S2AN (Sigma2AttackNet) - Mapper of Sigma/Suricata Rules ➡️ MITRE ATT&CK
S2AN is a standalone tool developed in .NET Core, available for both Linux and Windows (x64), meant to interact with a folder holding Sigma rules as well as Suricata signatures. Currently the following features are supported:
Our main motivation behind its development was to have a tool that we could reference in a CI/CD pipeline when running in a minimal build environment (without having or wanting to install Python dependencies).
Some of S2AN features are based on a similar tool available in the official Sigma repository.
$ ./S2AN -d rules/ -w
S2AN by 3CORESec - https://github.com/3CORESec/S2AN
[*] Layer file written in sigma-coverage.json (6 rules)
Attention - mismatch between technique and tactic has been detected!
MITRE ATT&CK technique (T1543.003) and tactic (defense-evasion) mismatch in rule: rules/win_eventlog_service_start_type_mod_error.yml
MITRE ATT&CK technique (T1543.003) and tactic (defense-evasion) mismatch in rule: rules/win_eventlog_service_start_type_mod.yml
MITRE ATT&CK technique (T1003.003) and tactic (credential-dumping) mismatch in rule: rules/win_susp_vssadmin_ntds_activity.yml
You are free to review the source code we make available in this repository.
The pre-compiled binaries are available for download and you can reference them in your pipeline (or download for manual execution) as they will always point towards the latest version:
./S2AN -d folder_with_sigma_rules/      # process a folder of Sigma rules
./S2AN -d folder_with_sigma_rules/ -w   # same, and also write the ATT&CK Navigator layer (sigma-coverage.json, as in the output above)
./S2AN -s -d folder_with_signatures/    # -s: treat the folder as Suricata signatures (mismatch detection is Sigma-only)
To make use of mismatch detection in your rules (this feature is only available for Sigma rules), S2AN expects the tags in the following format, with each tactic tag followed by the technique tags that belong to it:
tags:
- attack.persistence
- attack.t1543.003
- attack.defense_evasion
- attack.t1562.002
- attack.t1543.003
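The following Python sketch is an added example and not S2AN's own code (S2AN is written in .NET Core). It shows the logic the tag format above implies: each attack.tactic tag sets the current tactic, every attack.tNNNN tag that follows is attributed to it, a technique is flagged when ATT&CK does not list it under that tactic, and the resulting technique/tactic pairs are written into a minimal ATT&CK Navigator layer. The technique-to-tactic table is a small embedded subset (a real tool would load the full ATT&CK dataset), the sample rules are constructed, and the layer fields are kept to the minimum Navigator needs.

```python
"""Added example (not S2AN's code): Sigma attack.* tags -> mismatch warnings
and a minimal ATT&CK Navigator layer."""
import json
import re
from collections import Counter

# Embedded subset of the ATT&CK technique -> tactics mapping so the example
# runs offline. Assumption: a real tool loads the complete ATT&CK dataset.
TECHNIQUE_TACTICS = {
    "T1543.003": {"persistence", "privilege-escalation"},   # Windows Service
    "T1562.002": {"defense-evasion"},                       # Disable Windows Event Logging
    "T1003.003": {"credential-access"},                     # OS Credential Dumping: NTDS
}

TECHNIQUE_RE = re.compile(r"^attack\.(t\d{4}(?:\.\d{3})?)$", re.IGNORECASE)

# Constructed sample rules (path -> tags); the first uses the tag list shown
# above, the second reproduces the credential-dumping case from the output.
SAMPLE_RULES = {
    "rules/win_eventlog_service_start_type_mod.yml": [
        "attack.persistence", "attack.t1543.003",
        "attack.defense_evasion", "attack.t1562.002", "attack.t1543.003",
    ],
    "rules/win_susp_vssadmin_ntds_activity.yml": [
        "attack.credential_dumping", "attack.t1003.003",
    ],
}


def parse_tags(tags):
    """Return (technique_id, tactic) pairs. A tactic tag such as
    attack.defense_evasion sets the current tactic (Sigma uses underscores,
    Navigator uses hyphens); each following technique tag is attributed to
    it. A technique seen before any tactic tag gets tactic None."""
    pairs, tactic = [], None
    for tag in tags:
        m = TECHNIQUE_RE.match(tag)
        if m:
            pairs.append((m.group(1).upper(), tactic))
        elif tag.lower().startswith("attack."):
            tactic = tag[len("attack."):].lower().replace("_", "-")
    return pairs


def find_mismatches(rule_path, tags):
    """Return S2AN-style warning lines for pairs ATT&CK does not define."""
    warnings = []
    for tech, tactic in parse_tags(tags):
        allowed = TECHNIQUE_TACTICS.get(tech)
        if tactic is None or allowed is None:
            continue  # no tactic context or technique not in our table
        if tactic not in allowed:
            warnings.append(f"MITRE ATT&CK technique ({tech}) and tactic "
                            f"({tactic}) mismatch in rule: {rule_path}")
    return warnings


def build_layer(rules, name="Sigma coverage"):
    """Minimal Navigator layer: one entry per (technique, tactic) pair,
    scored by the number of rules that tag it."""
    counts = Counter()
    for tags in rules.values():
        for tech, tactic in set(parse_tags(tags)):
            if tactic is not None:
                counts[(tech, tactic)] += 1
    return {
        "name": name,
        "domain": "enterprise-attack",
        "techniques": [
            {"techniqueID": tech, "tactic": tactic, "score": n,
             "comment": f"{n} rule(s)"}
            for (tech, tactic), n in sorted(counts.items())
        ],
    }


if __name__ == "__main__":
    for path, tags in SAMPLE_RULES.items():
        for line in find_mismatches(path, tags):
            print(line)
    print(json.dumps(build_layer(SAMPLE_RULES), indent=2))
```

Run it as is to see the two mismatch warnings followed by the layer JSON; swap SAMPLE_RULES for the tag lists loaded from your own YAML files to apply the same check in a pipeline.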
Visit this URL for an example visualization using ATT&CK Navigator of a layer created by S2AN against the public Sigma rules (as of 02-05-2020).