# 搭建 EDR 测试环境 有效的 EDR 测试环境对于我们检验自己所写载荷的规避性能十分重要。可惜的是,EDR 几乎都不对个人用户开放,而且通常都有着最低设备数量要求,价格也不菲。除了在公司里申请一个配置了 EDR 的测试主机外或者申请一期一会的免费试用,本小节内容会教大家如何用最小的代价配置 2 款主流且声誉较好的 EDR 产品。 尽管如此,即便你们编写的载荷能完美绕过这 2 款 EDR,也不代表能绕过客户或者自己企业里的安全产品,因为尤其是对于中大型企业,他们会订阅更加高级的套餐,使得他们 EDR 的特性与性能更为强大,以及会与其他安全产品例如防火墙,IDS/IPS 产生联动。 如果有条件,最好能有一台物理设备用于安装与配置 EDR,以实现最强的检测性能。 ### **Microsoft Defender for Business** 除了 Windows 自带的 Windows Defender,微软还有着 EDR 和 XDR 产品。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2024-05/scaled-1680-/WP0ad5w0aRNi2034-image.png)](https://raven-medicine.com/uploads/images/gallery/2024-05/WP0ad5w0aRNi2034-image.png) XDR 乃至 EDR 的购买主要面向中大型企业,销售会验证企业资质,以及往往有着最低设备数量的要求。因此,对于我们做安全研究与测试有些不便与奢侈。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2024-05/scaled-1680-/XkfXcDitPkaZkFHS-image.png)](https://raven-medicine.com/uploads/images/gallery/2024-05/XkfXcDitPkaZkFHS-image.png) 不过,Microsoft Defender for Business([https://www.microsoft.com/en-us/security/business/endpoint-security/microsoft-defender-business#Microsoft-defender-plans-and-pricing](https://www.microsoft.com/en-us/security/business/endpoint-security/microsoft-defender-business#Microsoft-defender-plans-and-pricing)) 为我们提供了个门槛很低的选项,每个月 3 美元即可。MDB 主要面向 1-300 人的小型企业,但相应的,检测性能与功能丰富程度也逊于 MDE,但对于我们初入 EDR 对抗也足以。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2024-05/scaled-1680-/uihnqOlyG1hRaObB-image.png)](https://raven-medicine.com/uploads/images/gallery/2024-05/uihnqOlyG1hRaObB-image.png) 我们点击 Buy now,左边的套餐即可。我们输入一个有效的邮箱地址。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2024-05/scaled-1680-/DiTwxsWaCKJfds2v-image.png)](https://raven-medicine.com/uploads/images/gallery/2024-05/DiTwxsWaCKJfds2v-image.png) 确认使用该邮箱地址 [![image.png](https://raven-medicine.com/uploads/images/gallery/2024-05/scaled-1680-/wN4W3ERyGvWd36SC-image.png)](https://raven-medicine.com/uploads/images/gallery/2024-05/wN4W3ERyGvWd36SC-image.png) 填写相关信息,之后需要接收手机验证码。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2024-05/scaled-1680-/6fCHe85FAIpO193O-image.png)](https://raven-medicine.com/uploads/images/gallery/2024-05/6fCHe85FAIpO193O-image.png) 设置一个初始账户,记住自己的企业域名,是 **\*.onmicrosoft.com** 的形式。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2024-05/scaled-1680-/xaKw39vRq8RSkxlS-image.png)](https://raven-medicine.com/uploads/images/gallery/2024-05/xaKw39vRq8RSkxlS-image.png) 之后,我们可以选择需要购买的数量,1 个即可,输入支付方式信息,需要有借记卡或者信用卡。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2024-05/scaled-1680-/Vy8tFy2qO7aif4ym-image.png)](https://raven-medicine.com/uploads/images/gallery/2024-05/Vy8tFy2qO7aif4ym-image.png) 核对信息,确认支付。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2024-05/scaled-1680-/dTAoDtYtOeEIxRzv-image.png)](https://raven-medicine.com/uploads/images/gallery/2024-05/dTAoDtYtOeEIxRzv-image.png) 然后,我们便可以登录到管理员中心了。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2024-05/scaled-1680-/y7cR36EUj30Nvzsr-image.png)](https://raven-medicine.com/uploads/images/gallery/2024-05/y7cR36EUj30Nvzsr-image.png) 我们不需要该订阅的时候,可以在 **Billing -> Your product**s 这里选择取消。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2024-05/scaled-1680-/pxRhZRdILBI8dI5y-image.png)](https://raven-medicine.com/uploads/images/gallery/2024-05/pxRhZRdILBI8dI5y-image.png) 接下来,我们需要注册设备。访问 [https://security.microsoft.com/](https://security.microsoft.com/),进入 Settings -> Endpoints [![image.png](https://raven-medicine.com/uploads/images/gallery/2024-05/scaled-1680-/Wc9Mz8gaI7nOcYXs-image.png)](https://raven-medicine.com/uploads/images/gallery/2024-05/Wc9Mz8gaI7nOcYXs-image.png) 首次配置,微软会建议我们分配用户权限和通知,但我们可以暂时跳过,因此我们只是用于个人研究,而非真正管理企业。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2024-05/scaled-1680-/X467TbqdgXeCE0Rg-image.png)](https://raven-medicine.com/uploads/images/gallery/2024-05/X467TbqdgXeCE0Rg-image.png) 这里,我们选择 Local Script,即本地脚本。通过运行脚本,这会与 Entra ID 建立信任。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2024-05/scaled-1680-/TtRK58Mu0Pa9eVWw-image.png)](https://raven-medicine.com/uploads/images/gallery/2024-05/TtRK58Mu0Pa9eVWw-image.png) 在高完整度下运行命令行,执行脚本 [![image.png](https://raven-medicine.com/uploads/images/gallery/2024-05/scaled-1680-/QWbsmQjdMTlUnI6q-image.png)](https://raven-medicine.com/uploads/images/gallery/2024-05/QWbsmQjdMTlUnI6q-image.png) 然后,我们可以运行一个检测测试来验证设备已经注册成功。我们在 C 盘下创建名为 test-MDATP-test 的文件夹,然后运行下述 powershell 命令: ```powershell powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference = 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-MDATP-test\\invoice.exe');Start-Process 'C:\\test-MDATP-test\\invoice.exe' ``` [![image.png](https://raven-medicine.com/uploads/images/gallery/2024-05/scaled-1680-/5yVYENtMrHEHTnsN-image.png)](https://raven-medicine.com/uploads/images/gallery/2024-05/5yVYENtMrHEHTnsN-image.png) 如果运行后,命令行自动关闭,那么意味着检测测试通过。这里,在运行后,powershell 程序确实被关闭了。 我们可以在面板中看到注册后的设备,以及查看相应的告警。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2024-05/scaled-1680-/j3C7HQi1soE6JTzV-image.png)](https://raven-medicine.com/uploads/images/gallery/2024-05/j3C7HQi1soE6JTzV-image.png) 检测日志的出现可能存在延迟,不过几分钟后,我们便能看到对应的告警。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2024-05/scaled-1680-/Poy6xZJ6DeyLs31t-image.png)](https://raven-medicine.com/uploads/images/gallery/2024-05/Poy6xZJ6DeyLs31t-image.png) ### **Elastic EDR** Elastic EDR 是一款易于部署,业内有着良好声誉,免费的 EDR 产品。当然,Elastic 也有面向企业的更加高级的方案,对此我们也有着 30 天的免费试用。 不过,手动配置 Elastic 栈以及 EDR 是个比较繁琐的任务,因此我们将用 Docker 简化这一过程,elastic-container 项目([https://github.com/peasead/elastic-container](https://github.com/peasead/elastic-container)) 帮了大忙。 我们将在 Ubuntu 服务器上部署,用到 Docker 来安装和运行 Elasticsearch,Kibana,和 Fleet。 首先卸载所有冲突的包: ```bash for pkg in docker.io docker-doc docker-compose podman-docker containerd runc; do sudo apt-get remove $pkg; done ``` [![image.png](https://raven-medicine.com/uploads/images/gallery/2024-05/scaled-1680-/b2BWVXfcUeUpL18k-image.png)](https://raven-medicine.com/uploads/images/gallery/2024-05/b2BWVXfcUeUpL18k-image.png) 然后,设置 Docker 仓库: ```bash sudo apt-get update sudo apt-get install ca-certificates curl gnupg ``` [![image.png](https://raven-medicine.com/uploads/images/gallery/2024-05/scaled-1680-/YNGcK8DNem0nhCVX-image.png)](https://raven-medicine.com/uploads/images/gallery/2024-05/YNGcK8DNem0nhCVX-image.png) 添加 Docker 的官方 PGP 密钥。 ```bash sudo install -m 0755 -d /etc/apt/keyrings curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg sudo chmod a+r /etc/apt/keyrings/docker.gpg ``` [![image.png](https://raven-medicine.com/uploads/images/gallery/2024-05/scaled-1680-/ekQwPETcHeqsdoRa-image.png)](https://raven-medicine.com/uploads/images/gallery/2024-05/ekQwPETcHeqsdoRa-image.png) 使用下述命令配置仓库: ```bash echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null ``` [![image.png](https://raven-medicine.com/uploads/images/gallery/2024-05/scaled-1680-/NrbpfzhprAa9Gnd9-image.png)](https://raven-medicine.com/uploads/images/gallery/2024-05/NrbpfzhprAa9Gnd9-image.png) 更新 APT 包索引: [![image.png](https://raven-medicine.com/uploads/images/gallery/2024-05/scaled-1680-/rM9jmbymj3wArLJG-image.png)](https://raven-medicine.com/uploads/images/gallery/2024-05/rM9jmbymj3wArLJG-image.png) 安装 Docker 引擎 ```bash apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin ``` [![image.png](https://raven-medicine.com/uploads/images/gallery/2024-05/scaled-1680-/uGvYIHsYVphpiJeg-image.png)](https://raven-medicine.com/uploads/images/gallery/2024-05/uGvYIHsYVphpiJeg-image.png) 接下来,我们就该安装 Elastic 了。首先,安装依赖: ```bash apt-get install jq git curl ``` [![image.png](https://raven-medicine.com/uploads/images/gallery/2024-05/scaled-1680-/rBaEdiJ3EmD9gZxh-image.png)](https://raven-medicine.com/uploads/images/gallery/2024-05/rBaEdiJ3EmD9gZxh-image.png) 克隆仓库: [![image.png](https://raven-medicine.com/uploads/images/gallery/2024-05/scaled-1680-/XyznhX8IoqLg5Ys3-image.png)](https://raven-medicine.com/uploads/images/gallery/2024-05/XyznhX8IoqLg5Ys3-image.png) 编辑项目中的 **.env** 文件 [![image.png](https://raven-medicine.com/uploads/images/gallery/2024-05/scaled-1680-/KQbAsdccumE52SeB-image.png)](https://raven-medicine.com/uploads/images/gallery/2024-05/KQbAsdccumE52SeB-image.png) 根据自己需要修改账号密码,用户名需要是 **elastic**,否则会无法启动检测引擎。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2024-05/scaled-1680-/fscCjszt13IaHjEf-image.png)](https://raven-medicine.com/uploads/images/gallery/2024-05/fscCjszt13IaHjEf-image.png) 开启 Windows 检测,并且根据需要调节 basic 或者 trial,其中 trial 是30天,提供高级检测特性。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2024-05/scaled-1680-/Qr2jd48umIglxgYx-image.png)](https://raven-medicine.com/uploads/images/gallery/2024-05/Qr2jd48umIglxgYx-image.png) 赋予脚本执行权,并且启动所有组件,脚本将下载和配置容器。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2024-05/scaled-1680-/hEg52LLvTIVrywoE-image.png)](https://raven-medicine.com/uploads/images/gallery/2024-05/hEg52LLvTIVrywoE-image.png) 几分钟后,配置完成。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2024-05/scaled-1680-/rmidRPbXbwMyqaKB-image.png)](https://raven-medicine.com/uploads/images/gallery/2024-05/rmidRPbXbwMyqaKB-image.png) 于是,我们可以访问 kibana 与 elasticsearch 面板了。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2024-05/scaled-1680-/5BBOrCVSf8UP0n2e-image.png)](https://raven-medicine.com/uploads/images/gallery/2024-05/5BBOrCVSf8UP0n2e-image.png) [![image.png](https://raven-medicine.com/uploads/images/gallery/2024-05/scaled-1680-/2pcm3sDXSHEXK15I-image.png)](https://raven-medicine.com/uploads/images/gallery/2024-05/2pcm3sDXSHEXK15I-image.png) 我们进入左侧导航栏的 **Management -> Fleet** [![image.png](https://raven-medicine.com/uploads/images/gallery/2024-05/scaled-1680-/zBkfImFnjidAcQNu-image.png)](https://raven-medicine.com/uploads/images/gallery/2024-05/zBkfImFnjidAcQNu-image.png) 配置 **Setting**s 里的 **Outputs Actions**,确保 **Advanced YAML configuration** 的值如图所示。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2024-05/scaled-1680-/DvRfv2yWN9UflF6b-image.png)](https://raven-medicine.com/uploads/images/gallery/2024-05/DvRfv2yWN9UflF6b-image.png) 添加一个 Agent [![image.png](https://raven-medicine.com/uploads/images/gallery/2024-05/scaled-1680-/rKhAUdJqu5LirXTZ-image.png)](https://raven-medicine.com/uploads/images/gallery/2024-05/rKhAUdJqu5LirXTZ-image.png) 创建一个新的 policy [![image.png](https://raven-medicine.com/uploads/images/gallery/2024-05/scaled-1680-/XSlVYOiVDRf7h0Ri-image.png)](https://raven-medicine.com/uploads/images/gallery/2024-05/XSlVYOiVDRf7h0Ri-image.png) 然后,在受控的 Windows 主机上运行下述命令,记得改成自己的 IP。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2024-05/scaled-1680-/DXhew42dnvrbwRVj-image.png)](https://raven-medicine.com/uploads/images/gallery/2024-05/DXhew42dnvrbwRVj-image.png) ```powershell $ProgressPreference = 'SilentlyContinue' Invoke-WebRequest -Uri https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-8.12.2-windows-x86_64.zip -OutFile elastic-agent-8.12.2-windows-x86_64.zip Expand-Archive .\elastic-agent-8.12.2-windows-x86_64.zip -DestinationPath . cd elastic-agent-8.12.2-windows-x86_64 .\elastic-agent.exe install --url=https://192.168.1.165:8220 --enrollment-token=U1dHZnBvOEJlTFFfLVFjampldW46a3EzU3VqV2NSc2VVTlRxeVBvSkt1QQ== --insecure ``` [![image.png](https://raven-medicine.com/uploads/images/gallery/2024-05/scaled-1680-/Ar4kWUwIZOwJd37B-image.png)](https://raven-medicine.com/uploads/images/gallery/2024-05/Ar4kWUwIZOwJd37B-image.png) 安装完成后,我们便能在列表里看到新注册的设备了。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2024-05/scaled-1680-/H5iCYWuWbMgvtLRS-image.png)](https://raven-medicine.com/uploads/images/gallery/2024-05/H5iCYWuWbMgvtLRS-image.png) 选择刚才新建的 Policy,点击 **Add Integration**,选择 **Elastic Defend**。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2024-05/scaled-1680-/gek3jVZQ7ck0pmk1-image.png)](https://raven-medicine.com/uploads/images/gallery/2024-05/gek3jVZQ7ck0pmk1-image.png) [![image.png](https://raven-medicine.com/uploads/images/gallery/2024-05/scaled-1680-/GLsqjlVTf1nzA78x-image.png)](https://raven-medicine.com/uploads/images/gallery/2024-05/GLsqjlVTf1nzA78x-image.png) 添加一个名称,选择 **Complete EDR**,作用于该 Policy,保存。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2024-05/scaled-1680-/V9BsPYOEboIjpK7R-image.png)](https://raven-medicine.com/uploads/images/gallery/2024-05/V9BsPYOEboIjpK7R-image.png) 左侧导航栏进入 **Security -> Alert** [![image.png](https://raven-medicine.com/uploads/images/gallery/2024-05/scaled-1680-/X6x5iSa3mgaHlp3z-image.png)](https://raven-medicine.com/uploads/images/gallery/2024-05/X6x5iSa3mgaHlp3z-image.png) 点击 **Manage rules**,我们可以看到已经安装的规则,确保他们都是**启用**的状态。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2024-05/scaled-1680-/LP4LMW9NyM6iCfIU-image.png)](https://raven-medicine.com/uploads/images/gallery/2024-05/LP4LMW9NyM6iCfIU-image.png) 尝试运行一个恶意软件作为测试,我们发现 Elastic EDR 能立即拦截了。 [![image.png](https://raven-medicine.com/uploads/images/gallery/2024-05/scaled-1680-/RnNIeKhWAF0NAXKU-image.png)](https://raven-medicine.com/uploads/images/gallery/2024-05/RnNIeKhWAF0NAXKU-image.png) 我们也能在面板里看到相应的告警: [![image.png](https://raven-medicine.com/uploads/images/gallery/2024-05/scaled-1680-/WJbfkQf2nMcUl5lA-image.png)](https://raven-medicine.com/uploads/images/gallery/2024-05/WJbfkQf2nMcUl5lA-image.png) 有趣的是,Elastic 公开了其检测规则([https://github.com/elastic/detection-rules](https://github.com/elastic/detection-rules)),我们可以根据检测规则中的 gap 来实现对 Elastic EDR 的绕过。 除此之外,Wazuh([https://wazuh.com/](https://wazuh.com/)) 与 OpenEDR([https://www.openedr.com/](https://www.openedr.com/)) 也是 2 款免费开源的 EDR,有兴趣可以自行配置与尝试。