Implements multi-event correlation rules in Splunk SPL and Sigma formats to detect APT lateral movement by linking Windows events (4624, 4648, 4688) and Sysmon (1/3) across hosts in time windows.
`npx claudepluginhub killvxk/cybersecurity-skills-zh`

This skill uses the workspace's default tool permissions.
1. Install dependencies: `pip install requests pyyaml sigma-cli`
Detects attacker lateral movement across networks using Splunk SPL queries on Windows authentication logs, SMB traffic, and remote service abuse. Useful for threat hunting TA0008 in SIEM setups.
2. Convert the Sigma rules to Splunk SPL with `sigma-cli convert`.
3. Run the correlation agent against Splunk: `python scripts/agent.py --splunk-url https://localhost:8089 --username admin --password changeme --output correlation_report.json`
```spl
index=wineventlog (EventCode=4624 Logon_Type=10) OR (EventCode=7045)
| transaction Computer maxspan=15m startswith=(EventCode=4624) endswith=(EventCode=7045)
| where eventcount >= 2
| table _time Computer Account_Name ServiceName
```
```yaml
title: PsExec 横向移动检测
logsource:
  product: windows
  service: sysmon
detection:
  pipe_created:
    EventID: 17
    PipeName|startswith: '\PSEXESVC'
  service_installed:
    EventID: 7045
    ServiceFileName|contains: 'PSEXESVC'
  timeframe: 5m
  condition: pipe_created | near service_installed
level: high
```
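As an added example (not the skill's own `scripts/agent.py` and not code from the page), the following Python reproduces the two correlation semantics used above over a constructed in-memory event set: the ordered SPL `transaction ... startswith/endswith` with `maxspan` and `eventcount >= 2`, and the unordered Sigma `near` with a `timeframe`. Field names (`Logon_Type`, `PipeName`, `ServiceFileName`) follow the rules above; the hosts, timestamps and values are made up so the window logic can be checked without a Splunk instance.

```python
"""Time-window correlation of Windows/Sysmon events on a per-host basis.
Added example; the events below are constructed, not real telemetry."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Tuple


@dataclass
class Event:
    time: datetime
    computer: str
    event_id: int
    fields: Dict[str, str] = field(default_factory=dict)


Predicate = Callable[[Event], bool]
Match = Tuple[str, datetime, datetime]  # (host, earlier event time, later event time)


def transaction(events: List[Event], startswith: Predicate, endswith: Predicate,
                maxspan: timedelta) -> List[Match]:
    """Ordered correlation, like SPL `transaction Computer maxspan=... startswith=...
    endswith=...` followed by `where eventcount >= 2`: an end event only fires if the
    same host saw a start event at most `maxspan` earlier."""
    open_start: Dict[str, Event] = {}  # latest unmatched start event per host
    matches: List[Match] = []
    for ev in sorted(events, key=lambda e: e.time):
        if startswith(ev):
            open_start[ev.computer] = ev  # a newer start reopens the window
        elif endswith(ev):
            first = open_start.pop(ev.computer, None)
            if first is not None and ev.time - first.time <= maxspan:
                matches.append((ev.computer, first.time, ev.time))
    return matches


def near(events: List[Event], left: Predicate, right: Predicate,
         timeframe: timedelta) -> List[Match]:
    """Unordered correlation, like Sigma `left | near right` with a `timeframe`:
    both events must occur on the same host within the window, in either order."""
    by_host: Dict[str, List[Event]] = {}
    for ev in events:
        by_host.setdefault(ev.computer, []).append(ev)
    matches: List[Match] = []
    for host, evs in by_host.items():
        lefts = [e for e in evs if left(e)]
        rights = [e for e in evs if right(e)]
        for l in lefts:
            for r in rights:
                if abs(l.time - r.time) <= timeframe:
                    matches.append((host, min(l.time, r.time), max(l.time, r.time)))
    return matches


def detect_rdp_then_service(events: List[Event]) -> List[Match]:
    """Mirror of the SPL query: interactive RDP logon (4624, type 10) followed by a
    service installation (7045) on the same host within 15 minutes."""
    return transaction(
        events,
        startswith=lambda e: e.event_id == 4624 and e.fields.get("Logon_Type") == "10",
        endswith=lambda e: e.event_id == 7045,
        maxspan=timedelta(minutes=15),
    )


def detect_psexec_pipe_near_service(events: List[Event]) -> List[Match]:
    """Mirror of the Sigma rule: a \\PSEXESVC named pipe (Sysmon 17) within 5 minutes
    of a 7045 whose ServiceFileName contains PSEXESVC."""
    return near(
        events,
        left=lambda e: e.event_id == 17 and e.fields.get("PipeName", "").startswith("\\PSEXESVC"),
        right=lambda e: e.event_id == 7045 and "PSEXESVC" in e.fields.get("ServiceFileName", ""),
        timeframe=timedelta(minutes=5),
    )


def _t(h: int, m: int) -> datetime:
    return datetime(2024, 1, 15, h, m)


# Constructed sample: WS01 should match both rules, WS02 falls outside both windows,
# WS03 has a lone 7045, SRV01 has a network (type 3) logon that is not a start event.
SAMPLE_EVENTS: List[Event] = [
    Event(_t(10, 0), "WS01", 4624, {"Logon_Type": "10", "Account_Name": "jdoe"}),
    Event(_t(10, 4), "WS01", 17, {"PipeName": "\\PSEXESVC-WS01-1234-stdin"}),
    Event(_t(10, 5), "WS01", 7045, {"ServiceFileName": "%SystemRoot%\\PSEXESVC.exe"}),
    Event(_t(9, 0), "WS02", 4624, {"Logon_Type": "10", "Account_Name": "asmith"}),
    Event(_t(9, 20), "WS02", 17, {"PipeName": "\\PSEXESVC-WS02-5678-stdout"}),
    Event(_t(9, 30), "WS02", 7045, {"ServiceFileName": "%SystemRoot%\\PSEXESVC.exe"}),
    Event(_t(11, 0), "WS03", 7045, {"ServiceFileName": "C:\\Windows\\Temp\\agent.exe"}),
    Event(_t(12, 0), "SRV01", 4624, {"Logon_Type": "3", "Account_Name": "svc-backup"}),
    Event(_t(12, 2), "SRV01", 7045, {"ServiceFileName": "C:\\Program Files\\Backup\\bk.exe"}),
]

if __name__ == "__main__":
    for name, fn in (("rdp_then_service", detect_rdp_then_service),
                     ("psexec_pipe_near_service", detect_psexec_pipe_near_service)):
        for host, t1, t2 in fn(SAMPLE_EVENTS):
            print(f"{name}: {host} {t1:%H:%M} -> {t2:%H:%M}")
```

Running it reports only WS01 for both rules: WS02 has the same event sequence but spread over 30 and 10 minutes, which the 15-minute `maxspan` and 5-minute `timeframe` exclude, and SRV01's type-3 logon never opens a transaction. When tuning the real rules, these window sizes are the main knob between missed slow-moving operators and noise from legitimate administration.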