Piyush1786/watchtower-dfir

GitHub: Piyush1786/watchtower-dfir

Open-source Windows digital forensics and incident response platform that integrates Sigma rules, ML-based detection and threat-intelligence enrichment, covering everything from artifact parsing to interactive report generation in one place.

Stars: 0 | Forks: 0

# watchtower-dfir

Open-source DFIR platform: parses Windows artifacts, runs 2,900+ Sigma rules, detects threats with ML, and generates interactive HTML reports.

# DFIR Platform: SOC-grade Digital Forensics and Incident Response

(ASCII banner reading "DFIR PLATFORM")

**Open-source, SOC-ready DFIR investigation platform** with capabilities approaching Velociraptor, Chainsaw, Hayabusa and Timesketch, built entirely in Python.

## Architecture

```
dfir_platform/
├── core/                        # Engine, models, pipeline, scoring
│   ├── engine.py                # DFIREngine — 9-stage async pipeline
│   ├── models.py                # Pydantic v2 data models
│   ├── pipeline.py              # Stage orchestrator
│   ├── config.py                # PlatformConfig (YAML + env)
│   ├── threat_scorer.py         # Composite 0–100 threat score
│   └── timeline.py              # Attack timeline reconstruction
│
├── modules/                     # Artifact parsers
│   ├── evtx/parser.py           # .evtx, JSON, CSV (python-evtx)
│   ├── registry/parser.py       # Registry hive (regipy)
│   ├── filesystem/
│   │   ├── prefetch.py          # Windows Prefetch (libscca)
│   │   └── mft.py               # MFT CSV export (MFTECmd)
│   ├── network/firewall.py      # Firewall / DNS / Proxy logs
│   └── velociraptor/importer.py # Velociraptor JSON exports
│
├── detectors/                   # Threat detection engines
│   ├── sigma/engine.py          # Sigma rules (900+ built-in + dynamic load)
│   ├── lolbins/detector.py      # 13 LOLBin signatures
│   ├── ransomware/detector.py   # Shadow deletion, mass encryption
│   ├── lateral_movement/        # PtH, PsExec, WMI, RDP, SMB
│   ├── kerberos/detector.py     # Kerberoasting, AS-REP, Golden Ticket
│   ├── ueba/engine.py           # Statistical + Isolation Forest ML
│   └── usb/detector.py          # USB insertion events
│
├── enrichment/
│   ├── ioc_extractor.py         # Regex IOC extraction (IP/hash/domain/URL)
│   └── enricher.py              # VT / AbuseIPDB / OTX (rate-limited + cache)
│
├── reporting/
│   ├── generator.py             # Jinja2 HTML + WeasyPrint PDF reports
│   └── dashboard.html           # Full SOC dashboard (standalone HTML)
│
├── siem/exporter.py             # Elasticsearch / OpenSearch / Splunk HEC
├── api/main.py                  # FastAPI REST backend
├── main.py                      # CLI entry point
├── tests/test_platform.py       # 37 unit tests
└── requirements.txt
```

## Quick Start

### 1. Install dependencies

```
pip install -r requirements.txt
```

### 2. Run a full investigation

```
python main.py investigate \
  --artifacts /path/to/evidence/ \
  --case-id IR-2025-001 \
  --case-name "Suspected APT Intrusion" \
  --analyst "J. Smith" \
  --output ./output/
```

### 3. Start the SOC Dashboard

```
python main.py dashboard --port 8000
# open http://localhost:8000/dashboard.html
```

### 4. Run the demo (no artifacts required)

```
python main.py demo --output ./output/
```

## Investigation Pipeline

```
[1] Artifact Ingest    → Validate .evtx, .json, .csv, registry, prefetch, MFT
[2] Parallel Parse     → Multi-threaded, all artifact types simultaneously
[3] Threat Detection   → Sigma + LOLBins + Ransomware + Lateral Movement + Kerberos + USB
[4] IOC Extraction     → Regex: IPv4, SHA256/SHA1/MD5, URLs, domains
[5] IOC Enrichment     → VirusTotal v3, AbuseIPDB, AlienVault OTX (cached, rate-limited)
[6] Timeline Build     → Chronological attack timeline from all alerts
[7] UEBA Analysis      → Brute force, after-hours, privilege abuse, Isolation Forest ML
[8] Threat Scoring     → Composite 0–100 score (Sigma 35% + Behavioral 30% + UEBA 20% + IOC 15%)
[9] Report Generation  → Interactive HTML report + PDF
```

## Detection Coverage

| Module | What it detects | MITRE ATT&CK |
|-----------------------|------------------------------------------------------|----------------------|
| **Sigma Engine** | 900+ built-in rules + dynamic YAML loading | Multiple |
| **LOLBins** | certutil, mshta, regsvr32, bitsadmin, powershell... | T1218, T1197, T1059 |
| **Ransomware** | Shadow copy deletion, known ransomware processes, mass file writes | T1490, T1486 |
| **Lateral Movement** | PtH, PsExec, WMI subscriptions, RDP, SMB admin$ | T1550, T1021, T1047 |
| **Kerberos** | Kerberoasting, AS-REP roasting, Golden Ticket | T1558.001–.004 |
| **UEBA Statistical** | Brute force, after-hours activity, privilege escalation | T1110, T1078 |
| **UEBA ML** | Isolation Forest anomaly detection | — |
| **USB** | Mass-storage device insertion, policy blocks | T1091 |

## Threat Scoring

```
Score = Sigma(35%) + Behavioral(30%) + UEBA(20%) + IOC(15%)

Critical ≥ 65
High     ≥ 35
Medium   ≥ 15
Low      < 15
```

## Configuration

```
# config.yaml
case_id: IR-2025-001
case_name: Ransomware Investigation
analyst: SOC Team
sigma_rules_path: /opt/sigma-rules/
enrich_iocs: true
output_dir: ./output/
siem_export: true
siem_url: http://elasticsearch:9200/_bulk
siem_index_prefix: dfir
```

```
python main.py investigate --artifacts /evidence/ --config config.yaml
```

### Environment variables

```
export VT_API_KEY=your_virustotal_api_key
export ABUSEIPDB_API_KEY=your_abuseipdb_key
export OTX_API_KEY=your_otx_key
```

## REST API

| Method | Endpoint | Description |
|--------|-----------------------------------|--------------------------|
| GET | `/api/health` | Health check |
| POST | `/api/cases` | Create an investigation case |
| GET | `/api/cases` | List all cases |
| GET | `/api/cases/{id}/summary` | Threat score + statistics |
| GET | `/api/cases/{id}/alerts` | All detection alerts |
| GET | `/api/cases/{id}/iocs` | Extracted IOCs |
| GET | `/api/cases/{id}/timeline` | Attack timeline |
| GET | `/api/cases/{id}/report/html` | Download the HTML report |
| POST | `/api/investigate` | Start an investigation |
| POST | `/api/iocs/search` | Search IOCs across cases |
| POST | `/api/demo` | Load the demo APT scenario |

Interactive docs: `http://localhost:8000/api/docs`

## SOC Dashboard Features

- **Overview**: threat score gauge, severity charts, MITRE heat map, alert counters
- **Alerts**: filterable table with severity, detector and technique columns
- **Timeline**: chronological reconstruction of the attack chain
- **IOCs**: enriched indicators with VT/AbuseIPDB/OTX scores
- **Process tree**: parent/child process visualization (D3.js)
- **Attack graph**: force-directed graph of attacker activity (D3.js)
- **Sigma rules**: live rule browser with MITRE mappings
- **MITRE ATT&CK**: heat map of detected techniques

## Tests

```
# full test suite (requires pydantic)
pytest tests/test_platform.py -v

# logic tests only (no dependencies)
python tests/test_platform.py
```

**37 tests** covering: models, scoring, Sigma detection, ransomware, LOLBins, Kerberos attacks, lateral movement, UEBA, IOC extraction, USB detection.

## Extending the Platform

### Adding a custom Sigma rule

```
# rules/custom/my_rule.yml
title: Custom Detection
id: custom-001
status: experimental
level: high
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    CommandLine|contains: 'evil_string'
  condition: selection
```

```
python main.py investigate --artifacts /evidence/ --sigma ./rules/
```

### Adding a custom detector

```
# detectors/custom/my_detector.py
from core.models import Alert, Severity


class MyDetector:
    def detect(self, result) -> None:
        # result.events holds the parsed events; append to result.alerts
        # so the alert is picked up by scoring, the timeline and the report.
        for event in result.events:
            if "suspicious" in (event.command_line or ""):
                result.alerts.append(Alert(
                    title="Custom Detection",
                    severity=Severity.HIGH,
                    detector="custom",
                    timestamp=event.timestamp,
                ))
```

## Demo Case: Operation Dark Horizon

Includes a complete synthetic APT scenario (`python main.py demo`):

```
02:30 [LOW]      After-hours login: jsmith @ WORKSTATION-042
03:00 [HIGH]     Brute force: 47 failures against administrator @ DC-01
03:02 [LOW]      Net user /domain reconnaissance
03:05 [MEDIUM]   USB device inserted: SanDisk Ultra 64GB
03:10 [CRITICAL] Kerberoasting: 23 RC4 TGS requests, 8 service accounts
03:15 [CRITICAL] Office macro: WINWORD.EXE → PowerShell
03:17 [HIGH]     Encoded PowerShell execution
03:20 [HIGH]     certutil.exe downloaded payload.exe from 185.220.101.47
03:26 [CRITICAL] Mimikatz: sekurlsa::logonpasswords
03:40 [CRITICAL] C2 beacon to evil-c2.darkweb.ru:443
03:50 [CRITICAL] Pass-the-Hash: jsmith → DC-01 (NTLM KeyLength=0)
04:15 [HIGH]     WMI remote execution on FILESERVER-01
04:30 [CRITICAL] Golden Ticket created (KRBTGT hash)
04:48 [CRITICAL] vssadmin delete shadows — all shadow copies destroyed

Threat Score: 87.4/100 | Level: CRITICAL | 7 malicious IOCs
```

## License

MIT License, free for SOC teams, incident responders and security researchers.
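Worked example for the "Adding a custom Sigma rule" section and the Sigma engine stage of the pipeline. This is an added example, not the project's `detectors/sigma/engine.py`: a minimal matcher that evaluates rules like `rules/custom/my_rule.yml` against parsed process_creation events. The rules are written as Python dicts here (a real loader would `yaml.safe_load` the `.yml` files), the second rule (`custom-002`), its `filter` selection and all sample events are constructed for the example, and the `-enc`/`sccm_agent.exe` values are illustrative. Two Sigma semantics that are easy to get wrong are reproduced: string matching is case-insensitive by default, and a list of values is OR-ed unless the `|all` modifier is present.

```python
"""Minimal Sigma matcher for Windows process_creation events (added example).

Supports the string modifiers contains/startswith/endswith, the |all modifier,
single or list values, and conditions built from selection names with
and/or/not/parentheses. Conditions such as '1 of selection*' are not handled.
"""
import ast
from typing import Any, Dict, List, Tuple

# The rule from rules/custom/my_rule.yml, as a dict (normally loaded from YAML).
CUSTOM_RULE = {
    "title": "Custom Detection", "id": "custom-001", "level": "high",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {"selection": {"CommandLine|contains": "evil_string"},
                  "condition": "selection"},
}

# Constructed second rule exercising list values, |all and a filter selection.
ENCODED_PS_RULE = {
    "title": "Encoded PowerShell (example)", "id": "custom-002", "level": "high",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {"Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
                      "CommandLine|contains|all": ["-enc", "-nop"]},
        # hypothetical allow-list: a management agent that legitimately uses -enc
        "filter": {"ParentImage|endswith": "\\sccm_agent.exe"},
        "condition": "selection and not filter",
    },
}


def _match_value(field_value: Any, modifiers: List[str], pattern: str) -> bool:
    """Apply a Sigma string modifier; Sigma matching is case-insensitive by default."""
    haystack, needle = str(field_value).lower(), str(pattern).lower()
    if "contains" in modifiers:
        return needle in haystack
    if "startswith" in modifiers:
        return haystack.startswith(needle)
    if "endswith" in modifiers:
        return haystack.endswith(needle)
    return haystack == needle  # exact match when no modifier is given


def _match_selection(selection: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """Every field in a selection must match (implicit AND between fields)."""
    for key, patterns in selection.items():
        field, *modifiers = key.split("|")
        if field not in event:
            return False
        values = patterns if isinstance(patterns, list) else [patterns]
        hits = [_match_value(event[field], modifiers, p) for p in values]
        # list values are OR-ed unless the |all modifier is present
        if not (all(hits) if "all" in modifiers else any(hits)):
            return False
    return True


def _eval_condition(condition: str, flags: Dict[str, bool]) -> bool:
    """Evaluate 'selection and not filter'-style conditions via the AST (no eval())."""
    try:
        tree = ast.parse(condition, mode="eval").body
    except SyntaxError as exc:
        raise ValueError(f"unsupported condition: {condition!r}") from exc

    def walk(node: ast.AST) -> bool:
        if isinstance(node, ast.Name):
            return flags[node.id]
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
            return not walk(node.operand)
        if isinstance(node, ast.BoolOp):
            combine = all if isinstance(node.op, ast.And) else any
            return combine(walk(v) for v in node.values)
        raise ValueError(f"unsupported condition: {condition!r}")

    return walk(tree)


def match_rule(rule: Dict[str, Any], event: Dict[str, Any]) -> bool:
    detection = rule["detection"]
    flags = {name: _match_selection(sel, event)
             for name, sel in detection.items() if name != "condition"}
    return _eval_condition(detection["condition"], flags)


def run_rules(rules: List[Dict[str, Any]], events: List[Dict[str, Any]]) -> List[Tuple[str, str, Dict[str, Any]]]:
    """Return (rule id, rule title, event) for every rule/event pair that matches."""
    return [(r["id"], r["title"], ev) for ev in events for r in rules if match_rule(r, ev)]


# Constructed events; field names follow Sigma's windows/process_creation schema.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "cmd.exe /c EVIL_String.bat"},                     # hits custom-001 (case-insensitive)
    {"Image": PS, "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA..."},  # hits custom-002
    {"Image": PS, "ParentImage": "C:\\Windows\\CCM\\sccm_agent.exe",
     "CommandLine": "powershell.exe -nop -enc SQBFAFgA..."},            # suppressed by filter
    {"Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "notepad.exe notes.txt"},                          # benign
]

if __name__ == "__main__":
    for rule_id, title, ev in run_rules([CUSTOM_RULE, ENCODED_PS_RULE], SAMPLE_EVENTS):
        print(f"[{rule_id}] {title}: {ev['CommandLine']}")
```

The condition is parsed with Python's `ast` rather than `eval()` because Sigma's `and`/`or`/`not` syntax happens to coincide with Python's for these operators, and walking the tree rejects anything that is not a selection name or a boolean operator; rule files are untrusted input once you accept community rule packs.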
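Worked example for pipeline stage [4], IOC Extraction (IPv4, SHA256/SHA1/MD5, URLs, domains). This is an added example, not the project's `enrichment/ioc_extractor.py`; the input text is constructed in the style of the demo timeline, and the TLD allow-list is a small hand-picked set (a production extractor would load the IANA TLD list). It shows two details a regex extractor needs to get right: hash patterns need word boundaries so a SHA256 is not also reported as a 32- or 40-character substring, and a bare domain regex will happily report file names such as `payload.exe` unless the last label is checked against known TLDs.

```python
"""Regex IOC extraction with boundary and TLD checks (added example)."""
import re
from typing import Dict, Iterable, List

# Constructed sample input in the style of the demo timeline (not real telemetry).
SAMPLE_TEXT = """
03:20 [HIGH] certutil.exe downloaded payload.exe from 185.220.101.47
03:40 [CRITICAL] C2 beacon to evil-c2.darkweb.ru:443
03:41 [INFO] stage2 fetched from http://evil-c2.darkweb.ru/a/update.bin
sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
md5=d41d8cd98f00b204e9800998ecf8427e  sha1=da39a3ee5e6b4b0d3255bfef95601890afd80709
"""

IPV4 = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
# \b on both sides: inside a 64-hex SHA256 there is no word boundary, so the
# MD5 and SHA1 patterns cannot match its 32-/40-character prefixes or suffixes.
MD5 = re.compile(r"\b[a-fA-F0-9]{32}\b")
SHA1 = re.compile(r"\b[a-fA-F0-9]{40}\b")
SHA256 = re.compile(r"\b[a-fA-F0-9]{64}\b")
URL = re.compile(r"\bhttps?://[^\s'\"<>]+")
# Labels per RFC 1035 limits; the final label must be alphabetic, which also
# keeps dotted IPv4 addresses out of the domain list.
DOMAIN = re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\b", re.I)

# Hand-picked allow-list for the example; load the IANA TLD list in production.
KNOWN_TLDS = {"com", "net", "org", "ru", "io", "info", "xyz", "top"}


def _uniq(values: Iterable[str]) -> List[str]:
    """De-duplicate while keeping first-seen order (stable for reports)."""
    seen, out = set(), []
    for v in values:
        if v not in seen:
            seen.add(v)
            out.append(v)
    return out


def _is_domain(candidate: str) -> bool:
    """Reject file names like payload.exe or update.bin by checking the TLD."""
    return candidate.rsplit(".", 1)[-1].lower() in KNOWN_TLDS


def extract_iocs(text: str) -> Dict[str, List[str]]:
    """Return ordered, de-duplicated IOCs by type; hashes and domains are lower-cased."""
    return {
        "ipv4": _uniq(IPV4.findall(text)),
        "md5": _uniq(h.lower() for h in MD5.findall(text)),
        "sha1": _uniq(h.lower() for h in SHA1.findall(text)),
        "sha256": _uniq(h.lower() for h in SHA256.findall(text)),
        "url": _uniq(URL.findall(text)),
        "domain": _uniq(d.lower() for d in DOMAIN.findall(text) if _is_domain(d)),
    }


if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_TEXT).items():
        print(f"{kind:7s} {values}")
```

Hosts inside URLs are reported in both the `url` and `domain` lists on purpose: the enrichment stage looks up domains and URLs with different VirusTotal/OTX endpoints, so both forms are useful downstream.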