corax-team/muninn

GitHub: corax-team/muninn

A standalone incident-response and forensic log analysis tool that bundles log parsing, SIGMA threat detection, a search engine and IOC enrichment in a single binary.

Stars: 0 | Forks: 0

# Muninn

Log parser • SIGMA engine • Threat detection • IOC enrichment
Developed by the corax team

## Overview

Muninn is a standalone incident-response and forensic log analysis tool: a single binary that supports 15+ log formats, ships 3,273 SIGMA rules covering 377 MITRE ATT&CK techniques, and provides login analysis, anomaly detection, attack correlation, Kaspersky OpenTIP integration, automated compromise assessment, evidence integrity verification (SHA-256) and live monitoring, with zero external dependencies. No SIEM required.

Point it at a log directory and Muninn auto-detects the format, loads the events into a SQLite database and runs the analysis. Use `--dbfile` to keep the parsed events in a persistent database that can be reopened at any time to apply new SIGMA rules, run SQL queries or check IOCs, without re-parsing the source files.

### What it can analyze

| Source | Examples |
|---|---|
| **Windows Event Logs** | Security (4624/4625/4688/4720), Sysmon (1/3/11/13/22), PowerShell (4104), System (7045), `.evtx` files |
| **Linux / Unix** | auth.log, syslog, auditd, journald exports |
| **Network** | Zeek/Bro (dns, http, conn, ssl), Suricata EVE JSON, Snort (logs must be in a supported base format: JSON, CSV, Syslog, CEF, LEEF) |
| **Firewalls** | iptables, Palo Alto, Fortinet, Check Point (logs must be in a supported base format: CSV, Syslog, CEF, LEEF) |
| **Cloud** | AWS CloudTrail, Azure Activity, GCP Audit, M365, Okta (JSON) |
| **Web** | IIS (W3C), Apache/Nginx access logs, proxy logs |
| **EDR / XDR** | Any telemetry exported as JSON, CSV or Syslog |
| **Archives** | `.gz`, `.zip`, `.bz2`, `.tar.gz`, `.tgz`, `.rar`, `.7z`, extracted automatically, password-protected archives supported (`--archive-password`) |

## Download and run

Pre-built binaries: [Releases](https://github.com/corax-team/muninn/releases). Before running a downloaded binary on an evidence host, check it against any checksum or signature the release provides.

**Linux:**

```
curl -sL https://github.com/corax-team/muninn/releases/latest/download/muninn-linux-amd64 -o muninn
chmod +x muninn
./muninn -e /path/to/logs/ -r sigma-rules/ --stats
```

**Windows:**

```
Invoke-WebRequest -Uri "https://github.com/corax-team/muninn/releases/latest/download/muninn-windows-amd64.exe" -OutFile muninn.exe
.\muninn.exe -e C:\Logs\ -r sigma-rules\ --stats
```

## Quick start

```
# 1. Download the SIGMA rules (once)
muninn --download-rules all

# 2. Run a full analysis
muninn -e ./evidence/ -r sigma-rules/ --stats --timeline --killchain --threat-score
```

## Usage examples
### Getting started: recommended workflow

```
# 1. Download the SIGMA rules
muninn --download-rules all

# 2. Parse the logs into a persistent database (one-off)
#    Every event is saved to SQLite: parse once, query as often as you like
muninn -e ./evidence/ --dbfile case001.db

# 3. Run the analysis against the saved database (instant, no re-parsing)
muninn --load-db case001.db -r sigma-rules/ --summary --ioc-extract --login-analysis

# 4. Investigate with quick interactive queries
muninn --load-db case001.db --keyword "mimikatz"
muninn --load-db case001.db --sql "SELECT * FROM events WHERE EventID = '4688'"
muninn --load-db case001.db --distinct Image
muninn --load-db case001.db --field "User=%admin%"

# 5. Check the extracted IOCs against threat intelligence
muninn --load-db case001.db --ioc-extract --opentip-check YOUR_KEY --opentip-types hash
```
### Alternative: direct scan (no database)

```
# Basic scan with every rule
muninn -e ./evidence/ -r sigma-rules/

# Scan with statistics
muninn -e ./evidence/ -r sigma-rules/ --stats

# Scan a single log file
muninn -e ./Security.evtx -r sigma-rules/rules/windows/

# Quiet mode (detections only)
muninn -e ./evidence/ -r sigma-rules/ -q

# Custom JSON output path
muninn -e ./evidence/ -r sigma-rules/ -o results.json
```
### Search: keyword, field, regex, SQL

```
# Keyword search (full-text across all fields)
muninn -e ./evidence/ -k "mimikatz"
muninn -e ./evidence/ -k "powershell"
muninn -e ./evidence/ -k "cmd.exe"
muninn -e ./evidence/ -k "admin"

# Field search (LIKE syntax: % = wildcard, _ = single character)
muninn -e ./evidence/ -f "EventID=4624"
muninn -e ./evidence/ -f "Image=%cmd.exe"
muninn -e ./evidence/ -f "User=%admin%"
muninn -e ./evidence/ -f "SourceIp=192.168.%"
muninn -e ./evidence/ -f "CommandLine=%whoami%"
muninn -e ./evidence/ -f "LogonType=10"

# Regex search
muninn -e ./evidence/ --regex "CommandLine=.*-[eE]nc[oO]?d?e?d?C?o?m?m?a?n?d?\s+[A-Za-z0-9+/=]{20,}"
muninn -e ./evidence/ --regex "Image=.*\\\\(cmd|powershell|pwsh)\.exe$"
muninn -e ./evidence/ --regex "DestinationIp=^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)"

# Raw SQL (field names are double-quoted; the shell escapes are \" for a quote and \\ for a backslash)
muninn -e ./evidence/ --sql "SELECT * FROM events WHERE \"CommandLine\" LIKE '%whoami%'"
muninn -e ./evidence/ --sql "SELECT \"Image\", COUNT(*) as cnt FROM events GROUP BY \"Image\" ORDER BY cnt DESC LIMIT 20"
muninn -e ./evidence/ --sql "SELECT DISTINCT \"User\" FROM events WHERE \"EventID\" = '4624'"
muninn -e ./evidence/ --sql "SELECT * FROM events WHERE \"EventID\" IN ('4624','4625','4648') LIMIT 100"

# Run SQL from a file
muninn -e ./evidence/ --sql-file queries.sql

# Statistics and exploration
muninn -e ./evidence/ --stats
muninn -e ./evidence/ --distinct EventID
muninn -e ./evidence/ --distinct Image
muninn -e ./evidence/ --distinct User
muninn -e ./evidence/ --distinct SourceIp
muninn -e ./evidence/ --distinct Channel

# Limit the number of results
muninn -e ./evidence/ -k "error" --limit 50
```
### SIGMA detection: filtering and profiling

```
# Minimum severity filter
muninn -e ./evidence/ -r sigma-rules/ --min-level high       # only high + critical
muninn -e ./evidence/ -r sigma-rules/ --min-level critical   # only critical
muninn -e ./evidence/ -r sigma-rules/ --min-level medium     # medium and above

# Exclude noisy rules
muninn -e ./evidence/ -r sigma-rules/ --rulefilter "sysmon config"
muninn -e ./evidence/ -r sigma-rules/ --rulefilter "sysmon" --rulefilter "defender"

# Rule performance profiling
muninn -e ./evidence/ -r sigma-rules/ --profile-rules

# Point at a specific rule directory
muninn -e ./evidence/ -r sigma-rules/rules/windows/process_creation/
muninn -e ./evidence/ -r sigma-rules/rules/windows/powershell/
muninn -e ./evidence/ -r sigma-rules/rules/linux/
muninn -e ./evidence/ -r sigma-rules/rules/cloud/aws/
muninn -e ./evidence/ -r sigma-rules/rules/network/

# Use custom rules
muninn -e ./evidence/ -r ./custom-rules/my-rule.yml
muninn -e ./evidence/ -r ./custom-rules/

# Event hashes
muninn -e ./evidence/ -r sigma-rules/ --hashes
```
### Advanced analysis: MITRE, timeline, anomalies, IOCs, scoring

```
# Full analysis pipeline
muninn -e ./evidence/ -r sigma-rules/ --stats --timeline --killchain --threat-score --anomalies --ioc-extract --correlate --transforms

# MITRE ATT&CK
muninn -e ./evidence/ -r sigma-rules/ --killchain                 # console + auto-saved .txt
muninn -e ./evidence/ -r sigma-rules/ --killchain kc.html         # save as an HTML report
muninn -e ./evidence/ -r sigma-rules/ --navigator layer.json      # ATT&CK Navigator export

# Attack timeline
muninn -e ./evidence/ -r sigma-rules/ --timeline                  # console + auto-saved .txt
muninn -e ./evidence/ -r sigma-rules/ --timeline tl.html          # save as HTML

# Anomaly detection (no rules needed)
muninn -e ./evidence/ --anomalies                                 # console + auto-saved .txt
muninn -e ./evidence/ --anomalies anomalies.json                  # save as JSON
muninn -e ./evidence/ --anomalies anomalies.html                  # save as HTML

# IOC extraction
muninn -e ./evidence/ --ioc-extract                               # console + auto-saved .txt
muninn -e ./evidence/ --ioc-extract iocs.html                     # save as HTML

# IOC enrichment with threat intelligence
muninn -e ./evidence/ --ioc-extract --vt-key YOUR_VT_KEY
muninn -e ./evidence/ --ioc-extract --abuseipdb-key YOUR_ABUSEIPDB_KEY
muninn -e ./evidence/ --ioc-extract --opentip-key YOUR_OPENTIP_KEY

# Kaspersky OpenTIP deep check (parallel, detailed reports: TXT + HTML + JSON)
muninn -e ./evidence/ --ioc-extract --opentip-check YOUR_KEY                           # check all IOC types
muninn -e ./evidence/ --ioc-extract --opentip-check YOUR_KEY --opentip-types hash      # hashes only
muninn -e ./evidence/ --ioc-extract --opentip-check YOUR_KEY --opentip-types ip        # IPs only
muninn -e ./evidence/ --ioc-extract --opentip-check YOUR_KEY --opentip-types hash,ip   # hashes + IPs
muninn -e ./evidence/ --ioc-extract --opentip-check YOUR_KEY --opentip-max 500         # up to 500 lookups

# Login analysis (Windows Security events 4624/4625/4672)
muninn -e ./evidence/ --login-analysis                            # brute force, lateral movement, privesc

# Executive summary (automated incident verdict)
muninn -e ./evidence/ -r sigma-rules/ --summary                   # Clean / Suspicious / Compromised / Breach

# Per-host/per-user threat scoring
muninn -e ./evidence/ -r sigma-rules/ --threat-score              # console + auto-saved .txt
muninn -e ./evidence/ -r sigma-rules/ --threat-score scores.html  # HTML report

# Attack chain correlation
muninn -e ./evidence/ -r sigma-rules/ --correlate                 # console + auto-saved .txt
muninn -e ./evidence/ -r sigma-rules/ --correlate chains.json     # save as JSON

# Field transforms (base64 decoding, LOLBin detection, DNS entropy, obfuscation)
muninn -e ./evidence/ --transforms -r sigma-rules/

# Compare two evidence sets
muninn -e ./evidence-before/ -r sigma-rules/ --diff ./evidence-after/
```

Enrichment sends hashes, IPs and domains taken from the evidence to a third-party service, so confirm that the case's confidentiality rules allow it before using these options; API keys passed on the command line also end up in shell history.
### Persistent database: parse once, query many times

Parsing 4 GB of EVTX takes roughly 8 minutes. Save the result to a SQLite database once and every later analysis runs immediately, with no re-parsing. Parsing is memory-adaptive: parallelism is scaled automatically and a disk-backed engine is used for large files to avoid OOM on memory-constrained systems.

```
# ── Step 1: parse the logs and save them to a database (once) ──────────
muninn -e ./evidence/ --dbfile                                             # auto-named: muninn_db_YYYY-MM-DD_HH-MM-SS.db
muninn -e ./evidence/ --dbfile case001.db                                  # custom name
muninn -e archive.zip --dbfile case001.db                                  # from an archive
muninn -e encrypted.rar --archive-password "infected" --dbfile case001.db  # encrypted archive

# ── Step 2: query the database (instant) ───────────────────────────────
# Search
muninn --load-db case001.db --keyword "mimikatz"
muninn --load-db case001.db --field "EventID=4624"
muninn --load-db case001.db --regex "CommandLine=.*whoami"
muninn --load-db case001.db --distinct Image

# SQL
muninn --load-db case001.db --sql "SELECT COUNT(*) FROM events"
muninn --load-db case001.db --sql "SELECT Image, COUNT(*) as cnt FROM events GROUP BY Image ORDER BY cnt DESC LIMIT 20"
muninn --load-db case001.db --sql "SELECT * FROM events WHERE CommandLine LIKE '%mimikatz%'"

# ── Step 3: run SIGMA rules ────────────────────────────────────────────
muninn --load-db case001.db -r sigma-rules/ --summary --threat-score
muninn --load-db case001.db -r sigma-rules/ --gui report.html

# ── Step 4: extract and check IOCs ─────────────────────────────────────
# Extract IOCs (IPs, domains, URLs, hashes, e-mails, file paths, registry keys, services, tasks, pipes)
muninn --load-db case001.db --ioc-extract

# Check the extracted IOCs against Kaspersky OpenTIP
muninn --load-db case001.db --ioc-extract --opentip-check YOUR_API_KEY

# Hashes only
muninn --load-db case001.db --ioc-extract --opentip-check YOUR_API_KEY --opentip-types hash

# IPs only
muninn --load-db case001.db --ioc-extract --opentip-check YOUR_API_KEY --opentip-types ip

# Hashes + domains, capped at 100 lookups
muninn --load-db case001.db --ioc-extract --opentip-check YOUR_API_KEY --opentip-types hash,domain --opentip-max 100

# ── Step 5: IR analysis ────────────────────────────────────────────────
muninn --load-db case001.db --login-analysis                 # authentication analysis
muninn --load-db case001.db --anomalies                      # statistical anomalies
muninn --load-db case001.db -r sigma-rules/ --correlate      # attack chains
```

Treat the `.db` as a derived artefact: keep it next to the JSON report, which records the SHA-256 of the original source files, rather than in place of the sources.

Files written by `--ioc-extract --opentip-check`:

- `muninn_iocs_*.txt`: IOC list (text)
- `muninn_iocs_*.csv`: IOC list (CSV, for Excel/LibreOffice)
- `muninn_iocs_*.opentip.txt`: OpenTIP report (text)
- `muninn_iocs_*.opentip.html`: OpenTIP report (interactive HTML with zones and portal links)
- `muninn_iocs_*.opentip.json`: OpenTIP report (structured JSON)
### Export: HTML, SIEM, SQLite, CSV

```
# Interactive HTML report
muninn -e ./evidence/ -r sigma-rules/ --gui report.html

# Export for Splunk
muninn -e ./evidence/ -r sigma-rules/ --template splunk --template-output detections.json

# Export for ELK/OpenSearch
muninn -e ./evidence/ -r sigma-rules/ --template elk --template-output detections.ndjson

# Export for Timesketch
muninn -e ./evidence/ -r sigma-rules/ --template timesketch --template-output timeline.jsonl

# Export as CSV
muninn -e ./evidence/ -r sigma-rules/ --template csv --template-output detections.csv

# Export as SARIF (e.g. for the GitHub Security tab)
muninn -e ./evidence/ -r sigma-rules/ --template sarif --template-output results.sarif

# Export the SQLite database for custom queries
muninn -e ./evidence/ --dbfile case.db
sqlite3 case.db "SELECT \"Image\", COUNT(*) FROM events GROUP BY \"Image\" ORDER BY COUNT(*) DESC LIMIT 20"

# Export flattened events as JSONL
muninn -e ./evidence/ --keepflat events.jsonl

# ATT&CK Navigator layer
muninn -e ./evidence/ -r sigma-rules/ --navigator layer.json
```
### Filtering: time, files, fields

```
# Time-based filtering (ISO 8601)
muninn -e ./evidence/ -r sigma-rules/ --after "2025-01-15T00:00:00"
muninn -e ./evidence/ -r sigma-rules/ --before "2025-01-16T00:00:00"
muninn -e ./evidence/ -r sigma-rules/ --after "2025-01-15T08:00:00" --before "2025-01-15T18:00:00"

# File selection by glob
muninn -e ./evidence/ -s "*.evtx" -r sigma-rules/        # only EVTX
muninn -e ./evidence/ -s "Security*" -r sigma-rules/     # only Security logs
muninn -e ./evidence/ -a "*.csv" -r sigma-rules/         # exclude CSV files

# Field mapping (rename fields across all events)
muninn -e ./evidence/ -r sigma-rules/ --field-map mapping.yaml
# mapping.yaml: { "EventID": "event_id", "SourceIp": "src_ip" }
```

Know the time zone of the timestamps in your sources before setting `--after`/`--before`: EVTX `SystemTime` is UTC, while many syslog and application logs are written in local time.
### Performance tuning

```
# Control parallelism
muninn -e ./evidence/ -r sigma-rules/ --workers 4      # 4 threads
muninn -e ./evidence/ -r sigma-rules/ --workers 16     # 16 threads

# Limit memory use
muninn -e ./evidence/ -r sigma-rules/ --max-events 500000    # cap at 500K events
muninn -e ./evidence/ -r sigma-rules/ --batch-size 100000    # larger insert batches

# Create indexes to speed up queries
muninn -e ./evidence/ -r sigma-rules/ --add-index EventID --add-index Image

# Per-file parallel processing
muninn -e ./evidence/ -r sigma-rules/ --per-file
```
### Interactive and live modes

```
# Interactive terminal UI (binary must be built with --features tui)
muninn -e ./evidence/ -r sigma-rules/ --tui

# Real-time monitoring (binary must be built with --features live)
muninn -e /var/log/ -r sigma-rules/ --live

# YAML config file (keeps all settings in one place)
muninn --config muninn.yaml
# muninn.yaml:
#   events: ./evidence/
#   rules: sigma-rules/
#   min_level: medium
#   stats: true
#   timeline: true
#   killchain: true
#   threat_score: true
```
## Features

### Core

| | |
|---|---|
| **15+ formats** | EVTX, JSON, CSV, XML, Syslog, CEF, LEEF, Zeek, W3C, Auditd, macOS, all auto-detected |
| **3200+ SIGMA rules** | The full [SigmaHQ](https://github.com/SigmaHQ/sigma) ruleset, fetched with `--download-rules` |
| **SIGMA compiler** | YAML → SQL, with modifiers: `contains`, `endswith`, `startswith`, `re`, `base64`, `base64offset`, `windash`, `cidr`, `all`, `gt/gte/lt/lte` |
| **Search engine** | SQLite-backed: keyword, field, regex, raw SQL |
| **Single binary** | Statically compiled, no runtime dependencies |
| **Cross-platform** | Linux x86_64, Windows x86_64 |
| **Standalone CLI** | One binary, zero external dependencies |

### Analysis and incident response

| Feature | Flag | Description |
|---|---|---|
| **MITRE ATT&CK mapping** | *(automatic)* | Maps detections to techniques/tactics from the rule tags |
| **ATT&CK Navigator** | `--navigator layer.json` | Exports an ATT&CK Navigator layer file |
| **Kill chain view** | `--killchain [FILE]` | ASCII kill-chain visualization grouped by tactic |
| **Attack timeline** | `--timeline [FILE]` | Chronological attack timeline |
| **Anomaly detection** | `--anomalies [FILE]` | Rare processes, off-hours logins, unusual parent/child process pairs, brute-force detection, command obfuscation scoring |
| **IOC extraction** | `--ioc-extract [FILE]` | Extracts IPs, domains, URLs, hashes, e-mail addresses, file paths, registry keys, services, tasks, pipes |
| **IOC enrichment** | `--vt-key` / `--abuseipdb-key` / `--opentip-key` | VirusTotal, AbuseIPDB, Kaspersky OpenTIP (basic enrichment) |
| **OpenTIP deep check** | `--opentip-check <KEY>` | Full Kaspersky OpenTIP analysis with complete reports (TXT + HTML + JSON), parallel requests |
| **OpenTIP type filter** | `--opentip-types hash,ip,domain,url` | Check only specific IOC types (default: all) |
| **Login analysis** | `--login-analysis [FILE]` | Authentication analysis: success/failure ratio, brute force, unusual hours, lateral movement, privilege escalation |
| **Executive summary** | `--summary [FILE]` | Automated incident verdict with recommendations |
| **Evidence integrity** | *(automatic)* | SHA-256 of every source file, recorded in the JSON report |
| **Persistent database** | `--dbfile [FILE]` | Saves parsed events to a SQLite database for later use |
| **Load database** | `--load-db <FILE>` | Loads a previously saved database, skipping parsing |
| **Threat scoring** | `--threat-score [FILE]` | Per-host/per-user risk score (absolute 0-100) |
| **Attack correlation** | `--correlate [FILE]` | Groups detections into attack chains with durations |
| **Diff mode** | `--diff /path/to/second/` | Compares two evidence sets |
| **Field transforms** | `--transforms` | Base64 decoding, LOLBin detection (44 binaries), DNS entropy, obfuscation scoring |
| **Field mapping** | `--field-map map.yaml` | Renames fields across all events |
| **Early filtering** | *(automatic)* | Pre-filters events by the EventID/Channel values the rules reference |
| **Per-file mode** | `--per-file` | Parallel processing with a separate SQLite database per file |
| **Time filtering** | `--after` / `--before` | Filters events by timestamp |
| **Rule profiling** | `--profile-rules` | Ranks rules by execution time |
| **Config file** | `--config muninn.yaml` | YAML configuration for every setting |
| **Rule download** | `--download-rules <SET>` | Downloads SIGMA rules from SigmaHQ (core, core+, all, emerging) |

### Export and output

| Format | Flag | Description |
|---|---|---|
| **JSON report** | *(automatic)* | Generated automatically, with MITRE mapping, tags and descriptions |
| **HTML report** | `--gui report.html` | Interactive HTML: dashboard, MITRE timeline, ATT&CK matrix, event viewer |
| **Splunk** | `--template splunk` | NDJSON with `source`, `sourcetype`, `_time` |
| **ELK** | `--template elk` | NDJSON with `@timestamp`, `_index` |
| **Timesketch** | `--template timesketch` | JSONL for Timesketch import |
| **CSV** | `--template csv` | Standard CSV export |
| **SARIF** | `--template sarif` | Static Analysis Results Interchange Format |
| **SQLite** | `--dbfile case.db` | Full event database (reloadable with `--load-db`) |
| **JSONL** | `--keepflat events.jsonl` | Flattened event export |
| **IOC CSV** | *(written by `--ioc-extract`)* | CSV of every extracted IOC |
| **OpenTIP HTML** | *(written by `--opentip-check`)* | Interactive HTML report with colour-coded zones and portal links |
| **OpenTIP JSON** | *(written by `--opentip-check`)* | Structured JSON with the full API responses |

### Performance

| Feature | Flag | Description |
|---|---|---|
| **Parallel parsing** | *(automatic)* | Files are parsed in parallel with rayon |
| **Parallel SIGMA compilation** | *(automatic)* | Rules are compiled to SQL in parallel |
| **Worker control** | `--workers N` | Thread pool size (default: min(CPU_cores / 2, 4)) |
| **Memory cap** | `--max-events N` | Limits the total number of events loaded |
| **Batch loading** | `--batch-size N` | SQLite insert batch size (default: 50,000) |
| **Result limit** | `--limit N` | Limits result rows per query |
| **Custom indexes** | `--add-index Field` | Creates a SQLite index on a specific field |

### Optional features (compile time)

| Feature | Cargo feature | Description |
|---|---|---|
| **Archive support** | `--features archive` | Parses .gz/.zip/.bz2/.tar.gz/.tgz/.rar/.7z files |
| **Interactive TUI** | `--features tui` | Terminal UI with a detection browser |
| **Live monitoring** | `--features live` | Watches a directory for new events in real time |
| **Rule download** | `--features download` | Downloads SIGMA rules from SigmaHQ releases |
| **IOC enrichment** | `--features ioc-enrich` | VT/AbuseIPDB/OpenTIP API lookups |

### Interactive HTML report (`--gui`)

Generate a self-contained HTML report with `--gui report.html`:

```
muninn -e evidence/ -r sigma-rules/ --gui report.html
```

The report contains four interactive views:

| View | Description |
|---|---|
| **Dashboard** | Summary cards (files, events, detections by severity), severity distribution bar, top-10 detection list |
| **Timeline** | MITRE ATT&CK swim-lane timeline: tactics as rows, detections on the time axis, colour-coded by severity; zoom, pan and click to inspect events |
| **Detections** | Searchable table with severity/tactic filters, technique badges and a click-to-expand event viewer with full field details |
| **MITRE ATT&CK** | 14-column heat-map matrix: technique cells shaded by detection count, rule names on hover |

All data is embedded: no server is needed and the report works offline. Dark Norse/Corax theme. Because the matched events are embedded, the HTML file carries evidence content and should be handled with the same classification as the source logs.

## Sample output

```
[MUNINN ASCII-art banner]
                     Memory of Corax
 -= SIGMA Detection Engine for EVTX/JSON/Syslog/CEF/Zeek v0.6.0 =-

[+] Processing
    [>] Files      42
    [>] Events     847293
    [>] Formats    312450 EVTX, 52441 Syslog, 482402 JSON Lines
    [>] Duration   3.20s (264778 events/s)
    [>] Workers    8 threads

[+] 2384 SIGMA rules loaded
[+] Executing ruleset: 12 rules matched

┌──────────────┬────────────────────────────────────────────────────┬────────┬──────────────┐
│ Severity     │ Rule                                               │ Events │ ATT&CK       │
├──────────────┼────────────────────────────────────────────────────┼────────┼──────────────┤
│ CRITICAL     │ Mimikatz Command Line                              │ 14     │ T1003        │
│ HIGH         │ Suspicious Encoded PowerShell                      │ 23     │ T1059.001    │
│ HIGH         │ Remote Thread in LSASS                             │ 3      │ T1003.001    │
│ MEDIUM       │ WhoAmi Execution                                   │ 47     │ T1033        │
│ MEDIUM       │ Scheduled Task Created via CLI                     │ 8      │ T1053.005    │
│ LOW          │ Sysmon Configuration Change                        │ 2      │              │
└──────────────┴────────────────────────────────────────────────────┴────────┴──────────────┘

[*] Summary
    Duration      3.20s
    Files         42
    Events        847293
    Throughput    264778 events/s
    Detections    1 CRITICAL  2 HIGH  2 MEDIUM  1 LOW
    Coverage      12/2384 rules matched (0.5%)
    Matched       116 events across 12 rules
    Top Hits      CRITICAL  Mimikatz Command Line (14)
                  HIGH      Suspicious Encoded PowerShell (23)

    ATT&CK Coverage
      Execution          ####################  2 technique(s) (70 hits)
      Credential Access  ##########            2 technique(s) (17 hits)
      Persistence        #####                 1 technique(s) (8 hits)
      Discovery          ################      1 technique(s) (47 hits)

 -> muninn_report_2026-03-11_14-30-00.json
```

## Forensic SQL cookbook
### Incident response: lateral movement

```
# Remote logons (network + RDP)
muninn -e evidence/ --sql "SELECT * FROM events WHERE \"EventID\" = '4624' AND \"LogonType\" IN ('3','10')"

# PsExec
muninn -e evidence/ -k "psexec"

# Pass-the-hash lead: network logon authenticated with NTLM
# (tighten with LogonProcessName = 'NtLmSsp' and KeyLength = '0', and skip machine accounts ending in $)
muninn -e evidence/ --sql "SELECT * FROM events WHERE \"EventID\" = '4624' AND \"LogonType\" = '3' AND \"AuthenticationPackageName\" = 'NTLM'"

# WMI lateral movement (processes spawned by WmiPrvSE)
muninn -e evidence/ --sql "SELECT * FROM events WHERE \"ParentImage\" LIKE '%wmiprvse.exe' AND \"EventID\" = '1'"

# Remote service creation: System 7045 with a UNC image path
# (7045 carries the binary in ImagePath; the Security-log equivalent 4697 calls it ServiceFileName)
muninn -e evidence/ --sql "SELECT * FROM events WHERE \"EventID\" = '7045' AND \"ImagePath\" LIKE '%\\\\%'"

# RDP sessions
muninn -e evidence/ --sql "SELECT \"TargetUserName\",\"IpAddress\",\"LogonType\" FROM events WHERE \"EventID\" = '4624' AND \"LogonType\" = '10'"

# SMB file copies (5145 only exists if detailed file-share auditing is enabled)
muninn -e evidence/ --sql "SELECT * FROM events WHERE \"EventID\" = '5145' AND \"RelativeTargetName\" LIKE '%.exe'"
```
### Threat hunting: suspicious processes

```
# Encoded PowerShell
muninn -e evidence/ --regex "CommandLine=.*-[eE]nc[oO]?d?e?d?C?o?m?m?a?n?d?\s+[A-Za-z0-9+/=]{20,}"

# LOLBins downloading files
muninn -e evidence/ --sql "SELECT \"Image\",\"CommandLine\" FROM events WHERE \"CommandLine\" LIKE '%http%' AND (\"Image\" LIKE '%certutil%' OR \"Image\" LIKE '%mshta%' OR \"Image\" LIKE '%regsvr32%' OR \"Image\" LIKE '%bitsadmin%')"

# Office applications spawning processes
muninn -e evidence/ --sql "SELECT \"Image\",\"CommandLine\",\"ParentImage\" FROM events WHERE \"ParentImage\" LIKE '%WINWORD%' OR \"ParentImage\" LIKE '%EXCEL%' OR \"ParentImage\" LIKE '%OUTLOOK%' OR \"ParentImage\" LIKE '%POWERPNT%'"

# Reconnaissance commands
muninn -e evidence/ --sql "SELECT \"CommandLine\",\"User\",\"Image\" FROM events WHERE \"Image\" LIKE '%whoami%' OR \"Image\" LIKE '%net.exe' OR \"Image\" LIKE '%ipconfig%' OR \"Image\" LIKE '%systeminfo%' OR \"Image\" LIKE '%nltest%' OR \"Image\" LIKE '%tasklist%' OR \"Image\" LIKE '%qprocess%'"

# Suspicious PowerShell downloads
muninn -e evidence/ --sql "SELECT \"CommandLine\" FROM events WHERE \"CommandLine\" LIKE '%Invoke-WebRequest%' OR \"CommandLine\" LIKE '%wget%' OR \"CommandLine\" LIKE '%curl%' OR \"CommandLine\" LIKE '%DownloadString%' OR \"CommandLine\" LIKE '%DownloadFile%'"

# Process injection indicators (Sysmon 8, CreateRemoteThread)
muninn -e evidence/ --sql "SELECT \"SourceImage\",\"TargetImage\" FROM events WHERE \"EventID\" = '8'"

# Processes running from temp and user-writable directories
muninn -e evidence/ --sql "SELECT \"Image\",\"CommandLine\" FROM events WHERE \"Image\" LIKE '%\\Temp\\%' OR \"Image\" LIKE '%\\tmp\\%' OR \"Image\" LIKE '%\\AppData\\%'"

# Renamed system binaries (Sysmon 1 OriginalFileName does not match the file name on disk)
muninn -e evidence/ --sql "SELECT \"Image\",\"OriginalFileName\",\"CommandLine\" FROM events WHERE \"OriginalFileName\" IS NOT NULL AND \"Image\" NOT LIKE '%\\' || \"OriginalFileName\""
```
### Persistence

```
# Scheduled tasks
muninn -e evidence/ --sql "SELECT \"CommandLine\" FROM events WHERE \"EventID\" = '1' AND \"CommandLine\" LIKE '%schtasks%create%'"

# New services
muninn -e evidence/ --sql "SELECT \"ServiceName\",\"ImagePath\",\"ServiceType\" FROM events WHERE \"EventID\" = '7045'"

# Registry Run keys (Sysmon 13)
muninn -e evidence/ --sql "SELECT \"Image\",\"TargetObject\",\"Details\" FROM events WHERE \"EventID\" = '13' AND \"TargetObject\" LIKE '%\\Run\\%'"

# WMI event subscriptions (Sysmon 19/20/21)
muninn -e evidence/ --sql "SELECT * FROM events WHERE \"EventID\" IN ('19','20','21')"

# Files dropped in Startup folders (Sysmon 11)
muninn -e evidence/ --sql "SELECT \"Image\",\"TargetFilename\" FROM events WHERE \"EventID\" = '11' AND \"TargetFilename\" LIKE '%Startup%'"

# DLL hijacking candidates (Sysmon 7 image load, unsigned DLL; requires ImageLoad to be enabled in the Sysmon config)
muninn -e evidence/ --sql "SELECT \"Image\",\"ImageLoaded\" FROM events WHERE \"EventID\" = '7' AND \"Signed\" = 'false'"
```
### Credential access

```
# LSASS access (Sysmon 10)
muninn -e evidence/ --sql "SELECT \"SourceImage\",\"GrantedAccess\" FROM events WHERE \"EventID\" = '10' AND \"TargetImage\" LIKE '%lsass.exe'"

# Kerberoasting (RC4-encrypted TGS requests; exclude krbtgt and machine-account SPNs ending in $ to cut noise)
muninn -e evidence/ --sql "SELECT \"TargetUserName\",\"ServiceName\",\"TicketEncryptionType\" FROM events WHERE \"EventID\" = '4769' AND \"TicketEncryptionType\" = '0x17'"

# AS-REP roasting (RC4 AS-REQ for an account that does not require pre-authentication)
muninn -e evidence/ --sql "SELECT \"TargetUserName\" FROM events WHERE \"EventID\" = '4768' AND \"TicketEncryptionType\" = '0x17' AND \"PreAuthType\" = '0'"

# LSASS opened with access masks typical of credential dumping (0x1010 procdump/mimikatz style, 0x1fffff full access)
muninn -e evidence/ --sql "SELECT * FROM events WHERE \"EventID\" = '10' AND \"TargetImage\" LIKE '%\\lsass.exe' AND \"GrantedAccess\" IN ('0x1010','0x1038','0x1fffff')"

# SSH brute force
muninn -e auth.log -k "Invalid user" --stats

# Failed logons
muninn -e evidence/ --sql "SELECT \"TargetUserName\",\"IpAddress\",COUNT(*) as cnt FROM events WHERE \"EventID\" = '4625' GROUP BY \"TargetUserName\",\"IpAddress\" ORDER BY cnt DESC"

# DCSync (directory replication: DS-Replication-Get-Changes-All, GUID prefix 1131f6ad)
muninn -e evidence/ --sql "SELECT * FROM events WHERE \"EventID\" = '4662' AND \"Properties\" LIKE '%1131f6ad%'"
```
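The lateral-movement and credential-access queries above are deliberately single-condition leads. The following added example (not muninn's code) tightens four of them with the extra conditions a responder usually adds, and runs them with Python's built-in `sqlite3` over a constructed `events` table that uses the same column names as the queries above, so the logic can be checked offline before running it against a real case database. Assumptions: column values are text (as in the cookbook queries), the sample rows are invented, and the thresholds (ten distinct accounts for spraying) are illustrative.

```python
import sqlite3

COLS = ["EventID", "SystemTime", "TargetUserName", "IpAddress", "LogonType",
        "AuthenticationPackageName", "LogonProcessName", "KeyLength",
        "ServiceName", "TicketEncryptionType", "PreAuthType", "Status"]


def _ev(**fields):
    return [fields.get(c) for c in COLS]


# Constructed sample events (not real telemetry); numeric-looking fields are text,
# the same way the cookbook queries compare them.
SAMPLE = [
    # 4624 network logon, NTLM via NtLmSsp, KeyLength 0: the commonly cited pass-the-hash shape
    _ev(EventID="4624", SystemTime="2025-01-15T02:11:03", TargetUserName="Administrator",
        IpAddress="10.0.5.23", LogonType="3", AuthenticationPackageName="NTLM",
        LogonProcessName="NtLmSsp", KeyLength="0"),
    # same shape for a machine account: normal domain noise that must be excluded
    _ev(EventID="4624", SystemTime="2025-01-15T02:12:00", TargetUserName="WS01$",
        IpAddress="10.0.5.23", LogonType="3", AuthenticationPackageName="NTLM",
        LogonProcessName="NtLmSsp", KeyLength="0"),
    # Kerberos network logon: not pass-the-hash
    _ev(EventID="4624", SystemTime="2025-01-15T02:13:00", TargetUserName="alice",
        IpAddress="10.0.5.24", LogonType="3", AuthenticationPackageName="Kerberos",
        LogonProcessName="Kerberos", KeyLength="256"),
    # one source failing against twelve different accounts: password spraying
    *[_ev(EventID="4625", SystemTime=f"2025-01-15T03:00:{i:02d}", TargetUserName=f"user{i:02d}",
          IpAddress="10.0.9.9", LogonType="3") for i in range(12)],
    # 4769 RC4 (0x17) service tickets: a user SPN is a kerberoast candidate,
    # krbtgt and machine-account SPNs are expected noise
    _ev(EventID="4769", TargetUserName="alice@CORP.LOCAL", ServiceName="svc_sql",
        TicketEncryptionType="0x17", Status="0x0", IpAddress="10.0.5.24"),
    _ev(EventID="4769", TargetUserName="alice@CORP.LOCAL", ServiceName="krbtgt",
        TicketEncryptionType="0x17", Status="0x0", IpAddress="10.0.5.24"),
    _ev(EventID="4769", TargetUserName="alice@CORP.LOCAL", ServiceName="WS01$",
        TicketEncryptionType="0x17", Status="0x0", IpAddress="10.0.5.24"),
    # 4768 RC4 AS-REQ: PreAuthType 0 means no pre-authentication (AS-REP roastable),
    # PreAuthType 2 (PA-ENC-TIMESTAMP) is just a legacy client
    _ev(EventID="4768", TargetUserName="svc_legacy", TicketEncryptionType="0x17",
        PreAuthType="0", Status="0x0", IpAddress="10.0.9.9"),
    _ev(EventID="4768", TargetUserName="bob", TicketEncryptionType="0x17",
        PreAuthType="2", Status="0x0", IpAddress="10.0.5.24"),
]

QUERIES = {
    # NTLM over NtLmSsp with KeyLength 0, excluding machine and anonymous accounts;
    # still a lead, not proof: legitimate NTLM logons without a session key look the same
    "pass_the_hash": """
        SELECT TargetUserName, IpAddress FROM events
        WHERE EventID = '4624' AND LogonType = '3'
          AND AuthenticationPackageName = 'NTLM' AND LogonProcessName = 'NtLmSsp'
          AND KeyLength = '0'
          AND TargetUserName NOT LIKE '%$' AND TargetUserName != 'ANONYMOUS LOGON'""",
    # one source, many distinct accounts: spraying rather than a single-account brute force
    "password_spray": """
        SELECT IpAddress, COUNT(DISTINCT TargetUserName) AS accounts, COUNT(*) AS attempts
        FROM events WHERE EventID = '4625'
        GROUP BY IpAddress HAVING accounts >= 10 ORDER BY accounts DESC""",
    # successful RC4 TGS for user SPNs only
    "kerberoast": """
        SELECT TargetUserName, ServiceName FROM events
        WHERE EventID = '4769' AND TicketEncryptionType = '0x17' AND Status = '0x0'
          AND ServiceName NOT LIKE '%$' AND ServiceName != 'krbtgt'""",
    # RC4 AS-REQ without pre-authentication
    "asrep_roast": """
        SELECT TargetUserName FROM events
        WHERE EventID = '4768' AND TicketEncryptionType = '0x17' AND PreAuthType = '0'""",
}


def load_events(rows):
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (%s)" % ", ".join(COLS))
    conn.executemany("INSERT INTO events VALUES (%s)" % ",".join("?" * len(COLS)), rows)
    return conn


def run_query(conn, name):
    return conn.execute(QUERIES[name]).fetchall()


if __name__ == "__main__":
    db = load_events(SAMPLE)
    for name in QUERIES:
        print(name, run_query(db, name))
```

The same SQL can be pasted into `muninn --sql` or `sqlite3 case.db` once the column names are confirmed with `.schema events`; the machine-account and `krbtgt` exclusions are what keep these queries quiet on a busy domain controller.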
### Network analysis: IPs, domains, C2

```
# External IPs (RFC 1918 excluded; the LIKE patterns approximate the ranges, '172.2_.%' covers 172.20-29)
muninn -e evidence/ --sql "
SELECT DISTINCT \"DestinationIp\" FROM events
WHERE \"DestinationIp\" IS NOT NULL AND \"DestinationIp\" != ''
  AND \"DestinationIp\" NOT LIKE '10.%'
  AND \"DestinationIp\" NOT LIKE '172.16.%' AND \"DestinationIp\" NOT LIKE '172.17.%'
  AND \"DestinationIp\" NOT LIKE '172.18.%' AND \"DestinationIp\" NOT LIKE '172.19.%'
  AND \"DestinationIp\" NOT LIKE '172.2_.%'
  AND \"DestinationIp\" NOT LIKE '172.30.%' AND \"DestinationIp\" NOT LIKE '172.31.%'
  AND \"DestinationIp\" NOT LIKE '192.168.%'
  AND \"DestinationIp\" NOT LIKE '127.%'
"

# Ports commonly used by C2 frameworks
muninn -e evidence/ --sql "
SELECT \"DestinationIp\",\"DestinationPort\",\"Image\" FROM events
WHERE \"DestinationPort\" IN ('4444','5555','8080','8443','1337','9001','6666','1234')
"

# Suspicious TLDs (Sysmon 22 DNS queries)
muninn -e evidence/ --sql "
SELECT \"QueryName\",\"Image\" FROM events
WHERE \"EventID\" = '22'
  AND (\"QueryName\" LIKE '%.xyz' OR \"QueryName\" LIKE '%.top' OR \"QueryName\" LIKE '%.tk'
    OR \"QueryName\" LIKE '%.pw' OR \"QueryName\" LIKE '%.onion' OR \"QueryName\" LIKE '%.bit')
"

# High-frequency DNS queries (possible beaconing)
muninn -e evidence/ --sql "SELECT \"QueryName\", COUNT(*) as cnt FROM events WHERE \"EventID\" = '22' GROUP BY \"QueryName\" HAVING cnt > 100 ORDER BY cnt DESC"

# Long DNS names (possible tunneling)
muninn -e evidence/ --sql "SELECT \"QueryName\" FROM events WHERE \"EventID\" = '22' AND LENGTH(\"QueryName\") > 50"

# Outbound connections per process (Sysmon 3)
muninn -e evidence/ --sql "SELECT \"Image\", COUNT(DISTINCT \"DestinationIp\") as ips FROM events WHERE \"EventID\" = '3' GROUP BY \"Image\" ORDER BY ips DESC LIMIT 20"

# All unique destination IPs
muninn -e evidence/ --distinct DestinationIp

# All unique DNS queries
muninn -e evidence/ --distinct QueryName
```
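The DNS queries above flag names only by raw count and by length. The field-transforms feature mentions a DNS entropy score, but this page does not show how it is computed, so here is an added example (not muninn's implementation) of the two refinements a hunter usually wants: a tunneling score that combines name length with the Shannon entropy of the subdomain labels, and a beaconing check that looks at the regularity of the gaps between queries rather than at their number. It runs over constructed Sysmon 22-style records; the thresholds (50 characters, 3.5 bits/char, six queries, 20 % jitter) and the approximation of the registered domain as the last two labels are assumptions to tune per environment.

```python
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def shannon_entropy(s):
    """Bits per character: hex/base32-looking labels sit near 4, words near 2-3."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def subdomain_labels(qname):
    """Labels left of the registered domain, approximated here as the last two labels."""
    labels = qname.rstrip(".").split(".")
    return "".join(labels[:-2]) if len(labels) > 2 else ""


def tunnel_candidates(events, min_len=50, min_entropy=3.5):
    """Query names that are long AND whose subdomain part looks like encoded data."""
    found = {}
    for e in events:
        q = e["QueryName"]
        ent = shannon_entropy(subdomain_labels(q))
        if len(q) >= min_len and ent >= min_entropy:
            found[q] = round(ent, 2)
    return found


def beacon_candidates(events, min_count=6, max_cv=0.2):
    """Names queried >= min_count times at near-constant spacing:
    coefficient of variation (stdev/mean) of the inter-query gap <= max_cv."""
    times = defaultdict(list)
    for e in events:
        times[e["QueryName"]].append(datetime.fromisoformat(e["UtcTime"]))
    found = {}
    for q, ts in times.items():
        if len(ts) < min_count:
            continue
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= max_cv:
            found[q] = round(m, 1)  # the beacon period in seconds
    return found


# Constructed Sysmon 22-style sample events (not real telemetry)
T0 = datetime(2025, 1, 15, 10, 0, 0)
JITTER = [0, 1, -1, 2, -2, 1, 0, -1, 2, -1]  # seconds of jitter around a 60 s beat
TUNNEL_BLOB = "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4"  # 48 chars posing as encoded data


def make_event(name, offset, image=r"C:\Windows\System32\svchost.exe"):
    return {"EventID": "22", "UtcTime": (T0 + timedelta(seconds=offset)).isoformat(),
            "QueryName": name, "Image": image}


SAMPLE = (
    # ten queries to one name, one per minute with small jitter: a beacon
    [make_event("sync.cdn-update.example", 60 * i + j, r"C:\Users\alice\AppData\Local\Temp\upd.exe")
     for i, j in enumerate(JITTER)]
    # six queries to a normal site at irregular times: human browsing
    + [make_event("www.example.com", off) for off in (0, 5, 400, 410, 3000, 3100)]
    # two 64-character names carrying high-entropy labels: the tunneling/exfil shape
    + [make_event(TUNNEL_BLOB + ".t.exfil.example", 7000),
       make_event(TUNNEL_BLOB[::-1] + ".t.exfil.example", 7002)]
)

if __name__ == "__main__":
    print("tunnel candidates:", tunnel_candidates(SAMPLE))
    print("beacon candidates:", beacon_candidates(SAMPLE))
```

The beacon check rejects the browsing pattern even though it has enough queries, because its gaps vary wildly; a count-only query such as `HAVING cnt > 100` would need far more events before it said anything. Real environments need an allow-list for CDN and telemetry domains that also poll on fixed intervals.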
### Defense evasion

```
# Sysmon configuration tampering (Sysmon 16)
muninn -e evidence/ --sql "SELECT * FROM events WHERE \"EventID\" = '16'"

# Log clearing (1102 = Security log cleared, 104 = System/Application log cleared)
muninn -e evidence/ --sql "SELECT * FROM events WHERE \"EventID\" IN ('1102','104')"

# Disabling Windows Defender
muninn -e evidence/ --sql "SELECT * FROM events WHERE \"CommandLine\" LIKE '%DisableRealtimeMonitoring%' OR \"CommandLine\" LIKE '%Set-MpPreference%'"

# AMSI bypass attempts
muninn -e evidence/ -k "AmsiUtils"
muninn -e evidence/ --sql "SELECT \"CommandLine\" FROM events WHERE \"CommandLine\" LIKE '%amsi%bypass%' OR \"CommandLine\" LIKE '%AmsiInitFailed%'"

# Timestomping (Sysmon 2, file creation time changed)
muninn -e evidence/ --sql "SELECT \"Image\",\"TargetFilename\" FROM events WHERE \"EventID\" = '2'"

# Process hollowing / herpaderping (Sysmon 25, ProcessTampering)
muninn -e evidence/ --sql "SELECT * FROM events WHERE \"EventID\" = '25'"
```
### Linux and cloud

```
# Linux: sudo abuse
muninn -e /var/log/auth.log -k "sudo" --stats

# Linux: SSH brute force
muninn -e /var/log/auth.log --sql "SELECT * FROM events WHERE \"_raw\" LIKE '%Failed password%'"

# Linux: cron persistence
muninn -e /var/log/syslog -k "CRON" --stats

# Linux: new users
muninn -e /var/log/auth.log -k "useradd"

# AWS CloudTrail: console logins without MFA
muninn -e cloudtrail/ --sql "SELECT * FROM events WHERE \"eventName\" = 'ConsoleLogin' AND \"additionalEventData\" NOT LIKE '%MFAUsed%Yes%'"

# AWS: IAM changes
muninn -e cloudtrail/ --sql "SELECT \"eventName\",\"userIdentity\",\"requestParameters\" FROM events WHERE \"eventSource\" = 'iam.amazonaws.com'"

# Azure: risky sign-ins
muninn -e azure-logs/ --sql "SELECT * FROM events WHERE \"riskState\" = 'atRisk'"

# Zeek: DNS queries
muninn -e zeek-logs/dns.log --distinct query
muninn -e zeek-logs/dns.log --sql "SELECT \"query\", COUNT(*) as cnt FROM events GROUP BY \"query\" ORDER BY cnt DESC LIMIT 30"
```
### Data exploration and export

```
# Field statistics
muninn -e evidence/ --stats
muninn -e evidence/ --distinct EventID
muninn -e evidence/ --distinct Image
muninn -e evidence/ --distinct User
muninn -e evidence/ --distinct Channel
muninn -e evidence/ --distinct LogonType

# Export to SQLite for deeper analysis
muninn -e evidence/ --dbfile case.db
sqlite3 case.db "SELECT \"Image\", COUNT(*) as cnt FROM events WHERE \"EventID\" = '1' GROUP BY \"Image\" ORDER BY cnt DESC LIMIT 20"
sqlite3 case.db ".schema events"

# Top processes by count
muninn -e evidence/ --sql "SELECT \"Image\", COUNT(*) as cnt FROM events WHERE \"Image\" IS NOT NULL GROUP BY \"Image\" ORDER BY cnt DESC LIMIT 30"

# Event timeline (hourly distribution)
muninn -e evidence/ --sql "SELECT SUBSTR(\"SystemTime\",1,13) as hour, COUNT(*) as cnt FROM events WHERE \"SystemTime\" IS NOT NULL GROUP BY hour ORDER BY hour"

# Most active users
muninn -e evidence/ --sql "SELECT \"User\", COUNT(*) as cnt FROM events WHERE \"User\" IS NOT NULL GROUP BY \"User\" ORDER BY cnt DESC LIMIT 20"
```
### Full investigation workflow

```
# Step 1: download the rules
muninn --download-rules all

# Step 2: quick triage
muninn -e ./evidence/ -r sigma-rules/ --min-level high --stats

# Step 3: full analysis
muninn -e ./evidence/ -r sigma-rules/ --stats --timeline --killchain --threat-score --anomalies --ioc-extract --correlate --gui report.html

# Step 4: export for SIEM ingestion
muninn -e ./evidence/ -r sigma-rules/ --template splunk --template-output splunk-import.json

# Step 5: dig in with the TUI
muninn -e ./evidence/ -r sigma-rules/ --tui

# Step 6: export enriched IOCs
muninn -e ./evidence/ --ioc-extract --vt-key YOUR_KEY -o ioc-report.json

# Step 7: compare before and after remediation
muninn -e ./evidence-before/ -r sigma-rules/ --diff ./evidence-after/
```
## SIGMA rules

**3,273 detection rules** covering 377 MITRE ATT&CK techniques, 14 tactics and 430 CVE exploits: the SigmaHQ community rules plus Corax Team original threat intelligence (Head Mare, PhantomCore APT).

```
# Download rules from SigmaHQ (binary must be built with --features download)
muninn --download-rules all                          # all 3200+ rules → sigma-rules/
muninn --download-rules core                         # curated core ruleset
muninn --download-rules core+                        # core + extended
muninn --download-rules emerging                     # emerging-threats add-on
muninn --download-rules all --rules-dir ./my-rules/  # custom output directory
```

| Category | Rules |
|---|---:|
| Windows (process, registry, PowerShell, file, network) | 2,253 |
| Cloud (AWS, Azure, GCP, M365, Okta) | 204 |
| Linux (auditd, syslog, process) | 147 |
| Application (JVM, web frameworks) | 77 |
| macOS | 48 |
| Network (Zeek, DNS, firewall) | 45 |
| Web (IIS, Apache, Nginx) | 42 |
| Identity | 20 |
| Category (cross-platform) | 7 |
| CVE exploits (2010–2025) | 430 |

```
muninn -e events.json -r sigma-rules/                                 # all rules
muninn -e events.json -r sigma-rules/rules/windows/process_creation/  # Windows process creation
muninn -e events.json -r sigma-rules/rules/linux/                     # Linux only
muninn -e events.json -r sigma-rules/rules/cloud/                     # cloud only
```
### Supported SIGMA modifiers

| Modifier | Example | Description |
|---|---|---|
| `contains` | `CommandLine\|contains: 'whoami'` | Substring match |
| `startswith` | `Image\|startswith: 'C:\Windows'` | Prefix match |
| `endswith` | `Image\|endswith: '\cmd.exe'` | Suffix match |
| `re` | `CommandLine\|re: '.*-enc\s+'` | Regular expression |
| `all` | `CommandLine\|contains\|all:` | Every listed value must match |
| `base64` | `CommandLine\|base64: 'whoami'` | Base64-encoded value |
| `base64offset` | `CommandLine\|base64offset: 'admin'` | Base64 with the three alignment offsets |
| `windash` | `CommandLine\|windash\|contains: '-enc'` | Dash variants (`-`, `/`, `--`) |
| `cidr` | `SourceIp\|cidr: '10.0.0.0/8'` | IP range |
| `gt/gte/lt/lte` | `EventID\|gte: 4624` | Numeric comparison |
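The table describes what the YAML → SQL compiler accepts but not what the SQL looks like. As an added illustration (not muninn's compiler, whose schema and generated SQL are not shown on this page) the following Python compiles a subset of these modifiers to SQLite: `contains`/`startswith`/`endswith` become `LIKE` with an `ESCAPE` clause so literal `%` and `_` in rule values stay literal, `windash` expands the dash variants, `all` switches the value list from OR to AND, and `re` and `cidr` are pushed into SQL through registered functions. Assumptions: a flat `events` table whose columns are the Sigma field names with text values (the shape the cookbook queries on this page rely on), rules given as Python dicts instead of YAML to avoid a PyYAML dependency, selections that are plain dicts, `condition` restricted to selection names joined with `and`/`or`/`not`, and invented sample events and rules (the allow-listed `svc_backup` account is made up). `base64`, `base64offset`, the numeric modifiers, Sigma `*` wildcards and `1 of` conditions are left out.

```python
import ipaddress
import re
import sqlite3


def _like_escape(s):  # a literal %, _ or \ in a rule value must not become LIKE syntax
    return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def _windash(v):  # windash: '-enc' must also match '/enc' and '--enc'
    return [v, "/" + v[1:], "--" + v[1:]] if v.startswith("-") else [v]


def _compile_value(col, mods, v):
    # One field/modifier/value triple -> (SQL fragment, bind parameters)
    if "re" in mods:
        return f"{col} REGEXP ?", [v]
    if "cidr" in mods:
        return f"CIDR_MATCH({col}, ?)", [v]
    pat = _like_escape(str(v))
    if "contains" in mods:
        pat = "%" + pat + "%"
    elif "startswith" in mods:
        pat += "%"
    elif "endswith" in mods:
        pat = "%" + pat
    # SQLite LIKE is case-insensitive for ASCII, which is also Sigma's string semantics
    return f"{col} LIKE ? ESCAPE '\\'", [pat]


def compile_selection(sel):
    # Fields of one selection are AND-ed; values of one field are OR-ed unless |all is set
    frags, params = [], []
    for spec, values in sel.items():
        field, *mods = spec.split("|")
        col = '"' + field.replace('"', '""') + '"'
        groups = []
        for v in values if isinstance(values, list) else [values]:
            alts = [_compile_value(col, mods, var) for var in (_windash(str(v)) if "windash" in mods else [v])]
            groups.append("(" + " OR ".join(f for f, _ in alts) + ")")
            params.extend(p for _, ps in alts for p in ps)
        glue = " AND " if "all" in mods else " OR "
        frags.append("(" + glue.join(groups) + ")")
    return "(" + " AND ".join(frags) + ")", params


def compile_rule(rule):
    # Splice compiled selections into the condition; only and/or/not are supported here
    det = rule["detection"]
    compiled = {k: compile_selection(v) for k, v in det.items() if k != "condition"}
    params = []

    def sub(m):
        tok = m.group(0)
        if tok in ("and", "or", "not"):
            return tok.upper()
        params.extend(compiled[tok][1])  # re.sub walks left to right, so bind order follows the SQL
        return compiled[tok][0]

    return "SELECT rowid FROM events WHERE " + re.sub(r"\w+", sub, det["condition"]), params


def _cidr_match(ip, net):
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)
    except (ValueError, TypeError):
        return False


def open_db(rows):
    # Load constructed event dicts into an in-memory `events` table of text columns
    cols = sorted({k for r in rows for k in r})
    conn = sqlite3.connect(":memory:")
    # X REGEXP Y calls regexp(Y, X): the pattern comes first, then the column value
    conn.create_function("REGEXP", 2, lambda pat, s: s is not None and re.search(pat, s) is not None)
    conn.create_function("CIDR_MATCH", 2, _cidr_match)
    conn.execute("CREATE TABLE events (%s)" % ", ".join('"%s" TEXT' % c for c in cols))
    conn.executemany("INSERT INTO events VALUES (%s)" % ",".join("?" * len(cols)),
                     [[r.get(c) for c in cols] for r in rows])
    return conn


def run_rule(conn, rule):  # rowids of the events a rule matches
    sql, params = compile_rule(rule)
    return [row[0] for row in conn.execute(sql, params)]


# Constructed sample events (not real telemetry); values are text, as in the cookbook queries
EVENTS = [
    {"EventID": "1", "User": r"CORP\alice", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe /enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"EventID": "1", "User": r"CORP\svc_backup", "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": "pwsh.exe -EncodedCommand ZQBjAGgAbwAgAGgAaQA="},
    {"EventID": "1", "User": r"CORP\alice", "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": "4624", "LogonType": "3", "TargetUserName": "alice", "IpAddress": "10.20.30.40"},
    {"EventID": "4624", "LogonType": "3", "TargetUserName": "Administrator", "IpAddress": "203.0.113.7"},
]

# Two toy rules as dicts (the YAML structure without the YAML); the filtered account is made up
ENCODED_PS = {"title": "Encoded PowerShell command line (toy rule)", "detection": {
    "selection": {"Image|endswith": [r"\powershell.exe", r"\pwsh.exe"],
                  "CommandLine|windash|contains": ["-enc", "-EncodedCommand"]},
    "filter": {"User|endswith": r"\svc_backup"},
    "condition": "selection and not filter"}}
EXTERNAL_NET_LOGON = {"title": "Network logon from outside RFC 1918 space (toy rule)", "detection": {
    "selection": {"EventID": "4624", "LogonType": "3"},
    "filter": {"IpAddress|cidr": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]},
    "condition": "selection and not filter"}}
```

`run_rule(open_db(EVENTS), ENCODED_PS)` returns only the first event: the `svc_backup` row is matched by the selection (the `/enc` and `-EncodedCommand` variants both come from `windash`) but removed by the filter. The `cidr` filter shows why pushing a real CIDR test into SQL beats the `LIKE '172.2_.%'` approximation used in the network cookbook: `172.16.0.0/12` is one parameter instead of seven patterns.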
Rules are licensed by SigmaHQ under the [DRL 1.1](https://github.com/SigmaHQ/Detection-Rule-License).

## CLI reference

```
muninn [OPTIONS] (-e <PATH> | --load-db <FILE>)

INPUT / OUTPUT:
  -e, --events <PATH>          Log file or directory (recursive)
      --load-db <FILE>         Load previously saved SQLite database (skip parsing)
  -r, --rules <PATH>           SIGMA rules (file or directory)
  -o, --output <FILE>          JSON output file
      --dbfile [FILE]          Save events to SQLite database (auto-named if no path)
      --keepflat [FILE]        Export flattened events as JSONL (auto-named if no path given)
      --no-report              Disable auto-report
  -q, --quiet                  Suppress output

SEARCH:
  -k, --keyword <TEXT>         Full-text keyword search
  -f, --field <FIELD=VALUE>    Field search (LIKE: %, _)
      --regex <FIELD=REGEX>    Regex search
      --sql <QUERY>            Raw SQL query
      --sql-file <FILE>        SQL queries from file
      --stats                  Field statistics
      --distinct <FIELD>       Unique field values

SIGMA:
      --min-level <LEVEL>      Minimum severity [default: low]
      --rulefilter <PATTERN>   Exclude rules matching pattern (repeatable)
      --profile-rules          Show rule execution time ranking
      --hashes                 Compute event hashes

ANALYSIS (all accept an optional FILE path: .txt by default, .html/.json by extension):
      --timeline [FILE]        Show attack timeline and save to file
      --killchain [FILE]       Kill chain visualization and save to file
      --anomalies [FILE]       Detect statistical anomalies and save to file
      --ioc-extract [FILE]     Extract IOCs (IPs, domains, URLs, hashes, emails, file paths, registry keys, services, tasks, pipes)
      --ioc-max <N>            Max unique IOCs to track (default: 100000)
      --login-analysis [FILE]  Analyze login events (4624/4625/4672): brute force, lateral movement
      --summary [FILE]         Executive incident assessment with automated verdict
      --threat-score [FILE]    Per-host/user threat scoring (absolute 0-100)
      --correlate [FILE]       Correlate events into attack chains with duration
      --transforms             Field transforms (base64 decode, LOLBin, DNS entropy)

IOC ENRICHMENT (requires --features ioc-enrich):
      --vt-key <KEY>           VirusTotal API key
      --abuseipdb-key <KEY>    AbuseIPDB API key
      --opentip-key <KEY>      Kaspersky OpenTIP API key (basic)
      --opentip-check <KEY>    Kaspersky OpenTIP deep check (TXT + HTML + JSON reports)
      --opentip-types <LIST>   IOC types to check: hash,ip,domain,url (default: all)
      --opentip-max <N>        Max IOCs to check (default: 2000, daily quota: 2000)

EXPORT:
      --navigator [FILE]       ATT&CK Navigator layer JSON (auto-named if no path given)
      --template <NAME>        Export: splunk, elk, timesketch, csv, sarif
      --template-output [FILE] Template output path (auto-named if no path given)
      --gui [FILE]             Interactive HTML report: dashboard, timeline, MITRE matrix, events

FILTERING:
  -s, --select <GLOB>          Only matching files
  -a, --avoid <GLOB>           Exclude matching files
      --after <TIMESTAMP>      Only events after timestamp (ISO 8601)
      --before <TIMESTAMP>     Only events before timestamp (ISO 8601)
      --field-map <FILE>       YAML field rename mapping

ARCHIVE:
      --archive-password <PASSWORD>  Password for encrypted archives (zip, rar, 7z)

PERFORMANCE:
      --workers <N>            Parallel workers (default: min(CPU_cores / 2, 4))
      --max-events <N>         Maximum events to load
      --batch-size <N>         Events per batch (default: 50000)
      --limit <N>              Limit result rows per query
      --add-index <FIELD>      Create index on field(s)
      --remove-index <NAME>    Remove index by name
      --per-file               Per-file parallel processing

RULES DOWNLOAD (requires --features download):
      --download-rules <SET>   Download SIGMA rules: core, core+, all, emerging
      --rules-dir <DIR>        Output directory for downloaded rules [default: sigma-rules]

MODE:
      --diff <PATH>            Compare with second evidence set
      --config <FILE>          YAML config file
      --tui                    Interactive terminal UI (requires --features tui)
      --live                   Real-time monitoring (requires --features live)
```

## Building from source

```
# Standard build
cargo build --release --features "all-parsers,cli"

# Full build with every optional feature
cargo build --release --features "all-parsers,cli,archive,download,tui,live,ioc-enrich"

# Run the tests
cargo test --features "all-parsers,cli,archive,download,tui,live,ioc-enrich"
```
Feature flags, Docker, cross-compilation

| Feature | Description |
|---------|-------------|
| `all-parsers` | All format parsers (default) |
| `cli` | CLI binary |
| `archive` | .gz/.zip/.bz2/.tar.gz/.tgz/.rar/.7z support (flate2, zip, bzip2, tar, unrar, sevenz-rust) |
| `download` | Download SIGMA rules from SigmaHQ releases |
| `ioc-enrich` | IOC enrichment via VirusTotal, AbuseIPDB, OpenTIP |
| `tui` | Interactive terminal UI (ratatui, crossterm) |
| `live` | Real-time directory monitoring |
| `parser-evtx` | Windows EVTX |
| `parser-syslog` | Syslog RFC 3164/5424 |
| `parser-cef` | Common Event Format |
| `parser-leef` | Log Event Extended Format |
| `parser-zeek` | Zeek/Bro TSV |
| `parser-w3c` | W3C Extended Log |

```
# Docker
docker build -t muninn .
docker run -v ./evidence:/case/evidence -v ./sigma_rules:/case/sigma_rules muninn -e /case/evidence/ -r /case/sigma_rules/ --stats

# Cross-compile for Windows
rustup target add x86_64-pc-windows-msvc
cargo build --release --features "all-parsers,cli" --target x86_64-pc-windows-msvc
```
## Public log datasets

| Dataset | Format | Link |
|---------|--------|------|
| EVTX-ATTACK-SAMPLES | EVTX | [sbousseaden/EVTX-ATTACK-SAMPLES](https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES) |
| Hayabusa Sample EVTX | EVTX | [Yamato-Security/hayabusa-sample-evtx](https://github.com/Yamato-Security/hayabusa-sample-evtx) |
| EVTX-to-MITRE-Attack | EVTX | [mdecrevoisier/EVTX-to-MITRE-Attack](https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack) |
| SecRepo auth.log | Syslog | [secrepo.com](https://www.secrepo.com/auth.log/) |
| SecRepo Zeek DNS/HTTP | Zeek TSV | [secrepo.com](https://www.secrepo.com/maccdc2012/) |
| Mordor / Security Datasets | JSON | [OTRF/Security-Datasets](https://github.com/OTRF/Security-Datasets) |

```
git clone --depth=1 https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES.git
muninn -e EVTX-ATTACK-SAMPLES/ -r sigma_rules/windows/ --timeline --killchain --threat-score
```

## Performance

| Metric | Value |
|--------|-------|
| Parse speed | ~250K events/s (parallel, JSON Lines) |
| SQLite load | 100K events in under 5 s |
| Binary size | Single static binary (release, LTO, debug info stripped) |
| Memory | SQLite-backed, handles millions of events |
| Parallelism | File parsing and SIGMA compilation via rayon |

## License

**AGPL-3.0**, see [LICENSE](LICENSE). SIGMA rules in `sigma_rules/` are licensed by SigmaHQ under [DRL 1.1](https://github.com/SigmaHQ/Detection-Rule-License).

## Overview

Muninn is an incident response and log analysis tool. One binary, 15+ formats, 3273 SIGMA rules, 377 MITRE ATT&CK techniques, authentication analysis, anomaly detection, attack correlation, IOC checking via Kaspersky OpenTIP, compromise assessment and real-time monitoring. No SIEM needed.

Point it at a directory of logs: Muninn detects the format itself, loads the events into SQLite and runs the analysis. Results can be saved to a database and revisited as often as you like: run new SIGMA rules, issue SQL queries, check indicators, all without re-parsing.
### What can be analyzed

| Source | Examples |
|---|---|
| **Windows Event Logs** | Security (4624/4625/4688/4720), Sysmon (1/3/11/13/22), PowerShell (4104), System (7045), `.evtx` files |
| **Linux / Unix** | auth.log, syslog, auditd, journald exports |
| **Network sensors** | Zeek/Bro (dns, http, conn, ssl), Suricata EVE JSON, Snort (logs in JSON, CSV, Syslog, CEF or LEEF) |
| **Firewalls** | iptables, Palo Alto, Fortinet, Check Point (logs in CSV, Syslog, CEF or LEEF) |
| **Cloud** | AWS CloudTrail, Azure Activity, GCP Audit, M365, Okta, as JSON |
| **Web servers** | IIS (W3C), Apache/Nginx, proxy servers |
| **EDR / XDR** | Any telemetry in JSON, CSV or Syslog |
| **Archives** | `.gz`, `.zip`, `.bz2`, `.tar.gz`, `.tgz`, `.rar`, `.7z`: auto-extracted, passwords supported (`--archive-password`) |

### Installation

Prebuilt binaries: [Releases](https://github.com/corax-team/muninn/releases)

**Linux:**

```
curl -sL https://github.com/corax-team/muninn/releases/latest/download/muninn-linux-amd64 -o muninn
chmod +x muninn
./muninn -e /path/to/logs/ -r sigma_rules/ --stats
```

**Windows:**

```
Invoke-WebRequest -Uri "https://github.com/corax-team/muninn/releases/latest/download/muninn-windows-amd64.exe" -OutFile muninn.exe
.\muninn.exe -e C:\Logs\ -r sigma_rules\ --stats
```

### Quick start: recommended approach

```
# 1. Download SIGMA rules
muninn --download-rules all

# 2. Parse logs and save them to a database (one-off)
muninn -e ./evidence/ --dbfile case001.db

# From archives, including encrypted ones
muninn -e ./evidence.zip --dbfile case001.db
muninn -e ./evidence.rar --archive-password "infected" --dbfile case001.db

# 3. Work with the database: instant, no re-parsing
muninn --load-db case001.db -r sigma-rules/ --summary --ioc-extract --login-analysis

# 4. Interactive queries
muninn --load-db case001.db --keyword "mimikatz"
muninn --load-db case001.db --sql "SELECT * FROM events WHERE EventID = '4688'"
muninn --load-db case001.db --distinct Image

# 5. Check IOCs via Kaspersky OpenTIP
muninn --load-db case001.db --ioc-extract --opentip-check YOUR_KEY
muninn --load-db case001.db --ioc-extract --opentip-check YOUR_KEY --opentip-types hash
muninn --load-db case001.db --ioc-extract --opentip-check YOUR_KEY --opentip-types ip,domain
```

### Features

#### Core

| | |
|---|---|
| **15+ formats** | EVTX, JSON, CSV, XML, Syslog, CEF, LEEF, Zeek, W3C, Auditd, macOS; the format is detected automatically |
| **3200+ SIGMA rules** | The full [SigmaHQ](https://github.com/SigmaHQ/sigma) set, fetched via `--download-rules` |
| **SIGMA compiler** | YAML → SQL; modifiers: `contains`, `endswith`, `startswith`, `re`, `base64`, `base64offset`, `windash`, `cidr`, `all`, `gt/gte/lt/lte` |
| **Search engine** | SQLite: keywords, fields, regular expressions, arbitrary SQL |
| **Single binary** | Static build, pulls in nothing else |
| **Cross-platform** | Linux x86_64, Windows x86_64 |
| **Standalone CLI** | One binary, no external dependencies |

#### Analysis and incident response

| Feature | Flag | Description |
|---------|------|-------------|
| **MITRE ATT&CK mapping** | *(auto)* | Detections tied to techniques and tactics via rule tags |
| **ATT&CK Navigator** | `--navigator layer.json` | Layer export for ATT&CK Navigator |
| **Kill chain** | `--killchain [FILE]` | ASCII visualization by tactic |
| **Attack timeline** | `--timeline [FILE]` | Chronology of detections |
| **Anomaly detection** | `--anomalies [FILE]` | Rare processes, unusual logon times, suspicious parent→child pairs, brute-force detection, command obfuscation scoring |
| **IOC extraction** | `--ioc-extract [FILE]` | IPs, domains, URLs, hashes, emails, paths, registry keys, services, tasks, pipes |
| **IOC enrichment** | `--vt-key` / `--abuseipdb-key` / `--opentip-key` | VirusTotal, AbuseIPDB, Kaspersky OpenTIP |
| **OpenTIP deep check** | `--opentip-check ` | Full analysis via Kaspersky OpenTIP: TXT/HTML/JSON reports, parallel requests |
| **OpenTIP type filter** | `--opentip-types hash,ip,domain,url` | Check only the listed IOC types |
| **Logon analysis** | `--login-analysis [FILE]` | Authentication: brute force, unusual hours, lateral movement, privilege escalation |
| **Executive summary** | `--summary [FILE]` | Verdict (Clean / Suspicious / Compromised / Breach) and recommendations |
| **Evidence integrity** | *(auto)* | SHA-256 of the source files, included in the JSON report |
| **Save DB** | `--dbfile [FILE]` | Dump events to SQLite for repeat analysis |
| **Load DB** | `--load-db ` | Load a saved database: no parsing, instant access |
| **Threat scoring** | `--threat-score [FILE]` | Threat scores per host and per user (scale 0–100) |
| **Attack correlation** | `--correlate [FILE]` | Groups detections into attack chains |
| **Diff mode** | `--diff /path/second/` | Compare two log sets |
| **Transforms** | `--transforms` | Base64 decoding, LOLBin detection (44 binaries), DNS entropy, deobfuscation |
| **Field mapping** | `--field-map map.yaml` | Rename fields at load time |
| **Early filtering** | *(auto)* | Pre-filter by EventID/Channel taken from the rules |
| **Per-file mode** | `--per-file` | Parallel processing, a separate SQLite database per file |
| **Time filter** | `--after` / `--before` | Timestamp cut-off |
| **Rule profiling** | `--profile-rules` | Measures the execution time of each rule |
| **YAML config** | `--config muninn.yaml` | All parameters in YAML |
| **Rule download** | `--download-rules ` | Fetch SIGMA rules from SigmaHQ (core, core+, all, emerging) |

#### Export

| Format | Flag | Description |
|--------|------|-------------|
| **JSON report** | *(auto)* | MITRE mapping, tags, descriptions |
| **HTML report** | `--gui report.html` | Dashboard, MITRE timeline, ATT&CK matrix, event viewer |
| **Splunk** | `--template splunk` | NDJSON with `source`, `sourcetype`, `_time` |
| **ELK** | `--template elk` | NDJSON with `@timestamp`, `_index` |
| **Timesketch** | `--template timesketch` | JSONL for import into Timesketch |
| **CSV** | `--template csv` | Standard CSV |
| **SARIF** | `--template sarif` | Static Analysis Results Interchange Format |
| **SQLite** | `--dbfile case.db` | Full event database, reopened via `--load-db` |
| **JSONL** | `--keepflat events.jsonl` | Flattened events as JSONL |
| **IOC CSV** | *(auto with `--ioc-extract`)* | CSV with all extracted indicators |
| **OpenTIP HTML** | *(auto with `--opentip-check`)* | HTML report with colour zones and links to the portal |
| **OpenTIP JSON** | *(auto with `--opentip-check`)* | JSON with the full API responses |

#### Performance

| Feature | Flag | Description |
|---------|------|-------------|
| **Parallel parsing** | *(auto)* | Files are parsed in parallel (rayon) |
| **Parallel compilation** | *(auto)* | SIGMA rules are compiled in parallel |
| **Thread control** | `--workers N` | Thread pool size (default: min(CPU_cores/2, 4)) |
| **Memory limit** | `--max-events N` | Maximum number of events loaded |
| **Batch loading** | `--batch-size N` | SQLite batch size (default: 50,000) |
| **Result limit** | `--limit N` | Maximum rows per query |
| **Indexes** | `--add-index Field` | SQLite indexes to speed up queries |

### Log sources

- `.evtx`: collect from `C:\Windows\System32\winevt\Logs\`
- SIEM (Splunk, Elastic, QRadar): export to JSON/CSV
- Zeek: `/opt/zeek/logs/`
- CloudTrail: `aws s3 sync s3://bucket/AWSLogs/ ./cloudtrail/`
- auditd: `ausearch --start today --format text > audit.log`

### Build from source

```
# Standard build
cargo build --release --features "all-parsers,cli"

# Full build with all optional features
cargo build --release --features "all-parsers,cli,archive,download,tui,live,ioc-enrich"

# Run tests
cargo test --features "all-parsers,cli,archive,download,tui,live,ioc-enrich"
```

### License

**AGPL-3.0**, see [LICENSE](LICENSE). SIGMA rules in `sigma_rules/` are under [DRL 1.1](https://github.com/SigmaHQ/Detection-Rule-License) from SigmaHQ. Original Corax Team rules: AGPL-3.0.
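The SIGMA compiler row in the Core features table above describes YAML → SQL compilation with modifiers such as `contains`, `endswith`, `startswith`, `windash` and `all`. The following is an added illustration, not Muninn's own code: a minimal compiler for a hypothetical rule (already parsed from YAML into a dict) that emits a parameterised SQLite query over an in-memory `events` table filled with constructed sample rows, escaping LIKE wildcards and expanding `windash` to the `/` form. The table layout, rule and column names are assumptions.

```python
import sqlite3
# Constructed sample rows shaped like a flattened events table (not data from the page).
EVENTS = [
    (r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    (r"C:\Tools\procdump.exe", "procdump.exe /ma lsass.exe out.dmp"),
    (r"C:\Tools\procdump.exe", "procdump.exe -ma notepad.exe out.dmp"),
    ("C:\\Program Files\\Sysinternals\\procdump.exe", "procdump.exe -ma lsass.exe out.dmp"),
]
RULE = {  # hypothetical detection block, already parsed from YAML into a dict
    "selection": {"Image|endswith": r"\procdump.exe", "CommandLine|contains|windash|all": ["-ma", "lsass"]},
    "filter": {"Image|startswith": "C:\\Program Files\\"},
    "condition": "selection and not filter",
}

def like_clause(field, value, mods):
    # Escape LIKE metacharacters in the value, then wrap it per modifier (LIKE is case-insensitive).
    pat = value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    if "contains" in mods: pat = f"%{pat}%"
    elif "startswith" in mods: pat = f"{pat}%"
    elif "endswith" in mods: pat = f"%{pat}"
    return f"\"{field}\" LIKE ? ESCAPE '\\'", pat

def compile_selection(sel):
    # Keys are 'Field|mod|mod'; list values are OR'ed unless 'all' is present; keys are AND'ed.
    clauses, params = [], []
    for key, values in sel.items():
        field, *mods = key.split("|")
        groups = []
        for v in (values if isinstance(values, list) else [values]):
            # windash: also accept '/' for '-' (simplified; SIGMA also covers Unicode dashes)
            variants = [v, v.replace("-", "/")] if "windash" in mods and "-" in v else [v]
            alts = [like_clause(field, var, mods) for var in variants]
            params += [p for _, p in alts]
            groups.append("(" + " OR ".join(c for c, _ in alts) + ")")
        clauses.append("(" + (" AND " if "all" in mods else " OR ").join(groups) + ")")
    return "(" + " AND ".join(clauses) + ")", params

def compile_rule(rule):
    # Condition tokens are whitespace-separated; selection names expand to their SQL.
    compiled = {k: compile_selection(v) for k, v in rule.items() if k != "condition"}
    sql, params = [], []
    for tok in rule["condition"].split():
        clause, p = compiled.get(tok, (tok.upper(), []))  # and / or / not pass through
        sql.append(clause); params += p
    return "SELECT rowid FROM events WHERE " + " ".join(sql), params

def run_rule(rule, events=EVENTS):
    con = sqlite3.connect(":memory:")
    con.execute('CREATE TABLE events ("Image" TEXT, "CommandLine" TEXT)')
    con.executemany("INSERT INTO events VALUES (?, ?)", events)
    sql, params = compile_rule(rule)
    return [row[0] for row in con.execute(sql, params)]  # -> [2]
```

Only row 2 matches: row 3 lacks `lsass`, and row 4 is excluded by the `filter` selection on the sanctioned install path.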