Background: the company already runs Qingteng (青藤) EDR, but in practice many webshells get past its detection. Sometimes a webshell is uploaded to a server and runs commands, and Qingteng Cloud raises no alert at all. That is not acceptable, so we need to add our own detection of command execution through webshells.
While testing Sysmon I noticed that the details recorded in the log differ considerably depending on where a command is executed from.
1. Windows
When I run a whoami command from cmd on Windows, the record Sysmon captures looks like this:
Aug 11 13:42:07 TEST-SAFE-AP01 MSWinEventLog 1 Microsoft-Windows-Sysmon/Operational 409 Thu Aug 11 13:42:07 2022 1 Microsoft-Windows-Sysmon SYSTEM User Information TEST-SAFE-AP01 Process Create (rule: ProcessCreate) Process Create: RuleName: - UtcTime: 2022-08-11 05:42:07.672 ProcessGuid: {9789903a-96af-62f4-da37-030000001900} ProcessId: 8324 Image: C:\Windows\System32\whoami.exe FileVersion: 10.0.17763.1 (WinBuild.160101.0800) Description: whoami - displays logged on user information Product: Microsoft? Windows? Operating System Company: Microsoft Corporation OriginalFileName: whoami.exe CommandLine: whoami CurrentDirectory: C:\Users\Administrator\ User: TEST-SAFE-AP01\osadmin LogonGuid: {9789903a-20e1-62d0-304b-0c0000000000} LogonId: 0xC4B30 TerminalSessionId: 2 IntegrityLevel: High Hashes: MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88 ParentProcessGuid: {9789903a-6a65-62f4-4c34-030000001900} ParentProcessId: 1548 ParentImage: C:\Windows\System32\cmd.exe ParentCommandLine: "C:\Windows\system32\cmd.exe" ParentUser: TEST-SAFE-AP01\osadmin 447
When I run whoami through a webshell, the records look like this (PHP and Java environments):
Aug 11 10:43:38 TEST-SAFE-AP01 MSWinEventLog 1 Microsoft-Windows-Sysmon/Operational 80 Thu Aug 11 10:43:38 2022 1 Microsoft-Windows-Sysmon SYSTEM User Information TEST-SAFE-AP01 Process Create (rule: ProcessCreate) Process Create: RuleName: - UtcTime: 2022-08-11 02:43:38.994 ProcessGuid: {9789903a-6cda-62f4-e334-030000001900} ProcessId: 7424 Image: C:\Windows\System32\whoami.exe FileVersion: 10.0.17763.1 (WinBuild.160101.0800) Description: whoami - displays logged on user information Product: Microsoft? Windows? Operating System Company: Microsoft Corporation OriginalFileName: whoami.exe CommandLine: whoami CurrentDirectory: D:\JspStudy\WWW\jsp\ User: TEST-SAFE-AP01\osadmin LogonGuid: {9789903a-20e1-62d0-304b-0c0000000000} LogonId: 0xC4B30 TerminalSessionId: 2 IntegrityLevel: High Hashes: MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88 ParentProcessGuid: {9789903a-6cda-62f4-e134-030000001900} ParentProcessId: 9924 ParentImage: C:\Windows\System32\cmd.exe ParentCommandLine: cmd.exe /c "whoami" ParentUser: TEST-SAFE-AP01\osadmin 118
Aug 11 14:37:26 TEST-SAFE-AP01 MSWinEventLog 1 Microsoft-Windows-Sysmon/Operational 539 Thu Aug 11 14:37:26 2022 1 Microsoft-Windows-Sysmon SYSTEM User Information TEST-SAFE-AP01 Process Create (rule: ProcessCreate) Process Create: RuleName: - UtcTime: 2022-08-11 06:37:26.429 ProcessGuid: {9789903a-a3a6-62f4-f338-030000001900} ProcessId: 10032 Image: C:\Windows\SysWOW64\whoami.exe FileVersion: 10.0.17763.1 (WinBuild.160101.0800) Description: whoami - displays logged on user information Product: Microsoft? Windows? Operating System Company: Microsoft Corporation OriginalFileName: whoami.exe CommandLine: whoami CurrentDirectory: D:\JspStudy\tomcat\bin\ User: TEST-SAFE-AP01\osadmin LogonGuid: {9789903a-20e1-62d0-304b-0c0000000000} LogonId: 0xC4B30 TerminalSessionId: 2 IntegrityLevel: High Hashes: MD5=B17EB327F33729DB69E97F0A09839EE7,SHA256=075FA41E449213910F6D45F5713FEF8ED71EA913C1EBE594407894141F103D64,IMPHASH=E91037BB26500603D5EE8666BA6C2510 ParentProcessGuid: {9789903a-a3a6-62f4-f238-030000001900} ParentProcessId: 7620 ParentImage: C:\Windows\SysWOW64\cmd.exe ParentCommandLine: cmd /c whoami ParentUser: TEST-SAFE-AP01\osadmin 577
The highlighted part above (the ParentCommandLine field) is the concrete difference: after repeated tests, whoami executed from a webshell always carries the /c argument.
Looking it up: cmd /c xx runs the command xx and then closes the command window.
So in a webshell, because there is no GUI console, the /c argument is brought in by default. We can therefore use this difference to decide whether someone is executing whoami through a webshell.
Whenever /c whoami appears, we treat it as someone running whoami via a webshell.
Here we use the company's existing Qingteng Cloud EDR and tweak it to add a new detection rule.
The rule:
Process name contains: cmd.exe
Process command line: cmd(\.exe){0,1}\s{0,1}\/c\s{0,1}(\"){0,1}whoami.*
2. Linux
On Linux we install Sysmon in the same way; installation guide:
https://github.com/Sysinternals/SysmonForLinux/blob/main/INSTALL.md
For the rule configuration, refer to this article:
https://in.security/2021/10/18/getting-started-with-sysmon-for-linux/
or search GitHub for sysmon-linux-sample-config.xml, which gives the same thing.
In actual testing we only need to detect the ProcessCreate event.
Use the following command to watch event ID 1 (process creation) as it is written to syslog:
sudo tail -f /var/log/syslog | sudo /opt/sysmon/sysmonLogView -e 1
Running whoami from a terminal:
Event SYSMONEVENT_CREATE_PROCESS
RuleName: -
UtcTime: 2022-08-12 07:32:28.210
ProcessGuid: {350c6fd8-020c-62f6-c066-4fdf85550000}
ProcessId: 13058
Image: /usr/bin/whoami
FileVersion: -
Description: -
Product: -
Company: -
OriginalFileName: -
CommandLine: whoami
CurrentDirectory: /home/masker
User: masker
LogonGuid: {350c6fd8-0000-0000-e803-000000000000}
LogonId: 1000
TerminalSessionId: 3
IntegrityLevel: no level
Hashes: -
ParentProcessGuid: {350c6fd8-fd02-62f5-48c4-ce3c92550000}
ParentProcessId: 12911
ParentImage: /bin/bash
ParentCommandLine: bash
ParentUser: masker

Running whoami through the webshell (the process runs as the web user www, from the web root, via sh -c):
Event SYSMONEVENT_CREATE_PROCESS
RuleName: -
UtcTime: 2022-08-12 07:30:56.866
ProcessGuid: {350c6fd8-01b0-62f6-6882-372083550000}
ProcessId: 13056
Image: /bin/dash
FileVersion: -
Description: -
Product: -
Company: -
OriginalFileName: -
CommandLine: sh -c whoami
CurrentDirectory: /home/wwwroot/default
User: www
LogonGuid: {350c6fd8-0000-0000-e903-000000000000}
LogonId: 1001
TerminalSessionId: 3
IntegrityLevel: no level
Hashes: -
ParentProcessGuid: {00000000-0000-0000-0000-000000000000}
ParentProcessId: 12310
ParentImage: -
ParentCommandLine: -
ParentUser: -
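As an added example, not code from the original post, the following Python detector parses both log layouts shown above (the flattened Windows syslog line and the per-line sysmonLogView output) and applies the Windows ParentCommandLine rule together with a Linux analogue. The widened Windows regex (any run of whitespace, optional quoted cmd.exe path) and the Linux "sh -c whoami" pattern are this editor's generalisation of the page's observations, not rules taken from the page or from the EDR.

```python
import re

# Fields read from a Sysmon ProcessCreate event. The page's Windows events arrive as one
# syslog line ("Key: value Key: value ..."), the Linux events from sysmonLogView as one
# "Key: value" per line; one regex per field covers both, taking the value up to the next
# "Key: " token or the end of the line.
FIELDS = ("Image", "CommandLine", "CurrentDirectory", "User", "ParentImage", "ParentCommandLine")

def parse_event(text):
    ev = {}
    for name in FIELDS:
        # \b keeps "Image" from matching inside "ParentImage" (likewise CommandLine, User)
        m = re.search(r"\b" + name + r": ([^\n]*?)(?=\s+[A-Z][A-Za-z]+: |\s*$)", text, re.M)
        if m:
            ev[name] = m.group(1)
    return ev

# Windows: the page's EDR rule on ParentCommandLine, widened to any run of whitespace and a
# quoted cmd.exe path. Linux: this editor's analogue of the observed "sh -c whoami" event.
WIN_RULE = re.compile(r'\bcmd(?:\.exe)?"?\s+/c\s*"?whoami', re.I)
NIX_RULE = re.compile(r'^(?:\S*/)?(?:sh|dash|bash)\s+-c\s+["\']?whoami')

def detect(ev):
    """Return a verdict for a webshell-style whoami, or None for an interactive one."""
    parent = ev.get("ParentCommandLine", "")
    if "cmd" in ev.get("ParentImage", "").lower() and WIN_RULE.search(parent):
        return "windows: %s spawned whoami in %s" % (parent, ev.get("CurrentDirectory"))
    cmd = ev.get("CommandLine", "")
    if NIX_RULE.search(cmd):
        return "linux: %s ran '%s' as %s in %s" % (ev.get("Image"), cmd, ev.get("User"), ev.get("CurrentDirectory"))
    return None

# Constructed samples: four of the page's events, trimmed to the fields the detector reads.
SAMPLES = [
    r'Process Create: Image: C:\Windows\System32\whoami.exe CommandLine: whoami '
    r'CurrentDirectory: C:\Users\Administrator\ User: TEST-SAFE-AP01\osadmin '
    r'ParentImage: C:\Windows\System32\cmd.exe ParentCommandLine: "C:\Windows\system32\cmd.exe" ParentUser: x 447',
    r'Process Create: Image: C:\Windows\System32\whoami.exe CommandLine: whoami '
    r'CurrentDirectory: D:\JspStudy\WWW\jsp\ User: TEST-SAFE-AP01\osadmin '
    r'ParentImage: C:\Windows\System32\cmd.exe ParentCommandLine: cmd.exe /c "whoami" ParentUser: x 118',
    "Image: /usr/bin/whoami\nCommandLine: whoami\nCurrentDirectory: /home/masker\n"
    "User: masker\nParentImage: /bin/bash\nParentCommandLine: bash\n",
    "Image: /bin/dash\nCommandLine: sh -c whoami\nCurrentDirectory: /home/wwwroot/default\n"
    "User: www\nParentImage: -\nParentCommandLine: -\n",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(detect(parse_event(raw)))
```

Only the two webshell-launched events fire; the interactive cmd and bash events return None, and the quoted cmd.exe path form that the page's original regex would miss is also caught.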