Sigma2AttackNet - Mapper of Sigma Rules ➡️ MITRE ATT&CK
S2AN is a standalone tool developed in .NET Core, available for both Linux and Windows (x64), that will run through a folder of Sigma rules and create an ATT&CK Navigator layer based on the techniques covered by the Sigma rules.
Our main motivation behind its development was to have a tool that we could reference in a CI/CD pipeline when running in a minimal build environment (without having or wanting to install Python dependencies).
S2AN is based on a similar tool available in the official Sigma repository.
You are free to review the source code we make available in this repository.
Pre-compiled binaries are available for download at the URLs below. You can reference these URLs in your pipeline (or download the binaries for manual execution), as they always point to the latest version:
- GNU/Linux: https://s2an.3coresec.net/linux/Sigma2AttackNet
- Windows: https://s2an.3coresec.net/windows/Sigma2AttackNet.exe
./Sigma2AttackNet -d folder_with_sigma_rules/
S2AN does not attempt to parse or validate the YAML files. We extract the tags that are relevant for the mapping from the rule file and create our JSON layer solely based on that.
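The tag-based mapping described above, as an added Python example; it is not S2AN's own code (S2AN is written in .NET Core). The regular expression, the subset of layer fields, the layer-format version and the sample rules are assumptions constructed for this illustration.

```python
import json
import re
from collections import defaultdict

# Sigma technique tags look like "attack.t1059" or "attack.t1059.001"; tactic tags
# ("attack.execution") are skipped. Matching is textual: no YAML parsing is done.
TAG_RE = re.compile(r"\battack\.(t\d{4}(?:\.\d{3})?)\b", re.IGNORECASE)

def extract_techniques(rule_text):
    """Return the ATT&CK technique IDs tagged in one rule file's text."""
    ids = set()
    for line in rule_text.splitlines():
        code = line.split("#", 1)[0]  # ignore commented-out tags
        ids.update(m.upper() for m in TAG_RE.findall(code))
    return ids

def build_layer(rules, name="Sigma coverage"):
    """rules: mapping of file name -> rule text. Returns a Navigator layer dict."""
    covered = defaultdict(list)
    for fname, text in sorted(rules.items()):
        for tid in extract_techniques(text):
            covered[tid].append(fname)
    return {
        "name": name,
        "versions": {"layer": "4.5"},  # assumed layer-format version
        "domain": "enterprise-attack",
        "techniques": [
            # score = number of rules covering the technique
            {"techniqueID": tid, "score": len(files), "comment": "\n".join(files)}
            for tid, files in sorted(covered.items())
        ],
    }

SAMPLE_RULES = {  # constructed sample rules, not taken from the Sigma repository
    "proc_creation_encoded_ps.yml": """title: Encoded PowerShell (constructed)
tags:
    - attack.execution
    - attack.t1059.001
    # - attack.t1027
""",
    "net_conn_script_host.yml": """title: Script host network connection (constructed)
tags:
    - attack.command_and_control
    - attack.t1059.001
    - attack.T1105
""",
    "untagged.yml": "title: No ATT&CK tags (constructed)\n",
}

if __name__ == "__main__":
    print(json.dumps(build_layer(SAMPLE_RULES), indent=2))
```

Because the match is purely textual, a rule with no technique tags contributes nothing to the layer, so a coverage gap can come from missing tags rather than missing detections.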
Visit this URL for an example visualization using ATT&CK Navigator of a layer created by S2AN against the public Sigma rules (as of 02-05-2020).