ayinedjimi/LateralMovement-Detector

GitHub: ayinedjimi/LateralMovement-Detector

A Python-based Active Directory lateral movement detection and monitoring tool that identifies lateral movement on the internal network by analysing Windows security event logs.

Stars: 0 | Forks: 0

# Lateral Movement Detector

[![Python 3.8+](https://img.shields.io/badge/python-3.8+-blue.svg)](https://www.python.org/downloads/) [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT) [![Security Tool](https://img.shields.io/badge/Security-Blue%20Team-blue.svg)]() [![MITRE ATT&CK](https://img.shields.io/badge/MITRE-T1021-red.svg)](https://attack.mitre.org/techniques/T1021/)

**Active Directory lateral movement detection and monitoring tool**

A 100% defensive blue-team tool for detecting lateral movement patterns in Active Directory environments. It analyses Windows security events to identify suspicious access patterns.

## Features

- **Lateral Movement Detection**: Admin connections from workstations, rapid sequential logons, Pass-the-Hash (logon type 9), remote execution patterns
- **Access Mapping**: Admin access graph, connection baseline, deviation detection, tiering validation
- **Alert Engine**: Configurable rules, temporal correlation, severity scoring, KQL/Splunk queries, investigation playbooks
- **Reports**: Timeline, movement graph, heat map, HTML/JSON

## Installation

```
git clone https://github.com/nemusic/LateralMovement-Detector.git
cd LateralMovement-Detector
pip install -e ".[dev]"
```

## Usage

```
# Detect lateral movement
lateralmovement-detector detect --events events.json --dc-hosts DC01,DC02 -o reports/

# Build the access graph
lateralmovement-detector map --events events.json --validate-tiering

# Run the alert engine
lateralmovement-detector alert --events events.json --correlation-window 30 -o reports/
```

## Detection Capabilities

| Pattern | Description | MITRE |
|---------|-------------|-------|
| Admin from Workstation | Admin logon from Tier 2 to Tier 0/1 | T1021 |
| Sequential Logons | Rapid connections to multiple hosts | T1021 |
| Pass-the-Hash | Logon type 9 (NewCredentials) pattern | T1550.002 |
| Remote Execution | PsExec/WMI/WinRM patterns | T1021, T1047 |
| Tier Violation | Cross-tier admin access | T1078 |
| Lateral Chain | Multi-hop movement detection | T1021 |
| Credential Reuse | Single account on many hosts | T1078 |

## Tests

```
pytest tests/ -v
```

## Author

**Ayi NEDJIMI** - contact@ayinedjimi-consultants.fr

## License

MIT License - see [LICENSE](LICENSE)
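To make the table concrete, here is an added example (not the project's own code) that implements three of the patterns above as standalone rules over constructed 4624 logon events: a Tier 0 admin logging on to a domain controller from a non-PAW workstation, one account authenticating to several hosts in a short window, and a logon type 9 (NewCredentials) followed by network logons from the same source host under a different account. The hostnames, accounts, tier assignments and thresholds are all assumptions made for the demo; the event field names (`LogonType`, `TargetUserName`, `WorkstationName`, `Computer`) follow the Security log's EventData as exported to JSON.

```python
"""Added example, not part of LateralMovement-Detector. Three lateral-movement
rules over constructed Windows Security 4624 events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. Computer = host where the logon was recorded,
# WorkstationName = source host named in the logon request.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2024-01-10T09:00:00", "LogonType": 9,
     "TargetUserName": "jdoe", "Computer": "WS-042", "WorkstationName": "WS-042"},
    {"EventID": 4624, "TimeCreated": "2024-01-10T09:00:40", "LogonType": 3,
     "TargetUserName": "svc_backup", "Computer": "FS01", "WorkstationName": "WS-042"},
    {"EventID": 4624, "TimeCreated": "2024-01-10T09:01:10", "LogonType": 3,
     "TargetUserName": "svc_backup", "Computer": "FS02", "WorkstationName": "WS-042"},
    {"EventID": 4624, "TimeCreated": "2024-01-10T09:01:30", "LogonType": 3,
     "TargetUserName": "svc_backup", "Computer": "SQL01", "WorkstationName": "WS-042"},
    {"EventID": 4624, "TimeCreated": "2024-01-10T09:02:00", "LogonType": 10,
     "TargetUserName": "da_admin", "Computer": "DC01", "WorkstationName": "WS-042"},
    {"EventID": 4624, "TimeCreated": "2024-01-10T11:00:00", "LogonType": 10,
     "TargetUserName": "da_admin", "Computer": "DC01", "WorkstationName": "PAW-01"},
    # A logoff (4634) is ignored by every rule below.
    {"EventID": 4634, "TimeCreated": "2024-01-10T11:30:00", "LogonType": 10,
     "TargetUserName": "da_admin", "Computer": "DC01", "WorkstationName": "PAW-01"},
]

# Assumed tiering model for the demo environment.
TIER0_HOSTS = {"DC01", "DC02"}
TIER0_ADMINS = {"da_admin"}
PAWS = {"PAW-01"}  # privileged access workstations allowed to reach Tier 0


def _ts(event):
    return datetime.fromisoformat(event["TimeCreated"])


def logons(events):
    """Only successful logons (4624), in time order."""
    return sorted((e for e in events if e.get("EventID") == 4624), key=_ts)


def detect_tier_violations(events):
    """Tier 0 admin logging on to a Tier 0 host from anything other than a PAW."""
    return [
        {"rule": "admin_from_workstation", "mitre": "T1021",
         "account": e["TargetUserName"], "source_host": e["WorkstationName"],
         "target_host": e["Computer"], "time": e["TimeCreated"]}
        for e in logons(events)
        if e["TargetUserName"] in TIER0_ADMINS
        and e["Computer"] in TIER0_HOSTS
        and e["WorkstationName"] not in PAWS
    ]


def detect_sequential_logons(events, window=timedelta(minutes=5), min_hosts=3):
    """One account reaching >= min_hosts distinct hosts within a sliding window."""
    by_user = defaultdict(list)
    for e in logons(events):
        by_user[e["TargetUserName"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            hosts = {start["Computer"]}
            for later in evs[i + 1:]:
                if _ts(later) - _ts(start) > window:
                    break
                hosts.add(later["Computer"])
            if len(hosts) >= min_hosts:
                alerts.append({"rule": "sequential_logons", "mitre": "T1021",
                               "account": user, "hosts": sorted(hosts),
                               "start": start["TimeCreated"]})
                break  # one alert per account per burst
    return alerts


def detect_pass_the_hash(events, window=timedelta(minutes=5)):
    """Logon type 9 (NewCredentials) followed by network logons (type 3) from the
    same source host under a different account. Type 9 on its own is also produced
    by legitimate `runas /netonly`, so the follow-on network logons are required
    before alerting."""
    evs = logons(events)
    alerts = []
    for i, e in enumerate(evs):
        if e["LogonType"] != 9:
            continue
        src = e["WorkstationName"]
        followups = [
            f for f in evs[i + 1:]
            if f["LogonType"] == 3 and f["WorkstationName"] == src
            and f["TargetUserName"] != e["TargetUserName"]
            and _ts(f) - _ts(e) <= window
        ]
        if followups:
            alerts.append({"rule": "pass_the_hash", "mitre": "T1550.002",
                           "source_host": src, "interactive_account": e["TargetUserName"],
                           "network_accounts": sorted({f["TargetUserName"] for f in followups}),
                           "targets": sorted({f["Computer"] for f in followups})})
    return alerts


def run_all(events):
    """Run every rule and return the combined alert list."""
    return (detect_pass_the_hash(events)
            + detect_sequential_logons(events)
            + detect_tier_violations(events))


if __name__ == "__main__":
    for alert in run_all(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample, the rules fire once each: the type 9 logon on WS-042 is followed by `svc_backup` network logons to three servers (Pass-the-Hash pattern), the same three logons trip the sequential-logon threshold, and `da_admin` reaching DC01 from WS-042 rather than the PAW is a tier violation. The later `da_admin` logon from PAW-01 produces nothing, which is the baseline the tiering rule is meant to preserve.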