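0x01 Environment
Windows Server 2012 with a domain controller already installed and deployed. The goal is to collect not only the Windows server's own logs but also the various logs from the domain controller environment.
0x02 Nxlog configuration and usage
- The Community Edition is sufficient. Download link: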
- https://nxlog.co/downloads/nxlog-ce#nxlog-community-edition
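- The version used is the latest one at the time of writing.
- The installation steps are omitted; just click Next all the way through.
- It ends up installed in the default directory on the C: drive.
- The next step is to prepare the configuration changes.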
0x03 Installing Sysmon
- Installing Sysmon is simple: download a configuration file provided on GitHub so that it collects the logs you want.
- References:
https://cloud.tencent.com/developer/article/1970103
https://github.com/SwiftOnSecurity/sysmon-config
https://github.com/trustedsec/SysmonCommunityGuide
- Configuration files:
https://github.com/Neo23x0/sysmon-config
https://github.com/SwiftOnSecurity/sysmon-config
- Download Sysmon:
https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
- Run the installation:
sysmon.exe -accepteula -i sysmonconfig-export.xml
0x04 Enabling the Windows Server audit policy
- https://learn.microsoft.com/zh-cn/windows/security/threat-protection/auditing/basic-security-audit-policies
- https://forum.butian.net/share/355
0x05 Modifying the Nxlog configuration file
- This setup collects the System, Security, Application, Sysmon and PowerShell logs from the Windows server.
- Configuration file in full:
Panic Soft
#NoFreeOnExit TRUE
define ROOT C:\Program Files\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf\nxlog.d
define LOGDIR %ROOT%\data
include %CONFDIR%\\*.conf
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
<Extension json>
Module xm_json
</Extension>
<Extension _syslog>
Module xm_syslog
</Extension>
<Input internal>
Module im_internal
</Input>
<Extension _charconv>
Module xm_charconv
AutodetectCharsets gbk, iso8859-2, utf-8, utf-16, utf-32
</Extension>
<Extension _exec>
Module xm_exec
</Extension>
<Extension _fileop>
Module xm_fileop
# Check the size of our log file hourly, rotate if larger than 5MB
<Schedule>
Every 1 hour
Exec if (file_exists('%LOGFILE%') and \
(file_size('%LOGFILE%') >= 5M)) \
file_cycle('%LOGFILE%', 8);
</Schedule>
<Schedule>
When @weekly
Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
</Schedule>
</Extension>
<Input eventlog>
Module im_msvistalog
Query <QueryList>\
<Query Id="0">\
<Select Path="Application">*</Select>\
<Select Path="System">*</Select>\
<Select Path="Security">*</Select>\
<Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>\
<Select Path="Microsoft-Windows-PowerShell/Operational">*</Select>\
</Query>\
</QueryList>
Exec if ($EventID == 5156) OR ($EventID == 5158) drop();
</Input>
<Output out>
Module om_udp
Host 192.168.50.20
Port 536
Exec $EventTime = integer($EventTime) / 1000000;
Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000;
Exec $Message = to_json(); to_syslog_bsd();
</Output>
<Route 1>
Path eventlog, internal => out
</Route>
- Configuration files worth referring to:
https://github.com/SMAPPER/NXLog-AutoConfig
https://github.com/Starke427/NXlog
https://github.com/Hacks4Snacks/windows-nxlog
https://github.com/Sep0lkit/Windows-Event-Forwarder
https://github.com/thefaxe/nxlog-config
https://github.com/acochenour/AND-NXLog-Windows-Configuration
https://github.com/smiley2x4/NXLOG-Example-conf
https://github.com/noobzero/siem-and-event-forwarding-configs
https://github.com/sandeep663/windows
- Restart the Nxlog service
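0x06 Confirming log reception on the SIEM platform
- The received logs first have to go through grok to extract the JSON payload; the JSON is then parsed into individual fields, and alerting policies for day-to-day security operations are configured on those fields.
- Grok pattern used:
.+]: %{GREEDYDATA:windows2012_json}
- Raw log: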
<14>Feb 23 21:20:20 SHUNANDC2012.shunanatomic.com Microsoft-Windows-Security-Auditing[512]: {"EventTime":1677158419,"Hostname":"SHUNANDC2012.shunanatomic.com","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4634,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"Task":12545,"OpcodeValue":0,"RecordNumber":516532,"ProcessID":512,"ThreadID":4984,"Channel":"Security","Message":"已注销帐户。\r\n\r\n使用者:\r\n\t安全 ID:\t\tS-1-5-18\r\n\t帐户名:\t\tSHUNANDC2012$\r\n\t帐户域:\t\tSHUNANATOMIC\r\n\t登录 ID:\t\t0xBB2EC6\r\n\r\n登录类型:\t\t\t3\r\n\r\n在登录会话被破坏时生成此事件。可以使用登录 ID 值将它和一个登录事件准确关联起来。在同一台计算机上重新启动的区间中,登录 ID 是唯一的。","Category":"注销","Opcode":"信息","TargetUserSid":"S-1-5-18","TargetUserName":"SHUNANDC2012$","TargetDomainName":"SHUNANATOMIC","TargetLogonId":"0xbb2ec6","LogonType":"3","EventReceivedTime":1677158420,"SourceModuleName":"eventlog","SourceModuleType":"im_msvistalog"}
- Parse the JSON
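The two parsing steps above (grok cut, then JSON field extraction), written out in Python as an added example that is not part of the original post or of any SIEM product. The function name, the `syslog_*` and `parse_error` field names and the sample lines are assumptions made for illustration; it also flags a payload that arrives cut short instead of silently dropping the event.

```python
import json
import re
from datetime import datetime, timezone

# Same cut as the page's grok pattern ".+]: %{GREEDYDATA:windows2012_json}",
# extended to also capture the BSD syslog header written by to_syslog_bsd().
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^\[]+)\[(?P<pid>\d+)\]: (?P<json>.*)$",
    re.DOTALL,
)

def parse_nxlog_syslog(line):
    """Return a flat field dict, or None when the line is not syslog-wrapped JSON."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    pri = int(m.group("pri"))
    event = {"syslog_facility": pri >> 3, "syslog_severity": pri & 7,
             "syslog_host": m.group("host"), "syslog_tag": m.group("tag")}
    try:
        payload = json.loads(m.group("json"))
    except json.JSONDecodeError:
        payload = None
    if not isinstance(payload, dict):
        # Payload cut short or damaged in transit: keep the header, flag the event.
        event["parse_error"] = True
        return event
    event.update(payload)
    # The Output block divides EventTime by 1000000, so it arrives as epoch seconds.
    if isinstance(event.get("EventTime"), int):
        event["EventTimeUTC"] = datetime.fromtimestamp(
            event["EventTime"], tz=timezone.utc).isoformat()
    return event

# Constructed sample: the page's raw log line with most JSON fields left out.
SAMPLE = ('<14>Feb 23 21:20:20 SHUNANDC2012.shunanatomic.com '
          'Microsoft-Windows-Security-Auditing[512]: '
          '{"EventTime":1677158419,"Hostname":"SHUNANDC2012.shunanatomic.com",'
          '"EventID":4634,"Channel":"Security","TargetUserName":"SHUNANDC2012$",'
          '"LogonType":"3"}')
TRUNCATED = SAMPLE[:-40]  # constructed: same line with its tail cut off

if __name__ == "__main__":
    for raw in (SAMPLE, TRUNCATED, "not a syslog line"):
        print(parse_nxlog_syslog(raw))
```

Fields such as LogonType arrive as JSON strings ("3"), so alert rules should compare them as strings or cast them explicitly.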
0x07 Results on the SIEM platform