S2AN - Mapper of Sigma/Suricata Rules ➡️ MITRE ATT&CK
S2AN is a standalone tool developed in .NET Core, available for both Linux and Windows (x64), meant to interact with a folder holding Sigma rules as well as Suricata signatures. Currently the following features are supported:
Our main motivation behind its development was to have a tool that we could reference in a CI/CD pipeline when running in a minimal build environment (without having or wanting to install Python dependencies).
Some of S2AN's features are based on a similar tool available in the official Sigma repository.
```
$ ./S2AN -d rules/ -w
S2AN by 3CORESec - https://github.com/3CORESec/S2AN
[*] Layer file written in sigma-coverage.json (6 rules)
Attention - mismatch between technique and tactic has been detected!
MITRE ATT&CK technique (T1543.003) and tactic (defense-evasion) mismatch in rule: rules/win_eventlog_service_start_type_mod_error.yml
MITRE ATT&CK technique (T1543.003) and tactic (defense-evasion) mismatch in rule: rules/win_eventlog_service_start_type_mod.yml
MITRE ATT&CK technique (T1003.003) and tactic (credential-dumping) mismatch in rule: rules/win_susp_vssadmin_ntds_activity.yml
```
You are free to review the source code we make available in this repository.
The pre-compiled binaries are available for download, and you can reference them from your pipeline (or download them for manual execution); the links always point to the latest version:
```
# Map the Sigma rules in a folder to ATT&CK
./S2AN -d folder_with_sigma_rules/

# Same, and also write an ATT&CK Navigator layer file (sigma-coverage.json)
./S2AN -d folder_with_sigma_rules/ -w

# Process Suricata signatures instead of Sigma rules
./S2AN -s -d folder_with_signatures/
```
To use mismatch detection on your rules, S2AN expects the following tag format (this feature is only available for Sigma rules):
```yaml
tags:
    - attack.persistence
    - attack.t1543.003
    - attack.defense_evasion
    - attack.t1562.002
    - attack.t1543.003
```
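The following is an added example, not S2AN's own code, showing both things the README describes: building a minimal ATT&CK Navigator layer from the technique tags of a rule folder (what `-w` writes to `sigma-coverage.json`) and flagging tactic/technique mismatches in the tag format above. It assumes the Sigma convention that a technique tag belongs to the tactic tag listed before it; that reading is consistent with the sample output above (the second `attack.t1543.003` sits under `attack.defense_evasion`) but is this example's assumption, not a description of S2AN's implementation. The technique-to-tactic mapping is a hand-written subset of ATT&CK, the two rules are constructed, and the `tags:` block is read with a line scan instead of a YAML parser so the script has no dependencies.

```python
"""Added example (not S2AN's code): scan Sigma rules for ATT&CK tags, build a
minimal ATT&CK Navigator layer, and flag tactic/technique mismatches."""
import json
import re
from typing import Dict, List, Optional, Set, Tuple

# Assumed subset of the ATT&CK technique -> tactic mapping. A real tool would
# load the full mapping from the ATT&CK STIX data; these three are ATT&CK entries.
TECHNIQUE_TACTICS: Dict[str, Set[str]] = {
    "T1543.003": {"persistence", "privilege-escalation"},  # Windows Service
    "T1562.002": {"defense-evasion"},                       # Disable Windows Event Logging
    "T1003.003": {"credential-access"},                     # NTDS
}

TAG_LINE = re.compile(r"^\s*-\s*attack\.(\S+)\s*$")
TECHNIQUE_TAG = re.compile(r"^t\d{4}(?:\.\d{3})?$")


def extract_attack_tags(rule_text: str) -> List[str]:
    """Return the attack.* entries of a rule's `tags:` block, in file order.
    A line scan replaces a YAML parser to keep the example dependency-free."""
    tags: List[str] = []
    in_tags = False
    for line in rule_text.splitlines():
        if re.match(r"^tags:\s*$", line):
            in_tags = True
            continue
        if not in_tags:
            continue
        match = TAG_LINE.match(line)
        if match:
            tags.append(match.group(1))
        elif line.strip():
            in_tags = False  # the next top-level key ends the block
    return tags


def find_mismatches(rule_text: str,
                    mapping: Dict[str, Set[str]] = TECHNIQUE_TACTICS
                    ) -> List[Tuple[str, Optional[str]]]:
    """Pair each technique tag with the tactic tag that precedes it (Sigma's
    tagging convention, assumed here) and report pairs the mapping disallows."""
    mismatches: List[Tuple[str, Optional[str]]] = []
    current_tactic: Optional[str] = None
    for tag in extract_attack_tags(rule_text):
        if TECHNIQUE_TAG.match(tag):
            technique = tag.upper()
            allowed = mapping.get(technique)
            if allowed is None:
                continue  # technique outside our subset: nothing to check
            if current_tactic not in allowed:
                mismatches.append((technique, current_tactic))
        else:
            # Sigma writes tactics with underscores; ATT&CK uses hyphens
            current_tactic = tag.replace("_", "-")
    return mismatches


def build_layer(rules: Dict[str, str], name: str = "sigma-coverage") -> dict:
    """Build a minimal Navigator layer: one entry per technique, scored by the
    number of rules that tag it, with the rule paths as the comment."""
    coverage: Dict[str, List[str]] = {}
    for path, text in rules.items():
        for tag in set(extract_attack_tags(text)):
            if TECHNIQUE_TAG.match(tag):
                coverage.setdefault(tag.upper(), []).append(path)
    return {
        "name": name,
        "domain": "enterprise-attack",
        "techniques": [
            {"techniqueID": tid, "score": len(paths), "comment": ", ".join(sorted(paths))}
            for tid, paths in sorted(coverage.items())
        ],
    }


# Constructed sample rules; the first reuses the tag block from the README.
SERVICE_RULE = """\
title: Service start type modified (constructed sample)
tags:
    - attack.persistence
    - attack.t1543.003
    - attack.defense_evasion
    - attack.t1562.002
    - attack.t1543.003
logsource:
    product: windows
"""

NTDS_RULE = """\
title: Suspicious vssadmin NTDS activity (constructed sample)
tags:
    - attack.credential_dumping
    - attack.t1003.003
"""

if __name__ == "__main__":
    rules = {"rules/service_rule.yml": SERVICE_RULE, "rules/ntds_rule.yml": NTDS_RULE}
    for path, text in rules.items():
        for technique, tactic in find_mismatches(text):
            print(f"MITRE ATT&CK technique ({technique}) and tactic ({tactic}) "
                  f"mismatch in rule: {path}")
    with open("sigma-coverage.json", "w") as fh:
        json.dump(build_layer(rules), fh, indent=2)
```

Running the script reports the same two kinds of mismatch seen in the S2AN output above: `T1543.003` listed under `defense-evasion` (the technique maps to persistence and privilege escalation), and `T1003.003` listed under `credential-dumping`, which is not an ATT&CK tactic name at all (the tactic is `credential-access`). The layer it writes can be loaded into ATT&CK Navigator like the one S2AN produces.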
Visit this URL for an example visualization using ATT&CK Navigator of a layer created by S2AN against the public Sigma rules (as of 02-05-2020).