|
2 | 2 | <img src="https://github.com/0xrawsec/whids/blob/master/doc/img/logo.png?s=200" alt="logo">
|
3 | 3 | </p>
|
4 | 4 |
|
5 |
| -Very flexible Host IDS designed for Windows. We are making |
6 |
| -use of a previously developped rule engine [Gene](https://github.com/0xrawsec/gene) |
7 |
| -designed to match Windows events according to custom rules. The |
8 |
| -rules are simple to write and easy to understand so that everyone can |
9 |
| -identify why a rule has triggered. |
10 |
| - |
11 |
| -With the democratisation of Sysmon, this tools is perfect to quickly build |
12 |
| -hunting rules or simply monitoring rules to screen things of interest happening on your |
13 |
| -machine(s). With WHIDS you don't have to bother with an over |
14 |
| -complicated Sysmon configuration which often turns to the nightmare when you want |
15 |
| -to be very specific.The simplest thing is just to enable all the logging |
16 |
| -capabilites of Sysmon and let WHIDS do his job, grab a coffee and wait |
17 |
| -for the juicy stuff to happen. The tool has a low overhead for the system, |
18 |
| -according to our current benchmarks. |
19 |
| - |
20 |
| -This tool can be used on any Windows machine so you might install it either on |
21 |
| -regular workstations or on Windows Event Collectors where you are receiving |
22 |
| -all the logs of your infrastructure. The output format is nothing else than |
23 |
| -JSON so it is very easy to handle the alerts generated by the HIDS in whatever |
24 |
| -tool you want to use for this purpose like ELK, Splunk or simply your favourite |
25 |
| -SIEM. |
| 5 | +## What |
| 6 | + |
| 7 | +This is an hybrid solution combining a flexible **Host IDS** with detection based **Incident Response |
| 8 | +capabilities**. The detection engine is built on top of a previously developped rule engine |
| 9 | +[Gene](https://github.com/0xrawsec/gene) specially designed to match Windows events against |
| 10 | +user defined rules. |
| 11 | + |
| 12 | +## Why |
| 13 | +* Provide an **Open Source EDR** like tool |
| 14 | +* Flexible detection |
| 15 | +* Easy integration with other open-source tools (MISP, The Hive ...) |
| 16 | + |
| 17 | +## How |
| 18 | +### Detection |
| 19 | +* On host real time detection |
| 20 | +* Listens to Windows event log channels and apply detection rules |
| 21 | +* User defined rules (we know why we detect something) |
| 22 | +* Designed to be used with MS [Sysmon](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon) |
| 23 | +* Enriches Windows events in order to build powerfull detection primitives |
| 24 | +* Central agent to distributes rules and collect alerts |
| 25 | + |
| 26 | +### Incident Response |
| 27 | +* Reacts on detection (when an event above a given criticality is detected, artifacts are collected) |
| 28 | +* Real time evidence collection (files, process memory and registries) |
| 29 | +* Central agent to collect evidences |
26 | 30 |
|
27 | 31 | <p align="center">
|
28 | 32 | <img src="https://github.com/0xrawsec/whids/blob/master/doc/img/workflow.png" alt="workflow">
|
29 | 33 | </p>
|
30 | 34 |
|
31 |
| -# Example |
| 35 | +# Demo |
| 36 | + |
| 37 | +## Rule Example |
32 | 38 |
|
33 | 39 | Here is an example of a rule designed to catch suspicious access to *lsass.exe*
|
34 | 40 | as it is done by the well known Mimikatz credential dump tool.
|
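Review bot: several spelling and grammar slips in the added prose at +7, +8, +13, +20, +23, +24 and +29: "This is an hybrid solution" should read "This is a hybrid solution", "developped" (carried over from the deleted paragraph) should be "developed", "**Open Source EDR** like tool" reads better as "**Open Source EDR**-like tool", "Listens to Windows event log channels and apply detection rules" should be "applies detection rules", "powerfull" should be "powerful", "Central agent to distributes rules" should be "to distribute rules", and "collect evidences" should be "collect evidence". Also, the deleted paragraph stated that alerts are emitted as JSON and that the tool can run on Windows Event Collectors as well as on workstations; the new What/Why/How sections say nothing about the output format or where the agent can be deployed, so consider keeping one sentence on each (for example under How / Detection), since that is the first thing an integrator wiring WHIDS into ELK, Splunk or a SIEM will look for. Finally, the `## Why` and `## How` headings at +12 and +17 are followed directly by a list item; a blank line after each heading would match the spacing used elsewhere in the README.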
@@ -56,8 +62,7 @@ as it is done by the well known Mimikatz credential dump tool.
|
56 | 62 | You can find a bunch of other rules as well as a quick introduction to the
|
57 | 63 | syntax of the rules on the [Gene repository](https://github.com/0xrawsec/gene-rules).
|
58 | 64 |
|
59 |
| -# Demo |
60 |
| - |
| 65 | +## In Action |
61 | 66 | Running WHIDS with an already running Powershell Empire agent which invokes
|
62 | 67 | Mimikatz module.
|
63 | 68 |
|
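Review bot: the new `## In Action` heading at +65 replaces the old `# Demo` heading together with its trailing blank line, so the heading now sits directly above the "Running WHIDS with..." paragraph at 66; add a blank line between them to match the spacing used for `## Rule Example` at +37/38. Minor wording in the unchanged context: "Powershell Empire" should be "PowerShell Empire", and "which invokes Mimikatz module" reads better as "which invokes the Mimikatz module".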
@@ -99,7 +104,7 @@ which matched the event.
|
99 | 104 |
|
100 | 105 | ## WHIDS
|
101 | 106 | 1. Download and extract the latest WHIDS release https://github.com/0xrawsec/whids/releases
|
102 |
| -2. Run `install.bat` as administrator |
| 107 | +2. Run `install.bat` as **administrator** |
103 | 108 | 3. Verify that files have been created at the **installation directory**
|
104 | 109 | 4. With a text editor **opened as administrator** (to prevent changing rights of WHIDs installation directory) open `config.json` and modify it as you wish
|
105 | 110 | 5. Skip this if running with a connection to a manager. If there is nothing in the **rules directory** the tool will be useless, so make sure there are some **gene** rules in there. You can get some compiled rules [here](https://raw.githubusercontent.com/0xrawsec/gene-rules/master/compiled.gen)
|
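Review bot: bolding **administrator** at +107 is fine, but two surrounding steps are worth fixing in the same pass: step 4 at 109 writes "WHIDs installation directory" with inconsistent capitalisation (the project is spelled WHIDS everywhere else), and step 5 at 110 tells the reader to skip rule installation "if running with a connection to a manager" without saying where the manager setup is documented. Since the What/How section added above presents the central agent as a key feature, add a link or section reference here so a reader following the install steps knows how to configure that connection.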
@@ -223,7 +228,7 @@ To know how to write rules for the engine please visit: https://rawsec.lu/doc/ge
|
223 | 228 |
|
224 | 229 | * Does not work properly when ran from a network share **mapped as a network drive** (this case prevent whids to identify itself and thus generate some noise). Example: if `\\vbox\test` is mounted as `Z:` drive, running `Z:\whids.exe` **won't work** while running `\\vbox\test\whids.exe` actually would.
|
225 | 230 |
|
226 |
| -# Recommandations |
| 231 | +# Recommendations |
227 | 232 |
|
228 | 233 | In order to get the most of WHIDS you need to activate specific features
|
229 | 234 |
|
|
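Review bot: the heading fix to `# Recommendations` at +231 is correct; the unchanged limitation line at 229 deserves the same treatment while this file is being touched: "when ran from a network share" should be "when run from a network share", and "this case prevent whids to identify itself and thus generate some noise" should read "this prevents WHIDS from identifying itself and thus generates some noise". At +233, "In order to get the most of WHIDS" should be "In order to get the most out of WHIDS".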