Abhishek-Sidde-Gowda/apt28-detection-engineering

GitHub: Abhishek-Sidde-Gowda/apt28-detection-engineering

一个基于检测即代码方法的 APT28 威胁检测工程项目,将 Sigma 规则自动转换为 Sentinel KQL 并通过对手模拟验证检测有效性。

Stars: 0 | Forks: 0

# APT28 检测工程实验室 一个检测即代码项目,将 APT28 (Fancy Bear) 的 TTP 映射到 Sigma 规则,通过对手模拟进行验证,并部署到 Microsoft Sentinel。 ## 项目目标 - 将 APT28 已知的 ATT&CK 技术映射到自定义的 Sigma 检测规则 - 通过 CI/CD (GitHub Actions) 自动将规则转换为 Sentinel KQL - 使用 Atomic Red Team 模拟验证检测 - 通过量化的前后指标来衡量和提高检测覆盖率 ## 架构 ``` Home Lab VMs (Windows + Linux) │ ▼ Sysmon + AMA + Azure Arc Microsoft Sentinel (Log Analytics Workspace) │ ▼ KQL queries deployed from CI/CD Detection Rules ← converted from Sigma by GitHub Actions ``` ## 仓库结构 ``` sigma-rules/ # Detection rules written in Sigma format initial-access/ execution/ persistence/ defense-evasion/ credential-access/ discovery/ lateral-movement/ exfiltration/ converted/ sentinel-kql/ # Auto-converted KQL (generated, do not edit manually) emulation/ atomic-tests/ # Atomic Red Team test plans mapped to APT28 metrics/ # Detection coverage reports (before/after tuning) docs/ # Methodology, ATT&CK coverage map, screenshots screenshots/ ``` ## APT28 ATT&CK 覆盖范围 | 战术 | 技术 | 子技术 | Sigma 规则 | 已验证 | |--------|-----------|---------------|------------|-----------| | Initial Access | T1566 Phishing | T1566.001 Spearphishing Attachment | ✅ | ⬜ | | Execution | T1059 Command Interpreter | T1059.001 PowerShell | ✅ | ⬜ | | Persistence | T1547 Boot Autostart | T1547.001 Registry Run Keys | ✅ | ⬜ | | Defense Evasion | T1055 Process Injection | T1055.001 DLL Injection | ✅ | ⬜ | | Credential Access | T1003 OS Credential Dumping | T1003.001 LSASS Memory | ✅ | ⬜ | | Discovery | T1082 System Info Discovery | — | ✅ | ⬜ | | Lateral Movement | T1021 Remote Services | T1021.001 RDP | ✅ | ⬜ | | Exfiltration | T1041 Exfil Over C2 Channel | — | ✅ | ⬜ | ## 方法论 1. **威胁模型** — 从 MITRE ATT&CK (Group G0007) 中选择 APT28 TTP 2. **检测假设** — 编写针对每种技术的 Sigma 规则 3. **部署** — GitHub Actions 在 push 时自动将 Sigma 转换为 KQL 4. **模拟** — Atomic Red Team 运行并在实验室中模拟每个 TTP 5. **验证** — 确认规则触发,衡量 MTTD,调整误报 6. **指标** — 记录调整前后的覆盖率 % ## 结果 | 指标 | 数值 | |--------|-------| | 检测覆盖率 | 5/8 技术 (62.5%) | | 平均 MTTD | 36.6 秒 | | 误报率 | 0% | | 已验证规则 | T1059.001, T1003.001, T1547.001, T1055.001, T1082 | 请参阅 [sample-data/kql_query_results.md](sample-data/kql_query_results.md) 获取完整的查询输出和各规则的验证详情。 ## 实验室环境 - **SIEM:** Microsoft Sentinel (Log Analytics Workspace,免费层) - **日志源:** 配备 Sysmon 的 Windows VM (Olaf Hartong 配置) - **连接:** Azure Arc + Azure Monitor Agent (AMA) - **模拟:** Atomic Red Team - **规则格式:** Sigma → KQL (通过 pySigma + sigma-cli) ## 参考 - [MITRE ATT&CK G0007 - APT28](https://attack.mitre.org/groups/G0007/) - [Sigma 项目](https://github.com/SigmaHQ/sigma) - [Atomic Red Team](https://github.com/redcanaryco/atomic-red-team) - [Olaf Hartong Sysmon 配置](https://github.com/olafhartong/sysmon-modular)
标签:AMSI绕过, Microsoft Sentinel, OpenCanary, PE 加载器, Reconnaissance, Sigma规则, 威胁检测, 安全运营, 扫描框架, 无线安全, 检测即代码, 目标导入