In the last article, we collected data in order to monitor the exploitation of a vulnerability in Windows Server acting as a domain controller. In this article, we will look at whether other classes of exploits can be monitored with the ELK, Zabbix or Prometheus tools.
Exploit classification from a monitoring point of view
- . .
? . β1 :
, .
ELK, Zabbix Prometheus. .
. , . , . .
699 ? , . , CWE-120. , , . . .
, . , .
? . . VMMap. , , , .. ?
, . 699 , . , , , . :
,
Mitre
. . , , .
CVE-2020-1472 Microsoft , , . . .
CVE-2020-0796. - , . 2 :
, . - , -.
. github C++. , .
:
loopback 445 . . , primary . cmd.exe. ? :
, , . "Security" . ? 2 :
IDS loopback
Endpoint
3- . Windows , . SysMon. , , . . loopback , :
...
<RuleGroup name="" groupRelation="or">
<NetworkConnect onmatch="exclude">
...
<DestinationIp condition="is">127.0.0.1</DestinationIp> <==
<DestinationIp condition="begin with">fe80:0:0:0</DestinationIp> <==
</NetworkConnect>
</RuleGroup>
...
. Windows 10 : Applications and Services Logs\Microsoft\Windows\Sysmon\Operational.
Sysmon :
sysmon.exe -accepteula -i sysmonconfig-export.xml
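Two checks that go with the Sysmon setup above, as an added example that is not part of the original article or of Sysmon itself: the first scans a Sysmon configuration for NetworkConnect exclude rules that would suppress loopback connections (the lines marked with "<==" in the fragment above), the second runs over exported Event ID 3 (NetworkConnect) records and flags connections to the loopback interface on TCP port 445, the pattern described for the local exploit. The configuration, events, process names, GUIDs and timestamps are constructed for the example; the textual form Sysmon uses for the IPv6 loopback address ("0:0:0:0:0:0:0:1") is an assumption, as are the function names.

```python
"""Added example: checks for Sysmon-based monitoring of loopback SMB connections.

Not from the original article. All XML below is constructed in the shape Sysmon
uses for its configuration and for Microsoft-Windows-Sysmon/Operational events.
"""
import ipaddress
import xml.etree.ElementTree as ET

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# IPv4 and IPv6 loopback as they are assumed to appear in DestinationIp.
LOOPBACK = ("127.0.0.1", "0:0:0:0:0:0:0:1")


def _condition_matches(condition, value, address):
    """Approximate the Sysmon string conditions relevant to DestinationIp rules."""
    v, a = value.lower(), address.lower()
    if condition == "is":
        return a == v
    if condition == "is any":
        return a in [x.strip() for x in v.split(";")]
    if condition == "begin with":
        return a.startswith(v)
    if condition == "end with":
        return a.endswith(v)
    if condition == "contains":
        return v in a
    return False  # other Sysmon conditions are not needed for this check


def config_loopback_exclusions(config_xml, addresses=LOOPBACK):
    """Return (condition, value) for each DestinationIp rule inside a
    NetworkConnect onmatch="exclude" block that matches one of `addresses`.
    An empty list means connections to those addresses will be logged."""
    root = ET.fromstring(config_xml)
    hits = []
    for nc in root.iter("NetworkConnect"):
        if (nc.get("onmatch") or "").lower() != "exclude":
            continue
        for rule in nc.iter("DestinationIp"):
            cond = (rule.get("condition") or "is").lower()  # Sysmon default is "is"
            value = (rule.text or "").strip()
            if any(_condition_matches(cond, value, a) for a in addresses):
                hits.append((cond, value))
    return hits


def make_event(event_id, **data):
    """Build a Sysmon event record in Windows event XML (constructed test input)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{EVT_NS["e"]}"><System>'
            f'<Provider Name="Microsoft-Windows-Sysmon"/><EventID>{event_id}</EventID>'
            f"</System><EventData>{fields}</EventData></Event>")


def parse_event(xml_text):
    """Return (EventID, {Data Name: value}) for one Sysmon event record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", EVT_NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", EVT_NS)}
    return event_id, data


def is_loopback_smb(event_id, data, port=445):
    """True for a NetworkConnect (ID 3) over TCP to a loopback address on `port`."""
    if event_id != 3 or data.get("Protocol", "").lower() != "tcp":
        return False
    try:
        dst = ipaddress.ip_address(data.get("DestinationIp", ""))
    except ValueError:
        return False
    return dst.is_loopback and int(data.get("DestinationPort", 0)) == port


def find_loopback_smb_connects(events):
    """Return (UtcTime, Image, DestinationIp) for every matching record."""
    hits = []
    for xml_text in events:
        event_id, data = parse_event(xml_text)
        if is_loopback_smb(event_id, data):
            hits.append((data.get("UtcTime"), data.get("Image"), data.get("DestinationIp")))
    return hits


# Constructed configuration with the two exclusions the article points at.
SAMPLE_CONFIG = """<Sysmon schemaversion="4.22"><EventFiltering>
<RuleGroup name="" groupRelation="or"><NetworkConnect onmatch="exclude">
<Image condition="image">OneDrive.exe</Image>
<DestinationIp condition="is">127.0.0.1</DestinationIp>
<DestinationIp condition="begin with">fe80:0:0:0</DestinationIp>
</NetworkConnect></RuleGroup></EventFiltering></Sysmon>"""

# Same configuration with the loopback exclusions removed.
HARDENED_CONFIG = """<Sysmon schemaversion="4.22"><EventFiltering>
<RuleGroup name="" groupRelation="or"><NetworkConnect onmatch="exclude">
<Image condition="image">OneDrive.exe</Image>
</NetworkConnect></RuleGroup></EventFiltering></Sysmon>"""

# Constructed events: a loopback SMB connect, normal SMB to a file server,
# loopback WinRM, a ProcessCreate for cmd.exe, and an IPv6 loopback SMB connect.
SAMPLE_EVENTS = [
    make_event(3, UtcTime="2020-10-01 10:00:00.000", Image=r"C:\Users\lab\poc.exe",
               Protocol="tcp", DestinationIp="127.0.0.1", DestinationPort="445"),
    make_event(3, UtcTime="2020-10-01 10:00:01.000", Image=r"C:\Windows\explorer.exe",
               Protocol="tcp", DestinationIp="10.0.0.5", DestinationPort="445"),
    make_event(3, UtcTime="2020-10-01 10:00:02.000", Image=r"C:\Windows\System32\wsmprovhost.exe",
               Protocol="tcp", DestinationIp="127.0.0.1", DestinationPort="5985"),
    make_event(1, UtcTime="2020-10-01 10:00:03.000", Image=r"C:\Windows\System32\cmd.exe"),
    make_event(3, UtcTime="2020-10-01 10:00:04.000", Image=r"C:\Users\lab\poc.exe",
               Protocol="tcp", DestinationIp="0:0:0:0:0:0:0:1", DestinationPort="445"),
]

if __name__ == "__main__":
    print("exclusions hiding loopback:", config_loopback_exclusions(SAMPLE_CONFIG))
    for hit in find_loopback_smb_connects(SAMPLE_EVENTS):
        print("loopback SMB connect:", hit)
```

The configuration check only reports rules that match the addresses you pass in, so the "fe80:0:0:0" exclusion is flagged only if a link-local address is included in `addresses`; the event check relies on `ipaddress` rather than string comparison so that both loopback forms are caught, and a malformed DestinationIp is skipped rather than raising.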
Sysmon:
, . Zabbix. . , .
P.S. Linux SysMon.