Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-SkillsFramework mappings
MITRE ATT&CK
T1003 on the official MITRE ATT&CK siteT1027 on the official MITRE ATT&CK siteT1036 on the official MITRE ATT&CK siteT1055 on the official MITRE ATT&CK siteT1059 on the official MITRE ATT&CK siteT1070 on the official MITRE ATT&CK siteT1070.001 on the official MITRE ATT&CK siteT1070.006 on the official MITRE ATT&CK siteT1218 on the official MITRE ATT&CK siteT1547 on the official MITRE ATT&CK siteT1562 on the official MITRE ATT&CK siteT1562.001 on the official MITRE ATT&CK site
NIST CSF 2.0
MITRE D3FEND
When to Use
Use this skill when:
- Hunting for adversary defense evasion techniques (MITRE ATT&CK TA0005) in endpoint telemetry
- Building detection rules for common evasion methods (process injection, timestomping, log clearing)
- Investigating incidents where adversaries disabled or bypassed security tools
- Analyzing endpoint logs for indicators of living-off-the-land binary (LOLBin) abuse
Do not use this skill for network-level evasion (use network traffic analysis) or for malware reverse engineering.
Prerequisites
- Sysmon installed and configured with comprehensive logging rules (SwiftOnSecurity or Olaf Hartong config)
- Windows Security Event Log with advanced audit policy enabled
- EDR telemetry (CrowdStrike, SentinelOne, Microsoft Defender for Endpoint)
- SIEM platform for log correlation (Splunk, Elastic, Sentinel)
- MITRE ATT&CK Enterprise matrix for technique reference
Workflow
Step 1: Detect Log Tampering (T1070)
Windows Event Log clearing (T1070.001):
# Sysmon Event ID 1 (Process Create) for wevtutil
EventID: 1
CommandLine contains: "wevtutil cl" OR "wevtutil clear-log"
# Security Event ID 1102 - Audit log was cleared
EventID: 1102
Source: Microsoft-Windows-Eventlog
# System Event ID 104 - Event log was cleared
EventID: 104
# PowerShell log clearing
EventID: 1 (Sysmon)
CommandLine contains: "Clear-EventLog" OR "Remove-EventLog"
# Splunk query:
index=windows (EventCode=1102 OR EventCode=104)
OR (EventCode=1 CommandLine="*wevtutil*cl*")
OR (EventCode=1 CommandLine="*Clear-EventLog*")
| table _time host user CommandLine EventCodeTimestomping (T1070.006):
# Sysmon Event ID 2 - File creation time changed
EventID: 2
# Look for creation times set far in the past on recently-written files
# Correlate with Event ID 11 (FileCreate) - if FileCreate is recent but
# creation time in Event ID 2 is old, timestomping is likely
# MDE Advanced Hunting (KQL):
DeviceFileEvents
| where ActionType == "FileTimestampModified"
| where Timestamp > ago(7d)
| extend TimeDiff = datetime_diff('day', Timestamp, ReportedFileCreationTime)
| where TimeDiff > 30
| project Timestamp, DeviceName, FileName, FolderPath,
ReportedFileCreationTime, InitiatingProcessFileNameStep 2: Detect Process Injection (T1055)
# Sysmon Event ID 8 - CreateRemoteThread
EventID: 8
# Alert when source process is unusual (not system processes)
# Filter out known legitimate: antivirus, debugging tools
SourceImage NOT IN ("C:\Windows\System32\csrss.exe",
"C:\Windows\System32\lsass.exe")
# Sysmon Event ID 10 - ProcessAccess with suspicious access masks
EventID: 10
GrantedAccess contains: "0x1F0FFF" OR "0x1FFFFF" OR "0x001F0FFF"
# PROCESS_ALL_ACCESS = 0x1F0FFF (common in injection)
# Filter legitimate: AV accessing all processes
# Sysmon Event ID 25 - Process Tampering
EventID: 25
Type: "Image is replaced" # Process hollowing indicator
# Splunk detection:
index=sysmon EventCode=8
| where NOT match(SourceImage, "(?i)(csrss|svchost|MsMpEng|defender)")
| stats count by SourceImage TargetImage host
| where count < 5
| sort - countStep 3: Detect Security Tool Disabling (T1562)
# Service stopped events for security services
EventID: 7045 (new service) OR 7036 (service state change)
ServiceName IN ("WinDefend", "Sense", "CrowdStrike Falcon Sensor",
"SentinelAgent", "csagent", "MBAMService")
# Sysmon Event ID 1 - Processes that disable Defender
CommandLine contains: "Set-MpPreference -DisableRealtimeMonitoring"
OR "sc stop WinDefend"
OR "sc config WinDefend start= disabled"
OR "net stop" AND ("windefend" OR "sense" OR "csagent")
# Registry modification to disable security features
# Sysmon Event ID 13 - Registry value set
TargetObject contains: "DisableAntiSpyware"
OR "DisableRealtimeMonitoring"
OR "DisableBehaviorMonitoring"
Details: "DWORD (0x00000001)"
# MDE KQL:
DeviceRegistryEvents
| where RegistryValueName in ("DisableAntiSpyware", "DisableRealtimeMonitoring")
| where RegistryValueData == "1"
| project Timestamp, DeviceName, RegistryKey, InitiatingProcessFileNameStep 4: Detect Masquerading (T1036)
# Sysmon Event ID 1 - Process with legitimate name from unusual path
EventID: 1
Image contains: "svchost.exe" AND Image NOT starts with: "C:\Windows\System32\"
Image contains: "csrss.exe" AND Image NOT starts with: "C:\Windows\System32\"
Image contains: "lsass.exe" AND Image NOT starts with: "C:\Windows\System32\"
# Process name mismatch (original filename vs. current name)
# Sysmon captures OriginalFileName from PE header
EventID: 1
OriginalFileName != (parsed filename from Image path)
# Double extension files
EventID: 11 (FileCreate)
TargetFilename matches: "*\.pdf\.exe" OR "*\.doc\.exe" OR "*\.jpg\.exe"
# Splunk:
index=sysmon EventCode=1
| eval process_name=mvindex(split(Image,"\\"),-1)
| where (process_name="svchost.exe" AND NOT match(Image,"(?i)C:\\\\Windows\\\\System32"))
OR (process_name="csrss.exe" AND NOT match(Image,"(?i)C:\\\\Windows\\\\System32"))
| table _time host Image ParentImage CommandLine UserStep 5: Detect LOLBin Abuse (T1218, T1127)
# Common LOLBin abuse patterns:
# mshta.exe executing remote content
EventID: 1
Image ends with: "mshta.exe"
CommandLine contains: "http" OR "javascript:" OR "vbscript:"
# certutil.exe downloading files
EventID: 1
Image ends with: "certutil.exe"
CommandLine contains: "-urlcache" OR "-decode" OR "-encode"
# regsvr32.exe executing scriptlets
EventID: 1
Image ends with: "regsvr32.exe"
CommandLine contains: "/s /n /u /i:" OR "scrobj.dll"
# rundll32.exe with unusual DLLs
EventID: 1
Image ends with: "rundll32.exe"
CommandLine contains: "javascript:" OR ".js" OR "http:"
# MSBuild executing inline tasks
EventID: 1
Image contains: "MSBuild.exe"
CommandLine NOT contains: ".sln" AND NOT contains: ".csproj"Step 6: Build Detection Rule Correlation
# Combine multiple weak signals into high-confidence detection:
# Rule: Potential post-exploitation evasion chain
# Trigger when 3+ evasion techniques observed on same host within 1 hour
# Splunk correlation search:
index=sysmon host=*
| eval technique=case(
EventCode=2, "timestomping",
EventCode=8 AND NOT match(SourceImage,"csrss|svchost"), "process_injection",
EventCode=1 AND match(CommandLine,"(?i)wevtutil.*cl"), "log_clearing",
EventCode=13 AND match(TargetObject,"DisableRealtimeMonitoring"), "security_disable",
EventCode=1 AND match(CommandLine,"(?i)(mshta|certutil.*urlcache|regsvr32.*/s.*/n)"), "lolbin_abuse",
true(), NULL
)
| where isnotnull(technique)
| bin _time span=1h
| stats dc(technique) as technique_count values(technique) as techniques by host _time
| where technique_count >= 3
| sort - technique_countKey Concepts
| Term | Definition |
|---|---|
| Defense Evasion (TA0005) | MITRE ATT&CK tactic where adversaries attempt to avoid detection during operations |
| Process Injection (T1055) | Technique of injecting code into another process's memory space to execute in a trusted context |
| Timestomping (T1070.006) | Modifying file timestamps to make malicious files appear old and blend with legitimate files |
| Masquerading (T1036) | Naming malicious files or processes to match legitimate system files to avoid detection |
| LOLBin | Living Off the Land Binary; legitimate Windows tool repurposed by adversaries |
| Indicator Removal (T1070) | Clearing logs, deleting files, or modifying artifacts to remove evidence of compromise |
Tools & Systems
- Sysmon: Advanced Windows system monitoring with kernel-level visibility
- Microsoft Defender for Endpoint: EDR with advanced hunting (KQL) for evasion detection
- CrowdStrike Falcon: IOA-based behavioral detection for evasion techniques
- Elastic Security: SIEM with prebuilt detection rules for ATT&CK evasion techniques
- Sigma Rules: Vendor-agnostic detection rule format with extensive evasion rule library
Common Pitfalls
- Alert fatigue from process injection rules: Many legitimate tools (AV, accessibility) perform process injection. Maintain an allowlist of known-good source processes.
- Missing Sysmon Event ID 8/10: Default Sysmon configurations may not capture CreateRemoteThread or ProcessAccess. Use a comprehensive Sysmon config.
- Ignoring parent process context: A suspicious command line from cmd.exe is concerning only if the parent of cmd.exe is unusual (e.g., Excel spawning cmd.exe).
- Not correlating across event types: Single events are often benign. Combine multiple weak signals (process creation + network connection + file creation) for high-confidence detections.
Source materials
References and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 3
api-reference.md1.7 KB
API Reference: Detecting Evasion Techniques in Endpoint Logs
Key Windows Event IDs for Evasion
| Event ID | Source | Evasion Technique |
|---|---|---|
| 1102 | Security | Audit log cleared (T1070.001) |
| Sysmon 2 | Sysmon | Timestomping (T1070.006) |
| Sysmon 8 | Sysmon | CreateRemoteThread (T1055) |
| Sysmon 10 | Sysmon | Process Access / LSASS (T1003) |
| 4688 | Security | Process creation with cmdline |
python-evtx Usage
import Evtx.Evtx as evtx
with evtx.Evtx("Sysmon.evtx") as log:
for record in log.records():
xml = record.xml()
# Parse EventID, CommandLine, SourceImage, TargetImageEvasion Detection Patterns
# Log clearing
r"wevtutil\s+(cl|clear-log)"
r"Clear-EventLog"
# Security tool disable
r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$true"
r"sc\s+(stop|delete)\s+WinDefend"
# AMSI bypass
r"[Ref].Assembly.GetType.*AMSI"
r"amsiInitFailed"MITRE ATT&CK TA0005 Techniques
| Technique | ID | Detection |
|---|---|---|
| Indicator Removal | T1070 | Log clearing, file deletion |
| Timestomping | T1070.006 | Sysmon Event ID 2 |
| Process Injection | T1055 | Sysmon Event ID 8 |
| Impair Defenses | T1562.001 | AV/EDR disabling commands |
| AMSI Bypass | T1562.001 | PowerShell AMSI patching |
Splunk SPL Detection
index=sysmon (EventCode=2 OR EventCode=8 OR EventCode=10)
| eval technique=case(
EventCode=2, "Timestomping",
EventCode=8, "Process Injection",
EventCode=10, "Process Access")
| stats count by technique, SourceImage, ComputerCLI Usage
python agent.py --evtx-file Sysmon.evtx
python agent.py --evtx-file Security.evtxstandards.md1.6 KB
Standards & References - Detecting Evasion Techniques in Endpoint Logs
Primary Standards
MITRE ATT&CK TA0005 - Defense Evasion
- URL: https://attack.mitre.org/tactics/TA0005/
- Scope: 43 techniques and 80+ sub-techniques for defense evasion
- Key techniques: T1055 (Process Injection), T1070 (Indicator Removal), T1036 (Masquerading), T1218 (System Binary Proxy Execution), T1562 (Impair Defenses)
Sigma Detection Rules
- URL: https://github.com/SigmaHQ/sigma
- Scope: Community-maintained detection rules in vendor-agnostic format
- Evasion rules: rules/windows/process_creation/proc_creation_win_*, rules/windows/sysmon/
LOLBAS Project
- URL: https://lolbas-project.github.io/
- Scope: Catalog of Windows binaries that can be used for defense evasion, with detection recommendations
Compliance Mappings
| Framework | Requirement | Detection Coverage |
|---|---|---|
| NIST 800-53 | SI-4 System Monitoring | Evasion detection via endpoint logging |
| NIST 800-53 | AU-6 Audit Record Review | Log analysis for tampering indicators |
| PCI DSS 4.0 | 10.4.1 - Audit log review | Automated detection of log tampering |
| ISO 27001 | A.12.4.1 - Event logging | Integrity monitoring of security logs |
Supporting References
- Sysmon Configuration: https://github.com/SwiftOnSecurity/sysmon-config
- Olaf Hartong Sysmon Modular: https://github.com/olafhartong/sysmon-modular
- SANS Hunt Evil Poster: Comprehensive guide to suspicious Windows process behavior
- Elastic Detection Rules: https://github.com/elastic/detection-rules
workflows.md2.2 KB
Workflows - Detecting Evasion Techniques in Endpoint Logs
Workflow 1: Evasion Technique Threat Hunt
[Select evasion technique to hunt]
│
├── T1055 Process Injection
├── T1070 Log Tampering
├── T1036 Masquerading
├── T1562 Security Tool Disabling
│
▼
[Craft detection query (Splunk/KQL/Elastic)]
│
▼
[Execute across 30-90 days of endpoint telemetry]
│
▼
[Triage results]
│
├── Known-good (allowlist) ──► [Add to baseline, refine query]
├── Suspicious ──► [Deep investigation]
│ │
│ ├── Correlate with other telemetry
│ ├── Check process tree
│ ├── Review network connections
│ │
│ ├── True positive ──► [Escalate to IR]
│ └── False positive ──► [Tune detection]
│
└── No results ──► [Validate logging covers technique]Workflow 2: Detection Rule Deployment
[Create Sigma/SIEM detection rule]
│
▼
[Test against historical data]
│
├── High false positive rate ──► [Refine exclusions]
│
└── Acceptable FP rate ──► [Deploy in alert mode]
│
▼
[Monitor for 2 weeks]
│
▼
[Review alert quality]
│
▼
[Promote to production detection]Workflow 3: Evasion Incident Response
[Evasion technique detected]
│
▼
[Assess scope: Which endpoints affected?]
│
▼
[Correlate with initial access and persistence]
│
▼
[Determine if adversary achieved objectives]
│
├── Active intrusion ──► [Full incident response]
│
└── Isolated event ──► [Remediate endpoint, enhance detection]Scripts 2
agent.py5.9 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""Defense evasion detection agent for endpoint logs.
Detects MITRE ATT&CK TA0005 evasion techniques including log clearing,
timestomping, process injection indicators, and security tool disabling
by analyzing Sysmon and Windows Security event logs.
"""
import argparse
import json
import re
from datetime import datetime
try:
import Evtx.Evtx as evtx
except ImportError:
evtx = None
EVASION_EVENT_IDS = {
1102: {"name": "Audit Log Cleared", "severity": "CRITICAL", "mitre": "T1070.001"},
4688: {"name": "Process Creation", "severity": "INFO", "mitre": "T1059"},
4689: {"name": "Process Termination", "severity": "INFO", "mitre": ""},
}
SYSMON_EVASION_IDS = {
1: "Process Create",
2: "File creation time changed (Timestomping)",
8: "CreateRemoteThread",
10: "Process Access",
12: "Registry Object Create/Delete",
13: "Registry Value Set",
}
TIMESTOMP_INDICATORS = [
r"SetFileTime", r"timestomp", r"\$STANDARD_INFORMATION",
r"NtSetInformationFile", r"SetFileInformationByHandle",
]
LOG_CLEARING_COMMANDS = [
r"wevtutil\s+(cl|clear-log)",
r"Clear-EventLog",
r"Remove-EventLog",
r"del\s+.*\.evtx",
r"wmic\s+nteventlog.*clear",
]
SECURITY_TOOL_DISABLE = [
r"(Stop|Disable)-Service.*(Windows Defender|WinDefend|MsMpSvc)",
r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$true",
r"sc\s+(stop|delete)\s+(WinDefend|MsMpSvc|Sense)",
r"netsh\s+advfirewall\s+set\s+.*state\s+off",
r"reg\s+add.*DisableAntiSpyware.*1",
r"taskkill.*/im\s+(MsMpEng|avp|avgui|mbam)",
]
AMSI_BYPASS_PATTERNS = [
r"amsi(Init|Scan)Buffer",
r"AmsiUtils",
r"amsiContext",
r"[Ref].Assembly.GetType.*AMSI",
]
def analyze_evtx_for_evasion(filepath):
if evtx is None:
return {"error": "python-evtx not installed: pip install python-evtx"}
findings = []
with evtx.Evtx(filepath) as log:
for record in log.records():
xml = record.xml()
event_id_match = re.search(r'<EventID[^>]*>(\d+)</EventID>', xml)
if not event_id_match:
continue
event_id = int(event_id_match.group(1))
time_match = re.search(r'SystemTime="([^"]+)"', xml)
timestamp = time_match.group(1) if time_match else ""
if event_id == 1102:
findings.append({
"event_id": 1102, "timestamp": timestamp,
"severity": "CRITICAL", "mitre": "T1070.001",
"description": "Security audit log was cleared",
})
if event_id == 2:
findings.append({
"event_id": 2, "timestamp": timestamp,
"severity": "HIGH", "mitre": "T1070.006",
"description": "File creation time modified (timestomping)",
})
if event_id == 8:
source = re.search(r'<Data Name="SourceImage">([^<]+)', xml)
target = re.search(r'<Data Name="TargetImage">([^<]+)', xml)
findings.append({
"event_id": 8, "timestamp": timestamp,
"source": source.group(1) if source else "",
"target": target.group(1) if target else "",
"severity": "HIGH", "mitre": "T1055",
"description": "CreateRemoteThread detected (process injection)",
})
if event_id in (1, 4688):
cmdline = re.search(r'<Data Name="CommandLine">([^<]+)', xml)
if not cmdline:
cmdline = re.search(r'<Data Name="NewProcessName">([^<]+)', xml)
if cmdline:
cmd = cmdline.group(1)
for pattern in LOG_CLEARING_COMMANDS:
if re.search(pattern, cmd, re.IGNORECASE):
findings.append({
"event_id": event_id, "timestamp": timestamp,
"command": cmd[:200], "severity": "CRITICAL",
"mitre": "T1070.001",
"description": "Log clearing command detected",
})
for pattern in SECURITY_TOOL_DISABLE:
if re.search(pattern, cmd, re.IGNORECASE):
findings.append({
"event_id": event_id, "timestamp": timestamp,
"command": cmd[:200], "severity": "CRITICAL",
"mitre": "T1562.001",
"description": "Security tool disabling detected",
})
for pattern in AMSI_BYPASS_PATTERNS:
if re.search(pattern, cmd, re.IGNORECASE):
findings.append({
"event_id": event_id, "timestamp": timestamp,
"command": cmd[:200], "severity": "HIGH",
"mitre": "T1562.001",
"description": "AMSI bypass attempt detected",
})
return findings
def main():
parser = argparse.ArgumentParser(description="Defense Evasion Detector")
parser.add_argument("--evtx-file", required=True, help="EVTX file (Sysmon or Security)")
args = parser.parse_args()
findings = analyze_evtx_for_evasion(args.evtx_file)
if isinstance(findings, dict) and "error" in findings:
results = findings
else:
results = {
"timestamp": datetime.utcnow().isoformat() + "Z",
"source_file": args.evtx_file,
"findings": findings,
"total_findings": len(findings),
"by_severity": {},
}
for f in findings:
sev = f.get("severity", "UNKNOWN")
results["by_severity"][sev] = results["by_severity"].get(sev, 0) + 1
print(json.dumps(results, indent=2))
if __name__ == "__main__":
main()
process.py7.1 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""
Endpoint Evasion Technique Detector
Analyzes Windows event logs (exported as EVTX/CSV) for common defense
evasion techniques mapped to MITRE ATT&CK TA0005.
"""
import json
import csv
import re
import sys
import os
from collections import defaultdict
from datetime import datetime
EVASION_PATTERNS = {
"T1070.001-log_clearing": {
"name": "Indicator Removal: Clear Windows Event Logs",
"severity": "high",
"patterns": [
r"wevtutil\s+(cl|clear-log)",
r"Clear-EventLog",
r"Remove-EventLog",
],
"event_ids": ["1102", "104"],
},
"T1055-process_injection": {
"name": "Process Injection",
"severity": "high",
"sysmon_event_ids": ["8", "10", "25"],
"patterns": [
r"VirtualAllocEx",
r"WriteProcessMemory",
r"CreateRemoteThread",
r"NtMapViewOfSection",
],
},
"T1562.001-disable_security": {
"name": "Impair Defenses: Disable or Modify Tools",
"severity": "critical",
"patterns": [
r"Set-MpPreference\s+-Disable",
r"sc\s+(stop|config)\s+(WinDefend|Sense|MBAMService)",
r"net\s+stop\s+(windefend|sense|csagent)",
r"DisableAntiSpyware",
r"DisableRealtimeMonitoring",
],
},
"T1036-masquerading": {
"name": "Masquerading",
"severity": "medium",
"suspicious_paths": {
"svchost.exe": r"C:\\Windows\\System32\\svchost\.exe",
"csrss.exe": r"C:\\Windows\\System32\\csrss\.exe",
"lsass.exe": r"C:\\Windows\\System32\\lsass\.exe",
"smss.exe": r"C:\\Windows\\System32\\smss\.exe",
"services.exe": r"C:\\Windows\\System32\\services\.exe",
},
},
"T1218-lolbin_abuse": {
"name": "System Binary Proxy Execution",
"severity": "high",
"patterns": [
r"mshta\.exe.*https?://",
r"mshta\.exe.*javascript:",
r"certutil\.exe.*-urlcache",
r"certutil\.exe.*-decode",
r"regsvr32\.exe.*/s.*/n.*/u.*/i:",
r"rundll32\.exe.*javascript:",
r"MSBuild\.exe(?!.*\.(sln|csproj|vbproj))",
r"installutil\.exe.*/logfile=",
],
},
"T1070.006-timestomping": {
"name": "Indicator Removal: Timestomp",
"severity": "medium",
"sysmon_event_ids": ["2"],
},
}
def analyze_sysmon_csv(csv_path: str) -> list:
"""Analyze Sysmon events exported as CSV for evasion techniques."""
detections = []
with open(csv_path, "r", encoding="utf-8-sig") as f:
reader = csv.DictReader(f)
for row in reader:
event_id = row.get("Event ID", row.get("EventID", ""))
message = row.get("Message", row.get("Details", ""))
command_line = row.get("CommandLine", "")
image = row.get("Image", row.get("Process Name", ""))
timestamp = row.get("Date and Time", row.get("TimeCreated", ""))
full_text = f"{message} {command_line} {image}".lower()
for technique_id, technique in EVASION_PATTERNS.items():
detected = False
detection_detail = ""
if "event_ids" in technique and event_id in technique["event_ids"]:
detected = True
detection_detail = f"Event ID {event_id} detected"
if "sysmon_event_ids" in technique and event_id in technique["sysmon_event_ids"]:
detected = True
detection_detail = f"Sysmon Event ID {event_id}"
for pattern in technique.get("patterns", []):
if re.search(pattern, full_text, re.IGNORECASE):
detected = True
detection_detail = f"Pattern match: {pattern}"
break
if "suspicious_paths" in technique and image:
image_lower = image.lower()
for proc_name, expected_path in technique["suspicious_paths"].items():
if proc_name in image_lower:
if not re.match(expected_path, image, re.IGNORECASE):
detected = True
detection_detail = f"Masquerading: {proc_name} from unexpected path {image}"
if detected:
detections.append({
"timestamp": timestamp,
"technique_id": technique_id.split("-")[0],
"technique_name": technique["name"],
"severity": technique["severity"],
"event_id": event_id,
"process": image,
"command_line": command_line[:300],
"detail": detection_detail,
"host": row.get("Computer", row.get("host", "")),
})
return detections
def generate_detection_report(detections: list, output_path: str) -> None:
"""Generate evasion detection report."""
by_technique = defaultdict(list)
by_severity = defaultdict(int)
by_host = defaultdict(int)
for d in detections:
by_technique[d["technique_id"]].append(d)
by_severity[d["severity"]] += 1
by_host[d["host"]] += 1
report = {
"report_generated": datetime.utcnow().isoformat() + "Z",
"total_detections": len(detections),
"summary": {
"by_severity": dict(by_severity),
"by_technique": {k: len(v) for k, v in by_technique.items()},
"by_host": dict(by_host),
},
"detections": detections[:200],
}
with open(output_path, "w", encoding="utf-8") as f:
json.dump(report, f, indent=2)
if __name__ == "__main__":
if len(sys.argv) < 2:
print("Usage: python process.py <sysmon_events.csv>")
print()
print("Analyzes exported Sysmon/Windows event logs for defense evasion techniques.")
sys.exit(1)
csv_path = sys.argv[1]
if not os.path.exists(csv_path):
print(f"Error: File not found: {csv_path}")
sys.exit(1)
print("Analyzing endpoint logs for evasion techniques...")
detections = analyze_sysmon_csv(csv_path)
base = os.path.splitext(os.path.basename(csv_path))[0]
out_dir = os.path.dirname(csv_path) or "."
report_path = os.path.join(out_dir, f"{base}_evasion_report.json")
generate_detection_report(detections, report_path)
print(f"Detection report: {report_path}")
print(f"\n--- Evasion Detection Summary ---")
print(f"Total detections: {len(detections)}")
severity_counts = defaultdict(int)
technique_counts = defaultdict(int)
for d in detections:
severity_counts[d["severity"]] += 1
technique_counts[d["technique_id"]] += 1
for sev in ["critical", "high", "medium", "low"]:
if severity_counts[sev]:
print(f" {sev.upper()}: {severity_counts[sev]}")
if technique_counts:
print(f"\nBy technique:")
for tid, count in sorted(technique_counts.items(), key=lambda x: -x[1]):
print(f" {tid}: {count}")
Assets 1
template.mdtext/markdown · 0.8 KBKeep exploring