LoginSignup
0
0

More than 3 years have passed since last update.

マルウェア解析・検知・分類Advent Calendar 2020Day 13
@ohisama@github

自前EDR その9

Posted at

概要

vistaにedrを構築する。
時系列で取得なsysmonを入れた。
sysmonのlogを、フィルタリングしてみた。

環境

windows vista 32bit

使ったlog

Event[2063]:
  Log Name: Microsoft-Windows-Sysmon/Operational
  Source: Microsoft-Windows-Sysmon
  Date: 2020-12-13T10:11:42.218
  Event ID: 1
  Task: Process Create (rule: ProcessCreate)
  Level: 情報
  Opcode: 情報
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: ore-PC0
  Description: 
Process Create:
UtcTime: 2020-12-13 01:11:42.208
ProcessGuid: {13165805-6A4E-5FD5-0000-001052900A00}
ProcessId: 1400
Image: C:\Windows\System32\SearchFilterHost.exe
CommandLine: "C:\Windows\system32\SearchFilterHost.exe" 0 620 624 632 65536 628 
CurrentDirectory: C:\Windows\system32\
User: NT AUTHORITY\SYSTEM
LogonGuid: {13165805-6850-5FD5-0000-0020E7030000}
LogonId: 0x3e7
TerminalSessionId: 0
IntegrityLevel: Medium
Hashes: SHA1=8784A4CED5BE17DAA69FC4CF1C25762B481900A2
ParentProcessGuid: {13165805-6858-5FD5-0000-0010B0610200}
ParentProcessId: 2072
ParentImage: C:\Windows\System32\SearchIndexer.exe
ParentCommandLine: C:\Windows\system32\SearchIndexer.exe /Embedding

Event[2064]:
  Log Name: Microsoft-Windows-Sysmon/Operational
  Source: Microsoft-Windows-Sysmon
  Date: 2020-12-13T10:11:42.219
  Event ID: 9
  Task: RawAccessRead detected (rule: RawAccessRead)
  Level: 情報
  Opcode: 情報
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: ore-PC0
  Description: 
RawAccessRead detected:
UtcTime: 2020-12-13 01:11:42.219
ProcessGuid: {13165805-6A4E-5FD5-0000-001052900A00}
ProcessId: 1400
Image: C:\Windows\System32\SearchFilterHost.exe
Device: \Device\HarddiskVolume1

Event[2065]:
  Log Name: Microsoft-Windows-Sysmon/Operational
  Source: Microsoft-Windows-Sysmon
  Date: 2020-12-13T10:11:47.104
  Event ID: 5
  Task: Process terminated (rule: ProcessTerminate)
  Level: 情報
  Opcode: 情報
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: ore-PC0
  Description: 
Process terminated:
UtcTime: 2020-12-13 01:11:47.104
ProcessGuid: {13165805-6A4E-5FD5-0000-00103F810A00}
ProcessId: 4036
Image: C:\Windows\System32\dllhost.exe

Event[2066]:
  Log Name: Microsoft-Windows-Sysmon/Operational
  Source: Microsoft-Windows-Sysmon
  Date: 2020-12-13T10:11:58.551
  Event ID: 1
  Task: Process Create (rule: ProcessCreate)
  Level: 情報
  Opcode: 情報
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: ore-PC0
  Description: 
Process Create:
UtcTime: 2020-12-13 01:11:58.525
ProcessGuid: {13165805-6A5E-5FD5-0000-00104CB40A00}
ProcessId: 3268
Image: C:\Windows\System32\consent.exe
CommandLine: consent.exe 1164 226 069FF268
CurrentDirectory: C:\Windows\system32\
User: NT AUTHORITY\SYSTEM
LogonGuid: {13165805-6850-5FD5-0000-0020E7030000}
LogonId: 0x3e7
TerminalSessionId: 1
IntegrityLevel: System
Hashes: SHA1=DB44766EF1F42380D5B83C94209105AFFAEC56DD
ParentProcessGuid: {13165805-6852-5FD5-0000-0010E57F0100}
ParentProcessId: 1164
ParentImage: C:\Windows\System32\svchost.exe
ParentCommandLine: C:\Windows\system32\svchost.exe -k netsvcs

Event[2067]:
  Log Name: Microsoft-Windows-Sysmon/Operational
  Source: Microsoft-Windows-Sysmon
  Date: 2020-12-13T10:11:58.555
  Event ID: 9
  Task: RawAccessRead detected (rule: RawAccessRead)
  Level: 情報
  Opcode: 情報
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: ore-PC0
  Description: 
RawAccessRead detected:
UtcTime: 2020-12-13 01:11:58.555
ProcessGuid: {13165805-6A5E-5FD5-0000-00104CB40A00}
ProcessId: 3268
Image: C:\Windows\System32\consent.exe
Device: \Device\HarddiskVolume1

Event[2068]:
  Log Name: Microsoft-Windows-Sysmon/Operational
  Source: Microsoft-Windows-Sysmon
  Date: 2020-12-13T10:12:01.028
  Event ID: 1
  Task: Process Create (rule: ProcessCreate)
  Level: 情報
  Opcode: 情報
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: ore-PC0
  Description: 
Process Create:
UtcTime: 2020-12-13 01:12:01.017
ProcessGuid: {13165805-6A61-5FD5-0000-001067D20A00}
ProcessId: 3896
Image: C:\Windows\System32\dllhost.exe
CommandLine: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}
CurrentDirectory: C:\Windows\system32\
User: NT AUTHORITY\SYSTEM
LogonGuid: {13165805-6850-5FD5-0000-0020E7030000}
LogonId: 0x3e7
TerminalSessionId: 1
IntegrityLevel: System
Hashes: SHA1=58C379B077944D2BA79C0251977E8EDE3DFBC829
ParentProcessGuid: {13165805-6851-5FD5-0000-001048040100}
ParentProcessId: 836
ParentImage: C:\Windows\System32\svchost.exe
ParentCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch

Event[2069]:
  Log Name: Microsoft-Windows-Sysmon/Operational
  Source: Microsoft-Windows-Sysmon
  Date: 2020-12-13T10:12:01.029
  Event ID: 1
  Task: Process Create (rule: ProcessCreate)
  Level: 情報
  Opcode: 情報
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: ore-PC0
  Description: 
Process Create:
UtcTime: 2020-12-13 01:12:01.018
ProcessGuid: {13165805-6A61-5FD5-0000-00108BD20A00}
ProcessId: 2588
Image: C:\Windows\System32\efsui.exe
CommandLine: efsui.exe /efs /keybackup
CurrentDirectory: C:\Windows\system32\
User: ore-PC0\ore
LogonGuid: {13165805-685D-5FD5-0000-00205A4E0300}
LogonId: 0x34e5a
TerminalSessionId: 1
IntegrityLevel: High
Hashes: SHA1=4626E7D225B8BF5D5A8CE7B2500D060BE30E6AB5
ParentProcessGuid: {13165805-6850-5FD5-0000-001060EB0000}
ParentProcessId: 672
ParentImage: C:\Windows\System32\lsass.exe
ParentCommandLine: C:\Windows\system32\lsass.exe

Event[2070]:
  Log Name: Microsoft-Windows-Sysmon/Operational
  Source: Microsoft-Windows-Sysmon
  Date: 2020-12-13T10:12:01.031
  Event ID: 9
  Task: RawAccessRead detected (rule: RawAccessRead)
  Level: 情報
  Opcode: 情報
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: ore-PC0
  Description: 
RawAccessRead detected:
UtcTime: 2020-12-13 01:12:01.030
ProcessGuid: {13165805-6A61-5FD5-0000-00108BD20A00}
ProcessId: 2588
Image: C:\Windows\System32\efsui.exe
Device: \Device\HarddiskVolume1

Event[2071]:
  Log Name: Microsoft-Windows-Sysmon/Operational
  Source: Microsoft-Windows-Sysmon
  Date: 2020-12-13T10:12:01.092
  Event ID: 9
  Task: RawAccessRead detected (rule: RawAccessRead)
  Level: 情報
  Opcode: 情報
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: ore-PC0
  Description: 
RawAccessRead detected:
UtcTime: 2020-12-13 01:12:01.092
ProcessGuid: {13165805-6A61-5FD5-0000-001067D20A00}
ProcessId: 3896
Image: C:\Windows\System32\dllhost.exe
Device: \Device\HarddiskVolume1

Event[2072]:
  Log Name: Microsoft-Windows-Sysmon/Operational
  Source: Microsoft-Windows-Sysmon
  Date: 2020-12-13T10:12:01.264
  Event ID: 5
  Task: Process terminated (rule: ProcessTerminate)
  Level: 情報
  Opcode: 情報
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: ore-PC0
  Description: 
Process terminated:
UtcTime: 2020-12-13 01:12:01.263
ProcessGuid: {13165805-6A5E-5FD5-0000-00104CB40A00}
ProcessId: 3268
Image: C:\Windows\System32\consent.exe

Event[2073]:
  Log Name: Microsoft-Windows-Sysmon/Operational
  Source: Microsoft-Windows-Sysmon
  Date: 2020-12-13T10:12:01.291
  Event ID: 1
  Task: Process Create (rule: ProcessCreate)
  Level: 情報
  Opcode: 情報
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: ore-PC0
  Description: 
Process Create:
UtcTime: 2020-12-13 01:12:01.272
ProcessGuid: {13165805-6A61-5FD5-0000-00104BDA0A00}
ProcessId: 184
Image: C:\Windows\System32\dllhost.exe
CommandLine: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}
CurrentDirectory: C:\Windows\system32\
User: NT AUTHORITY\SYSTEM
LogonGuid: {13165805-6850-5FD5-0000-0020E7030000}
LogonId: 0x3e7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA1=58C379B077944D2BA79C0251977E8EDE3DFBC829
ParentProcessGuid: {13165805-6851-5FD5-0000-001048040100}
ParentProcessId: 836
ParentImage: C:\Windows\System32\svchost.exe
ParentCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch

Event[2074]:
  Log Name: Microsoft-Windows-Sysmon/Operational
  Source: Microsoft-Windows-Sysmon
  Date: 2020-12-13T10:12:01.305
  Event ID: 9
  Task: RawAccessRead detected (rule: RawAccessRead)
  Level: 情報
  Opcode: 情報
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: ore-PC0
  Description: 
RawAccessRead detected:
UtcTime: 2020-12-13 01:12:01.297
ProcessGuid: {13165805-6A61-5FD5-0000-00104BDA0A00}
ProcessId: 184
Image: C:\Windows\System32\dllhost.exe
Device: \Device\HarddiskVolume1

Event[2075]:
  Log Name: Microsoft-Windows-Sysmon/Operational
  Source: Microsoft-Windows-Sysmon
  Date: 2020-12-13T10:12:01.309
  Event ID: 5
  Task: Process terminated (rule: ProcessTerminate)
  Level: 情報
  Opcode: 情報
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: ore-PC0
  Description: 
Process terminated:
UtcTime: 2020-12-13 01:12:01.308
ProcessGuid: {13165805-6A61-5FD5-0000-00108BD20A00}
ProcessId: 2588
Image: C:\Windows\System32\efsui.exe

Event[2076]:
  Log Name: Microsoft-Windows-Sysmon/Operational
  Source: Microsoft-Windows-Sysmon
  Date: 2020-12-13T10:12:01.341
  Event ID: 1
  Task: Process Create (rule: ProcessCreate)
  Level: 情報
  Opcode: 情報
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: ore-PC0
  Description: 
Process Create:
UtcTime: 2020-12-13 01:12:01.330
ProcessGuid: {13165805-6A61-5FD5-0000-0010F5DC0A00}
ProcessId: 3892
Image: C:\Windows\System32\cmd.exe
CommandLine: "C:\Windows\System32\cmd.exe" 
CurrentDirectory: C:\Windows\system32\
User: ore-PC0\ore
LogonGuid: {13165805-685D-5FD5-0000-00205A4E0300}
LogonId: 0x34e5a
TerminalSessionId: 1
IntegrityLevel: High
Hashes: SHA1=46372C2278B2E369A7CE3E0879A23D009CCB6340
ParentProcessGuid: {13165805-685E-5FD5-0000-00102ED60300}
ParentProcessId: 3468
ParentImage: C:\Windows\explorer.exe
ParentCommandLine: C:\Windows\Explorer.EXE

Event[2077]:
  Log Name: Microsoft-Windows-Sysmon/Operational
  Source: Microsoft-Windows-Sysmon
  Date: 2020-12-13T10:12:01.342
  Event ID: 9
  Task: RawAccessRead detected (rule: RawAccessRead)
  Level: 情報
  Opcode: 情報
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: ore-PC0
  Description: 
RawAccessRead detected:
UtcTime: 2020-12-13 01:12:01.342
ProcessGuid: {13165805-6A61-5FD5-0000-0010F5DC0A00}
ProcessId: 3892
Image: C:\Windows\System32\cmd.exe
Device: \Device\HarddiskVolume1

Event[2078]:
  Log Name: Microsoft-Windows-Sysmon/Operational
  Source: Microsoft-Windows-Sysmon
  Date: 2020-12-13T10:12:01.400
  Event ID: 8
  Task: CreateRemoteThread detected (rule: CreateRemoteThread)
  Level: 情報
  Opcode: 情報
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: ore-PC0
  Description: 
CreateRemoteThread detected:
UtcTime: 2020-12-13 01:12:01.399
SourceProcessGuid: {13165805-684F-5FD5-0000-001049E30000}
SourceProcessId: 588
SourceImage: C:\Windows\System32\csrss.exe
TargetProcessGuid: {13165805-6A61-5FD5-0000-0010F5DC0A00}
TargetProcessId: 3892
TargetImage: C:\Windows\System32\cmd.exe
NewThreadId: 1804
StartAddress: 0x769EB043
StartModule: C:\Windows\system32\kernel32.dll
StartFunction: 

Event[2079]:
  Log Name: Microsoft-Windows-Sysmon/Operational
  Source: Microsoft-Windows-Sysmon
  Date: 2020-12-13T10:12:01.469
  Event ID: 1
  Task: Process Create (rule: ProcessCreate)
  Level: 情報
  Opcode: 情報
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: ore-PC0
  Description: 
Process Create:
UtcTime: 2020-12-13 01:12:01.429
ProcessGuid: {13165805-6A61-5FD5-0000-00107DDE0A00}
ProcessId: 3240
Image: C:\Windows\System32\conime.exe
CommandLine: C:\Windows\system32\conime.exe
CurrentDirectory: C:\Windows\system32\
User: ore-PC0\ore
LogonGuid: {13165805-685D-5FD5-0000-00205A4E0300}
LogonId: 0x34e5a
TerminalSessionId: 1
IntegrityLevel: High
Hashes: SHA1=32A54F7CB5FAE9842851556A15375AFDDA36E0E3
ParentProcessGuid: {13165805-6A61-5FD5-0000-0010F5DC0A00}
ParentProcessId: 3892
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: "C:\Windows\System32\cmd.exe" 

Event[2080]:
  Log Name: Microsoft-Windows-Sysmon/Operational
  Source: Microsoft-Windows-Sysmon
  Date: 2020-12-13T10:12:01.479
  Event ID: 9
  Task: RawAccessRead detected (rule: RawAccessRead)
  Level: 情報
  Opcode: 情報
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: ore-PC0
  Description: 
RawAccessRead detected:
UtcTime: 2020-12-13 01:12:01.479
ProcessGuid: {13165805-6A61-5FD5-0000-00107DDE0A00}
ProcessId: 3240
Image: C:\Windows\System32\conime.exe
Device: \Device\HarddiskVolume1

Event[2081]:
  Log Name: Microsoft-Windows-Sysmon/Operational
  Source: Microsoft-Windows-Sysmon
  Date: 2020-12-13T10:12:06.170
  Event ID: 5
  Task: Process terminated (rule: ProcessTerminate)
  Level: 情報
  Opcode: 情報
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: ore-PC0
  Description: 
Process terminated:
UtcTime: 2020-12-13 01:12:06.169
ProcessGuid: {13165805-6A61-5FD5-0000-001067D20A00}
ProcessId: 3896
Image: C:\Windows\System32\dllhost.exe

Event[2082]:
  Log Name: Microsoft-Windows-Sysmon/Operational
  Source: Microsoft-Windows-Sysmon
  Date: 2020-12-13T10:12:06.329
  Event ID: 5
  Task: Process terminated (rule: ProcessTerminate)
  Level: 情報
  Opcode: 情報
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: ore-PC0
  Description: 
Process terminated:
UtcTime: 2020-12-13 01:12:06.329
ProcessGuid: {13165805-6A61-5FD5-0000-00104BDA0A00}
ProcessId: 184
Image: C:\Windows\System32\dllhost.exe

結果

pid event exe
1400 1 \Windows\System32\SearchFilterHost.exe
3268 1 \Windows\System32\consent.exe
3896 1 \Windows\System32\dllhost.exe
2588 1 \Windows\System32\efsui.exe
184 1 \Windows\System32\dllhost.exe
3892 1 \Windows\System32\cmd.exe
3240 1 \Windows\System32\conime.exe

成果物

以上。

0
0
0

Register as a new user and use Qiita more conveniently

  1. You get articles that match your needs
  2. You can efficiently read back useful information
  3. You can use dark theme
What you can do with signing up
Sign upLogin
0
0