![]() ![]() Unlike with Elasticsearch however, Dredd can simply mount the rules and PCAPs into a container as-is and use Suricata to perform offline analysis. ![]() The MMC lateral movement rule worked against the export IDS Rule Analysisĭredd also supports the evaluation of Snort/Suricata IDS rules against PCAPs using Suricata. Once converted and archived as tar.gz files, they can be used alongside Mordor log sets.Ĭonverting an evtx export to JSON using PowerShellĮvaluating the export against a Sigma rule using Dredd Here is a PowerShell script to convert evtx files to Winlogbeat JSON files using Winlogbeat. This means that support for projects like EVTX-ATTACK-SAMPLES, a project similar to Mordor but using evtx files (Windows Event Log files), can be added fairly easily. In practice, Dredd will support any JSON logs produced by Winlogbeat or logs matching that schema. Dredd however does not enforce conformity those Mordor environments or require additional metadata (like the attacker view). The Mordor project lays out different environments where the logs were captured so that analysts can lookup which hosts map to which purpose (ex: IP 172.18.39.8 is the attacker C2 in the Shire environment). Other Data Sourcesĭredd currently only supports Mordor datasets for Sigma analysis. Here you can see that the “schtasks.exe” rule had a hit against the scheduled task log set but not the DCSync log set. However, this same procedure can be performed without merging the logs: In this example, the two Mordor logs are merged and the rules are run against the merged logs. Below is a video demonstrating the analysis process.Ī Sigma rule that uses Sysmon logs to look for “schtasks.exe” gets a hit against the two Mordor log sets. Under the hood, Dredd creates an Elasticsearch Docker container, ingests the Mordor logs into the container, translates the Sigma rules to Elasticsearch DSL queries, then runs those queries against the container and reports the results. This bypasses both the need to have a testing environment with logging infrastructure and the need to accurately simulate the attacker procedure of interest. The Mordor project aims to encapsulate attacker procedures as logs and distribute them openly to allow for ease detection content development. The other major component of Dredd is Mordor. The Sigma project provides a utility (sigmac) and library (sigmatools) to translate their format to other platforms like Splunk, QRadar, and Elastic.Ĭonverting a Sigma rule (left) to a Splunk query (right) using sigmac Sigma is a SIEM agnostic rule format that is designed to be interoperable. For the detection rule side of Dredd, Sigma was chosen. Dredd handles the log ingestion and normalization, detection rule conversion, and detection rule evaluation. ![]() Much like its namesake – Judge Dredd – Dredd is judge, jury, and executioner. In this blog, we will discuss Dredd and its potential uses. Dredd automates both the analysis of Sigma rules against Mordor datasets (collections of logs of attacker procedures), and the analysis of IDS rules against PCAPs. To address this challenge of quickly testing detection rules, we developed the tool Dredd. Creating, testing, and managing the detection rules for those changes is even more so a challenge, especially at scale. Offensive security moves at a breakneck pace and keeping up with new tools and TTPs (tactics, techniques, and procedures) can be an undertaking of its own for a security team.
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |