开源EDR whids部署

文章来源：鸿鹄实验室

whids是一款Go语言开发的开源EDR，其官方地址为：

https://github.com/0xrawsec/whids

其优点如下：

• Open Source

• Relies on Sysmon for all the heavy lifting (kernel component)

• Very powerful but also customizable detection engine

• Built by an Incident Responder for all Incident Responders to make their job easier

• Low footprint (no process injection)

• Can co-exist with any antivirus product (advised to run it along with MS Defender)

• Designed for high thoughput. It can easily enrich and analyse 4M events a day per endpoint without performance impact. Good luck to achieve that with a SIEM.

• Easily integrable with other tools (Splunk, ELK, MISP ...)

• Integrated with ATT&CK framework

官方给出的运行示意图如下：

部署过程

首先需要安装Sysmon，最新版本为13.1,下载地址为：

https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

使用-i安装既可

然后导入其配置，地址为：

https://github.com/0xrawsec/whids/tree/master/tools/sysmon/v13

如有需要，可以配置下面的两个的选项：

 gpedit.msc -> Computer ConfigurationWindows SettingsSecurity SettingsAdvanced Audit Policy ConfigurationSystem Audit PoliciesSystemAudit Security System Extension -> Enable

和

gpedit.msc -> Computer ConfigurationWindows SettingsSecurity SettingsAdvanced Audit Policy ConfigurationSystem Audit PoliciesObject AccessAudit File System -> Enable

然后运行agent

需要server的可以运行server

附一张效果图

https://github.com/0xrawsec/whids/blob/master/demo/whids.gif

“如侵权请私聊公众号删文”