depalmar/ai-dfir-toolkit

GitHub: depalmar/ai-dfir-toolkit

An open-source, vendor-neutral collection of rules for detecting security compromises in AI/ML applications and infrastructure.

Stars: 12 | Forks: 1

# AI/ML DFIR Detection Pack

**Open-source detection signatures for AI/ML attacks and data exfiltration.**

A vendor-neutral collection of Sigma, YARA and Suricata rules for detecting compromise of LLM applications, MCP servers, the machine-learning supply chain, AI infrastructure, AI-driven insider threats, and RAG/vector databases.

For the companion investigation guide, with attack background, forensic artifacts, Mermaid attack-chain diagrams and practical investigation workflows, see [`docs/ai-dfir-investigation-guide.md`](./docs/ai-dfir-investigation-guide.md).

License: Apache 2.0.

## Disclaimer

## Why this exists

Most existing detection content is either locked inside vendor SIEMs or scattered across blog posts. AI/ML attacks need detection coverage across:

- **Endpoint** (Claude Desktop / Cursor / Copilot configuration tampering)
- **Cloud SaaS logs** (Bedrock, Azure OpenAI, M365 Copilot)
- **Network** (vector database exfiltration, model exfiltration, ShadowRay C2)
- **File artifacts** (poisoned pickle models, malicious MCP configurations)

This pack **uses open standards only**, so the rules can be deployed on any modern detection stack through the open Sigma/YARA/Suricata tooling.

## Structure

```
ai-dfir-toolkit/
├── 01-llm-prompt-injection/     # Prompt injection, jailbreaks, indirect injection
├── 02-mcp-attacks/              # MCP tool poisoning, config tampering, rug pulls
├── 03-model-supply-chain/       # Pickle exploits, HuggingFace, dependency confusion
├── 04-ai-infrastructure/        # ShadowRay, Triton, MLflow, GPU abuse
├── 05-copilot-assistant-abuse/  # M365 Copilot, GitHub Copilot, Claude, Cursor
├── 06-rag-vector-db/            # Vector DB exposure, RAG poisoning
├── tests/                       # Sample events / test files
├── MAPPINGS.md                  # ATLAS + OWASP cross-reference
└── README.md
```

Each category directory contains a `README.md` describing the threats covered, plus the rule files in their native formats (`.yml` for Sigma, `.yar` for YARA, `.rules` for Suricata).

## Rule formats

| Format | Purpose | Deploy to |
|--------|---------|-----------|
| **Sigma** (`.yml`) | Generic log-based detection | Any SIEM, via a [pySigma](https://github.com/SigmaHQ/pySigma) backend |
| **YARA** (`.yar`) | File / memory forensic artifacts | EDR platforms, malware analysis, file-scanning pipelines |
| **Suricata** (`.rules`) | Network traffic | Suricata, Snort (compatible subset), Zeek (via conversion) |

**All rules use open formats.** No vendor-specific query language, no proprietary field schema. Use a pySigma backend to convert them to your platform.

## Quick start

### Sigma

```
pip install sigma-cli pysigma-backend-elasticsearch
shopt -s globstar   # bash: let ** recurse into subdirectories (zsh does this by default)
sigma convert -t lucene --without-pipeline ai-dfir-toolkit/**/*.yml > ai-dfir-toolkit.lucene
```

These are vendor-neutral Sigma rules; see the [pySigma backend](https://github.com/SigmaHQ/pySigma) list to convert them to any other SIEM query language.

### YARA scanning

```
# Scan a model directory
yara -r ai-dfir-toolkit/03-model-supply-chain/*.yar /path/to/models/

# Scan an MCP config
yara ai-dfir-toolkit/02-mcp-attacks/mcp_tool_poisoning.yar \
  ~/Library/Application\ Support/Claude/claude_desktop_config.json
```

### Suricata

```
shopt -s globstar   # bash: let ** recurse into subdirectories (zsh does this by default)
# Merge the rule files into the single file that the rule-files entry below refers to
cat ai-dfir-toolkit/**/*.rules > /etc/suricata/rules/ai-dfir.rules
# Or add ai-dfir.rules to the existing rule-files: list in suricata.yaml
echo 'rule-files: [ai-dfir.rules]' >> /etc/suricata/suricata.yaml
suricata -T -c /etc/suricata/suricata.yaml   # validate configuration and rules
systemctl reload suricata
```

## Coverage overview

43 rule files containing 114 individual signatures across six categories:

| Category | Files | Signatures | ATLAS techniques | OWASP LLM |
|----------|------:|-----------:|------------------|-----------|
| LLM prompt injection | 8 | 10 | T0051, T0054, T0029 | LLM01, LLM07, LLM10 |
| MCP attacks | 5 | 14 | T0010, T0110, T0086 | LLM03, LLM06 |
| Model supply chain | 8 | 23 | T0010, T0018, T0020 | LLM03, LLM04 |
| AI infrastructure | 9 | 31 | T0011, T0017, T0019 | LLM10 |
| Copilot/assistant abuse | 8 | 19 | T0086, T0024 | LLM02, LLM06 |
| RAG / vector DB | 5 | 17 | T0020 | LLM08 |
| **Total** | **43** | **114** | | |

*Signature counts include multi-document Sigma YAML, multiple `rule` blocks within a single YARA file, and multiple `alert` lines within a single Suricata `.rules` file. One file typically covers several related variants.*

See [MAPPINGS.md](./MAPPINGS.md) for the per-rule mappings.

## Tuning notes

These rules are written to favour signal over noise, but every environment is different. Each rule includes:

- A `falsepositives:` section listing known false-positive scenarios
- A `level:` field (`low` / `medium` / `high` / `critical`); in production, start with `high`
- Tunable selectors so you can scope to specific organisations/users/namespaces

Suggested deployment workflow:

1. Deploy to a test index/workspace and run for 7 days
2. Triage the hits and tune the `selection` and `filter` blocks
3. Promote to production at the appropriate severity level

## Testing

The `tests/` directory contains sample files (malicious and benign) for validating rule correctness. Run:

```
cd tests/
./validate.sh
```

Expected result: 7 passed, 0 failed.

## References

- [MITRE ATLAS](https://atlas.mitre.org/)
- [OWASP Top 10 for LLM Applications 2025](https://genai.owasp.org/llm-top-10/)
- [NIST AI RMF](https://www.nist.gov/itl/ai-risk-management-framework)
- [Sigma HQ](https://github.com/SigmaHQ/sigma)
- [AI Incident Database](https://incidentdatabase.ai/)

## License

Apache License 2.0. See [LICENSE](./LICENSE).

You are free to use, modify and redistribute these rules in commercial and non-commercial settings. Attribution is appreciated but not required.

**Maintainer:** Raymond DePalma, independent security researcher.

This is a personal project and is not affiliated with any employer.
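The coverage overview above counts signatures by Sigma document, YARA `rule` block and Suricata `alert` line, and the tuning notes expect every rule to carry `falsepositives:` and a `level:` and recommend starting production at `high`. The script below, an added example that is not part of the ai-dfir-toolkit repository, turns both conventions into a check you can run over a rule tree before deploying it. The sample Sigma, YARA and Suricata content embedded in it is constructed for illustration (placeholder titles and sids), not rules shipped by the toolkit, and the Sigma field scan is a deliberately lightweight line-based pass, not a YAML parser.

```python
"""Added example, not part of the ai-dfir-toolkit repository.
Counts signatures as the coverage overview describes (Sigma YAML documents,
YARA `rule` blocks, Suricata `alert` lines) and applies the per-rule hygiene the
tuning notes imply. Standard library only; the Sigma scan is line-based, not YAML.
"""
import re
from typing import Dict, List

SIGMA_LEVELS = ("low", "medium", "high", "critical")

# Constructed samples standing in for one file per rule directory; not toolkit rules.
SAMPLE_SIGMA = """\
title: Claude Desktop MCP Config Modified
level: high
falsepositives:
    - Legitimate MCP server installation by the user
logsource:
    product: macos
    category: file_event
detection:
    selection:
        TargetFilename|endswith: '/Claude/claude_desktop_config.json'
    condition: selection
---
title: Large Vector DB Collection Export
level: severe
detection:
    selection:
        c-uri|contains: '/collections/'
    condition: selection
"""
SAMPLE_YARA = """\
// Constructed sample, not a toolkit rule
private rule is_pickle { strings: $m = { 80 0? } condition: $m at 0 }
rule Pickle_Reduce_OsSystem {
    strings: $a = "os" ascii  $b = "system" ascii
    condition: is_pickle and all of them
}
"""
SAMPLE_SURICATA = """\
# Constructed sample, not a toolkit rule (sids are placeholders)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"AI-DFIR vector DB bulk export"; http.uri; content:"/collections/"; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8265 (msg:"AI-DFIR Ray dashboard reached from outside"; flow:to_server; sid:9000002; rev:1;)
alert http any any -> any any (msg:"AI-DFIR pickle model download"; http.uri; content:".pkl"; sid:9000003; rev:1;)
"""

# `rule name` at line start, optionally prefixed by private/global; one `alert` per line.
YARA_RULE_RE = re.compile(r"^[ \t]*(?:(?:private|global)\s+)*rule\s+[A-Za-z_]\w*", re.M)
SURICATA_ALERT_RE = re.compile(r"^[ \t]*alert\s+", re.M)

def split_sigma_documents(text: str) -> List[str]:
    """Split a multi-document Sigma YAML file on `---` separator lines."""
    docs, current = [], []
    for line in text.splitlines() + ["---"]:  # trailing separator flushes the last doc
        if re.fullmatch(r"---\s*", line):
            if "".join(current).strip():
                docs.append("\n".join(current))
            current = []
        else:
            current.append(line)
    return docs

def top_level_fields(doc: str) -> Dict[str, str]:
    """Top-level `key: value` pairs of one Sigma document (unindented lines only)."""
    pairs = re.findall(r"^([A-Za-z_][\w-]*):[ \t]*(.*)$", doc, re.M)
    return {key: value.strip() for key, value in pairs}

def count_signatures(sigma: str, yara: str, suricata: str) -> Dict[str, int]:
    """Signature count per format, following the README's counting convention."""
    return {"sigma": len(split_sigma_documents(sigma)),
            "yara": len(YARA_RULE_RE.findall(yara)),
            "suricata": len(SURICATA_ALERT_RE.findall(suricata))}

def lint_sigma_document(doc: str) -> List[str]:
    """Problems to fix before a rule enters the tuning workflow."""
    fields = top_level_fields(doc)
    problems = []
    if "falsepositives" not in fields:
        problems.append("missing falsepositives section")
    level = fields.get("level")
    if level is None:
        problems.append("missing level")
    elif level not in SIGMA_LEVELS:
        problems.append(f"invalid level {level!r}")
    return problems

def select_for_production(sigma: str, min_level: str = "high") -> List[str]:
    """Titles of lint-clean rules at or above min_level (the README suggests high)."""
    threshold = SIGMA_LEVELS.index(min_level)
    chosen = []
    for doc in split_sigma_documents(sigma):
        if lint_sigma_document(doc):
            continue  # fix the rule first rather than ship it at an unknown level
        fields = top_level_fields(doc)
        if SIGMA_LEVELS.index(fields["level"]) >= threshold:
            chosen.append(fields.get("title", "<untitled>"))
    return chosen

if __name__ == "__main__":
    print(count_signatures(SAMPLE_SIGMA, SAMPLE_YARA, SAMPLE_SURICATA))
    print(select_for_production(SAMPLE_SIGMA))
```

Point the three `SAMPLE_*` strings at the contents of real `.yml`, `.yar` and `.rules` files to reproduce the counting convention over a checkout; the second constructed Sigma document is rejected by `lint_sigma_document` (no `falsepositives:`, non-standard `level:`), so it never reaches the production selection regardless of the threshold.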