riyazshaikplvd/3.Threat-Detection-Incident-Response-Lab-TryHackMe-
GitHub: riyazshaikplvd/3.Threat-Detection-Incident-Response-Lab-TryHackMe-
A complete set of study notes for the SOC Level 1 Analyst path, covering hands-on skills in threat detection, log analysis, SIEM operation and incident response.
Stars: 0 | Forks: 0
# 🚨 Threat Detection & Incident Response Lab
### TryHackMe — SOC Level 1 Analyst Path




## 👤 About This Project
| Detail | Information |
|--------|------|
| **Platform** | TryHackMe |
| **Path** | SOC Level 1 Analyst |
| **Role simulated** | SOC L1 Analyst |
| **SIEM used** | Splunk |
| **Attacks analysed** | 30+ simulated scenarios |
| **Skills covered** | Log analysis, alert triage, incident response, threat intelligence |
## 🧠 What Is a SOC L1 Analyst? — Plain-Language Explanation
```
A company has hundreds of computers.
Every second → thousands of events happen.
SOC L1 Analyst job:
→ Watch the SIEM dashboard all day
→ Read security alerts
→ Decide: Is this a real attack or a false alarm?
→ If real → escalate to senior analyst
→ Write an incident report
```
## 🗂️ Full Path Coverage
## Module 1 — Cyber Defence Frameworks
### What I Learned
```
Before detecting attacks, you need to understand
HOW attackers think and operate.
```
### MITRE ATT&CK Framework
```
ATT&CK = Adversarial Tactics, Techniques & Common Knowledge
It is a big map of everything attackers do:
TACTICS (the WHY): TECHNIQUES (the HOW):
→ Reconnaissance → Port scanning
→ Initial Access → Phishing email
→ Execution → Running malware
→ Persistence → Adding startup entry
→ Privilege Escalation → Sudo abuse
→ Defense Evasion → Deleting logs
→ Exfiltration → Sending data out
```
### Cyber Kill Chain
```
Step 1: Reconnaissance → Attacker researches target
Step 2: Weaponization → Attacker builds the malware
Step 3: Delivery → Email with malicious link sent
Step 4: Exploitation → Victim clicks → malware runs
Step 5: Installation → Malware installs itself
Step 6: C2 (Command & Control) → Attacker controls the machine
Step 7: Actions on Objectives → Data stolen / damage done
```
### Pyramid of Pain
```
Hash Values → Trivial: easiest for the attacker to change (recompile = new hash)
IP Addresses → Easy to change
Domain Names → Simple: slightly harder (needs registration)
Network / Host Artifacts → Annoying
Tools → Challenging
TTPs → Tough: HARDEST to change ← best to detect
```
## Module 2 — Cyber Threat Intelligence (CTI)
### What Is Threat Intelligence?
```
Before a robbery:
Police gets a tip — "3 men, black car, targeting banks"
That tip = Threat Intelligence
In cybersecurity:
"This IP is known to send phishing emails"
"This malware family targets healthcare"
"This group uses RDP brute force in South Asia"
```
### Tools Practised
| Tool | Function |
|------|-------------|
| **VirusTotal** | Check whether a file / IP / URL is known malicious |
| **AbuseIPDB** | Check whether an IP has been reported as an attacker |
| **AlienVault OTX** | Global threat-sharing database |
| **MISP** | Share threat intelligence between organisations |
| **Shodan** | Discover devices exposed on the internet |
### IOCs vs TTPs
```
IOC = Indicator of Compromise
(evidence an attack happened)
Examples of IOCs:
→ Suspicious IP address
→ Malicious file hash
→ Phishing domain name
→ Unusual outbound connection
TTP = Tactics, Techniques, Procedures
(how the attacker operates)
Examples of TTPs:
→ Always attacks on weekends
→ Uses Mimikatz for credential dumping
→ Targets port 3389 (RDP) first
```
## Module 3 — Network Security & Traffic Analysis
### What I Learned
```
Every packet of data that moves on a network
leaves a trace.
As SOC analyst, you read those traces
to find attacks hiding in normal traffic.
```
### Wireshark — Network Packet Analysis
```
Wireshark captures every packet:
→ Who sent it? (Source IP)
→ Who received it? (Destination IP)
→ What protocol? (HTTP, DNS, FTP, SSH)
→ What was inside? (Payload data)
```
### Scenarios Analysed
**Scenario 1 — Data Exfiltration over DNS**
```
Normal DNS:
Computer asks: "What is the IP of google.com?"
DNS answers: "142.250.190.46"
Attacker's DNS exfiltration:
Computer asks: "What is secretpassword123.evil.com?"
That 'subdomain' IS the stolen data!
The query is forwarded to the attacker's own authoritative
name server for evil.com, where the attacker reads it from the query log.
How I detected it:
→ Unusually long DNS queries (long, encoded-looking labels)
→ High volume of DNS requests to one domain
→ Unknown external domain
```
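The three signs above, turned into detection logic. This is an added example and not code from the original notes or from TryHackMe; the log format (`<epoch> <client_ip> <query_name>`), the allowlist, the thresholds and the sample lines are all constructed for the demo, and `registered_domain` is a deliberately simple "last two labels" helper rather than a public-suffix lookup.

```python
import math
from collections import Counter, defaultdict

# Constructed sample log, format "<epoch> <client_ip> <query_name>" (an assumed
# simplified export, not a real resolver format). The long labels are hex-encoded
# strings standing in for stolen data; the domains are documentation-style names.
SAMPLE_DNS_LOG = """\
1710000000 10.0.0.5 www.google.com
1710000001 10.0.0.5 mail.google.com
1710000002 10.0.0.7 73656372657470617373776f7264313233.evil-example.net
1710000003 10.0.0.7 757365726e616d653a61646d696e.evil-example.net
1710000004 10.0.0.7 73657373696f6e3d616263646566313233.evil-example.net
1710000005 10.0.0.7 636172643a34313131313131313131.evil-example.net
1710000006 10.0.0.9 cdn.example.org
1710000007 10.0.0.9 updates.vendor-example.com
"""

KNOWN_GOOD_DOMAINS = {"google.com", "example.org"}   # assumed allowlist of expected domains


def registered_domain(qname: str) -> str:
    """Last two labels; fine for the demo (no public-suffix list, so co.uk-style names are wrong)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def shannon_entropy(text: str) -> float:
    """Bits per character; encoded or encrypted data sits well above natural hostnames."""
    if not text:
        return 0.0
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def find_dns_exfil(log: str, max_label_len: int = 20, min_queries: int = 3) -> dict:
    """Return {domain: stats} for non-allowlisted domains that received at least
    `min_queries` queries whose longest subdomain label exceeds `max_label_len`."""
    per_domain = defaultdict(lambda: {"queries": 0, "long_labels": 0,
                                      "max_entropy": 0.0, "clients": set()})
    for line in log.splitlines():
        _ts, client, qname = line.split()
        qname = qname.lower()
        dom = registered_domain(qname)
        # everything left of the registered domain is the part an attacker controls
        sub = qname[: -len(dom) - 1] if qname.endswith("." + dom) else ""
        d = per_domain[dom]
        d["queries"] += 1
        d["clients"].add(client)
        longest = max((len(label) for label in sub.split(".") if label), default=0)
        if longest > max_label_len:
            d["long_labels"] += 1
        d["max_entropy"] = max(d["max_entropy"], shannon_entropy(sub.replace(".", "")))
    return {
        dom: {**d, "clients": sorted(d["clients"]), "max_entropy": round(d["max_entropy"], 2)}
        for dom, d in per_domain.items()
        if dom not in KNOWN_GOOD_DOMAINS
        and d["queries"] >= min_queries
        and d["long_labels"] >= min_queries
    }


if __name__ == "__main__":
    for dom, stats in find_dns_exfil(SAMPLE_DNS_LOG).items():
        print(dom, stats)
```

The volume threshold matters: a single long label is common in CDN and anti-spam hostnames, so the rule only fires when several such queries go to the same unfamiliar domain. The entropy value is reported as a supporting signal rather than used as a hard cut-off, because hex and base32 encodings score lower than base64 and a fixed threshold would miss them.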
**Scenario 2 — Port Scan Detection**
```
Attacker scanned all 65,535 ports in about 2 minutes.
Signs in traffic:
→ SYN packets to thousands of ports
→ No full TCP handshake (closed ports answer RST; open ports get a SYN-ACK
  and the scanner drops the connection instead of completing it)
→ Same source IP, one target, many destination ports
Identified as: Nmap SYN scan (T1046 Network Service Discovery)
```
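The same signs as a sliding-window detector over flow records. Added example, not code from the original notes; the record layout `(epoch, src, dst, dport, handshake_completed)`, the window and threshold values and the sample flows are constructed, with addresses taken from documentation ranges.

```python
from collections import defaultdict

# Constructed flow records: (epoch_seconds, src_ip, dst_ip, dst_port, handshake_completed).
# handshake_completed is True only when the full SYN / SYN-ACK / ACK exchange was seen;
# a SYN scan leaves it False for almost every port (RST for closed ports, scanner RST
# after SYN-ACK for open ones). Addresses are from documentation ranges.
SAMPLE_FLOWS = (
    [   # ordinary traffic from an internal host
        (1_710_000_000, "10.0.0.5", "10.0.0.20", 443, True),
        (1_710_000_003, "10.0.0.5", "10.0.0.21", 22, True),
        (1_710_000_004, "10.0.0.5", "10.0.0.20", 443, True),
    ]
    + [ # SYN probes against 1,200 ports of one host, ~50 per second
        (1_710_000_010 + i // 50, "203.0.113.7", "10.0.0.20", port, False)
        for i, port in enumerate(range(1, 1201))
    ]
    + [ # the scanner then actually connects to the one open port it found
        (1_710_000_040, "203.0.113.7", "10.0.0.20", 80, True),
    ]
)


def detect_port_scans(flows, window_s=60, min_ports=100, max_completed_ratio=0.05):
    """Flag a source that touches >= min_ports distinct (dst, port) pairs inside
    window_s seconds while completing at most max_completed_ratio of them."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, done in flows:
        by_src[src].append((ts, dst, dport, done))

    alerts = []
    for src, recs in by_src.items():
        recs.sort()
        start = 0
        for end in range(len(recs)):
            while recs[end][0] - recs[start][0] > window_s:   # slide the window forward
                start += 1
            window = recs[start:end + 1]
            targets = {(r[1], r[2]) for r in window}
            if len(targets) < min_ports:
                continue
            completed = sum(1 for r in window if r[3])
            if completed / len(window) <= max_completed_ratio:
                alerts.append({
                    "src_ip": src,
                    "first_seen": recs[0][0],
                    "last_seen": recs[-1][0],
                    "distinct_ports": len({(r[1], r[2]) for r in recs}),
                    "completed_handshakes": sum(1 for r in recs if r[3]),
                    "verdict": "SYN scan (T1046 Network Service Discovery)",
                })
                break   # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_port_scans(SAMPLE_FLOWS):
        print(alert)
```

The completed-handshake ratio is what separates a scan from a busy but legitimate client: a monitoring host that polls 200 services completes nearly all of its connections, a SYN scanner completes almost none.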
**Scenario 3 — C2 (Command & Control) Traffic**
```
Malware on victim machine calls home every 60 seconds.
This is called "beaconing."
Signs:
→ Regular intervals (exactly every 60s)
→ Same destination IP
→ Small packet size
→ Odd hours (2am, 3am)
Identified as: C2 beaconing behavior
```
### Key Protocols Studied
```
HTTP/HTTPS → Web traffic
DNS → Domain name lookups (common for C2)
FTP → File transfers (often data exfiltration)
SSH → Remote access (check for brute force)
RDP → Remote desktop (check for brute force)
SMB → File sharing (EternalBlue attacks)
ICMP → Ping (used for data tunneling)
```
## Module 4 — Endpoint Security & Log Analysis
### What Are Endpoint Logs?
```
Every computer keeps a diary of everything that happens.
Windows calls it: Event Logs
Linux calls it: Syslog / Auth.log / Audit.log
SOC analyst reads these diaries
to find suspicious activity.
```
### Windows Event IDs — The Most Important Ones
| Event ID | Meaning | Why it matters |
|----------|--------------|----------------|
| **4624** | Successful logon | Track who logged on (and the Logon Type) |
| **4625** | Failed logon | Brute-force detection |
| **4648** | Logon attempted with explicit credentials | runas / lateral movement with stolen credentials |
| **4672** | Special privileges assigned to new logon | Admin-level logon, privilege escalation |
| **4688** | New process created | Malware execution (enable command-line auditing to capture the command line) |
| **4698** | Scheduled task created | Persistence mechanism |
| **4720** | New user account created | Backdoor account |
| **4732** | Member added to a security-enabled local group (e.g. Administrators) | Privilege abuse |
| **7045** | New service installed (System log, not Security) | Malware persistence |
### Linux Log Files
```
/var/log/auth.log → Login attempts, SSH, sudo (Debian/Ubuntu; /var/log/secure on RHEL)
/var/log/syslog → General system events (Debian/Ubuntu; /var/log/messages on RHEL)
/var/log/apache2/ → Web server access and error logs (Debian/Ubuntu; /var/log/httpd/ on RHEL)
/var/log/kern.log → Kernel level events
/var/log/cron.log → Scheduled tasks (only if configured; often in syslog or /var/log/cron instead)
/var/log/audit/audit.log → auditd detailed audit trail
```
### Sysmon — Enhanced Windows Logging
```
Normal Windows logs miss a lot.
Sysmon fills the gaps:
Event 1 → Process created (what program ran, with full command line, parent and hashes)
Event 3 → Network connection (where did it connect, and which process did it?)
Event 7 → DLL loaded (what library was used?)
Event 11 → File created (what file was dropped?)
Event 12 → Registry key created/deleted, Event 13 → Registry value set (persistence?)
Event 22 → DNS query (what domain was looked up?)
```
## Module 5 — Splunk SIEM
### What Is Splunk?
```
Splunk = the CCTV control room for your network
Collects logs from:
→ Windows endpoints
→ Linux servers
→ Firewalls
→ Web servers
→ Applications
Puts them all in ONE place.
You search and analyze from one dashboard.
```
### Splunk Search Language (SPL) — Used in the Lab
```
-- Find all failed logins
-- (field names as extracted by the Splunk Add-on for Microsoft Windows; adjust to your add-on)
index=windows EventCode=4625
| stats count by src_ip, user
| sort -count

-- Find brute force (10+ failures from the same IP within 5 minutes)
index=windows EventCode=4625
| bin _time span=5m
| stats count by _time, src_ip
| where count > 10

-- Find successful login AFTER many failures (possible compromise)
index=windows EventCode=4625 OR EventCode=4624
| stats count(eval(EventCode=4625)) as failures,
        count(eval(EventCode=4624)) as successes by src_ip
| where failures > 5 AND successes > 0

-- Find processes spawned by cmd.exe / powershell.exe
-- (ParentImage, Image and CommandLine are Sysmon Event ID 1 fields; with Security
--  4688 use Creator_Process_Name, New_Process_Name and Process_Command_Line, and
--  Process_Command_Line is only populated if command-line auditing is enabled)
index=windows EventCode=4688
| search Creator_Process_Name="*\\cmd.exe" OR Creator_Process_Name="*\\powershell.exe"
| table _time, ComputerName, Account_Name, New_Process_Name, Process_Command_Line

-- Find large outbound transfers (possible exfiltration, > 100 MB to one destination)
index=network
| stats sum(bytes_out) as total_bytes by dest_ip
| where total_bytes > 100000000
| sort -total_bytes
```
### Splunk Dashboard Panels Used
```
Panel 1: Alert Volume Over Time → spike = attack happening
Panel 2: Top Source IPs → who is attacking most?
Panel 3: Top Destination Ports → what services targeted?
Panel 4: Failed vs Successful Logins → compromise indicator
Panel 5: Geographic Map of IPs → where attacks come from
Panel 6: Process Execution Tree → malware behavior
```
## Module 6 — 30+ Attack Scenarios Analysed
### Scenario 1 — Phishing Email Attack
```
ALERT: Suspicious email with attachment detected
My Investigation Steps:
1. Checked sender domain → spoofed domain (paypa1.com vs paypal.com)
2. Checked attachment hash on VirusTotal → MALICIOUS ✅
3. Checked if any user opened it → YES, 1 user opened
4. Checked what happened after opening → PowerShell spawned
5. Checked PowerShell command → downloaded malware from URL
6. Blocked the URL + isolated the machine
MITRE Mapping:
T1566.001 → Phishing with malicious attachment
T1059.001 → PowerShell execution
Severity: HIGH
Action: Escalated to L2 + Isolated endpoint
```
### Scenario 2 — Brute Force + Account Compromise
```
ALERT: 847 failed SSH logins from 45.33.32.156
My Investigation Steps:
1. Confirmed brute force → 847 failures in 4 minutes
2. Checked if any success → YES! 1 successful login
3. Checked what attacker did after login:
→ ran: whoami, id, uname -a (reconnaissance)
→ ran: cat /etc/passwd (user enumeration)
→ created new user: backdoor_user
4. Blocked IP + disabled compromised account
5. Checked if backdoor_user used anywhere else
MITRE Mapping:
T1110.001 → Brute Force: Password Guessing
T1078 → Valid Accounts (after compromise)
T1136 → Create Account (backdoor)
Severity: CRITICAL
Action: Escalated immediately + Password reset all users
```
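The check performed in steps 1 and 2 above (many failures, then a success from the same source) is the same logic as the "successful login AFTER many failures" SPL query in Module 5, here written against raw OpenSSH `auth.log` lines so it can be run without a SIEM. This is an added example, not code from the original notes or from TryHackMe: the log lines are constructed (documentation-range IPs, 30 failures then one success from one IP, a failure-only spray from a second, and one harmless typo from an admin), the year is supplied by the caller because syslog timestamps carry none, and the window and threshold values are assumptions to tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# OpenSSH "Failed password" / "Accepted password|publickey" lines from auth.log
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def constructed_auth_log() -> str:
    """Build a fake auth.log (constructed data, documentation-range IPs)."""
    lines = []
    users = ["root", "admin", "ubuntu", "oracle"]
    for i in range(30):                                  # 02:14:00 .. 02:17:52, one IP
        m, s = divmod(i * 8, 60)
        user = users[i % 4]
        invalid = "" if user == "root" else "invalid user "
        lines.append(f"Mar 29 02:{14 + m:02d}:{s:02d} web01 sshd[{1000 + i}]: Failed password "
                     f"for {invalid}{user} from 203.0.113.45 port {51000 + i} ssh2")
    lines.append("Mar 29 02:18:22 web01 sshd[1301]: Accepted password for root "
                 "from 203.0.113.45 port 51899 ssh2")
    for i in range(12):                                  # failures only, never succeeds
        lines.append(f"Mar 29 02:30:{i * 4:02d} web01 sshd[{1500 + i}]: Failed password "
                     f"for invalid user test from 198.51.100.9 port {42000 + i} ssh2")
    lines.append("Mar 29 02:19:05 web01 sshd[1400]: Failed password for deploy "
                 "from 10.0.0.12 port 40001 ssh2")
    lines.append("Mar 29 02:19:09 web01 sshd[1402]: Accepted publickey for deploy "
                 "from 10.0.0.12 port 40002 ssh2")
    return "\n".join(lines)


def detect_ssh_brute_force(log: str, year: int = 2026,
                           window: timedelta = timedelta(minutes=10), threshold: int = 10) -> list:
    """Per source IP: CRITICAL if a success follows >= threshold failures inside
    `window`; LOW if there are >= threshold failures and no success at all."""
    by_ip = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        by_ip[m["ip"]].append((ts, m["result"] == "Accepted", m["user"]))

    findings = []
    for ip, events in by_ip.items():
        events.sort()
        failures = [(ts, user) for ts, ok, user in events if not ok]
        compromised = False
        for ts, ok, user in events:
            if not ok:
                continue
            prior = [f for f in failures if ts - window <= f[0] < ts]   # failures just before it
            if len(prior) >= threshold:
                compromised = True
                findings.append({
                    "src_ip": ip, "severity": "CRITICAL", "logged_in_as": user,
                    "failures_before_success": len(prior),
                    "users_tried": sorted({u for _, u in prior}),
                    "success_at": ts.isoformat(),
                    "mitre": ["T1110.001", "T1078"],
                })
        if not compromised and len(failures) >= threshold:
            findings.append({
                "src_ip": ip, "severity": "LOW", "failures": len(failures),
                "users_tried": sorted({u for _, u in failures}),
                "mitre": ["T1110.001"],
            })
    return findings


if __name__ == "__main__":
    for finding in detect_ssh_brute_force(constructed_auth_log()):
        print(finding)
```

The two severities mirror the escalation table in Module 8: failures with no success are logged and monitored, failures followed by a success are escalated immediately. The admin who mistyped once and then logged in with a key is below threshold and produces nothing.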
### Scenario 3 — Ransomware Detection
```
ALERT: Mass file modification detected on file server
My Investigation Steps:
1. Checked file extensions → .locked, .encrypted added to ALL files
2. Checked which process did it → svchost32.exe (fake svchost!)
3. Checked when it started → 3:47 AM (after hours)
4. Checked how it got in → RDP login from unknown IP at 3:44 AM
5. Traced back → RDP brute force 2 hours earlier
Timeline:
01:30 AM → Brute force RDP starts
03:44 AM → Correct password found, attacker logs in
03:45 AM → Malware dropped and executed
03:47 AM → File encryption begins
03:52 AM → ALERT fires in Splunk
03:55 AM → I analyzed and escalated
MITRE Mapping:
T1486 → Data Encrypted for Impact (Ransomware)
T1078 → Valid Accounts
T1490 → Inhibit System Recovery
Severity: CRITICAL
Action: Escalated + Network isolation + IR team called
```
### Scenario 4 — Insider Threat
```
ALERT: Employee accessing files outside working hours
My Investigation Steps:
1. Checked time → 2:30 AM, 3:15 AM, 4:00 AM
2. Checked location → login from different country IP
3. Checked what files accessed → HR salary database
4. Checked volume → 500 files downloaded in 30 minutes
5. Compared with normal behavior → usually accesses 5-10 files
Verdict: Either account compromised OR insider threat
MITRE Mapping:
T1078 → Valid Accounts
T1213 → Data from Information Repositories
T1048 → Exfiltration Over Alternative Protocol
Severity: HIGH
Action: Account suspended + HR notified + Investigation started
```
### Scenario 5 — Malware C2 Communication
```
ALERT: Repeated outbound connections to suspicious IP
My Investigation Steps:
1. Checked destination IP → 185.234.219.XX (known C2 server)
2. Checked timing → every 60 seconds exactly (beaconing)
3. Checked which process → chrome.exe (malware hiding as Chrome)
4. Checked file location → C:\Users\Public\chrome.exe (wrong location!)
5. Real Chrome is at: C:\Program Files\Google\Chrome\
Fake Chrome is at: C:\Users\Public\ ← RED FLAG
MITRE Mapping:
T1071 → Application Layer Protocol (C2)
T1036.005 → Masquerading: Match Legitimate Name or Location (fake chrome.exe)
T1543 → Create/Modify System Process
Severity: HIGH
Action: Isolated machine + Blocked C2 IP in firewall
```
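The beaconing check from Module 3 (Scenario 3, "regular intervals, same destination") and the location check from step 4 above, as one detector over Sysmon Event ID 3-style records. Added example, not code from the original notes or from TryHackMe: the record layout `(epoch, image, dest_ip, dest_port)`, the expected-directory table, the jitter tolerance and the sample connections are constructed (the beacon runs every 60 s with ±1 s jitter; the real browser connects at irregular gaps).

```python
import statistics
from collections import defaultdict
from pathlib import PureWindowsPath

# Expected install directories for a few commonly impersonated binaries
# (assumed list for the demo; extend it for your own estate)
EXPECTED_DIRS = {
    "chrome.exe": {r"c:\program files\google\chrome\application",
                   r"c:\program files (x86)\google\chrome\application"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "powershell.exe": {r"c:\windows\system32\windowspowershell\v1.0",
                       r"c:\windows\syswow64\windowspowershell\v1.0"},
}


def is_masquerading(image: str) -> bool:
    """True when a known binary name runs from a directory it should not live in.
    Lookalike names (svchost32.exe) are a different check and are not covered here."""
    p = PureWindowsPath(image)
    expected = EXPECTED_DIRS.get(p.name.lower())
    return expected is not None and str(p.parent).lower() not in expected


def constructed_network_events():
    """Sysmon Event 3-style records: (epoch, image, dest_ip, dest_port). Constructed data."""
    base = 1_710_000_000
    events = []
    t = base
    for i in range(40):                                   # beacon: 60 s apart, +-1 s jitter
        events.append((t, r"C:\Users\Public\chrome.exe", "198.51.100.23", 443))
        t += 60 + (i % 3) - 1
    t = base
    for gap in [5, 120, 3, 900, 47, 12, 300, 8, 60, 2, 240, 15]:   # real browser: irregular
        t += gap
        events.append((t, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                       "142.250.190.46", 443))
    return sorted(events)


def detect_beacons(events, min_count=10, max_cv=0.1):
    """Group by (process, destination); flag groups with enough connections whose
    inter-connection gaps are regular (coefficient of variation <= max_cv)."""
    groups = defaultdict(list)
    for ts, image, dst, port in events:
        groups[(image, dst, port)].append(ts)

    findings = []
    for (image, dst, port), stamps in groups.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            masq = is_masquerading(image)
            findings.append({
                "image": image, "dest": f"{dst}:{port}", "connections": len(stamps),
                "mean_interval_s": round(mean, 1), "cv": round(cv, 3),
                "masquerading": masq,
                "mitre": ["T1071"] + (["T1036.005"] if masq else []),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_beacons(constructed_network_events()):
        print(finding)
```

Real implants add jitter deliberately, so the detector measures how regular the gaps are (standard deviation relative to the mean) rather than requiring exactly 60 seconds; `max_cv` is the knob to loosen when a beacon uses a wider jitter range, at the cost of more false positives from update checks and heartbeat traffic.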
## Module 7 — Alert Triage Process
### What Is Alert Triage?
```
50 alerts come in one day.
You cannot investigate all 50 equally.
Triage = decide which ones are:
→ Real attack (investigate NOW)
→ False positive (ignore, mark as benign)
→ Low priority (investigate later)
```
### Triage Decision Flow
```
Alert comes in
↓
Is the source IP known malicious?
YES → High priority, investigate now
NO ↓
Is the behavior normal for this user/system?
NO → Investigate
YES → Likely false positive
↓
Is it happening at unusual time?
YES → Suspicious, investigate
NO ↓
Is the volume/frequency unusual?
YES → Suspicious
NO → Probably false positive
```
### True Positive vs False Positive
```
TRUE POSITIVE = Real attack, alert was correct ✅
Example: Hacker actually brute-forced login
FALSE POSITIVE = Not an attack, alert was wrong ❌
Example: Employee forgot password 5 times
→ looks like brute force but isn't
TRUE NEGATIVE = No attack, no alert ✅ (good)
FALSE NEGATIVE = Real attack, NO alert fired 😱 (dangerous)
```
## Module 8 — Incident Escalation Process
### SOC Escalation Tiers
```
L1 Analyst (Me)
→ First to see the alert
→ Basic triage
→ If confirmed threat → escalate to L2
L2 Analyst
→ Deeper investigation
→ Malware analysis
→ If critical → escalate to L3
L3 / Incident Response Team
→ Full investigation
→ Forensics
→ Containment and recovery
```
### When to Escalate Immediately
```
🔴 ESCALATE RIGHT NOW if:
→ Ransomware detected
→ Data exfiltration happening now
→ Critical server compromised
→ Admin account hijacked
→ Lateral movement detected (attacker moving to other machines)
→ Active attack in progress
🟡 ESCALATE SOON if:
→ Brute force with successful login
→ New admin account created unexpectedly
→ Malware detected on endpoint
→ Suspicious scheduled task created
🟢 LOG AND MONITOR if:
→ Failed logins (no success)
→ Port scan (no follow-up attack)
→ Single phishing email (not opened)
```
### Incident Report Format
```
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
INCIDENT REPORT
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Ticket ID : INC-2026-0042
Date : 29 March 2026
Severity : HIGH
Status : ESCALATED TO L2
Analyst : [Your Name] — SOC L1
SUMMARY:
SSH brute force from 45.33.32.156
with 1 successful login detected.
Backdoor account created post-compromise.
TIMELINE:
02:14 AM → Brute force started
02:18 AM → Successful login (root)
02:19 AM → Recon commands run
02:21 AM → Backdoor user created
02:23 AM → Alert fired in Splunk
02:25 AM → Triaged and escalated
IOCs:
Source IP : 45.33.32.156
Username : root
Backdoor user: sys_update99
Tool used : Hydra (detected in logs)
MITRE:
T1110.001 → Brute Force
T1136.001 → Create Local Account
ACTIONS TAKEN:
✅ IP blocked at firewall
✅ root account locked
✅ Backdoor account deleted
✅ Escalated to L2 analyst
✅ All other admin accounts audited
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
```
## 📊 Skills Gained — Summary
| Skill | Tools used | Level |
|-------|-----------|-------|
| SIEM analysis | Splunk | ✅ Hands-on |
| Log analysis | Windows Event Logs, Syslog | ✅ Hands-on |
| Network traffic analysis | Wireshark | ✅ Hands-on |
| Threat intelligence | VirusTotal, AbuseIPDB | ✅ Hands-on |
| Alert triage | Splunk dashboards | ✅ Hands-on |
| Incident reporting | Manual documentation | ✅ Hands-on |
| MITRE ATT&CK mapping | ATT&CK Navigator | ✅ Hands-on |
| Phishing analysis | Email header analysis | ✅ Hands-on |
## 📁 Repository Structure
```
thm-soc-l1-lab/
│
├── 01-frameworks/
│ ├── mitre-attack-notes.md
│ └── cyber-killchain.md
│
├── 02-threat-intelligence/
│ ├── ioc-types.md
│ └── tools-used.md
│
├── 03-network-analysis/
│ ├── wireshark-filters.md
│ └── c2-beaconing-detection.md
│
├── 04-log-analysis/
│ ├── windows-event-ids.md
│ ├── linux-log-locations.md
│ └── sysmon-events.md
│
├── 05-splunk/
│ ├── spl-queries.md
│ └── dashboard-panels.md
│
├── 06-attack-scenarios/
│ ├── phishing-analysis.md
│ ├── brute-force-scenario.md
│ ├── ransomware-detection.md
│ ├── insider-threat.md
│ └── c2-communication.md
│
├── 07-incident-reports/
│ ├── INC-2026-001.md
│ ├── INC-2026-002.md
│ └── template.md
│
└── README.md
```
## ⚠️ Disclaimer
*TryHackMe — SOC Level 1 Analyst Path | Splunk SIEM | 2025–26*