<< [[2022-06-12]] | [[2022-06-14]] >>

工具的道与术： 道，是指这个工具内在的哲学，如果你觉得哲学这个词太大了，也可以叫它逻辑。一个工具的优雅之处就体现在「道」上，「道」虽然貌似虚无缥缈，它却是最容易区分同类型工具之间不同之处的东西。 术，就是技术层面，这个工具怎么操作，怎么用起来。

开源EDR-Windows-whids

0x01简介

项目地址

0x02架构图

0x03核心能力

优势

• Open Source
• Relies on Sysmon for all the heavy lifting (kernel component)
• Very powerful but also customizable detection engine
• Built by an Incident Responder for all Incident Responders to make their job easier
• Low footprint (no process injection)
• Can co-exist with any antivirus product (advised to run it along with MS Defender)
• Designed for high throughput. It can easily enrich and analyze 4M events a day per endpoint without performance impact. Good luck to achieve that with a SIEM.
• Easily integrable with other tools (Splunk, ELK, MISP ...)
• Integrated with ATT&CK framework

劣势

• Only works on Windows
• Detection limited to what is available in the Windows event logs channels (already a lot in there)
• No process instrumentation (it is also a strength as it depends on the point of view)
• No GUI yet (will develop one if requested by the community)
• No support for ETW
• Tell me if you notice others ...

0x04对比

0x05Quickstart

require

1. Install Sysmon
2. Configure Sysmon
   • You can find optimized Sysmon configurations here
   • Logging any ProcessCreate and ProcessTerminate is mandatory
3. Take note of the path to your Sysmon binary because you will need it later on

NB: event filtering can be done at 100% with Gene rules so do not bother creating a complicated Sysmon configuration.

Pre-Installation Recommendations

In order to get the most of WHIDS you might want to improve your logging policy.

• Enable Powershell Module Logging
• Audit Service Creation: gpedit.msc -> Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\System\Audit Security System Extension -> Enable
• Enable File System Audit. Sysmon only provides FileCreate events when new files are created, so if you want/need to log other kind of accesses (Read, Write, ...) you need to enable FS Auditing.
  1. gpedit.msc -> Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Object Access\Audit File System -> Enable
  2. Right Click Any Folder -> Properties -> Security -> Advanced -> Auditing -> Add
     1. Select a principal (put here the name of the user/group you want the audit for). Put group Everyone if you want to log access from any user.
     2. Apply this to is used to select the scope of this audit policy starting from the folder you have selected
     3. Basic permissions select the kinds of accesses you want the logs to be generated for
     4. Validate
  3. File System auditing logs will appear in the Security log channel
• If you want an antivirus to run on your endpoints, keep Microsoft Defender, first because it is a good AV but also because it logs alerts in a dedicated log channel Microsoft-Windows-Windows Defender/Operationalmonitored by the EDR.

EDR Endpoint agent (Whids.exe)

This section covers the installation of the agent on the endpoint.

1. Download and extract the latest WHIDS release https://github.com/0xrawsec/whids/releases
2. Run manage.bat as administrator
3. Launch installation by selecting the appropriate option
4. Verify that files have been created at the installation directory
5. Edit configuration file by selecting the appropriate option in manage.bat or using your preferred text editor
6. Skip this if running with a connection to a manager, because rules will be updated automatically. If there is nothing in the rules directory the tool will be useless, so make sure there are some gene rules in there. Some rules are packaged with WHIDS and you will be prompted to choose if you want to install those or not. If you want the last up to date rules, you can get those here (take the compiled ones)
7. Start the services from appropriate option in manage.bat or just reboot (preferred option otherwise some enrichment fields will be incomplete leading to false alerts)
8. If you configured a manager do not forget to run it in order to receive alerts and dumps

NB: At installation time the Sysmon service will be made dependent of WHIDS service so that we are sure the EDR runs before Sysmon starts generating some events.

EDR Manager

The EDR manager can be installed on several platforms, pre-built binaries are provided for Windows, Linux and Darwin.

1. Create TLS certificate if needed for HTTPS connections
2. Create a configuration file (there is a command line argument to generate a basic config)
3. Run the binary

check

进阶

• Endpoint Manager REST API documentation
• How to write rules
• Getting EDR detection rules
• Overview of events enrichment

0x06使用说明

Please visit doc/configuration.md

0x07应用场景

References