Всем привет! В Sysmon v14.1 появился новый тип событий с ID 28, но начну немножко издалека. Прошло совсем немного времени, как популярный инструмент для отслеживания и регистрации действий системы, логирования по-простому, обновился до версии 14. В 14 версии произошли существенные изменения в Sysmon - инструмент научили не только логировать, но и блокировать: появилось событие с идентификатором 27 FileBlockExecutable. Это позволило, например, блокировать запуск исполняемых файлов, загруженных MS Office, блокировать запуск файлов с "двойным расширением" .pdf.exe или docx.exe, блокировать запуск загруженных скриптов и многое другое. Пример хорошего конфига для Sysmon можно посмотреть у Ion-storm.

Не все еще успели освоить события ID 27, как 29 сентября появляется Sysmon версии 14.1. В данной версии возможности по блокированию процессов расширили еще больше. Появилось событие с идентификатором 28: FileBlockShredding. Как кратко гласит описание, это событие создается, когда Sysmon обнаруживает и блокирует измельчение файлов такими средствами, как SDelete. Решил проверить, сможет ли мне пригодиться данная возможность, например, для защиты какого-нибудь произвольного .evtx файла от "безопасного удаления", а если точнее, то от удаления без возможности восстановления. За инструментом удаления далеко ходить не стал и скачал SDelete. Конфиг для Sysmon взял опять же от Ion-storm (построен на матрице MITRE ATT&CK, адаптирован к SIEM, регулярно обновляется, автор принимает предложения и замечания). Ниже фрагмент конфига по ID 28.

<!--SYSMON EVENT ID 28 : FILE BLOCK SHREDDING [FileBlockShredding]-->
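	<!-- Include group: a shred attempt matching any rule below is blocked and logged as Event ID 28,
	     unless a rule in the companion Exclude group also matches (Sysmon gives exclude precedence). -->
	<RuleGroup name="RG=FileBlockShredding Include Group" groupRelation="or">
		<FileBlockShredding onmatch="include">
			<!-- User profiles, except shredding done by Store apps or images living under AppData -->
			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Data Destruction Detected in C:\Users,Author=@ionstorm" groupRelation="and">
				<TargetFilename condition="begin with">C:\Users</TargetFilename>
				<Image condition="excludes any">C:\Program Files\WindowsApps\;AppData</Image>
			</Rule>
			<!-- Unsure how this runs with Enterprise Software Like Exchange, Uncomment and provide feedback of any issues/things to whitelist
			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Data Destruction Detected in ProgramFiles,Author=@ionstorm" groupRelation="and">
				<TargetFilename condition="begin with">C:\Program Files</TargetFilename>
			</Rule>
			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Data Destruction Detected in ProgramData,Author=@ionstorm" groupRelation="and">
				<TargetFilename condition="begin with">C:\ProgramData</TargetFilename>
			</Rule>
			-->
			<!-- Forensically relevant system artifacts: MFT, event logs, registry hives, pagefile -->
			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Data Destruction Detected in $mft,Author=@ionstorm" groupRelation="and">
				<TargetFilename condition="begin with">C:\$mft</TargetFilename>
			</Rule>
			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Data Destruction Detected in Windows Event Logs,Author=@ionstorm" groupRelation="and">
				<TargetFilename condition="begin with">C:\Windows\System32\winevt\Logs</TargetFilename>
			</Rule>
			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Data Destruction Detected in ntuser.dat artifacts,Author=@ionstorm" groupRelation="and">
				<TargetFilename condition="end with">ntuser.dat</TargetFilename>
			</Rule>
			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Data Destruction Detected in Pagefile,Author=@ionstorm" groupRelation="and">
				<TargetFilename condition="end with">Pagefile.sys</TargetFilename>
			</Rule>
			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Data Destruction Detected in System Profile and registry backups,Author=@ionstorm" groupRelation="and">
				<TargetFilename condition="begin with">C:\Windows\System32\config</TargetFilename>
				<Image condition="excludes">C:\WINDOWS\system32\consent.exe</Image>
			</Rule>
			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Data Destruction Detected in Database Files,Author=@ionstorm" groupRelation="and">
				<TargetFilename condition="end with">.db</TargetFilename>
			</Rule>
			<!-- Key material and certificate containers (each extension listed once) -->
			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Data Destruction Detected in encryption/certificate files,Author=@ionstorm" groupRelation="or">
				<TargetFilename condition="end with">.asc</TargetFilename>
				<TargetFilename condition="end with">.ca-bundle</TargetFilename>
				<TargetFilename condition="end with">.cer</TargetFilename>
				<TargetFilename condition="end with">.crl</TargetFilename>
				<TargetFilename condition="end with">.crt</TargetFilename>
				<TargetFilename condition="end with">.csr</TargetFilename>
				<TargetFilename condition="end with">.der</TargetFilename>
				<TargetFilename condition="end with">.gpg</TargetFilename>
				<TargetFilename condition="end with">.key</TargetFilename>
				<TargetFilename condition="end with">.p7b</TargetFilename>
				<TargetFilename condition="end with">.p7r</TargetFilename>
				<TargetFilename condition="end with">.p7s</TargetFilename>
				<TargetFilename condition="end with">.p12</TargetFilename>
				<TargetFilename condition="end with">.pem</TargetFilename>
				<TargetFilename condition="end with">.pfx</TargetFilename>
				<TargetFilename condition="end with">.pgp</TargetFilename>
				<TargetFilename condition="end with">.ppk</TargetFilename>
				<TargetFilename condition="end with">.sst</TargetFilename>
				<TargetFilename condition="end with">.sto</TargetFilename>
			</Rule>
			<!-- AND: any .log file, except those under the SRU directory -->
			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Data Destruction Detected in Log files,Author=@ionstorm" groupRelation="and">
				<TargetFilename condition="end with">.log</TargetFilename>
				<TargetFilename condition="excludes">C:\Windows\System32\sru\</TargetFilename>
			</Rule>
			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Data Destruction Detected in Log files 2,Author=@ionstorm" groupRelation="and">
				<TargetFilename condition="end with">ConsoleHost_history.txt</TargetFilename>
			</Rule>
			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Data Destruction Detected in evtx files,Author=@ionstorm" groupRelation="and">
				<TargetFilename condition="end with">.evtx</TargetFilename>
			</Rule>
			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Data Destruction Detected in Recyclebin,Author=@ionstorm" groupRelation="and">
				<TargetFilename condition="contains">$Recycle</TargetFilename>
			</Rule>
			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Executable Data Destruction Detected,Author=@ionstorm" groupRelation="and">
				<TargetFilename condition="end with">.exe</TargetFilename>
			</Rule>
			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=DLL Data Destruction Detected,Author=@ionstorm" groupRelation="and">
				<TargetFilename condition="end with">.dll</TargetFilename>
			</Rule>
			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Office File Data Destruction Detected,Author=@ionstorm" groupRelation="or">
				<TargetFilename condition="contains">\Content.Outlook\</TargetFilename>
				<TargetFilename condition="contains">\Microsoft\Office\Recent</TargetFilename>
				<TargetFilename condition="contains">\Microsoft\Templates\</TargetFilename>
				<TargetFilename condition="contains">\Recent\CustomDestinations\</TargetFilename>
				<TargetFilename condition="contains">oleObject</TargetFilename>
				<TargetFilename condition="end with">.accdb</TargetFilename>
				<TargetFilename condition="end with">.accde</TargetFilename>
				<TargetFilename condition="end with">.accdr</TargetFilename>
				<TargetFilename condition="end with">.accdt</TargetFilename>
				<TargetFilename condition="end with">.doc</TargetFilename>
				<TargetFilename condition="end with">.docb</TargetFilename>
				<TargetFilename condition="end with">.docm</TargetFilename>
				<TargetFilename condition="end with">.docx</TargetFilename>
				<TargetFilename condition="end with">.dot</TargetFilename>
				<TargetFilename condition="end with">.dotx</TargetFilename>
				<TargetFilename condition="end with">.eml</TargetFilename>
				<TargetFilename condition="end with">.mdb</TargetFilename>
				<TargetFilename condition="end with">.mde</TargetFilename>
				<TargetFilename condition="end with">.msc</TargetFilename>
				<TargetFilename condition="end with">.msg</TargetFilename>
				<TargetFilename condition="end with">.mst</TargetFilename>
				<TargetFilename condition="end with">.ped</TargetFilename>
				<TargetFilename condition="end with">.potm</TargetFilename>
				<TargetFilename condition="end with">.potx</TargetFilename>
				<TargetFilename condition="end with">.ppam</TargetFilename>
				<TargetFilename condition="end with">.ppsm</TargetFilename>
				<TargetFilename condition="end with">.ppsx</TargetFilename>
				<TargetFilename condition="end with">.ppt</TargetFilename>
				<TargetFilename condition="end with">.pptm</TargetFilename>
				<TargetFilename condition="end with">.pptx</TargetFilename>
				<TargetFilename condition="end with">.pub</TargetFilename>
				<TargetFilename condition="end with">.sldm</TargetFilename>
				<TargetFilename condition="end with">.sldx</TargetFilename>
				<TargetFilename condition="end with">.wbk</TargetFilename>
				<TargetFilename condition="end with">.xla</TargetFilename>
				<TargetFilename condition="end with">.xlam</TargetFilename>
				<TargetFilename condition="end with">.xll</TargetFilename>
				<TargetFilename condition="end with">.xls</TargetFilename>
				<TargetFilename condition="end with">.xlsb</TargetFilename>
				<TargetFilename condition="end with">.xlsm</TargetFilename>
				<TargetFilename condition="end with">.xlsx</TargetFilename>
				<TargetFilename condition="end with">.xlt</TargetFilename>
				<TargetFilename condition="end with">.xltm</TargetFilename>
				<TargetFilename condition="end with">.xlw</TargetFilename>
				<TargetFilename condition="end with">.xps</TargetFilename>
			</Rule>
			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=PDF File Data Destruction Detected,Author=@ionstorm" groupRelation="or">
				<TargetFilename condition="end with">.pdf</TargetFilename>
			</Rule>
			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Common Archive File Data Destruction Detected,Author=@ionstorm" groupRelation="or">
				<TargetFilename condition="end with">.zip</TargetFilename>
				<TargetFilename condition="end with">.rar</TargetFilename>
				<TargetFilename condition="end with">.tar</TargetFilename>
				<TargetFilename condition="end with">.tgz</TargetFilename>
				<TargetFilename condition="end with">.ace</TargetFilename>
				<TargetFilename condition="end with">.7z</TargetFilename>
			</Rule>
			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Common Script File Data Destruction Detected,Author=@ionstorm" groupRelation="or">
				<TargetFilename condition="end with">.cdxml</TargetFilename>
				<TargetFilename condition="end with">.ps1</TargetFilename>
				<TargetFilename condition="end with">.ps1xml</TargetFilename>
				<TargetFilename condition="end with">.psc1</TargetFilename>
				<TargetFilename condition="end with">.psd1</TargetFilename>
				<TargetFilename condition="end with">.psm1</TargetFilename>
				<TargetFilename condition="end with">.pssc</TargetFilename>
				<TargetFilename condition="end with">.bat</TargetFilename>
				<TargetFilename condition="end with">.com</TargetFilename>
				<TargetFilename condition="end with">.hta</TargetFilename>
				<TargetFilename condition="end with">.vbs</TargetFilename>
			</Rule>
			<!-- Disk images, backups and forensic containers (each extension listed once) -->
			<Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=File: File Modification,Level=4,Risk=100,Alert=Virtual Disk Image File Data Destruction Detected,Author=@ionstorm" groupRelation="or">
				<TargetFilename condition="end with">.D01</TargetFilename>
				<TargetFilename condition="end with">.D02</TargetFilename>
				<TargetFilename condition="end with">.DD</TargetFilename>
				<TargetFilename condition="end with">.DISK</TargetFilename>
				<TargetFilename condition="end with">.E01</TargetFilename>
				<TargetFilename condition="end with">.EX01</TargetFilename>
				<TargetFilename condition="end with">.HC</TargetFilename>
				<TargetFilename condition="end with">.HDD</TargetFilename>
				<TargetFilename condition="end with">.HDS</TargetFilename>
				<TargetFilename condition="end with">.IMAGE</TargetFilename>
				<TargetFilename condition="end with">.IMD</TargetFilename>
				<TargetFilename condition="end with">.IMG</TargetFilename>
				<TargetFilename condition="end with">.ISO</TargetFilename>
				<TargetFilename condition="end with">.L01</TargetFilename>
				<TargetFilename condition="end with">.LZ01</TargetFilename>
				<TargetFilename condition="end with">.PARTIMG</TargetFilename>
				<TargetFilename condition="end with">.PGD</TargetFilename>
				<TargetFilename condition="end with">.SPARSEIMAGE</TargetFilename>
				<TargetFilename condition="end with">.TIB</TargetFilename>
				<TargetFilename condition="end with">.VBK</TargetFilename>
				<TargetFilename condition="end with">.VBM</TargetFilename>
				<TargetFilename condition="end with">.VIB</TargetFilename>
				<TargetFilename condition="end with">.WIM</TargetFilename>
				<TargetFilename condition="end with">.WMT</TargetFilename>
				<TargetFilename condition="end with">.XVA</TargetFilename>
				<TargetFilename condition="end with">.avhd</TargetFilename>
				<TargetFilename condition="end with">.dsk</TargetFilename>
				<TargetFilename condition="end with">.dvd</TargetFilename>
				<TargetFilename condition="end with">.mdf</TargetFilename>
				<TargetFilename condition="end with">.vdi</TargetFilename>
				<TargetFilename condition="end with">.vhd</TargetFilename>
				<TargetFilename condition="end with">.vhdx</TargetFilename>
				<TargetFilename condition="end with">.vmdk</TargetFilename>
				<TargetFilename condition="end with">.vmwarevm</TargetFilename>
			</Rule>
		</FileBlockShredding>
	</RuleGroup>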
	<!-- Exclude group: a shred matching any rule here is NOT blocked or logged, even if an Include rule
	     also matches. Every entry below therefore widens the blind spot; keep it as narrow as possible. -->
	<RuleGroup name="RG=FileBlockShredding Exclude Group" groupRelation="or">
		<FileBlockShredding onmatch="exclude">
			<Rule name="safe images - be careful" groupRelation="or">
				<!-- NOTE(review): this prefix exempts every image under C:\WINDOWS\, including subfolders that are
				     commonly writable by non-admin users (e.g. Temp). Consider narrowing it to the specific
				     system binaries observed overwriting files, so a shredder copied into such a folder is still caught. -->
				<Image condition="begin with">C:\WINDOWS\</Image>
				<Image condition="begin with">C:\Program Files\WindowsApps\</Image>
				<!-- "image" matches on the full path or the image file name alone -->
				<Image condition="image">C:\PROGRA~2\Citrix\ICACLI~1\WFICA32.EXE</Image>
				<!-- "contains all": every ';'-separated fragment must appear in the image path -->
				<Image condition="contains all">C:\Program Files;\Microsoft\EdgeWebView\Application\;\msedgewebview2.exe</Image>
				<Image condition="contains all">C:\Program Files;\Citrix\;\WFICA32.EXE</Image>
				<Image condition="contains all">C:\Program Files\Google\Drive File Stream\;\GoogleDriveFS.exe</Image>
				<Image condition="contains all">C:\Program Files (x86)\Microsoft\EdgeWebView\Application\;msedgewebview2.exe</Image>
			</Rule>
			<Rule name="safe paths - be careful" groupRelation="or">
				<!-- NOTE(review): appears to be a placeholder path carried over from the upstream config; replace with a
				     real sanctioned shred location or remove, otherwise it is a no-op that may mislead reviewers -->
				<TargetFilename condition="contains any">C:\Safe-shred-location</TargetFilename>
				<TargetFilename condition="contains any">C:\$WINDOWS.~BT\NewOS\</TargetFilename>
				<!-- DirectX shader cache under any user's AppData -->
				<TargetFilename condition="contains all">:\Users\;\AppData\;\D3DSCache</TargetFilename>
				<TargetFilename condition="end with">.lock</TargetFilename>
			</Rule>
			<!-- AV engines overwrite quarantined/remediated files; matched on image prefix only, so keep these paths exact -->
			<Rule name="Antivirus Exclusions" groupRelation="or"> 
				<Image condition="begin with">C:\Program Files (x86)\Kaspersky Lab</Image> 
				<Image condition="begin with">C:\Program Files\Kaspersky Lab</Image>
				<Image condition="begin with">C:\Program Files (x86)\ESET</Image>
				<Image condition="begin with">C:\Program Files\ESET</Image>
				<Image condition="begin with">C:\ProgramData\Microsoft\Windows Defender\</Image>
			</Rule>
			<!-- NOTE(review): every condition in this rule is commented out, leaving an empty <Rule>; confirm the
			     Sysmon schema accepts it, or drop the wrapper until account-based exclusions are actually wanted.
			     Account-name exclusions would exempt all activity by that account, so keep them disabled unless needed. -->
			<Rule name="safe users - be careful" groupRelation="or">
				<!--<User condition="is">NT AUTHORITY\TrustedInstaller</User>
				<User condition="is">SYSTEM</User>
				<User condition="is">NT AUTHORITY\SYSTEM</User>
				<User condition="is">TrustedInstaller</User>
				<User condition="is">NT AUTHORITY\TrustedInstaller</User>
				<User condition="is">NT AUTHORITY\NETWORK SERVICE</User>
				<User condition="end with">ERVICE RÉSEAU</User>
				<User condition="end with">NETZWERKDIENST</User>
				<User condition="is">NT AUTHORITY\LOCAL SERVICE</User>
				<User condition="end with">SERVICE LOCAL</User>
				<User condition="end with">LOKALER DIENST</User>
				<User condition="end with">СИСТЕМА</User>
				<User condition="is">NT-AUTORITÄT\SYSTEM</User>
				<User condition="is">AUTORITE NT\SYSTEM</User>-->
			</Rule>
		</FileBlockShredding>		
	</RuleGroup>

Как можно убедиться, автор конфига проделал большую и скрупулезную работу над событиями ID 28, проработал и типы файлов, и исключения. Итак, пробуем безвозвратно удалить файл sysmon.evtx.

Удаление не произошло, появилась ошибка.

Смотрим, что на это нам скажет Sysmon.

Как мы видим, Sysmon заблокировал возможность скормить наш тестовый файл шредеру и создал соответствующее уведомление. Чего я, собственно, от него и хотел.

Да, есть много дорогих и классных продуктов, которые могут "Быстрее! Выше! Сильнее!", но Sysmon доступен всем.