{"id":439,"date":"2020-09-29T16:52:53","date_gmt":"2020-09-29T08:52:53","guid":{"rendered":"http:\/\/weizn.net\/?p=439"},"modified":"2021-12-15T17:24:38","modified_gmt":"2021-12-15T09:24:38","slug":"%e9%80%9a%e8%bf%87sysmon%e6%97%a5%e5%bf%97%e6%a3%80%e6%b5%8bcobalt-strike%e6%9c%a8%e9%a9%ac","status":"publish","type":"post","link":"http:\/\/weizn.net\/?p=439","title":{"rendered":"\u901a\u8fc7Sysmon\u65e5\u5fd7\u68c0\u6d4bCobalt Strike\u6728\u9a6c"},"content":{"rendered":"<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_17 counter-hierarchy\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title\">\u76ee\u5f55<\/p>\n<span class=\"ez-toc-title-toggle\"><a class=\"ez-toc-pull-right ez-toc-btn ez-toc-btn-xs ez-toc-btn-default ez-toc-toggle\" style=\"display: none;\"><i class=\"ez-toc-glyphicon ez-toc-icon-toggle\"><\/i><\/a><\/span><\/div>\n<nav><ul class=\"ez-toc-list ez-toc-list-level-1\"><li class=\"ez-toc-page-1 ez-toc-heading-level-2\"><a class=\"ez-toc-link ez-toc-heading-1\" href=\"http:\/\/weizn.net\/?p=439\/#%E4%B8%80%E3%80%81%E5%85%B3%E4%BA%8E%E5%BC%BA%E7%89%B9%E5%BE%81\" title=\"\u4e00\u3001\u5173\u4e8e\u5f3a\u7279\u5f81\">\u4e00\u3001\u5173\u4e8e\u5f3a\u7279\u5f81<\/a><ul class=\"ez-toc-list-level-3\"><li class=\"ez-toc-heading-level-3\"><a class=\"ez-toc-link ez-toc-heading-2\" href=\"http:\/\/weizn.net\/?p=439\/#1%E3%80%81%E8%BD%AC%E5%82%A8HASH\" title=\"1\u3001\u8f6c\u50a8HASH\">1\u3001\u8f6c\u50a8HASH<\/a><\/li><li class=\"ez-toc-page-1 ez-toc-heading-level-3\"><a class=\"ez-toc-link ez-toc-heading-3\" href=\"http:\/\/weizn.net\/?p=439\/#2%E3%80%81%E9%BB%98%E8%AE%A4%E5%91%BD%E5%90%8D%E7%AE%A1%E9%81%93\" title=\"2\u3001\u9ed8\u8ba4\u547d\u540d\u7ba1\u9053\">2\u3001\u9ed8\u8ba4\u547d\u540d\u7ba1\u9053<\/a><\/li><li class=\"ez-toc-page-1 ez-toc-heading-level-3\"><a class=\"ez-toc-link ez-toc-heading-4\" href=\"http:\/\/weizn.net\/?p=439\/#3%E3%80%81spawnto%E4%B8%AD%E9%97%B4%E8%BF%9B%E7%A8%8B\" 
title=\"3\u3001spawnto\u4e2d\u95f4\u8fdb\u7a0b\">3\u3001spawnto\u4e2d\u95f4\u8fdb\u7a0b<\/a><\/li><\/ul><\/li><li class=\"ez-toc-page-1 ez-toc-heading-level-2\"><a class=\"ez-toc-link ez-toc-heading-5\" href=\"http:\/\/weizn.net\/?p=439\/#%E4%BA%8C%E3%80%81%E5%85%B3%E4%BA%8E%E5%BC%B1%E7%89%B9%E5%BE%81\" title=\"\u4e8c\u3001\u5173\u4e8e\u5f31\u7279\u5f81\">\u4e8c\u3001\u5173\u4e8e\u5f31\u7279\u5f81<\/a><ul class=\"ez-toc-list-level-3\"><li class=\"ez-toc-heading-level-3\"><a class=\"ez-toc-link ez-toc-heading-6\" href=\"http:\/\/weizn.net\/?p=439\/#1%E3%80%81%E5%88%86%E6%9E%90shell%E6%89%A7%E8%A1%8C%E6%97%B6%E7%9A%84%E5%BC%B1%E7%89%B9%E5%BE%81%EF%BC%9A\" title=\"1\u3001\u5206\u6790shell\u6267\u884c\u65f6\u7684\u5f31\u7279\u5f81\uff1a\">1\u3001\u5206\u6790shell\u6267\u884c\u65f6\u7684\u5f31\u7279\u5f81\uff1a<\/a><ul class=\"ez-toc-list-level-4\"><li class=\"ez-toc-heading-level-4\"><a class=\"ez-toc-link ez-toc-heading-7\" href=\"http:\/\/weizn.net\/?p=439\/#1%EF%BC%89%E8%BF%90%E8%A1%8C%E6%97%B6%E7%9A%84%E5%BF%83%E8%B7%B3%E8%BF%9E%E6%8E%A5%EF%BC%9A\" title=\"1\uff09\u8fd0\u884c\u65f6\u7684\u5fc3\u8df3\u8fde\u63a5\uff1a\">1\uff09\u8fd0\u884c\u65f6\u7684\u5fc3\u8df3\u8fde\u63a5\uff1a<\/a><\/li><li class=\"ez-toc-page-1 ez-toc-heading-level-4\"><a class=\"ez-toc-link ez-toc-heading-8\" href=\"http:\/\/weizn.net\/?p=439\/#2%EF%BC%89%E6%89%A7%E8%A1%8Cshell%E7%9A%84%E5%91%BD%E4%BB%A4%E8%A1%8C%E6%A0%BC%E5%BC%8F%EF%BC%9A\" title=\"2\uff09\u6267\u884cshell\u7684\u547d\u4ee4\u884c\u683c\u5f0f\uff1a\">2\uff09\u6267\u884cshell\u7684\u547d\u4ee4\u884c\u683c\u5f0f\uff1a<\/a><\/li><li class=\"ez-toc-page-1 ez-toc-heading-level-4\"><a class=\"ez-toc-link ez-toc-heading-9\" href=\"http:\/\/weizn.net\/?p=439\/#3%EF%BC%89%E6%89%A7%E8%A1%8C%E5%90%8E%E6%B8%97%E9%80%8F%E9%98%B6%E6%AE%B5%E5%B8%B8%E7%94%A8%E7%9A%84%E5%91%BD%E4%BB%A4%EF%BC%9A\" 
title=\"3\uff09\u6267\u884c\u540e\u6e17\u900f\u9636\u6bb5\u5e38\u7528\u7684\u547d\u4ee4\uff1a\">3\uff09\u6267\u884c\u540e\u6e17\u900f\u9636\u6bb5\u5e38\u7528\u7684\u547d\u4ee4\uff1a<\/a><\/li><\/ul><\/li><li class=\"ez-toc-page-1 ez-toc-heading-level-3\"><a class=\"ez-toc-link ez-toc-heading-10\" href=\"http:\/\/weizn.net\/?p=439\/#2%E3%80%81%E6%A3%80%E6%B5%8Bshell%E6%89%A7%E8%A1%8C%E8%A1%8C%E4%B8%BA\" title=\"2\u3001\u68c0\u6d4bshell\u6267\u884c\u884c\u4e3a\">2\u3001\u68c0\u6d4bshell\u6267\u884c\u884c\u4e3a<\/a><ul class=\"ez-toc-list-level-4\"><li class=\"ez-toc-heading-level-4\"><a class=\"ez-toc-link ez-toc-heading-11\" href=\"http:\/\/weizn.net\/?p=439\/#1%EF%BC%89%E9%A6%96%E5%85%88%E5%9C%A8%E5%85%A8%E7%BD%91Sysmon%E7%BD%91%E7%BB%9C%E8%BF%9E%E6%8E%A5%E6%97%A5%E5%BF%97%E4%B8%AD%EF%BC%8C%E9%80%9A%E8%BF%87CEP%E8%A7%84%E5%88%99%E7%AD%9B%E9%80%89%E5%87%BA%E6%89%80%E6%9C%89%E5%AD%98%E5%9C%A8TCP%E5%BF%83%E8%B7%B3%E8%BF%9E%E6%8E%A5%E7%9A%84%E8%BF%9B%E7%A8%8B%EF%BC%9A\" title=\"1\uff09\u9996\u5148\u5728\u5168\u7f51Sysmon\u7f51\u7edc\u8fde\u63a5\u65e5\u5fd7\u4e2d\uff0c\u901a\u8fc7CEP\u89c4\u5219\u7b5b\u9009\u51fa\u6240\u6709\u5b58\u5728TCP\u5fc3\u8df3\u8fde\u63a5\u7684\u8fdb\u7a0b\uff1a\">1\uff09\u9996\u5148\u5728\u5168\u7f51Sysmon\u7f51\u7edc\u8fde\u63a5\u65e5\u5fd7\u4e2d\uff0c\u901a\u8fc7CEP\u89c4\u5219\u7b5b\u9009\u51fa\u6240\u6709\u5b58\u5728TCP\u5fc3\u8df3\u8fde\u63a5\u7684\u8fdb\u7a0b\uff1a<\/a><\/li><li class=\"ez-toc-page-1 ez-toc-heading-level-4\"><a class=\"ez-toc-link ez-toc-heading-12\" href=\"http:\/\/weizn.net\/?p=439\/#2%EF%BC%89%E9%80%9A%E8%BF%87%E7%BC%96%E5%86%99Sigma%E8%A7%84%E5%88%99%EF%BC%8C%E5%9C%A8Sysmon%E8%BF%9B%E7%A8%8B%E5%90%AF%E5%8A%A8%E6%97%A5%E5%BF%97%E4%B8%AD%EF%BC%8C%E6%A3%80%E6%9F%A5%E5%87%BA%E7%B1%BB%E4%BC%BCCS%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E7%9A%84%E8%A1%8C%E4%B8%BA%EF%BC%8C%E5%92%8C%E5%90%8E%E6%B8%97%E9%80%8F%E9%98%B6%E6%AE%B5%E5%B8%B8%E8%A7%81%E7%9A%84%E5%91%BD%E4%BB%A4%EF%BC%9A\" 
title=\"2\uff09\u901a\u8fc7\u7f16\u5199Sigma\u89c4\u5219\uff0c\u5728Sysmon\u8fdb\u7a0b\u542f\u52a8\u65e5\u5fd7\u4e2d\uff0c\u68c0\u67e5\u51fa\u7c7b\u4f3cCS\u547d\u4ee4\u6267\u884c\u7684\u884c\u4e3a\uff0c\u548c\u540e\u6e17\u900f\u9636\u6bb5\u5e38\u89c1\u7684\u547d\u4ee4\uff1a\">2\uff09\u901a\u8fc7\u7f16\u5199Sigma\u89c4\u5219\uff0c\u5728Sysmon\u8fdb\u7a0b\u542f\u52a8\u65e5\u5fd7\u4e2d\uff0c\u68c0\u67e5\u51fa\u7c7b\u4f3cCS\u547d\u4ee4\u6267\u884c\u7684\u884c\u4e3a\uff0c\u548c\u540e\u6e17\u900f\u9636\u6bb5\u5e38\u89c1\u7684\u547d\u4ee4\uff1a<\/a><\/li><li class=\"ez-toc-page-1 ez-toc-heading-level-4\"><a class=\"ez-toc-link ez-toc-heading-13\" href=\"http:\/\/weizn.net\/?p=439\/#3%EF%BC%89%E6%9C%80%E5%90%8E%E5%9C%A8Esper%E5%BC%95%E6%93%8E%E4%B8%AD%EF%BC%8C%E5%85%B3%E8%81%94%E5%AD%98%E5%9C%A8%E4%BB%A5%E4%B8%8A1%E3%80%812%E8%A1%8C%E4%B8%BA%E7%9A%84%E8%BF%9B%E7%A8%8B%EF%BC%8C%E5%8F%AF%E4%BB%A5%E7%94%9F%E6%88%90%E6%9C%80%E7%BB%88%E5%91%8A%E8%AD%A6%EF%BC%9A\" title=\"3\uff09\u6700\u540e\u5728Esper\u5f15\u64ce\u4e2d\uff0c\u5173\u8054\u5b58\u5728\u4ee5\u4e0a1\u30012\u884c\u4e3a\u7684\u8fdb\u7a0b\uff0c\u53ef\u4ee5\u751f\u6210\u6700\u7ec8\u544a\u8b66\uff1a\">3\uff09\u6700\u540e\u5728Esper\u5f15\u64ce\u4e2d\uff0c\u5173\u8054\u5b58\u5728\u4ee5\u4e0a1\u30012\u884c\u4e3a\u7684\u8fdb\u7a0b\uff0c\u53ef\u4ee5\u751f\u6210\u6700\u7ec8\u544a\u8b66\uff1a<\/a><\/li><li class=\"ez-toc-page-1 ez-toc-heading-level-4\"><a class=\"ez-toc-link ez-toc-heading-14\" href=\"http:\/\/weizn.net\/?p=439\/#4%EF%BC%89%E5%91%8A%E8%AD%A6%E6%A0%B7%E4%BE%8B\" title=\"4\uff09\u544a\u8b66\u6837\u4f8b\">4\uff09\u544a\u8b66\u6837\u4f8b<\/a><\/li><\/ul><\/li><\/ul><\/li><li class=\"ez-toc-page-1 ez-toc-heading-level-2\"><a class=\"ez-toc-link ez-toc-heading-15\" href=\"http:\/\/weizn.net\/?p=439\/#%E4%B8%89%E3%80%81%E5%85%B6%E5%AE%83\" title=\"\u4e09\u3001\u5176\u5b83\">\u4e09\u3001\u5176\u5b83<\/a><\/li><\/ul><\/nav><\/div>\n<p>Cobalt Strike 
Beacon\u63d0\u4f9b\u4e86\u5f88\u591a\u547d\u4ee4\u63a7\u5236\u7684\u529f\u80fd\uff0c\u5176\u4e2d\u6709\u7684\u5b58\u5728\u5f3a\u7279\u5f81\uff0c\u6709\u7684\u5b58\u5728\u5f31\u7279\u5f81\uff0c\u800c\u5269\u4e0b\u7684\u57fa\u672c\u6ca1\u6709\u7279\u5f81\uff0c\u524d\u4e24\u8005\u90fd\u53ef\u4ee5\u76d1\u63a7\uff0c\u5373\u4f7f\u662f\u5f31\u7279\u5f81\u901a\u8fc7\u5173\u8054\u5206\u6790\u4e5f\u80fd\u505a\u5230\u57fa\u672c\u65e0\u8bef\u62a5\u7684\u7a0b\u5ea6\uff0c\u5982\u679c\u5185\u7f51\u4e2d\u5b58\u5728\u7ea2\u961f\u7684CS\u6728\u9a6c\uff0c\u5728\u6ca1\u6709\u5bf9\u6297\u610f\u8bc6\u7684\u60c5\u51b5\u4e0b\uff0c\u5f88\u5bb9\u6613\u505a\u51fa\u4e00\u4e9b\u300e\u9519\u8bef\u300f\u7684\u64cd\u4f5c\u88ab\u84dd\u961f\u68c0\u6d4b\u5230\u3002<\/p>\n<p><a href=\"http:\/\/weizn.net\/wp-content\/uploads\/2020\/09\/Xnip2020-09-29_17-12-02.jpg\" data-rel=\"penci-gallery-image-content\" ><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-458\" src=\"http:\/\/weizn.net\/wp-content\/uploads\/2020\/09\/Xnip2020-09-29_17-12-02.jpg\" alt=\"\" width=\"470\" height=\"413\" srcset=\"http:\/\/weizn.net\/wp-content\/uploads\/2020\/09\/Xnip2020-09-29_17-12-02.jpg 1386w, http:\/\/weizn.net\/wp-content\/uploads\/2020\/09\/Xnip2020-09-29_17-12-02-768x675.jpg 768w\" sizes=\"auto, (max-width: 470px) 100vw, 470px\" \/><\/a><\/p>\n<h2><span class=\"ez-toc-section\" id=\"%E4%B8%80%E3%80%81%E5%85%B3%E4%BA%8E%E5%BC%BA%E7%89%B9%E5%BE%81\"><\/span>\u4e00\u3001\u5173\u4e8e\u5f3a\u7279\u5f81<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>\u65e2\u7136\u662f\u5f3a\u7279\u5f81\uff0c\u81ea\u7136\u662f\u901a\u8fc7\u6b64\u7c7b\u7279\u5f81\u7684\u76d1\u63a7\u80fd\u8fbe\u5230\u7cbe\u51c6\u544a\u8b66\uff0c\u6781\u5c11\u6709\u8bef\u62a5\u7684\u60c5\u51b5\uff0c\u6216\u8005\u5373\u4f7f\u5728\u67d0\u4e9b\u73af\u5883\u4e0b\u5b58\u5728\u8bef\u62a5\uff0c\u4e5f\u53ef\u4ee5\u901a\u8fc7\u6dfb\u52a0\u5c11\u91cf\u767d\u540d\u5355\u7684\u65b9\u5f0f\u6536\u655b\u6389\u3002<\/p>\n<h3><span 
class=\"ez-toc-section\" id=\"1%E3%80%81%E8%BD%AC%E5%82%A8HASH\"><\/span>1\u3001\u8f6c\u50a8HASH<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>\u4f7f\u7528Beacon\u5185\u7f6e\u7684\u300e\u8f6c\u50a8HASH\u300f\u529f\u80fd\u9ed8\u8ba4\u65f6\uff0cBeacon\u5148\u901a\u8fc7\u8fdc\u7a0b\u6ce8\u5165spawnto\u5230\u4e2d\u95f4\u8fdb\u7a0b\uff08\u9ed8\u8ba4\u662fRundll32.exe\uff09\uff0c\u7136\u540e\u901a\u8fc7\u4e2d\u95f4\u8fdb\u7a0b\u518d\u8fdc\u7a0b\u7ebf\u7a0b\u6ce8\u5165lsass.exe\u8bfb\u53d6\u51ed\u636e\uff0c\u5f00\u6e90<a href=\"https:\/\/github.com\/Neo23x0\/sigma\">Sigma\u89c4\u5219<\/a>\u4e2d\u4e5f\u5305\u542b\u6b64\u7c7b\u89c4\u5219\uff0c\u68c0\u6d4b\u70b9\u662f\u5bf9lsass.exe\u8fdb\u7a0b\u7684\u8fdc\u7a0b\u7ebf\u7a0b\u6ce8\u5165\u884c\u4e3a\uff0c\u4f46\u6ce8\u610f\u8fd9\u91cc\u4ea7\u751f\u7684\u544a\u8b66\u5e76\u4e0d\u80fd\u5b9a\u4f4d\u5230Beacon\u8fdb\u7a0b\uff0c\u53ea\u80fd\u5b9a\u4f4d\u5230spawnto\u7684\u4e2d\u95f4\u8fdb\u7a0b\uff0c\u6838\u5fc3\u68c0\u6d4b\u903b\u8f91\u5982\u4e0b\uff1a<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"yaml\">detection:\r\n    selection:\r\n        event_id: 8\r\n        event_data.TargetImage: '*\\lsass.exe'\r\n        event_data.StartModule: '-'\r\n        event_data.StartFunction: '-'\r\n        event_data.StartAddress: '0x*'\r\n    condition: selection<\/pre>\n<h3><span class=\"ez-toc-section\" id=\"2%E3%80%81%E9%BB%98%E8%AE%A4%E5%91%BD%E5%90%8D%E7%AE%A1%E9%81%93\"><\/span>2\u3001\u9ed8\u8ba4\u547d\u540d\u7ba1\u9053<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>CobaltStrike\u786c\u7f16\u7801\u4e86\u72ec\u6709\u7684\u7ba1\u9053\u540d\u300e\\MSSE-*-server\u300f\uff0c\u89e6\u53d1\u7684Sysmon\u65e5\u5fd7\u4e3a\uff1a<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"json\">{\r\n  \"event_id\": \"17\",\r\n  \"event_data\": {\r\n    \"ProcessId\": \"9228\",\r\n    \"EventType\": \"CreatePipe\",\r\n    \"Image\": \"C:\\\\cs_beacon.exe\",\r\n    \"PipeName\": \"\\\\MSSE-7472-server\",\r\n    
\"ProcessGuid\": \"{8b627b42-006a-619c-fc01-000000002600}\"\r\n  }\r\n}<\/pre>\n<p>\u5bf9\u5e94\u7684Sigma\u89c4\u5219\u4e3a\uff1a<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"yaml\">detection:\r\n    selection:\r\n        event_id: 17\r\n        event_data.EventType: 'CreatePipe'\r\n        event_data.PipeName:\r\n            - '\\MSSE-*-server'\r\n    condition: all of them<\/pre>\n<h3><span class=\"ez-toc-section\" id=\"3%E3%80%81spawnto%E4%B8%AD%E9%97%B4%E8%BF%9B%E7%A8%8B\"><\/span>3\u3001spawnto\u4e2d\u95f4\u8fdb\u7a0b<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Beacon\u7684\u5927\u90e8\u5206\u63a7\u5236\u64cd\u4f5c\u662f\u5c06\u4e3b\u529f\u80fd\u7684\u4ee3\u7801\u8fdc\u7a0b\u6ce8\u5165\u5230\u5176\u5b83\u8fdb\u7a0b\u4e2d\u6267\u884c\uff0c\u9ed8\u8ba4\u662fRundll32.exe\uff0c\u867d\u7136\u8fd9\u6837\u589e\u52a0\u4e86\u88ab\u68c0\u51fa\u7684\u98ce\u9669\uff0c\u4f46\u5b98\u65b9\u5bf9\u6b64\u7684\u89e3\u91ca\u662f\uff0c\u5982\u679c\u5728Beacon\u8fdb\u7a0b\u91cc\u6267\u884c\u8fd9\u4e9b\u529f\u80fd\u65f6\u53d1\u751f\u4e86crash\uff0c\u53ef\u80fd\u4f1a\u5bfc\u81f4Beacon\u8fdb\u7a0b\u9000\u51fa\uff0c\u8fd9\u6837\u5c31\u4e22\u5931\u4e86\u8fdc\u63a7\u673a\u5668\uff0c\u770b\u6765\u4e5f\u662f\u4e00\u79cd\u65e0\u5948\u4e4b\u4e3e\u3002<\/p>\n<p>\u5bf9\u4e8e\u8fdc\u7a0b\u6ce8\u5165Rundll32.exe\u7684\u64cd\u4f5c\u662f\u4e00\u79cd\u6781\u5176\u5c11\u89c1\u7684\u884c\u4e3a\uff0c\u6240\u4ee5\u57fa\u672c\u5c5e\u4e8eCS\u7684\u4e00\u4e2a\u5f3a\u7279\u5f81\uff0cSysmon\u4f1a\u8bb0\u5f55\u6bcf\u4e00\u4e2a\u8fdc\u7a0b\u7ebf\u7a0b\u6ce8\u5165\u7684\u4e8b\u4ef6\uff0c\u53ef\u4ee5\u901a\u8fc7Sigma\u89c4\u5219\u76d1\u63a7\uff1a<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"yaml\">detection:\r\n    selection:\r\n        event_id: 8\r\n        event_data.TargetImage: '*\\rundll32.exe'\r\n        event_data.StartModule: '-'\r\n        event_data.StartFunction: '-'\r\n        event_data.StartAddress: '0x*'\r\n    condition: 
selection<\/pre>\n<p>\u5f53\u7136\u5728CS\u7684\u914d\u7f6e\u6587\u4ef6\u4e2d\uff0c\u53ef\u4ee5\u9009\u62e9\u6ce8\u5165\u7684\u76ee\u6807\uff0c\u5982\u679c\u4f60\u5728\u914d\u7f6eCS\u7684profile\u65f6\u9ed8\u8ba4\u9009\u62e9\u6ce8\u5165Rundll32.exe\uff0c\u8fd8\u4f1a\u6709OPSEC\u7684\u63d0\u793a\uff1a<\/p>\n<p><a href=\"http:\/\/weizn.net\/wp-content\/uploads\/2020\/09\/Xnip2020-09-29_18-26-06.jpg\" data-rel=\"penci-gallery-image-content\" ><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-466\" src=\"http:\/\/weizn.net\/wp-content\/uploads\/2020\/09\/Xnip2020-09-29_18-26-06.jpg\" alt=\"\" width=\"647\" height=\"282\" srcset=\"http:\/\/weizn.net\/wp-content\/uploads\/2020\/09\/Xnip2020-09-29_18-26-06.jpg 1598w, http:\/\/weizn.net\/wp-content\/uploads\/2020\/09\/Xnip2020-09-29_18-26-06-768x334.jpg 768w, http:\/\/weizn.net\/wp-content\/uploads\/2020\/09\/Xnip2020-09-29_18-26-06-1536x669.jpg 1536w\" sizes=\"auto, (max-width: 647px) 100vw, 647px\" \/><\/a><\/p>\n<p>\u7ea2\u961f\u53ef\u4ee5\u901a\u8fc7\u4fee\u6539\u914d\u7f6e\u6587\u4ef6\u9009\u62e9\u6ce8\u5165\u5176\u5b83\u7cfb\u7edf\u8fdb\u7a0b\uff0c\u7ed5\u5f00\u5bf9\u4e8eRundll32.exe\u6ce8\u5165\u7684\u76d1\u63a7\u3002<\/p>\n<p>&nbsp;<\/p>\n<p>\u4e0d\u8fc7\u84dd\u961f\u53ef\u4ee5\u7ee7\u7eed\u5199\u4e00\u6761\u5173\u4e8e\u6ca1\u6709\u4ee3\u7801\u7b7e\u540d\u7684\u8fdb\u7a0b\uff0c\u5374\u5bf9\u7cfb\u7edf\u8fdb\u7a0b\u8fdb\u884c\u8fdc\u7a0b\u6ce8\u5165\u7684\u76d1\u63a7\uff0c\u4f46\u8fd9\u91cc\u6d89\u53ca\u5230\u5173\u8054\u5206\u6790\uff0c\u6682\u4e0d\u5c55\u5f00\u8bf4\u660e\u3002<\/p>\n<p>\u8fd8\u6709\u4e00\u70b9\u5c31\u662f\uff0c\u6ca1\u6709\u6b63\u89c4\u4ee3\u7801\u7b7e\u540d\u7684\u8fdb\u7a0b\uff0c\u8fdb\u884c\u53ef\u7591\u7684\u8fdc\u7a0b\u7ebf\u7a0b\u6ce8\u5165\u7684\u884c\u4e3a\uff0c\u5927\u90e8\u5206\u4e3b\u52a8\u9632\u5fa1\u505a\u7684\u597d\u7684\u6740\u8f6f\u5df2\u7ecf\u53ef\u4ee5\u62e6\u622a\u4e86\uff0c\u5373\u4f7fCS\u6728\u9a6c\u5b9e\u73b0\u4e86\u4ee3\u7801\u9759\u6001\u514d\u6740\uff0c\u4
e5f\u5728\u8fd9\u70b9\u4e0a\u8fc7\u4e0d\u4e86\u884c\u4e3a\u514d\u6740\uff0c\u4f8b\u5982\u5728\u8fdb\u884c\u6ce8\u5165\u65f6360\u4f1a\u5bf9\u7528\u6237\u8fdb\u884c\u544a\u8b66\u63d0\u793a\uff0c\u5e76\u9ed8\u8ba4\u963b\u62e6\uff0c\u4f46\u4ecd\u6709\u4e00\u4e9b\u8001\u724c\u6740\u8f6f\uff0c\u4f8b\u5982\u56fd\u5185\u4e00\u4e9b\u7532\u65b9\u4f7f\u7528\u7684\u67d0S\u5f00\u5934\u7684\u56fd\u5916\u6740\u8f6f\uff0c\u4e00\u70b9\u53cd\u5e94\u90fd\u6ca1\u6709\uff0c\u5f88\u5bb9\u6613\u7ed5\u8fc7\u3002<\/p>\n<p>&nbsp;<\/p>\n<h2><span class=\"ez-toc-section\" id=\"%E4%BA%8C%E3%80%81%E5%85%B3%E4%BA%8E%E5%BC%B1%E7%89%B9%E5%BE%81\"><\/span>\u4e8c\u3001\u5173\u4e8e\u5f31\u7279\u5f81<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>CS\u6728\u9a6c\u90e8\u5206\u64cd\u4f5c\u8fd0\u884c\u65f6\u65e0\u5f3a\u7279\u5f81\uff0c\u6240\u4ee5\u68c0\u6d4b\u601d\u8def\u53ea\u80fd\u5c1d\u8bd5\u63d0\u53d6\u591a\u4e2a\u5f31\u7279\u5f81\u540e\uff0c\u5728\u540c\u4e00\u4e2a\u8fdb\u7a0b\u4e0a\u5173\u8054\u8d77\u6765\uff0c\u591a\u6b21\u5c1d\u8bd5\u540e\u770b\u770b\u8bef\u62a5\u91cf\u5927\u4e0d\u5927\u3002<\/p>\n<h3><span class=\"ez-toc-section\" id=\"1%E3%80%81%E5%88%86%E6%9E%90shell%E6%89%A7%E8%A1%8C%E6%97%B6%E7%9A%84%E5%BC%B1%E7%89%B9%E5%BE%81%EF%BC%9A\"><\/span>1\u3001\u5206\u6790shell\u6267\u884c\u65f6\u7684\u5f31\u7279\u5f81\uff1a<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<h4><span class=\"ez-toc-section\" id=\"1%EF%BC%89%E8%BF%90%E8%A1%8C%E6%97%B6%E7%9A%84%E5%BF%83%E8%B7%B3%E8%BF%9E%E6%8E%A5%EF%BC%9A\"><\/span>1\uff09\u8fd0\u884c\u65f6\u7684\u5fc3\u8df3\u8fde\u63a5\uff1a<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>Sysmon\u53ef\u4ee5\u8bb0\u5f55\u4e0b\u6bcf\u4e00\u4e2a\u51fa\u7ad9\u548c\u5165\u7ad9\u7684\u77ed\u8fde\u63a5\u548c\u957f\u8fde\u63a5\uff08event_id: 
3\uff09\uff0c\u4f46CS\u7684\u5fc3\u8df3\u5468\u671f\u53ef\u4ee5\u81ea\u884c\u8bbe\u7f6e\uff0c\u751a\u81f3\u8bbe\u7f6e\u975e\u56fa\u5b9a\u7684\u5fc3\u8df3\u5468\u671f\uff0c\u6240\u4ee5\u5fc3\u8df3\u8fde\u63a5\u53ea\u80fd\u5c5e\u4e8e\u6ca1\u6709\u5dee\u5f02\u6027\u7684\u5f31\u7279\u5f81\u3002<\/p>\n<h4><span class=\"ez-toc-section\" id=\"2%EF%BC%89%E6%89%A7%E8%A1%8Cshell%E7%9A%84%E5%91%BD%E4%BB%A4%E8%A1%8C%E6%A0%BC%E5%BC%8F%EF%BC%9A\"><\/span>2\uff09\u6267\u884cshell\u7684\u547d\u4ee4\u884c\u683c\u5f0f\uff1a<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>\u6267\u884c\u547d\u4ee4\u65f6CS\u4f1a\u901a\u8fc7\u7ed1\u5b9a\u53cc\u5411\u533f\u540d\u7ba1\u9053\u7684\u65b9\u5f0f\u521b\u5efacmd.exe\u5b50\u8fdb\u7a0b\uff0c\u5e76\u4f20\u5165\u547d\u4ee4\u53c2\u6570\uff0c\u683c\u5f0f\u4e3acmd.exe\u7684\u5b8c\u6574\u8def\u5f84 + <span style=\"color: #ff0000;\">\u5927\u5199\/C<\/span>\u53c2\u6570 + \u5b9e\u9645\u6267\u884c\u547d\u4ee4\u3002<\/p>\n<p><a href=\"http:\/\/weizn.net\/wp-content\/uploads\/2020\/09\/Xnip2020-09-29_19-05-22-scaled.jpg\" data-rel=\"penci-gallery-image-content\" ><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-479\" src=\"http:\/\/weizn.net\/wp-content\/uploads\/2020\/09\/Xnip2020-09-29_19-05-22-scaled.jpg\" alt=\"\" width=\"660\" height=\"361\" srcset=\"http:\/\/weizn.net\/wp-content\/uploads\/2020\/09\/Xnip2020-09-29_19-05-22-scaled.jpg 2560w, http:\/\/weizn.net\/wp-content\/uploads\/2020\/09\/Xnip2020-09-29_19-05-22-768x420.jpg 768w, http:\/\/weizn.net\/wp-content\/uploads\/2020\/09\/Xnip2020-09-29_19-05-22-1536x840.jpg 1536w, http:\/\/weizn.net\/wp-content\/uploads\/2020\/09\/Xnip2020-09-29_19-05-22-2048x1120.jpg 2048w\" sizes=\"auto, (max-width: 660px) 100vw, 660px\" 
\/><\/a><\/p>\n<p>\u5728\u8fd9\u4e2aSysmon\u539f\u59cb\u65e5\u5fd7\u4e2d\uff0c\u6267\u884c\u7684\u547d\u4ee4\u8bb0\u5f55\u5230\u4e24\u4e2a\u5b57\u6bb5\u4e2dCommandLine\u548cCommandLine_Raw\uff0cCommandLine\u5185\u5bb9\u5168\u90e8\u8f6c\u6362\u4e3a\u5c0f\u5199\uff0c\u65b9\u4fbf\u5728es\u548chive\u4e2d\u4e0d\u533a\u5206\u5927\u5c0f\u5199\u67e5\u8be2\uff0c\u800cCommandLine_Raw\u8bb0\u5f55\u4e86\u539f\u59cb\u547d\u4ee4\uff0c\u662f\u533a\u5206\u4e86\u5927\u5c0f\u5199\u7684\u3002<\/p>\n<p>\u901a\u8fc7\u65e5\u5fd7\u56de\u6d4b\u53d1\u73b0\uff0ccmd\u547d\u4ee4\u6267\u884c\u8fd9\u4e5f\u662f\u5f31\u7279\u5f81\uff0c\u6b63\u5e38\u8f6f\u4ef6\u4e5f\u4f1a\u5927\u91cf\u89e6\u53d1\u3002\u4e0d\u8fc7\u6ce8\u610f\/C\u53c2\u6570\u662fCS\u7279\u6709\u7684\u5927\u5199\uff0c\u90e8\u5206\u6b63\u5e38\u8f6f\u4ef6\u901a\u8fc7cmd\u5b50\u8fdb\u7a0b\u6267\u884c\u547d\u4ee4\u65f6\uff0c\/c\u53c2\u6570\u662f\u5c0f\u5199\u7684\uff0c\u8fd9\u70b9\u4e5f\u53ef\u4ee5\u5e2e\u6211\u4eec\u8fc7\u6ee4\u90e8\u5206\u6b63\u5e38\u8f6f\u4ef6\u3002<\/p>\n<h4><span class=\"ez-toc-section\" id=\"3%EF%BC%89%E6%89%A7%E8%A1%8C%E5%90%8E%E6%B8%97%E9%80%8F%E9%98%B6%E6%AE%B5%E5%B8%B8%E7%94%A8%E7%9A%84%E5%91%BD%E4%BB%A4%EF%BC%9A\"><\/span>3\uff09\u6267\u884c<strong>\u540e\u6e17\u900f\u9636\u6bb5\u5e38\u7528\u7684\u547d\u4ee4<\/strong>\uff1a<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>CS\u8fdc\u63a7\u540e\u7684\u5927\u90e8\u5206\u901a\u7528\u884c\u4e3a\u96c6\u4e2d\u5728shell\u6267\u884c\u4e0a\uff0c\u4ece\u5bf9\u7ea2\u961f\u884c\u4e3a\u7684\u590d\u76d8\u548c\u4e00\u4e9b\u7ecf\u9a8c\u53ef\u4ee5\u603b\u7ed3\u51fa\uff0c\u9ed1\u5ba2\u5728\u540e\u6e17\u900f\u9636\u6bb5\uff0c\u6267\u884c\u7684\u547d\u4ee4\u7c7b\u578b\u96c6\u4e2d\u5728\uff1a\u7cfb\u7edf\u4fe1\u606f\u67e5\u770b\u3001\u6587\u4ef6\u67e5\u770b\u3001\u6587\u4ef6\u64cd\u4f5c\u7b49\uff0c\u800c\u8fd9\u5c5e\u4e8e\u7b2c3\u4e2a\u5f31\u7279\u5f81\u3002<\/p>\n<p 
data-diff-id=\"ct-diff-id-KBWBCNiH\">\u6700\u7ec8\u68c0\u6d4b\u601d\u8def\u5c1d\u8bd5\u5c063\u4e2a\u5f31\u7279\u5f81\u7ed3\u5408\uff1a<br \/>\n<span style=\"color: #800000;\"><strong>\u6301\u7eed\u7684\u5fc3\u8df3\u8fde\u63a5 + \u7279\u6b8acmd\u547d\u4ee4\u6267\u884c\u683c\u5f0f + \u4e00\u4e9b\u540e\u6e17\u900f\u9636\u6bb5\u5e38\u7528\u7684\u547d\u4ee4<\/strong><\/span><\/p>\n<h3 data-diff-id=\"ct-diff-id-KBWBCNiH\"><span class=\"ez-toc-section\" id=\"2%E3%80%81%E6%A3%80%E6%B5%8Bshell%E6%89%A7%E8%A1%8C%E8%A1%8C%E4%B8%BA\"><\/span>2\u3001\u68c0\u6d4bshell\u6267\u884c\u884c\u4e3a<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>\u7531\u4e8e\u8fd9\u91cc\u9700\u8981\u5173\u8054\u5206\u6790\u591a\u4e2a\u65e5\u5fd7\uff0c\u56e0\u6b64\u6211\u4eec\u501f\u52a9\u5f00\u6e90CEP\u5f15\u64ce<a href=\"https:\/\/www.espertech.com\/\">Esper<\/a>\u5b9e\u73b0\uff0c\u5047\u8bbe\u6211\u4eec\u5728Storm\u4e0a\u96c6\u6210\u4e86\u5b9e\u65f6Sigma\u5f15\u64ce\u548cEsper\u5f15\u64ce\uff0c\u5e76\u4e14\u548cEsper\u5f15\u64ce\u76f8\u5173\u7684\u6570\u636e\u6d41\u8f6c\u5982\u672c\u6587\u6240\u793a\uff1a<a href=\"http:\/\/weizn.net\/?p=667\">CEP\u5f15\u64ceEsper\u5728\u5165\u4fb5\u68c0\u6d4b\u7cfb\u7edf\u4e2d\u7684\u5b9e\u8df5<\/a><\/p>\n<p>\u57fa\u4e8e\u8fd9\u6837\u7684\u67b6\u6784\uff0c\u6211\u4eec\u53ef\u4ee5\u505a\u51fa\u4ee5\u4e0b\u7684\u68c0\u6d4b\u89c4\u5219\uff08\u5f53\u7136\u4e0d\u9002\u7528\u4e8e\u5176\u5b83\u67b6\u6784\uff09\u3002<\/p>\n<h4><span class=\"ez-toc-section\" 
id=\"1%EF%BC%89%E9%A6%96%E5%85%88%E5%9C%A8%E5%85%A8%E7%BD%91Sysmon%E7%BD%91%E7%BB%9C%E8%BF%9E%E6%8E%A5%E6%97%A5%E5%BF%97%E4%B8%AD%EF%BC%8C%E9%80%9A%E8%BF%87CEP%E8%A7%84%E5%88%99%E7%AD%9B%E9%80%89%E5%87%BA%E6%89%80%E6%9C%89%E5%AD%98%E5%9C%A8TCP%E5%BF%83%E8%B7%B3%E8%BF%9E%E6%8E%A5%E7%9A%84%E8%BF%9B%E7%A8%8B%EF%BC%9A\"><\/span>1\uff09\u9996\u5148\u5728\u5168\u7f51Sysmon\u7f51\u7edc\u8fde\u63a5\u65e5\u5fd7\u4e2d\uff0c\u901a\u8fc7CEP\u89c4\u5219\u7b5b\u9009\u51fa\u6240\u6709\u5b58\u5728TCP\u5fc3\u8df3\u8fde\u63a5\u7684\u8fdb\u7a0b\uff1a<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p data-diff-id=\"ct-diff-id-86YgzGtl\">\u68c0\u6d4b\u903b\u8f91\u7b80\u5355\u63cf\u8ff0\u4e3a\uff1a<\/p>\n<p data-diff-id=\"ct-diff-id-OlLumfSu\">\u8fdb\u7a0b\u5411\u540c\u4e00\u4e2aIP\u540c\u4e00\u4e2a\u7aef\u53e3\uff0c\u8fde\u7eed\u53d1\u8d77&gt;=5\u6b21\u7684TCP\u8fde\u63a5\uff0c\u6bcf\u6b21\u95f4\u9694\u6700\u5927\u4e0d\u8d85\u8fc712min\uff0c\u603b\u5171\u5fc3\u8df3\u65f6\u957f\u4e0d\u5c0f\u4e8e80sec\uff0c\u5219\u5224\u5b9a\u5b58\u5728TCP\u5fc3\u8df3\u884c\u4e3a\uff0c\u5173\u952e\u89c4\u5219\u7247\u6bb5\uff1a<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"yaml\">title: \u53d1\u73b0Windows\u4e0b\u53ef\u7591\u7684TCP\u5fc3\u8df3\u8fde\u63a5_Sysmon\r\n\r\nstorm_grouping_field:\r\n    - 'host_computer_name'\r\n\r\nepl: '\r\n@name(\"\u68c0\u6d4bWindows\u4e0b\u53ef\u7591\u7684\u5fc3\u8df3\u8fde\u63a5_Sysmon_\u62c6\u5206\u51fa\u7f51\u7edc\u4e8b\u4ef6\u6d41\")\r\n@public\r\ncreate schema SYSMON_TCP_FLOW () copyfrom SysmonRawLogs;\r\n\r\n\r\n@name(\"\u68c0\u6d4bWindows\u4e0b\u53ef\u7591\u7684\u5fc3\u8df3\u8fde\u63a5_Sysmon_\u7b5b\u9009\u611f\u5174\u8da3\u4e8b\u4ef6\u6d41\")\r\non SysmonRawLogs\r\ninsert into SYSMON_TCP_FLOW\r\nselect * where\r\nevent_id = \"3\" and\r\nevent_data_direction = \"outbound\" and\r\nevent_data_protocol = \"tcp\" and\r\nevent_data_image != \"\" and\r\nevent_data_processguid != \"\" and\r\n\r\nIPAddress4Utils.is_valid_ipv4(event_data_sourceip) 
and\r\nIPAddress4Utils.is_valid_ipv4(event_data_destinationip) and\r\n\r\nevent_data_image not like \"%\\\\\\\\google\\\\\\\\%\" and\r\nevent_data_image not like \"%\\\\\\\\inetsrv\\\\\\\\w3wp.exe\" and\r\nevent_data_image not like \"%\\\\\\\\system32\\\\\\\\dns.exe\" and\r\nevent_data_image not like \"%\\\\\\\\bin\\\\\\\\msexchangemailboxassistants.exe\" and\r\n\r\nArrayContains.array_contains(event_data_sourceip, host_ip, \",\") &gt; 0\r\n;\r\n\r\n\r\n@name(\"\u68c0\u6d4bWindows\u4e0b\u53ef\u7591\u7684\u5fc3\u8df3\u8fde\u63a5_Sysmon_\u521b\u5efa\u5339\u914d\u6a21\u5f0f\")\r\nselect * from pattern[\r\n    every-distinct(\r\n        a.computer_name, a.event_data_destinationip, a.event_data_destinationport,\r\n        a.event_data_processguid, a.event_data_processid, a.event_data_image, 10 min\r\n    )\r\n    a=SYSMON_TCP_FLOW -&gt;\r\n\r\n    (timer:interval(20 sec) and b=SYSMON_TCP_FLOW(\r\n        a.computer_name = computer_name and\r\n        a.event_data_sourceip = event_data_sourceip and\r\n        a.event_data_destinationip = event_data_destinationip and\r\n        a.event_data_destinationport = event_data_destinationport and\r\n        a.event_data_processguid = event_data_processguid and\r\n        a.event_data_processid = event_data_processid and\r\n        a.event_data_image = event_data_image\r\n    )) where timer:within(12 min) -&gt;\r\n\r\n    (timer:interval(20 sec) and c=SYSMON_TCP_FLOW(\r\n        a.computer_name = computer_name and\r\n        a.event_data_sourceip = event_data_sourceip and\r\n        a.event_data_destinationip = event_data_destinationip and\r\n        a.event_data_destinationport = event_data_destinationport and\r\n        a.event_data_processguid = event_data_processguid and\r\n        a.event_data_processid = event_data_processid and\r\n        a.event_data_image = event_data_image\r\n    )) where timer:within(12 min) -&gt;\r\n\r\n    (timer:interval(20 sec) and d=SYSMON_TCP_FLOW(\r\n        a.computer_name = computer_name 
and\r\n        a.event_data_sourceip = event_data_sourceip and\r\n        a.event_data_destinationip = event_data_destinationip and\r\n        a.event_data_destinationport = event_data_destinationport and\r\n        a.event_data_processguid = event_data_processguid and\r\n        a.event_data_processid = event_data_processid and\r\n        a.event_data_image = event_data_image\r\n    )) where timer:within(12 min) -&gt;\r\n\r\n    (timer:interval(20 sec) and e=SYSMON_TCP_FLOW(\r\n        a.computer_name = computer_name and\r\n        a.event_data_sourceip = event_data_sourceip and\r\n        a.event_data_destinationip = event_data_destinationip and\r\n        a.event_data_destinationport = event_data_destinationport and\r\n        a.event_data_processguid = event_data_processguid and\r\n        a.event_data_processid = event_data_processid and\r\n        a.event_data_image = event_data_image\r\n    )) where timer:within(12 min)\r\n]\r\n\r\n'\r\n<\/pre>\n<p data-diff-id=\"ct-diff-id-d3e5351u\">\u901a\u8fc7RabbitMQ\u4e2d\u95f4\u4ef6\u5c06\u4ea7\u751f\u7684\u5fc3\u8df3\u4e8b\u4ef6\u91cd\u5165Esper\u5f15\u64ce\u65f6\uff0c\u53ef\u4ee5\u770b\u5230\u5185\u7f51\u6bcf\u79d2\u4ea7\u751f\u5927\u7ea6100\u6761\u6b64\u4e8b\u4ef6\uff1a<\/p>\n<p data-diff-id=\"ct-diff-id-lhye52XU\"><span class=\"block-wrapper\"><span class=\"ct-image ct-image-container ct-image-container-success\"><a href=\"http:\/\/weizn.net\/wp-content\/uploads\/2020\/09\/421134528.png\" data-rel=\"penci-gallery-image-content\" ><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-626\" src=\"http:\/\/weizn.net\/wp-content\/uploads\/2020\/09\/421134528.png\" alt=\"\" width=\"607\" height=\"153\" srcset=\"http:\/\/weizn.net\/wp-content\/uploads\/2020\/09\/421134528.png 1398w, http:\/\/weizn.net\/wp-content\/uploads\/2020\/09\/421134528-768x193.png 768w, http:\/\/weizn.net\/wp-content\/uploads\/2020\/09\/421134528-1170x295.png 1170w, 
http:\/\/weizn.net\/wp-content\/uploads\/2020\/09\/421134528-585x147.png 585w\" sizes=\"auto, (max-width: 607px) 100vw, 607px\" \/><\/a><\/span><\/span><\/p>\n<h4 id=\"id-2\uff09\u901a\u8fc7\u7f16\u5199Sigma\u89c4\u5219\uff0c\u5728Sysmon\u8fdb\u7a0b\u542f\u52a8\u65e5\u5fd7\u4e2d\uff0c\u68c0\u67e5\u51fa\u7c7b\u4f3cCS\u547d\u4ee4\u6267\u884c\u7684\u884c\u4e3a\uff0c\u548c\u540e\u6e17\u900f\u9636\u6bb5\u5e38\u89c1\u7684\u547d\u4ee4\u3002\" class=\"ct-heading\" data-diff-id=\"ct-diff-id-tpto8DPf\"><span class=\"ez-toc-section\" id=\"2%EF%BC%89%E9%80%9A%E8%BF%87%E7%BC%96%E5%86%99Sigma%E8%A7%84%E5%88%99%EF%BC%8C%E5%9C%A8Sysmon%E8%BF%9B%E7%A8%8B%E5%90%AF%E5%8A%A8%E6%97%A5%E5%BF%97%E4%B8%AD%EF%BC%8C%E6%A3%80%E6%9F%A5%E5%87%BA%E7%B1%BB%E4%BC%BCCS%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E7%9A%84%E8%A1%8C%E4%B8%BA%EF%BC%8C%E5%92%8C%E5%90%8E%E6%B8%97%E9%80%8F%E9%98%B6%E6%AE%B5%E5%B8%B8%E8%A7%81%E7%9A%84%E5%91%BD%E4%BB%A4%EF%BC%9A\"><\/span>2\uff09\u901a\u8fc7\u7f16\u5199Sigma\u89c4\u5219\uff0c\u5728Sysmon\u8fdb\u7a0b\u542f\u52a8\u65e5\u5fd7\u4e2d\uff0c\u68c0\u67e5\u51fa\u7c7b\u4f3cCS\u547d\u4ee4\u6267\u884c\u7684\u884c\u4e3a\uff0c\u548c\u540e\u6e17\u900f\u9636\u6bb5\u5e38\u89c1\u7684\u547d\u4ee4\uff1a<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"yaml\">title: Windows\u6267\u884c\u53ef\u7591\u7684\u547d\u4ee4\u683c\u5f0f_\u7591\u4f3cCobaltStrike_Sysmon_0\r\ndescription: \u7528\u4e8e\u7ea7\u8054\u68c0\u6d4b\u300e\u68c0\u6d4b\u7591\u4f3cCobaltStrike\u6728\u9a6c\u884c\u4e3a\u300f\uff0c\u4e0d\u4f1a\u5355\u72ec\u4ea7\u751f\u544a\u8b66\u3002\r\n\r\nlogsource:\r\n    product: windows\r\n    service: sysmon\r\n\r\ndetection:\r\n    selection1:\r\n        event_id: '1'\r\n    selection2:\r\n        event_data.CommandLine:\r\n            - '?:\\windows\\system32\\cmd.exe \/c whoami'\r\n            - '?:\\windows\\system32\\cmd.exe \/c ipconfig'\r\n            - '?:\\windows\\system32\\cmd.exe \/c ipconfig \/all'\r\n            - 
'?:\\windows\\system32\\cmd.exe \/c hostname'\r\n#            - '?:\\windows\\system32\\cmd.exe \/c net user'\r\n            - '?:\\windows\\system32\\cmd.exe \/c set'\r\n            - '?:\\windows\\system32\\cmd.exe \/c quser'\r\n#            - '?:\\windows\\system32\\cmd.exe \/c net localgroup administrators'\r\n            - '?:\\windows\\system32\\cmd.exe \/c dir'\r\n            - '?:\\windows\\system32\\cmd.exe \/c systeminfo'\r\n            - '?:\\windows\\system32\\cmd.exe \/c tasklist'\r\n            - '?:\\windows\\system32\\cmd.exe \/c qprocess'\r\n\r\n            - '?:\\windows\\system32\\cmd.exe \/c cd *'\r\n            - '?:\\windows\\system32\\cmd.exe \/c dir *'\r\n            - '?:\\windows\\system32\\cmd.exe \/c net *'\r\n            - '?:\\windows\\system32\\cmd.exe \/c net1 *'\r\n            - '?:\\windows\\system32\\cmd.exe \/c powershell*'\r\n            - '?:\\windows\\system32\\cmd.exe \/c netsh *'\r\n            - '?:\\windows\\system32\\cmd.exe \/c wmic *'\r\n            - '?:\\windows\\system32\\cmd.exe \/c bitsadmin*'\r\n            - '?:\\windows\\system32\\cmd.exe \/c cmstp*'\r\n            - '?:\\windows\\system32\\cmd.exe \/c mshta*'\r\n            - '?:\\windows\\system32\\cmd.exe \/c certutil*'\r\n            - '?:\\windows\\system32\\cmd.exe \/c rundll32*'\r\n            - '?:\\windows\\system32\\cmd.exe \/c cscript*'\r\n            - '?:\\windows\\system32\\cmd.exe \/c msiexec*'\r\n            - '?:\\windows\\system32\\cmd.exe \/c sctasks*'\r\n            - '?:\\windows\\system32\\cmd.exe \/c wscript*'\r\n            - '?:\\windows\\system32\\cmd.exe \/c cmd *'\r\n            - '?:\\windows\\system32\\cmd.exe \/c more *'\r\n            - '?:\\windows\\system32\\cmd.exe \/c ping *'\r\n            - '?:\\windows\\system32\\cmd.exe \/c nslookup *'\r\n            - '?:\\windows\\system32\\cmd.exe \/c tasklist *'\r\n            - '?:\\windows\\system32\\cmd.exe \/c taskkill *'\r\n            - '?:\\windows\\system32\\cmd.exe \/c tracert 
*'\r\n            - '?:\\windows\\system32\\cmd.exe \/c echo *&gt;*'\r\n            - '?:\\windows\\system32\\cmd.exe \/c del *'\r\n            - '?:\\windows\\system32\\cmd.exe \/c copy *'\r\n            - '?:\\windows\\system32\\cmd.exe \/c move *'\r\n            - '?:\\windows\\system32\\cmd.exe \/c rename *'\r\n            - '?:\\windows\\system32\\cmd.exe \/c quser *'\r\n            - '?:\\windows\\system32\\cmd.exe \/c query *'\r\n            - '?:\\windows\\system32\\cmd.exe \/c xcopy *'\r\n            - '?:\\windows\\system32\\cmd.exe \/c type *'\r\n            - '?:\\windows\\system32\\cmd.exe \/c netstat *'\r\n            - '?:\\windows\\system32\\cmd.exe \/c fsutil *'\r\n            - '?:\\windows\\system32\\cmd.exe \/c sc *'\r\n            - '?:\\windows\\system32\\cmd.exe \/c qprocess*'\r\n\r\n            - '?:\\windows\\system32\\cmd.exe \/c *|*findstr *'\r\n    filter1:\r\n        event_data.ParentImage:\r\n            - '*\\cmd.exe'\r\n    filter2:\r\n        event_data.CommandLine_Raw:\r\n            # CobaltStrike\u6267\u884ccmd\u547d\u4ee4\u7684\u53c2\u6570\u5fc5\u987b\u662f\u5927\u5199\u7684\u300e\/C\u300f\uff0c\u56e0\u6b64\u8fc7\u6ee4\u6389\u5c0f\u5199\u7684\u300e\/c\u300f\uff0c\u300eregex:\u300f\u524d\u7f00\u8868\u793a\u8fd9\u91cc\u4f7f\u7528\u6b63\u5219\u5339\u914d\u3002\r\n            # 注意：(?i) 的作用范围取决于正则引擎，Java 里它只作用于所在分组，而 Python 等引擎会把它当作全局标志，使后面的『\/c』同样不区分大小写，大写『\/C』也会被过滤掉而导致规则失效，请在目标引擎上验证。\r\n            - 'regex:((?i)$?:\\\\Windows\\\\system32\\\\cmd\\.exe)\\s\/c\\s'\r\n    condition: selection1 and selection2 and not filter1 and not filter2\r\n\r\nstorm_grouping_field:\r\n    - 'computer_name'<\/pre>\n<h4 id=\"id-3\uff09\u6700\u540e\u5728Esper\u5f15\u64ce\u4e2d\uff0c\u5173\u8054\u5b58\u5728\u4ee5\u4e0a1\u30012\u884c\u4e3a\u7684\u8fdb\u7a0b\uff0c\u53ef\u4ee5\u751f\u6210\u6700\u7ec8\u544a\u8b66\u3002\" class=\"ct-heading\" data-diff-id=\"ct-diff-id-b8YwUzkA\"><span class=\"ez-toc-section\" 
id=\"3%EF%BC%89%E6%9C%80%E5%90%8E%E5%9C%A8Esper%E5%BC%95%E6%93%8E%E4%B8%AD%EF%BC%8C%E5%85%B3%E8%81%94%E5%AD%98%E5%9C%A8%E4%BB%A5%E4%B8%8A1%E3%80%812%E8%A1%8C%E4%B8%BA%E7%9A%84%E8%BF%9B%E7%A8%8B%EF%BC%8C%E5%8F%AF%E4%BB%A5%E7%94%9F%E6%88%90%E6%9C%80%E7%BB%88%E5%91%8A%E8%AD%A6%EF%BC%9A\"><\/span>3\uff09\u6700\u540e\u5728Esper\u5f15\u64ce\u4e2d\uff0c\u5173\u8054\u5b58\u5728\u4ee5\u4e0a1\u30012\u884c\u4e3a\u7684\u8fdb\u7a0b\uff0c\u53ef\u4ee5\u751f\u6210\u6700\u7ec8\u544a\u8b66\uff1a<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>\u6ce8\u610f\u4ee5\u4e0a\u4e24\u4e2a\u89c4\u5219\u8bbe\u7f6e\u4e86\u5206\u7ec4\u5b57\u6bb5\u90fd\u4e3acomputer_name\uff0c\u56e0\u6b64\u53ef\u4ee5\u4fdd\u8bc1\u5728Storm\u4e2d\u88ab\u5206\u7ec4\u5230\u540c\u4e00\u4e2abolt\u4e2d\u505a\u7ea7\u8054\u8ba1\u7b97\uff0cStorm\u4e2dCEP\u6570\u636e\u6d41\u8f6c\u65b9\u5f0f\u53c2\u8003\u4e0a\u9762\u7684\u6570\u636e\u6d41\u56fe\uff0c\u89c4\u5219\u7247\u6bb5\uff1a<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"yaml\">title: \u53d1\u73b0Windows\u4e0b\u7591\u4f3cCobaltStrike\u6728\u9a6c\u8fdb\u7a0b\r\ndescription: '\u53d1\u73b0\u4e3b\u673a{$computer_name}\u7591\u4f3c\u5b58\u5728Cobalt Strike\u6728\u9a6c\u8fdb\u7a0b{$proc_path}\uff0c\u4ee5{host_users}\u5e10\u6237\u8fd0\u884c\uff0c\u6267\u884c\u4e86\u5b50\u547d\u4ee4{$cmd}\uff0c\u5e76\u4e14\u5b58\u5728\u5468\u671f\u6027TCP\u5fc3\u8df3\uff0c\u8fde\u63a5\u4e86IP\u5730\u5740{dest_ip}\u7684{dest_port}\u7aef\u53e3\uff0c\u9700\u68c0\u67e5\u6837\u672c\u6587\u4ef6\u3002'\r\ndefine: '\u5982\u679c\u8fdb\u7a0b\u5b58\u5728\u5468\u671f\u6027\u5fc3\u8df3\u8fde\u63a5\uff0c\u5e76\u4e14\u6267\u884c\u7684\u547d\u4ee4\u683c\u5f0f\u7591\u4f3cCobalt Strike\uff0c\u5219\u5224\u5b9a\u8be5\u8fdb\u7a0b\u53ef\u80fd\u4e3aCobalt Strike\u6728\u9a6c\u3002'\r\n\r\nstorm_grouping_field:\r\n    - 'host_computer_name'\r\n\r\nfalsepositives:\r\n    - 
'\u7531\u4e8e\u4e0d\u5b58\u5728\u5f3a\u7279\u5f81\uff0c\u56e0\u6b64\u6709\u4e00\u5b9a\u8bef\u62a5\u7684\u53ef\u80fd\u3002'\r\n\r\nepl: '\r\n@name(\"\u53d1\u73b0Windows\u4e0b\u7591\u4f3cCobaltStrike\u6728\u9a6c\u8fdb\u7a0b_Sysmon_\u67e5\u8be2\u540c\u65f6\u6709\u4e24\u4e2a\u884c\u4e3a\u7684\u8fdb\u7a0b_1\")\r\nselect * from pattern [\r\n    every-distinct(\r\n        b.computer_name, b.event_data_parentimage,\r\n        b.event_data_parentprocessguid, b.event_data_parentprocessid, b.event_data_commandline, 5 min\r\n    )\r\n    b=SigmaAlerts(alert_signature = \"Windows\u6267\u884c\u53ef\u7591\u7684\u547d\u4ee4\u683c\u5f0f_\u7591\u4f3cCobaltStrike_Sysmon_0\") -&gt;\r\n\r\n    a=ComplexAttackAlerts(\r\n        signature = \"\u53d1\u73b0Windows\u4e0b\u53ef\u7591\u7684TCP\u5fc3\u8df3\u8fde\u63a5_Sysmon\" and\r\n        host_computer_name = b.computer_name and\r\n        host_images = b.event_data_parentimage and\r\n        host_guid = b.event_data_parentprocessguid and\r\n        host_pid = b.event_data_parentprocessid\r\n    ) where timer:within(40 min)\r\n];\r\n\r\n\r\n@name(\"\u53d1\u73b0Windows\u4e0b\u7591\u4f3cCobaltStrike\u6728\u9a6c\u8fdb\u7a0b_Sysmon_\u67e5\u8be2\u540c\u65f6\u6709\u4e24\u4e2a\u884c\u4e3a\u7684\u8fdb\u7a0b_2\")\r\nselect * from pattern [\r\n    every-distinct(\r\n        a.host_computer_name, a.host_images, a.host_guid, a.host_pid, a.dest_ip, a.dest_port, 3 min\r\n    )\r\n    a=ComplexAttackAlerts(signature = \"\u53d1\u73b0Windows\u4e0b\u53ef\u7591\u7684TCP\u5fc3\u8df3\u8fde\u63a5_Sysmon\") -&gt;\r\n\r\n    b=SigmaAlerts(\r\n        alert_signature = \"Windows\u6267\u884c\u53ef\u7591\u7684\u547d\u4ee4\u683c\u5f0f_\u7591\u4f3cCobaltStrike_Sysmon_0\" and\r\n        a.host_computer_name = computer_name and\r\n        a.host_images = event_data_parentimage and\r\n        a.host_guid = event_data_parentprocessguid and\r\n        a.host_pid = event_data_parentprocessid\r\n    ) where timer:within(40 min)\r\n];\r\n\r\n'\r\n<\/pre>\n<h4 
id=\"id-4\u3001\u544a\u8b66\u6837\u4f8b\" class=\"ct-heading\" data-diff-id=\"ct-diff-id-xVxZfId5\"><span class=\"ez-toc-section\" id=\"4%EF%BC%89%E5%91%8A%E8%AD%A6%E6%A0%B7%E4%BE%8B\"><\/span>4\uff09\u544a\u8b66\u6837\u4f8b<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>\u53ef\u4ee5\u901a\u8fc7\u6dfb\u52a0\u5c11\u91cf\u767d\u540d\u5355\u8fbe\u5230\u57fa\u672c\u65e0\u8bef\u62a5\u7684\u7a0b\u5ea6\uff0c\u4f7f\u7528CS\u6267\u884cshell\u540e\u65e0\u6f0f\u62a5\u60c5\u51b5\u3002<\/p>\n<p><a href=\"http:\/\/weizn.net\/wp-content\/uploads\/2020\/09\/xnip2020-10-12_17-24-40.jpg\" data-rel=\"penci-gallery-image-content\" ><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-627\" src=\"http:\/\/weizn.net\/wp-content\/uploads\/2020\/09\/xnip2020-10-12_17-24-40.jpg\" alt=\"\" width=\"2370\" height=\"1506\" srcset=\"http:\/\/weizn.net\/wp-content\/uploads\/2020\/09\/xnip2020-10-12_17-24-40.jpg 2370w, http:\/\/weizn.net\/wp-content\/uploads\/2020\/09\/xnip2020-10-12_17-24-40-768x488.jpg 768w, http:\/\/weizn.net\/wp-content\/uploads\/2020\/09\/xnip2020-10-12_17-24-40-1536x976.jpg 1536w, http:\/\/weizn.net\/wp-content\/uploads\/2020\/09\/xnip2020-10-12_17-24-40-2048x1301.jpg 2048w, http:\/\/weizn.net\/wp-content\/uploads\/2020\/09\/xnip2020-10-12_17-24-40-1920x1220.jpg 1920w, http:\/\/weizn.net\/wp-content\/uploads\/2020\/09\/xnip2020-10-12_17-24-40-1170x743.jpg 1170w, http:\/\/weizn.net\/wp-content\/uploads\/2020\/09\/xnip2020-10-12_17-24-40-585x372.jpg 585w\" sizes=\"auto, (max-width: 2370px) 100vw, 2370px\" \/><\/a><\/p>\n<h2><span class=\"ez-toc-section\" id=\"%E4%B8%89%E3%80%81%E5%85%B6%E5%AE%83\"><\/span>\u4e09\u3001\u5176\u5b83<span 
class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>\u5176\u5b83\u4e00\u4e9b\u68c0\u6d4b\u70b9\u6682\u6ca1\u8be6\u7ec6\u68b3\u7406\uff0c\u5f85\u4ee5\u540e\u6709\u9700\u6c42\u518d\u770b\uff0c\u5176\u5b9e\u8fd8\u6709\u4e00\u79cd\u5173\u8054\u5206\u6790\u7684\u6a21\u578b\uff0c\u76d1\u63a7\u5efa\u7acb\u4e00\u4e2a\u6216\u4e24\u4e2a\u5355\u5411\u533f\u540d\u7ba1\u9053\u7ed1\u5b9acmd\u6267\u884c\u547d\u4ee4\u7684\u65b9\u6cd5\uff0c\u8fd9\u79cd\u6a21\u578b\u6cdb\u5316\u80fd\u529b\u8f83\u5f3a\uff0c\u8bef\u62a5\u4e5f\u5c11\uff0c\u53ef\u4ee5\u76d1\u63a7\u5927\u90e8\u5206\u5f00\u6e90\u3001\u81ea\u7814\u548c\u5546\u7528\u8fdc\u63a7\u7684shell\u547d\u4ee4\u6267\u884c\u884c\u4e3a\uff0c\u4ee5\u540e\u6709\u65f6\u95f4\u518d\u5199\u3002\uff08<a href=\"http:\/\/weizn.net\/?p=825\">\u901a\u7528\u6a21\u578b\u68c0\u6d4b\u8fdc\u63a7\u6728\u9a6c\u6267\u884c\u4ea4\u4e92\u5f0fcmdshell<\/a>\uff09<br \/>\n\u7efc\u5408\u770b\u6765\u6267\u884cshell\u547d\u4ee4\u662f\u7ea2\u961f\u4e00\u5b9a\u8981\u89c4\u907f\u7684\u884c\u4e3a\uff0c\u9664\u975e\u84dd\u961f\u6ca1\u91c7\u96c6\u7ec8\u7aef\u4fa7\u6570\u636e\uff0c\u5426\u5219\u6709\u80fd\u529b\u76d1\u63a7\uff0c\u800c\u4e14\u6267\u884cshell\u884c\u4e3a\u5728\u5185\u7f51\u7684\u566a\u97f3\u4e5f\u4e0d\u5927\u3002<\/p>\n<p>\u5bf9\u4e8e\u84dd\u961f\u6765\u8bf4\uff0c\u672c\u6587\u8fd9\u79cd\u76d1\u63a7\u65b9\u6cd5\u4e5f\u4ec5\u4ec5\u662f\u521d\u7ea7\u7684\uff0c\u7ea2\u961f\u4f9d\u7136\u53ef\u4ee5\u901a\u8fc7bin-patch\u7b49\u514d\u6740\u624b\u6bb5\u7ed5\u8fc7\uff0c\u4ee5\u540e\u6709\u7a7a\u5199\u5199\u4e00\u79cd\u6728\u9a6c\u9759\u6001\u514d\u6740\u548c\u884c\u4e3a\u514d\u6740\u7684\u65b9\u6cd5\uff0c\u53ef\u4ee5\u8fc7\u6389\u6240\u6709VT\u4e0a\u6740\u8f6f\u7684\u9759\u6001\u626b\u63cf\uff0c\u4ee5\u53ca\u6240\u4e3b\u6d41\u6c99\u7bb1\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cobalt Strike 
Beacon\u63d0\u4f9b\u4e86\u5f88\u591a\u547d\u4ee4\u63a7\u5236\u7684\u529f\u80fd\uff0c\u5176\u4e2d\u6709\u7684\u5b58\u5728\u5f3a\u7279\u5f81\uff0c\u6709\u7684\u5b58\u5728\u5f31\u7279\u5f81\uff0c\u800c\u5269\u4e0b\u7684\u57fa\u672c\u6ca1\u6709\u7279\u5f81\uff0c\u524d\u4e24\u8005\u90fd\u53ef\u4ee5\u76d1\u63a7\uff0c\u5373\u4f7f\u662f\u5f31\u7279\u5f81\u901a\u8fc7\u5173\u8054\u5206\u6790\u4e5f\u80fd\u505a\u5230\u57fa\u672c\u65e0\u8bef\u62a5\u7684\u7a0b\u5ea6\uff0c\u5982\u679c\u5185\u7f51\u4e2d\u5b58\u5728\u7ea2\u961f\u7684CS\u6728\u9a6c\uff0c\u5728\u6ca1\u6709\u5bf9\u6297\u610f\u8bc6\u7684\u60c5\u51b5\u4e0b\uff0c\u5f88\u5bb9\u6613\u505a\u51fa\u4e00\u4e9b\u300e\u9519\u8bef\u300f\u7684\u64cd\u4f5c\u88ab\u84dd\u961f\u68c0\u6d4b\u5230\u3002<\/p>\n","protected":false},"author":1,"featured_media":442,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[321],"tags":[346],"class_list":["post-439","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","tag-cobalt-strike"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v16.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>\u901a\u8fc7Sysmon\u65e5\u5fd7\u68c0\u6d4bCobalt Strike\u6728\u9a6c - Wayne&#039;s Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"http:\/\/weizn.net\/?p=439\" \/>\n<meta property=\"og:locale\" content=\"zh_CN\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\u901a\u8fc7Sysmon\u65e5\u5fd7\u68c0\u6d4bCobalt Strike\u6728\u9a6c - Wayne&#039;s Blog\" \/>\n<meta property=\"og:description\" content=\"Cobalt Strike 
Beacon\u63d0\u4f9b\u4e86\u5f88\u591a\u547d\u4ee4\u63a7\u5236\u7684\u529f\u80fd\uff0c\u5176\u4e2d\u6709\u7684\u5b58\u5728\u5f3a\u7279\u5f81\uff0c\u6709\u7684\u5b58\u5728\u5f31\u7279\u5f81\uff0c\u800c\u5269\u4e0b\u7684\u57fa\u672c\u6ca1\u6709\u7279\u5f81\uff0c\u524d\u4e24\u8005\u90fd\u53ef\u4ee5\u76d1\u63a7\uff0c\u5373\u4f7f\u662f\u5f31\u7279\u5f81\u901a\u8fc7\u5173\u8054\u5206\u6790\u4e5f\u80fd\u505a\u5230\u57fa\u672c\u65e0\u8bef\u62a5\u7684\u7a0b\u5ea6\uff0c\u5982\u679c\u5185\u7f51\u4e2d\u5b58\u5728\u7ea2\u961f\u7684CS\u6728\u9a6c\uff0c\u5728\u6ca1\u6709\u5bf9\u6297\u610f\u8bc6\u7684\u60c5\u51b5\u4e0b\uff0c\u5f88\u5bb9\u6613\u505a\u51fa\u4e00\u4e9b\u300e\u9519\u8bef\u300f\u7684\u64cd\u4f5c\u88ab\u84dd\u961f\u68c0\u6d4b\u5230\u3002\" \/>\n<meta property=\"og:url\" content=\"http:\/\/weizn.net\/?p=439\" \/>\n<meta property=\"og:site_name\" content=\"Wayne&#039;s Blog\" \/>\n<meta property=\"article:published_time\" content=\"2020-09-29T08:52:53+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-12-15T09:24:38+00:00\" \/>\n<meta property=\"og:image\" content=\"http:\/\/weizn.net\/wp-content\/uploads\/2020\/09\/cobaltstrike.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1952\" \/>\n\t<meta property=\"og:image:height\" content=\"1008\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"\u4f5c\u8005\" \/>\n\t<meta name=\"twitter:data1\" content=\"zinan\" \/>\n\t<meta name=\"twitter:label2\" content=\"\u9884\u8ba1\u9605\u8bfb\u65f6\u95f4\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 \u5206\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"http:\/\/weizn.net\/#website\",\"url\":\"http:\/\/weizn.net\/\",\"name\":\"Wayne&#039;s 
Blog\",\"description\":\"\",\"publisher\":{\"@id\":\"http:\/\/weizn.net\/#\/schema\/person\/e88bc12c590502d8b6249326f960b264\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"http:\/\/weizn.net\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"zh-Hans\"},{\"@type\":\"ImageObject\",\"@id\":\"http:\/\/weizn.net\/?p=439#primaryimage\",\"inLanguage\":\"zh-Hans\",\"url\":\"http:\/\/weizn.net\/wp-content\/uploads\/2020\/09\/cobaltstrike.jpg\",\"contentUrl\":\"http:\/\/weizn.net\/wp-content\/uploads\/2020\/09\/cobaltstrike.jpg\",\"width\":1952,\"height\":1008},{\"@type\":\"WebPage\",\"@id\":\"http:\/\/weizn.net\/?p=439#webpage\",\"url\":\"http:\/\/weizn.net\/?p=439\",\"name\":\"\\u901a\\u8fc7Sysmon\\u65e5\\u5fd7\\u68c0\\u6d4bCobalt Strike\\u6728\\u9a6c - Wayne&#039;s Blog\",\"isPartOf\":{\"@id\":\"http:\/\/weizn.net\/#website\"},\"primaryImageOfPage\":{\"@id\":\"http:\/\/weizn.net\/?p=439#primaryimage\"},\"datePublished\":\"2020-09-29T08:52:53+00:00\",\"dateModified\":\"2021-12-15T09:24:38+00:00\",\"breadcrumb\":{\"@id\":\"http:\/\/weizn.net\/?p=439#breadcrumb\"},\"inLanguage\":\"zh-Hans\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"http:\/\/weizn.net\/?p=439\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"http:\/\/weizn.net\/?p=439#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"\\u9996\\u9875\",\"item\":\"http:\/\/weizn.net\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"\\u901a\\u8fc7Sysmon\\u65e5\\u5fd7\\u68c0\\u6d4bCobalt Strike\\u6728\\u9a6c\"}]},{\"@type\":\"Article\",\"@id\":\"http:\/\/weizn.net\/?p=439#article\",\"isPartOf\":{\"@id\":\"http:\/\/weizn.net\/?p=439#webpage\"},\"author\":{\"@id\":\"http:\/\/weizn.net\/#\/schema\/person\/e88bc12c590502d8b6249326f960b264\"},\"headline\":\"\\u901a\\u8fc7Sysmon\\u65e5\\u5fd7\\u68c0\\u6d4bCobalt 
Strike\\u6728\\u9a6c\",\"datePublished\":\"2020-09-29T08:52:53+00:00\",\"dateModified\":\"2021-12-15T09:24:38+00:00\",\"mainEntityOfPage\":{\"@id\":\"http:\/\/weizn.net\/?p=439#webpage\"},\"wordCount\":119,\"commentCount\":0,\"publisher\":{\"@id\":\"http:\/\/weizn.net\/#\/schema\/person\/e88bc12c590502d8b6249326f960b264\"},\"image\":{\"@id\":\"http:\/\/weizn.net\/?p=439#primaryimage\"},\"thumbnailUrl\":\"http:\/\/weizn.net\/wp-content\/uploads\/2020\/09\/cobaltstrike.jpg\",\"keywords\":[\"Cobalt Strike\"],\"articleSection\":[\"\\u5e94\\u7528\\u5b89\\u5168\"],\"inLanguage\":\"zh-Hans\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"http:\/\/weizn.net\/?p=439#respond\"]}]},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"http:\/\/weizn.net\/#\/schema\/person\/e88bc12c590502d8b6249326f960b264\",\"name\":\"zinan\",\"logo\":{\"@id\":\"http:\/\/weizn.net\/#personlogo\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"\u901a\u8fc7Sysmon\u65e5\u5fd7\u68c0\u6d4bCobalt Strike\u6728\u9a6c - Wayne&#039;s Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"http:\/\/weizn.net\/?p=439","og_locale":"zh_CN","og_type":"article","og_title":"\u901a\u8fc7Sysmon\u65e5\u5fd7\u68c0\u6d4bCobalt Strike\u6728\u9a6c - Wayne&#039;s Blog","og_description":"Cobalt Strike 
Beacon\u63d0\u4f9b\u4e86\u5f88\u591a\u547d\u4ee4\u63a7\u5236\u7684\u529f\u80fd\uff0c\u5176\u4e2d\u6709\u7684\u5b58\u5728\u5f3a\u7279\u5f81\uff0c\u6709\u7684\u5b58\u5728\u5f31\u7279\u5f81\uff0c\u800c\u5269\u4e0b\u7684\u57fa\u672c\u6ca1\u6709\u7279\u5f81\uff0c\u524d\u4e24\u8005\u90fd\u53ef\u4ee5\u76d1\u63a7\uff0c\u5373\u4f7f\u662f\u5f31\u7279\u5f81\u901a\u8fc7\u5173\u8054\u5206\u6790\u4e5f\u80fd\u505a\u5230\u57fa\u672c\u65e0\u8bef\u62a5\u7684\u7a0b\u5ea6\uff0c\u5982\u679c\u5185\u7f51\u4e2d\u5b58\u5728\u7ea2\u961f\u7684CS\u6728\u9a6c\uff0c\u5728\u6ca1\u6709\u5bf9\u6297\u610f\u8bc6\u7684\u60c5\u51b5\u4e0b\uff0c\u5f88\u5bb9\u6613\u505a\u51fa\u4e00\u4e9b\u300e\u9519\u8bef\u300f\u7684\u64cd\u4f5c\u88ab\u84dd\u961f\u68c0\u6d4b\u5230\u3002","og_url":"http:\/\/weizn.net\/?p=439","og_site_name":"Wayne&#039;s Blog","article_published_time":"2020-09-29T08:52:53+00:00","article_modified_time":"2021-12-15T09:24:38+00:00","og_image":[{"width":1952,"height":1008,"url":"http:\/\/weizn.net\/wp-content\/uploads\/2020\/09\/cobaltstrike.jpg","path":"\/app\/wp-content\/uploads\/2020\/09\/cobaltstrike.jpg","size":"full","id":442,"alt":"","pixels":1967616,"type":"image\/jpeg"}],"twitter_card":"summary_large_image","twitter_misc":{"\u4f5c\u8005":"zinan","\u9884\u8ba1\u9605\u8bfb\u65f6\u95f4":"4 \u5206"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebSite","@id":"http:\/\/weizn.net\/#website","url":"http:\/\/weizn.net\/","name":"Wayne&#039;s Blog","description":"","publisher":{"@id":"http:\/\/weizn.net\/#\/schema\/person\/e88bc12c590502d8b6249326f960b264"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"http:\/\/weizn.net\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"zh-Hans"},{"@type":"ImageObject","@id":"http:\/\/weizn.net\/?p=439#primaryimage","inLanguage":"zh-Hans","url":"http:\/\/weizn.net\/wp-content\/uploads\/2020\/09\/cobaltstrike.jpg","contentUrl":"http:\/\/weizn.net\/wp-content\/uploads\/2020\/09\/cobaltstrike.jpg","width":1952,"height":1008},{"@type":"WebPage","@id":"http:\/\/weizn.net\/?p=439#webpage","url":"http:\/\/weizn.net\/?p=439","name":"\u901a\u8fc7Sysmon\u65e5\u5fd7\u68c0\u6d4bCobalt Strike\u6728\u9a6c - Wayne&#039;s Blog","isPartOf":{"@id":"http:\/\/weizn.net\/#website"},"primaryImageOfPage":{"@id":"http:\/\/weizn.net\/?p=439#primaryimage"},"datePublished":"2020-09-29T08:52:53+00:00","dateModified":"2021-12-15T09:24:38+00:00","breadcrumb":{"@id":"http:\/\/weizn.net\/?p=439#breadcrumb"},"inLanguage":"zh-Hans","potentialAction":[{"@type":"ReadAction","target":["http:\/\/weizn.net\/?p=439"]}]},{"@type":"BreadcrumbList","@id":"http:\/\/weizn.net\/?p=439#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"\u9996\u9875","item":"http:\/\/weizn.net\/"},{"@type":"ListItem","position":2,"name":"\u901a\u8fc7Sysmon\u65e5\u5fd7\u68c0\u6d4bCobalt Strike\u6728\u9a6c"}]},{"@type":"Article","@id":"http:\/\/weizn.net\/?p=439#article","isPartOf":{"@id":"http:\/\/weizn.net\/?p=439#webpage"},"author":{"@id":"http:\/\/weizn.net\/#\/schema\/person\/e88bc12c590502d8b6249326f960b264"},"headline":"\u901a\u8fc7Sysmon\u65e5\u5fd7\u68c0\u6d4bCobalt Strike\u6728\u9a6c","datePublished":"2020-09-29T08:52:53+00:00","dateModified":"2021-12-15T09:24:38+00:00","mainEntityOfPage":{"@id":"http:\/\/weizn.net\/?p=439#webpage"},"wordCount":119,"commentCount":0,"publisher":{"@id":"http:\/\/weizn.net\/#\/schema\/person\/e88bc12c590502d8b6249326f960b264"},"image":{"@id":"http:\/\/weizn.net\/?p=439#primaryimage"},"thumbnailUrl":"http:\/\/weizn.net\/wp-content\/uploads\/2020\/09\/cobaltstrike.jpg","keywords":["Cobalt 
Strike"],"articleSection":["\u5e94\u7528\u5b89\u5168"],"inLanguage":"zh-Hans","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["http:\/\/weizn.net\/?p=439#respond"]}]},{"@type":["Person","Organization"],"@id":"http:\/\/weizn.net\/#\/schema\/person\/e88bc12c590502d8b6249326f960b264","name":"zinan","logo":{"@id":"http:\/\/weizn.net\/#personlogo"}}]}},"_links":{"self":[{"href":"http:\/\/weizn.net\/index.php?rest_route=\/wp\/v2\/posts\/439","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/weizn.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/weizn.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/weizn.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/weizn.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=439"}],"version-history":[{"count":57,"href":"http:\/\/weizn.net\/index.php?rest_route=\/wp\/v2\/posts\/439\/revisions"}],"predecessor-version":[{"id":974,"href":"http:\/\/weizn.net\/index.php?rest_route=\/wp\/v2\/posts\/439\/revisions\/974"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/weizn.net\/index.php?rest_route=\/wp\/v2\/media\/442"}],"wp:attachment":[{"href":"http:\/\/weizn.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=439"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/weizn.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=439"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/weizn.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=439"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}