Chi-David575/SOC-Analyst-Lab-Notebook
A hands-on SOC analyst lab project for building a threat detection pipeline and custom SIEM rules.
Stars: 0 | Forks: 0
# 🛡️ SOC Analyst Lab: End-to-End Threat Detection Pipeline
## 🏗️ Lab Architecture Blueprint
Before digging into alerts, it is essential to understand the telemetry pipeline. Below is the structural topology of the three-tier defensive environment built for this project:
```
+-----------------------------------+
| The Endpoint Tier (Target)        |
| - Windows Virtual Machine         |
| - Advanced Security Auditing      |
+-----------------+-----------------+
                  |
                  v  [Local Security Logs]
+-----------------+-----------------+
| The Collection Tier (Shipper)     |
| - Winlogbeat Native Service       |
| - Formats Logs into JSON          |
+-----------------+-----------------+
                  |
                  v  [Secure Network Forwarding]
+-----------------+-----------------+
| The Analytics Tier (SIEM)         |
| - Centralized Kali Linux          |
| - Elasticsearch Database          |
| - Kibana Operations Console       |
+-----------------------------------+
```
## 📌 Project Overview
This project documents the engineering and deployment of a three-tier Home Security Operations Center (SOC) Lab. The objective was to build a resilient centralized logging architecture, simulate real-world adversary behavior, and author custom SIEM alert rules to isolate network-layer brute-force activity.
---
## 🛑 Threat Detection Playbook: SMB/RDP Password Brute Force
### 1. Adversary Simulation (Attack)
To replicate a network-layer credential stuffing or automated password brute-force attack, an active terminal loop was executed from an external attacker node (Kali Linux) using the `smbclient` utility to spray rapid authentication requests against the target's network shares.
```bash
# Automated bash loop simulating rapid authentication failures
for i in {1..7}; do
  smbclient -L //192.168.43.221 -U Administrator%WrongPassword123
done
```
### 2. SIEM Detection Logic (KQL)
Windows logs ingested into the database are evaluated by a custom Threshold Detection Rule designed to ignore single accidental logon mistypes and isolate true high-velocity attacks.
- **Event ID:** 4625 (An account failed to log on)
- **SubStatus Code:** 0xc000006a (Specified password is incorrect)
- **Aggregation Strategy:** Results are grouped by unique `source.ip` values.
- **Threshold Trigger:** Fire an alert only when a single source host generates >= 3 unique failures within a rolling 60-second analysis window.
```kql
event.code : "4625" and winlog.event_data.SubStatus : "0xc000006a"
```
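The threshold logic above is evaluated inside the SIEM, but the same rule is easy to reason about in code. The following Python script is an added example, not part of the lab's own rule set: it applies the KQL filter (`event.code` 4625 with SubStatus `0xc000006a`) to a stream of Winlogbeat-style JSON lines, keeps a rolling 60-second window per `source.ip`, and fires once a source reaches three matching failures. The events in `SAMPLE_LOG` are constructed for the example, the ECS field names (`@timestamp`, `source.ip`, `winlog.event_data.SubStatus`) follow Winlogbeat's documented output, and the function names are hypothetical.

```python
import json
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECONDS = 60  # rolling analysis window used by the rule
THRESHOLD = 3        # failures from one source.ip needed to fire


def matches_rule(doc):
    """Python equivalent of the KQL filter:
    event.code : "4625" and winlog.event_data.SubStatus : "0xc000006a"."""
    code = doc.get("event", {}).get("code")
    sub = doc.get("winlog", {}).get("event_data", {}).get("SubStatus", "")
    return code == "4625" and sub.lower() == "0xc000006a"


def parse_ts(stamp):
    """Winlogbeat writes @timestamp as ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def detect_bruteforce(json_lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Sliding-window threshold rule grouped by source.ip.

    Returns one (source_ip, alert_time, failure_count) tuple per burst.
    After a source fires, its window is cleared so a single burst of ten
    failures produces one alert instead of eight.
    """
    recent = defaultdict(deque)  # source.ip -> timestamps of matching failures
    alerts = []
    for line in json_lines:
        doc = json.loads(line)
        if not matches_rule(doc):
            continue  # 4624 successes, or 4625 with another SubStatus, are ignored
        ip = doc.get("source", {}).get("ip")
        if ip is None:
            continue
        ts = parse_ts(doc["@timestamp"])
        q = recent[ip]
        q.append(ts)
        # Expire failures older than the window, relative to the newest event.
        while q and (ts - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ip, ts.isoformat(), len(q)))
            q.clear()
    return alerts


def _event(stamp, code, ip, substatus=None):
    """Build a constructed Winlogbeat-style JSON line (sample data, not lab output)."""
    doc = {"@timestamp": stamp, "event": {"code": code},
           "source": {"ip": ip}, "winlog": {"event_data": {"IpAddress": ip}}}
    if substatus:
        doc["winlog"]["event_data"]["SubStatus"] = substatus
    return json.dumps(doc)


# Constructed sample stream: one accidental mistype from .50, a burst from .10.
SAMPLE_LOG = [
    _event("2024-01-01T10:00:00Z", "4625", "192.168.43.50", "0xc000006a"),  # single mistype
    _event("2024-01-01T10:00:05Z", "4625", "192.168.43.10", "0xc000006a"),
    _event("2024-01-01T10:00:06Z", "4625", "192.168.43.10", "0xc0000064"),  # unknown user, not counted
    _event("2024-01-01T10:00:07Z", "4625", "192.168.43.10", "0xc000006a"),
    _event("2024-01-01T10:00:09Z", "4625", "192.168.43.10", "0xc000006a"),  # third failure: alert
    _event("2024-01-01T10:00:11Z", "4625", "192.168.43.10", "0xc000006a"),  # window reset, count 1
    _event("2024-01-01T10:02:30Z", "4625", "192.168.43.10", "0xc000006a"),  # >60s later, alone
    _event("2024-01-01T10:02:40Z", "4624", "192.168.43.10"),                # success, not a failure
]

if __name__ == "__main__":
    for ip, when, count in detect_bruteforce(SAMPLE_LOG):
        print(f"ALERT high: {count} password failures from {ip} within {WINDOW_SECONDS}s (at {when})")
```

Running the script prints a single alert for 192.168.43.10; the lone mistype from 192.168.43.50 and the isolated failure two minutes later never reach the threshold, which is exactly the noise the rule is designed to suppress.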
### 3. Rule Metrics & Engine Performance
The internal rule execution engine monitors the performance of custom triggers to ensure high-fidelity scanning without degrading database cluster response times:
- **Rule Run Frequency:** Every 1 minute with a 1-minute lookback window.
- **Operational Integrity:** Maintained consistent "Succeeded" execution states across active testing windows, resolving initial database timeouts by restricting JVM heap sizes.
---
## 🚨 Security Incident Evidence & Triage
When the threshold of 3 failures is reached, a **High-Severity** triage alert is instantly generated in the SIEM dashboard.
### 📸 Evidence Appendix
#### 1. SIEM Security Alert Triggered
*The Kibana Alerts dashboard capturing the real-time true-positive alert generation from the adversary simulation:*
#### 2. SIEM Detection Rule Health Monitoring
*The internal rule execution tracker showing successful automated run cycles and cluster health metrics:*
---
### 📋 Analyst Triage Checklist
When this alert fires, an enterprise SOC analyst follows this investigative workflow:
1. **Source Attribution:** Inspect the `source.ip` or `winlog.event_data.IpAddress` fields to isolate the physical or logical network origin of the noisy authentication traffic.
2. **Determine Lateral Compromise:** Query adjacent timestamps for successful network logons (`event.code: "4624"`) mapping back to the same malicious source IP to determine if the threat actor successfully cracked a password.
3. **Account Profiling:** Check if the attack targeted critical administrative infrastructure accounts (`user.name: "Administrator"`) or sprayed across diverse domain users.
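The three checklist steps are usually run as ad-hoc Kibana queries. As an added example (not the project's own tooling), the Python function below performs the same triage over Winlogbeat-style JSON lines once an alert has fired for a given `source.ip` and time: it attributes the source (preferring `source.ip`, falling back to `winlog.event_data.IpAddress`), looks for successful network logons (`event.code` 4624, LogonType 3) from that source within a lookahead window after the alert, and profiles which accounts were targeted, flagging `Administrator` and multi-account spraying. The events in `SAMPLE_LOG`, the five-minute lookahead, the "more than one account equals spray" heuristic, and the function names are all assumptions made for this example.

```python
import json
from datetime import datetime, timedelta

RULE_WINDOW_SECONDS = 60     # matches the detection rule's rolling window
LOOKAHEAD_SECONDS = 300      # assumed: how long after the alert to look for a success


def parse_ts(stamp):
    """Winlogbeat writes @timestamp as ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def source_ip(doc):
    """Step 1, source attribution: prefer ECS source.ip, fall back to the raw field."""
    ecs = doc.get("source", {}).get("ip")
    return ecs or doc.get("winlog", {}).get("event_data", {}).get("IpAddress")


def triage(json_lines, alert_ip, alert_time, lookahead=LOOKAHEAD_SECONDS):
    """Return the triage facts an analyst needs for one brute-force alert."""
    fired = parse_ts(alert_time)
    window_start = fired - timedelta(seconds=RULE_WINDOW_SECONDS)
    window_end = fired + timedelta(seconds=lookahead)
    targeted = set()
    successes = []
    for line in json_lines:
        doc = json.loads(line)
        if source_ip(doc) != alert_ip:
            continue
        ts = parse_ts(doc["@timestamp"])
        if not window_start <= ts <= window_end:
            continue
        code = doc.get("event", {}).get("code")
        user = doc.get("user", {}).get("name")
        logon_type = doc.get("winlog", {}).get("event_data", {}).get("LogonType")
        if code == "4625":
            targeted.add(user)                       # Step 3: account profiling
        elif code == "4624" and logon_type == "3":   # Step 2: network logon success
            successes.append((ts.isoformat(), user))
    return {
        "source_ip": alert_ip,
        "targeted_accounts": sorted(targeted),
        "admin_targeted": "Administrator" in targeted,
        "password_spray": len(targeted) > 1,          # assumed heuristic
        "successful_logons": successes,
        "likely_compromised": bool(successes),
    }


def _event(stamp, code, ip, user, substatus=None, logon_type=None):
    """Build a constructed Winlogbeat-style JSON line (sample data, not lab output)."""
    data = {"IpAddress": ip}
    if substatus:
        data["SubStatus"] = substatus
    if logon_type:
        data["LogonType"] = logon_type
    doc = {"@timestamp": stamp, "event": {"code": code}, "source": {"ip": ip},
           "user": {"name": user}, "winlog": {"event_data": data}}
    return json.dumps(doc)


ALERT_IP = "10.0.0.5"                 # constructed alert context
ALERT_TIME = "2024-01-01T12:00:09Z"
SAMPLE_LOG = [
    _event("2024-01-01T12:00:01Z", "4625", "10.0.0.5", "Administrator", substatus="0xc000006a"),
    _event("2024-01-01T12:00:04Z", "4625", "10.0.0.5", "svc_backup", substatus="0xc000006a"),
    _event("2024-01-01T12:00:09Z", "4625", "10.0.0.5", "jdoe", substatus="0xc000006a"),
    _event("2024-01-01T12:00:40Z", "4624", "10.0.0.5", "jdoe", logon_type="3"),    # success after the spray
    _event("2024-01-01T12:01:00Z", "4624", "10.0.0.99", "alice", logon_type="3"),  # unrelated source
    _event("2024-01-01T12:09:00Z", "4624", "10.0.0.5", "jdoe", logon_type="3"),    # outside lookahead
]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG, ALERT_IP, ALERT_TIME), indent=2))
```

For the constructed sample the verdict is the worst case: three distinct accounts including `Administrator` were tried from 10.0.0.5, and a network logon as `jdoe` succeeded 31 seconds after the alert, so the incident escalates from "noisy source" to "credential likely cracked, contain the host and reset the account".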