S2AN - Mapper of Sigma/Suricata Rules ➡️ MITRE ATT&CK
S2AN is a standalone tool developed in .NET Core, available for both Linux and Windows (x64), meant to interact with a folder holding Sigma rules as well as Suricata signatures. Currently the following features are supported:
- Create an ATT&CK Navigator layer based on the techniques covered by:
- Sigma rules
- Suricata signatures
- Identify mismatches between tactics and techniques in the Sigma rule files, that could result from improper categorization or updates to the framework
Our main motivation behind its development was to have a tool that we could reference in a CI/CD pipeline when running in a minimal build environment (without having or wanting to install Python dependencies).
Some of S2AN features are based on a similar tool available in the official Sigma repository.
$ ./S2AN -d rules/ -w
S2AN by 3CORESec - https://github.com/3CORESec/S2AN
[*] Layer file written in sigma-coverage.json (6 rules)
Attention - mismatch between technique and tactic has been detected!
MITRE ATT&CK technique (T1543.003) and tactic (defense-evasion) mismatch in rule: rules/win_eventlog_service_start_type_mod_error.yml
MITRE ATT&CK technique (T1543.003) and tactic (defense-evasion) mismatch in rule: rules/win_eventlog_service_start_type_mod.yml
MITRE ATT&CK technique (T1003.003) and tactic (credential-dumping) mismatch in rule: rules/win_susp_vssadmin_ntds_activity.yml
You are free to review the source code we make available in this repository.
The pre-compiled binaries are available for download and you can reference them in your pipeline (or download for manual execution) as they will always point towards the latest version:
- GNU/Linux: https://s2an.3coresec.net/linux/S2AN
- Windows: https://s2an.3coresec.net/windows/S2AN.exe
- Generate Navigator layer:
./S2AN -d folder_with_sigma_rules/
- Generate Navigator layer and identify mismatch:
./S2AN -d folder_with_sigma_rules/ -w
- Generate Navigator layer from Suricata signatures:
./S2AN -s -d folder_with_signatures/
In order to make use of the detection of mismatches in your rules, S2AN expects the following format (this feature is only available for Sigma rules):
tags:
- attack.persistence
- attack.t1543.003
- attack.defense_evasion
- attack.t1562.002
- attack.t1543.003
Visit this URL for an example visualization using ATT&CK Navigator of a layer created by S2AN against the public Sigma rules (as of 02-05-2020).