ahmadahmadizadeh85/SOC-Brute-Force-Detection-Lab
GitHub: ahmadahmadizadeh85/SOC-Brute-Force-Detection-Lab
A SOC Level 1 lab project built on the Wazuh SIEM that simulates a brute-force attack and walks through the full incident detection, analysis and response workflow.
Stars: 0 | Forks: 0
# SOC-Brute-Force-Detection-Lab
## SOC-Incident-Response-Brute-Force Wazuh-Brute-Force-Analysis SOC-Login-Attack-Investigation
## SOC Level 1 project simulating and detecting a brute-force attack using Wazuh SIEM, including incident analysis, timeline, and detection logic.
# SOC Incident Report – Brute Force Detection Lab
## Overview
This project simulates a brute-force attack against a Windows machine and shows how a SOC analyst detects and investigates the incident with a SIEM.
- **Incident ID:** 2026-04-04-002
- **Date:** 4 April 2026
- **Analyst Role:** SOC Level 1
- **Tool Used:** Wazuh SIEM
## Lab Setup
| Component | Description |
|------------------|---------------------|
| Victim Machine | Windows (Agent 002) |
| Attacker Machine | Kali Linux |
| SIEM | Wazuh |
## Attack Scenario
A brute-force attack against the Windows endpoint was simulated from the attacker machine using automated login attempts.
## Event Details
- **Event ID:** 4625 (Failed Logon)
- **Target User:** testuser
- **Source IP:** 192.168.56.xxx
- **Alert Level:** Medium (5)
- **Failed Attempts:** 4 attempts in roughly 2 seconds
## MITRE ATT&CK Mapping
- **Tactic:** Initial Access
- **Technique:** T1110 – Brute Force
  - T1110.001 – Password Guessing
## ⏱ Timeline of Events
- 23:21:09 - Failed logon attempt 1
- 23:21:10 - Failed logon attempt 2
- 23:21:10 - Failed logon attempt 3
- 23:21:11 - Failed logon attempt 4
## Technical Analysis
The consecutive failed logon attempts indicate automated brute-force activity.
- High-frequency authentication failures detected
- No successful logon observed (no Event ID 4624)
- Source confirmed as the internal lab attacker (Kali Linux)
## Detection Logic
```
IF failed_logins > 3 within 5 seconds
THEN trigger brute-force alert
```
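The rule above and the "no Event ID 4624 observed" check from the Technical Analysis section, implemented as an added Python example (not part of the repository): a sliding-window counter over Windows Security events keyed by source IP and target user, followed by a check for a successful logon from the same source after the alert. The one-line log format, the timestamps modelled on the report's timeline, and the IP addresses are constructed sample data; the `alice` events are a benign control that should not trigger.

```python
"""Sliding-window brute-force detector over Windows Security events.

Implements the report's rule: more than 3 failed logons (Event ID 4625) from one
source within 5 seconds raises a brute-force alert. A follow-up check looks for a
successful logon (Event ID 4624) from the same source, which the report uses to
confirm that no account compromise occurred.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 3                  # alert when failed logons exceed this count ...
WINDOW = timedelta(seconds=5)  # ... inside this sliding window

# Constructed sample log (not captured from the lab): one simplified line per
# Windows Security event. Times mirror the report's timeline; IPs are documentation
# addresses, and "alice" is a benign control user with two slow failures then success.
SAMPLE_LOG = """\
2026-04-04T23:21:09 EventID=4625 TargetUserName=testuser IpAddress=192.0.2.10
2026-04-04T23:21:10 EventID=4625 TargetUserName=testuser IpAddress=192.0.2.10
2026-04-04T23:21:10 EventID=4625 TargetUserName=testuser IpAddress=192.0.2.10
2026-04-04T23:21:11 EventID=4625 TargetUserName=testuser IpAddress=192.0.2.10
2026-04-04T23:25:00 EventID=4625 TargetUserName=alice IpAddress=192.0.2.20
2026-04-04T23:25:30 EventID=4625 TargetUserName=alice IpAddress=192.0.2.20
2026-04-04T23:25:40 EventID=4624 TargetUserName=alice IpAddress=192.0.2.20
"""


def parse_line(line):
    """Parse '<iso-timestamp> key=value ...' into a dict; EventID becomes an int."""
    ts, *fields = line.split()
    ev = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        ev[key] = value
    ev["EventID"] = int(ev["EventID"])
    return ev


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_brute_force(events, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per (source IP, target user) whose 4625 count exceeds
    `threshold` within any span of length `window`. Events are processed in time order."""
    recent = defaultdict(deque)  # key -> timestamps of 4625s still inside the window
    alerts, alerted = [], set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["EventID"] != 4625:
            continue
        key = (ev["IpAddress"], ev["TargetUserName"])
        attempts = recent[key]
        attempts.append(ev["ts"])
        while attempts and ev["ts"] - attempts[0] > window:  # evict stale attempts
            attempts.popleft()
        if len(attempts) > threshold and key not in alerted:
            alerted.add(key)  # one alert per key, not one per extra attempt
            alerts.append({
                "src_ip": key[0], "user": key[1], "attempts": len(attempts),
                "first": attempts[0].isoformat(), "last": ev["ts"].isoformat(),
                "technique": "T1110.001",
            })
    return alerts


def successful_logons_after(events, alert):
    """4624 events for the alerted source/user at or after the last failed attempt.
    An empty list is the report's 'no account compromise' finding."""
    last = datetime.fromisoformat(alert["last"])
    return [ev for ev in events
            if ev["EventID"] == 4624 and ev["IpAddress"] == alert["src_ip"]
            and ev["TargetUserName"] == alert["user"] and ev["ts"] >= last]


def run(text=SAMPLE_LOG):
    """Parse the log, raise alerts, and annotate each with the compromise check."""
    events = parse_log(text)
    alerts = detect_brute_force(events)
    for alert in alerts:
        alert["compromised"] = bool(successful_logons_after(events, alert))
    return alerts


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Keying on both source IP and target user mirrors the report's IOCs; a real deployment would usually also key on source IP alone so that password spraying across many users is not missed, and would emit the alert once per key rather than on every further attempt, as done here.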
## Indicators of Compromise (IOCs)
- **Source IP:** 192.168.56.xxx
- **Target Username:** testuser
- **Event ID:** 4625
## Tools Used
- Wazuh (SIEM)
- Windows Event Logs
- Kali Linux (attack simulation)
## Evidence
- Wazuh alert dashboard
- Failed logon logs
- Event ID 4625 logs
## Actions Taken
- Monitored logs for successful logon attempts
- Confirmed that no account compromise occurred
- Verified that the attack originated from the lab environment
## Recommendations
- Implement an account lockout policy
- Enforce strong passwords
- Enable multi-factor authentication (MFA)
- Monitor repeated logon failures
- Block suspicious IP addresses
## Conclusion
This incident was identified as a simulated brute-force attack. Although no compromise occurred, it highlights the importance of monitoring authentication logs and enforcing strong access controls.
## Author
**Ahmad Ahmadizadeh**
Aspiring SOC Analyst
Tags: Brute Force, BurpSuite integration, Incident Response, IOC, Level 1 Analyst, PoC, T1110, Wazuh, Windows Security Log, Event ID 4625, reconnaissance automation, Initial Access, alert analysis, indicators of compromise, subdomain enumeration, Security Information and Event Management, security lab, Security Operations Center, password guessing, brute force, network mapping, cyber range, authentication failure, rate limiting