Heera-V/YARA-L-Detection-Rules
GitHub: Heera-V/YARA-L-Detection-Rules
A collection of YARA-L threat detection rules written for the Google Chronicle platform, covering common attack scenarios such as brute-force logins, suspicious processes and command execution.
Stars: 0 | Forks: 0
# YARA-L Detection Rules
YARA-L detection rules for security monitoring and threat detection.
Rule: Multiple_Failed_logins

```
rule Multiple_Failed_logins {
  meta:
    author = "Heera Verma"
    description = "用户多次登录失败"

  events:
    // blocked login attempts, grouped by user and source IP
    $f.metadata.event_type = "USER_LOGIN"
    $f.security_result.action = "BLOCK"
    $f.principal.user.userid = $userid
    $f.principal.ip = $ip

  match:
    // the match section only lists the grouping variables and the window;
    // the event count belongs in the condition section
    $userid, $ip over 10m

  outcome:
    $risk_score = 70

  condition:
    // at least five blocked logins for the same user/IP within 10 minutes
    #f >= 5
}
```
Rule: Successful_Login_After_Failures

```
rule Successful_Login_After_Failures {
  meta:
    author = "Heera Verma"
    description = "同一用户/IP 在 3 次被阻止的登录后成功登录"

  events:
    // $f: blocked login attempts
    $f.metadata.event_type = "USER_LOGIN"
    $f.security_result.action = "BLOCK"
    $f.target.user.userid = $userid
    $f.principal.ip = $ip

    // $s: a successful login for the same user and source IP
    $s.metadata.event_type = "USER_LOGIN"
    $s.security_result.action = "ALLOW"
    $s.target.user.userid = $userid
    $s.principal.ip = $ip

  match:
    $userid, $ip over 1h

  outcome:
    $risk_score = 80

  condition:
    // three or more blocked logins plus at least one successful login in the window
    #f >= 3 and $s
}
```
Rule: Detect_Powershell_Encoded_Command

```
rule Detect_Powershell_Encoded_Command {
  meta:
    author = "Heera Verma"
    description = "检测 Powershell 编码命令"

  events:
    // event_type lives under metadata in the UDM schema
    $e.metadata.event_type = "PROCESS_EXEC"
    $e.process.process_name = "powershell.exe"
    // nocase is the YARA-L case-insensitivity modifier; a trailing /i flag is not valid syntax
    $e.process.command_line = /-encodedCommand\b/ nocase
    // a match section needs a placeholder variable, not the event variable itself;
    // grouping by asset follows the convention of the other rules in this set
    $e.principal.asset.asset_id = $asset_id

  match:
    $asset_id over 1h

  outcome:
    $risk_score = 70

  condition:
    $e
}
```
Rule: Suspicious_Parent_Child_Process

```
rule Suspicious_Parent_Child_Process {
  meta:
    author = "Heera Verma"
    description = "检测敏感子进程是否由异常父进程生成"

  events:
    // cmd.exe spawned by rundll32.exe, an unusual parent for a shell
    $e.metadata.event_type = "PROCESS_EXEC"
    $e.process.process_name = "cmd.exe"
    $e.process.parent.process_name = "rundll32.exe"
    $e.principal.asset.asset_id = $asset_id
    $e.principal.user.userid = $userid

  match:
    $asset_id, $userid over 1h

  outcome:
    $risk_score = 80

  condition:
    $e
}
```
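Added example (not part of the repository): a Python approximation of the Successful_Login_After_Failures logic, run over constructed login events so the 1h window and the three-failure threshold can be checked offline before deploying the rule. It additionally requires the blocked attempts to precede the successful login, which the YARA-L rule does not enforce on its own; the event tuple layout, user names and IPs are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed UDM-like login events for illustration (timestamp, event_type, action, userid, ip).
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00", "USER_LOGIN", "BLOCK", "alice", "203.0.113.7"),
    ("2024-01-01T10:05:00", "USER_LOGIN", "BLOCK", "alice", "203.0.113.7"),
    ("2024-01-01T10:10:00", "USER_LOGIN", "BLOCK", "alice", "203.0.113.7"),
    ("2024-01-01T10:12:00", "USER_LOGIN", "ALLOW", "alice", "203.0.113.7"),  # 3 blocks, then success
    ("2024-01-01T09:00:00", "USER_LOGIN", "BLOCK", "bob", "198.51.100.9"),
    ("2024-01-01T09:10:00", "USER_LOGIN", "BLOCK", "bob", "198.51.100.9"),
    ("2024-01-01T09:20:00", "USER_LOGIN", "ALLOW", "bob", "198.51.100.9"),  # only 2 blocks
    ("2024-01-01T08:00:00", "USER_LOGIN", "BLOCK", "carol", "192.0.2.5"),
    ("2024-01-01T08:10:00", "USER_LOGIN", "BLOCK", "carol", "192.0.2.5"),
    ("2024-01-01T08:20:00", "USER_LOGIN", "BLOCK", "carol", "192.0.2.5"),
    ("2024-01-01T09:30:00", "USER_LOGIN", "ALLOW", "carol", "192.0.2.5"),  # blocks fall outside 1h
    ("2024-01-01T10:11:00", "NETWORK_HTTP", "BLOCK", "alice", "203.0.113.7"),  # not a login, ignored
]


def successful_login_after_failures(events, min_failures=3, window=timedelta(hours=1), risk_score=80):
    """Return one detection per ALLOW login preceded by >= min_failures BLOCK logins
    from the same (userid, ip) pair within `window`, mirroring the rule's match/condition."""
    logins = defaultdict(list)
    for ts, event_type, action, userid, ip in events:
        if event_type != "USER_LOGIN":  # events section filter
            continue
        logins[(userid, ip)].append((datetime.fromisoformat(ts), action))  # match variables

    detections = []
    for (userid, ip), rows in logins.items():
        rows.sort()
        for ts, action in rows:
            if action != "ALLOW":
                continue
            # count blocked attempts inside the window that ends at the successful login
            failures = sum(1 for t, a in rows if a == "BLOCK" and ts - window <= t <= ts)
            if failures >= min_failures:  # condition: #f >= 3 and $s
                detections.append({"userid": userid, "ip": ip, "login_at": ts.isoformat(),
                                   "failures": failures, "risk_score": risk_score})
    return sorted(detections, key=lambda d: d["login_at"])


if __name__ == "__main__":
    for detection in successful_login_after_failures(SAMPLE_EVENTS):
        print(detection)
```

Only alice triggers: bob has too few failures and carol's failures are older than the window, which is the kind of boundary worth confirming before tuning the rule's thresholds.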