How to use ATT&CK to analyse and improve host EDR detection capability


[The original Chinese prose of this article was lost in extraction; the outline below keeps only the technical content that survives in the residue, in the article's original order.]

1. ATT&CK background

ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) is a knowledge base of adversary behaviour maintained by MITRE, the organisation that also runs CVE, CWE and STIX (the original also references NIST). Its unit of description is the TTP (Tactics, Techniques, Procedures). Compared with the Kill Chain, ATT&CK is split into PRE-ATT&CK, which covers the Kill Chain's pre-compromise stages, and ATT&CK for Enterprise, which covers post-compromise behaviour in 12 tactics at the time of writing. The whole knowledge base is published by MITRE as STIX 2.0 on GitHub.

2. Using ATT&CK to assess EDR

The original describes a four-step process (step text lost): take the TTPs used by real APT groups, map them onto ATT&CK techniques, reproduce them, and check which ones the host agent (HIDS/EDR) detects. The worked example is credential dumping with mimikatz, ATT&CK technique T1003.

3. Host telemetry: Sysmon and winlogbeat

Sysmon, from the Sysinternals suite, is a Windows service plus driver that records process creation, image loads, process access and similar events into the Windows event log (the original discusses it alongside ETW, EventLog and the minifilter driver model). Its event stream is the raw material for the EDR agent's detections. The logs are shipped to ELK with winlogbeat; the relevant winlogbeat.yml fragment adds the Sysmon channel next to the System log:

    winlogbeat.event_logs:
      - name: System
      - name: Microsoft-Windows-Sysmon/Operational

Test the configuration, then start the service:

    .\winlogbeat.exe -c .\winlogbeat.yml -configtest -e
    Start-Service winlogbeat

4. Detecting mimikatz with Sysmon

Sysmon ProcessCreate (Event ID 1, "Process Monitoring" in ATT&CK's data sources) catches mimikatz.exe by image name or hash, but that fails as soon as the binary is renamed or rebuilt (T1036, Masquerading) or replaced by a PowerShell implementation. Two behavioural signals survive renaming:

- Image loads (Event ID 7): mimikatz loads cryptdll.dll, samlib.dll, hid.dll, WinSCard.dll and vaultcli.dll, and then opens lsass.exe. A process that loads this DLL set is worth alerting on regardless of its name; the original expresses this as a YAML rule for T1003 and drives it with a .bat that launches mimikatz.
- Process access (Event ID 10): the access rights mimikatz requests on LSASS show up in GrantedAccess. The Splunk search used in the original:

    EventCode=10 TargetImage="C:\WINDOWS\system32\lsass.exe"
    (GrantedAccess=0x1410 OR GrantedAccess=0x1010 OR GrantedAccess=0x1438 OR GrantedAccess=0x143a OR GrantedAccess=0x1418)
    CallTrace="C:\windows\SYSTEM32\ntdll.dll+*|C:\windows\System32\KERNELBASE.dll+20edd|UNKNOWN(*)"
    | table _time hostname user SourceImage GrantedAccess

The CallTrace clause (ntdll into KERNELBASE into unbacked memory) is what separates mimikatz from legitimate processes that also open LSASS; note that the KERNELBASE.dll offset is tied to the Windows build the rule was written on.

The PowerShell variants of mimikatz shipped with Empire and Metasploit are tested the same way, checking in Elasticsearch that the same DLL loads appear. Atomic Red Team supplies ready-made tests mapped to MITRE ATT&CK IDs for exercising each detection.

5. Other procedures under T1003

The same technique has several procedures, and each needs its own detection:

- vssadmin: create a shadow copy and copy out the SAM and SYSTEM hives (SYSKEY from SYSTEM is needed to decrypt SAM), then extract NTLM hashes offline; the same VSS trick on a domain controller yields ntds.dit with every AD account hash.
- Mimikatz (by Gentil Kiwi) reading lsass.exe memory on a live Windows host.
- ProcDump (Sysinternals) dumping lsass.exe to a file, with mimikatz run later against the dump to extract hashes.
- NTDS dumping tools (the original names Ntdsdump) that parse ntds.dit together with the SYSTEM hive to recover hashes.

6. ATT&CK sub-techniques

The original closes with the ATT&CK sub-technique reorganisation: OS Credential Dumping gains sub-techniques (Windows SAM among them), T1134 is split into T1134.001 and T1134.002, and Bootkit is folded under Pre-OS Boot (Hypervisor is also mentioned). Sysmon-based detections therefore need to be reviewed per sub-technique, since one TTP such as accessing lsass.exe may map to a more specific ID than before. Mapping each Sysmon detection to ATT&CK TTPs in this way is what lets the EDR's coverage be measured and its gaps prioritised.
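The two Sysmon signals above, the Event ID 10 lsass-access query and the Event ID 7 DLL-set rule, as detection logic run over a few constructed Sysmon events. This is an added example, not code from the original article or from Sysmon; the event XML, process GUIDs and file paths are invented sample data, and the KERNELBASE.dll+20edd offset is taken from the page's query on the assumption that it is re-derived per Windows build.

```python
"""Sysmon-based mimikatz detection rules from the page, run over sample events.

Added example, not the original article's code. It implements the two signals
the page relies on: Event ID 10 (ProcessAccess to lsass.exe, the Splunk query
above) and Event ID 7 (ImageLoad of the DLL set mimikatz pulls in). All event
XML below is constructed sample data, not captured telemetry.
"""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# GrantedAccess masks from the page's Event ID 10 query.
LSASS_ACCESS_MASKS = {0x1410, 0x1010, 0x1438, 0x143A, 0x1418}

# CallTrace from the page's query: ntdll -> KERNELBASE -> unbacked memory.
# Assumption: the KERNELBASE.dll+20edd offset is specific to one Windows build
# and must be re-derived for each build you deploy this on.
CALLTRACE_RE = re.compile(
    r"ntdll\.dll\+[0-9a-f]+\|.*KERNELBASE\.dll\+20edd\|UNKNOWN\(", re.IGNORECASE)

# DLLs the page lists as loaded by mimikatz. Keying on the set rather than the
# executable name also catches a renamed binary (T1036).
MIMIKATZ_DLLS = {"cryptdll.dll", "samlib.dll", "hid.dll", "winscard.dll",
                 "vaultcli.dll"}


def parse_sysmon_event(xml_text):
    """Flatten one Sysmon event: EventID plus every EventData field by name."""
    root = ET.fromstring(xml_text)
    ev = {"EventID": int(root.find("e:System/e:EventID", NS).text)}
    for d in root.findall("e:EventData/e:Data", NS):
        ev[d.get("Name")] = d.text or ""
    return ev


def is_lsass_credential_access(ev):
    """Event ID 10 rule: lsass target, mimikatz-like rights, matching call trace."""
    if ev["EventID"] != 10:
        return False
    if not ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return False
    if int(ev.get("GrantedAccess", "0"), 16) not in LSASS_ACCESS_MASKS:
        return False
    return bool(CALLTRACE_RE.search(ev.get("CallTrace", "")))


def processes_loading_mimikatz_dlls(events):
    """Event ID 7 rule: ProcessGuids whose image loads cover all of MIMIKATZ_DLLS."""
    loaded = {}
    for ev in events:
        if ev["EventID"] != 7:
            continue
        dll = ev.get("ImageLoaded", "").rsplit("\\", 1)[-1].lower()
        loaded.setdefault(ev.get("ProcessGuid"), set()).add(dll)
    return sorted(g for g, dlls in loaded.items() if MIMIKATZ_DLLS <= dlls)


def _event(event_id, **data):
    """Build a minimal Sysmon event in Windows event XML (constructed data)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f"</System><EventData>{fields}</EventData></Event>")


SYS32 = r"C:\Windows\System32"
MIMI_TRACE = (r"C:\WINDOWS\SYSTEM32\ntdll.dll+9c534|"
              r"C:\WINDOWS\System32\KERNELBASE.dll+20edd|UNKNOWN(00000000001A0F4C)")
BENIGN_TRACE = (r"C:\WINDOWS\SYSTEM32\ntdll.dll+9c534|"
                r"C:\WINDOWS\System32\KERNELBASE.dll+2cb4e|" + SYS32 + r"\taskmgr.exe+1a2b3")

# Constructed sample: {guid-A} is mimikatz renamed to update.exe; the rest is
# benign activity that also touches lsass or loads some of the same DLLs.
SAMPLE_EVENTS = [
    _event(10, SourceImage=r"C:\Temp\update.exe", TargetImage=SYS32 + r"\lsass.exe",
           GrantedAccess="0x1010", CallTrace=MIMI_TRACE),
    _event(10, SourceImage=SYS32 + r"\wbem\wmiprvse.exe", TargetImage=SYS32 + r"\lsass.exe",
           GrantedAccess="0x1000", CallTrace=MIMI_TRACE),       # rights not in the mask set
    _event(10, SourceImage=SYS32 + r"\taskmgr.exe", TargetImage=SYS32 + r"\lsass.exe",
           GrantedAccess="0x1410", CallTrace=BENIGN_TRACE),     # rights match, trace does not
] + [
    _event(7, ProcessGuid="{guid-A}", Image=r"C:\Temp\update.exe", ImageLoaded=SYS32 + "\\" + d)
    for d in ("cryptdll.dll", "samlib.dll", "hid.dll", "WinSCard.dll", "vaultcli.dll")
] + [
    _event(7, ProcessGuid="{guid-B}", Image=SYS32 + r"\explorer.exe", ImageLoaded=SYS32 + "\\" + d)
    for d in ("samlib.dll", "vaultcli.dll")                     # partial set, no alert
]


def run(events_xml=SAMPLE_EVENTS):
    """Return (lsass access hits, processes matching the full DLL set)."""
    events = [parse_sysmon_event(x) for x in events_xml]
    lsass_hits = [(e["SourceImage"], e["GrantedAccess"])
                  for e in events if is_lsass_credential_access(e)]
    return lsass_hits, processes_loading_mimikatz_dlls(events)


if __name__ == "__main__":
    print(run())
```

Only the renamed binary trips both rules: wmiprvse.exe opens LSASS with rights outside the mask set, and taskmgr.exe requests matching rights but from a normal call stack, which is exactly the false positive the CallTrace clause in the page's query exists to suppress.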


