skpan10/Adversary-Emulation-Framework
GitHub: skpan10/Adversary-Emulation-Framework
An adversary emulation framework based on MITRE ATT&CK techniques, used to validate the effectiveness of KQL detection rules and generate coverage gap analysis reports.
Stars: 0 | Forks: 0
# ⚔️ Adversary Emulation Framework

Most detection engineers write KQL rules and then assume they work. This framework **validates that assumption**: it executes MITRE ATT&CK techniques in a controlled lab environment, checks whether your Sentinel/Defender rules actually fire, and generates a gap report with "before/after" coverage metrics.
This is exactly what the Microsoft DART and CrowdStrike detection teams do internally. Now it's open source.
## 🧠 The Core Problem It Solves
```
Traditional approach:
Write rule → Deploy to SIEM → Wait for real attack → Hope it works
This framework:
Simulate attack → Check if rule fires → Measure coverage % → Fix gaps → Repeat
```
## 🏗️ Architecture
```
adversary-emulation-framework/
│
├── engine.py                          # Core orchestrator — loads, executes, validates
│
├── techniques/                        # MITRE ATT&CK technique modules
│   ├── execution/
│   │   └── T1059_001_powershell.py    # Command-line parsing, parent process logic
│   ├── credential_access/
│   │   └── T1003_001_lsass_dump.py    # Tool detection, FP exclusion by vendor
│   ├── persistence/
│   │   └── T1547_001_registry_run.py  # Registry monitoring, known-good exclusions
│   ├── lateral_movement/
│   │   └── T1021_002_smb_shares.py    # Multi-signal correlation (SMB + tool)
│   └── defense_evasion/
│       └── T1562_001_disable_tools.py # Defense impairment patterns
│
├── detection/
│   ├── rules/                         # KQL rules matched to each technique
│   │   └── T1059.001.kql              # With FP handling, scoring, parent logic
│   ├── gap_analyzer.py                # Before/After comparison engine
│   └── mitre_coverage.py              # Coverage matrix + Navigator export
│
├── reports/
│   ├── report_generator.py            # HTML report with coverage visualizations
│   └── run_.json                      # Machine-readable run artifacts
│
├── lab/
│   └── config.json                    # Safe mode, exclusions, thresholds
│
└── .github/workflows/ci.yml           # Auto-runs emulation + validates coverage
```
## 🎯 MITRE ATT&CK Coverage Matrix
| Technique | Name | Tactic | Rule | Emulation | FP Handling | Coverage |
|-----------|------|--------|------|-----------|-------------|----------|
| T1059.001 | PowerShell Execution | Execution | ✅ | ✅ | ✅ | 95% |
| T1003.001 | LSASS Memory Dump | Credential Access | ✅ | ✅ | ✅ | 90% |
| T1547.001 | Registry Run Keys | Persistence | ✅ | ✅ | ✅ | 80% |
| T1021.002 | SMB/Admin Shares | Lateral Movement | ✅ | ✅ | ✅ | 85% |
| T1562.001 | Disable Security Tools | Defense Evasion | ✅ | ✅ | ✅ | 92% |
| T1110 | Brute Force | Credential Access | ✅ | ⬜ | ✅ | 75% |
| T1078 | Valid Accounts | Initial Access | ✅ | ⬜ | ✅ | 70% |
| T1218 | LOLBIN Execution | Defense Evasion | ✅ | ⬜ | ✅ | 88% |
**Overall detection coverage: 84.4%** (target: ≥80%)
## 🔬 Detection Rule Quality Standards
Every rule in this framework implements all 5 quality dimensions:
### 1. False Positive Handling
```
// Every rule has explicit FP exclusions, not just detection logic
let FPExcludedParents = dynamic(["msiexec.exe","TrustedInstaller.exe"]);
let FPExcludedAccounts = dynamic(["svc-backup","svc-patch"]);
DeviceProcessEvents
| where InitiatingProcessFileName !in~ (FPExcludedParents)
| where InitiatingProcessAccountName !in~ (FPExcludedAccounts)
```
### 2. Parent Process Logic
```
// Rules validate the full process chain, not just the leaf process
let SuspiciousParents = dynamic(["winword.exe","excel.exe","mshta.exe"]);
DeviceProcessEvents
| extend HasSuspiciousParent = InitiatingProcessFileName in~ (SuspiciousParents)
```
### 3. Command-Line Parsing
```
// Deep command-line inspection with pattern scoring
| extend
    HasEncodedCmd = ProcessCommandLine has_any ("-enc","-encodedcommand"),
    HasNetworkDownload = ProcessCommandLine has_any ("DownloadString","WebClient"),
    HasPolicyBypass = ProcessCommandLine has_any ("bypass","unrestricted")
```
### 4. Suspicious Pattern Extraction
```
// Multi-signal scoring prevents single-indicator false positives
| extend SuspiciousScore =
    toint(HasEncodedCmd) * 3 +
    toint(HasSuspiciousParent) * 3 +
    toint(HasNetworkDownload) * 2
| where SuspiciousScore >= 3  // Requires multiple signals to fire
```
### 5. Coverage Validation
```
# The engine validates automatically: did the rule fire for this technique?
detection_status, rule_fired = engine._validate_detection(technique_id, artifacts)
# Output: DETECTED | MISSED | PARTIAL
```
## 📊 Before/After Rule Tuning Comparison
The gap analyzer tracks coverage improvement across runs:
```
════════════════════════════════════════════════════
BEFORE vs AFTER RULE TUNING
════════════════════════════════════════════════════
Before : 61.5% (8/13 techniques)
After : 84.6% (11/13 techniques)
Delta : +23.1% | Trend: IMPROVING
3 new techniques detected. 2 gaps remain.
════════════════════════════════════════════════════
```
**Changes between runs:**
- Added parent-process exclusions for T1059.001 → 40% fewer false positives
- Added multi-signal scoring for T1547.001 → eliminated false positives from common software
- Created a new rule for T1021.002 → lateral movement is now fully covered
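The before/after comparison above, computed in Python as an added example (not the project's gap_analyzer.py). The run-record shape (one status per technique ID under `results`), the five technique IDs beyond the matrix, and which techniques flipped between runs are assumptions chosen so the numbers reproduce the 8/13 and 11/13 figures.

```python
# Added example, not the project's gap_analyzer.py: the before/after comparison
# from the block above, computed from two run records. The record shape (one
# status per technique ID under "results") is an assumption, not the real file.

TECHNIQUES = [  # 13 IDs so the numbers match the sample: 8 from the matrix + 5 more
    "T1059.001", "T1003.001", "T1547.001", "T1021.002", "T1562.001", "T1110",
    "T1078", "T1218", "T1053.005", "T1055", "T1071.001", "T1105", "T1486",
]


def make_run(run_id: str, detected: set, partial: frozenset = frozenset()) -> dict:
    """Build a constructed run record; everything not detected/partial is MISSED."""
    status = {t: "DETECTED" if t in detected else "PARTIAL" if t in partial else "MISSED"
              for t in TECHNIQUES}
    return {"run_id": run_id, "results": status}


def coverage(run: dict) -> tuple[int, int, float]:
    """(detected, total, percent) for one run; PARTIAL does not count as covered."""
    results = run["results"]
    detected = sum(1 for s in results.values() if s == "DETECTED")
    pct = round(100.0 * detected / len(results), 1) if results else 0.0
    return detected, len(results), pct


def compare_runs(baseline: dict, current: dict, target: float = 80.0) -> dict:
    """Before/after gap analysis: delta, trend, new detections, regressions, gaps."""
    _, _, before = coverage(baseline)
    _, _, after = coverage(current)
    delta = round(after - before, 1)
    trend = "IMPROVING" if delta > 0 else "REGRESSING" if delta < 0 else "STABLE"
    b, c = baseline["results"], current["results"]
    return {
        "before": before, "after": after, "delta": delta, "trend": trend,
        "new_detections": sorted(t for t in c if c[t] == "DETECTED" and b.get(t) != "DETECTED"),
        "regressions": sorted(t for t in b if b[t] == "DETECTED" and c.get(t) != "DETECTED"),
        "remaining_gaps": sorted(t for t in c if c[t] != "DETECTED"),
        "meets_target": after >= target,
    }


# Constructed runs reproducing the README numbers: 8/13 before, 11/13 after.
BASELINE = make_run("baseline-run", detected={
    "T1059.001", "T1003.001", "T1547.001", "T1562.001", "T1110", "T1078", "T1218", "T1053.005"})
CURRENT = make_run("tuned-run", detected=set(BASELINE["results"]) - {"T1105", "T1486"},
                   partial=frozenset({"T1105"}))
```

`compare_runs(BASELINE, CURRENT)` reports 61.5% → 84.6%, delta +23.1, IMPROVING, three new detections and two remaining gaps; swapping the arguments flags the same three techniques as regressions, which is the check a CI job should fail on.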
## 🚀 Quick Start
### Prerequisites
- Python 3.11+
- Windows lab environment (or safe emulation mode on any OS)
- Microsoft Defender for Endpoint / Azure Sentinel (for live validation)
### Run the Emulation (Safe Emulation Mode)
```
git clone https://github.com/skpan10/adversary-emulation-framework
cd adversary-emulation-framework
pip install -r requirements.txt
# Run all techniques (safe mode, no actual execution)
python engine.py
# Run only specific tactics
python engine.py --tactics execution credential_access
# Generate the coverage matrix
python detection/mitre_coverage.py
```
### Analyze Gaps (with Before/After Comparison)
```
# Single-run analysis
python detection/gap_analyzer.py --run reports/run_.json
# Before vs After comparison
python detection/gap_analyzer.py \
  --run reports/run_.json \
  --baseline reports/run_.json
```
### Generate the HTML Report
```
python reports/report_generator.py --run reports/run_.json --gap reports/gap_analysis.json
```
## ⚙️ Safe Mode vs Live Mode
| Mode | What happens | Use when |
|------|-------------|---------|
| `safe_mode: true` (default) | Generates artifacts + telemetry only, zero execution | CI/CD, code review, demos |
| `safe_mode: false` | Executes techniques against local lab environment | Dedicated isolated lab VM only |
## 📋 Sample Run Output
```
╔══════════════════════════════════════════════════════════╗
║            ADVERSARY EMULATION — RUN SUMMARY             ║
╠══════════════════════════════════════════════════════════╣
║  Run ID   : a3f9c12b8e41                                 ║
║  Platform : Windows                                      ║
╠══════════════════════════════════════════════════════════╣
║  Total Techniques : 5                                    ║
║  ✅ Detected      : 4                                    ║
║  ❌ Missed        : 1                                    ║
║  ⚠️ Partial       : 0                                    ║
╠══════════════════════════════════════════════════════════╣
║  Coverage : [████████████████████████░░░░░░] 80.0%       ║
╠══════════════════════════════════════════════════════════╣
║  Detection Gaps   : 1                                    ║
║  Recommendations  : 2                                    ║
╚══════════════════════════════════════════════════════════╝
```
## 🔗 Integration with the Detection-as-Code Framework
This framework is designed to be used together with the [Detection-as-Code Framework](https://github.com/skpan10/Detection-Rules-):
```
Detection-as-Code Repo             Adversary Emulation Framework
──────────────────────             ──────────────────────────────
KQL rules written here        →    Rules validated here
MITRE ATT&CK mapped           →    Coverage % measured here
FP logic documented           →    FP risk scored here
CI validates syntax           →    CI validates detection works
```
**Together they form a complete detection engineering loop:**
1. Write rules in the Detection-as-Code repo
2. Run the emulation framework to verify that they fire
3. Check the coverage %: are the gaps shrinking?
4. Compare before and after tuning to quantify the improvement
5. Commit the improvements to both repos
## 🤝 Contributing
See [docs/CONTRIBUTING.md](docs/CONTRIBUTING.md) for technique module standards.
**Adding a new technique:**
1. Create `techniques//T_.py`
2. Implement `execute(safe_mode)` and return `{artifacts, indicators, notes}`
3. Create the matching `detection/rules/T.kql`, including false-positive handling
4. Run `python detection/mitre_coverage.py` to update the matrix
## 📄 License
MIT. Built for the detection engineering community.