AttackRuleMap: Bridging Open-Source Detections and Atomic Tests


Hi there! 

I wanted to share a project I’ve been working on that connects adversary simulations with open source detection rules. If you’ve ever used Atomic Red Team, you know how valuable it can be for simulating attacks. This project pairs these simulations with Sigma and Splunk ESCU (maybe more in the future) detection rules to help you better assess your security setups.

Why This Project Exists

When I first started testing detection capabilities, I noticed a gap between simulation tools and the rules needed to identify those simulated attacks. This project aims to close that gap by providing a clear mapping between Atomic Red Team tests and detection rules.

ARM - AttackRuleMap

Note: I have checked that the pairings are correct, but I suggest you do your own checks before using it.

How It Was Built

This project came out of a simulation I ran in my home lab. Here’s what the setup looked like:

  • Operating System: Windows Server 2019 in a virtualized environment
  • Simulation Tool: Atomic Red Team, using PowerShell with a few manual adjustments
  • Log Management: Splunk Enterprise for log ingestion and analysis
  • Detection Rules: Sigma rules and Splunk ESCU rules
  • Optimization: Enabled datamodel acceleration for faster, multi-threaded searches

At the moment, the project focuses on Windows systems, but I’m hoping to include Linux and macOS in the future.
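
One way to run your own check on a pairing in a lab like the one above, as an added example that is not part of the original post or the AttackRuleMap repository: it attributes fired detections to Atomic test runs by host and time window. The record layouts, names and the 60-second grace period are assumptions, and all sample data is constructed.

```python
from datetime import datetime, timedelta

# Constructed sample data, not taken from the AttackRuleMap repository.
RUNS = [  # one record per executed Atomic test (hypothetical export format)
    {"technique": "T1059.001", "test": "sample-test-1", "host": "lab-dc01",
     "start": "2024-12-01T10:00:00", "end": "2024-12-01T10:00:20"},
    {"technique": "T1003.001", "test": "sample-test-2", "host": "lab-dc01",
     "start": "2024-12-01T10:01:00", "end": "2024-12-01T10:01:30"},
    {"technique": "T1053.005", "test": "sample-test-3", "host": "lab-dc01",
     "start": "2024-12-01T10:10:00", "end": "2024-12-01T10:10:10"},
]
ALERTS = [  # one record per detection that fired in the SIEM (hypothetical format)
    {"rule": "sigma_sample_rule_a", "host": "lab-dc01", "time": "2024-12-01T10:00:05"},
    {"rule": "escu_sample_rule_b", "host": "lab-dc01", "time": "2024-12-01T10:01:10"},
    {"rule": "sigma_sample_rule_c", "host": "lab-dc01", "time": "2024-12-01T10:01:45"},
    {"rule": "sigma_sample_rule_d", "host": "other-host", "time": "2024-12-01T10:10:05"},
]

def pair_rules(runs, alerts, grace=timedelta(seconds=60)):
    """Attribute each alert to the single Atomic test whose window contains it."""
    pairs = {(r["technique"], r["test"]): [] for r in runs}
    ambiguous, unmatched = [], []
    for a in alerts:
        t = datetime.fromisoformat(a["time"])
        # A run matches when the host is the same and the alert time falls
        # between the test start and the test end plus the grace period.
        hits = [r for r in runs
                if r["host"] == a["host"]
                and datetime.fromisoformat(r["start"]) <= t
                <= datetime.fromisoformat(r["end"]) + grace]
        if len(hits) == 1:
            pairs[(hits[0]["technique"], hits[0]["test"])].append(a["rule"])
        elif hits:
            ambiguous.append(a["rule"])  # overlapping windows: re-run the tests in isolation
        else:
            unmatched.append(a["rule"])  # fired outside every test window: background activity
    gaps = [key for key, rules in pairs.items() if not rules]  # tests nothing detected
    return pairs, gaps, ambiguous, unmatched

if __name__ == "__main__":
    pairs, gaps, ambiguous, unmatched = pair_rules(RUNS, ALERTS)
    for (technique, test), rules in pairs.items():
        print(technique, test, "->", rules or "NO DETECTION")
    print("ambiguous:", ambiguous, "| unmatched:", unmatched)
```

Alerts that land in two overlapping windows are reported as ambiguous instead of being credited to both tests, which is the case most likely to produce a wrong pairing.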

Sigma Rule Conversion Made Simple

One challenge was adapting Sigma rules for different platforms. To handle this, I used sigconverter.io (running locally on Docker). This tool makes it easy to convert Sigma rules into queries for platforms like Splunk, Elastic, and Kusto.

For example, if you need a Sigma rule translated into Splunk SPL, just select Splunk as your target, and the tool handles the rest. It’s quick and saves so much time.

Contributions

This project is open to contributions, and I’d love your contributions! Here’s how you can help:

  1. Platform Expansion: Test these rules on Linux or macOS systems.
  2. Feedback: If you find any gaps or have suggestions, let me know.
  3. Pull Requests: Feel free to contribute by submitting code or opening issues.

Your input can help make this a better resource for the community.

Repository Link

GitHub - krdmnbrk/AttackRuleMap

AttackRuleMap: Bridging Open-Source Detections and Atomic Tests was originally published in Detect FYI on Medium, where people are continuing the conversation by highlighting and responding to this story.

Article Link: AttackRuleMap: Bridging Open-Source Detections and Atomic Tests | by Burak Karaduman | Dec, 2024 | Detect FYI
