关联事件检测APT横向移动

v20260601

implementing-siem-correlation-rules-for-apt

本指南详细介绍了如何部署高级SIEM关联规则，以检测复杂的APT攻击行为。通过跨主机关联多种事件类型（包括Windows认证、进程执行和网络连接日志），用户可以挖掘出单个事件无法发现的复杂攻击链，用于强化安全防御和满足合规要求。

SIEM 安全运营 APT检测关联规则横向移动 Windows日志 Splunk Sigma

获取技能

481 次下载

概览

Implementing SIEM Correlation Rules for APT

When to Use

When deploying or configuring implementing siem correlation rules for apt capabilities in your environment
When establishing security controls aligned to compliance requirements
When building or improving security architecture for this domain
When conducting security assessments that require this implementation

Prerequisites

Familiarity with security operations concepts and tools
Access to a test or lab environment for safe execution
Python 3.8+ with required dependencies installed
Appropriate authorization for any testing activities

Instructions

Install dependencies: pip install requests pyyaml sigma-cli
Connect to the Splunk REST API and define correlation searches that chain multiple event types across hosts.
Build Sigma rules in YAML that express multi-step detection logic for lateral movement patterns:
- RDP logon (4624 LogonType=10) followed by service installation (7045) on same target within 15 minutes
- Pass-the-Hash: NTLM logon (4624 LogonType=3) followed by process creation (4688) of admin tools
- PsExec-style: Named pipe creation (Sysmon 17/18) correlated with remote service creation (7045)
Convert Sigma rules to Splunk SPL using sigma-cli convert.
Deploy correlation searches to Splunk ES via the REST API.
Run the agent to generate and install correlation rules, then audit existing rules for coverage gaps.

python scripts/agent.py --splunk-url https://localhost:8089 --username admin --password changeme --output correlation_report.json

Examples

Detect RDP Lateral Movement Chain

index=wineventlog (EventCode=4624 Logon_Type=10) OR (EventCode=7045)
| transaction Computer maxspan=15m startswith=(EventCode=4624) endswith=(EventCode=7045)
| where eventcount >= 2
| table _time Computer Account_Name ServiceName

Sigma Rule for PsExec Lateral Movement

title: PsExec Lateral Movement Detection
logsource:
  product: windows
  service: sysmon
detection:
  pipe_created:
    EventID: 17
    PipeName|startswith: '\PSEXESVC'
  service_installed:
    EventID: 7045
    ServiceFileName|contains: 'PSEXESVC'
  timeframe: 5m
  condition: pipe_created | near service_installed
level: high

信息

Category 编程开发

Name implementing-siem-correlation-rules-for-apt

版本 v20260601

大小 9.96KB

Source mukul975/Anthropic-Cybersecurity-Skills

更新时间 2026-06-03