mars13-tech/home-soc-lab

# 家庭 SOC 实验室 — Elastic SIEM **作者：** Karthikeyan **目标角色：** SOC 分析师（蓝队） **平台：** Elastic Cloud · Elasticsearch · Kibana · Elastic Agent **端点：** Windows 11 **状态：** 活跃中 🔗 [LinkedIn](https://www.linkedin.com/in/karthi-keyan-9042862bb) · 🐙 [GitHub](https://github.com/mars13-tech) --- ## 这是什么 一个从零开始搭建于 Elastic SIEM 之上的、功能完整的家庭 SOC 实验室。 真实的 Windows 端点遥测数据。真实的检测规则。真实的告警。真实的调查流程。 旨在培养 L1/L2 SOC 分析师每轮班次都会用到的实操技能——不是照搬教程，而是理解从告警触发到工单关闭之间到底发生了什么。 --- ## 实验室架构 ``` Windows 11 Endpoint ↓ Elastic Agent (Fleet managed) ↓ Elastic Cloud (Elasticsearch) ↓ Kibana (Discover · Alerts · Timeline) ↓ Detection Rules (KQL / EQL) ↓ Security Alerts → Investigation → Response ``` --- ## 仓库结构 ``` home-soc-lab/ │ ├── README.md │ ├── setup/ │ ├── elastic-cloud-setup.md — Elastic Cloud deployment walkthrough │ ├── agent-install.md — Fleet agent installation on Windows │ └── troubleshooting.md — Real issues hit and how they were fixed │ ├── architecture/ │ ├── data-flow.md — End-to-end data flow explanation │ └── siem-architecture.png — Visual architecture diagram │ ├── dashboards/ │ ├── discover.png — Kibana Discover live telemetry view │ ├── discover-overview.png — Full Discover dashboard overview │ ├── encoded-powershell-alert.png — Alert fired for encoded PowerShell │ ├── fleet-agent.png — Fleet agent health confirmed │ ├── logged-in-events.png — Authentication event monitoring │ ├── lolbin-hunt.png — LOLBin threat hunting session │ ├── powershell-detection.png — PowerShell execution detection │ ├── powershell-logs.png — Raw PowerShell logs captured │ ├── process-chain.png — Parent-child process analysis │ └── timeline-analysis.png — Full attack timeline reconstruction │ ├── notes/ │ ├── notes-index.md — Index and summary of all learning notes │ ├── day2-learning-notes.md — Elastic Cloud setup, first agent connection │ ├── day3-notes.md — ECS fields, Kibana Discover navigation │ ├── day4-notes.md — First KQL queries, PowerShell log analysis │ ├── day5-notes.md — Detection rule creation, alert configuration │ ├── day6-notes.md — Alert tuning, false positive reduction │ ├── discover-notes.md — Kibana Discover workflow reference │ └── ecs-fields.md — ECS field reference for SOC analyst use │ ├── detection-rules/ │ ├── encoded-powershell.md — T1059.001 — Encoded PowerShell detection │ ├── brute-force.md — T1110 — Brute force login detection │ ├── lolbin-detection.md — T1218 — LOLBin abuse detection │ └── word-powershell.md — T1566.001 — Office macro spawning PowerShell │ ├── queries/ │ ├── kql-detections.md — KQL queries tied to detection rules │ └── kql-threat-hunting.md — KQL queries for active threat hunting │ ├── investigations/ │ ├── alert-triage-process.md — L1 analyst alert triage workflow │ ├── attack-timeline.md — Full attack timeline reconstruction │ ├── case-management-notes.md — Ticket and case lifecycle documentation │ ├── encoded-powershell-investigation.md — Full encoded PowerShell walkthrough │ ├── incident-response-report.md — Formal IR report │ ├── phishing-investigation.md — Phishing attack investigation │ └── threat-hunting-report.md — Proactive threat hunting session │ └── alerts/ ├── alert-tuning.md — False positive reduction documentation └── alert-workflow.md — End-to-end alert handling process ``` --- ## 检测规则 | 规则 | MITRE 技术 | ID | 严重程度 | |---|---|---|---| | 编码 PowerShell 执行 | 命令与脚本解释器：PowerShell | T1059.001 | 高 | | 暴力登录尝试 | 暴力破解 | T1110 | 中等 | | Office 应用生成 PowerShell | 钓鱼：鱼叉式钓鱼附件 | T1566.001 | 高 | | LOLBin 滥用 | 签名二进制代理执行 | T1218 | 高 | --- ## 关键 KQL 查询 ### 编码 PowerShell 检测 ``` process.command_line: (*EncodedCommand* or *-enc* or *-e * or *-ec *) ``` ### LOLBin 滥用检测 ``` process.name: ("certutil.exe" or "rundll32.exe" or "mshta.exe" or "wscript.exe" or "cscript.exe" or "regsvr32.exe") ``` ### Office 生成 PowerShell ``` process.parent.name: ("winword.exe" or "excel.exe" or "powerpnt.exe") and process.name: "powershell.exe" ``` ### 暴力破解检测 ``` event.action: "logon-failed" ``` --- ## 完成的调查 | 调查项 | 攻击类型 | MITRE | |---|---|---| | 编码 PowerShell 调查 | PowerShell 混淆 | T1059.001，T1027 | | 钓鱼调查 | Office 宏执行 | T1566.001 | | 威胁狩猎报告 | LOLBin 滥用狩猎 | T1218 | | 攻击时间线重建 | 完整杀伤链分析 | 多个 | | 告警分类流程 | L1 分析师工作流 | — | | 案件管理记录 | 工单生命周期 | — | | 应急响应报告 | 正式 IR 文档 | 多个 | --- ## 本实验室使用的 ECS 字段 | ECS 字段 | 用途 | |---|---| | `host.name` | 标识受影响系统 | | `user.name` | 标识用户活动 | | `process.name` | 标识已执行的进程 | | `process.command_line` | 显示完整命令执行内容 | | `process.parent.name` | 显示父进程——对链路分析至关重要 | | `source.ip` | 显示源 IP 地址 | | `destination.ip` | 显示目标 IP | | `event.action` | 描述执行的操作 | | `event.category` | 对事件类型进行分类 | | `event.outcome` | 显示成功或失败 | --- ## 展示的技能 | 技能 | 证据 | |---|---| | SIEM 部署 | setup/ — 完整记录了 Elastic Cloud 部署过程 | | 检测工程 | detection-rules/ — 4 条规则及 MITRE 映射 | | KQL 威胁狩猎 | queries/ — 7 个类别下 20+ 条狩猎查询 | | 告警调优 | alerts/alert-tuning.md — 误报减少 | | 事件调查 | investigations/ — 7 个调查文件 | | 日志分析 | notes/ — 8 篇学习笔记及索引 | | 架构理解 | architecture/ — 数据流图 + 架构图 | | ECS 规范化 | notes/ecs-fields.md — 字段参考文档 | --- ## 我在任何教程中学不到的东西 编写一条检测规则花了 20 分钟。 把它调优到不对合法 PowerShell 活动产生告警，却花了更长的时间。 一个对所有东西都产生告警的检测规则只是噪音。噪音会被忽略。被忽略的告警会漏掉真正的攻击。安全事件就是这样发生的。 另一件事——调试日志为何未被摄取，让我比阅读任何文档都更深刻地理解了 Elastic Agent 和 Elasticsearch 之间的通信机制。 --- ## 未来改进 - [ ] 集成 Sysmon 以获得更深入的端点可见性 - [ ] Sigma 规则转换以实现跨平台检测 - [ ] 基于序列攻击的进阶 EQL 检测 - [ ] 威胁情报源集成 - [ ] Linux 端点遥测数据 - [ ] 自动化响应工作流 --- ## 作者 **Karthikeyan** 网络安全工程专业学生 | 蓝队 | 未来的 SOC 分析师 🔗 [LinkedIn](https://www.linkedin.com/in/karthi-keyan-9042862bb) 🐙 [GitHub](https://github.com/mars13-tech)

标签：AI合规, AMSI绕过, BurpSuite集成, Conpot, Elastic Agent, Elasticsearch, Elastic SIEM, Elastic Stack, Fleet管理, KQL, SIEM实践, SOC分析师, SOC实验室, Windows安全, 事件调查, 告警分析, 告警调优, 威胁检测, 安全日志分析, 安全运营中心, 家庭实验室, 检测规则, 流量重放, 端点遥测, 网络安全, 网络映射, 网络资产发现, 越狱测试, 隐私保护