一、进程实时监控

通过hook技术在windows和Linux操作系统的ring0级别进行监控进程和命令执行。

Windows:

NT式驱动服务开机自启动:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services

net start pro

二、网络链接实时监控

通过pcap(gopcap)进行对网络链接进行实时抓包。

Windows:装WinPcap

Linux:装libpcap

三、文件操作实时监控

通过inotify(fsnotify)监控磁盘文件变化。

四、ES索引类型字段

索引:monitor2018_04

类型:connection、file、loginlog、process

字段:data.action、data.command、data.dir、data.hash、data.hostname、data.info、data.local、data.name、data.parentname、data.path、data.pid、data.ppid、data.protocol、data.remote、data.status、data.user、data.username、ip、time

举例:

_index _type _id _score ip data.remote data.status data.username time data.dir data.local data.name data.pid data.protocol data.action data.hash data.path data.user data.command data.info data.parentname data.ppid
monitor2018_04 loginlog AWKodaW5ZT0_Kn0N9YOy 1 192.168.1.1 0 true Administrator 2018-02-17T18:37:44+07:00
monitor2018_04 connection AWKpDlutZT0_Kn0N9Ydd 1 192.168.1.1 182.118.40.31 2018-04-09T14:18:06+08:00 out 192.168.1.1:54080 LiveUpdate360.exe 3524 tcp
monitor2018_04 file AWKo3gdkZT0_Kn0N9Ycu 1 192.168.1.1 2018-04-09T13:25:21+08:00 WRITE 899a5bf1669610cdb78d322ac8d9358b c:\windows\sysnative\Packet.dll Administrators
monitor2018_04 process AWKzeH6oZT0_Kn0N9Y0x 1 192.168.1.1 2018-04-11T14:49:43+08:00 cmd.exe 2380 sqlservr.exe 1392

五、MongoDB数据库

1
2
3
4
5
6
7
8
9
>show collections
client
config
file
info
notice
rules
server
statistics

字段数据举例:

client:

1
2
3
4
5
6
7
db.client.find()

 "_id" : ObjectId("5acf4cde5e2ba50ef19a6347"), "ip" : "192.168.1.2", "hostname" : "bbbbbbbbbbbbbbb", "path" : [ ], "system" : "Windows Server 2008 R2 Enterprise  64", "type" : "db", "uptime" : ISODate("2018-04-12T12:15:10.475Z"), "health" : 1 }

{ "_id" : ObjectId("5acf4dec5e2ba50ef1b547f9"), "ip" : "192.168.1.3", "hostname" : "bbbbbbbbbbbbbbb", "path" : [ ], "system" : "Windows Server 2008 R2 Enterprise  64", "type" : "db", "uptime" : ISODate("2018-04-13T10:29:36.636Z"), "health" : 2 }

0健康 1离线 2存在防火墙阻拦

config:

1
2
3
4
5
6
7
8
9
10
db.config.find()

{ "_id" : ObjectId("5ac9e1a25e2ba50ef1a758e2"), "type" : "client", "dic" : { "cycle" : 2, "udp" : false, "lan" : false, "monitorPath" : [ "%windows%", "%system32%", "%web%", "/etc/", "/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/" ] } }
{ "_id" : ObjectId("5ac9e1a25e2ba50ef1a758e3"), "type" : "server", "dic" : { "publickey" : "-----BEGIN PUBLIC KEY-----\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJcyrbTRmezc++tR1ZF4R0LktE\nNye/MHY07CE229av69YnJuUtYnEWc1471mDhaJmL8kAb+46Bt7y7L53H2t4VuMTd\nQfghZ/QAyKWsumupZhll0clh3bbROKHfJbNYSydmT+M9GbLygGeH1zLpSL8Qx9to\n4eVPhcIUMhjGGxbpqwIDAQAB\n-----END PUBLIC KEY-----\n", "privatekey" : "-----BEGIN RSA PRIVATE KEY-----\nMIICXgIBAAKBgQDJcyrbTRmezc++tR1ZF4R0LktENye/MHY07CE229av69YnJuUt\nYnEWc1471mDhaJmL8kAb+46Bt7y7L53H2t4VuMTdQfghZ/QAyKWsumupZhll0clh\n3bbROKHfJbNYSydmT+M9GbLygGeH1zLpSL8Qx9to4eVPhcIUMhjGGxbpqwIDAQAB\nAoGBAImFMFWDHaFWOKKku0MtlcNGMyV/TYfsClX4eHgdvUJdCdWybLL9x9ueqE7K\n+1oFcQSjPHad1Nvi1VknmVtsozwTAMWoRq1J1NLVK4nxKpB4G1WRw7lQPLTLwmkZ\n3MuvNHQpFKtUGgAnv8bOer2ijDpkg72FCU140ETapTGHVmfBAkEA/TMb8vgwhYK8\nnu/telcL8BStGbp+pS0T84Zcg4kdlznsQHXPnpueSQvsJmXeSW9zaDf/cQUMJFvT\nHzfbNgLSIQJBAMutiak/F6A1caFuS3uiDLwBnFBjvWR16YKonhSomSbE2RP4xPMm\nXXhjv1xPtLfav1Rx95txjiZyREjJNzlsGksCQQDZOhoGcAwg3zM4IJvbVAb36KVB\n55Bz4aK2UVXZu69ZaOZZvzlq2BQKk2H853S4CBg5F6Hdsvjh0K3moKM/SVhBAkBo\nOjDk9A1iBZdVdbyY0s9TcjuMg83KV/Cb1S+4AKMGzNsNNlOK3goc7mZhlcQ0BXO9\ngeikmhKVKAo7eQSSlPhLAkEApEHlFSWjbedA9RgHuUa/BeX6htRoghfOfS34Ebqg\ntuxp35YdsLs6iDl7zf1ZQuUvUsTPhXnSzP2Yti0/dI7Ejg==\n-----END RSA PRIVATE KEY-----\n", "cert" : "-----BEGIN CERTIFICATE-----\nMIICEDCCAXmgAwIBAgIJANcVcODaSbzPMA0GCSqGSIb3DQEBBQUAMCExHzAdBgNV\nBAMMFmRvbWFpbi1zZWMtcHJvamVjdC5jb20wHhcNMTgwNDA4MDkzNjM3WhcNMjgw\nNDA1MDkzNjM3WjAhMR8wHQYDVQQDDBZkb21haW4tc2VjLXByb2plY3QuY29tMIGf\nMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJcyrbTRmezc++tR1ZF4R0LktENye/\nMHY07CE229av69YnJuUtYnEWc1471mDhaJmL8kAb+46Bt7y7L53H2t4VuMTdQfgh\nZ/QAyKWsumupZhll0clh3bbROKHfJbNYSydmT+M9GbLygGeH1zLpSL8Qx9to4eVP\nhcIUMhjGGxbpqwIDAQABo1AwTjAdBgNVHQ4EFgQUZwP3xxBKYkhKUFyxt4ZoktDU\ne0YwHwYDVR0jBBgwFoAUZwP3xxBKYkhKUFyxt4ZoktDUe0YwDAYDVR0TBAUwAwEB\n/zANBgkqhkiG9w0BAQUFAAOBgQATrutSnvbPTqrPv+19DQZSSSTWQoyaddPT3Q5i\nvyqerVrozRfgHbxKspZZIyJL04BQtCLj+85yIIRfgTbWozy5pwimjJYd8NB72PUr\n8mirgWqewMLe1mhWmS8IXOJfzFhB9azlj5sly47JunLnbKlaVqU+ZtjUiq7jKw4p\nlpBftw==\n-----END CERTIFICATE-----\n", "learn" : false, "offlinecheck" : false } }
{ "_id" : ObjectId("5ac9e1a25e2ba50ef1a758e4"), "type" : "intelligence", "dic" : { "switch" : false, "ipapi" : "http://127.0.0.1/api/?ip={$ip}", "fileapi" : "http://127.0.0.1/api/?hash={$hash}", "regex" : "black" } }
{ "_id" : ObjectId("5ac9e1a25e2ba50ef1a758e5"), "dic" : { "switch" : false, "onlyhigh" : false, "api": "http://127.0.0.1/test/?text={$info}" }, "type" : "notice" }
{ "_id" : ObjectId("5ac9e1a25e2ba50ef1a758e6"), "dic" : { "file" : [ ], "ip" : [ ], "process" : [ ], "other" : [ ] }, "type" : "whitelist" }
{ "_id" : ObjectId("5ac9e1a25e2ba50ef1a758e7"), "type" : "blacklist", "dic" : { "process" : [ "mssecsvc\\.exe", "tasksche\\.exe" ], "other" : [ ], "file" : [ ], "ip" : [ ] } }
{ "_id" : ObjectId("5ac9e1a25e2ba50ef1a758e8"), "type" : "filter", "dic" : { "file" : [ "^c:\\\\windows\\\\temp$", "\\.(png|js|css|jpg|gif|wolff|svg)$" ], "ip" : [ ], "process" : [ "c:\\\\windows\\\\system32\\\\wbem\\\\wmiprvse.exe" ] } }
{ "_id" : ObjectId("5ac9e1a25e2ba50ef1a758e9"), "type" : "web", "dic" : { "tfakey" : "" } }

file: 

1
2
3
4
5
6
7
8
9
10
> db.file.find()
{ "_id" : ObjectId("5ac9e22c5e2ba50ef1a7591f"), "platform" : "64", "system" : "linux", "type" : "agent", "hash" : "08e2a1144e4191e375cb03fcd5e7a7c3", "uptime" : ISODate("2018-04-08T09:34:36.178Z") }
{ "_id" : ObjectId("5ac9e22c5e2ba50ef1a75922"), "platform" : "64", "system" : "linux", "type" : "daemon", "hash" : "5b1ddf0f8ee2fc9c170be29462cdcc54", "uptime" : ISODate("2018-04-08T09:34:36.218Z") }
{ "_id" : ObjectId("5ac9e22c5e2ba50ef1a75925"), "platform" : "64", "system" : "linux", "type" : "data", "hash" : "ec777b4a79f32254f5a8dae10cf029b2", "uptime" : ISODate("2018-04-08T09:34:36.222Z") }
{ "_id" : ObjectId("5ac9e2305e2ba50ef1a7592c"), "platform" : "32", "system" : "windows", "type" : "agent", "hash" : "536f05fd939ae563fbdd7e52a3d7e132", "uptime" : ISODate("2018-04-08T09:34:40.776Z") }
{ "_id" : ObjectId("5ac9e2305e2ba50ef1a7592f"), "platform" : "32", "system" : "windows", "type" : "daemon", "hash" : "37e3593a084dff5e2bce85dd4815cf8e", "uptime" : ISODate("2018-04-08T09:34:40.792Z") }
{ "_id" : ObjectId("5ac9e2305e2ba50ef1a75932"), "platform" : "32", "system" : "windows", "type" : "data", "hash" : "ce04138b9f0336f5c30297d34b44b63a", "uptime" : ISODate("2018-04-08T09:34:40.793Z") }
{ "_id" : ObjectId("5ac9e2305e2ba50ef1a75938"), "platform" : "64", "system" : "windows", "type" : "agent", "hash" : "536f05fd939ae563fbdd7e52a3d7e132", "uptime" : ISODate("2018-04-08T09:34:40.935Z") }
{ "_id" : ObjectId("5ac9e2305e2ba50ef1a7593b"), "platform" : "64", "system" : "windows", "type" : "daemon", "hash" : "37e3593a084dff5e2bce85dd4815cf8e", "uptime" : ISODate("2018-04-08T09:34:40.951Z") }
{ "_id" : ObjectId("5ac9e2305e2ba50ef1a7593e"), "platform" : "64", "system" : "windows", "type" : "data", "hash" : "00af5f5a51df34a942d44cf9641ad368", "uptime" : ISODate("2018-04-08T09:34:40.953Z") }

info: 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
> db.info.findOne()
{
"_id" : ObjectId("5aca09915e2ba50ef1ac00a7"),
"ip" : "192.168.1.4",
"type" : "userlist",
"system" : "linux",
"data" : [
{
"name" : "root",
"description" : "x:0:0:root:/root:/bin/bash"
},
{
"description" : "x:5:0:sync:/sbin:/bin/sync",
"name" : "sync"
},
{
"name" : "shutdown",
"description" : "x:6:0:shutdown:/sbin:/sbin/shutdown"
},
{
"description" : "x:7:0:halt:/sbin:/sbin/halt",
"name" : "halt"
},
{
"description" : "x:500:500::/home/niubi:/bin/bash",
"name" : "niubi"
},
{
"name" : "papapa",
"description" : "x:550:550::/home/papapa:/bin/bash"
}
],
"uptime" : ISODate("2018-04-09T09:05:48.640Z")
}
>

notice:

1
2
3
4
5
6
7
8
9
10
11
12
> db.notice.findOne()
{
"_id" : ObjectId("5aca09915e2ba50ef1ac00ee"),
"description" : "企业网络中首次出现的linux可登陆用户",
"info" : "root|x:0:0:root:/root:/bin/bash",
"ip" : "192.168.1.4",
"level" : 1,
"source" : "可疑用户",
"status" : 4,
"time" : ISODate("2018-04-08T12:22:41.864Z"),
"type" : "userlist"
}

rules:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
{
"_id" : ObjectId("5ac9e1de5e2ba50ef1a758f8"),
"enabled" : true,
"meta" : {
"description" : "web进程执行了系统命令,可能为命令执行漏洞或者webshell行为",
"level" : 0,
"name" : "WebServer可疑进程启动(windows)",
"author" : "wolf"
},
"rules" : {
"name" : {
"data" : "^(cmd\\.exe|powershell\\.exe)$",
"type" : "regex"
},
"parentname" : {
"data" : "^(w3wp\\.exe|httpd\\.exe|nginx\\.exe|php-cgi\\.exe)$",
"type" : "regex"
}
},
"source" : "process",
"system" : "windows",
"and" : true
}

server:

1
2
3
4
5
{
"_id" : ObjectId("5aca096d5e2ba50ef1a75c5c"),
"netloc" : "192.168.1.5:33433",
"uptime" : ISODate("2018-04-13T12:47:34.678Z")
}

statistics: 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
{ "_id" : ObjectId("5aca09915e2ba50ef1ac00ab"), "uptime" : ISODate("2018-04-11T12:35:13.782Z"), "type" : "loginlog", "info" : "192.168.1.6", "count" : 30, "server_list" : [ "192.168.1.4", "192.168.1.5" ]}

{ "_id" : ObjectId("5aca09915e2ba50ef1ac00b8"), "type" : "loginlog", "info" : "192.168.1.7", "count" :12, "server_list" : [ "192.168.1.4", "192.168.1.5" ], "uptime" : ISODate("2018-04-09T09:05:48.640Z")}


{ "_id" : ObjectId("5aca09915e2ba50ef1ac00b4"), "type" : "userlist", "info" : "root", "count" : 4, "server_list" : [ "192.168.1.4", "192.168.1.5" ], "uptime" : ISODate("2018-04-09T09:05:48.640Z") }

{ "_id" : ObjectId("5acf1f5e5e2ba50ef1fb4e28"), "type" : "userlist", "info" : "piasdf$", "count" : 7,"server_list" : [ "192.168.1.1", "192.168.1.2", "192.168.1.3" ], "uptime" : ISODate("2018-04-12T12:35:53.264Z") }


{ "_id" : ObjectId("5aca09915e2ba50ef1ac00b6"), "info" : "0.0.0.0:5266", "count" : 7, "server_list" :[ "192.168.1.4", "192.168.1.5" ], "uptime" : ISODate("2018-04-12T18:21:44.314Z"), "type" : "listening" }

{ "_id" : ObjectId("5aca0bc25e2ba50ef1e3542a"), "type" : "listening", "info" : "0.0.0.0:443", "count": 4, "server_list" : [ "192.168.1.5" ], "uptime" : ISODate("2018-04-12T18:21:44.314Z") }



{ "_id" : ObjectId("5aca0bc25e2ba50ef1e353e0"), "type" : "crontab", "info" : "/usr/bin/test -f  /tmp/lockfile >/dev/null || /opt/apple/apps/ddd/tool 2 >/dev/null && /bin/touch /tmp/lock", "count" : 1, "server_list" : [ "192.168.1.5" ], "uptime" : ISODate("2018-04-08T12:32:02.633Z") }

{ "_id" : ObjectId("5acadea05e2ba50ef1a55877"), "type" : "crontab", "info" : "c:\\windows\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe", "count" : 16, "server_list" : [ "192.168.1.1", "192.168.1.2", "192.168.1.3" ], "uptime" : ISODate("2018-04-12T12:35:53.233Z") }



{ "_id" : ObjectId("5acadea95e2ba50ef1a630c8"), "type" : "connection", "info" : "111.206.79.165", "count" : 4987, "server_list" : [ "192.168.1.1" ], "uptime" : ISODate("2018-04-11T12:53:15.086Z") }

{ "_id" : ObjectId("5acae3135e2ba50ef11946e6"), "type" : "connection", "info" : "123.125.80.36", "count" : 1, "server_list" : [ "192.168.1.1" ], "uptime" : ISODate("2018-04-09T03:50:43.619Z") }



{ "_id" : ObjectId("5acf23575e2ba50ef16296eb"), "type" : "process", "info" : "w3wp.exe", "count" : 6,"server_list" : [ "192.168.1.1", "192.168.1.2", "192.168.1.3" ], "uptime" : ISODate("2018-04-13T12:43:03.017Z") }
{ "_id" : ObjectId("5acf32385e2ba50ef1e5ee42"), "info" : "HipsMain.exe", "count" : 3, "server_list" :[ "192.168.1.1", "192.168.1.3" ], "uptime" : ISODate("2018-04-12T12:39:49.601Z"), "type" : "process" }



{ "_id" : ObjectId("5acadea05e2ba50ef1a5587a"), "uptime" : ISODate("2018-04-12T12:35:53.232Z"), "type" : "startup", "info" : "360sd", "count" : 18, "server_list" : [ "192.168.1.1", "192.168.1.2", "192.168.1.3" ] }

{ "_id" : ObjectId("5acadea05e2ba50ef1a55886"), "count" : 18, "server_list" : [ "192.168.1.1", "192.168.1.2", "192.168.1.3" ], "uptime" : ISODate("2018-04-12T12:35:53.232Z"), "type" : "startup", "info" : "AnyDesk" }



{ "_id" : ObjectId("5acae2665e2ba50ef107caa7"), "type" : "service", "info" : "hidserv", "count" : 114, "server_list" : [ "192.168.1.1", "192.168.1.2", "192.168.1.3" ], "uptime" : ISODate("2018-04-13T11:41:20.587Z") }

{ "_id" : ObjectId("5acae2665e2ba50ef107cbe7"), "type" : "service", "info" : "SQLBrowser", "count" : 114, "server_list" : [ "192.168.1.1", "192.168.1.2", "192.168.1.3" ], "uptime" : ISODate("2018-04-13T11:41:20.587Z") }

六、入侵检测功能点和维度

[server]->ScanMonitorThread(安全检测线程)->Run(开始检测)->BlackFilter(黑名单)->WhiteFilter(白名单)->Rules(规则引擎)->Intelligence(威胁情报)

1. webshell写入行为

Linux目前支持Apache和nginx的目录自动监控:

apachectl -V

nginx -V

Windows目前支持IIS6和IIS7:

先在初始化时获取进程列表存库,如果获取到web进程,并web标签入库,则收集web目录,并进行监控:

x32
iis6配置文件:%SystemDrive%\WINDOWS\SysNative\inetsrv\MetaBase.xml
iis7配置文件:%SystemDrive%\Windows\SysNative\inetsrv\config\applicationHost.config

x64
iis6配置文件:%SystemDrive%\WINDOWS\System32\inetsrv\MetaBase.xml
iis7配置文件:%SystemDrive%\Windows\System32\inetsrv\config\applicationHost.config

识别模式:

1)文件监控,通过监控文件WRITE行为,正则匹配文件的后缀类型为黑名单中的后缀进行匹配。bypass 中文.aspx
2)进程监控,父进程是web服务,执行子进程是黑名单进程中的进程名字或命令。

2.异常登录、网络连接行为

统计第n次出现的登录ip、登录用户名告警,原则上MongoDB的statistics表里loginlog(登录的ip)、userlist(登录的用户)、listening(ip监听端口)、crontab(计划任务)、process(进程名字)、startup(启动项名字)、service(服务名字)都存在count字段,都可以通过自定义规则进行告警。

识别模式:

1)进程监控

2)文件监控,登录日志windows《驭龙 EventLog 读取模块的迭代历程》,Linux 登录成功(解析/var/log/wtmp)、登录失败lastb命令;

3)网络流量

3.异常命令调用行为

《Linux System Calls Hooking Method Summary》《如何在Linux下监控命令执行》《「驭龙」Linux执行命令监控驱动实现解析》

在驭龙hids官方git上的演示sql注入和命令执行,实际上跟我们平时理解的waf有所区别,没有对web请求进行监控。而是通过规则定义了sqlsrver.exe启动子进程为cmd.exe的调用关系,而在sqlserver上通过xp_cmdshell执行命令就是通过cmd间接执行其他命令的。

360主动拦截

进程调用

在3gstudent和evi1cg.me的博客上有关于win下文件下载、命令执行和sqlserver执行命令的一些姿势,如果理清楚进程的调用关系,相信你一定可以绕过某些安全软件的动作拦截,包括msf的payload去开shell等。

识别模式:

1)进程监控,通过规则定义进程调用关系进行告警

小结

没有小结~