Imperatib/threat-hunting-playbooks
GitHub: Imperatib/threat-hunting-playbooks
A structured library of threat-hunting playbooks combining Splunk SPL and Sentinel KQL queries to proactively detect common APT TTPs such as lateral movement, persistence and credential access.
Stars: 0 | Forks: 0
# Threat Hunting Playbooks
**Author:** Brandon Imperati | CySA+ | PenTest+ | SSCP
**Tools:** Splunk · KQL (Sentinel) · Bash · Python · MITRE ATT&CK Navigator
**Focus:** Proactive threat hunting · APT TTP detection · Lateral movement · Persistence
## Overview
A structured library of threat-hunting playbooks combining Splunk SPL queries, Microsoft Sentinel KQL and Bash/Python automation scripts. Each playbook targets a specific adversary TTP (mapped to the MITRE ATT&CK framework) and enables proactive hunting that goes beyond passive, alert-driven detection.
Built from hands-on experience hunting APTs and lateral movement in enterprise MSP environments.
## Repository Structure
```
threat-hunting-playbooks/
├── playbooks/
│   ├── hunt_lateral_movement.md      # PsExec, WMI, SMB, Pass-the-Hash
│   ├── hunt_persistence.md           # Registry, scheduled tasks, services, WMI subs
│   ├── hunt_credential_access.md     # LSASS dumping, Kerberoasting, DCSync
│   ├── hunt_c2_beaconing.md          # Periodic outbound, DNS tunneling, HTTP C2
│   └── hunt_data_exfiltration.md     # Staging, compression, exfil channels
├── splunk-queries/
│   ├── lateral_movement.spl
│   ├── persistence_hunting.spl
│   ├── credential_access.spl
│   └── c2_beaconing.spl
├── sentinel-queries/
│   ├── lateral_movement.kql
│   └── persistence_hunting.kql
├── scripts/
│   ├── baseline_network_traffic.py   # Build normal traffic baseline for anomaly hunting
│   ├── hunt_rare_processes.sh        # Find statistically rare processes across fleet
│   └── extract_iocs_from_logs.py     # Pull structured IOCs from raw log files
└── docs/
    ├── hunting_methodology.md
    └── mitre_coverage_map.md
```
## Hunting Methodology
Each playbook follows a structured five-phase approach:
```
1. HYPOTHESIS → What adversary behavior are we hunting?
2. DATA SOURCES → Which logs/telemetry do we need?
3. HUNT QUERIES → SPL/KQL queries to surface anomalies
4. TRIAGE → How to distinguish true positives from noise
5. RESPONSE → If confirmed, what's the IR action?
```
## Playbook Index (MITRE ATT&CK Mapping)
| Playbook | MITRE Tactic | Techniques Covered |
|----------|--------------|--------------------|
| Lateral Movement | Lateral Movement | T1570, T1021.002, T1550.002 |
| Persistence | Persistence | T1053, T1547, T1543, T1546 |
| Credential Access | Credential Access | T1003.001, T1558.003, T1557 |
| C2 Beaconing | Command and Control | T1071, T1048, T1095 |
| Data Exfiltration | Exfiltration | T1560, T1041, T1048 |
## Example Query: C2 Beacon Detection (Splunk)
```
| tstats count AS connection_count,
         avg(duration) AS avg_duration,
         stdev(duration) AS stdev_duration
    WHERE index=network_traffic
    BY src_ip, dest_ip, dest_port, _time span=1h
| eval jitter_ratio = stdev_duration / avg_duration
| where connection_count > 10
    AND jitter_ratio < 0.15
    AND avg_duration >= 25 AND avg_duration <= 3600
| eval hunt_finding = "Suspected C2 Beaconing — Low Jitter Periodic Callback"
| eval mitre = "T1071 / T1095"
| sort - connection_count
```
*Hunts for low-jitter, periodic outbound connections, the signature that distinguishes automated C2 beaconing from human-driven traffic.*
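The periodicity test the SPL above applies can also be run offline during triage. The following Python script is an added example, not code from the repository: it applies the same thresholds (more than 10 connections, jitter ratio below 0.15, mean value between 25 and 3600 s) to the inter-arrival intervals of a constructed connection log, grouped by source, destination and port, rather than to connection duration.

```python
"""Offline beaconing hunt over connection records (added example).
Thresholds mirror the SPL query: count > 10, jitter_ratio < 0.15, mean 25..3600 s."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records: (epoch seconds, src_ip, dest_ip, dest_port).
# 10.0.0.5 calls 203.0.113.10:443 every ~60 s with tiny jitter (beacon-like);
# 10.0.0.7 reaches 198.51.100.20:443 at irregular, human-paced times.
SAMPLE_LOG = (
    [(1_700_000_000 + 60 * i + (i % 3), "10.0.0.5", "203.0.113.10", 443) for i in range(15)]
    + [(1_700_000_000 + t, "10.0.0.7", "198.51.100.20", 443)
       for t in (5, 40, 300, 310, 900, 1400, 1402, 2200, 3900, 4000, 4100, 4700)]
)

MIN_CONNECTIONS = 10
MAX_JITTER_RATIO = 0.15
MIN_INTERVAL_S, MAX_INTERVAL_S = 25, 3600


def hunt_beacons(records):
    """Return {(src, dst, port): (count, mean_interval_s, jitter_ratio)} for every
    tuple that meets all thresholds; other tuples are dropped as non-periodic."""
    by_tuple = defaultdict(list)
    for ts, src, dst, port in records:
        by_tuple[(src, dst, port)].append(ts)
    findings = {}
    for key, stamps in by_tuple.items():
        if len(stamps) <= MIN_CONNECTIONS:
            continue
        stamps.sort()
        intervals = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(intervals)
        if avg == 0:  # all connections in the same second: a burst, not a beacon
            continue
        jitter = pstdev(intervals) / avg  # same ratio the SPL computes as jitter_ratio
        if jitter < MAX_JITTER_RATIO and MIN_INTERVAL_S <= avg <= MAX_INTERVAL_S:
            findings[key] = (len(stamps), round(avg, 1), round(jitter, 3))
    return findings


if __name__ == "__main__":
    ranked = sorted(hunt_beacons(SAMPLE_LOG).items(), key=lambda kv: -kv[1][0])
    for key, (n, avg, jit) in ranked:
        print(f"Suspected C2 beaconing (T1071 / T1095): {key} count={n} interval={avg}s jitter={jit}")
```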
## Example Query: LSASS Credential Dumping (KQL / Sentinel)
```
DeviceProcessEvents
| where FileName =~ "lsass.exe"
| where InitiatingProcessFileName !in~ ("wininit.exe", "csrss.exe", "services.exe")
| where InitiatingProcessCommandLine has_any ("minidump", "sekurlsa", "procdump", "-ma lsass")
| extend RiskScore = case(
    InitiatingProcessFileName =~ "mimikatz.exe", 100,
    InitiatingProcessCommandLine has "procdump", 85,
    true, 60)
| where RiskScore >= 60
| project TimeGenerated, DeviceName, InitiatingProcessFileName,
          InitiatingProcessCommandLine, AccountName, RiskScore
| sort by RiskScore desc
```
## Quick Start
```
# Import the Splunk queries
# Copy the .spl files into Splunk → Settings → Searches, Reports & Alerts → Import

# Run the process rarity hunter
chmod +x scripts/hunt_rare_processes.sh
./scripts/hunt_rare_processes.sh --host CORP-WKS-047 --days 7

# Build the network baseline
python scripts/baseline_network_traffic.py \
    --input network_logs.csv \
    --baseline-days 14 \
    --output baseline_profile.json
```