說明

預設的Event訊息並不完整，很多事件不會產生，難以關聯前因後果，Windows在群組原則GPO部分可以設定啟用那些稽核原則

作法

1. 設定 Windows 事件記錄的審核策略

這邊微軟的文章寫得很詳細，就不額外贅述
https://learn.microsoft.com/zh-tw/defender-for-identity/deploy/configure-windows-event-collection

查看目前啟用策略

這裡如果有加入網域並套用規則，就算登入本機帳號仍會顯示已套用的情況(可能會跟畫面顯示不同)

PS C:\Windows\system32> AuditPol /get /category:"Logon/Logoff"
System audit policy
Category/Subcategory                      Setting
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  Success and Failure
  Account Lockout                         Success and Failure
  IPsec Main Mode                         Success and Failure
  IPsec Quick Mode                        Success and Failure
  IPsec Extended Mode                     Success and Failure
  Special Logon                           Success and Failure
  Other Logon/Logoff Events               Success and Failure
  Network Policy Server                   Success and Failure
  User / Device Claims                    Success and Failure
  Group Membership                        No Auditing

2. Sysmon

提供有關處理序建立、網路連線，以及檔案建立時間變更的詳細資訊。
https://learn.microsoft.com/zh-tw/sysinternals/downloads/sysmon
在CMD以管理者權限執行安裝

Sysmon>Sysmon.exe -accepteula -i sysmonconfig.xml

日誌路徑>Applications and Services Logs > Microsoft > Sysmon > Operational

全局設定

以這個設定檔為範例，來分析一下組態設定
https://github.com/olafhartong/sysmon-modular?tab=readme-ov-file

HashAlgorithms 用MD5,SHA256,IMPHASH 記錄執行的檔案
CopyOnDeletePE 保留已刪除的可執行檔，預設是關閉
ArchiveDirectory 保留已刪除的可執行檔，可自己改名稱，預設是關閉 (C:\DeleteFiles)

<HashAlgorithms>MD5,SHA256,IMPHASH</HashAlgorithms>
<CopyOnDeletePE>True</CopyOnDeletePE>
<ArchiveDirectory>DeleteFiles</ArchiveDirectory>

Event ID 1 Process Creation

以ID1為範立
設定放在RuleGroup及ProcessCreate間，條件為包含

<RuleGroup groupRelation="or">
  <ProcessCreate onmatch="include">
	<OriginalFileName name="technique_id=T1202,technique_name=Indirect Command Execution" condition="is">certutil.exe</OriginalFileName>
	<Rule name="technique_id=T1003,technique_name=Credential Dumping (Likely)" groupRelation="and">
	<OriginalFileName condition="image">rpcping.exe</OriginalFileName>
	<CommandLine condition="contains any">\s;-s</CommandLine>
	<CommandLine condition="contains any">-u;\u;-t;\t</CommandLine>
	<CommandLine condition="contains any">NTLM;ncacn_np</CommandLine>
	</Rule>
  </ProcessCreate>
</RuleGroup>

使用Windows 內件功能certutil，常被駭客利用下載惡意工具

• OriginalFileName 監控檔案名稱
• name 描述(選填)這裡是用對應的 ATT&CK
• technique_name 描述(選填)
• condition 檔案名稱為certutil.exe

<OriginalFileName name="technique_id=T1202,technique_name=Indirect Command Execution" condition="is">certutil.exe</OriginalFileName>

監控到檔案為 rpcping.exe，且命令行中包含 -s、-u、-t 或提及 NTLM 和 ncacn_np 等參數，這些都可能表明存在憑證轉儲行為
rpcping -s 127.0.0.1 -t ncacn_np

<Rule name="technique_id=T1003,technique_name=Credential Dumping (Likely)" groupRelation="and">
  <OriginalFileName condition="image">rpcping.exe</OriginalFileName>
  <CommandLine condition="contains any">\s;-s</CommandLine>
  <CommandLine condition="contains any">-u;\u;-t;\t</CommandLine>
  <CommandLine condition="contains any">NTLM;ncacn_np</CommandLine>
</Rule>

REF

安裝Sysmon隨時監視　系統稽核記錄不漏失
https://www.netadmin.com.tw/netadmin/zh-tw/technology/111D82A739524049A739DE9B518574AD

sysmon-modular | A Sysmon configuration repository for everybody to customise
https://github.com/olafhartong/sysmon-modular?tab=readme-ov-file

A Guide to Sysmon-View
https://medium.com/@Mr.Aur0ra/a-guide-to-sysmon-view-9c2e2c373397

Sysmon Tools
https://github.com/nshalabi/SysmonTools?tab=readme-ov-file

Living Off The Land Binaries and Scripts (and now also Libraries)
https://github.com/yeyintminthuhtut/LOLBAS-1/blob/master/Archive-Old-Version/OSBinaries/Rpcping.exe.md

Windows: Capture Credentials with Rpcping.exe
https://help.fortinet.com/fsiem/Public_Resource_Access/7_2_1/rules/PH_RULE_Capture_Credentials_with_Rpcping_exe.htm