
More than 3 years have passed since last update.

#Overview

Build an EDR on Vista.
Installed Sysmon so that events are captured in chronological order.
Tried filtering the Sysmon log.

#Environment

Windows Vista 32-bit

#Log used

Event[2063]:
  Log Name: Microsoft-Windows-Sysmon/Operational
  Source: Microsoft-Windows-Sysmon
  Date: 2020-12-13T10:11:42.218
  Event ID: 1
  Task: Process Create (rule: ProcessCreate)
  Level: 情報
  Opcode: 情報
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: ore-PC0
  Description: 
Process Create:
UtcTime: 2020-12-13 01:11:42.208
ProcessGuid: {13165805-6A4E-5FD5-0000-001052900A00}
ProcessId: 1400
Image: C:\Windows\System32\SearchFilterHost.exe
CommandLine: "C:\Windows\system32\SearchFilterHost.exe" 0 620 624 632 65536 628 
CurrentDirectory: C:\Windows\system32\
User: NT AUTHORITY\SYSTEM
LogonGuid: {13165805-6850-5FD5-0000-0020E7030000}
LogonId: 0x3e7
TerminalSessionId: 0
IntegrityLevel: Medium
Hashes: SHA1=8784A4CED5BE17DAA69FC4CF1C25762B481900A2
ParentProcessGuid: {13165805-6858-5FD5-0000-0010B0610200}
ParentProcessId: 2072
ParentImage: C:\Windows\System32\SearchIndexer.exe
ParentCommandLine: C:\Windows\system32\SearchIndexer.exe /Embedding

Event[2064]:
  Log Name: Microsoft-Windows-Sysmon/Operational
  Source: Microsoft-Windows-Sysmon
  Date: 2020-12-13T10:11:42.219
  Event ID: 9
  Task: RawAccessRead detected (rule: RawAccessRead)
  Level: 情報
  Opcode: 情報
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: ore-PC0
  Description: 
RawAccessRead detected:
UtcTime: 2020-12-13 01:11:42.219
ProcessGuid: {13165805-6A4E-5FD5-0000-001052900A00}
ProcessId: 1400
Image: C:\Windows\System32\SearchFilterHost.exe
Device: \Device\HarddiskVolume1

Event[2065]:
  Log Name: Microsoft-Windows-Sysmon/Operational
  Source: Microsoft-Windows-Sysmon
  Date: 2020-12-13T10:11:47.104
  Event ID: 5
  Task: Process terminated (rule: ProcessTerminate)
  Level: 情報
  Opcode: 情報
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: ore-PC0
  Description: 
Process terminated:
UtcTime: 2020-12-13 01:11:47.104
ProcessGuid: {13165805-6A4E-5FD5-0000-00103F810A00}
ProcessId: 4036
Image: C:\Windows\System32\dllhost.exe

Event[2066]:
  Log Name: Microsoft-Windows-Sysmon/Operational
  Source: Microsoft-Windows-Sysmon
  Date: 2020-12-13T10:11:58.551
  Event ID: 1
  Task: Process Create (rule: ProcessCreate)
  Level: 情報
  Opcode: 情報
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: ore-PC0
  Description: 
Process Create:
UtcTime: 2020-12-13 01:11:58.525
ProcessGuid: {13165805-6A5E-5FD5-0000-00104CB40A00}
ProcessId: 3268
Image: C:\Windows\System32\consent.exe
CommandLine: consent.exe 1164 226 069FF268
CurrentDirectory: C:\Windows\system32\
User: NT AUTHORITY\SYSTEM
LogonGuid: {13165805-6850-5FD5-0000-0020E7030000}
LogonId: 0x3e7
TerminalSessionId: 1
IntegrityLevel: System
Hashes: SHA1=DB44766EF1F42380D5B83C94209105AFFAEC56DD
ParentProcessGuid: {13165805-6852-5FD5-0000-0010E57F0100}
ParentProcessId: 1164
ParentImage: C:\Windows\System32\svchost.exe
ParentCommandLine: C:\Windows\system32\svchost.exe -k netsvcs

Event[2067]:
  Log Name: Microsoft-Windows-Sysmon/Operational
  Source: Microsoft-Windows-Sysmon
  Date: 2020-12-13T10:11:58.555
  Event ID: 9
  Task: RawAccessRead detected (rule: RawAccessRead)
  Level: 情報
  Opcode: 情報
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: ore-PC0
  Description: 
RawAccessRead detected:
UtcTime: 2020-12-13 01:11:58.555
ProcessGuid: {13165805-6A5E-5FD5-0000-00104CB40A00}
ProcessId: 3268
Image: C:\Windows\System32\consent.exe
Device: \Device\HarddiskVolume1

Event[2068]:
  Log Name: Microsoft-Windows-Sysmon/Operational
  Source: Microsoft-Windows-Sysmon
  Date: 2020-12-13T10:12:01.028
  Event ID: 1
  Task: Process Create (rule: ProcessCreate)
  Level: 情報
  Opcode: 情報
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: ore-PC0
  Description: 
Process Create:
UtcTime: 2020-12-13 01:12:01.017
ProcessGuid: {13165805-6A61-5FD5-0000-001067D20A00}
ProcessId: 3896
Image: C:\Windows\System32\dllhost.exe
CommandLine: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}
CurrentDirectory: C:\Windows\system32\
User: NT AUTHORITY\SYSTEM
LogonGuid: {13165805-6850-5FD5-0000-0020E7030000}
LogonId: 0x3e7
TerminalSessionId: 1
IntegrityLevel: System
Hashes: SHA1=58C379B077944D2BA79C0251977E8EDE3DFBC829
ParentProcessGuid: {13165805-6851-5FD5-0000-001048040100}
ParentProcessId: 836
ParentImage: C:\Windows\System32\svchost.exe
ParentCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch

Event[2069]:
  Log Name: Microsoft-Windows-Sysmon/Operational
  Source: Microsoft-Windows-Sysmon
  Date: 2020-12-13T10:12:01.029
  Event ID: 1
  Task: Process Create (rule: ProcessCreate)
  Level: 情報
  Opcode: 情報
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: ore-PC0
  Description: 
Process Create:
UtcTime: 2020-12-13 01:12:01.018
ProcessGuid: {13165805-6A61-5FD5-0000-00108BD20A00}
ProcessId: 2588
Image: C:\Windows\System32\efsui.exe
CommandLine: efsui.exe /efs /keybackup
CurrentDirectory: C:\Windows\system32\
User: ore-PC0\ore
LogonGuid: {13165805-685D-5FD5-0000-00205A4E0300}
LogonId: 0x34e5a
TerminalSessionId: 1
IntegrityLevel: High
Hashes: SHA1=4626E7D225B8BF5D5A8CE7B2500D060BE30E6AB5
ParentProcessGuid: {13165805-6850-5FD5-0000-001060EB0000}
ParentProcessId: 672
ParentImage: C:\Windows\System32\lsass.exe
ParentCommandLine: C:\Windows\system32\lsass.exe

Event[2070]:
  Log Name: Microsoft-Windows-Sysmon/Operational
  Source: Microsoft-Windows-Sysmon
  Date: 2020-12-13T10:12:01.031
  Event ID: 9
  Task: RawAccessRead detected (rule: RawAccessRead)
  Level: 情報
  Opcode: 情報
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: ore-PC0
  Description: 
RawAccessRead detected:
UtcTime: 2020-12-13 01:12:01.030
ProcessGuid: {13165805-6A61-5FD5-0000-00108BD20A00}
ProcessId: 2588
Image: C:\Windows\System32\efsui.exe
Device: \Device\HarddiskVolume1

Event[2071]:
  Log Name: Microsoft-Windows-Sysmon/Operational
  Source: Microsoft-Windows-Sysmon
  Date: 2020-12-13T10:12:01.092
  Event ID: 9
  Task: RawAccessRead detected (rule: RawAccessRead)
  Level: 情報
  Opcode: 情報
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: ore-PC0
  Description: 
RawAccessRead detected:
UtcTime: 2020-12-13 01:12:01.092
ProcessGuid: {13165805-6A61-5FD5-0000-001067D20A00}
ProcessId: 3896
Image: C:\Windows\System32\dllhost.exe
Device: \Device\HarddiskVolume1

Event[2072]:
  Log Name: Microsoft-Windows-Sysmon/Operational
  Source: Microsoft-Windows-Sysmon
  Date: 2020-12-13T10:12:01.264
  Event ID: 5
  Task: Process terminated (rule: ProcessTerminate)
  Level: 情報
  Opcode: 情報
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: ore-PC0
  Description: 
Process terminated:
UtcTime: 2020-12-13 01:12:01.263
ProcessGuid: {13165805-6A5E-5FD5-0000-00104CB40A00}
ProcessId: 3268
Image: C:\Windows\System32\consent.exe

Event[2073]:
  Log Name: Microsoft-Windows-Sysmon/Operational
  Source: Microsoft-Windows-Sysmon
  Date: 2020-12-13T10:12:01.291
  Event ID: 1
  Task: Process Create (rule: ProcessCreate)
  Level: 情報
  Opcode: 情報
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: ore-PC0
  Description: 
Process Create:
UtcTime: 2020-12-13 01:12:01.272
ProcessGuid: {13165805-6A61-5FD5-0000-00104BDA0A00}
ProcessId: 184
Image: C:\Windows\System32\dllhost.exe
CommandLine: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}
CurrentDirectory: C:\Windows\system32\
User: NT AUTHORITY\SYSTEM
LogonGuid: {13165805-6850-5FD5-0000-0020E7030000}
LogonId: 0x3e7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA1=58C379B077944D2BA79C0251977E8EDE3DFBC829
ParentProcessGuid: {13165805-6851-5FD5-0000-001048040100}
ParentProcessId: 836
ParentImage: C:\Windows\System32\svchost.exe
ParentCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch

Event[2074]:
  Log Name: Microsoft-Windows-Sysmon/Operational
  Source: Microsoft-Windows-Sysmon
  Date: 2020-12-13T10:12:01.305
  Event ID: 9
  Task: RawAccessRead detected (rule: RawAccessRead)
  Level: 情報
  Opcode: 情報
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: ore-PC0
  Description: 
RawAccessRead detected:
UtcTime: 2020-12-13 01:12:01.297
ProcessGuid: {13165805-6A61-5FD5-0000-00104BDA0A00}
ProcessId: 184
Image: C:\Windows\System32\dllhost.exe
Device: \Device\HarddiskVolume1

Event[2075]:
  Log Name: Microsoft-Windows-Sysmon/Operational
  Source: Microsoft-Windows-Sysmon
  Date: 2020-12-13T10:12:01.309
  Event ID: 5
  Task: Process terminated (rule: ProcessTerminate)
  Level: 情報
  Opcode: 情報
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: ore-PC0
  Description: 
Process terminated:
UtcTime: 2020-12-13 01:12:01.308
ProcessGuid: {13165805-6A61-5FD5-0000-00108BD20A00}
ProcessId: 2588
Image: C:\Windows\System32\efsui.exe

Event[2076]:
  Log Name: Microsoft-Windows-Sysmon/Operational
  Source: Microsoft-Windows-Sysmon
  Date: 2020-12-13T10:12:01.341
  Event ID: 1
  Task: Process Create (rule: ProcessCreate)
  Level: 情報
  Opcode: 情報
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: ore-PC0
  Description: 
Process Create:
UtcTime: 2020-12-13 01:12:01.330
ProcessGuid: {13165805-6A61-5FD5-0000-0010F5DC0A00}
ProcessId: 3892
Image: C:\Windows\System32\cmd.exe
CommandLine: "C:\Windows\System32\cmd.exe" 
CurrentDirectory: C:\Windows\system32\
User: ore-PC0\ore
LogonGuid: {13165805-685D-5FD5-0000-00205A4E0300}
LogonId: 0x34e5a
TerminalSessionId: 1
IntegrityLevel: High
Hashes: SHA1=46372C2278B2E369A7CE3E0879A23D009CCB6340
ParentProcessGuid: {13165805-685E-5FD5-0000-00102ED60300}
ParentProcessId: 3468
ParentImage: C:\Windows\explorer.exe
ParentCommandLine: C:\Windows\Explorer.EXE

Event[2077]:
  Log Name: Microsoft-Windows-Sysmon/Operational
  Source: Microsoft-Windows-Sysmon
  Date: 2020-12-13T10:12:01.342
  Event ID: 9
  Task: RawAccessRead detected (rule: RawAccessRead)
  Level: 情報
  Opcode: 情報
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: ore-PC0
  Description: 
RawAccessRead detected:
UtcTime: 2020-12-13 01:12:01.342
ProcessGuid: {13165805-6A61-5FD5-0000-0010F5DC0A00}
ProcessId: 3892
Image: C:\Windows\System32\cmd.exe
Device: \Device\HarddiskVolume1

Event[2078]:
  Log Name: Microsoft-Windows-Sysmon/Operational
  Source: Microsoft-Windows-Sysmon
  Date: 2020-12-13T10:12:01.400
  Event ID: 8
  Task: CreateRemoteThread detected (rule: CreateRemoteThread)
  Level: 情報
  Opcode: 情報
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: ore-PC0
  Description: 
CreateRemoteThread detected:
UtcTime: 2020-12-13 01:12:01.399
SourceProcessGuid: {13165805-684F-5FD5-0000-001049E30000}
SourceProcessId: 588
SourceImage: C:\Windows\System32\csrss.exe
TargetProcessGuid: {13165805-6A61-5FD5-0000-0010F5DC0A00}
TargetProcessId: 3892
TargetImage: C:\Windows\System32\cmd.exe
NewThreadId: 1804
StartAddress: 0x769EB043
StartModule: C:\Windows\system32\kernel32.dll
StartFunction: 

Event[2079]:
  Log Name: Microsoft-Windows-Sysmon/Operational
  Source: Microsoft-Windows-Sysmon
  Date: 2020-12-13T10:12:01.469
  Event ID: 1
  Task: Process Create (rule: ProcessCreate)
  Level: 情報
  Opcode: 情報
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: ore-PC0
  Description: 
Process Create:
UtcTime: 2020-12-13 01:12:01.429
ProcessGuid: {13165805-6A61-5FD5-0000-00107DDE0A00}
ProcessId: 3240
Image: C:\Windows\System32\conime.exe
CommandLine: C:\Windows\system32\conime.exe
CurrentDirectory: C:\Windows\system32\
User: ore-PC0\ore
LogonGuid: {13165805-685D-5FD5-0000-00205A4E0300}
LogonId: 0x34e5a
TerminalSessionId: 1
IntegrityLevel: High
Hashes: SHA1=32A54F7CB5FAE9842851556A15375AFDDA36E0E3
ParentProcessGuid: {13165805-6A61-5FD5-0000-0010F5DC0A00}
ParentProcessId: 3892
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: "C:\Windows\System32\cmd.exe" 

Event[2080]:
  Log Name: Microsoft-Windows-Sysmon/Operational
  Source: Microsoft-Windows-Sysmon
  Date: 2020-12-13T10:12:01.479
  Event ID: 9
  Task: RawAccessRead detected (rule: RawAccessRead)
  Level: 情報
  Opcode: 情報
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: ore-PC0
  Description: 
RawAccessRead detected:
UtcTime: 2020-12-13 01:12:01.479
ProcessGuid: {13165805-6A61-5FD5-0000-00107DDE0A00}
ProcessId: 3240
Image: C:\Windows\System32\conime.exe
Device: \Device\HarddiskVolume1

Event[2081]:
  Log Name: Microsoft-Windows-Sysmon/Operational
  Source: Microsoft-Windows-Sysmon
  Date: 2020-12-13T10:12:06.170
  Event ID: 5
  Task: Process terminated (rule: ProcessTerminate)
  Level: 情報
  Opcode: 情報
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: ore-PC0
  Description: 
Process terminated:
UtcTime: 2020-12-13 01:12:06.169
ProcessGuid: {13165805-6A61-5FD5-0000-001067D20A00}
ProcessId: 3896
Image: C:\Windows\System32\dllhost.exe

Event[2082]:
  Log Name: Microsoft-Windows-Sysmon/Operational
  Source: Microsoft-Windows-Sysmon
  Date: 2020-12-13T10:12:06.329
  Event ID: 5
  Task: Process terminated (rule: ProcessTerminate)
  Level: 情報
  Opcode: 情報
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: ore-PC0
  Description: 
Process terminated:
UtcTime: 2020-12-13 01:12:06.329
ProcessGuid: {13165805-6A61-5FD5-0000-00104BDA0A00}
ProcessId: 184
Image: C:\Windows\System32\dllhost.exe

#Result

| pid | event | exe |
|---|---|---|
| 1400 | 1 | \Windows\System32\SearchFilterHost.exe |
| 3268 | 1 | \Windows\System32\consent.exe |
| 3896 | 1 | \Windows\System32\dllhost.exe |
| 2588 | 1 | \Windows\System32\efsui.exe |
| 184 | 1 | \Windows\System32\dllhost.exe |
| 3892 | 1 | \Windows\System32\cmd.exe |
| 3240 | 1 | \Windows\System32\conime.exe |
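As an added example (not code from the article), here is a Python filter that works on a constructed sample in the same wevtutil-style text layout as the log above: it keeps the Event ID 1 records, reduces them to the pid / event / exe columns of the result table, and also follows ParentProcessId links to show the spawn chain (explorer.exe to cmd.exe to conime.exe) that the raw log only shows as separate events. The sample text and the function names are assumptions for illustration.

```python
import re
# Constructed sample in the wevtutil-style text layout shown above (fields trimmed for brevity)
SAMPLE = r"""
Event[2076]:
  Event ID: 1
ProcessId: 3892
Image: C:\Windows\System32\cmd.exe
ParentProcessId: 3468
ParentImage: C:\Windows\explorer.exe

Event[2077]:
  Event ID: 9
ProcessId: 3892
Image: C:\Windows\System32\cmd.exe

Event[2079]:
  Event ID: 1
ProcessId: 3240
Image: C:\Windows\System32\conime.exe
ParentProcessId: 3892
ParentImage: C:\Windows\System32\cmd.exe
"""

def parse_events(text):
    """One dict of 'Key: value' fields per Event[n] block."""
    events = []
    for block in re.split(r"^Event\[\d+\]:[ \t]*$", text, flags=re.M)[1:]:
        pairs = (re.match(r"\s*([A-Za-z ]+): ?(.*)$", l) for l in block.splitlines())
        events.append({m.group(1).strip(): m.group(2).strip() for m in pairs if m})
    return events

def process_creates(events):
    """Event ID 1 only, reduced to (pid, event, exe) with the drive letter dropped."""
    return [(int(e["ProcessId"]), 1, re.sub(r"^[A-Za-z]:", "", e["Image"]))
            for e in events if e.get("Event ID") == "1"]

def parent_chain(events, pid):
    """Walk ParentProcessId links through Event ID 1 records (PIDs get reused on a
    live host; key on ProcessGuid/ParentProcessGuid for anything beyond a short capture)."""
    by_pid = {int(e["ProcessId"]): e for e in events if e.get("Event ID") == "1"}
    chain = []
    while pid in by_pid:
        ev = by_pid[pid]
        chain.append(ev["Image"].rsplit("\\", 1)[-1])
        pid = int(ev["ParentProcessId"])
        if pid not in by_pid:  # parent predates the capture: use the name Sysmon recorded
            chain.append(ev["ParentImage"].rsplit("\\", 1)[-1])
    return chain
```

`process_creates(parse_events(SAMPLE))` yields the same pid / event / exe rows as the table for the sampled events, and `parent_chain(..., 3240)` returns `['conime.exe', 'cmd.exe', 'explorer.exe']`.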

#Deliverables

That's all.
