A Network connection event filtering configuration that excludes executables under specific paths.
<Sysmon schemaversion="4.90">
  <!-- Capture all hashes -->
  <HashAlgorithms>*</HashAlgorithms>
  <EventFiltering>
    <FileDelete onmatch="include"/>
    <ClipboardChange onmatch="include"/>
    <ProcessCreate onmatch="exclude"/>
    <ProcessTerminate onmatch="include"/>
    <ProcessTampering onmatch="exclude"/>
    <ProcessAccess onmatch="exclude"/>
    <FileCreateTime onmatch="exclude"/>
    <FileCreate onmatch="exclude"/>
    <FileCreateStreamHash onmatch="exclude"/>
    <NetworkConnect onmatch="exclude">
      <Image condition="begin with">C:\Splunk</Image>
      <Image condition="begin with">D:\ELK</Image>
    </NetworkConnect>
    <DriverLoad onmatch="exclude"/>
    <ImageLoad onmatch="exclude"/>
    <CreateRemoteThread onmatch="exclude"/>
    <RawAccessRead onmatch="exclude"/>
    <RegistryEvent onmatch="exclude"/>
    <PipeEvent onmatch="exclude"/>
    <WmiEvent onmatch="exclude"/>
    <DnsQuery onmatch="exclude"/>
  </EventFiltering>
</Sysmon>

Sysmon reports these rules as combined with 'And', which is confusing, but when the filters share the same condition field name the effective behaviour is Or.
PS C:\Users\Administrator\Downloads\Sysmon> .\Sysmon64.exe -c

System Monitor v15.15 - System activity monitor
By Mark Russinovich and Thomas Garnier
Copyright (C) 2014-2024 Microsoft Corporation
Using libxml2. libxml2 is Copyright (C) 1998-2012 Daniel Veillard. All Rights Reserved.
Sysinternals - www.sysinternals.com

Current configuration:
 - Service name:         Sysmon64
 - Driver name:          SysmonDrv
 - Config file:          .\sysmon.xml
 - Config hash:          SHA256=637818313215997ADA80024CFBD275970441BAF61C746509AF7B347DB65EBFCB
 - HashingAlgorithms:    SHA1,MD5,SHA256,IMPHASH
 - Network connection:   enabled
 - Archive Directory:    -
 - Image loading:        enabled
 - CRL checking:         enabled
 - DNS lookup:           enabled
Rule configuration (version 4.90):
 - ProcessCreate          onmatch: exclude   combine rules using 'And'
 - FileCreateTime         onmatch: exclude   combine rules using 'And'
 - NetworkConnect         onmatch: exclude   combine rules using 'And'
     Image                filter: begin with   value: 'C:\Splunk'
     Image                filter: begin with   value: 'D:\ELK'
 - ProcessTerminate       onmatch: include   combine rules using 'And'
 - DriverLoad             onmatch: exclude   combine rules using 'And'
 - ImageLoad              onmatch: exclude   combine rules using 'And'
 - CreateRemoteThread     onmatch: exclude   combine rules using 'And'
 - RawAccessRead          onmatch: exclude   combine rules using 'And'
 - ProcessAccess          onmatch: exclude   combine rules using 'And'
 - FileCreate             onmatch: exclude   combine rules using 'And'
 - RegistryEvent          onmatch: exclude   combine rules using 'And'
 - FileCreateStreamHash   onmatch: exclude   combine rules using 'And'
 - PipeEvent              onmatch: exclude   combine rules using 'And'
 - WmiEvent               onmatch: exclude   combine rules using 'And'
 - DnsQuery               onmatch: exclude   combine rules using 'And'
 - FileDelete             onmatch: include   combine rules using 'And'
 - ClipboardChange        onmatch: include   combine rules using 'And'
 - ProcessTampering       onmatch: exclude   combine rules using 'And'

The And combination only takes effect when the condition fields differ.
<NetworkConnect onmatch="exclude">
  <Image condition="begin with">C:\Splunk</Image>
  <DestinationIp condition="is">127.0.0.1</DestinationIp>
</NetworkConnect>

 - NetworkConnect         onmatch: exclude   combine rules using 'And'
     Image                filter: begin with   value: 'C:\Splunk'
     DestinationIp        filter: is           value: '127.0.0.1'

What if you need Or behaviour across different condition fields?
Wrap the block in a RuleGroup and state the combination behaviour explicitly with groupRelation.
<RuleGroup name="NetworkConnect group" groupRelation="or">
  <NetworkConnect onmatch="exclude">
    <Image condition="begin with">C:\Splunk</Image>
    <DestinationIp condition="is">127.0.0.1</DestinationIp>
  </NetworkConnect>
</RuleGroup>

 - NetworkConnect         onmatch: exclude   combine rules using 'Or'
     Image                filter: begin with   value: 'C:\Splunk'
     DestinationIp        filter: is           value: '127.0.0.1'
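As an added example (not Sysmon's code and not part of the original post), the Python model below parses a config fragment and applies the three combination rules shown above: same-field filters are Or'd, different fields are And'd in a bare block, and a RuleGroup's groupRelation overrides that. It is a simplification that supports only the listed condition keywords and assumes Sysmon's documented exclude-wins ordering; net_config, would_log and the sample events are constructed here.

```python
import xml.etree.ElementTree as ET

# Sysmon condition keywords used on this page plus a few common ones; compared case-insensitively.
def _cond(op, actual, expected):
    a, e = actual.lower(), expected.lower()
    return {"is": a == e, "is not": a != e, "begin with": a.startswith(e),
            "end with": a.endswith(e), "contains": e in a}[op]

def _block_matches(block, relation, event):
    """Evaluate one event-type block (e.g. <NetworkConnect>) against an event dict."""
    by_field = {}
    for flt in block:
        by_field.setdefault(flt.tag, []).append(flt)
    if not by_field:  # empty block: nothing can match
        return False
    # Same-field filters are OR'd whatever the group relation: a field has one
    # value, so two <Image> filters can only mean "either of these".
    per_field = [any(_cond(f.get("condition", "is"), event.get(field, ""),
                           (f.text or "").strip()) for f in flts)
                 for field, flts in by_field.items()]
    # Different fields combine with the group relation: And unless a RuleGroup says Or.
    return all(per_field) if relation == "and" else any(per_field)

def would_log(config_xml, event_type, event):
    """True if Sysmon, as modelled here, would record `event` of `event_type`."""
    excluded, include_blocks, included = False, 0, False
    for child in ET.fromstring(config_xml).find("EventFiltering"):
        if child.tag == "RuleGroup":
            relation, blocks = child.get("groupRelation", "or"), list(child)
        else:  # bare block: the -c output above reports 'And' for these
            relation, blocks = "and", [child]
        for blk in blocks:
            if blk.tag != event_type:
                continue
            hit = _block_matches(blk, relation, event)
            if blk.get("onmatch") == "exclude":
                excluded = excluded or hit
            else:
                include_blocks, included = include_blocks + 1, included or hit
    # Assumption: exclude wins; with no include block, everything not excluded is logged.
    return not excluded and (include_blocks == 0 or included)

def net_config(filters, group_relation=None):
    """Constructed config: one NetworkConnect exclude block, optionally inside a RuleGroup."""
    body = "".join(f'<{f} condition="{c}">{v}</{f}>' for f, c, v in filters)
    block = f'<NetworkConnect onmatch="exclude">{body}</NetworkConnect>'
    if group_relation:
        block = f'<RuleGroup name="NetworkConnect group" groupRelation="{group_relation}">{block}</RuleGroup>'
    return f'<Sysmon schemaversion="4.90"><EventFiltering>{block}</EventFiltering></Sysmon>'
```

Feeding the mixed Image/DestinationIp block a splunkd connection to 10.0.0.5 shows the difference directly: the bare block still logs it (And), while the same block inside a groupRelation="or" RuleGroup drops it.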
