
Multi-layered Sigma rule filtering to improve detection rates while reducing false positives, ensuring efficient threat hunting and forensic investigations.


ThreatStalker

ThreatStalker enables filtering at the MITRE Technique (point), Tactics (line), and Detection (surface) levels, allowing you to tailor your forensic and threat hunting analysis to your specific needs.


Background and Purpose

  • Vendor-independent Sigma rules play a crucial role in threat hunting and SOC operations, as they are widely used by many organizations. However, as noted in MITRE's Summiting the Pyramid, many detection rules can be easily evaded by attackers.
  • Moreover, increasing detection coverage often leads to a surge in false positives, overwhelming analysts with excessive alerts. Addressing this trade-off is therefore of utmost importance.
  • This project leverages MITRE's knowledge to enable flexible selection and application of Sigma rules across multiple levels: technique-level (point), tactics-level (line), adversary-level (surface), and LoLBin-level, reflecting the recent trend of Living off the Land attacks.
  • By doing so, even attacks that evade a single detection rule can be identified when analyzed as part of a broader attack chain. Additionally, filtering based on specific needs helps suppress false positives, ensuring a more effective detection process.

Preparation

Step 1

Clone the repository:

git clone https://github.com/YusukeJustinNakajima/ThreatStalker.git
cd ThreatStalker

Step 2

Install the dependencies:

pip install -r requirements.txt

Step 3

Download the Hayabusa binary from https://github.com/Yamato-Security/hayabusa

How to use

Filtering by Attack ID:

python3 ThreatStalker.py --attackID t1190 --product windows

Filtering by Tactics:

python3 ThreatStalker.py --tactics execution --product windows

Filtering by Actors:

python3 ThreatStalker.py --threat_actor_name APT37 --product windows

Filtering by LoLBin:

python3 ThreatStalker.py --lolbin --product windows

Filtering by actor and applying the filtered rules with Hayabusa:

python3 ThreatStalker.py --threat_actor_name APT37 --product windows --use-hayabusa -d hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/

All filtered rules are placed in the "chainrules" directory, organized by tactic.
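As an added illustration (not ThreatStalker's own code), the following shows how the tag-based selection used by --attackID, --tactics and --product, and the tactic-organized output layout described above, can be implemented over Sigma rules. It assumes the standard Sigma tag conventions (attack.tNNNN for techniques, attack.<tactic> for tactics) and uses constructed sample rules rather than real ones.

```python
"""Filter Sigma rules by MITRE ATT&CK tag and group them by tactic.
Added example, not ThreatStalker's own code: it mimics the --attackID /
--tactics / --product selection and the chainrules/<tactic>/ output layout."""
import re
from collections import defaultdict

# Technique, sub-technique, software and group tags; every other attack.* tag is a tactic.
ATTACK_ID_TAG = re.compile(r"attack\.[tsg]\d{4}(\.\d{3})?")

# Constructed sample rules (already parsed from YAML), not real Sigma rules.
SAMPLE_RULES = [
    {"title": "Webshell Child Process", "logsource": {"product": "windows"},
     "tags": ["attack.initial_access", "attack.t1190", "attack.persistence"]},
    {"title": "Rundll32 Suspicious Execution", "logsource": {"product": "windows"},
     "tags": ["attack.defense_evasion", "attack.execution", "attack.t1218.011"]},
    {"title": "Linux Cron Job Created", "logsource": {"product": "linux"},
     "tags": ["attack.persistence", "attack.t1053.003"]},
]

def normalize_attack_id(attack_id):
    """Accept t1190, T1190 or attack.t1190 and return the Sigma tag form."""
    aid = attack_id.lower()
    return aid if aid.startswith("attack.") else "attack." + aid

def rule_matches(rule, product=None, attack_id=None, tactic=None):
    """True when the rule satisfies every criterion that was given."""
    tags = {t.lower() for t in rule.get("tags", [])}
    if product and rule.get("logsource", {}).get("product") != product.lower():
        return False
    if attack_id:
        wanted = normalize_attack_id(attack_id)
        # A parent technique (attack.t1218) also selects its sub-techniques.
        if not any(t == wanted or t.startswith(wanted + ".") for t in tags):
            return False
    if tactic and "attack." + tactic.lower() not in tags:
        return False
    return True

def filter_rules(rules, **criteria):
    return [r for r in rules if rule_matches(r, **criteria)]

def group_by_tactic(rules):
    """Mirror chainrules/<tactic>/: a rule is listed under each tactic tag it carries."""
    grouped = defaultdict(list)
    for rule in rules:
        for tag in (t.lower() for t in rule.get("tags", [])):
            if tag.startswith("attack.") and not ATTACK_ID_TAG.fullmatch(tag):
                grouped[tag[len("attack."):]].append(rule["title"])
    return dict(grouped)
```

A rule tagged with several tactics lands in every matching tactic group, which is what lets a chain of weaker per-technique hits be read together.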

Future Works
