Skip to content
/ autopsy-sigmaa-ingest-module Public

An Autopsy data source ingest module for detection of IOCs in EVTX for Windows and Auditd for Linux based on SIGMA Rules.

License

MIT license
0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

PLZENTERTEXT/autopsy-sigmaa-ingest-module

BranchesTags

Repository files navigation

SIGMAA: SIGMA Analyzer Module

Detection of IOCs in EVTX for Windows and Auditd for Linux based on SIGMA Rules

  • Users can import Sigma rules via YAML files or its respective JSON format into Autopsy through the module
  • Users have the option to run specific rule sets within the SIGMAA module
  • Able to display analysis results according to log type and rule level under the Data Artifacts section in Autopsy
  • SIGMA rules can be applied on EVTX logs for Windows and Auditd logs for Linux

Requirements / Installation

This module can be used directly by cloning the repo and and place it in C:\Users\<username>\AppData\Roaming\autopsy\python_modules (Default Python Module path) in Autopsy

Alternatively, you can download the module in "Releases", unzip it, and place it in C:\Users\<username>\AppData\Roaming\autopsy\python_modules (Default Python Module path) in Autopsy

Important Note

Installation of this module will be flagged by Antiviruses since some strings in the provided sample rules detects malicious attacks. This is the same with the Zircolite executable. If you wish to download the module without any sample Sigma rules or attack samples do download it at "Releases"

Quick Start

Sigma Rules for EVTX Logs :

Users can import rule files in .yml format or its .json equivalent into the EvtxRule folder

Do note that if .json files are used, only 1 .json file is accepted as input and it is prioritized from other .yml rules

Auditd for Linux Logs :

Users can import rule files in .yml format or its .json equivalent into the AuditdRule folder

Do note that if .json files are used, only 1 .json file is accepted as input and it is prioritized from other .yml rules

JSON Rule Format Generation :

To convert these rule files from .yml to .json format using the sigma-cli tool, you have to leverage the sqlite backend and Zircolite mode.

sigma convert -t sqlite "yml_format_sigma_rule_path" -f zircolite -o output_file_name.json

Sample Rulesets Provided

  • YML Format: RuleCollection/SIGMAHQ by SigmaHQ
  • JSON Format: RuleCollection/Zircolite by Zircolite

ℹ️ Please note these rulesets are provided as an example you should generate your own rulesets but they can be very noisy or slow.

Sample Attack Samples Provided

  • EVTX Attack Samples: In EVTXSamplesCollection by sbousseaden

Demo Attack Samples with Sigma Rule

  • Attack Samples: In DEMO_SAMPLES
  • EVTX Logs Related Rule Sample: In EvtxRule/powershell
  • Auditd Logs Related Rule Sample: In AuditdRule/auditd

Technologies Used

  • Zircolite as the Sigma rule detection tool
  • Jython for the Autopsy data source ingest module

About

An Autopsy data source ingest module for detection of IOCs in EVTX for Windows and Auditd for Linux based on SIGMA Rules.

Topics

auditd sigma autopsy evtx sigma-rules

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases 1

v1.0 Latest
Apr 29, 2024

Packages

No packages published

Languages