Using the Sysmon tool to detect an attacker's lateral movement
Windows Sysmon tool for lateral movement alerts
Keywords
Sysmon ; Event ID ; Event logger ; Logs ; Lateral movement ; Windows event logger ; Attacker ; Defender

Abstract
This thesis presents a way of installing, configuring and operating Sysmon, a Windows system monitoring tool. Sysmon provides detailed information on process creations, network connections, and changes to file creation time. By collecting the events it produces with Windows Event Collection or SIEM agents and then analyzing them, one can detect malicious or abnormal activity and understand how intruders and malware operate on the network. With the help of Sysmon, several recorded events will be identified during lateral movement between two Windows 10 systems, one acting as the attacker and the other as the victim. To achieve this, the preferred Sysmon configuration techniques for proper logging and the preferred Windows event log configuration are introduced, together with the various tools used to carry out, log and detect lateral movement to the victim's system.