In this chapter we try other tools to see whether they can detect the traces.
Yesterday we could detect them from the Windows Event log; some sources online say Sysmon can show more information.
For an introduction, see the NetAdmin article "安裝Sysmon隨時監視 系統稽核記錄不漏失" (install Sysmon to monitor continuously so no system audit records are missed):
https://www.netadmin.com.tw/netadmin/zh-tw/technology/111D82A739524049A739DE9B518574AD
Download the main program from Microsoft:
https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
Download the configuration file from GitHub:
https://github.com/SwiftOnSecurity/sysmon-config
>Sysmon64.exe -accepteula -i sysmonconfig-export.xml
System Monitor v12.0 - System activity monitor
Copyright (C) 2014-2020 Mark Russinovich and Thomas Garnier
Sysinternals - www.sysinternals.com
Loading configuration file with schema version 4.22
Sysmon schema version: 4.40
Configuration file validated.
Sysmon64 installed.
SysmonDrv installed.
Starting SysmonDrv.
SysmonDrv started.
Starting Sysmon64..
Sysmon64 started.
After installation, you can see it running under Services.
Use winlogbeat to send Sysmon's event log to Elastic:
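Before shipping anything to Elastic, it is worth confirming that the service and driver are actually running and that events are landing in the Sysmon log channel. The following is an added example, not code from the original post; it assumes the default 64-bit service name "Sysmon64" and the default install path under the Windows directory, and should be run from an elevated PowerShell.

```powershell
# Added example (not from the original post): verify the Sysmon install
# and look at what it is recording before forwarding with winlogbeat.
# Assumes the default service name "Sysmon64" and install path %SystemRoot%.

$serviceName = 'Sysmon64'
$channel     = 'Microsoft-Windows-Sysmon/Operational'

# 1. User-mode service and kernel driver state (both should be Running)
Get-Service -Name $serviceName | Select-Object Name, Status, StartType | Format-Table -AutoSize
Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='SysmonDrv'" |
    Select-Object Name, State, StartMode | Format-Table -AutoSize

# 2. Dump the configuration currently loaded in the driver (-c with no file)
& "$env:SystemRoot\Sysmon64.exe" -c

# 3. Count recent events per ID to see which rules of the config are firing.
#    1 = process create, 3 = network connect, 11 = file create, 13 = registry value set
$since = (Get-Date).AddMinutes(-30)
Get-WinEvent -FilterHashtable @{ LogName = $channel; StartTime = $since } -ErrorAction SilentlyContinue |
    Group-Object Id |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# 4. Show the last few process-creation events (ID 1) with the fields that
#    matter for triage: the image, its command line and the parent image.
Get-WinEvent -FilterHashtable @{ LogName = $channel; Id = 1; StartTime = $since } -MaxEvents 5 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Image       = $data['Image']
            CommandLine = $data['CommandLine']
            ParentImage = $data['ParentImage']
        }
    } | Format-List
```

If step 3 prints nothing, generate some activity (open a program, browse a site) and rerun; an empty channel usually means the driver is not started or the config filtered everything out.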
Set-ExecutionPolicy RemoteSigned
PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-winlogbeat.ps1
Configure the yaml:
cloud.id: "xxx"
cloud.auth: "xxx"