EVTX-to-MITRE-Attack
Set of EVTX samples (>270) mapped to MITRE ATT&CK tactic and techniques to measure your SIEM coverage or developed new use cases. (by mdecrevoisier)
EVTX-ATTACK-SAMPLES
Windows Events Attack Samples (by sbousseaden)
EVTX-to-MITRE-Attack | EVTX-ATTACK-SAMPLES | |
---|---|---|
2 | 1 | |
475 | 2,126 | |
- | - | |
3.7 | 0.0 | |
about 2 months ago | over 1 year ago | |
HTML | ||
Creative Commons Zero v1.0 Universal | GNU General Public License v3.0 only |
The number of mentions indicates the total number of mentions that we've tracked plus the number of user suggested alternatives.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
EVTX-to-MITRE-Attack
Posts with mentions or reviews of EVTX-to-MITRE-Attack.
We have used some of these posts to build our list of alternatives
and similar projects.
-
Mapping MITRE ATT&CK with Window Event Log IDs
Direct GitHub link bc ads. Like I commented last time I saw this project, I think it's a good starting point, but an important note: These mappings are 1:1. You should not limit your correlations to 1:1, but rather one ATT&CK term to many event IDs. Each technique can often be mapped to many, many different event IDs. And analysis / alerting on these events needs to be context aware, looking at other events before and after. When we approached this problem (mapping ATT&CK to detection logic) we realized there was almost never a scenario where event IDs could map 1:1 with the ATT&CK Matrix.
Source Github Link no ads.
EVTX-ATTACK-SAMPLES
Posts with mentions or reviews of EVTX-ATTACK-SAMPLES.
We have used some of these posts to build our list of alternatives
and similar projects. The last one was on 2022-08-22.
-
Sample firewall/SIEM logs
Samir has great repo for logs with attacks occurred in it, for Windows, MacOS and Network - https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES
What are some alternatives?
When comparing EVTX-to-MITRE-Attack and EVTX-ATTACK-SAMPLES you can also consider the following projects:
evtx-hunter - evtx-hunter helps to quickly spot interesting security-related activity in Windows Event Viewer (EVTX) files.
mordor - Re-play Adversarial Techniques
SIGMA-detection-rules - Set of SIGMA rules (>320) mapped to MITRE ATT&CK tactic and techniques
reversinglabs-siem-rules - A collection of various SIEM rules relating to malware family groups.
SysmonConfigPusher - Pushes Sysmon Configs
sysmon-modular - A repository of sysmon configuration modules
ASH-IR-Dataset - An impulse response dataset for binaural synthesis of spatial audio systems on headphones