mrezwanulbari/MITRE-ATT-CK-Threat-Defense-Framework

# MITRE ATT&CK 威胁防御框架 - 用于威胁检测和防御的综合框架     ## 📋 目录 - [概述](#overview) - [威胁狩猎方法论](#threat-hunting-methodology) - [仓库结构](#repository-structure) - [Sigma 检测规则](#sigma-detection-rules) - [YARA 规则](#yara-rules) - [狩猎查询 (SPL)](#hunting-queries-spl) - [狩猎查询 (KQL)](#hunting-queries-kql) - [狩猎剧本](#hunting-playbooks) - [MITRE ATT&CK 覆盖范围](#mitre-attck-coverage) - [检测工程](#detection-engineering) - [贡献](#contributing) ## 概述 **威胁狩猎 (Threat hunting)** 是一种主动的、假设驱动的实践，通过搜索网络和数据集来识别逃避自动化安全控制的威胁。本仓库为安全运营团队提供了经过实战检验的检测内容和结构化的方法论。 ### 包含内容 | 类别 | 数量 | 描述 | |---|---|---| | **Sigma 规则** | 25+ | 涵盖 Windows、Linux、云平台的供应商无关检测规则 | | **YARA 规则** | 15+ | 恶意软件和工具识别签名 | | **SPL 查询** | 20+ | 用于企业 SIEM 的 Splunk 狩猎查询 | | **KQL 查询** | 15+ | Microsoft Sentinel / Defender 狩猎查询 | | **剧本 (Playbooks)** | 8+ | 结构化的假设驱动狩猎程序 | | **ATT&CK 映射** | Full | 覆盖所有 14 项战术的覆盖矩阵 | ### 适用对象？ - 寻求主动检测内容的 **SOC 分析师** - 构建假设驱动狩猎程序的 **威胁猎人** - 开发和调优检测规则的 **检测工程师** - 评估检测覆盖盲区的 **安全架构师** - 评估 ATT&CK 覆盖指标的 **CISO/安全负责人** ## 威胁狩猎方法论 ### 狩猎循环 ``` ┌──────────────────────────────────────────────────────────┐ │ THREAT HUNTING LOOP │ │ │ │ ┌──────────────┐ │ │ │ 1. GENERATE │ ◄── Threat Intel, ATT&CK, Gaps │ │ │ HYPOTHESIS │ │ │ └──────┬───────┘ │ │ │ │ │ ┌──────▼───────┐ │ │ │ 2. DEVELOP │ ◄── SPL, KQL, Sigma, YARA │ │ │ ANALYTICS │ │ │ └──────┬───────┘ │ │ │ │ │ ┌──────▼───────┐ │ │ │ 3. EXECUTE │ ◄── Search data, correlate findings │ │ │ HUNT │ │ │ └──────┬───────┘ │ │ │ │ │ ┌──────▼───────┐ ┌──────────────┐ │ │ │ 4. ANALYZE │────►│ 5. AUTOMATE │ │ │ │ FINDINGS │ │ (New Rules) │ │ │ └──────┬───────┘ └──────────────┘ │ │ │ │ │ ┌──────▼───────┐ │ │ │ 6. DOCUMENT │ ──── Report, Lessons Learned │ │ │ & SHARE │ │ │ └──────────────┘ │ └──────────────────────────────────────────────────────────┘ ``` ### 狩猎成熟度模型 (HMM) | 级别 | 名称 | 描述 | 能力 | |---|---|---|---| | HM0 | 初始 | 主要为被动响应，无正式狩猎 | 仅限基于 IOC 的搜索 | | HM1 | 最低 | 使用基础工具的临时狩猎 | 手动日志搜索，基础查询 | | HM2 | 程序化 | 具备文档化的狩猎程序 | 剧本，可重复的狩猎 | | HM3 | 创新 | 自定义分析，假设驱动 | 机器学习辅助，高级关联 | | HM4 | 领先 | 自动化狩猎，持续改进 | 全面的 ATT&CK 覆盖，主动研发 | ## 仓库结构 ``` threat-hunting/ ├── README.md ├── sigma-rules/ │ ├── windows/ │ │ ├── process-creation/ │ │ │ ├── win-susp-powershell-encoded-cmd.yml │ │ │ ├── win-susp-lolbin-execution.yml │ │ │ ├── win-credential-dumping-lsass.yml │ │ │ └── win-susp-scheduled-task-creation.yml │ │ ├── registry/ │ │ │ ├── win-persistence-run-key.yml │ │ │ └── win-disable-defender-registry.yml │ │ ├── authentication/ │ │ │ ├── win-pass-the-hash.yml │ │ │ └── win-kerberoasting.yml │ │ └── network/ │ │ └── win-rdp-lateral-movement.yml │ ├── linux/ │ │ ├── linux-reverse-shell.yml │ │ ├── linux-privilege-escalation-suid.yml │ │ ├── linux-cron-persistence.yml │ │ └── linux-ssh-authorized-keys-modified.yml │ └── cloud/ │ ├── aws-root-account-usage.yml │ └── azure-ad-suspicious-signin.yml ├── yara-rules/ │ ├── malware/ │ │ ├── cobalt-strike-beacon.yar │ │ ├── mimikatz-indicators.yar │ │ ├── webshell-generic.yar │ │ └── ransomware-indicators.yar │ ├── tools/ │ │ └── hacking-tool-indicators.yar │ ├── documents/ │ │ └── malicious-macro-indicators.yar │ └── README.md ├── hunting-queries/ │ ├── splunk/ │ │ ├── initial-access/ │ │ │ └── phishing-detection.spl │ │ ├── execution/ │ │ │ └── suspicious-process-execution.spl │ │ ├── persistence/ │ │ │ └── persistence-mechanisms.spl │ │ ├── credential-access/ │ │ │ └── credential-harvesting.spl │ │ ├── lateral-movement/ │ │ │ └── lateral-movement-detection.spl │ │ ├── exfiltration/ │ │ │ └── data-exfiltration.spl │ │ └── command-and-control/ │ │ └── c2-detection.spl │ └── kql/ │ ├── identity-hunting.kql │ ├── endpoint-hunting.kql │ └── network-hunting.kql ├── playbooks/ │ ├── 01-initial-access-hunting.md │ ├── 02-persistence-hunting.md │ ├── 03-lateral-movement-hunting.md │ ├── 04-credential-access-hunting.md │ ├── 05-c2-communication-hunting.md │ ├── 06-data-exfiltration-hunting.md │ ├── 07-ransomware-precursor-hunting.md │ └── 08-insider-threat-hunting.md ├── mitre-attack/ │ ├── coverage-matrix.md │ ├── technique-to-detection-map.json │ └── gap-analysis-template.md ├── detection-engineering/ │ ├── detection-development-lifecycle.md │ ├── rule-testing-framework.md │ ├── false-positive-tuning-guide.md │ └── detection-metrics.md └── docs/ ├── hunting-program-guide.md ├── threat-intel-integration.md └── reporting-template.md ``` ## Sigma 检测规则 ### Windows — 可疑的 PowerShell 编码命令 ``` title: Suspicious PowerShell Encoded Command Execution id: f1e2d3c4-b5a6-7890-1234-567890abcdef status: stable level: high description: | Detects PowerShell execution with encoded commands, commonly used by attackers to obfuscate malicious scripts. author: Shakil Md. Rezwanul Bari logsource: category: process_creation product: windows detection: selection_encoded: CommandLine|contains: - '-enc ' - '-EncodedCommand' - '-ec ' Image|endswith: - '\powershell.exe' - '\pwsh.exe' selection_bypass: CommandLine|contains: - '-nop' - '-WindowStyle Hidden' - '-ep bypass' condition: selection_encoded and selection_bypass falsepositives: - Legitimate admin scripts using encoded commands - Configuration management tools (SCCM, Ansible) tags: - attack.execution - attack.t1059.001 - attack.defense_evasion - attack.t1027 ``` ### Windows — LSASS 凭证转储 ``` title: LSASS Memory Access for Credential Dumping id: a2b3c4d5-e6f7-8901-2345-678901bcdef0 status: stable level: critical description: | Detects attempts to access LSASS process memory, commonly used by Mimikatz, ProcDump, and comsvcs.dll to dump credentials. author: Shakil Md. Rezwanul Bari logsource: category: process_access product: windows detection: selection_target: TargetImage|endswith: '\lsass.exe' selection_access: GrantedAccess|contains: - '0x1010' - '0x1038' - '0x1F0FFF' filter_legitimate: SourceImage|endswith: - '\MsMpEng.exe' - '\csrss.exe' - '\wmiprvse.exe' condition: selection_target and selection_access and not filter_legitimate tags: - attack.credential_access - attack.t1003.001 ``` ### Windows — Kerberoasting 检测 ``` title: Kerberoasting - Service Ticket Request id: b3c4d5e6-f7a8-9012-3456-789012cdef01 status: stable level: high description: | Detects Kerberoasting attacks where service tickets are requested with weak RC4 encryption for offline password cracking. author: Shakil Md. Rezwanul Bari logsource: product: windows service: security detection: selection: EventID: 4769 TicketEncryptionType: '0x17' TicketOptions: '0x40810000' filter_machine: ServiceName|endswith: '$' filter_builtin: ServiceName: - 'krbtgt' - 'kadmin' condition: selection and not filter_machine and not filter_builtin tags: - attack.credential_access - attack.t1558.003 ``` ### Linux — 反向 Shell 检测 ``` title: Linux Reverse Shell Execution id: d5e6f7a8-b9c0-1234-5678-901234ef0123 status: stable level: critical description: | Detects common reverse shell patterns on Linux including bash, Python, Perl, nc/netcat techniques. author: Shakil Md. Rezwanul Bari logsource: category: process_creation product: linux detection: selection_bash: CommandLine|contains: - 'bash -i >& /dev/tcp/' - 'bash -c "sh -i >& /dev/tcp/' selection_python: CommandLine|contains: - 'python -c "import socket,subprocess,os' - 'python3 -c "import socket,subprocess,os' selection_netcat: CommandLine|contains: - 'nc -e /bin/sh' - 'nc -e /bin/bash' - 'ncat -e /bin/sh' condition: selection_bash or selection_python or selection_netcat tags: - attack.execution - attack.t1059.004 - attack.command_and_control - attack.t1071.001 ``` ## YARA 规则 ### Cobalt Strike Beacon 检测 ``` rule CobaltStrike_Beacon_Indicators { meta: author = "Shakil Md. Rezwanul Bari" description = "Detects Cobalt Strike Beacon payloads" severity = "critical" mitre_attack = "T1071.001, T1573.002" strings: $pipe1 = "\\\\.\\pipe\\msagent_" ascii wide $pipe2 = "\\\\.\\pipe\\MSSE-" ascii wide $pipe3 = "\\\\.\\pipe\\postex_" ascii wide $str1 = "beacon.dll" ascii wide $str2 = "beacon.x64.dll" ascii wide $str3 = "%02d/%02d/%02d %02d:%02d:%02d" ascii $c2_1 = "/submit.php?id=" ascii $c2_2 = "__cfduid=" ascii condition: uint16(0) == 0x5A4D and (2 of ($pipe*) or 2 of ($str*)) } ``` ### Mimikatz 指标 ``` rule Mimikatz_Indicators { meta: author = "Shakil Md. Rezwanul Bari" description = "Detects Mimikatz credential dumping tool" severity = "critical" mitre_attack = "T1003.001" strings: $cmd1 = "sekurlsa::logonpasswords" ascii wide nocase $cmd2 = "lsadump::dcsync" ascii wide nocase $cmd3 = "kerberos::golden" ascii wide nocase $cmd4 = "privilege::debug" ascii wide nocase $str1 = "gentilkiwi" ascii wide $str2 = "Benjamin DELPY" ascii wide $str3 = "mimikatz" ascii wide nocase condition: (3 of ($cmd*)) or (2 of ($str*) and any of ($cmd*)) } ``` ### Web Shell 检测 ``` rule WebShell_Generic { meta: author = "Shakil Md. Rezwanul Bari" description = "Detects common web shell patterns" severity = "high" mitre_attack = "T1505.003" strings: $php1 = " 30 | bucket _time span=5m | stats count as beacon_count, dc(_time) as time_intervals, stdev(_time) as time_stdev by query | eval regularity=round(time_stdev, 2) | where beacon_count > 50 AND regularity < 300 | sort -beacon_count ``` ### 数据渗出 — 异常出站流量 ``` index=firewall OR index=proxy action=allowed | where src_zone="internal" AND dest_zone="external" | stats sum(bytes_out) as total_bytes by src_ip, user | eval gb_out=round(total_bytes/1073741824, 2) | where gb_out > 1 | sort -gb_out ``` ### 横向移动 — RDP 暴力破解 ``` index=win sourcetype=WinEventLog:Security EventCode=4625 Logon_Type=10 | stats count as failures dc(Source_Network_Address) as src_count values(Source_Network_Address) as src_ips by Account_Name, ComputerName | where failures > 10 | join Account_Name ComputerName [ search index=win EventCode=4624 Logon_Type=10 | stats latest(_time) as success_time by Account_Name, ComputerName ] | where isnotnull(success_time) | sort -failures ``` ## 狩猎查询 (KQL) ### 身份 — 不可能旅行 ``` SigninLogs | where TimeGenerated >= ago(24h) | where ResultType == "0" | project TimeGenerated, UserPrincipalName, IPAddress, Lat = tostring(LocationDetails.geoCoordinates.latitude), Lon = tostring(LocationDetails.geoCoordinates.longitude), City = tostring(LocationDetails.city) | sort by UserPrincipalName, TimeGenerated asc | extend PrevTime = prev(TimeGenerated, 1), PrevLat = todouble(prev(Lat, 1)), PrevLon = todouble(prev(Lon, 1)), PrevUser = prev(UserPrincipalName, 1) | where UserPrincipalName == PrevUser | extend TimeDiffMin = datetime_diff('minute', TimeGenerated, PrevTime), DistKm = geo_distance_2points(todouble(Lon), todouble(Lat), PrevLon, PrevLat) / 1000 | where TimeDiffMin < 120 and DistKm > 500 ``` ### 终端 — 可疑进程链 ``` DeviceProcessEvents | where TimeGenerated >= ago(24h) | where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe") | where FileName in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "certutil.exe", "rundll32.exe", "regsvr32.exe") | project TimeGenerated, DeviceName, AccountName, ParentProcess = InitiatingProcessFileName, ChildProcess = FileName, CommandLine = ProcessCommandLine | sort by TimeGenerated desc ``` ## 狩猎剧本 ### 剧本 07：勒索软件前体狩猎 ``` ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ HUNTING PLAYBOOK: Ransomware Precursors ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ OBJECTIVE: Identify ransomware operator activity BEFORE encryption PRECURSOR TIMELINE: Phase 1: Initial Compromise (Days -30 to -14) • Cobalt Strike / Brute Ratel beaconing • IcedID / QakBot initial payload delivery • Unusual RDP/VPN from new geolocations Phase 2: Reconnaissance (Days -14 to -7) • AdFind.exe or BloodHound AD enumeration • Network scanning (Advanced IP Scanner, nmap) • nltest /dclist: (domain controller discovery) • net group "Domain Admins" /domain Phase 3: Credential Theft (Days -7 to -3) • LSASS access (Mimikatz, ProcDump) • DCSync attacks (replication requests) • Kerberoasting / AS-REP Roasting Phase 4: Lateral Movement (Days -3 to -1) • PsExec / WMIC remote execution • RDP to multiple servers in sequence • SMB file shares accessed in bulk Phase 5: Data Exfiltration (Days -2 to 0) • Rclone or MegaSync upload activity • Large archive file creation (7z, rar) • Unusual outbound to cloud storage Phase 6: Impact (Day 0) • Shadow copy deletion (vssadmin, wmic) • Backup service termination • Mass file encryption + ransom note ``` ## MITRE ATT&CK 覆盖范围 ### 检测覆盖矩阵 | 战术 | 覆盖技术 | 覆盖率 | |---|---|---| | **初始访问** (TA0001) | T1566, T1190, T1078, T1133 | 高 | | **执行** (TA0002) | T1059, T1204, T1047 | 高 | | **持久化** (TA0003) | T1053, T1547, T1505 | 高 | | **权限提升** (TA0004) | T1548, T1068, T1134 | 中 | | **防御规避** (TA0005) | T1027, T1562, T1070 | 中 | | **凭证访问** (TA0006) | T1003, T1558, T1110 | 高 | | **发现** (TA0007) | T1087, T1082, T1083 | 中 | | **横向移动** (TA0008) | T1021, T1550, T1570 | 高 | | **收集** (TA0009) | T1560, T1114 | 中 | | **渗出** (TA0010) | T1048, T1567 | 中 | | **命令与控制** (TA0011) | T1071, T1573, T1572 | 高 | | **影响** (TA0040) | T1486, T1490, T1489 | 高 | ## 检测工程 ### 检测开发生命周期 ``` 1. IDENTIFY → Threat intel, gap analysis, ATT&CK mapping 2. RESEARCH → Study technique, data sources, patterns 3. DEVELOP → Write Sigma/YARA/SPL/KQL rules 4. TEST → Validate with Atomic Red Team 5. TUNE → Reduce false positives, optimize perf 6. DEPLOY → Push to production SIEM/EDR 7. MAINTAIN → Monitor effectiveness, update for evasion ``` ### 检测质量指标 | 指标 | 公式 | 目标 | |---|---|---| | 真阳性率 | TP / (TP + FN) | > 95% | | 假阳性率 | FP / (FP + TN) | < 5% | | 平均检测时间 | Avg(detect_time - attack_time) | < 30 分钟 | | ATT&CK 覆盖率 | Detected / Total techniques | > 60% | | 规则新鲜度 | Updated in 90d / Total rules | > 80% | ## 许可证 MIT 许可证

标签：ATT&CK映射, Cloudflare, DNS信息、DNS暴力破解, EDR, KQL查询, Microsoft Defender, Microsoft Sentinel, MITRE ATT&CK, Sigma规则, SPL查询, URL发现, YARA规则, 安全分析师, 安全剧本, 安全架构, 安全检测, 安全运营中心, 攻击者行为分析, 目标导入, 管理员页面发现, 网络威胁狩猎, 网络安全, 网络映射, 脆弱性评估, 速率限制处理, 隐私保护