A set of detection rules, written in Elasticsearch Query DSL and extracted from open-source attack libraries, that map Sysmon logs to the techniques described in ATT&CK.


jayzheng98/Mapping-Sysmonlogs-to-ATTACK


Prerequisites

Sysmon: the Sysinternals system monitor for Windows, which records process creation (including the full command line) and other activity in the Windows event log

ELK (Elasticsearch, Logstash, Kibana): stores the collected Sysmon logs and executes the detection queries

Python 3: drives Elasticsearch, submitting every detection rule and collecting the matches

Usage

1. Ingest the Sysmon logs into ELK (in our case they had already been collected there).

2. Adapt the main.py template we provide to your environment (index name, field names and connection settings); "test_in_my_case.py" is uploaded as a worked reference.

3. Run main.py; it executes every rule against the logs and reports the matches.

Description

1. The rules are written in the Elasticsearch Query DSL, so Elasticsearch can run the detections over very large log volumes quickly.

2. Open any of the .csv files in Elastic_dsl and you will see 4 columns:

  • Column 1: ATT&CK technique id
  • Column 2: DSL query statement
  • Column 3: Attack instruction (the command the rule was derived from)
  • Column 4: Remark, a verification status code (most rules are currently 2 or 2(4)):
    • 0: The attack command is not yet understood
    • 1: The attack command requires specific software or scripts to be installed on the target
    • 2: Verified
    • 2(4): The command line is not recorded when the instruction is executed directly, but it is captured when the instruction is wrapped in cmd /c "..." or powershell.exe "..."
    • 3: To be verified
    • 4: The command line cannot be recorded
    • 5: Hard to detect when the attack is carried out one step at a time rather than as a single command line

3. The "initial access" attacks we have acquired so far are mostly phishing-based and rarely go through the command line, so they are not covered yet.

4. multiple.csv collects techniques that belong to more than one tactic.

Future Work (known limitations)

1. Only attacks against Windows systems are covered so far.

2. The rules do not yet handle obfuscation: an obfuscated or encoded command line will not match a rule written for its plain form.

3. The rules mainly inspect the "CommandLine" field of Sysmon logs; other fields (for example the image path or the parent process) could also support detection.
