开源EDR whids部署

whids是一款Go语言开发的开源EDR，其官方地址为：

https://github.com/0xrawsec/whids

其优点如下：

• Open Source
• Relies on Sysmon for all the heavy lifting (kernel component)
• Very powerful but also customizable detection engine
• Built by an Incident Responder for all Incident Responders to make their job easier
• Low footprint (no process injection)
• Can co-exist with any antivirus product (advised to run it along with MS Defender)
• Designed for high thoughput. It can easily enrich and analyse 4M events a day per endpoint without performance impact. Good luck to achieve that with a SIEM.
• Easily integrable with other tools (Splunk, ELK, MISP ...)
• Integrated with ATT&CK framework

官方给出的运行示意图如下：

部署过程

首先需要安装Sysmon，最新版本为13.1,下载地址为：https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

使用-i安装既可

然后导入其配置，地址为：https://github.com/0xrawsec/whids/tree/master/tools/sysmon/v13

如有需要，可以配置下面的两个的选项：

 gpedit.msc -> Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\System\Audit Security System Extension -> Enable

和

gpedit.msc -> Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Object Access\Audit File System -> Enable

然后运行agent

需要server的可以运行server

附一张效果图

https://github.com/0xrawsec/whids/blob/master/demo/whids.gif