
3CORESec / S2AN

License: AGPL-3.0
S2AN - Mapper of Sigma/Suricata Rules/Signatures ➡️ MITRE ATT&CK Navigator

Language: C#



S2AN

S2AN - Mapper of Sigma/Suricata Rules ➡️ MITRE ATT&CK

S2AN is a standalone tool written in .NET Core, available for both Linux and Windows (x64), that operates on a folder of Sigma rules or Suricata signatures. Currently the following features are supported:

  • Create an ATT&CK Navigator layer based on the techniques covered by:
    • Sigma rules
    • Suricata signatures
  • Identify mismatches between tactics and techniques in Sigma rule files, which can result from improper categorization or from updates to the ATT&CK framework

Our main motivation for developing it was to have a tool we could call from a CI/CD pipeline running in a minimal build environment, without having (or wanting) to install Python dependencies.

Some of S2AN's features are based on a similar tool available in the official Sigma repository.

Example output

$ ./S2AN -d rules/ -w
 
S2AN by 3CORESec - https://github.com/3CORESec/S2AN
 
[*] Layer file written in sigma-coverage.json (6 rules)
 
Attention - mismatch between technique and tactic has been detected!
MITRE ATT&CK technique (T1543.003) and tactic (defense-evasion) mismatch in rule: rules/win_eventlog_service_start_type_mod_error.yml
MITRE ATT&CK technique (T1543.003) and tactic (defense-evasion) mismatch in rule: rules/win_eventlog_service_start_type_mod.yml
MITRE ATT&CK technique (T1003.003) and tactic (credential-dumping) mismatch in rule: rules/win_susp_vssadmin_ntds_activity.yml

Download

You are free to review the source code we make available in this repository.

The pre-compiled binaries are available for download and you can reference them in your pipeline (or download for manual execution) as they will always point towards the latest version:

Running S2AN

  • Generate Navigator layer: ./S2AN -d folder_with_sigma_rules/
  • Generate Navigator layer and identify mismatch: ./S2AN -d folder_with_sigma_rules/ -w
  • Generate Navigator layer from Suricata signatures: ./S2AN -s -d folder_with_signatures/

Tactic & Technique mismatch

To make use of mismatch detection in your rules, S2AN expects the `tags` list to follow the layout below, a tactic tag followed by the technique tags listed under it (this feature is only available for Sigma rules):

tags:
  - attack.persistence
  - attack.t1543.003
  - attack.defense_evasion
  - attack.t1562.002
  - attack.t1543.003
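The following is an added, self-contained illustration of what the two commands under "Running S2AN" and the tag layout above amount to; it is not S2AN's own code (S2AN is written in C#) and does not use the project's internals. It reads the `tags` list of a Sigma rule, flags technique tags that do not belong to the tactic tag they are listed under, and emits a minimal ATT&CK Navigator layer with one entry per covered technique. Assumptions: the technique-to-tactic table is a hand-entered subset (a real tool would load it from MITRE's enterprise-attack STIX bundle), the three rule files are constructed samples with hypothetical names, the `tags:` reader only handles the simple `- item` list form shown above, and the layer fields beyond `name`, `domain` and `techniques` are the ones the Navigator accepts as of layer format 4.x.

```python
"""Illustrative Sigma tag checker and Navigator layer builder (added example, not S2AN code)."""
import json
import re

# Constructed subset of the ATT&CK technique -> tactic mapping. Assumption: a real
# tool would load this from MITRE's enterprise-attack STIX JSON rather than hardcode it.
TECHNIQUE_TACTICS = {
    "T1543.003": {"persistence", "privilege-escalation"},   # Create or Modify System Process: Windows Service
    "T1562.002": {"defense-evasion"},                       # Impair Defenses: Disable Windows Event Logging
    "T1003.003": {"credential-access"},                     # OS Credential Dumping: NTDS
}

TACTIC_PREFIX = "attack."
TECH_RE = re.compile(r"^attack\.(t\d{4}(?:\.\d{3})?)$", re.IGNORECASE)

# Constructed sample rules with hypothetical file names. The first reproduces the
# tag layout shown above; the second uses a tag that is not an ATT&CK tactic.
RULES = {
    "rule_service_start_type.yml": """title: Service start type modification (constructed sample)
tags:
  - attack.persistence
  - attack.t1543.003
  - attack.defense_evasion
  - attack.t1562.002
  - attack.t1543.003
level: medium
""",
    "rule_ntds_vssadmin.yml": """title: NTDS copy via vssadmin (constructed sample)
tags:
  - attack.credential_dumping
  - attack.t1003.003
level: high
""",
    "rule_eventlog_disabled.yml": """title: Event logging disabled (constructed sample)
tags:
  - attack.defense_evasion
  - attack.t1562.002
level: medium
""",
}


def parse_tags(rule_text):
    """Return the items of a Sigma rule's `tags:` list (minimal reader, no PyYAML)."""
    tags, in_tags = [], False
    for line in rule_text.splitlines():
        if re.match(r"^tags:\s*$", line):
            in_tags = True
            continue
        if in_tags:
            m = re.match(r"^\s+-\s*(\S+)", line)
            if m:
                tags.append(m.group(1))
            elif line.strip() and not line.startswith(" "):
                break  # next top-level key ends the list
    return tags


def check_mismatches(tags):
    """Walk the tags in order: a tactic tag sets the current tactic, and every technique
    tag after it must belong to that tactic. Returns [(technique_id, tactic), ...].
    Techniques absent from TECHNIQUE_TACTICS are skipped rather than flagged."""
    mismatches, current = [], None
    for tag in tags:
        if not tag.startswith(TACTIC_PREFIX):
            continue
        m = TECH_RE.match(tag)
        if m:
            technique = m.group(1).upper()
            known = TECHNIQUE_TACTICS.get(technique)
            if known is not None and current is not None and current not in known:
                mismatches.append((technique, current))
        else:
            # Sigma writes tactics as attack.defense_evasion; ATT&CK uses defense-evasion
            current = tag[len(TACTIC_PREFIX):].replace("_", "-")
    return mismatches


def build_layer(tags_by_rule, name="sigma-coverage"):
    """Build a Navigator layer: one entry per technique, score = number of rules covering it."""
    counts = {}
    for tags in tags_by_rule.values():
        techniques = {TECH_RE.match(t).group(1).upper() for t in tags if TECH_RE.match(t)}
        for tech in techniques:  # a rule tagging a technique twice counts once
            counts[tech] = counts.get(tech, 0) + 1
    return {
        "name": name,
        "domain": "enterprise-attack",
        "versions": {"layer": "4.4"},  # assumption: adjust to the Navigator version in use
        "description": "Generated from %d rule(s)" % len(tags_by_rule),
        "techniques": [
            {"techniqueID": tech, "score": n, "comment": "%d rule(s)" % n}
            for tech, n in sorted(counts.items())
        ],
    }


def report(rules=RULES):
    """Equivalent of `-d rules/ -w`: returns the layer and the per-rule mismatches."""
    tags_by_rule = {name: parse_tags(text) for name, text in rules.items()}
    mismatches = {name: check_mismatches(tags) for name, tags in tags_by_rule.items()}
    return build_layer(tags_by_rule), {k: v for k, v in mismatches.items() if v}


if __name__ == "__main__":
    layer, bad = report()
    print(json.dumps(layer, indent=2))
    for rule, pairs in bad.items():
        for technique, tactic in pairs:
            print("technique (%s) and tactic (%s) mismatch in rule: %s" % (technique, tactic, rule))
```

Running the block prints the layer JSON and two mismatch lines: T1543.003 listed under `defense-evasion` in the first sample (the technique belongs to Persistence and Privilege Escalation), and T1003.003 under `credential-dumping` in the second, which is not an ATT&CK tactic at all. Treating unknown technique IDs as "skip" rather than "mismatch" is deliberate: a rule tagged with a technique newer than your mapping table should show up as a coverage gap in the table, not as a false mismatch report in CI.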

Example Layer

Visit this URL for an example visualization using ATT&CK Navigator of a layer created by S2AN against the public Sigma rules (as of 02-05-2020).
