cerberus8484/SIEM-Rules

GitHub: cerberus8484/SIEM-Rules

A production-grade collection of SIEM detection rules spanning Splunk, QRadar, Google SecOps and Wazuh, helping enterprise security teams quickly deploy threat-hunting coverage across the full attack lifecycle.

Stars: 0 | Forks: 0

# HuntingThreats — Enterprise Hunting Pack

**Production-grade SIEM detection rules for Splunk, QRadar, Google SecOps and Wazuh.**

## Quick start

```
# Clone
git clone https://github.com/cerberus8484/SIEM-Rules.git
cd SIEM-Rules/hunts

# Validate the rules (Python 3.9+)
pip install -r tools/requirements.txt
python tools/rule_linter.py

# Generate the coverage matrix
python tools/coverage_matrix.py
```

## Rule packs

| Pack | Directory | Description | Splunk | QRadar | SecOps | Wazuh |
|---|---|---|---|---|---|---|
| ⚙️ Windows Execution | `splunk/execution/` | PowerShell, LOLBins, WMI, Office Macros | ✅ | ✅ | — | — |
| 🔒 Windows Persistence | `splunk/persistence/` | Registry Run, Scheduled Tasks, Services | ✅ | ✅ | — | — |
| 🛡️ Defense Evasion | `splunk/defense_evasion/` | Process Injection, Masquerading, AMSI bypass | ✅ | ✅ | — | — |
| 🔑 Credential Access | `splunk/credential_access/` | LSASS dump, DCSync, Kerberoasting | ✅ | ✅ | — | — |
| 📡 Command & Control | `splunk/c2/` | Beaconing, DNS tunneling, C2 ports | ✅ | ✅ | — | — |
| ↔️ Lateral Movement | `splunk/lateral_movement/` | PsExec, WMI remote, Pass-the-Hash | ✅ | ✅ | — | — |
| 🔍 Discovery | `splunk/discovery/` | AD enumeration, network scan, BloodHound | ✅ | ✅ | — | — |
| 📤 Exfiltration | `splunk/exfiltration/` | Large POST, DNS exfil, cloud upload | ✅ | ✅ | — | — |
| 💥 Impact | `splunk/impact/` | Ransomware execution, wiper, service kill | ✅ | ✅ | — | — |
| ⬆️ Privilege Escalation | `splunk/privilege_escalation/` | Token manipulation, UAC bypass | ✅ | ✅ | — | — |
| 🚪 Initial Access | `splunk/initial_access/` | Spearphishing, drive-by, exploit public-facing | ✅ | ✅ | — | — |
| ☁️ Cloud | `splunk/cloud/` | AWS CloudTrail, Azure AD, M365, GCP | ✅ | ✅ | ✅ | — |
| 🐧 Linux | `splunk/linux/` | Persistence, privesc, defense evasion | ✅ | — | — | — |
| 🌐 Network | `splunk/network/` | Firewall anomalies, protocol abuse | ✅ | — | — | — |
| 🕸️ Web Application | `splunk/web/` | SQLi, LFI/RFI, RCE, WAF evasion | ✅ | — | — | — |
| 🎯 Threat Intelligence | `splunk/threat_intel/` | IOC matching, TI feed correlation | ✅ | — | — | — |
| 👤 Identity / IAM | `splunk/identity/` | Entra ID, AWS IAM, Okta, Generic IdP | ✅ | ✅ | ✅ | ✅ |
| 📦 Container / K8s | `splunk/container/` | Kubernetes audit, container escape, RBAC | ✅ | — | — | — |
| 🔧 DevOps / CI-CD | `splunk/devops/` | GitHub Actions, supply chain, secrets in logs | ✅ | — | — | — |
| 💾 Backup / Resilience | `splunk/backup/` | VSS deletion, backup kill, ransomware prep | ✅ | — | — | — |
| 🖥️ Hypervisor / VMware | `splunk/hypervisor/` | ESXi, vCenter, Proxmox attacks | ✅ | — | — | — |
| 📧 Email Security | `splunk/email/` | DMARC fail, macro attachments, BEC | ✅ | — | — | — |
| 🗄️ Database | `splunk/database/` | SQL injection, xp_cmdshell, mass SELECT | ✅ | — | — | — |
| 🔐 VPN / Remote Access | `splunk/vpn/` | Impossible travel, concurrent sessions, ZTNA | ✅ | — | — | — |
| 🍎 macOS | `splunk/macos/` | LaunchAgent, TCC bypass, Gatekeeper disabled | ✅ | — | — | — |
| 🚨 DLP / Data Exfiltration | `splunk/dlp/` | Multi-vector exfil chains, staging, rclone | ✅ | — | — | — |
| 🍯 Deception / Canary | `splunk/deception/` | Canary files, honey credentials, honeypot traps | ✅ | — | — | — |
| 🔗 Correlation | `splunk/correlation/` | Multi-stage kill chains, risk scoring | ✅ | — | — | — |
| 📋 Analyst Queries | `analyst_queries/` | Ad-hoc hunt queries for live investigations | ✅ | ✅ | ✅ | ✅ |

## Directory structure

```
hunts/
├── splunk/                  # Splunk SPL rules
│   ├── execution/           # Packs A–F: Windows Execution / Persistence / C2 / ...
│   ├── persistence/
│   ├── defense_evasion/
│   ├── credential_access/
│   ├── c2/
│   ├── lateral_movement/
│   ├── discovery/
│   ├── exfiltration/
│   ├── impact/
│   ├── privilege_escalation/
│   ├── initial_access/
│   ├── cloud/               # Packs B–E: AWS, Azure, M365, GCP
│   ├── linux/               # Pack F: Linux
│   ├── network/
│   ├── web/
│   ├── threat_intel/
│   ├── identity/            # Pack G: Identity/IAM (Entra ID, AWS IAM, Okta)
│   ├── container/           # Pack H: Container/Kubernetes
│   ├── devops/              # Pack I: DevOps/CI-CD
│   ├── backup/              # Pack J: Backup/Ransomware-Resilience
│   ├── hypervisor/          # Pack K: Hypervisor/VMware/ESXi
│   ├── email/               # Pack L: Email Security
│   ├── database/            # Pack M: Database
│   ├── vpn/                 # Pack N: VPN/ZTNA/Remote Access
│   ├── macos/               # Pack O: macOS
│   ├── dlp/                 # Pack P: Data Exfiltration/DLP
│   ├── deception/           # Pack Q: Deception/Canary
│   └── correlation/         # Pack R: Correlation/Multi-Stage Kill Chain
├── qradar/                  # QRadar AQL rules (identity + core packs)
├── secops/                  # Google SecOps UDM rules
├── wazuh/                   # Wazuh KQL rules
├── analyst_queries/         # Ad-hoc queries for live hunting (all 4 platforms)
├── playbooks/               # Analyst response playbooks
├── schema/
│   └── rule_metadata.yaml   # S1: Canonical rule metadata schema
├── tools/
│   ├── rule_linter.py       # S2: Python rule validator
│   ├── coverage_matrix.py   # S4: Coverage matrix generator
│   └── requirements.txt
└── tests/
    └── fixtures/            # S3: Synthetic test events (TP + FP per rule)
        ├── splunk/
        └── wazuh/
```

## Rule ID namespaces

| Prefix | Platform | Range | Pack |
|---|---|---|---|
| `SP-1xxxxx` | Splunk | 100000–199999 | Windows (Execution, Persistence, Evasion, ...) |
| `SP-2xxxxx` | Splunk | 200000–299999 | Cloud (AWS=200, Azure=201, M365=202, GCP=203) |
| `SP-3xxxxx` | Splunk | 300000–399999 | Linux |
| `SP-4xxxxx` | Splunk | 400000–499999 | Network Infrastructure |
| `SP-5xxxxx` | Splunk | 500000–599999 | Web Application |
| `SP-6xxxxx` | Splunk | 600000–699999 | Threat Intelligence |
| `SP-7xxxxx` | Splunk | 700000–709999 | Identity/IAM (Entra=700, AWS IAM=701, Okta=702) |
| `SP-71xxxx` | Splunk | 710000–719999 | Container / Kubernetes |
| `SP-72xxxx` | Splunk | 720000–729999 | DevOps / CI-CD |
| `SP-73xxxx` | Splunk | 730000–739999 | Backup / Resilience |
| `SP-74xxxx` | Splunk | 740000–749999 | Hypervisor / VMware |
| `SP-75xxxx` | Splunk | 750000–759999 | Email Security |
| `SP-76xxxx` | Splunk | 760000–769999 | Database |
| `SP-77xxxx` | Splunk | 770000–779999 | VPN / Remote Access |
| `SP-78xxxx` | Splunk | 780000–789999 | macOS |
| `SP-79xxxx` | Splunk | 790000–799999 | DLP / Exfiltration |
| `SP-80xxxx` | Splunk | 800000–809999 | Deception / Canary |
| `SP-81xxxx` | Splunk | 810000–819999 | Correlation / Multi-Stage |
| `QR-xxxxxx` | QRadar | same sub-ranges | QRadar AQL equivalents |
| `GS-xxxxxx` | Google SecOps | same sub-ranges | UDM Search equivalents |
| `WZ-xxxxxx` | Wazuh | same sub-ranges | KQL equivalents |
| `PB-xxx` | All | playbooks/ | Analyst Response Playbooks |
| `AQ-xxx-xxx` | All | analyst_queries/ | Live Hunt Queries |

## Platform integration guide

### Splunk

1. Copy the `.spl` files from `splunk//` into your Splunk environment
2. Create a saved search or alert for each `comment()` block
3. Every rule sets the `eval rule_id=`, `tactic=`, `technique=`, `severity=` and `confidence=` fields
4. Replace the `` and `` placeholders with your actual values

```
`comment("SP-700001 | Identity | Entra ID Global Admin directly assigned")`
index=azure:aad:audit operationName="Add member to role"
| ...
| eval rule_id="SP-700001", tactic="Privilege Escalation", severity="CRITICAL", confidence=90
```

### QRadar AQL

1. Import the `.aql` files from `qradar//` as custom rules
2. The AQL queries filter log sources with `logsourcetypename(logsourceid) ILIKE`
3. Rule metadata is embedded as a `/* SP-XXXXXX | ... */` comment block

### Google SecOps (Chronicle)

1. The UDM Search queries from `secops//` run in the Chronicle Search UI
2. They use the `metadata.product_name`, `metadata.product_event_type` and `target.user.*` fields
3. Rule IDs use the `GS-` prefix

### Wazuh

1. The KQL queries from `wazuh//` run in the Wazuh Dashboard (OpenSearch KQL)
2. They use the `rule.groups: "azure"/"amazon"/"okta"`, `data.aws.*` and `data.okta.*` fields
3. Wazuh `rule.level` >= 10 maps to HIGH and >= 12 to CRITICAL

## Rule quality and linting

### Running the linter

```
# Lint all rules
python tools/rule_linter.py

# JSON output for CI
python tools/rule_linter.py --json

# Strict mode (fails even on warnings)
python tools/rule_linter.py --strict

# Filter by platform or pack
python tools/rule_linter.py --platform splunk --pack identity
```

### Linter checks

| Check | Level | Description |
|---|---|---|
| Missing `rule_id` | ERROR | Every rule block must have a rule_id |
| Missing `tactic` | ERROR | A MITRE tactic must be provided |
| Missing `severity` | ERROR | Severity must be CRITICAL/HIGH/MEDIUM/LOW/INFO |
| Missing `confidence` | ERROR | A confidence score of 0–100 must be provided |
| Invalid severity value | ERROR | Must match the enum |
| Confidence out of range | ERROR | Must be between 0 and 100 |
| CRITICAL + low confidence | WARNING | CRITICAL rules should have confidence >= 85 |
| Duplicate rule ID | ERROR | IDs must be globally unique |
| Bug placeholders (TODO/FIXME) | WARNING | Unresolved development markers |
| Invalid ID format | WARNING | Must match SP/QR/GS/WZ-[0-9]{6,} |

### Generating the coverage matrix

```
# Writes COVERAGE.md + coverage.json
python tools/coverage_matrix.py

# Markdown only, printed to stdout
python tools/coverage_matrix.py --md-only --stdout
```

## Writing new rules

### 1. Pick the right rule ID

See the namespace table above. The next available ID is recorded in `schema/rule_metadata.yaml`.

### 2. Required metadata (Splunk)

```
`comment("SP-XXXXXX | | ")`
| eval rule_id="SP-XXXXXX"
| eval tactic=""
| eval technique=""
| eval severity=""
| eval confidence=<0-100>
```

### 3. Confidence calibration

| Confidence | When to use | Analyst action |
|---|---|---|
| 90–100 | Known malicious pattern, zero or very low FP | Escalate immediately |
| 75–89 | Very likely malicious, very few FP | Review within 1 hour |
| 55–74 | Suspicious, some FP expected | Open a ticket, review at shift handover |
| 30–54 | Weak signal, high FP rate | Log only |
| < 30 | Too noisy for production | Do not use |

### 4. Add test fixtures

Add at least one TP fixture under `tests/fixtures/splunk//tp_.json`.
For rules with known FP patterns, also add `fp_.json` together with tuning suggestions.

### 5. Run the linter

```
python tools/rule_linter.py --pack 
```

## MITRE ATT&CK coverage

This hunting pack covers **all 12 MITRE ATT&CK tactics**:

| Tactic | Key techniques |
|---|---|
| Initial Access | T1566 (Phishing), T1195 (Supply Chain), T1190 (Exploit Public App) |
| Execution | T1059 (PowerShell/Cmd), T1047 (WMI), T1204 (User Execution) |
| Persistence | T1547 (Registry Run), T1053 (Scheduled Tasks), T1543 (Services) |
| Privilege Escalation | T1134 (Token), T1548 (UAC), T1611 (Container Escape) |
| Defense Evasion | T1055 (Process Injection), T1562 (Impair Defenses), T1218 (LOLBins) |
| Credential Access | T1003 (LSASS), T1558 (Kerberoasting), T1621 (MFA Fatigue) |
| Discovery | T1087 (Account Discovery), T1069 (Permission Groups), T1046 (Netscan) |
| Lateral | T1021 (Remote Services), T1550 (Pass-the-Hash) |
| Collection | T1114 (Email Collection), T1213 (Data from Repos) |
| Command & Control | T1071 (App Layer), T1095 (Non-App Layer), T1571 (Non-Standard Port) |
| Exfiltration | T1041 (Exfil over C2), T1048 (Exfil Alt Protocol), T1567 (Cloud Storage) |
| Impact | T1486 (Ransomware), T1490 (Inhibit Recovery), T1531 (Account Access Removal) |

Extended coverage (beyond Windows):

- **Identity/IAM:** T1078.004, T1556.006, T1528 (Token Theft), T1098 (Account Manipulation)
- **Cloud:** T1537, T1530, T1619 (Cloud Enumeration)
- **Container:** T1611, T1552.007 (K8s Secrets), T1543 (Container as Service)
- **Deception (Detection):** all Q-pack rules carry a confidence of 97–98 (zero FP when deployed correctly)

## Repository stats

| Metric | Count |
|---|---|
| Total rule files | 81 |
| Splunk SPL rules | ~987 |
| QRadar AQL rules | ~200 |
| Google SecOps rules | ~100 |
| Wazuh KQL rules | ~200 |
| Test fixtures (TP+FP) | 11 |
| MITRE techniques covered | 80+ |
| MITRE tactics covered | 12 / 12 |

## License

MIT — see [LICENSE](../LICENSE).

Rules are provided as-is. Test them in your own environment before deploying to production.

*Built by [HuntingThreats](https://huntingthreats.de) — threat hunting for the modern SOC.*
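A compact reimplementation of the checks in the "Linter checks" table, run over constructed SPL blocks that follow the README's `eval rule_id=..., tactic=..., severity=..., confidence=...` convention. This is an added example, not the repository's own `tools/rule_linter.py`; the field regexes, message strings and sample blocks are assumptions.

```python
import re
from collections import Counter

SEVERITIES = {"CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO"}
ID_RE = re.compile(r"^(SP|QR|GS|WZ)-[0-9]{6,}$")  # ID format from the linter table
FIELD_RE = re.compile(r'\b(rule_id|tactic|severity)\s*=\s*"([^"]*)"')  # eval fields
CONF_RE = re.compile(r"\bconfidence\s*=\s*(-?\d+)\b")

def lint_rule(spl):
    """Single-rule checks from the linter table; returns (errors, warnings)."""
    fields = dict(FIELD_RE.findall(spl))
    errors, warnings = [], []
    rule_id = fields.get("rule_id")
    if not rule_id:
        errors.append("missing rule_id")
    elif not ID_RE.match(rule_id):
        warnings.append(f"invalid ID format: {rule_id}")
    if not fields.get("tactic"):
        errors.append("missing tactic")
    severity = fields.get("severity")
    if not severity:
        errors.append("missing severity")
    elif severity not in SEVERITIES:
        errors.append(f"invalid severity value: {severity}")
    conf_match = CONF_RE.search(spl)
    if not conf_match:
        errors.append("missing confidence")
    else:
        confidence = int(conf_match.group(1))
        if not 0 <= confidence <= 100:
            errors.append(f"confidence out of range: {confidence}")
        elif severity == "CRITICAL" and confidence < 85:
            warnings.append(f"CRITICAL rule with confidence {confidence} < 85")
    if re.search(r"\b(TODO|FIXME)\b", spl):
        warnings.append("unresolved TODO/FIXME marker")
    return errors, warnings

def lint_pack(rules):
    """Lint every block, then add the cross-rule duplicate-ID check (an ERROR)."""
    per_rule = [lint_rule(r) for r in rules]
    ids = [dict(FIELD_RE.findall(r)).get("rule_id") for r in rules]
    dupes = sorted(i for i, n in Counter(ids).items() if i and n > 1)
    return per_rule, [f"duplicate rule ID: {i}" for i in dupes]

# Constructed sample blocks (assumptions, not rules from the repository)
GOOD = ('`comment("SP-700001 | Identity | Entra ID Global Admin directly assigned")`\n'
        'index=azure:aad:audit operationName="Add member to role"\n'
        '| eval rule_id="SP-700001", tactic="Privilege Escalation", severity="CRITICAL", confidence=90')
BAD = ('`comment("SP-12 | TODO finish")`\nindex=wineventlog EventCode=4688\n'
       '| eval rule_id="SP-12", severity="SEVERE", confidence=120')
```

`lint_pack([GOOD, BAD, GOOD])` reports the three errors and two warnings for `BAD` plus a pack-level duplicate-ID error for the repeated `SP-700001`.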
Tags: bulk IP address processing, PE loader, QRadar, backend development, security operations, scanning framework, detection rules, network asset discovery, reverse-engineering tools