首页
学习
活动
专区
工具
TVP
发布
社区首页 >专栏 >开源EDR whids部署

开源EDR whids部署

作者头像
鸿鹄实验室
发布2021-05-27 15:15:00
1.5K0
发布2021-05-27 15:15:00
举报
文章被收录于专栏:鸿鹄实验室鸿鹄实验室

whids是一款Go语言开发的开源EDR,其官方地址为:

https://github.com/0xrawsec/whids

其优点如下:

  • Open Source
  • Relies on Sysmon for all the heavy lifting (kernel component)
  • Very powerful but also customizable detection engine
  • Built by an Incident Responder for all Incident Responders to make their job easier
  • Low footprint (no process injection)
  • Can co-exist with any antivirus product (advised to run it along with MS Defender)
  • Designed for high thoughput. It can easily enrich and analyse 4M events a day per endpoint without performance impact. Good luck to achieve that with a SIEM.
  • Easily integrable with other tools (Splunk, ELK, MISP ...)
  • Integrated with ATT&CK framework

官方给出的运行示意图如下:

部署过程

首先需要安装Sysmon,最新版本为13.1,下载地址为:https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

使用-i安装既可

然后导入其配置,地址为:https://github.com/0xrawsec/whids/tree/master/tools/sysmon/v13

如有需要,可以配置下面的两个的选项:

 gpedit.msc -> Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\System\Audit Security System Extension -> Enable

gpedit.msc -> Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Object Access\Audit File System -> Enable

然后运行agent

需要server的可以运行server

附一张效果图

https://github.com/0xrawsec/whids/blob/master/demo/whids.gif

本文参与 腾讯云自媒体分享计划,分享自微信公众号。
原始发表:2021-05-09,如有侵权请联系 cloudcommunity@tencent.com 删除

本文分享自 鸿鹄实验室 微信公众号,前往查看

如有侵权,请联系 cloudcommunity@tencent.com 删除。

本文参与 腾讯云自媒体分享计划  ,欢迎热爱写作的你一起参与!

评论
登录后参与评论
0 条评论
热度
最新
推荐阅读
领券
问题归档专栏文章快讯文章归档关键词归档开发者手册归档开发者手册 Section 归档