OSSEC——windows默认监控

发表于


%WINDIR%/win.ini
%WINDIR%/system.ini
C:\autoexec.bat
C:\config.sys
C:\boot.ini
%WINDIR%/System32/CONFIG.NT
%WINDIR%/System32/AUTOEXEC.NT
%WINDIR%/System32/at.exe
%WINDIR%/System32/attrib.exe
%WINDIR%/System32/cacls.exe
%WINDIR%/System32/debug.exe
%WINDIR%/System32/drwatson.exe
%WINDIR%/System32/drwtsn32.exe
%WINDIR%/System32/edlin.exe
%WINDIR%/System32/eventcreate.exe
%WINDIR%/System32/eventtriggers.exe
%WINDIR%/System32/ftp.exe
%WINDIR%/System32/net.exe
%WINDIR%/System32/net1.exe
%WINDIR%/System32/netsh.exe
%WINDIR%/System32/rcp.exe
%WINDIR%/System32/reg.exe
%WINDIR%/regedit.exe
%WINDIR%/System32/regedt32.exe
%WINDIR%/System32/regsvr32.exe
%WINDIR%/System32/rexec.exe
%WINDIR%/System32/rsh.exe
%WINDIR%/System32/runas.exe
%WINDIR%/System32/sc.exe
%WINDIR%/System32/subst.exe
%WINDIR%/System32/telnet.exe
%WINDIR%/System32/tftp.exe
%WINDIR%/System32/tlntsvr.exe
%WINDIR%/System32/drivers/etc
C:\Documents and Settings/All Users/Start Menu/Programs/Startup
C:\Users/Public/All Users/Microsoft/Windows/Start Menu/Startup
.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$


HKEY_LOCAL_MACHINE\Software\Classes\batfile
HKEY_LOCAL_MACHINE\Software\Classes\cmdfile
HKEY_LOCAL_MACHINE\Software\Classes\comfile
HKEY_LOCAL_MACHINE\Software\Classes\exefile
HKEY_LOCAL_MACHINE\Software\Classes\piffile
HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects
HKEY_LOCAL_MACHINE\Software\Classes\Directory
HKEY_LOCAL_MACHINE\Software\Classes\Folder
HKEY_LOCAL_MACHINE\Software\Classes\Protocols
HKEY_LOCAL_MACHINE\Software\Policies
HKEY_LOCAL_MACHINE\Security
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components

./shared/win_audit_rcl.txt
./shared/win_applications_rcl.txt
./shared/win_malware_rcl.txt

可选监控:
所有日志:”%s\\System32\\LogFiles\\
NCSA:%s\\System32\\LogFiles\\W3SVC%d\\nc%02d%02d%02d.log
W3C :%s\\System32\\LogFiles\\W3SVC%d\\ex%02d%02d%02d.log
FTP Extended format:%s\\System32\\LogFiles\\MSFTPSVC%d\\ex%02d%02d%02d.log
dir-based:”%s\\System32\\LogFiles\\W3SVC%d”, win_dir, i);
IIS SMTP logs:%s\\System32\\LogFiles\\SMTPSVC%d\\ex%02d%02d%02d.log


HKEY_LOCAL_MACHINE\Security\Policy\Secrets
HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users
\Enum$

发表评论