Source: 鸿鹄实验室
whids is an open-source EDR written in Go. Its official repository is:
https://github.com/0xrawsec/whids
Its advantages, as listed by the project, are:
Open Source
Relies on Sysmon for all the heavy lifting (kernel component)
Very powerful but also customizable detection engine
Built by an Incident Responder for all Incident Responders to make their job easier
Low footprint (no process injection)
Can co-exist with any antivirus product (advised to run it along with MS Defender)
Designed for high throughput. It can easily enrich and analyse 4M events a day per endpoint without performance impact. Good luck to achieve that with a SIEM.
Easily integrable with other tools (Splunk, ELK, MISP ...)
Integrated with ATT&CK framework
The project's architecture diagram was shown here (image not preserved).
Deployment process
First, install Sysmon. The latest version is 13.1, available at:
https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
Install it with the -i switch.
Then import the whids Sysmon configuration from:
https://github.com/0xrawsec/whids/tree/master/tools/sysmon/v13
If needed, you can also enable the following two audit options:
gpedit.msc -> Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\System\Audit Security System Extension -> Enable
and
gpedit.msc -> Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Object Access\Audit File System -> Enable
Then run the agent.
If you need a server, run the server component as well.
A screenshot of the result:
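As an added example (not code from the original post or from the whids project), the following PowerShell script carries out the Sysmon and audit-policy steps above and verifies them before the agent is started. It assumes Sysmon64.exe has been downloaded to C:\Tools and that the configuration file from the repository's tools/sysmon/v13 directory has been saved as C:\Tools\sysmon-whids.xml (placeholder paths). It enables the same two audit subcategories the post sets through gpedit.msc, but uses auditpol so the change is scriptable and checkable; the verification step assumes an English Windows locale because auditpol output is localized.

```powershell
# Added example, not from the original post or the whids project.
# Assumptions: Sysmon64.exe is in C:\Tools and the whids Sysmon config has been
# saved as C:\Tools\sysmon-whids.xml (placeholder paths). Run from an elevated shell.

$SysmonExe  = 'C:\Tools\Sysmon64.exe'
$SysmonConf = 'C:\Tools\sysmon-whids.xml'   # placeholder: config from tools/sysmon/v13
$AuditSubcategories = 'Security System Extension', 'File System'

function Assert-Admin {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this script from an elevated PowerShell session.'
    }
}

function Install-SysmonWithConfig {
    # -i installs the driver and service with the given config; -accepteula skips the prompt.
    # If Sysmon64 is already installed, -c reloads the configuration instead of reinstalling.
    $svc = Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        & $SysmonExe -accepteula -i $SysmonConf
    } else {
        & $SysmonExe -c $SysmonConf
    }
    if ($LASTEXITCODE -ne 0) { throw "Sysmon returned exit code $LASTEXITCODE" }
}

function Enable-AuditSubcategories {
    # Equivalent to the two gpedit.msc settings in the post (System -> Audit Security
    # System Extension, Object Access -> Audit File System), applied via auditpol.
    foreach ($sub in $AuditSubcategories) {
        auditpol /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "auditpol failed for subcategory '$sub'" }
    }
}

function Test-Deployment {
    # Check everything the agent depends on: Sysmon service up, audit policy applied,
    # and at least one Sysmon event already written to the Operational log.
    $ok = $true
    $svc = Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue
    if ($null -eq $svc -or $svc.Status -ne 'Running') {
        Write-Warning 'Sysmon64 service is not running'
        $ok = $false
    }
    foreach ($sub in $AuditSubcategories) {
        # auditpol output is localized; this match assumes an English locale.
        $line = auditpol /get /subcategory:"$sub" | Where-Object { $_ -match [regex]::Escape($sub) }
        if (-not ($line -match 'Success and Failure')) {
            Write-Warning "Audit subcategory '$sub' is not set to Success and Failure"
            $ok = $false
        }
    }
    $recent = Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 1 -ErrorAction SilentlyContinue
    if ($null -eq $recent) {
        Write-Warning 'No Sysmon events found yet'
        $ok = $false
    }
    return $ok
}

Assert-Admin
Install-SysmonWithConfig
Enable-AuditSubcategories
if (Test-Deployment) {
    Write-Host 'Sysmon and audit policy are in place; start the whids agent next.'
}
```

The script is idempotent: rerunning it reloads the configuration with -c rather than reinstalling, and auditpol simply reasserts the two subcategories. Test-Deployment is the part worth keeping around; whids relies entirely on Sysmon for telemetry, so an agent started against a stopped Sysmon service or a missing configuration will look healthy while seeing nothing.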
https://github.com/0xrawsec/whids/blob/master/demo/whids.gif