joshuaguda281-stack/threat-hunter

GitHub: joshuaguda281-stack/threat-hunter

A proactive threat-hunting framework that discovers and correlates IOCs on endpoints using MITRE ATT&CK mapping.

Stars: 0 | Forks: 0

# Threat Hunter - Proactive Threat Hunting Framework

[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT) [![Python 3.6+](https://img.shields.io/badge/python-3.6+-blue.svg)](https://www.python.org/downloads/) [![Platform](https://img.shields.io/badge/platform-Linux-blue)](https://www.kernel.org/)

A proactive threat-hunting framework for finding indicators of compromise (IOCs) across endpoints, processes, network connections and logs. Findings are mapped to the MITRE ATT&CK framework.

## 🚀 Features

### Hunting Capabilities

| Hunt Type | Detection Method | MITRE Mapping |
|-----------|------------------|---------------|
| **Process Hunt** | Suspicious process names, encoded PowerShell, IOC matching | T1059, T1204 |
| **Network Hunt** | Suspicious ports, external connections, IOC IP matching | T1071, T1021 |
| **File Hunt** | Suspicious extensions, file names, hash matching | T1105, T1204 |
| **Log Hunt** | Brute force, privilege escalation, persistence, web attacks | T1110, T1068, T1543, T1190 |

### Detection Indicators

- ✅ Suspicious processes (mimikatz, nc, meterpreter, etc.)
- ✅ Encoded PowerShell commands
- ✅ Suspicious network ports (4444, 1337, 31337, etc.)
- ✅ Malicious file extensions (.ps1, .vbs, .js, .jar, .hta)
- ✅ Brute-force detection (failed logins > 10 per IP)
- ✅ Privilege escalation (sudo commands)
- ✅ Persistence mechanisms (cron jobs)
- ✅ Web attacks (SQL injection, path traversal)
- ✅ IOC matching (hashes, IPs, domains, strings)

## 📋 Requirements

- **Python 3.6** or higher
- **psutil** for process/network monitoring
- **Root privileges** (recommended for a complete hunt)

## 🔧 Installation

```
# Clone the repository
git clone https://github.com/joshuaguda281-stack/threat-hunter.git
cd threat-hunter

# Install the dependency
pip install psutil

# Or install everything at once
pip install -r requirements.txt
```

## 📁 Report Format

The tool generates a JSON report:

```
{
  "timestamp": "2024-01-15T14:35:00",
  "target": "/",
  "total_findings": 8,
  "findings_by_type": {
    "SUSPICIOUS_PROCESS": 2,
    "SUSPICIOUS_CONNECTION": 1,
    "BRUTE_FORCE_DETECTED": 1,
    "SUSPICIOUS_FILE_EXTENSION": 3,
    "PRIVILEGE_ESCALATION": 1
  },
  "findings_by_severity": {
    "CRITICAL": 2,
    "HIGH": 4,
    "MEDIUM": 2
  },
  "mitre_mapping": {
    "T1059": {
      "name": "Command and Scripting Interpreter",
      "tactic": "Execution",
      "count": 2
    }
  },
  "timeline": [...],
  "detailed_findings": [...]
}
```

## 🎯 Use Cases

- **Incident Response** - Hunt for IOCs after a security incident
- **Threat Hunting** - Proactively search for compromise indicators
- **Compliance** - Verify systems against known threats
- **Forensic Analysis** - Investigate suspicious systems
- **Security Monitoring** - Supplement existing detection capabilities

## 📋 MITRE ATT&CK Techniques Covered

| Technique | Name | Tactic |
|-----------|------|--------|
| T1059 | Command and Scripting Interpreter | Execution |
| T1071 | Application Layer Protocol | C2 |
| T1003 | Credential Dumping | Credential Access |
| T1543 | Create System Process | Persistence |
| T1110 | Brute Force | Credential Access |
| T1190 | Exploit Public-Facing Application | Initial Access |
| T1021 | Remote Services | Lateral Movement |
| T1105 | Ingress Tool Transfer | C2 |

## 🔧 Troubleshooting

| Issue | Solution |
|-------|----------|
| `ImportError: No module named psutil` | Run: `pip install psutil` |
| Permission denied for `/proc` | Run with `sudo` |
| Slow scanning | Reduce the target path or add more skip directories |
| No findings on known malware | Update the IOC file with known indicators |

## 📝 License

MIT License - see the LICENSE file for details.

## 👤 Author

Joshua Guda

- GitHub: @joshuaguda281-stack
- LinkedIn: Joshua Guda

## 🙏 Acknowledgments

- MITRE ATT&CK framework
- psutil library contributors
- Open source threat intelligence community

## ⭐ Support

If this tool helps you find threats, please star the repository!
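The README describes the log hunt (brute force at more than 10 failed logins per IP, cron-based persistence) and the JSON report layout without showing how the two fit together. The following is an added example written for this page, not the threat-hunter project's own code: it scans syslog-style lines for those two indicators, tags each finding with the MITRE technique the README's coverage table assigns, and aggregates the findings into a report with the README's `findings_by_type` / `findings_by_severity` / `mitre_mapping` keys. The log lines are constructed, the `crontab ... REPLACE` syslog format is assumed from Vixie/ISC cron, and the `PERSISTENCE_MECHANISM` finding-type name is an assumption (the README does not list it).

```python
"""Added example in the spirit of the README's log hunt (not the project's
own code). Scans syslog-style lines for brute force (failed logins > 10 per
IP) and cron persistence, maps findings to MITRE ATT&CK and builds a report
shaped like the README's JSON report. All log lines below are constructed."""
import json
import re
from collections import Counter
from datetime import datetime, timezone

BRUTE_FORCE_THRESHOLD = 10  # README: failed logins > 10 per source IP

# Technique names and tactics as listed in the README's coverage table.
MITRE = {
    "T1110": {"name": "Brute Force", "tactic": "Credential Access"},
    "T1543": {"name": "Create System Process", "tactic": "Persistence"},
}

# OpenSSH authentication failure line.
FAILED_LOGIN = re.compile(
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+)")
# crontab rewrite as logged by Vixie/ISC cron (assumed format for this example).
CRONTAB_EDIT = re.compile(r"crontab\[\d+\]: \((?P<user>[\w-]+)\) REPLACE \(")


def hunt_logs(lines):
    """Return a list of findings; each carries a type, severity and MITRE ID."""
    failures = Counter()
    findings = []
    for line in lines:
        m = FAILED_LOGIN.search(line)
        if m:
            failures[m.group("ip")] += 1
            continue
        m = CRONTAB_EDIT.search(line)
        if m:
            findings.append({
                "type": "PERSISTENCE_MECHANISM",  # finding-type name is assumed
                "severity": "HIGH",
                "mitre": "T1543",
                "detail": f"crontab replaced for user {m.group('user')}",
                "evidence": line.strip(),
            })
    # Brute force is a per-source aggregate, so it is decided after the pass.
    for ip, count in sorted(failures.items()):
        if count > BRUTE_FORCE_THRESHOLD:
            findings.append({
                "type": "BRUTE_FORCE_DETECTED",
                "severity": "CRITICAL",
                "mitre": "T1110",
                "detail": f"{count} failed logins from {ip}",
                "evidence": ip,
            })
    return findings


def build_report(findings, target="/var/log/auth.log"):
    """Aggregate findings into the README's report layout."""
    mitre = {}
    for f in findings:
        entry = mitre.setdefault(f["mitre"], dict(MITRE[f["mitre"]], count=0))
        entry["count"] += 1
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "target": target,
        "total_findings": len(findings),
        "findings_by_type": dict(Counter(f["type"] for f in findings)),
        "findings_by_severity": dict(Counter(f["severity"] for f in findings)),
        "mitre_mapping": mitre,
        "detailed_findings": findings,
    }


# Constructed sample log: 12 failures from one IP (over threshold), 3 from
# another (under threshold), one benign login and one crontab rewrite.
SAMPLE_LOG = (
    [f"Jan 15 14:30:{i:02d} host sshd[41{i:02d}]: Failed password for root "
     f"from 203.0.113.5 port 5{i:04d} ssh2" for i in range(12)]
    + [f"Jan 15 14:31:{i:02d} host sshd[42{i:02d}]: Failed password for "
       f"invalid user admin from 198.51.100.7 port 6{i:04d} ssh2"
       for i in range(3)]
    + ["Jan 15 14:33:10 host sshd[4300]: Accepted publickey for alice "
       "from 192.0.2.9 port 51000 ssh2",
       "Jan 15 14:34:02 host crontab[4301]: (www-data) REPLACE (www-data)"]
)

if __name__ == "__main__":
    print(json.dumps(build_report(hunt_logs(SAMPLE_LOG)), indent=2))
```

The brute-force rule is deliberately evaluated after the full pass rather than per line, because it is a count over a source IP, and the 3-failure host stays below the README's threshold and produces no finding; the `mitre_mapping` entry is built by copying the technique's name and tactic and attaching a `count`, which is exactly the shape the README's sample report shows for T1059.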
Tags: CISA projects, Cloudflare, IOC, bulk IP address processing, MITRE ATT&CK, PE loader, Python security tools, web report viewer, Windows debugger, threat intelligence, security hunting, toolkits, developer tools, anomaly detection, search queries (dorks), file monitoring, endpoint detection, red team operations, network reconnaissance, network connection monitoring, reverse-engineering tools