Sysinternals Sysmon System Monitor for Windows

Microsoft provides many useful tools for end users that can be used to tune, experiment with, troubleshoot, detect, secure, or otherwise work on the Windows operating system. Sysinternals System Monitor (Sysmon) is one of the newer tools released for Windows-based computers; it collects system log files. These log files are very important for understanding Windows-related issues. Once installed, Sysmon keeps working in the background as if dormant and can be brought back when needed.

Windows System Monitor

The basic workflow behind System Monitor is to store information for Windows Event Collection (Event Viewer) and Security Information and Event Management (SIEM) agents, such as process IDs, GUIDs, and SHA1, MD5 (SHA256) hashes. It stores all of these under the Applications and Services\logs\Microsoft\Windows\Sysmon\operational folder on Windows 10/8/7/Vista, and under the System event log on older Windows operating systems such as Windows XP.

How to install System Monitor

  • Download Sysmon [the link is below]
  • The downloaded file will be in zip format. Extract it using the standard Windows file extraction or try WinRAR, 7-Zip, etc.
  • Once the file is extracted, run "Sysmon", accept the EULA and click Next.
  • Wait for System Monitor to finish installing, and that's all!

How to use Sysmon

The command line that comes with sysmon can be used to install, uninstall, check and tune the System Monitor configuration:

Install:    Sysmon.exe -i [-h [sha1|md5|sha256]] [-n]
Configure:  Sysmon.exe -c [[-h [sha1|md5|sha256]] [-n]|--]
Uninstall:  Sysmon.exe -u

A few switches the user needs to understand are:

  • -i : installs the service and the driver
  • -n : logs network connection records
  • -u : uninstalls the service and the driver
  • -c : updates the configuration of the sysmon driver installed on the computer, or dumps the currently active configuration
  • -h : specifies the hash algorithm applied to the program [SHA1 is applied by default]

Examples:

  • To install the application with default settings: "sysmon -i accepteula", without the quotes [SHA1 by default]
  • To install the application with MD5 [SHA256] settings: "sysmon -i accepteula -h md5 -n"
  • To uninstall: "sysmon -u"

System Monitor stores events under Event IDs such as:

  • Event ID 1: used for process creation,
  • Event ID 2: a process changed a file creation time (with the timestamp), and
  • Event ID 3: network connection.
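
The three Event IDs above are what a SIEM or a forensic script ends up reading. The following is an added example, not code from the original post or from Sysinternals: it parses Sysmon Operational records (Event IDs 1, 2 and 3) from the XML form that Event Viewer exports, and links the file-time change and the network connection back to the process creation through the ProcessGuid that Sysmon stamps on every event. The three records, the GUIDs, hashes, paths and the destination address are constructed for the example; the field names (Image, Hashes, TargetFilename, DestinationIp, ...) are the ones Sysmon writes.

```python
# Added example (not from the original post): parse Sysmon Operational XML
# records for Event IDs 1, 2 and 3 and group them by the creating process.
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample records in the shape Sysmon writes; GUIDs, hashes,
# paths and the destination address are made up for this example.
SAMPLE_EVENTS = [
    # Event ID 1: process creation
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1</EventID><Computer>host01</Computer></System>
  <EventData>
    <Data Name="ProcessGuid">{22222222-2222-2222-2222-222222222222}</Data>
    <Data Name="ProcessId">4242</Data>
    <Data Name="Image">C:\Users\alice\AppData\Local\Temp\update.exe</Data>
    <Data Name="CommandLine">update.exe /silent</Data>
    <Data Name="Hashes">SHA1=0000000000000000000000000000000000000001,MD5=00000000000000000000000000000001</Data>
    <Data Name="ParentImage">C:\Windows\explorer.exe</Data>
  </EventData>
</Event>""",
    # Event ID 2: the same process changed a file's creation time
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>2</EventID><Computer>host01</Computer></System>
  <EventData>
    <Data Name="ProcessGuid">{22222222-2222-2222-2222-222222222222}</Data>
    <Data Name="Image">C:\Users\alice\AppData\Local\Temp\update.exe</Data>
    <Data Name="TargetFilename">C:\Users\alice\Documents\report.docx</Data>
    <Data Name="CreationUtcTime">2015-01-01 00:00:00.000</Data>
    <Data Name="PreviousCreationUtcTime">2024-03-10 09:15:22.123</Data>
  </EventData>
</Event>""",
    # Event ID 3: the same process opened an outbound connection
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>3</EventID><Computer>host01</Computer></System>
  <EventData>
    <Data Name="ProcessGuid">{22222222-2222-2222-2222-222222222222}</Data>
    <Data Name="Image">C:\Users\alice\AppData\Local\Temp\update.exe</Data>
    <Data Name="Protocol">tcp</Data>
    <Data Name="DestinationIp">203.0.113.10</Data>
    <Data Name="DestinationPort">443</Data>
  </EventData>
</Event>""",
]


def parse_hashes(field):
    """Split Sysmon's 'SHA1=...,MD5=...' Hashes field into {algorithm: hex}."""
    hashes = {}
    for part in field.split(","):
        algo, _, value = part.partition("=")
        if algo and value:
            hashes[algo.strip().upper()] = value.strip().lower()
    return hashes


def parse_event(xml_text):
    """Turn one Sysmon XML record into a flat dict keyed by what its Event ID means."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    rec = {
        "event_id": int(root.findtext("e:System/e:EventID", namespaces=NS)),
        "computer": root.findtext("e:System/e:Computer", namespaces=NS),
        "process_guid": data.get("ProcessGuid"),
        "image": data.get("Image"),
    }
    if rec["event_id"] == 1:        # process creation
        rec["kind"] = "process_create"
        rec["command_line"] = data.get("CommandLine")
        rec["parent_image"] = data.get("ParentImage")
        rec["hashes"] = parse_hashes(data.get("Hashes", ""))
    elif rec["event_id"] == 2:      # file creation time changed
        rec["kind"] = "file_time_change"
        rec["target"] = data.get("TargetFilename")
        rec["previous_time"] = data.get("PreviousCreationUtcTime")
        rec["new_time"] = data.get("CreationUtcTime")
    elif rec["event_id"] == 3:      # network connection
        rec["kind"] = "network_connect"
        rec["destination"] = f"{data.get('DestinationIp')}:{data.get('DestinationPort')}"
        rec["protocol"] = data.get("Protocol")
    else:
        rec["kind"] = "other"
    return rec


def link_by_process(records):
    """Group Event ID 2 and 3 records under the process (ProcessGuid) that produced them."""
    processes = {}
    for rec in records:
        proc = processes.setdefault(rec["process_guid"], {
            "image": rec["image"], "hashes": {}, "file_time_changes": [], "network": []})
        if rec["kind"] == "process_create":
            proc["hashes"] = rec["hashes"]
            proc["command_line"] = rec["command_line"]
        elif rec["kind"] == "file_time_change":
            proc["file_time_changes"].append((rec["target"], rec["previous_time"], rec["new_time"]))
        elif rec["kind"] == "network_connect":
            proc["network"].append((rec["protocol"], rec["destination"]))
    return processes


def parse_all(xml_records=SAMPLE_EVENTS):
    return [parse_event(x) for x in xml_records]


if __name__ == "__main__":
    for guid, proc in link_by_process(parse_all()).items():
        print(guid, proc["image"], proc["hashes"].get("SHA1"))
        print("  file time changes:", proc["file_time_changes"])
        print("  network connections:", proc["network"])
```

The ProcessGuid is the key that makes the three Event IDs useful together: a process ID is reused after the process exits, but the GUID is unique, so a network connection (Event ID 3) or a creation-time change (Event ID 2) can be tied to the exact image and hash recorded at process creation (Event ID 1) even long after the fact.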

The tool keeps running in the background and writes every event record to the log. No system reboot is needed after installing or uninstalling it.

It is a tool that belongs on every computer running Windows. Grab the System Monitor tool here!

UPDATE: Windows Sysinternals Sysmon now also records process activity in the Windows event log for use in intrusion detection and forensic analysis, including driver-load and image-load events with signature information, configurable hash algorithm reporting, flexible filters for including and excluding events, and support for applying the configuration through a configuration file as an alternative to command-line switches. It also gains detection of malware process activity.
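
The configuration file mentioned in the update is how the hash algorithms and the include/exclude filters are expressed. The file below is an added example, not a configuration from the original post or shipped by Sysinternals: it records two hashes per file and applies one filter to each of the three Event IDs covered in this post. The excluded image names and the user-profile path are illustrative choices, and the schemaversion attribute must match the schema of the Sysmon build you have installed (Sysmon.exe -s prints it).

```xml
<!-- Added example configuration (not from the original post); the image
     names and paths are illustrative choices, not recommended defaults -->
<Sysmon schemaversion="4.90">
  <!-- Record two hashes so the same file can be matched against either
       MD5- or SHA256-keyed indicators -->
  <HashAlgorithms>md5,sha256</HashAlgorithms>
  <EventFiltering>
    <!-- Event ID 1: log every process creation except one known-noisy image -->
    <ProcessCreate onmatch="exclude">
      <Image condition="end with">SearchIndexer.exe</Image>
    </ProcessCreate>
    <!-- Event ID 2: only record creation-time changes inside user profiles -->
    <FileCreateTime onmatch="include">
      <TargetFilename condition="begin with">C:\Users</TargetFilename>
    </FileCreateTime>
    <!-- Event ID 3: log network connections, but drop the browser's own traffic -->
    <NetworkConnect onmatch="exclude">
      <Image condition="end with">msedge.exe</Image>
    </NetworkConnect>
  </EventFiltering>
</Sysmon>
```

Applied at install time with Sysmon.exe -accepteula -i sysmonconfig.xml, or pushed to an already installed driver with Sysmon.exe -c sysmonconfig.xml; Sysmon.exe -c on its own dumps the configuration currently in force, which is the quickest way to confirm the filters took effect. Note the two filter directions: an "exclude" rule logs everything except what matches, so a broad exclude on Event ID 3 can silently hide the one connection an investigation needs, while an "include" rule logs only what matches.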



About the author

I am a software engineer and a Windows 10 expert. I have more than two years of experience working with modern Windows 10 and Microsoft Edge. My main focus is making your devices work better and faster. I have worked on various projects for companies including Verizon, Imac, HP, Comcast, and many others. I am also a certified instructor for Microsoft Azure cloud training.
