Cyber security

AttackRuleMap : Bridging Adversary Simulations And Detection Rules For Enhanced Cybersecurity

This repository provides a mapping of Atomic Red Team attack simulations to open-source detection rules, such as Sigma and Splunk ESCU.

Project Purpose

The goal of this project is to bridge the gap between Atomic Red Team’s adversary simulations and open-source detection rules.

By doing so, this project aims to help security professionals simulate attacks and evaluate their detection strategies more effectively.

Project Origin

This project is the result of a simulation conducted in my personal lab environment. During the simulation, I executed all available Atomic Red Team tests and ran all Sigma and Splunk ESCU detections.

Environment Setup

  • Operating System: Windows Server 2019 running in a virtualized environment.
  • Testing Tool: Atomic Red Team, executed using PowerShell and manual adjustments for specific scenarios.
  • Log Ingestion: Splunk Enterprise for ingesting logs and analyzing detections.
  • Datamodel Acceleration: To running all searches multi-threaded requires datamodel acceleration.
  • Detection Rules: Sigma rules and Splunk ESCU rules.

The outputs from these tests form the foundation of this repository. It focuses on Windows systems for now. Future updates may include support for additional platforms.

Note: The mapping process is a mix of manual and automatic. It is a time consuming process. But I will still try to update it monthly.

Sigma Rule Conversion

To convert Sigma rules into Splunk Search Processing Language (SPL), I used the sigconverter.io locally on Docker. This tool simplifies the process of adapting Sigma rules for use in Splunk by automating the translation process.

Users can specify the desired target platform, such as Splunk, Elastic, Kusto or any platform that supported by sigconverter, and the tool generates platform-specific queries based on Sigma’s rule definitions.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

CVE-Search : A Tool To Perform Local Searches For Known Vulnerabilities

Introduction When it comes to cybersecurity, speed and privacy are critical. Public vulnerability databases like…

4 hours ago

How to Bash Append to File: A Simple Guide for Beginners

If you are working with Linux or writing bash scripts, one of the most common…

4 hours ago

Mastering the Bash Case Statement with Simple Examples

What is a bash case statement? A bash case statement is a way to control…

4 hours ago

How to Check if a File Exists in Bash – Simply Explained

Why Do We Check Files in Bash? When writing a Bash script, you often work…

2 days ago

Bash Arrays Explained Simply: Beginner’s Guide with Examples

If you’re learning Bash scripting, one of the most useful features you’ll come across is…

3 days ago

Bash For Loop Examples Explained Simply for Beginners

If you are new to Bash scripting or Linux shell scripting, one of the most…

3 days ago