Abhishek-Sidde-Gowda/apt28-detection-engineering
GitHub: Abhishek-Sidde-Gowda/apt28-detection-engineering
一个基于检测即代码方法的 APT28 威胁检测工程项目,将 Sigma 规则自动转换为 Sentinel KQL 并通过对手模拟验证检测有效性。
Stars: 0 | Forks: 0
# APT28 检测工程实验室
一个检测即代码项目,将 APT28 (Fancy Bear) 的 TTP 映射到 Sigma 规则,通过对手模拟进行验证,并部署到 Microsoft Sentinel。
## 项目目标
- 将 APT28 已知的 ATT&CK 技术映射到自定义的 Sigma 检测规则
- 通过 CI/CD (GitHub Actions) 自动将规则转换为 Sentinel KQL
- 使用 Atomic Red Team 模拟验证检测
- 通过量化的前后指标来衡量和提高检测覆盖率
## 架构
```
Home Lab VMs (Windows + Linux)
│
▼ Sysmon + AMA + Azure Arc
Microsoft Sentinel (Log Analytics Workspace)
│
▼ KQL queries deployed from CI/CD
Detection Rules ← converted from Sigma by GitHub Actions
```
## 仓库结构
```
sigma-rules/ # Detection rules written in Sigma format
initial-access/
execution/
persistence/
defense-evasion/
credential-access/
discovery/
lateral-movement/
exfiltration/
converted/
sentinel-kql/ # Auto-converted KQL (generated, do not edit manually)
emulation/
atomic-tests/ # Atomic Red Team test plans mapped to APT28
metrics/ # Detection coverage reports (before/after tuning)
docs/ # Methodology, ATT&CK coverage map, screenshots
screenshots/
```
## APT28 ATT&CK 覆盖范围
| 战术 | 技术 | 子技术 | Sigma 规则 | 已验证 |
|--------|-----------|---------------|------------|-----------|
| Initial Access | T1566 Phishing | T1566.001 Spearphishing Attachment | ✅ | ⬜ |
| Execution | T1059 Command Interpreter | T1059.001 PowerShell | ✅ | ⬜ |
| Persistence | T1547 Boot Autostart | T1547.001 Registry Run Keys | ✅ | ⬜ |
| Defense Evasion | T1055 Process Injection | T1055.001 DLL Injection | ✅ | ⬜ |
| Credential Access | T1003 OS Credential Dumping | T1003.001 LSASS Memory | ✅ | ⬜ |
| Discovery | T1082 System Info Discovery | — | ✅ | ⬜ |
| Lateral Movement | T1021 Remote Services | T1021.001 RDP | ✅ | ⬜ |
| Exfiltration | T1041 Exfil Over C2 Channel | — | ✅ | ⬜ |
## 方法论
1. **威胁模型** — 从 MITRE ATT&CK (Group G0007) 中选择 APT28 TTP
2. **检测假设** — 编写针对每种技术的 Sigma 规则
3. **部署** — GitHub Actions 在 push 时自动将 Sigma 转换为 KQL
4. **模拟** — Atomic Red Team 运行并在实验室中模拟每个 TTP
5. **验证** — 确认规则触发,衡量 MTTD,调整误报
6. **指标** — 记录调整前后的覆盖率 %
## 结果
| 指标 | 数值 |
|--------|-------|
| 检测覆盖率 | 5/8 技术 (62.5%) |
| 平均 MTTD | 36.6 秒 |
| 误报率 | 0% |
| 已验证规则 | T1059.001, T1003.001, T1547.001, T1055.001, T1082 |
请参阅 [sample-data/kql_query_results.md](sample-data/kql_query_results.md) 获取完整的查询输出和各规则的验证详情。
## 实验室环境
- **SIEM:** Microsoft Sentinel (Log Analytics Workspace,免费层)
- **日志源:** 配备 Sysmon 的 Windows VM (Olaf Hartong 配置)
- **连接:** Azure Arc + Azure Monitor Agent (AMA)
- **模拟:** Atomic Red Team
- **规则格式:** Sigma → KQL (通过 pySigma + sigma-cli)
## 参考
- [MITRE ATT&CK G0007 - APT28](https://attack.mitre.org/groups/G0007/)
- [Sigma 项目](https://github.com/SigmaHQ/sigma)
- [Atomic Red Team](https://github.com/redcanaryco/atomic-red-team)
- [Olaf Hartong Sysmon 配置](https://github.com/olafhartong/sysmon-modular)
标签:AMSI绕过, Microsoft Sentinel, OpenCanary, PE 加载器, Reconnaissance, Sigma规则, 威胁检测, 安全运营, 扫描框架, 无线安全, 检测即代码, 目标导入