In recent years, targeted malware and intrusion-as-a-service models have matured. To achieve their goals, attackers use Advanced Persistent Threat (APT) techniques and every available means to evade an organization's endpoint security software, so that they can remain hidden inside the organization for long periods while carrying out the intrusion and ultimately reach their objective. The endpoint is the final line of cyber defense; accordingly, mainstream endpoint security solutions have been built on huge signature databases combined with machine-learning algorithms to strengthen detection of anomalous endpoint behavior, and this has become the main direction of development. All of these solutions, however, require a resident agent to be installed in order to detect and defend in real time. Recent security incidents show that malware can not only evade an organization's antivirus software but can go further and replace or take control of it, using a legitimate program as cover for illegitimate activity, and organizations find it hard to notice the anomaly quickly. This shows that resident agents carry real security risk; at the same time, endpoints are forced to install many agents for different needs, which creates performance bottlenecks. These problems leave organizations unable to fully trust resident-agent solutions. Endpoint security inspection is nonetheless necessary. To address this, this study proposes a Non-Resident Endpoint Detection and Probe System (NonR-EDP), which reduces the performance impact on endpoints and avoids the risks of an agent being evaded, replaced or controlled. It also proposes a method that, during the gaps between NonR-EDP inspections, uses Sysmon together with Microsoft's native audit-log mechanism to record system activity completely and to detect whether the logs have been forged or erased. Tested against a variety of endpoint log-wiping techniques, the NonR-EDP system successfully detected whether endpoint logs had been forged or erased and, once the logs were confirmed intact, successfully detected anomalous endpoint behavior. This study hopes to give organizations an alternative to resident agents when evaluating endpoint detection solutions and balancing security against performance risk.

In recent years, targeted malware and intrusion attacks have been refined into standardized modules. The mainstream final line of defense is the endpoint security system. Current solutions require a resident agent to be installed on endpoints for immediate analysis, detection or self-defense. Recent studies reveal that malware is not only capable of remaining undetected by endpoint security systems; some of it can even break through their mechanisms and replace the agent with its own. Such a scenario indicates the risk that a resident agent might be replaced or controlled by malware, a security issue; another common scenario is that different solutions, each with its own agent, are deployed on the same endpoint for specific purposes, causing a performance bottleneck, a management issue. This research uses the Non-Resident Endpoint Detection and Probe (NonR-EDP) endpoint security detection system to reduce the performance risk and to prevent resident agents from being replaced or controlled. This research also develops a procedure that uses Sysmon together with Microsoft's native audit-log mechanism to record system activity in full and to verify the logs' authenticity between NonR-EDP detection windows. It has been proven in endpoint log-erasure tests that the NonR-EDP system is capable of detecting attack events on an endpoint whose logs are authentic.
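The log-authenticity check between two probe visits, as an added example that is not part of the thesis or its NonR-EDP implementation: it runs two tamper tests over Windows event log records collected by a non-resident probe. The record dictionaries, the sample values and the probe's stored "last seen" record IDs are constructed assumptions; field names follow the Windows event XML (Channel, EventRecordID, EventID).

```python
# Added example (not the NonR-EDP implementation): tamper checks a non-resident
# probe can run over Windows event log records exported between two visits.
# Each channel numbers events with a monotonically increasing EventRecordID, so
# a break in that sequence since the last probe means records were removed;
# clearing a whole log leaves Event ID 1102 (in Security) or 104 (in System).

LOG_CLEARED = {("Security", 1102), ("System", 104)}  # written by the Eventlog service

def find_clear_events(records):
    """Return EventRecordIDs of 'log cleared' events in the collected records."""
    return [r["EventRecordID"] for r in records
            if (r["Channel"], r["EventID"]) in LOG_CLEARED]

def find_record_gaps(records, channel, last_seen_id):
    """Check EventRecordID continuity for one channel.

    last_seen_id is the highest ID the probe stored at its previous visit.
    Returns (expected_id, found_id) pairs wherever the sequence breaks."""
    ids = sorted(r["EventRecordID"] for r in records if r["Channel"] == channel)
    gaps, expected = [], last_seen_id + 1
    for rid in ids:
        if rid != expected:
            gaps.append((expected, rid))
        expected = rid + 1
    return gaps

def verify_window(records, last_seen):
    """Run both checks; last_seen maps channel -> highest ID at the last probe."""
    findings = {"cleared": find_clear_events(records), "gaps": {}}
    for channel, last_id in last_seen.items():
        gaps = find_record_gaps(records, channel, last_id)
        if gaps:
            findings["gaps"][channel] = gaps
    return findings

# Constructed sample: Security records 1001-1003 then 1007 (1004-1006 missing);
# the System log holds a 104 clear event and no longer continues from ID 500.
SAMPLE = [
    {"Channel": "Security", "EventRecordID": 1001, "EventID": 4624},
    {"Channel": "Security", "EventRecordID": 1002, "EventID": 4688},
    {"Channel": "Security", "EventRecordID": 1003, "EventID": 4688},
    {"Channel": "Security", "EventRecordID": 1007, "EventID": 4624},
    {"Channel": "System", "EventRecordID": 1, "EventID": 104},
]
LAST_SEEN = {"Security": 1000, "System": 500}  # stored by the probe last visit

if __name__ == "__main__":
    print(verify_window(SAMPLE, LAST_SEEN))
```

A clean window returns an empty gap map and no clear events; either finding means the activity recorded by Sysmon and the native audit logs for that window cannot be trusted as complete.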