0xsabry/ThreatScopeX
GitHub: 0xsabry/ThreatScopeX
ThreatScopeX is an enterprise-grade offline log analysis and threat detection engine built in Python, supporting multiple log formats, MITRE ATT&CK mapping, IOC extraction and STIX export.
Stars: 1 | Forks: 0
# ⚡ ThreatscopeX — 高级日志智能与威胁检测引擎
**Built by [0xSABRY](https://github.com/0xsabry) — SOC Analyst & Threat Hunter**
## Overview
**ThreatscopeX** is a high-performance, enterprise-grade log analysis and threat detection engine built with Python. It ingests `.log`, `.txt`, `.evtx`, `.csv` and `.json` files and applies **308 regex-driven detection rules** across **24 attack categories** to detect threats, correlate multi-stage attack chains, extract IOCs, and map findings to **274 MITRE ATT&CK techniques** — all from either a premium dark-themed GUI or the command line.
## Features
| Feature | Details |
| -------------------------- | -------------------------------------------------------------------- |
| 🔍 **Detection Engine** | 308 rules, 900+ regex patterns, 24 attack categories |
| 🎯 **MITRE ATT&CK** | Full technique mapping (274 techniques across all 14 tactics) |
| ⚡ **Correlation Engine** | 35 multi-signal attack-chain detection rules |
| 🔎 **IOC Extraction** | MD5/SHA1/SHA256, IPv4/IPv6, URLs, domains, emails, CVEs, Bitcoin, MAC, registry keys, file paths, user-agents |
| 📄 **File Support** | `.log`, `.txt`, `.evtx` (native + python-evtx), `.csv`, `.json` |
| 💾 **JSON Export** | Complete structured report including IOCs, MITRE mappings and correlations |
| 🔗 **STIX 2.1 Export** | Standard IOC bundle for threat intelligence platforms |
| 📐 **Sigma Rules** | Import YAML-based detection rules |
| 🖥️ **8-Tab Premium GUI** | Report, Findings, IP/Users, Timeline, MITRE ATT&CK, IOCs, Rule Browser, Raw Log |
| 📚 **Rule Browser** | Search, filter and browse all 308 rules by category/severity |
| ⌨️ **CLI Mode** | Headless analysis for automation and scripting |
| 📊 **Threat Scoring** | 0–100% weighted severity score with correlation bonus |
| 🔒 **File Integrity** | MD5/SHA256 hash verification of the analyzed file |
| ⚙️ **Zero Configuration** | Uses only the Python stdlib (tkinter, re, json, struct) |
## Attack Categories (24)
| # | Category | Rules | Key Threats |
| --- | --------------------- | ----- | -------------------------------------------------------------- |
| 1 | Authentication | 30 | Failed logins, brute-force, password spray, SID history, SPN |
| 2 | Privilege Escalation | 21 | UAC bypass, token theft, Potato exploits, Zerologon, PwnKit |
| 3 | Persistence | 31 | Registry run keys, WMI, COM hijack, BITS, kernel modules |
| 4 | Lateral Movement | 20 | PsExec, Pass-the-Hash/Ticket, RDP hijack, CrackMapExec |
| 5 | C2 | 24 | Cobalt Strike, DNS tunneling, domain fronting, Mythic, Sliver |
| 6 | Exfiltration | 15 | DNS exfil, cloud storage, USB, steganography, keylogger |
| 7 | Defense Evasion | 30 | AMSI/ETW bypass, process injection, rootkit, NTDLL unhooking |
| 8 | Discovery | 20 | AD recon, BloodHound, cloud enum, SNMP/LDAP enum |
| 9 | Credential Access | 20 | LSASS dump, DCSync, Kerberoasting, AS-REP roast, DPAPI |
| 10 | Web Attack | 20 | SQLi, XSS, SSRF, Log4Shell, Spring4Shell, deserialization |
| 11 | Malware | 21 | Ransomware (LockBit/BlackCat), RATs, APT tools, Mimikatz |
| 12 | Cloud Attack | 2 | Metadata service abuse, container escape |
| 13 | Supply Chain | 3 | Dependency confusion, typosquatting, CI/CD compromise |
| 14 | IoT/OT Attack | 3 | SCADA/ICS, Modbus exploit, MQTT anomaly |
| 15 | Insider Threat | 3 | Mass file access, off-hours, bulk download |
| 16 | Zero-Day/Exploit | 4 | Exploit kits, shellcode, heap spray, ROP chain |
| 17 | Email/Phishing | 4 | Phishing URLs, macro docs, spoofed sender, credential harvest |
| 18 | Cryptomining | 3 | Mining pools, Stratum protocol, XMRig detection |
| 19 | API Security | 7 | JWT abuse, GraphQL injection, BOLA/IDOR, OAuth theft |
| 20 | AI/ML Attack | 4 | Prompt injection, model poisoning, adversarial input |
| 21 | Blockchain Attack | 4 | Smart contract exploit, wallet theft, rug pull, crypto clipper |
| 22 | Network Attack | 6 | ARP poisoning, DNS rebinding, BGP hijack, SSL stripping |
| 23 | Zero Trust Bypass | 6 | MFA fatigue, SAML forgery, Kerberos delegation abuse |
| 24 | Execution | 10 | PowerShell, WMI, certutil, BITSAdmin, Office child process |
## Installation
```
# Clone the repository
git clone https://github.com/0xsabry/ThreatScope.git
cd ThreatScope
# Run (requires Python 3.8+, no pip install needed)
python ThreatscopeX.py
# Optional: install the extra dependencies
pip install -r requirements.txt
```
## Usage
### GUI Mode (default)
```
python ThreatscopeX.py
```
1. **Load Log** — click `📂 Load Log File` and choose a `.log`, `.txt`, `.evtx`, `.csv` or `.json` file
2. **Analyze** — click `⚡ Analyze`; the analysis runs in a background thread
3. **Review** — browse the 8 tabs: Report, Findings, IP/Users, Timeline, MITRE ATT&CK, IOCs, Rule Browser, Raw Log
4. **Export** — click `💾 Export JSON` or `🔗 Export STIX` for a machine-readable report
### CLI Mode (headless)
```
# Analyze and print a text report
python ThreatscopeX.py -f server.log --report
# Analyze and export a JSON report
python ThreatscopeX.py -f data.evtx -j report.json
# Export IOCs as a STIX 2.1 bundle
python ThreatscopeX.py -f log.txt --stix iocs.json
# Full analysis with all exports
python ThreatscopeX.py -f access.log -r -j report.json --stix iocs.json
```
| Flag | Description |
| ---------------- | ----------------------------------- |
| `-f`, `--file` | Path to the log file (required in CLI mode) |
| `-r`, `--report` | Print the text report to stdout |
| `-j`, `--json` | Export the JSON report to the given path |
| `--stix` | Export a STIX 2.1 IOC bundle |
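The IOC extraction and `--stix` export described above work on the same principle in any engine of this kind: a set of per-type regexes pulls observables out of the raw lines, and each unique value is wrapped in a STIX 2.1 `indicator` object whose `pattern` uses the STIX patterning language. The block below is an added, self-contained illustration of that pipeline, not ThreatscopeX's own code; the regexes are deliberately simplified, the sample log is constructed, and the `malware.example.net` / `203.0.113.45` values are documentation-range placeholders.

```python
"""Minimal IOC extractor and STIX 2.1 exporter (added example, not ThreatscopeX code)."""
import json
import re
import uuid
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample log for the demonstration; the values are placeholders.
SAMPLE_LOG = """\
2024-03-01T10:02:11Z host1 sshd: Failed password for admin from 203.0.113.45 port 5022
2024-03-01T10:05:40Z host1 proxy: GET http://malware.example.net/payload.exe by alice@example.com
2024-03-01T10:06:02Z host1 av: quarantined file hash=0123456789abcdef0123456789abcdef
2024-03-01T10:07:15Z host1 sysmon: RegistryEvent HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\updater
2024-03-01T10:08:00Z host1 ids: exploit attempt matching CVE-2021-44228 from 2001:db8::1
"""

# Simplified per-type regexes. Word boundaries keep a 64-hex SHA-256 from also
# matching as MD5/SHA-1; the domain lookbehind skips hosts that are part of a
# URL path, an e-mail address or a file name (URL hosts are added separately).
IOC_PATTERNS = {
    "sha256": re.compile(r"\b[0-9a-fA-F]{64}\b"),
    "sha1": re.compile(r"\b[0-9a-fA-F]{40}\b"),
    "md5": re.compile(r"\b[0-9a-fA-F]{32}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "ipv6": re.compile(r"\b(?:[0-9a-fA-F]{1,4}:){2,7}:?[0-9a-fA-F]{1,4}\b"),
    "url": re.compile(r"\bhttps?://[^\s\"'<>]+"),
    "domain": re.compile(r"(?<![/@\w.-])(?:[a-zA-Z0-9-]+\.)+[a-zA-Z]{2,}\b"),
    "email": re.compile(r"\b[\w.+-]+@(?:[a-zA-Z0-9-]+\.)+[a-zA-Z]{2,}\b"),
    "cve": re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE),
    "registry": re.compile(r"\bHK(?:LM|CU|CR|U|CC)\\[^\s,;]+"),
}

# STIX 2.1 pattern templates per IOC type (CVEs become vulnerability SDOs instead).
STIX_PATTERNS = {
    "md5": "[file:hashes.MD5 = '{}']",
    "sha1": "[file:hashes.'SHA-1' = '{}']",
    "sha256": "[file:hashes.'SHA-256' = '{}']",
    "ipv4": "[ipv4-addr:value = '{}']",
    "ipv6": "[ipv6-addr:value = '{}']",
    "url": "[url:value = '{}']",
    "domain": "[domain-name:value = '{}']",
    "email": "[email-addr:value = '{}']",
    "registry": "[windows-registry-key:key = '{}']",
}


def extract_iocs(text):
    """Return {ioc_type: sorted unique values} for every type found in the text."""
    found = {name: set() for name in IOC_PATTERNS}
    for name, pattern in IOC_PATTERNS.items():
        for match in pattern.finditer(text):
            found[name].add(match.group(0))
    # The host name inside a URL is an IOC in its own right.
    for url in found["url"]:
        host = urlparse(url).hostname
        if host and not IOC_PATTERNS["ipv4"].fullmatch(host):
            found["domain"].add(host)
    return {name: sorted(values) for name, values in found.items() if values}


def _stix_escape(value):
    # STIX pattern string literals escape backslash and single quote.
    return value.replace("\\", "\\\\").replace("'", "\\'")


def to_stix_bundle(iocs, now=None):
    """Wrap extracted IOCs in a STIX 2.1 bundle of indicator/vulnerability objects."""
    stamp = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    objects = []
    for ioc_type, values in iocs.items():
        for value in values:
            if ioc_type == "cve":
                objects.append({
                    "type": "vulnerability", "spec_version": "2.1",
                    "id": f"vulnerability--{uuid.uuid4()}",
                    "created": stamp, "modified": stamp, "name": value,
                    "external_references": [{"source_name": "cve", "external_id": value}],
                })
                continue
            objects.append({
                "type": "indicator", "spec_version": "2.1",
                "id": f"indicator--{uuid.uuid4()}",
                "created": stamp, "modified": stamp,
                "name": f"{ioc_type}: {value}",
                "indicator_types": ["malicious-activity"],
                "pattern": STIX_PATTERNS[ioc_type].format(_stix_escape(value)),
                "pattern_type": "stix",
                "valid_from": stamp,
            })
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


if __name__ == "__main__":
    iocs = extract_iocs(SAMPLE_LOG)
    print(json.dumps(iocs, indent=2))
    print(json.dumps(to_stix_bundle(iocs), indent=2))
```

The output of `to_stix_bundle` can be written to a file with `json.dump` and imported into a TIP as-is. Two points worth checking in any real extractor: the IPv6 regex here will also accept a bare `HH:MM:SS` time (the sample timestamps only escape it because of the trailing `Z`), and backslashes in registry keys must be doubled inside STIX pattern literals, which `_stix_escape` takes care of.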
## Sigma Rule Support
Drop Sigma-format YAML files into `sigma_rules/` to extend detection coverage:
```
title: Suspicious PowerShell Encoded Command
level: high
tags:
  - attack.t1059.001
detection:
  keywords:
    - "powershell -encodedcommand"
    - "powershell -w hidden"
  condition: keywords
```
Rules are loaded automatically during analysis. Install `pyyaml` to enable Sigma support:
```
pip install pyyaml
```
## Project Structure
```
ThreatScopeX/
├── ThreatscopeX.py                 # Main application (GUI + CLI + Engine)
├── requirements.txt                # Optional dependencies
├── sigma_rules/                    # Custom Sigma detection rules (YAML)
│   └── example_powershell.yml      # Example Sigma rule
├── sample_anonymous_report.json    # Sample analysis output
├── sample_anyonomus login.evtx     # Sample EVTX log for testing
├── CONTRIBUTING.md                 # Contribution guidelines
├── SECURITY.md                     # Vulnerability reporting policy
├── LICENSE                         # MIT License
└── README.md                       # This file
```
## Correlation Engine (35 rules)
| Chain Name | Required Signals | Bonus |
| ----------------------------- | --------------------------------------------------------- | ----- |
| Credential Compromise Chain | brute_force + privilege_escalation | +20 |
| Full Kill Chain Detected | credential_dumping + lateral_movement + data_exfiltration | +30 |
| Ransomware Deployment Chain | lateral_movement + av_tamper + ransomware | +25 |
| Active C2 with Exfiltration | command_and_control + data_exfiltration | +20 |
| AD Compromise Chain | ad_recon + kerberoasting + golden_silver_ticket | +30 |
| DCSync + Golden Ticket | dcsync_attack + golden_silver_ticket | +30 |
| Ransomware Kill Chain | credential_dumping + lateral_movement + ransomware | +30 |
| ICS Attack Chain | scada_ics_abuse + modbus_exploit | +30 |
| Zero-Day Exploitation | shellcode_detect + process_injection | +28 |
| SAML Forgery + Cloud Access | saml_attack + cloud_metadata_abuse | +28 |
| Rootkit + Timestomping | rootkit_detect + timestomp | +28 |
| AI System Compromise | prompt_injection + data_extraction_llm | +25 |
| MFA Bypass + Lateral | mfa_fatigue + lateral_movement | +25 |
| Crypto Theft Chain | wallet_theft + crypto_clipper | +25 |
| Container Escape + Persistence| container_escape + persistence | +25 |
| Log4Shell Exploitation | log4j_exploit + reverse_shell | +25 |
| PrintNightmare Chain | lpe_printspooler + lateral_movement | +25 |
| Trojan + C2 Beacon | trojan_rat + beacon_pattern | +25 |
| AS-REP + Pass-the-Ticket | as_rep_roasting + pass_the_ticket | +25 |
| LOLBins Attack Chain | fileless_malware + amsi_bypass | +20 |
| ... and 15 more | | |
## Threat Scoring
| Score | Level | Action |
| ------ | ----------- | ------------------------------------ |
| 80–100 | CRITICAL 🔴 | Immediate incident response required |
| 60–79 | HIGH 🟠 | Urgent investigation required |
| 40–59 | MEDIUM 🟡 | Active monitoring and review |
| 20–39 | LOW 🟢 | Log and track |
| 0–19 | MINIMAL ⚪ | Continue routine monitoring |
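The Sigma section, the correlation table and the scoring table above describe three cooperating stages: regex rules tagged with a category, severity and ATT&CK technique fire on matching lines (a Sigma `keywords` rule is just such a rule built from escaped keywords); a chain fires when every one of its signal rule IDs fired; the score is a weighted severity sum plus the chain bonuses, capped at 100 and bucketed into the tiers shown. The block below is an added example of those mechanics and not ThreatscopeX's engine: the rule bodies, the severity weights and the two sample logs are constructed, while the two chains with their bonuses, the Sigma rule and the score tiers are taken from this README.

```python
"""Regex rules, a Sigma keyword rule, correlation chains and a weighted score
(added example, not ThreatscopeX's own engine)."""
import re

# Assumed severity weights; the README only states the score is a weighted
# severity sum plus a correlation bonus, not the weights themselves.
SEVERITY_WEIGHT = {"critical": 20, "high": 12, "medium": 6, "low": 2, "informational": 0}

# Constructed rules; a real rule set would carry hundreds of these.
RULES = [
    {"id": "brute_force", "category": "Authentication", "severity": "medium",
     "mitre": ["T1110"], "pattern": re.compile(r"Failed password for", re.I),
     "threshold": 5},  # a single failed login is noise; fire at five
    {"id": "privilege_escalation", "category": "Privilege Escalation", "severity": "high",
     "mitre": ["T1078"], "pattern": re.compile(r"added to group Administrators", re.I)},
    {"id": "credential_dumping", "category": "Credential Access", "severity": "critical",
     "mitre": ["T1003.001"], "pattern": re.compile(r"TargetImage.*lsass\.exe", re.I)},
    {"id": "lateral_movement", "category": "Lateral Movement", "severity": "high",
     "mitre": ["T1021.002"], "pattern": re.compile(r"PSEXESVC", re.I)},
    {"id": "ransomware", "category": "Malware", "severity": "critical",
     "mitre": ["T1486"], "pattern": re.compile(r"README_TO_DECRYPT|\.lockbit\b", re.I)},
]

# Two chains and bonuses exactly as listed in the README's correlation table.
CHAINS = [
    {"name": "Credential Compromise Chain",
     "signals": {"brute_force", "privilege_escalation"}, "bonus": 20},
    {"name": "Ransomware Kill Chain",
     "signals": {"credential_dumping", "lateral_movement", "ransomware"}, "bonus": 30},
]

# The README's example Sigma rule, in the shape yaml.safe_load() would return.
SIGMA_RULE = {
    "title": "Suspicious PowerShell Encoded Command",
    "level": "high",
    "tags": ["attack.t1059.001"],
    "detection": {"keywords": ["powershell -encodedcommand", "powershell -w hidden"],
                  "condition": "keywords"},
}


def sigma_to_rule(sigma):
    """Turn a 'condition: keywords' Sigma rule into an engine rule; other
    condition forms are out of scope for this example."""
    detection = sigma["detection"]
    if detection.get("condition") != "keywords":
        raise ValueError("only 'condition: keywords' is handled here")
    pattern = "|".join(re.escape(k) for k in detection["keywords"])
    techniques = [t[len("attack."):].upper() for t in sigma.get("tags", [])
                  if re.fullmatch(r"attack\.t\d{4}(?:\.\d{3})?", t)]
    return {"id": "sigma_" + re.sub(r"\W+", "_", sigma["title"].lower()).strip("_"),
            "category": "Execution", "severity": sigma.get("level", "medium"),
            "mitre": techniques, "pattern": re.compile(pattern, re.I)}


def run_rules(lines, rules):
    """A rule fires when its number of matching lines reaches its threshold."""
    findings = []
    for rule in rules:
        hit_lines = [n for n, line in enumerate(lines, 1) if rule["pattern"].search(line)]
        if hit_lines and len(hit_lines) >= rule.get("threshold", 1):
            findings.append({"rule": rule["id"], "category": rule["category"],
                             "severity": rule["severity"], "mitre": rule["mitre"],
                             "count": len(hit_lines), "lines": hit_lines})
    return findings


def correlate(findings, chains=CHAINS):
    """A chain fires only when every one of its signals fired as a finding."""
    fired = {f["rule"] for f in findings}
    return [chain for chain in chains if chain["signals"] <= fired]


def threat_score(findings, chains):
    base = sum(SEVERITY_WEIGHT[f["severity"]] for f in findings)
    return min(100, base + sum(c["bonus"] for c in chains))


def threat_tier(score):
    """Tiers from the README's scoring table."""
    for floor, label in ((80, "CRITICAL"), (60, "HIGH"), (40, "MEDIUM"), (20, "LOW")):
        if score >= floor:
            return label
    return "MINIMAL"


def analyze(text, rules=None):
    if rules is None:
        rules = RULES + [sigma_to_rule(SIGMA_RULE)]
    findings = run_rules(text.splitlines(), rules)
    chains = correlate(findings)
    score = threat_score(findings, chains)
    return {"findings": findings, "chains": chains, "score": score, "tier": threat_tier(score)}


# Constructed sample logs, not real telemetry.
LOG_A = """\
sshd[311]: Failed password for root from 198.51.100.7 port 40111
sshd[311]: Failed password for root from 198.51.100.7 port 40112
sshd[311]: Failed password for root from 198.51.100.7 port 40113
sshd[311]: Failed password for root from 198.51.100.7 port 40114
sshd[311]: Failed password for admin from 198.51.100.7 port 40115
audit: user 'svc_backup' added to group Administrators by admin
sysmon: CommandLine powershell -w hidden -encodedcommand BASE64BLOB
"""
LOG_B = """\
sysmon: ProcessAccess SourceImage C:\\tools\\dump.exe TargetImage C:\\Windows\\System32\\lsass.exe
svcctl: service PSEXESVC installed on host2 by CORP\\admin
file: created C:\\Users\\bob\\Desktop\\README_TO_DECRYPT.txt
"""

if __name__ == "__main__":
    for name, log in (("LOG_A", LOG_A), ("LOG_B", LOG_B)):
        result = analyze(log)
        print(name, result["score"], result["tier"],
              [f["rule"] for f in result["findings"]], [c["name"] for c in result["chains"]])
```

With these weights `LOG_A` scores 6 + 12 + 12 = 30 from its findings and +20 from the Credential Compromise Chain, landing at 50 (MEDIUM), while `LOG_B` scores 20 + 12 + 20 = 52 plus the Ransomware Kill Chain's +30, landing at 82 (CRITICAL). The `threshold` on `brute_force` is the point to keep in mind when tuning such rules: four failed logins alone produce no finding at all, so the chain bonus never applies to them.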
## License
MIT License — see [LICENSE](LICENSE)
Built with ❤️ by 0xSABRY — SOC Analyst & Security Researcher