h0bib/sigmorph

GitHub: h0bib/sigmorph

A Python library that automatically turns suspicious Windows process events into explainable Sigma detection rules.

Stars: 0 | Forks: 0

# sigmorph

**sigmorph** is a Python library for generating **explainable Sigma detection rules** from suspicious Windows process events.

It is designed for detection engineers and analysts who want to turn observed suspicious behaviour into reusable detection rules quickly.

## Features

Given a set of suspicious events, sigmorph will:

- extract the relevant fields
- measure how stable each field is across the samples
- remove noisy or environment-specific data
- generalize the patterns into Sigma-compatible conditions
- generate a Sigma rule
- provide:
  - a rule score
  - an explanation of its decisions
  - an overfitting analysis

## Scope (v0.1)

This release is deliberately narrow in focus:

- Input: JSON events
- Target: Windows process creation logs
- Output: Sigma rule (YAML)
- No machine learning
- No dependency on an external SIEM

## Example input

```json
[
  {
    "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "CommandLine": "powershell.exe -enc aGVsbG8=",
    "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
    "User": "LAB\\bob",
    "ComputerName": "WS-22",
    "EventID": 1
  },
  {
    "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "CommandLine": "powershell.exe -EncodedCommand ZGly",
    "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
    "User": "LAB\\alice",
    "ComputerName": "WS-30",
    "EventID": 1
  }
]
```

## Example output

```yaml
title: Auto-generated suspicious process pattern
logsource:
    product: windows
    category: process_creation
detection:
    selection_1:
        Image|endswith: \powershell.exe
    selection_2:
        CommandLine|contains:
            - -enc
            - EncodedCommand
            - powershell
    selection_3:
        ParentImage|endswith: \winword.exe
    condition: selection_1 and selection_2 and selection_3
level: medium
metadata:
    status: experimental
    profile: balanced
    selected_fields:
        - Image
        - CommandLine
        - ParentImage
```

## Installation and usage

```bash
pip install -e .
python -m sigmorph.cli examples/suspicious_powershell.json
```

```python
from sigmorph import SigmaSynth

rule = (
    SigmaSynth()
    .from_json("examples/suspicious_powershell.json")
    .for_logsource(product="windows", category="process_creation")
    .generate(profile="balanced")
)

print(rule.yaml())
print(rule.score())
print(rule.explain())
print(rule.overfit_report())
```

## Profiles

- `strict` → high precision, low noise
- `balanced` → default, best trade-off
- `broad` → more coverage, more noise

## Core concepts

- Field stability: evaluates how consistent a field is across events
- Generalization: converts raw values into reusable Sigma conditions (`contains`, `endswith`, exact)
- Noise reduction: removes environment-specific fields such as usernames and hostnames
- Overfit awareness: detects overly specific rules

## Author

YAHIAOUI Hadj Habib

GitHub: https://github.com/h0bib

Email: chaos.hh@gmail.com
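The four core concepts above (field stability, generalization, noise reduction, overfit awareness) are easier to reason about with a concrete, minimal pipeline. The following is an added example written for this page, not sigmorph's own code: it runs on two constructed events modelled on the README's sample input, measures per-field stability, drops the environment-specific fields, generalizes path fields to `endswith` and partially overlapping fields to a `contains` token list, renders the result as Sigma YAML without a YAML dependency, and reports why the rule may be overfitted. All function names (`field_stability`, `generalize`, `build_rule`, `overfit_report`, `to_yaml`) and the `NOISE_FIELDS` / `PATH_FIELDS` sets are hypothetical choices for this illustration.

```python
"""Toy sigmorph-style pipeline (added example, not the project's own code).

Measures field stability across constructed process-creation events, drops
environment-specific fields, generalizes the rest into Sigma modifiers and
renders a Sigma rule as YAML text.  All helper names are hypothetical."""
from collections import Counter
import re

# Fields that describe the environment rather than the behaviour (assumed list).
NOISE_FIELDS = {"User", "ComputerName", "EventID"}
# Path-valued fields that generalize to an `endswith` on the basename.
PATH_FIELDS = {"Image", "ParentImage"}

# Constructed sample events, modelled on the README's example input.
EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -enc aGVsbG8=",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "User": r"LAB\bob", "ComputerName": "WS-22", "EventID": 1},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -EncodedCommand ZGly",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "User": r"LAB\alice", "ComputerName": "WS-30", "EventID": 1},
]


def field_stability(events, field):
    """Share of events carrying the most common (case-folded) value of `field`."""
    if not events:
        return 0.0
    values = [str(e.get(field, "")).lower() for e in events]
    return Counter(values).most_common(1)[0][1] / len(values)


def common_tokens(events, field):
    """Case-folded tokens present in `field` of every event; per-event payloads
    such as the base64 argument have no match elsewhere and drop out."""
    token_sets = [{t.lower() for t in re.findall(r"[A-Za-z0-9_.-]+", str(e.get(field, "")))}
                  for e in events]
    shared = set.intersection(*token_sets) if token_sets else set()
    return sorted(t for t in shared if len(t) > 1 and not t.isdigit())


def generalize(events, field):
    """Return (modifier, value) for `field`, or None when it should be dropped."""
    if field in NOISE_FIELDS:
        return None                                   # noise reduction
    if field in PATH_FIELDS:
        names = {str(e[field]).rsplit("\\", 1)[-1].lower() for e in events if field in e}
        return ("endswith", "\\" + names.pop()) if len(names) == 1 else None
    if field_stability(events, field) == 1.0:
        return ("exact", events[0][field])            # identical in every sample
    tokens = common_tokens(events, field)
    return ("contains", tokens) if tokens else None   # partial overlap only


def build_rule(events, title="Auto-generated suspicious process pattern"):
    """Assemble a rule dict: one selection per field that survived generalization."""
    detection = {}
    for field in sorted({k for e in events for k in e}):
        generalized = generalize(events, field)
        if generalized:
            detection[field] = generalized
    return {"title": title,
            "logsource": {"product": "windows", "category": "process_creation"},
            "detection": detection, "level": "medium"}


def overfit_report(rule, events, min_samples=3, max_fields=4):
    """Plain-language warnings when the rule is likely tuned to the samples."""
    warnings = []
    if len(events) < min_samples:
        warnings.append(f"only {len(events)} samples; stability estimates are weak")
    for field, (modifier, _) in rule["detection"].items():
        if modifier == "exact":
            warnings.append(f"{field}: exact match will miss minor variations")
    if len(rule["detection"]) > max_fields:
        warnings.append(f"{len(rule['detection'])} fields ANDed together; likely overfitted")
    return warnings


def _quote(value):
    """Single-quote a YAML scalar so backslashes stay literal."""
    return "'" + str(value).replace("'", "''") + "'"


def to_yaml(rule):
    """Render the rule dict as Sigma YAML text."""
    out = [f"title: {rule['title']}", "logsource:"]
    out += [f"    {k}: {v}" for k, v in rule["logsource"].items()]
    out.append("detection:")
    names = []
    for i, (field, (modifier, value)) in enumerate(rule["detection"].items(), 1):
        name = f"selection_{i}"
        names.append(name)
        key = field if modifier == "exact" else f"{field}|{modifier}"
        out.append(f"    {name}:")
        if isinstance(value, list):
            out.append(f"        {key}:")
            out += [f"            - {_quote(v)}" for v in value]
        else:
            out.append(f"        {key}: {_quote(value)}")
    out.append(f"    condition: {' and '.join(names)}")
    out.append(f"level: {rule['level']}")
    return "\n".join(out)


if __name__ == "__main__":
    rule = build_rule(EVENTS)
    print(to_yaml(rule))
    for warning in overfit_report(rule, EVENTS):
        print("warning:", warning)
```

On the two constructed events, `User` and `ComputerName` are discarded outright, `Image` and `ParentImage` collapse to `endswith` on the lower-cased basename, and `CommandLine` keeps only the token shared by both samples (`powershell.exe`), so the base64 payloads never reach the rule. The overfit report flags the small sample count, which is the practical reason to feed such a tool more than a handful of events before trusting the `balanced` or `strict` output.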