Detection — Sigma, YARA, ATT&CK
Open detection rule formats and adversary-emulation testing.
Detection content is the codified knowledge of "how do we know something bad happened?" The 2024–26 lingua franca: Sigma for log-based detection, YARA for pattern-matching files / memory, MITRE ATT&CK as the technique vocabulary, Atomic Red Team for validation. For SIEM consumers see SIEM (Wazuh / Graylog). For threat-intel that drives detections see Threat Intelligence (MISP). For network-side detection see Network IDS (Suricata / Zeek). For endpoint see EDR / OSQuery.
Sigma — vendor-neutral log detection
- ★ ★ Sigma (sigmahq) — YAML rule format for log detection; SIEM-agnostic. Convert one rule to Splunk, Sentinel, Elastic, Sumo, Graylog, Wazuh, Chronicle, Panther, etc. Free OSS.
- ★ SigmaHQ rule repo — 3,000+ community rules; curated; updated near-daily. Free.
- ★ sigma-cli / pySigma — modern v2 conversion engine (replaces legacy
sigmac). Free. - Splunk2sigma / sentinel2sigma — reverse-converters.
- Uncoder.io (SOC Prime) — free / freemium web converter; Sigma → many backends + AI assistance.
- Awesome Sigma — curated lists.
YARA — pattern matching
- ★ ★ YARA — string + condition rules over files / processes / memory. Free OSS — the reference malware-pattern format.
- YARA-X — Rust rewrite, 2024+ stable; faster, safer, mostly compatible.
- ★ YARA rule repos:
- Neo23x0/signature-base (Florian Roth) — APT / hack-tool / webshell rules.
- Yara-Rules/rules — community.
- ReversingLabs YARA Rules.
- Elastic YARA repo.
- InQuest/awesome-yara — curated list.
- Yara-Forge (Florian Roth) — auto-built up-to-date packs.
- YaraScanner / yarGen / yarAnalyzer (Roth) — generate YARA from a sample.
- THOR / THOR Lite / Loki (Nextron Systems) — YARA-driven scanner; THOR paid + Lite free.
ATT&CK / TTPs
- ★ ★ MITRE ATT&CK — knowledge base of adversary tactics × techniques × procedures; the reference vocabulary. Free.
- ATT&CK Navigator — heatmap your detection / control coverage.
- DeTT&CT — map detections to ATT&CK techniques.
- ATT&CK STIX/TAXII feed — programmatic.
- MITRE D3FEND — defensive countermeasures vocabulary; complementary to ATT&CK.
- MITRE Engage — deception / engagement framework.
- MITRE CALDERA — automated adversary emulation; free.
Detection-as-code platforms
- Panther — paid; detection-as-code (Python); see SIEM (Wazuh / Graylog).
- Tines / Torq / Workato — paid; SOAR-as-code.
- Sigma rules in Git, sync to SIEM via CI — common 2024–26 pattern with sigma-cli.
- DetectionLab (Chris Long) — free lab to test rules.
Atomic / runnable techniques
- ★ ★ Atomic Red Team (Red Canary) — runnable ATT&CK techniques as PowerShell / Bash / Python scripts. The validation default — "does my detection actually fire?" Free.
- Invoke-AtomicRedTeam — PowerShell runner.
- Atomic Test Harness — coordinated runs.
- CALDERA (MITRE) — automated adversary emulation; multi-step.
- Stratus Red Team (Datadog) — cloud-focused (AWS / Azure / GCP / k8s); see Cloud Pentesting.
- Vectr (SRA) — purple-team campaign tracking; free OSS + paid.
- AtomicTestHarnesses (Microsoft) — atomic-style test variations for Windows.
- APTSimulator (NextronSystems) — single-script "make it look like an APT walked through."
- PurpleSharp — .NET adversary simulation.
Sysmon / event-log enrichers
- Sysmon (Microsoft Sysinternals) — Windows; the default endpoint event enricher.
- Sysmon for Linux — same.
- SwiftOnSecurity / Olaf Hartong sysmon-modular — community Sysmon configs.
- See EDR / OSQuery.
Sigma over event logs (offline / DFIR)
- ★ Hayabusa (Yamato Security) — Sigma-against-evtx; fast Rust; great for DFIR pre-SIEM. Free.
- Chainsaw (WithSecure) — same niche; one-shot triage.
- Zircolite — Sigma + SQLite; massive logs at speed.
- EVTX-ATTACK-SAMPLES (sbousseaden) — labelled evtx samples for testing rules.
Vendor-specific detection content (link)
- Elastic Detection Rules — public; free.
- Splunk Security Content (Splunk ESCU) — free; Splunk-flavoured.
- Sentinel Hunting Queries — KQL; free; on GitHub.
- CrowdStrike CrowdSearch / Falcon Forensics — paid.
Flow that pays off
- ★ Pull SigmaHQ → convert → deploy to your SIEM weekly via CI.
- ★ Run Atomic Red Team for every new technique you onboard rules for.
- Map every rule to ATT&CK; visualise on Navigator.
- Tune false positives; suppress at the rule, not at the SIEM.
Pick this if…
- Default vendor-neutral log detection format: Sigma.
- Default malware pattern matching: YARA / YARA-X.
- TTP knowledge base / vocabulary: MITRE ATT&CK.
- Validate detections fire: Atomic Red Team.
- Cloud-side adversary emulation: Stratus Red Team.
- DFIR Sigma-on-evtx triage: Hayabusa.
- Mature purple program: CALDERA + Vectr.