robertsdarin79-max/Blue-Team-Home-Lab-SIEM-Deployment-Honeypot-Monitoring-Custom-Detection-Rules

GitHub: robertsdarin79-max/Blue-Team-Home-Lab-SIEM-Deployment-Honeypot-Monitoring-Custom-Detection-Rules

A blue-team threat detection rule set written in Sigma and Splunk SPL, covering credential attacks, command execution, C2 communication and other MITRE ATT&CK techniques, with cross-SIEM conversion, suited to building a home security lab.

Stars: 0 | Forks: 0

# Custom Detection Rules

This directory contains custom detection rules written in **Sigma** (generic format) and **Splunk SPL**. Each rule is mapped to a MITRE ATT&CK technique.

## Rule Index

| Rule | Severity | MITRE ATT&CK | Format |
|------|----------|--------------|--------|
| SSH Brute Force | High | T1110.001 | Sigma + SPL |
| Password Spraying | High | T1110.003 | Sigma + SPL |
| New Administrator Account | High | T1136.001 | Sigma |
| Scheduled Task Creation | Medium | T1053.005 | Sigma |
| PowerShell Encoded Command | Medium | T1059.001 | Sigma + SPL |
| Outbound Connection to TOR | High | T1090.003 | Sigma |
| Port Scan Detected | Medium | T1046 | SPL |
| Large File Exfiltration | Medium | T1041 | SPL |
| Honeypot Access Detected | Critical | T1078 | SPL |
| Privilege Escalation via Sudo | High | T1548.003 | Sigma |

## Rule Files

- [`sigma-rules/`](sigma-rules/) — Sigma format (convertible to any SIEM)
- [`splunk-alerts/`](splunk-alerts/) — ready-to-use SPL queries

## How to Use the Sigma Rules

Conversion is done with `sigma-cli` (pySigma). Each output backend is a separate plugin and has to be installed once:

```bash
pip install sigma-cli
sigma plugin install elasticsearch
sigma plugin install splunk
```

### Convert to an Elasticsearch query

```bash
sigma convert -t elasticsearch sigma-rules/ssh_brute_force.yml
```

The original command also passed `-p ecs_windows`. That pipeline renames Windows event fields to ECS and has nothing to map in a Linux `auth` rule, so it is omitted here; pass a pipeline only when the rule's field names differ from the ones in your index.

### Convert to Splunk SPL

```bash
sigma convert -t splunk sigma-rules/ssh_brute_force.yml
```

### Convert for Kibana

`sigma-cli` has no `kibana` target. The Elasticsearch backend emits Lucene query-string syntax by default, and its `kibana_ndjson` output format writes a saved-search file that Kibana can import (run `sigma list formats elasticsearch` to see the formats your installed version offers):

```bash
sigma convert -t elasticsearch -f kibana_ndjson sigma-rules/ssh_brute_force.yml
```

## Rule: SSH Brute Force Detection

**File:** `sigma-rules/ssh_brute_force.yml`

The original rule expressed the threshold with the legacy aggregation syntax `condition: selection | count() by src_ip > 10`, which `sigma-cli` does not support. The file is therefore split into a base rule that matches one failure and a Sigma correlation rule that counts failures per source address:

```yaml
# Base rule: a single failed SSH authentication. Field names are ECS
# (process.name, event.outcome, source.ip), so the events must already be
# normalized, for example by the Filebeat system module.
title: SSH Authentication Failure
name: ssh_auth_failure
status: stable
description: One failed SSH authentication; counted by the correlation rule below
references:
  - https://attack.mitre.org/techniques/T1110/001/
author: Blue Team Lab
date: 2024-01-15
tags:
  - attack.credential_access
  - attack.t1110.001
logsource:
  product: linux
  service: auth
detection:
  selection:
    process.name: sshd
    event.outcome: failure
  condition: selection
falsepositives:
  - Legitimate users mistyping passwords repeatedly
level: low
---
# Correlation rule: more than 10 failures from one source address in 60 s.
title: SSH Brute Force Attack
id: a8b2c3d4-e5f6-7890-abcd-ef1234567890
status: stable
description: Detects repeated SSH authentication failures indicating a brute force attack
author: Blue Team Lab
date: 2024-01-15
tags:
  - attack.credential_access
  - attack.t1110.001
correlation:
  type: event_count
  rules:
    - ssh_auth_failure
  group-by:
    - source.ip
  timespan: 60s
  condition:
    gt: 10
level: high
```

The `group-by` field is `source.ip` rather than the original `src_ip`, so that all field names in the file follow the same ECS convention. Only backends whose query language can aggregate (SPL, ES|QL) can render the correlation part; a plain Lucene query string cannot, so expect an error or a base-rule-only result from those targets.

## Rule: New Administrator Account

**File:** `sigma-rules/new_admin_account.yml`

```yaml
title: New Administrator Account Created
id: b9c3d4e5-f6a7-8901-bcde-fa2345678901
status: stable
description: Detects creation of a new user account with admin/sudo privileges
references:
  - https://attack.mitre.org/techniques/T1136/001/
author: Blue Team Lab
date: 2024-01-15
tags:
  - attack.persistence
  - attack.t1136.001
logsource:
  product: linux
  service: auth
detection:
  selection:
    message|contains:
      - 'new user'
      - 'useradd'
  filter_legit:
    - user: 'root'
  # The original rule carried "timeframe: outside_business_hours", which is
  # not valid Sigma (timeframe takes a duration such as 60s). Restrict the
  # alert to off-hours in the SIEM's scheduling instead.
  condition: selection and not filter_legit
falsepositives:
  - Legitimate system administration activity
  - Automated provisioning scripts
level: high
```

Two things to check before trusting this rule. First, the selection fires on every `useradd`, not only on accounts that receive admin rights; the grant itself appears as a separate `usermod` line (`add 'name' to group 'sudo'`), which the rule does not look for. Second, `user` is whatever field your parser supplies for the account that ran `useradd`; raw `auth.log` lines carry no such field, and since `useradd` normally runs as root the filter can silence the rule entirely. Verify against your own logs before deploying.

## Rule: PowerShell Encoded Command

**File:** `sigma-rules/powershell_encoded.yml`

```yaml
title: PowerShell Encoded Command Execution
id: c0d4e5f6-a7b8-9012-cdef-ab3456789012
status: stable
description: Detects PowerShell execution with encoded commands, commonly used to obfuscate malicious scripts
references:
  - https://attack.mitre.org/techniques/T1059/001/
author: Blue Team Lab
date: 2024-01-15
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
    CommandLine|contains:
      - ' -EncodedCommand '
      - ' -enc '
      - ' -e '
  filter_legit:
    ParentImage|endswith:
      - '\sccm.exe'
      - '\msiexec.exe'
  condition: selection and not filter_legit
falsepositives:
  - Legitimate administrative scripts
  - Software installers using encoded commands
level: medium
```

Sigma string matching is case-insensitive, so the three patterns also cover `-EncodedCommand`, `-ENC` and `-E`. The surrounding spaces keep ` -e ` from matching `-ep` or `-ex`, but they also mean that other abbreviations PowerShell accepts, such as `-ec`, go undetected. The SCCM client agent runs as `CcmExec.exe`, so confirm the parent image names in `filter_legit` against your own process-creation logs before relying on the filter.

## Rule: TOR Outbound Connection

**File:** `sigma-rules/tor_connection.yml`

```yaml
title: Outbound Connection to Known TOR Exit Node
id: d1e5f6a7-b8c9-0123-defa-bc4567890123
status: stable
description: Detects outbound network connections to known TOR exit nodes, which may indicate C2 communications or data exfiltration
references:
  - https://attack.mitre.org/techniques/T1090/003/
author: Blue Team Lab
date: 2024-01-15
tags:
  - attack.command_and_control
  - attack.t1090.003
logsource:
  category: network_connection
  product: linux
detection:
  selection:
    dst_port:
      - 9001
      - 9030
      - 9050
      - 9051
  condition: selection
falsepositives:
  - Intentional TOR usage for privacy
level: high
```

Despite the title, this rule matches destination ports only. 9001 and 9030 are the default ORPort and DirPort of Tor relays, while 9050 and 9051 are the SOCKS and control ports of a local Tor client, so a hit on the latter two usually means Tor is installed on the monitored host rather than that it reached an exit node. Relays listening on 443 or 80 are missed; to live up to the title, match the destination address against the Tor Project's published exit/relay list. The `dst_port` field name must be mapped to your source (`DestinationPort` for Sysmon, `id.resp_p` for Zeek) with a pipeline.

## Splunk SPL Queries

### SSH brute force (more than 10 failures in 60 s)

```
index=linux_logs source="/var/log/auth.log" "Failed password"
| rex field=_raw "from (?<src_ip>\d+\.\d+\.\d+\.\d+)"
| bucket _time span=60s
| stats count as failures by src_ip, _time
| where failures > 10
| table _time, src_ip, failures
| sort -failures
```

The named capture groups were lost in the original rendering and are restored above. `bucket` uses fixed 60 s windows, so a burst that straddles a boundary is split across two buckets and may stay under the threshold in both.

### Password spraying (one IP, one failure each across many users)

```
index=linux_logs "Failed password"
| rex field=_raw "for (?:invalid user )?(?<username>\S+) from (?<src_ip>\d+\.\d+\.\d+\.\d+)"
| bucket _time span=300s
| stats dc(username) as unique_users, count as attempts by src_ip, _time
| where unique_users > 5 AND attempts < 20
| table _time, src_ip, unique_users, attempts
```

`sshd` logs non-existent accounts as `Failed password for invalid user NAME from ...`; without the optional `(?:invalid user )?` group every such line yields the username `invalid`, which collapses a spray against unknown accounts into a single user.

### Honeypot access alert

```
index=cowrie_logs OR index=opencanary_logs
| eval honeypot_service=if(index="cowrie_logs","SSH",coalesce(service,"Unknown"))
| stats count as hits, values(src_ip) as attacking_ips by honeypot_service
| sort -hits
| table honeypot_service, hits, attacking_ips
```

### Large file exfiltration

```
index=network_logs
| where dest_bytes > 10000000
| eval mb_transferred=round(dest_bytes/1048576,2)
| table _time, src_ip, dest_ip, dest_port, mb_transferred
| sort -mb_transferred
```

Exfiltration is bytes leaving the internal host, so check which direction `dest_bytes` counts in your source (Zeek's `orig_bytes` is the client-to-server volume; the Splunk CIM field is `bytes_out`) and that `src_ip` is the internal side of the connection.

### Port scan detection

```
index=firewall_logs action=blocked
| bucket _time span=60s
| stats dc(dest_port) as unique_ports, count as packets by src_ip, _time
| where unique_ports > 20
| table _time, src_ip, unique_ports, packets
| sort -unique_ports
```

## Alert Tuning Notes

All rules were tested against 30 days of live data. Results:

| Rule | True positives | False positives | Notes |
|------|----------------|-----------------|-------|
| SSH Brute Force | 94 | 2 | Admin mistyped password twice |
| Password Spraying | 12 | 0 | Clean |
| New Administrator Account | 8 | 3 | Legitimate provisioning; filter added |
| PowerShell Encoded Command | 31 | 7 | SCCM caused false positives; filter added |
| TOR Connection | 3 | 1 | Developer using TOR Browser; documented |