abdillahisaidismail-arch/threat-hunt-mitre

# Threat Hunt MITRE **MITRE ATT&CK 映射威胁狩猎工具包** 一个基于 Python 的威胁狩猎工具包，用于生成逼真的企业日志数据，跨 11 个战术搜寻 19 种 MITRE ATT&CK 技术，并将结果导出为 ATT&CK Navigator 图层。 ## 功能特性 - **日志数据集生成器** — 生成包含嵌入攻击模式的逼真 Windows Event Logs、网络流和端点遥测数据 - **11 个搜寻模块** — 每个 ATT&CK 战术对应一个模块，涵盖 19 种技术 - **搜寻引擎** — 加载日志，运行所有搜寻器，按置信度对发现进行评分 - **ATT&CK Navigator 导出** — 为 [MITRE ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/) 生成 JSON 图层 - **终端仪表板** — Kill chain 可视化、热力图和发现结果表 - **完整测试套件** — 覆盖所有模块的 pytest ## 支持的技术 | Tactic (战术) | Techniques (技术) | |--------|-----------| | Initial Access | T1078 Valid Accounts, T1566 Phishing | | Execution | T1059 Command and Scripting, T1053 Scheduled Task | | Persistence | T1547 Boot/Logon Autostart, T1136 Create Account | | Privilege Escalation | T1548 Abuse Elevation Control | | Defense Evasion | T1070 Indicator Removal, T1036 Masquerading | | Credential Access | T1003 OS Credential Dumping, T1110 Brute Force | | Discovery | T1087 Account Discovery, T1046 Network Service Scan | | Lateral Movement | T1021 Remote Services | | Collection | T1005 Data from Local System | | Exfiltration | T1041 Exfil Over C2, T1048 Exfil Over Alt Protocol | | Command & Control | T1071 Application Layer Protocol, T1573 Encrypted Channel | ## 安装说明 ``` pip install -e . ``` 用于开发： ``` pip install -e ".[dev]" ``` ## 快速入门 ### 生成与搜寻（单条命令） ``` threat-hunt hunt -r output/report.json -l output/navigator_layer.json ``` ### 分步操作 ``` # 1. 生成合成日志数据集 threat-hunt generate -o output/logs.jsonl -c 5000 # 2. 对日志运行威胁狩猎 threat-hunt hunt -i output/logs.jsonl -r output/report.json -l output/layer.json # 3. 列出支持的技巧 threat-hunt techniques -v # 4. 从现有报告中导出 Navigator 层 threat-hunt navigator output/report.json -o output/layer.json ``` ### Python API ``` from threat_hunt_mitre.generators.log_generator import generate_dataset from threat_hunt_mitre.engine import HuntEngine # 生成包含嵌入攻击的日志 events = generate_dataset(num_normal_events=5000) # 运行 Hunt engine = HuntEngine() engine.load_events(events) findings = engine.run() # 打印结果 for f in findings: print(f"{f.technique_id} [{f.severity}] {f.description}") # 导出 ATT&CK Navigator 层 engine.export_navigator_layer("output/navigator_layer.json") ``` ## ATT&CK Navigator 集成 1. 运行搜寻并导出图层：`threat-hunt hunt -l layer.json` 2. 打开 [ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/) 3. 点击 **Open Existing Layer** → **Upload from local** → 选择 `layer.json` ## 项目结构 ``` threat-hunt-mitre/ ├── threat_hunt_mitre/ │ ├── __init__.py │ ├── cli.py # Command-line interface │ ├── engine.py # Hunt orchestration engine │ ├── mitre_attack.py # ATT&CK technique mapping & Navigator export │ ├── generators/ │ │ └── log_generator.py # Synthetic log dataset generator │ ├── hunters/ │ │ ├── base.py # Base hunter class │ │ ├── initial_access.py # T1078, T1566 │ │ ├── execution.py # T1059, T1053 │ │ ├── persistence.py # T1547, T1136 │ │ ├── privilege_escalation.py # T1548 │ │ ├── defense_evasion.py # T1070, T1036 │ │ ├── credential_access.py # T1003, T1110 │ │ ├── discovery.py # T1087, T1046 │ │ ├── lateral_movement.py # T1021 │ │ ├── collection.py # T1005 │ │ ├── exfiltration.py # T1041, T1048 │ │ └── command_control.py # T1071, T1573 │ └── reports/ │ └── terminal.py # Terminal dashboard & heatmap ├── tests/ │ ├── test_mitre_attack.py │ ├── test_generators.py │ ├── test_hunters.py │ ├── test_engine.py │ └── test_cli.py ├── pyproject.toml ├── LICENSE └── README.md ``` ## 运行测试 ``` pytest -v ``` ## 许可证 MIT License — 详情请参阅 [LICENSE](LICENSE)。 ## 作者 **Abdillahi Said Ismail** — [@abdillahisaidismail-arch](https://github.com/abdillahisaidismail-arch)

标签：AMSI绕过, ATT&CK 导航器, Cloudflare, CSV导出, DNS 解析, Homebrew安装, HTTP工具, IP 地址批量处理, MITRE ATT&CK, PE 加载器, PoC, Python, Windows 事件日志, 侦察发现, 凭证访问, 初始访问, 协议分析, 合法账户, 命令与控制, 威胁检测, 子域名变形, 安全规则引擎, 安全运营, 执行, 扫描框架, 插件系统, 攻击链, 数据渗出, 文档结构分析, 无后门, 暴力破解, 杀伤链, 权限提升, 模拟数据, 横向移动, 私有化部署, 端点检测, 编程规范, 网络安全, 远程服务, 逆向工具, 防御规避, 隐私保护