arthiya2002/edr-simulation
GitHub: arthiya2002/edr-simulation
An endpoint detection and automated incident response exercise platform built on simulated Sysmon telemetry and MITRE ATT&CK-aligned detection rules, following the NIST SP 800-61 incident response lifecycle.
Stars: 0 | Forks: 0
# EDR Policy Simulation and Endpoint Incident Response Workflow
**Simulates Sysmon telemetry in a lab of 20 Windows/Linux endpoints, runs MITRE ATT&CK-aligned detection rules, triggers automated incident response, and produces a complete EDR analytics dashboard.**
Follows the NIST SP 800-61 incident response lifecycle and CIS Benchmarks.
## What this project does
1. **Simulate** Sysmon telemetry from 20 mixed Windows/Linux endpoints: benign events with injected attack patterns
2. **Detect** threats with 10 detection rules mapped to MITRE ATT&CK techniques
3. **Respond** automatically: isolate endpoints, collect forensic artifacts, create incident records
4. **Report** everything in an EDR-style dashboard: detections, IR metrics and ATT&CK coverage
## Detection rules and MITRE ATT&CK coverage
| Rule | Technique | Tactic | Severity | Auto Response |
|------|-----------|--------|----------|---------------|
| EDR-001 | T1003.001 — LSASS Access | Credential Access | CRITICAL | Isolate |
| EDR-002 | T1059.001 — PowerShell Encoded | Execution | HIGH | Isolate |
| EDR-003 | T1021.002 — PsExec | Lateral Movement | HIGH | Isolate |
| EDR-004 | T1547.001 — Registry Run Key | Persistence | HIGH | Contain |
| EDR-005 | T1140 — Certutil Decode | Defense Evasion | HIGH | Contain |
| EDR-006 | T1071.004 — DNS C2 | Command & Control | MEDIUM | Block Network |
| EDR-007 | T1486 — Ransomware | Impact | CRITICAL | Isolate |
| EDR-008 | T1055.002 — Process Injection | Privilege Escalation | CRITICAL | Isolate |
| EDR-009 | T1053.005 — Scheduled Task | Persistence | MEDIUM | Contain |
| EDR-010 | T1069.001 — Net User Enum | Discovery | LOW | Alert |
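As an added example (not code from this repository), here is a minimal version of the detect-then-respond loop for four of the rules above, written in Python like the project itself. The sample events, the rule logic, the PROCESS_VM_READ threshold for EDR-001 and the severity ordering in the responder are this example's own assumptions; field names follow the Sysmon event schema.

```python
"""Added example, not code from the edr-simulation project: four rules from the
table above as matchers over Sysmon-style events, plus a responder that dispatches
the table's actions. Field names follow Sysmon's schema; the events are constructed."""
import base64, re
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed encoded command, built the way attackers build one (UTF-16LE, then base64).
ENCODED = base64.b64encode("IEX (New-Object Net.WebClient)".encode("utf-16le")).decode()
# Constructed sample events. Sysmon IDs: 1 process create, 10 process access, 13 registry set.
EVENTS = [
    {"EventID": 1, "Computer": "WS-003",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"EventID": 10, "Computer": "CORP-WIN-007",
     "SourceImage": r"C:\Users\bob\AppData\Local\Temp\procdump64.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "Computer": "WS-003",  # benign: AV status query without VM_READ
     "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 13, "Computer": "DESKTOP-015",
     "Image": r"C:\Users\alice\AppData\Roaming\update.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"EventID": 1, "Computer": "SRV-01", "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil.exe -decode payload.b64 payload.exe"},
]

PROCESS_VM_READ = 0x0010  # the access right a credential dumper needs on lsass
SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}
# -EncodedCommand and the short prefixes PowerShell accepts, followed by a base64 blob
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")

@dataclass(frozen=True)
class Rule:
    rule_id: str
    technique: str
    severity: str
    response: str
    match: Callable[[dict], bool]

def lsass_read_access(e: dict) -> bool:
    """EDR-001: lsass.exe opened with PROCESS_VM_READ (Event 10); checking the mask keeps AV queries out."""
    if e.get("EventID") != 10 or not e.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return False
    return int(e.get("GrantedAccess", "0"), 16) & PROCESS_VM_READ != 0

def encoded_powershell(e: dict) -> bool:
    """EDR-002: powershell.exe started with an encoded command (Event 1)."""
    return (e.get("EventID") == 1 and e.get("Image", "").lower().endswith("powershell.exe")
            and ENC_FLAG.search(e.get("CommandLine", "")) is not None)

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Recover the plaintext of an -enc payload for the analyst (base64 of UTF-16LE)."""
    m = ENC_FLAG.search(cmdline)
    return base64.b64decode(m.group(1)).decode("utf-16le", errors="replace") if m else None

def run_key_set(e: dict) -> bool:
    """EDR-004: a value written under a Run or RunOnce key (Event 13)."""
    return e.get("EventID") == 13 and re.search(
        r"\\CurrentVersion\\Run(Once)?\\", e.get("TargetObject", ""), re.I) is not None

def certutil_decode(e: dict) -> bool:
    """EDR-005: certutil invoked as a decoder (Event 1)."""
    return (e.get("EventID") == 1 and e.get("Image", "").lower().endswith("certutil.exe")
            and re.search(r"(?i)\s-decode(hex)?\b", e.get("CommandLine", "")) is not None)

RULES = [
    Rule("EDR-001", "T1003.001", "CRITICAL", "Isolate", lsass_read_access),
    Rule("EDR-002", "T1059.001", "HIGH", "Isolate", encoded_powershell),
    Rule("EDR-004", "T1547.001", "HIGH", "Contain", run_key_set),
    Rule("EDR-005", "T1140", "HIGH", "Contain", certutil_decode),
]

def detect(events: list) -> list:
    """Run every rule over every event; one alert per (rule, event) hit, in event order."""
    alerts = []
    for e in events:
        for r in RULES:
            if r.match(e):
                alerts.append({"rule": r.rule_id, "technique": r.technique, "severity": r.severity,
                               "response": r.response, "host": e["Computer"],
                               "decoded": decode_encoded_command(e.get("CommandLine", ""))
                               if r.rule_id == "EDR-002" else None})
    return alerts

def respond(alerts: list) -> list:
    """Handle CRITICAL first; isolate a host at most once even if several alerts name it."""
    incidents, isolated = [], set()
    for n, a in enumerate(sorted(alerts, key=lambda x: SEVERITY_ORDER[x["severity"]]), 1):
        action = a["response"]
        if action == "Isolate":
            action = "Isolate (already isolated)" if a["host"] in isolated else action
            isolated.add(a["host"])
        incidents.append({"incident_id": f"INC-DET-{n:04d}", "host": a["host"],
                          "rule": a["rule"], "action": action})
    return incidents

if __name__ == "__main__":
    found = detect(EVENTS)
    for a in found: print(f"[{a['severity']}] {a['rule']} {a['host']} {a['technique']}", a["decoded"] or "")
    for inc in respond(found): print(inc["incident_id"], inc["host"], "->", inc["action"])
```

Running the block prints one line per alert and one per incident. The Defender event on WS-003 opens lsass.exe but does not fire EDR-001 because its access mask carries no PROCESS_VM_READ; encoding that distinction in the rule, rather than filtering alerts afterwards, is what keeps a rule like EDR-001 usable at CRITICAL severity with an automatic Isolate action.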
## Project structure
```
edr-simulation/
├── main.py                          # Entry point
├── config/
│   └── settings.py                  # Detection rules, response actions, paths
├── simulator/
│   └── sysmon_simulator.py          # Generates Sysmon-style event telemetry
├── detector/
│   └── detection_engine.py          # Runs ATT&CK-aligned detection rules
├── responder/
│   └── incident_responder.py        # Automated IR — isolate, contain, forensics
├── reports/
│   └── dashboard.py                 # EDR analytics dashboard
├── powershell/
│   ├── Deploy-Sysmon.ps1            # Deploys Sysmon with ATT&CK config
│   └── Invoke-Containment.ps1       # Network isolation / containment script
├── bash/
│   └── collect_linux_artifacts.sh   # Linux forensic artifact collection
├── docs/
│   └── SOP.md                       # Full IR SOP (NIST SP 800-61 aligned)
├── tests/
│   └── test_edr.py                  # Unit tests (pytest)
├── requirements.txt
└── README.md
```
## Quick start
```
git clone https://github.com/arthiya2002/edr-simulation.git
cd edr-simulation
pip install -r requirements.txt
# Full pipeline
python3 main.py --all
# Or step by step
python3 main.py --simulate     # Generate Sysmon event stream
python3 main.py --detect       # Run detection rules
python3 main.py --respond      # Execute automated response
python3 main.py --dashboard    # Build dashboard
```
Then open `reports/dashboard.html` in a browser.
## Sample output
```
[*] Running detection engine against 247 events...
[CRITICAL] EDR-001 CORP-WIN-007 T1003.001 Credential Dumping via LSASS Access
[CRITICAL] EDR-007 LAPTOP-012 T1486 Ransomware — Mass File Encryption
[HIGH] EDR-002 WS-003 T1059.001 Suspicious PowerShell Encoded Command
[HIGH] EDR-003 DESKTOP-015 T1021.002 Lateral Movement via PsExec
DETECTION SUMMARY
  Total Detections : 8
  CRITICAL         : 3
  HIGH             : 4
  MEDIUM           : 1
  Rules Fired      : 7 / 10
[*] Processing 8 detection alerts...
[CRITICAL] EDR-001 CORP-WIN-007 → ISOLATED — CORP-WIN-007 cut from network
[CRITICAL] EDR-007 LAPTOP-012 → ISOLATED — LAPTOP-012 cut from network
Forensics collected: 5 processes, 3 files
```
## PowerShell: deployment on real hosts
```
# Deploy Sysmon with the ATT&CK-aligned config
.\powershell\Deploy-Sysmon.ps1
# Isolate the endpoint after a CRITICAL detection
.\powershell\Invoke-Containment.ps1 -Action isolate -IncidentID INC-DET-0001
# Restore after remediation
.\powershell\Invoke-Containment.ps1 -Action restore -IncidentID INC-DET-0001
```
Whatever mechanism isolation uses, it has to keep the channel to the EDR/management server open; otherwise `-Action restore` can no longer reach the host remotely.
## Linux: forensic collection
```
sudo bash bash/collect_linux_artifacts.sh INC-DET-0001
```
Collected: process list, network connections, authentication logs, cron jobs, SUID binaries, recently modified files.
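As an added example, not the repository's `collect_linux_artifacts.sh`, the following Python collector gathers the same six artifact classes and adds the two things a practitioner wants from a collection script: a fixed volatility order and a hashed manifest that lets the case directory be verified before anyone analyses it. The artifact paths, the 24-hour window for modified files and the 2000-line tail on auth logs are this example's assumptions.

```python
"""Added example, not the project's collect_linux_artifacts.sh: gathers the same artifact
classes in volatility order (live process and socket state before logs and filesystem,
per RFC 3227) and writes a SHA-256 manifest. Paths are the usual Debian/RHEL locations;
a missing or unreadable source yields an empty artifact instead of aborting the run."""
import hashlib, json, os, socket, stat, struct, time
from pathlib import Path
SUID_DIRS = ["/usr/bin", "/usr/sbin", "/bin", "/sbin", "/usr/local/bin", "/usr/local/sbin"]
CRON_PATHS = ["/etc/crontab", "/etc/cron.d", "/etc/cron.hourly", "/etc/cron.daily", "/var/spool/cron"]
AUTH_LOGS = ["/var/log/auth.log", "/var/log/secure"]
RECENT_DIRS = ["/etc", "/tmp", "/var/tmp", "/home", "/root"]
TCP_STATES = {"01": "ESTABLISHED", "06": "TIME_WAIT", "08": "CLOSE_WAIT", "0A": "LISTEN"}

def list_processes() -> list:
    """pid, uid, exe and argv read from /proc directly, so a trojaned ps cannot hide them."""
    rows = []
    for p in Path("/proc").glob("[0-9]*"):
        try:
            argv = (p / "cmdline").read_bytes().replace(b"\0", b" ").decode(errors="replace").strip()
            uid = p.stat().st_uid
        except OSError:
            continue  # process exited mid-walk
        exe = os.readlink(p / "exe") if os.access(p / "exe", os.R_OK) else ""  # "" if kernel thread or not root
        rows.append(f"{p.name}\t{uid}\t{exe}\t{argv or '[kernel thread or zombie]'}")
    return sorted(rows, key=lambda r: int(r.split("\t")[0]))

def _hex_addr(h: str) -> str:
    """/proc/net/tcp writes 127.0.0.1:22 as '0100007F:0016' (little-endian 32-bit words)."""
    ip_hex, port_hex = h.split(":")
    raw = b"".join(struct.pack("<I", int(ip_hex[i:i + 8], 16)) for i in range(0, len(ip_hex), 8))
    ip = socket.inet_ntop(socket.AF_INET if len(raw) == 4 else socket.AF_INET6, raw)
    return f"{ip if len(raw) == 4 else '[' + ip + ']'}:{int(port_hex, 16)}"

def list_connections() -> list:
    """TCP sockets with state, owning uid and inode (the inode maps back to /proc/<pid>/fd)."""
    rows = []
    for table in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            lines = Path(table).read_text().splitlines()[1:]
        except OSError:
            continue
        rows += [f"{_hex_addr(f[1])}\t{_hex_addr(f[2])}\t{TCP_STATES.get(f[3], f[3])}\tuid={f[7]}\tinode={f[9]}"
                 for f in (ln.split() for ln in lines)]
    return rows

def read_files(paths: list, tail: int = 0) -> list:
    """Dump each file (recursing into directories) under a header; tail>0 keeps only the last N lines."""
    rows = []
    for f in (f for top in paths for f in ([Path(top)] if os.path.isfile(top) else
                                           sorted(Path(top).rglob("*")) if os.path.isdir(top) else [])):
        try:
            body = f.read_text(errors="replace").splitlines() if f.is_file() else None
        except OSError:
            continue  # unreadable without root, e.g. /var/spool/cron
        if body is not None:
            rows += [f"=== {f} ==="] + (body[-tail:] if tail else body)
    return rows

def _walk(dirs, keep):
    """Yield (path, stat) for regular files under dirs passing keep(); dirs are resolved so /bin -> /usr/bin is walked once."""
    for d in {os.path.realpath(d) for d in dirs if os.path.isdir(d)}:
        for root, _, files in os.walk(d):
            for name in files:
                try:
                    st = os.lstat(os.path.join(root, name))
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode) and keep(st):
                    yield os.path.join(root, name), st

def find_suid(dirs=SUID_DIRS) -> list:
    """Setuid/setgid binaries with mode and owner."""
    return sorted(f"{st.st_mode & 0o7777:04o}\t{st.st_uid}\t{p}"
                  for p, st in _walk(dirs, lambda st: st.st_mode & (stat.S_ISUID | stat.S_ISGID)))

def recent_files(dirs=RECENT_DIRS, hours=24) -> list:
    """Regular files modified in the last `hours`, timestamped in UTC for timeline building."""
    cutoff = time.time() - hours * 3600
    return sorted(time.strftime("%Y-%m-%dT%H:%M:%SZ\t", time.gmtime(st.st_mtime)) + p
                  for p, st in _walk(dirs, lambda st: st.st_mtime >= cutoff))

ARTIFACTS = {  # insertion order = collection order = volatility order
    "01_processes.txt": list_processes,
    "02_connections.txt": list_connections,
    "03_auth_logs.txt": lambda: read_files(AUTH_LOGS, tail=2000),
    "04_cron.txt": lambda: read_files(CRON_PATHS),
    "05_suid.txt": find_suid,
    "06_recent_files.txt": recent_files,
}

def collect(incident_id: str, out_root: str) -> dict:
    """Write each artifact under out_root/<incident_id>/ plus manifest.json with a SHA-256 per file."""
    out = Path(out_root) / incident_id
    out.mkdir(parents=True, exist_ok=True)
    manifest = {"incident": incident_id, "host": socket.gethostname(),
                "collected_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()), "files": {}}
    for name, fn in ARTIFACTS.items():
        data = ("\n".join(fn()) + "\n").encode()
        (out / name).write_bytes(data)
        manifest["files"][name] = {"sha256": hashlib.sha256(data).hexdigest(), "bytes": len(data)}
    (out / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest

def verify(case_dir: str) -> bool:
    """Re-hash every artifact against manifest.json: the chain-of-custody check before analysis."""
    case = Path(case_dir)
    meta = json.loads((case / "manifest.json").read_text())
    return all(hashlib.sha256((case / n).read_bytes()).hexdigest() == m["sha256"] for n, m in meta["files"].items())
```

Call `collect("INC-DET-0001", "/mnt/evidence")` as root so that other users' processes, `/var/log/auth.log` and `/var/spool/cron` are readable, and point `out_root` at a mounted evidence volume rather than one of the directories being searched, or the collector's own output shows up in the modified-files list. Run `verify()` on the case directory before analysis, and record the manifest's hashes in the incident ticket so a later re-hash proves the artifacts are unchanged.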
## Related projects
Part of a four-project endpoint security suite:
1. **[cis-benchmark-tool](https://github.com/arthiya2002/cis-benchmark-tool)**: Linux CIS audit and remediation
2. **[zero-trust-intune](https://github.com/arthiya2002/zero-trust-intune)**: Windows Zero Trust via Intune
3. **[drift-detector](https://github.com/arthiya2002/ML-Powered-Endpoint-Security-Metrics-Configuration-Drift-Detector)**: ML anomaly detection
4. **edr-simulation** (this project): EDR detection and incident response
## Author
**Arthiya Arun Praveen**
M.S. in Applied Cybersecurity and Digital Forensics, Illinois Institute of Technology
arthiyaarunpraveen31@gmail.com
Tags: AI compliance, EDR, OpenCanary, SIEM dashboard, Sysmon, security simulation, security rule engine, security operations, application security, scanning framework, endpoint detection and response, vulnerability assessment, automated incident response, reverse engineering tools