sysmon-modular
[Feature] Compare Sysmon to MITRE ATT&CK - Script 🤖
The goal of this feature is to provide a way for an analyst to easily check their Sysmon rules against the latest MITRE ATT&CK Framework.
Benefits:
- Find valid and invalid Tactics and Techniques to fix in their Sysmon rule names
- Identify all Sysmon rules that match the latest framework
Features of the script:
- [x] Check a single file for valid tactics, techniques or subtechniques
- [x] Check a modular folder for valid tactics, techniques or subtechniques
- [x] Use latest MITRE ATT&CK enterprise-attck.json from GitHub for comparison
- [x] Use local enterprise-attck.json file for comparison
- [x] Export valid rules for ATT&CK Navigator (Sysmon-modular.json)
- [x] Ingest loaded MITRE ATT&CK into Elasticsearch cluster (Index - mitre_attck)
- [x] Display table view of MITRE ATT&CK and rules found from Sysmon configs (with file paths they live in)
- [x] Display table view of Sysmon rules and if they are valid tactics, techniques or subtechniques
Basically, this will be the Swiss Army knife for all things MITRE ATT&CK and for comparing them to the Sysmon rules the analysts wish to address.
This would also take care of https://github.com/olafhartong/sysmon-modular/issues/50
This script will work best with the full MITRE ATT&CK properties. Watch for an incoming feature request / issue on this.
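As an added illustration of the checks this feature describes (not the project's own script, and not code from the issue author), the Python below validates sysmon-modular rule names against an ATT&CK STIX bundle and emits a minimal Navigator layer. It assumes the sysmon-modular rule-name convention `technique_id=T1234.001,technique_name=...` on `name` attributes, and reads the STIX fields that `enterprise-attack.json` actually carries (`attack-pattern` objects, `external_references` with `source_name: mitre-attack`, `revoked`, `x_mitre_deprecated`). The bundle, the Sysmon XML and the file path are constructed samples, not the real data; the Navigator layer is reduced to the `techniqueID`/`score`/`comment` fields and omits version metadata.

```python
"""Check sysmon-modular rule names against an ATT&CK STIX bundle and build a Navigator layer.

Added example; not the sysmon-modular project's script. Sample data below is constructed.
"""
import json
import re
import xml.etree.ElementTree as ET

# sysmon-modular rule-name convention: technique_id=T1059.001,technique_name=PowerShell
TECHNIQUE_RE = re.compile(r"technique_id=(T\d{4}(?:\.\d{3})?)(?:,technique_name=([^,]+))?")

# Constructed stand-in for enterprise-attack.json (same STIX layout, three objects only).
SAMPLE_ATTACK_BUNDLE = {
    "type": "bundle",
    "objects": [
        {"type": "attack-pattern", "name": "Process Injection", "revoked": False,
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1055"}]},
        {"type": "attack-pattern", "name": "PowerShell", "revoked": False,
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1059.001"}]},
        {"type": "attack-pattern", "name": "Scripting", "revoked": True,   # revoked in ATT&CK
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1064"}]},
    ],
}

# Constructed Sysmon fragment: one valid rule, one valid id with a wrong name,
# one revoked technique, one id that does not exist.
SAMPLE_SYSMON_XML = """<Sysmon schemaversion="4.30">
<EventFiltering>
<RuleGroup name="" groupRelation="or">
  <ProcessCreate onmatch="include">
    <Rule name="technique_id=T1059.001,technique_name=PowerShell" groupRelation="and">
      <Image condition="end with">powershell.exe</Image>
    </Rule>
    <Image name="technique_id=T1055,technique_name=Process Inject" condition="end with">mavinject.exe</Image>
    <Image name="technique_id=T1064,technique_name=Scripting" condition="end with">wscript.exe</Image>
    <Image name="technique_id=T9999,technique_name=Nope" condition="end with">foo.exe</Image>
  </ProcessCreate>
</RuleGroup>
</EventFiltering>
</Sysmon>"""


def load_techniques(bundle):
    """Map ATT&CK external id -> {"name", "active"}; revoked/deprecated entries are inactive."""
    techniques = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "attack-pattern":
            continue
        ext_id = next((r["external_id"] for r in obj.get("external_references", [])
                       if r.get("source_name") == "mitre-attack"), None)
        if ext_id is None:
            continue
        active = not (obj.get("revoked", False) or obj.get("x_mitre_deprecated", False))
        techniques[ext_id] = {"name": obj["name"], "active": active}
    return techniques


def extract_rule_names(xml_text, source):
    """Collect every element whose `name` attribute carries a technique_id, with its source path."""
    root = ET.fromstring(xml_text)
    rules = []
    for elem in root.iter():
        match = TECHNIQUE_RE.search(elem.get("name", ""))
        if match:
            rules.append({"id": match.group(1), "name": (match.group(2) or "").strip(),
                          "tag": elem.tag, "source": source})
    return rules


def check_rules(rules, techniques):
    """Classify each rule: valid, valid with a stale name, revoked/deprecated, or unknown id."""
    results = []
    for rule in rules:
        tech = techniques.get(rule["id"])
        if tech is None:
            status = "invalid: unknown technique"
        elif not tech["active"]:
            status = "invalid: revoked/deprecated"
        elif rule["name"] and rule["name"].casefold() != tech["name"].casefold():
            status = f"valid, name mismatch (ATT&CK: {tech['name']})"
        else:
            status = "valid"
        results.append({**rule, "status": status})
    return results


def navigator_layer(results, layer_name="Sysmon-modular"):
    """Minimal ATT&CK Navigator layer: one entry per valid technique id, sources in the comment."""
    valid_ids = sorted({r["id"] for r in results if r["status"].startswith("valid")})
    return {"name": layer_name, "domain": "enterprise-attack", "techniques": [
        {"techniqueID": tid, "score": 1,
         "comment": ", ".join(sorted({r["source"] for r in results if r["id"] == tid}))}
        for tid in valid_ids]}


if __name__ == "__main__":
    techs = load_techniques(SAMPLE_ATTACK_BUNDLE)
    found = extract_rule_names(SAMPLE_SYSMON_XML, "sample/1_process_creation.xml")  # constructed path
    checked = check_rules(found, techs)
    for r in checked:                                   # the "table view" with file paths
        print(f"{r['id']:<10} {r['name']:<18} {r['status']:<42} {r['source']}")
    print(json.dumps(navigator_layer(checked), indent=2))
```

Against real data, replace `SAMPLE_ATTACK_BUNDLE` with `json.load()` of a downloaded `enterprise-attack.json` and loop `extract_rule_names` over every file in the modular folder, passing each path as `source`; the name-mismatch status is what catches rule names that were written against an older ATT&CK release.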