packet-noir/sig_sum
Automatically summarizes the Sigma rule files in a given directory, extracting key metadata to simplify rule management and analysis.
Stars: 0 | Forks: 0
# sig_sum
Takes the path to a directory containing Sigma rules and produces a summary of those rules.
## Dependencies
- Python >=3.10
- Third-party module 'requests'
- Third-party module 'pyyaml'
## Usage
```
python sig_sum.py /absolute/path/to/directory
```
## Example output
```
title: File And SubFolder Enumeration Via Dir Command
severity: low
source: process_creation from windows
Mitre Tags: ['discovery', 't1217'] Mitre Technique Name(s): ['Browser Information Discovery']
Detection: {'selection_cmd': [{'Image|endswith': '\\cmd.exe'}, {'OriginalFileName': 'Cmd.Exe'}], 'selection_cli': {'CommandLine|contains|windash': 'dir*-s'}, 'condition': 'all of selection_*'}
title: Potential Product Reconnaissance Via Wmic.EXE
severity: medium
source: process_creation from windows
Mitre Tags: ['execution', 't1047'] Mitre Technique Name(s): ['Windows Management Instrumentation']
Detection: {'selection_img': [{'Image|endswith': '\\wmic.exe'}, {'OriginalFileName': 'wmic.exe'}], 'selection_cli': {'CommandLine|contains': 'Product'}, 'filter_main_call_operations': {'CommandLine|contains': [' uninstall', ' install']}, 'condition': 'all of selection_* and not 1 of filter_main_*'}
title: PUA - NirCmd Execution As LOCAL SYSTEM
severity: high
source: process_creation from windows
Mitre Tags: ['execution', 't1569.002', 's0029'] Mitre Technique Name(s): ['Service Execution']
Detection: {'selection': {'CommandLine|contains': ' runassystem '}, 'condition': 'selection'}
```
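As an added illustration of the summarization that the usage and example output above describe (this is not the project's own code), the following Python reduces a parsed Sigma rule to the same fields. The ATT&CK technique-name table is a constructed stand-in; how the real tool resolves technique names (presumably via 'requests') is not shown on this page.

```python
"""Summarize Sigma rules: an added example, not the sig_sum project's own code."""
import re
from pathlib import Path

# Constructed stand-in for an ATT&CK technique-name lookup. The real tool likely
# fetches this with 'requests'; the three names below are taken from the page.
TECHNIQUE_NAMES = {
    "T1217": "Browser Information Discovery",
    "T1047": "Windows Management Instrumentation",
    "T1569.002": "Service Execution",
}
TECHNIQUE_RE = re.compile(r"^t\d{4}(\.\d{3})?$")  # t1217, t1569.002; not s0029


def summarize_rule(rule: dict, names: dict = TECHNIQUE_NAMES) -> dict:
    """Reduce one parsed Sigma rule (a dict) to the fields the summary prints."""
    logsource = rule.get("logsource", {})
    # Sigma tags look like 'attack.discovery' or 'attack.t1217'; keep the suffix.
    tags = [t.split(".", 1)[1] for t in rule.get("tags", []) if t.startswith("attack.")]
    techniques = [names.get(t.upper(), t.upper()) for t in tags if TECHNIQUE_RE.match(t)]
    return {
        "title": rule.get("title", "<untitled>"),
        "severity": rule.get("level", "unknown"),
        "source": f"{logsource.get('category', '?')} from {logsource.get('product', '?')}",
        "mitre_tags": tags,
        "technique_names": techniques,
        "detection": rule.get("detection", {}),
    }


def summarize_directory(directory: str) -> list[dict]:
    """Parse every .yml/.yaml file under `directory` with PyYAML and summarize it."""
    import yaml  # third-party 'pyyaml', as listed in the README
    summaries = []
    for path in sorted(Path(directory).rglob("*.y*ml")):
        rule = yaml.safe_load(path.read_text(encoding="utf-8"))
        if isinstance(rule, dict):  # skip empty files and non-rule YAML
            summaries.append(summarize_rule(rule))
    return summaries


# Constructed sample rule mirroring the first rule in the example output above.
SAMPLE_RULE = {
    "title": "File And SubFolder Enumeration Via Dir Command",
    "level": "low",
    "logsource": {"category": "process_creation", "product": "windows"},
    "tags": ["attack.discovery", "attack.t1217"],
    "detection": {"selection_cmd": [{"Image|endswith": "\\cmd.exe"}], "condition": "all of selection_*"},
}

if __name__ == "__main__":
    for key, value in summarize_rule(SAMPLE_RULE).items():
        print(f"{key}: {value}")
```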