whids v1.6 releases: Very flexible Host IDS designed for Windows
Very flexible Host IDS designed for Windows. It uses Gene, a rule engine we developed previously, to match Windows events against custom rules. The rules are simple to write and easy to read, so that everyone can understand why a rule has triggered.
With the democratization of Sysmon, this tool is perfect for quickly building hunting rules, or simply monitoring rules, to screen for things of interest happening on your machine(s). With WHIDS you don't have to bother with an overcomplicated Sysmon configuration, which often turns into a nightmare when you want to be very specific. The simplest approach is to enable all of Sysmon's logging capabilities and let WHIDS do its job; grab a coffee and wait for the juicy stuff to happen. According to our current benchmarks, the tool has a very low overhead on the system.
This tool can be used on any Windows machine, so you can install it on regular workstations or on Windows Event Collectors where you receive all the logs of your infrastructure. The output format is plain JSON, so the alerts generated by the HIDS are easy to handle in whatever tool you use for this purpose: ELK, Splunk, or simply your favourite SIEM.
- WHIDS is installed as a true Windows service
- Reworked the installation script to allow several options
- Created an optimized Sysmon configuration to run with WHIDS
- Process integrity check is not done before boot is finished
- Removed DNS logging features by default (since Sysmon v10 has DNSQuery events)
- Log a message if process termination logging is not enabled
- Sysmon service depends on WHIDS (solution found so that no events are missed at boot)
- Updated to the latest version of Gene (v1.6)
- New registry dump mode to dump suspicious registry entries
- Some random code refactoring
- Sysmon events enrichment:
  - Ancestors in CreateProcess
  - Name of the Windows service is resolved and put in a Services field for any event
  - CommandLine in NetworkConnect
  - User and IntegrityLevel propagated to all applicable events (all except DriverLoad)
  - CreateRemoteThread and ProcessAccess enrichment with:
Here is an example of a rule designed to catch suspicious access to lsass.exe, as performed by the well-known Mimikatz credential dumping tool.
You can find a bunch of other rules, as well as a quick introduction to the rule syntax, in the Gene repository.
Running WHIDS while an already running PowerShell Empire agent invokes the Mimikatz module.
Hereafter is the kind of output returned by WHIDS. An additional section is added to the JSON event, reporting the criticality of the alert along with the different signatures that matched the event.
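As an added example (not code from the WHIDS project), the following Python consumer reads WHIDS-style JSON lines, keeps only the events carrying the extra alert section, and triages them by criticality and matched signatures, which is the kind of routing one would do before forwarding to ELK or a SIEM. The sample events, the "GeneInfo" layout with "Criticality" and "Signature" fields, and the signature names are constructed assumptions for this example.

```python
import json
from collections import Counter

# Constructed sample of WHIDS output, one JSON event per line. The layout
# ("Event" -> "EventData"/"System" plus the added "GeneInfo" section with
# "Criticality" and "Signature") and the signature names are assumed here.
SAMPLE_OUTPUT = r'''
{"Event": {"EventData": {"SourceImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1010", "User": "DOMAIN\\alice", "IntegrityLevel": "High"}, "System": {"EventID": 10, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "WS01"}}, "GeneInfo": {"Criticality": 10, "Signature": ["MaliciousLsassAccess", "SuspiciousLsassAccess"]}}
{"Event": {"EventData": {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -NoProfile -File C:\\Users\\alice\\update.ps1", "DestinationIp": "203.0.113.7", "DestinationPort": "443", "User": "DOMAIN\\alice", "IntegrityLevel": "High"}, "System": {"EventID": 3, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "WS01"}}, "GeneInfo": {"Criticality": 6, "Signature": ["PowershellNetworkConnect"]}}
{"Event": {"EventData": {"SourceImage": "C:\\Windows\\System32\\svchost.exe", "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1000", "User": "NT AUTHORITY\\SYSTEM", "IntegrityLevel": "System"}, "System": {"EventID": 10, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "WS02"}}, "GeneInfo": {"Criticality": 3, "Signature": ["SuspiciousLsassAccess"]}}
not json at all
'''

def parse_alerts(text):
    """Parse WHIDS JSON lines, skipping blank, malformed or non-alert (no GeneInfo) lines."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # WHIDS emits only JSON; anything else is noise in the feed
        if isinstance(event, dict) and "GeneInfo" in event:
            alerts.append(event)
    return alerts

def triage(alerts, min_criticality):
    """Return (computer, criticality, signatures, event id) at or above the threshold, most critical first."""
    selected = []
    for alert in alerts:
        info, system = alert["GeneInfo"], alert["Event"]["System"]
        if info["Criticality"] >= min_criticality:
            selected.append((system["Computer"], info["Criticality"],
                             tuple(info["Signature"]), system["EventID"]))
    return sorted(selected, key=lambda hit: hit[1], reverse=True)

def signature_counts(alerts):
    """Count how often each Gene signature fired; noisy rules show up quickly."""
    counter = Counter()
    for alert in alerts:
        counter.update(alert["GeneInfo"]["Signature"])
    return counter

if __name__ == "__main__":
    found = parse_alerts(SAMPLE_OUTPUT)
    for computer, crit, sigs, eid in triage(found, 5):
        print(f"{computer} EventID={eid} criticality={crit} signatures={', '.join(sigs)}")
    print(signature_counts(found))
```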
Copyright 2018 qjerome