## Disclaimer

This repository (lesson) is strictly for educational, research, and defensive purposes only. CRITICAL NOTE: This is a SAFE SIMULATION designed to teach defensive concepts. The code is not intended to be, and should never be used as, a functional offensive tool or weapon.
It is NOT a guarantee of security. Cybersecurity is about reducing risk, not eliminating it.
The core schematics for understanding the logic are in README.md.
Source files and advanced tools are separated for expert use only, prioritizing responsible learning over potential misuse.
Legal Authority is MANDATORY: Before any monitoring, testing, or analysis, you must possess explicit, written, and verifiable legal authority from the network owner.
Consequences: Unauthorized access, monitoring, or testing is strictly illegal and will lead to severe civil and criminal penalties, including imprisonment.
By using this repository, you agree you are solely responsible for adhering to all applicable laws and regulations. The project contributors are not liable for any misuse or damage caused by this lesson (repo).
**Important:** Think before you type!

💡 **Expert Highlight:** Don't miss the Advanced Jitter Analysis in the Continuous Monitoring workflow! This logic represents high-fidelity threat hunting and is the most advanced, non-simulated component of this repository.
- Disclaimer
- Background & Mission
- SIEM Basics
- Setup Options
- Installing Sigma Tools
- Known White-Label Implementations
- Detection Labs
- TLS Fingerprinting + JA3/JA4
- Sigma Rule Generator
- Test Data Simulation
- BSI-Compliant Hardening
- Threat Hunting Playbook
- Automated Testing
- Learning Resources
- Analyst Field Guide
- Interactive Training
- Operational Security Notice
- Support This Project
- Credits
Continuous Monitoring Implementation Mode
## Background & Mission

Technology is never neutral. This project was born from that understanding.
Powerful data analysis and surveillance technology, like that developed by Palantir, is now a globally traded commodity. It is sold to governments and organizations with little to no ethical oversight regarding their human rights records or political objectives. In the hands of democratic states, it promises security. In the hands of authoritarian regimes, it becomes a weapon for the oppression of minorities, journalists, and political dissenters.
This fundamental imbalance of power is the reason this repository exists.
Our mission is to help level the playing field. We provide open-source tools and hands-on labs to detect the digital fingerprints of these powerful surveillance platforms. By using vendor-agnostic Sigma rules and free SIEM platforms, we make these detection capabilities accessible to everyone—not just those with nation-state budgets.
This is more than a technical exercise; it is an act of digital transparency. The goal is to empower security analysts, researchers, and defenders to recognize these patterns, understand their implications, and hold powerful actors accountable. We believe that the best defense against the abuse of surveillance technology is a well-informed, prepared, and ethically-minded community.
## SIEM Basics

Security Information & Event Management (SIEM) tools collect, normalize, and analyze logs from multiple sources (firewalls, servers, endpoints). Popular options:
- Elastic Security – Open source, flexible.
- Splunk Free – Industry standard, free tier (500 MB/day).
- Wazuh – All-in-one open-source XDR.
## Setup Options

| Tool | Setup Guide | Best For |
|---|---|---|
| Elastic | Elastic Security VM | Open-source deployments |
| Splunk Free | Splunk Free Download | Industry familiarity |
| Wazuh | Wazuh VM | Combined SIEM + XDR |
## Installing Sigma Tools

Sigma rules are vendor-agnostic detection rules. Convert them to your SIEM format with sigmatools:

```bash
pip install sigmatools
```
## Known White-Label Implementations

**Please Note:** The indicator names listed below (e.g., POLiS, vs-dataharvester, Berlin-7) are FICTITIOUS EXAMPLES (placeholders) created for this training simulation. They are designed to teach the structure of indicators (IOCs) without exposing classified information or compromising active investigations. Real-world advanced persistent threats (APTs) use generic names (e.g., svchost.exe) to hide. This lab teaches you the logic of detection, using these distinct names to make the learning process easier.
| Agency/Country | Cover Name | Technical Fingerprints |
|---|---|---|
| Hessian Police (DE) | POLiS | User-Agent: HessPol/2.0, JA3: a387c3a7a4d..., Path: /polis/v1/heartbeat |
| BKA (DE) | BDA-Analytik | Certificate Issuer: CN=BKA-INTERNAL-CA, Chunk Size: 131072 bytes |
| Verfassungsschutz | VS-Datarium | Process: vs-dataharvester.exe, TLS ALPN: h2 |
| France DGSE | ATLAS-Nexus | HTTP Header: X-ATLAS-Auth: ENC[base64], Port: 58444 |
| UK MI5 | MINERVA | DNS Pattern: minerva-*.internal-gov.uk, TLS SNI: secure-gchq |
| NSA (USA) | TRITON-X | User-Agent: TritonX/3.1, JA3: 5d4a..., HTTP Header: X-TX-Auth: [rot13], Port 8443 |
| GCHQ (UK) | MORPHEUS | DNS-Tunneling via *.morph-tech.uk, Process: morpheus_loader.dll (injected in svchost.exe) |
| BND (DE) | BERLIN-7 | Data Chunks: 262144 bytes, Registry Key: HKLM\SOFTWARE\Berlin7\Config, Mutex: Global\B7_DataLock |
| DGSE (FR) | LYRA-9 | UDP Beaconing on Port 4789, Process: lyra_service.exe, CLI Arg: --no-netlog |
| AISE (IT) | SPECTRE-V | ICMP Payloads (Type=69), File Path: C:\Windows\Temp\spv_[RANDOM].tmp, JA4: t13d... |
## Detection Labs

File: rules/palantir_beaconing.yml

```yaml
title: Palantir Beaconing to AWS
logsource:
  category: firewall
detection:
  selection:
    destination.ip:
      - '52.0.0.0/8'   # AWS US-East
    destination.port: 443
  timeframe: 5m
  condition: selection | count(destination.ip) by source.ip > 15
level: high
```

Convert for Elastic:

```bash
sigma convert -t es-rule rules/palantir_beaconing.yml
```

File: rules/suspicious_gov_process.yml

```yaml
title: Suspicious Government Process Execution
description: Detects potential white-labeled agents with multiple indicators
logsource:
  category: process_creation
detection:
  selection:
    Image|endswith:
      - '\polis-agent.exe'
      - '\bda-analytics.exe'
      - '\vs-dataharvester.exe'
      - '\lyra_service.exe'
    ParentImage|endswith: '\explorer.exe'
    CommandLine|contains:
      - '--stealth'
      - '--no-log'
    CurrentDirectory|contains:
      - '\Public\\'
      - '\Temp\\'
  condition: selection
level: high
```

File: rules/hessen_polis.yml

```yaml
title: Hessen POLiS Beaconing
description: Detects 5-min intervals of Hessian police system
logsource:
  product: firewall
detection:
  selection:
    dst_port: 443
    http.uri: '/polis/v1/heartbeat'
    http.user_agent: 'HessPol/*'
    ja3_hash: 'a387c3a7a4d...'   # fictitious hash for the simulation
  timeframe: 5m
  condition: selection | count > 3
level: critical
tags:
  - palantir
  - white_label
  - germany
```

File: rules/gov_dataexfil.yml

```yaml
title: Government-Style Data Chunking
logsource:
  category: proxy
detection:
  selection:
    c-uri|contains: '/upload'
    content_length: '131072'   # exact chunk size
  condition: selection
level: high
```

File: rules/morpheus_dns.yml

```yaml
title: MORPHEUS DNS Tunneling
logsource:
  category: dns
detection:
  selection:
    query|re: '.*\.morph-tech\.uk$'
    query_length|gt: 60   # numeric comparison via the gt modifier
  condition: selection
level: high
```

## TLS Fingerprinting + JA3/JA4

What it is: TLS fingerprinting identifies clients based on unique characteristics of their TLS handshake configuration.

Implementation:

```yaml
title: Known POLiS JA3 Fingerprint
logsource:
  category: firewall
detection:
  selection:
    ja3_hash: 'a387c3a7a4d...'   # example fingerprint
  condition: selection
level: high
```

Tools to capture JA3:

- Suricata with the `ja3` keyword
- Zeek with the JA3 script
- Custom Python: `pip install ja3er`
Advanced usage needed? Have a look at ja3_ja4_guide.md.
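To make the "unique characteristics of the handshake" concrete, here is an added example, written for this README and not part of the repository's tools, Suricata or Zeek, that builds a JA3 string from the five ClientHello fields the algorithm uses and MD5-hashes it. The ClientHello values in `SAMPLE_HELLO` are constructed for the example, not taken from a capture, and the `a387c3a7a4d...` placeholder used in the rules above is not derived from them.

```python
import hashlib

# JA3 joins five ClientHello fields, each as decimal integers:
#   SSLVersion,Cipher,SSLExtension,EllipticCurve,EllipticCurvePointFormat
# Values inside a field are joined with '-', fields with ','; the string is MD5-hashed.


def is_grease(value: int) -> bool:
    """GREASE values (RFC 8701) have the form 0x?a?a with both bytes equal
    (0x0a0a, 0x1a1a, ..., 0xfafa). Clients randomise them per connection, so JA3
    drops them; otherwise the same client would yield a different hash each time."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def ja3_string(version, ciphers, extensions, curves, point_formats) -> str:
    fields = [
        [version],
        [c for c in ciphers if not is_grease(c)],
        [e for e in extensions if not is_grease(e)],
        [g for g in curves if not is_grease(g)],
        list(point_formats),
    ]
    return ",".join("-".join(str(v) for v in field) for field in fields)


def ja3_hash(fingerprint: str) -> str:
    # MD5 is an identifier here, not a security primitive: JA3 is defined with it.
    return hashlib.md5(fingerprint.encode("ascii")).hexdigest()


def fingerprint_client_hello(hello: dict) -> tuple:
    """Return (JA3 string, JA3 hash) for a dict of ClientHello field lists."""
    s = ja3_string(**hello)
    return s, ja3_hash(s)


# Constructed ClientHello values for the example (not a real capture).
# The 0x?a?a entries are GREASE and must not influence the fingerprint.
SAMPLE_HELLO = {
    "version": 0x0303,  # 771: the legacy_version field a TLS 1.2/1.3 client sends
    "ciphers": [0x0A0A, 0x1301, 0x1302, 0x1303, 0xC02B],
    "extensions": [0x2A2A, 0, 23, 65281, 10, 11],
    "curves": [0x4A4A, 29, 23, 24],
    "point_formats": [0],
}

# The same client on a later connection: only the randomised GREASE values changed.
SAMPLE_HELLO_LATER = {
    **SAMPLE_HELLO,
    "ciphers": [0x5A5A, 0x1301, 0x1302, 0x1303, 0xC02B],
    "extensions": [0xBABA, 0, 23, 65281, 10, 11],
    "curves": [0xFAFA, 29, 23, 24],
}


def fingerprint_is_stable() -> bool:
    """True when GREASE rotation does not change the JA3 hash."""
    return (fingerprint_client_hello(SAMPLE_HELLO)[1]
            == fingerprint_client_hello(SAMPLE_HELLO_LATER)[1])


if __name__ == "__main__":
    s, h = fingerprint_client_hello(SAMPLE_HELLO)
    print(s)
    print(h)
```

Two practical points follow from the construction: a client controls every input, so reordering its cipher list changes its JA3, and many unrelated programs built on the same TLS library share one hash. Treat a JA3 match as corroboration for the behavioural rules above, not as identification on its own; JA4 sorts the values to be somewhat more robust, but the same caveat applies.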
## Sigma Rule Generator

Create custom detection rules for white-labeled instances:

```python
# tools/generate_sigma.py
# Interactive helper: asks for the indicators and prints a Sigma rule skeleton.
agency = input("Agency name: ")
codename = input("Cover name: ")
signature = input("Unique signature (JA3/path/etc): ")

sigma_rule = f"""
title: {agency} {codename} Detection
logsource:
  category: network
detection:
  selection:
    http.user_agent: '*{codename}*'
    ja3_hash: '{signature}'   # Use strongest available indicator
  condition: selection
level: critical
"""
print(f"Generated rule:\n{sigma_rule}")
```

## Test Data Simulation

```python
# tools/simulate_palantir.py
# Emits one POST every five minutes so the beaconing rules above have events to match.
import requests, time

target_url = "https://gotham.palantir.com/beacon"
headers = {"User-Agent": "Palantir-Custom-Agent/1.0"}

while True:
    requests.post(target_url, headers=headers, data="SIMULATED", timeout=10)
    time.sleep(300)  # 5 minutes
```

```bash
docker run -it --rm palantir-simulator:latest
```
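To check which simulated events a rule would and would not fire on, here is a small Sigma-style matcher, added as an example for this README; it is not sigmatools and not part of the repository. It carries the `selection` blocks of the process, DNS and JA3 rules from the Detection Labs as Python dicts, implements the `endswith`, `contains`, `startswith`, `re` and numeric (`gt`/`lt`) modifiers, and runs them over constructed events. `run_rules`, `rule_matches` and `SAMPLE_EVENTS` are names of this example only.

```python
import re

# Rules mirror the selection blocks of the YAML rules above (only 'condition: selection').
PROCESS_RULE = {
    "title": "Suspicious Government Process Execution",
    "detection": {
        "selection": {
            "Image|endswith": ["\\polis-agent.exe", "\\bda-analytics.exe",
                               "\\vs-dataharvester.exe", "\\lyra_service.exe"],
            "ParentImage|endswith": "\\explorer.exe",
            "CommandLine|contains": ["--stealth", "--no-log"],
            "CurrentDirectory|contains": ["\\Public\\", "\\Temp\\"],
        },
        "condition": "selection",
    },
}
DNS_RULE = {
    "title": "MORPHEUS DNS Tunneling",
    "detection": {
        "selection": {"query|re": r".*\.morph-tech\.uk$", "query_length|gt": 60},
        "condition": "selection",
    },
}
JA3_RULE = {
    "title": "Known POLiS JA3 Fingerprint",
    "detection": {"selection": {"ja3_hash": "a387c3a7a4d..."}, "condition": "selection"},
}
RULES = [PROCESS_RULE, DNS_RULE, JA3_RULE]


def _match_value(modifier, actual, expected) -> bool:
    """Compare one event value against one rule value under a Sigma modifier."""
    if modifier in ("gt", "gte", "lt", "lte"):
        try:
            a, e = float(actual), float(expected)
        except (TypeError, ValueError):
            return False
        return {"gt": a > e, "gte": a >= e, "lt": a < e, "lte": a <= e}[modifier]
    if modifier == "re":
        return re.search(str(expected), str(actual)) is not None
    # Sigma string matching is case-insensitive.
    a, e = str(actual).lower(), str(expected).lower()
    if modifier is None:
        return a == e
    if modifier == "contains":
        return e in a
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    raise ValueError(f"unsupported modifier: {modifier}")


def _match_field(event, field_spec, expected) -> bool:
    """'Field|modifier' against an event; a list of expected values is an OR."""
    field, _, modifier = field_spec.partition("|")
    if field not in event:
        return False
    candidates = expected if isinstance(expected, list) else [expected]
    return any(_match_value(modifier or None, event[field], v) for v in candidates)


def _match_selection(event, selection) -> bool:
    """A map is an AND of its fields; a list of maps is an OR."""
    if isinstance(selection, list):
        return any(_match_selection(event, s) for s in selection)
    return all(_match_field(event, k, v) for k, v in selection.items())


def rule_matches(rule, event) -> bool:
    detection = rule["detection"]
    if detection.get("condition") != "selection":
        raise NotImplementedError("this matcher only supports 'condition: selection'")
    return _match_selection(event, detection["selection"])


def run_rules(rules, events):
    """Return (rule title, event index) for every rule that fires on an event."""
    return [(rule["title"], i) for i, event in enumerate(events)
            for rule in rules if rule_matches(rule, event)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # 0: all four selectors of the process rule are satisfied
        "Image": "C:\\Users\\Public\\lyra_service.exe",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "CommandLine": "lyra_service.exe --no-log",
        "CurrentDirectory": "C:\\Users\\Public\\",
    },
    {   # 1: same binary name from a normal install path without the flags: no hit
        "Image": "C:\\Program Files\\Vendor\\lyra_service.exe",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "CommandLine": "lyra_service.exe --verbose",
        "CurrentDirectory": "C:\\Program Files\\Vendor\\",
    },
    {"query": "a3f9" * 16 + ".morph-tech.uk", "query_length": 78},  # 2: long encoded label
    {"query": "www.morph-tech.uk", "query_length": 17},             # 3: short, no hit
    {"ja3_hash": "a387c3a7a4d..."},                                  # 4: placeholder JA3
]


if __name__ == "__main__":
    for title, idx in run_rules(RULES, SAMPLE_EVENTS):
        print(f"{title!r} fired on event {idx}")
```

A real converter (sigmatools or the SIEM's own engine) evaluates the rules for you; this matcher exists only to reason about coverage before deploying. Event 1 shows why the process rule ANDs several indicators: the binary name alone would also flag a legitimately installed program, and event 3 shows the `query_length` threshold keeping ordinary lookups of the same domain out of the alert stream.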
## BSI-Compliant Hardening

- Certificate Pinning

  ```bash
  # Extract the server certificate's SHA-256 fingerprint
  # (stdin closed so s_client exits; -noout prints only the fingerprint)
  openssl s_client -connect target:443 </dev/null 2>/dev/null | openssl x509 -noout -fingerprint -sha256
  ```

- Network Segmentation
  - Isolate systems communicating with government networks
  - Implement strict egress filtering

- Audit Requirements (§ 26 BDSG)
  - Log all access to sensitive data repositories
  - Retention period: minimum 6 months
## Threat Hunting Playbook

```yaml
name: Palantir-Like Activity Hunt
steps:
  - phase: Network Anomalies
    actions:
      - "Search for periodic 5-min connections"
      - "Identify JA3 fingerprints not in allowlist"
      - "Detect unusual DNS patterns (*.morph-tech.uk)"
  - phase: Process Analysis
    tools:
      - "Sysmon EventID 1 (Process Creation)"
      - "Check for unsigned binaries in temp locations"
  - phase: Data Flow
    indicators:
      - "131072/262144 byte upload chunks"
      - "Unusual data transfers to cloud providers"
```
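The first playbook phase asks you to search for periodic 5-minute connections. The block below is an added example of how to score that from firewall logs; it was written for this README and is not the repository's Continuous Monitoring workflow or its jitter analysis. It groups connections per source, destination and port, computes inter-arrival times, and reports the median interval together with a relative jitter figure (median absolute deviation divided by the median). The log lines in `SAMPLE_LOG` are constructed, and `find_beacons`, `interval_stats` and the key=value field names are the example's own.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed firewall log lines (key=value, ISO timestamps). Not real traffic.
# 10.0.0.5 connects every ~300 s with a couple of seconds of drift (a beacon),
# 10.0.0.7 connects at irregular, human-looking times, 10.0.0.9 only twice.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z src=10.0.0.5 dst=52.10.20.30 dport=443 action=allow
2024-05-01T10:00:00Z src=10.0.0.7 dst=52.40.1.2 dport=443 action=allow
2024-05-01T10:00:12Z src=10.0.0.7 dst=52.40.1.2 dport=443 action=allow
2024-05-01T10:03:40Z src=10.0.0.7 dst=52.40.1.2 dport=443 action=allow
2024-05-01T10:05:01Z src=10.0.0.5 dst=52.10.20.30 dport=443 action=allow
2024-05-01T10:09:59Z src=10.0.0.5 dst=52.10.20.30 dport=443 action=allow
2024-05-01T10:11:05Z src=10.0.0.7 dst=52.40.1.2 dport=443 action=allow
2024-05-01T10:11:07Z src=10.0.0.7 dst=52.40.1.2 dport=443 action=allow
2024-05-01T10:15:02Z src=10.0.0.5 dst=52.10.20.30 dport=443 action=allow
2024-05-01T10:20:00Z src=10.0.0.5 dst=52.10.20.30 dport=443 action=allow
2024-05-01T10:22:30Z src=10.0.0.9 dst=52.1.1.1 dport=443 action=allow
2024-05-01T10:24:58Z src=10.0.0.5 dst=52.10.20.30 dport=443 action=allow
2024-05-01T10:25:00Z src=10.0.0.7 dst=52.40.1.2 dport=443 action=allow
2024-05-01T10:30:01Z src=10.0.0.5 dst=52.10.20.30 dport=443 action=allow
2024-05-01T10:31:00Z src=10.0.0.9 dst=52.1.1.1 dport=443 action=allow
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+)")


def parse_connections(text):
    """Yield (timestamp, src, dst, dport); lines that do not parse are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3), int(m.group(4))


def interval_stats(timestamps):
    """Median inter-arrival interval in seconds and relative jitter (MAD / median)."""
    ts = sorted(timestamps)
    deltas = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    median = statistics.median(deltas)
    if median == 0:
        return 0.0, float("inf")
    mad = statistics.median(abs(d - median) for d in deltas)
    return median, mad / median


def find_beacons(text, min_samples=5, max_rel_jitter=0.1):
    """Return (src, dst, dport, median_interval, rel_jitter) for flows whose
    inter-arrival timing is too regular to look like a person."""
    flows = defaultdict(list)
    for ts, src, dst, dport in parse_connections(text):
        flows[(src, dst, dport)].append(ts)
    hits = []
    for (src, dst, dport), stamps in flows.items():
        if len(stamps) < min_samples:  # too few samples to judge periodicity
            continue
        median, rel_jitter = interval_stats(stamps)
        if rel_jitter <= max_rel_jitter:
            hits.append((src, dst, dport, median, rel_jitter))
    return hits


if __name__ == "__main__":
    for src, dst, dport, median, jitter in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}:{dport} every ~{median:.0f}s, relative jitter {jitter:.3f}")
```

A `time.sleep(300)` loop like the test simulator above produces near-zero jitter and is caught immediately; agents that randomise their sleep push the relative jitter up, so tune `max_rel_jitter` against your own baseline and combine this score with the count-by-source rule and a destination allowlist rather than alerting on timing alone. Scheduled tasks, update checks and monitoring probes are also periodic, which is why the playbook pairs this phase with the process and data-flow checks.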
## Automated Testing

```yaml
# .github/workflows/test_rules.yml
name: Sigma Rule Validation
on: [push]
jobs:
  sigma-test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Test Sigma Rules
        run: |
          pip install sigmatools
          sigma test -f rules/
```

## Learning Resources

- Sigma Documentation: sigmahq.io
- BSI SIEM Guide (German): BSI Leitfaden
- DetectionLab: detectionlab.network
- German Threat Intel: BSI CERT Reports
- TLS Fingerprinting Guide: Engineering JA3
## Analyst Field Guide

- Detection Priority Stack

  ```mermaid
  graph LR
    A[TLS Fingerprints] --> B[Behavioral Patterns]
    B --> C[Process Anomalies]
    C --> D[Network Signatures]
  ```

- Investigation Checklist
  - Verify JA3/JA4 fingerprints
  - Check for known white-label indicators
  - Review data chunking patterns
  - Document chain of custody
## Operational Security Notice

**Warning:** Always ensure you have explicit legal authority and proper authorization before monitoring any network, especially those associated with government or corporate entities. Unauthorized monitoring is illegal and can have severe consequences. This toolkit is for defending networks you are authorized to protect, not for offensive operations. Think before you type.
## Support This Project

If you find this repository useful, please give it a star ⭐ on GitHub.
Starring a repository is the best way to show your appreciation and helps increase its visibility. It tells the GitHub algorithm that this project is significant, which means it will be recommended to more users and appear higher in search results. Unlike influencers, we don't have sponsors; our currency is community support.
Your star helps us help more people. Thank you!