C:\Windows\system32\lsass.exe</TargetImage>
<GrantedAccess>0x0820</GrantedAccess>
</Rule>
<Rule groupRelation="and">
<TargetImage name="technique_id=T1055,technique_name=Process Injection" condition="is">C:\Windows\system32\lsass.exe</TargetImage>
<GrantedAccess>0x820</GrantedAccess>
</Rule>
</ProcessAccess>
</RuleGroup>
<!--SYSMON EVENT ID 11 : FILE CREATED [FileCreate]-->
<RuleGroup name="" groupRelation="or">
<FileCreate onmatch="include">
<!--NOTE: Using "include" with no rules means nothing in this section will be logged-->
</FileCreate>
</RuleGroup>
<!--SYSMON EVENT ID 12 & 13 & 14 : REGISTRY MODIFICATION [RegistryEvent]-->
<RuleGroup name="" groupRelation="or">
<RegistryEvent onmatch="include">
<!--NOTE: Using "include" with no rules means nothing in this section will be logged-->
</RegistryEvent>
</RuleGroup>
<!--SYSMON EVENT ID 15 : ALTERNATE DATA STREAM CREATED [FileCreateStreamHash]-->
<RuleGroup name="" groupRelation="or">
<FileCreateStreamHash onmatch="include">
<!--NOTE: Using "include" with no rules means nothing in this section will be logged-->
</FileCreateStreamHash>
</RuleGroup>
<!--SYSMON EVENT ID 16 : SYSMON CONFIGURATION CHANGE-->
<!--Cannot be filtered.-->
<!--SYSMON EVENT ID 17 & 18 : PIPE CREATED / PIPE CONNECTED [PipeEvent]-->
<RuleGroup name="" groupRelation="or">
<PipeEvent onmatch="include">
<!--NOTE: Using "include" with no rules means nothing in this section will be logged-->
</PipeEvent>
</RuleGroup>
<!--SYSMON EVENT ID 19 & 20 & 21 : WMI EVENT MONITORING [WmiEvent]-->
<RuleGroup name="" groupRelation="or">
<WmiEvent onmatch="include">
<!--NOTE: Using "include" with no rules means nothing in this section will be logged-->
</WmiEvent>
</RuleGroup>
<!--SYSMON EVENT ID 22 : DNS QUERY [DnsQuery]-->
<RuleGroup name="" groupRelation="or">
<DnsQuery onmatch="include">
<!--NOTE: Using "include" with no rules means nothing in this section will be logged-->
</DnsQuery>
</RuleGroup>
<!--SYSMON EVENT ID 23 : FILE DELETED [FileDelete]-->
<RuleGroup name="" groupRelation="or">
<FileDelete onmatch="include">
<!--NOTE: Using "include" with no rules means nothing in this section will be logged-->
</FileDelete>
</RuleGroup>
</EventFiltering>
</Sysmon>