farouq7assan0o/Attack-Sight

GitHub: farouq7assan0o/Attack-Sight

A purple-team detection validation framework that executes benign attack payloads and tests the resulting logs against Sigma rules, helping teams verify that their SIEM detection rules actually work.

Stars: 0 | Forks: 0

# AttackSight 🔴🔵

**AttackSight** is a purple-team detection validation framework. It executes real (benign) ATT&CK-mapped payloads, captures the logs they generate, and tests those logs against Sigma rules, telling you exactly which techniques your SIEM catches and which it misses.

## The problem it solves

Most SOC teams write Sigma/SIEM detection rules and assume they work. They never validate those rules against real attack behaviour. AttackSight closes that gap.

```
Without AttackSight: Write rule → Deploy → Hope it works
With AttackSight:    Write rule → Execute technique → Verify detection → Ship with confidence
```

## How it works

```
1. You select an ATT&CK technique (e.g. T1059.001 - PowerShell)
2. AttackSight executes a safe, benign atomic payload
3. It captures the logs generated (Sysmon, Windows Event Log, etc.)
4. It tests those logs against your Sigma rules
5. It outputs a coverage report: Detected / Missed / Partial
```

## Quick start

```
# Install
git clone https://github.com/farouq7assan0o/attacksight
cd attacksight
pip install -r requirements.txt

# List available techniques
python cli.py list

# Run a single technique
python cli.py run --technique T1059.001

# Run all techniques and generate a report
python cli.py run --all --report html

# Test your Sigma rules against the captured logs
python cli.py validate --logs reports/last_run.json --rules sigma_rules/
```

## Example output

```
╔══════════════════════════════════════════════════════╗
║ AttackSight — Coverage Report                        ║
╠══════════════════════════════════════════════════════╣
║ T1059.001 PowerShell Encoded Cmd     ✅ DETECTED     ║
║ T1003.001 LSASS Memory Dump          ❌ MISSED       ║
║ T1055.001 Process Injection          ⚠️ PARTIAL      ║
║ T1547.001 Registry Run Key           ✅ DETECTED     ║
║ T1070.004 File Deletion              ❌ MISSED       ║
╠══════════════════════════════════════════════════════╣
║ Coverage Score: 40% (2/5 techniques detected)        ║
║ Report saved: reports/2026-03-11_coverage.html       ║
╚══════════════════════════════════════════════════════╝
```

## Atomic YAML format

Each technique is defined in a YAML file under the `atomics/` directory:

```
technique_id: T1059.001
name: PowerShell Encoded Command
description: Simulates encoded PowerShell execution used in fileless attacks
platforms: [windows]
payloads:
  - name: Base64 encoded command
    executor: powershell
    command: powershell.exe -EncodedCommand JABzACAAPQAgACcAdABlAHMAdAAnAA==
    cleanup: ""
expected_logs:
  - source: Microsoft-Windows-Sysmon/Operational
    event_id: 1
  - source: Security
    event_id: 4688
sigma_rules:
  - sigma_rules/proc_creation_win_powershell_encoded.yml
references:
  - https://attack.mitre.org/techniques/T1059/001/
```

## Project structure

```
attacksight/
├── atomics/                 # YAML technique definitions
│   ├── T1059.001.yaml
│   ├── T1003.001.yaml
│   ├── T1055.001.yaml
│   ├── T1547.001.yaml
│   └── T1070.004.yaml
├── sigma_rules/             # Sigma detection rules
├── engine/
│   ├── executor.py          # Executes atomic payloads safely
│   ├── log_collector.py     # Captures Windows/Syslog events
│   ├── sigma_tester.py      # Tests logs vs Sigma rules
│   └── reporter.py          # Generates HTML/JSON reports
├── reports/                 # Output reports
├── tests/                   # Unit tests
├── cli.py                   # Main entry point
├── requirements.txt
└── README.md
```

## Supported platforms

| Platform | Status |
|----------|--------|
| Windows 10/11 | ✅ Fully supported |
| Windows Server 2019/2022 | ✅ Fully supported |
| Linux | 🔄 Partial support (Syslog techniques) |

## Sigma rule compatibility

AttackSight uses `sigma-cli` under the hood, which makes it **SIEM-agnostic**. Convert the rules to your target backend:

```
# Splunk
sigma convert -t splunk sigma_rules/

# Elastic
sigma convert -t elasticsearch sigma_rules/

# Microsoft Sentinel
sigma convert -t sentinelasim sigma_rules/
```

## Author

**Farouq Hassan** — Cybersecurity student, HTU Jordan. Intern @ Special Communications Commission – Jordan Armed Forces

[GitHub](https://github.com/farouq7assan0o) · [LinkedIn](https://linkedin.com/in/FarouqHassan02) · [Medium](https://medium.com/@12farouq12)

## Disclaimer

AttackSight is built for **authorized testing**. All payloads are benign and designed for controlled lab/SOC environments. Never run this tool on systems you do not own or do not have explicit permission to test.
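The README shows the atomic YAML's `expected_logs` and `sigma_rules` fields and the three verdicts (Detected / Partial / Missed) but not how they combine. The following added example, which is not AttackSight's own `engine/sigma_tester.py` code, shows one way to derive a verdict from those fields. It assumes: the T1059.001 atomic is already loaded into a dict (mirroring the YAML above, without a YAML parser); the referenced Sigma rule is reduced to its `detection` block with a single selection and `|contains` / `|endswith` modifiers; the captured events are constructed sample records rather than real Sysmon/Security output; and the verdict semantics (DETECTED = a mapped rule fires, PARTIAL = expected telemetry arrived but no rule fired, MISSED = expected telemetry never arrived) are an assumed reading of the report, not the project's documented definition.

```python
from __future__ import annotations

# Constructed copy of atomics/T1059.001.yaml from the README, already loaded
# into a dict (a real run would yaml.safe_load the file instead).
ATOMIC_T1059_001 = {
    "technique_id": "T1059.001",
    "name": "PowerShell Encoded Command",
    "platforms": ["windows"],
    "expected_logs": [
        {"source": "Microsoft-Windows-Sysmon/Operational", "event_id": 1},
        {"source": "Security", "event_id": 4688},
    ],
    "sigma_rules": ["sigma_rules/proc_creation_win_powershell_encoded.yml"],
}

# Assumed content of the referenced Sigma rule, reduced to its detection block.
SIGMA_RULES = {
    "sigma_rules/proc_creation_win_powershell_encoded.yml": {
        "detection": {
            "selection": {
                "Image|endswith": "\\powershell.exe",
                "CommandLine|contains": "-EncodedCommand",
            },
            "condition": "selection",
        }
    }
}

# Constructed sample of what log_collector.py might return after the payload ran.
CAPTURED_EVENTS = [
    {"source": "Microsoft-Windows-Sysmon/Operational", "event_id": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -EncodedCommand JABzACAAPQAgACcAdABlAHMAdAAnAA=="},
    {"source": "Security", "event_id": 4688,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -EncodedCommand JABzACAAPQAgACcAdABlAHMAdAAnAA=="},
]


def field_matches(spec: str, pattern: str, event: dict) -> bool:
    """Evaluate one Sigma field spec ('Field' or 'Field|modifier') against an event.
    Sigma string matching is case-insensitive, so both sides are lowercased."""
    field, _, modifier = spec.partition("|")
    value = event.get(field)
    if value is None:
        return False
    value, pattern = str(value).lower(), str(pattern).lower()
    if modifier == "contains":
        return pattern in value
    if modifier == "startswith":
        return value.startswith(pattern)
    if modifier == "endswith":
        return value.endswith(pattern)
    if modifier == "":
        return value == pattern
    raise ValueError(f"unsupported Sigma modifier: {modifier}")


def rule_matches(rule: dict, event: dict) -> bool:
    """Supports only the 'condition: <single selection>' form; every field in
    the selection must match (Sigma AND semantics within a selection)."""
    detection = rule["detection"]
    selection = detection[detection["condition"]]
    return all(field_matches(spec, pat, event) for spec, pat in selection.items())


def missing_expected_logs(atomic: dict, events: list[dict]) -> list[dict]:
    """Expected (source, event_id) pairs that never showed up in the capture."""
    seen = {(e["source"], e["event_id"]) for e in events}
    return [x for x in atomic["expected_logs"]
            if (x["source"], x["event_id"]) not in seen]


def verdict(atomic: dict, events: list[dict], rules: dict) -> str:
    """Assumed semantics: DETECTED if any mapped rule fires on any captured event;
    PARTIAL if all expected telemetry arrived but no rule fired (a rule gap);
    MISSED if expected telemetry is absent (a logging/forwarding gap)."""
    for path in atomic["sigma_rules"]:
        rule = rules.get(path)
        if rule and any(rule_matches(rule, e) for e in events):
            return "DETECTED"
    if not missing_expected_logs(atomic, events):
        return "PARTIAL"
    return "MISSED"


def coverage_score(verdicts: dict[str, str]) -> str:
    """Format the score line the way the README's report box shows it."""
    detected = sum(1 for v in verdicts.values() if v == "DETECTED")
    pct = round(100 * detected / len(verdicts)) if verdicts else 0
    return f"{pct}% ({detected}/{len(verdicts)} techniques detected)"


if __name__ == "__main__":
    print(ATOMIC_T1059_001["technique_id"], verdict(ATOMIC_T1059_001, CAPTURED_EVENTS, SIGMA_RULES))
```

The PARTIAL branch is the one worth watching in practice: if a collector truncates `CommandLine` or the forwarder drops Sysmon Event ID 1, the rule can be correct and still never fire, and separating "no telemetry" from "telemetry but no match" tells you whether to fix logging or the rule.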