This repository provides a mapping of Atomic Red Team attack simulations to open-source detection rules, such as Sigma and Splunk ESCU.
The goal of this project is to bridge the gap between Atomic Red Team’s adversary simulations and open-source detection rules.
By doing so, this project aims to help security professionals simulate attacks and evaluate their detection strategies more effectively.
This project is the result of a simulation conducted in my personal lab environment. During the simulation, I executed all available Atomic Red Team tests and ran all Sigma and Splunk ESCU detections.
The outputs from these tests form the foundation of this repository. It focuses on Windows systems for now. Future updates may include support for additional platforms.
Note: The mapping process is a mix of manual and automatic. It is a time consuming process. But I will still try to update it monthly.
To convert Sigma rules into Splunk Search Processing Language (SPL), I used the sigconverter.io locally on Docker. This tool simplifies the process of adapting Sigma rules for use in Splunk by automating the translation process.
Users can specify the desired target platform, such as Splunk, Elastic, Kusto or any platform that supported by sigconverter, and the tool generates platform-specific queries based on Sigma’s rule definitions.
Introduction When it comes to cybersecurity, speed and privacy are critical. Public vulnerability databases like…
If you are working with Linux or writing bash scripts, one of the most common…
What is a bash case statement? A bash case statement is a way to control…
Why Do We Check Files in Bash? When writing a Bash script, you often work…
If you’re learning Bash scripting, one of the most useful features you’ll come across is…
If you are new to Bash scripting or Linux shell scripting, one of the most…