---
name: pentest-detection
description: Detection engineering — Sigma, Splunk SPL, Elastic KQL, Microsoft Sentinel KQL, YARA, Suricata rule-writing advisory. Triggers on detection engineering, Sigma rule, Splunk SPL, Elastic KQL, Sentinel KQL, YARA, Suricata, Snort, SIEM rule, EDR rule, hunting query.
license: MIT
compatibility: Works with Claude Code
allowed-tools: Read Write Edit Grep
metadata:
  author: badi
  badi-version: ">=1.24.0"
  category: pentest
  scope: advisory
  inspired-by: 0xSteph/pentest-ai-agents detection-engineer
---

# pentest-detection

Defensive detection rule writing: converts pentest findings into detection rules so that future attacks of the same kind are caught.

## Triggers

- "Write a Sigma rule"
- "Splunk SPL query"
- "KQL hunting query"
- "Sentinel rule"
- "YARA signature"
- "Suricata rule"
- "detection coverage analysis"

## Sigma (Vendor-Agnostic)

```yaml
title: Suspicious PowerShell Encoded Command Execution
id: 12345678-1234-1234-1234-1234567890ab
status: experimental
description: Detects PowerShell with -EncodedCommand flag, common in payloads
references:
  - https://attack.mitre.org/techniques/T1059/001/
author: Security Team
date: 2026/05/15
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  product: windows
  service: powershell   # Event ID 4104 is script block logging, not process creation
detection:
  selection:
    EventID: 4104
    ScriptBlockText|contains:
      - '-EncodedCommand'
      - '-enc '
      - '-e '
  filter:
    User|startswith: 'NT AUTHORITY\SYSTEM'
  condition: selection and not filter
falsepositives:
  - Legitimate admin scripts
level: high
```

## Splunk SPL

```spl
index=windows EventCode=4104
| where match(ScriptBlockText, "-EncodedCommand|-enc\s|-e\s")
| stats count by Computer, User, ScriptBlockText
| where count > 1
| sort -count
```

## Elastic KQL

```kql
event.code:"4104"
AND powershell.file.script_block_text:(*-EncodedCommand* OR "-enc " OR "-e ")
AND NOT user.name:"SYSTEM"
```

## Microsoft Sentinel KQL

```kql
// 4104 script-block events are collected from the PowerShell Operational log
// into the Event table; SecurityEvent only holds the Security log
Event
| where EventLog == "Microsoft-Windows-PowerShell/Operational" and EventID == 4104
| where EventData has_any ("-EncodedCommand", "-enc ", "-e ")
| where UserName != "NT AUTHORITY\\SYSTEM"
| summarize count() by Computer, UserName, EventData
// add a count_ threshold here after the 7-30 day baseline
```

## YARA (Malware/File Signatures)

```yara
rule SuspiciousPowerShellLoader {
    meta:
        author = "Security Team"
        date = "2026-05-15"
        description = "Detects PowerShell with base64 + IEX pattern"
        tags = "attack.t1059.001"

    strings:
        $iex = "IEX" nocase
        $invoke = "Invoke-Expression" nocase
        $b64 = /[A-Za-z0-9+\/]{50,}={0,2}/   // base64 blob >= 50 char
        $download = "DownloadString" nocase
        $bypass = "ExecutionPolicy Bypass" nocase

    condition:
        ($iex or $invoke) and $b64 and ($download or $bypass)
}
```

## Suricata (Network IDS)

```suricata
alert http any any -> any any (msg:"Possible SQL Injection in URI"; \
  flow:established,to_server; \
  http.uri; content:"' OR '1"; nocase; \
  classtype:web-application-attack; sid:1000001; rev:1;)

# bsize pre-filters on query length (20 label chars + ".com") so the pcre
# only runs on names that can match
alert dns any any -> any any (msg:"DNS Query to Suspicious DGA Domain"; \
  dns.query; bsize:>23; pcre:"/^[a-z0-9]{20,}\.(com|net)$/i"; \
  classtype:trojan-activity; sid:1000002; rev:1;)
```

## Detection Coverage Mapping

After the pentest, map every finding to a detection rule:

```yaml
finding: BloodHound LDAP enumeration
mitre: T1087.002 (Account Discovery: Domain Account)
detection:
  - sigma:
      file: bloodhound_ldap_query.yml
      query: large_ldap_query_pattern
  - splunk: |
      index=windows EventCode=4662
      | search ObjectName="DC=*"
      | stats count by SubjectUserName
      | where count > 1000
  - sentinel: |
      SecurityEvent
      | where EventID == 4662
      | where ObjectName contains "DC="
      | summarize count() by Account
      | where count_ > 1000
```

## Atomic Red Team Mapping

Aligning Atomic Red Team (ART) tests with pentest findings:

```powershell
# Pentest finding: PsExec lateral movement
# ART test: T1021.002 - Test 1 (PsExec.exe)

# Detection test (Invoke-AtomicRedTeam syntax: technique plus -TestNumbers)
Invoke-AtomicTest T1021.002 -TestNumbers 1
Invoke-AtomicTest T1021.002 -TestNumbers 1 -Cleanup

# Run the query in the SIEM; it must return a hit
# No hit means a coverage gap
```

## Detection Rule Test Strategy

```
1. Positive test: simulated attack -> rule fires
2. Negative test: normal activity -> no false positive
3. Tuning: 7-30 day baseline, compute the false positive rate
4. Action: low confidence -> alert only, high -> auto-isolate
```
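The Sigma rule above and the positive/negative tests in this strategy can be exercised offline. The following is an added example for this skill file, not code from the page or from the Sigma project: a minimal evaluator for the rule's `selection and not filter` logic run over a constructed set of Event ID 4104 records. The event records, the `RULE` dict, the labels and every function name are assumptions made for the demo.

```python
"""Sigma-style rule check over constructed 4104 events (added example)."""
from typing import Any, Dict, List

# Constructed Event ID 4104 script-block records (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "4104", "User": "CORP\\alice",
     "ScriptBlockText": "powershell.exe -NoP -W Hidden -enc SQBFAFgAIAAoAE4A"},
    {"EventID": "4104", "User": "NT AUTHORITY\\SYSTEM",
     "ScriptBlockText": "powershell.exe -EncodedCommand SQBFAFgAIAAoAE4A"},
    {"EventID": "4104", "User": "CORP\\bob",
     "ScriptBlockText": "Get-ChildItem -Path C:\\Logs -Recurse"},
    {"EventID": "4104", "User": "CORP\\carol",
     "ScriptBlockText": "Import-Module ActiveDirectory; Get-ADUser -Filter *"},
    {"EventID": "4103", "User": "CORP\\dave",
     "ScriptBlockText": "powershell -e SQBFAFgA"},
]
# Ground truth for the test strategy: True = simulated attack, False = benign.
SAMPLE_LABELS = [True, True, False, False, True]

# The detection block of the Sigma rule, expressed as plain dicts (assumed layout).
RULE: Dict[str, Dict[str, Any]] = {
    "selection": {
        "EventID": "4104",
        "ScriptBlockText|contains": ["-EncodedCommand", "-enc ", "-e "],
    },
    "filter": {"User|startswith": "NT AUTHORITY\\SYSTEM"},
}


def _match_field(event: Dict[str, str], key: str, wanted: Any) -> bool:
    """Evaluate one 'Field|modifier: value(s)' entry; Sigma string matching is case-insensitive."""
    field, _, modifier = key.partition("|")
    value = event.get(field, "").lower()
    candidates = [str(w).lower() for w in (wanted if isinstance(wanted, list) else [wanted])]
    if modifier == "contains":
        return any(c in value for c in candidates)
    if modifier == "startswith":
        return any(value.startswith(c) for c in candidates)
    return value in candidates  # no modifier: exact match


def _match_block(event: Dict[str, str], block: Dict[str, Any]) -> bool:
    """Every entry of a Sigma map must hold (logical AND)."""
    return all(_match_field(event, k, v) for k, v in block.items())


def rule_fires(event: Dict[str, str], rule: Dict[str, Dict[str, Any]] = RULE) -> bool:
    """condition: selection and not filter"""
    return _match_block(event, rule["selection"]) and not _match_block(event, rule["filter"])


def positive_hits(events, labels, rule=RULE):
    """Positive test: simulated attacks the rule fires on."""
    return [e for e, is_attack in zip(events, labels) if is_attack and rule_fires(e, rule)]


def missed_attacks(events, labels, rule=RULE):
    """Simulated attacks the rule does NOT fire on, i.e. its blind spots."""
    return [e for e, is_attack in zip(events, labels) if is_attack and not rule_fires(e, rule)]


def false_positive_rate(events, labels, rule=RULE) -> float:
    """Negative test: share of benign events that fire (target 0.0 before deployment)."""
    benign = [e for e, is_attack in zip(events, labels) if not is_attack]
    if not benign:
        return 0.0
    return sum(rule_fires(e, rule) for e in benign) / len(benign)


if __name__ == "__main__":
    print("fires on:", [e["User"] for e in positive_hits(SAMPLE_EVENTS, SAMPLE_LABELS)])
    print("missed:", [(e["EventID"], e["User"]) for e in missed_attacks(SAMPLE_EVENTS, SAMPLE_LABELS)])
    print("false positive rate:", false_positive_rate(SAMPLE_EVENTS, SAMPLE_LABELS))
```

Two of the three simulated attacks are missed on purpose: the SYSTEM-context event is dropped by the rule's own filter, and the 4103 event falls outside the selection. Listing misses alongside false positives is what turns steps 1 and 2 of the strategy into a coverage statement rather than a pass/fail.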

## Output Template

```markdown
## Detection Coverage — <engagement>

### Finding -> Detection Rule
| Finding | ATT&CK | Sigma | Splunk | Sentinel | Coverage |
|---------|--------|-------|--------|----------|----------|
| Kerberoast | T1558.003 | DC1234 | yes | yes | FULL |
| PsExec lateral | T1021.002 | DC1235 | yes | no | PARTIAL |
| BloodHound LDAP | T1087.002 | (new) | (new) | (new) | NEW |
| DCSync | T1003.006 | DC1236 | yes | yes | FULL |

### Gap Analysis
- BloodHound LDAP enum: NO coverage in any SIEM
  -> propose a new Sigma rule (attached to this report)
- PsExec: missing in Sentinel
  -> write a Sentinel detection rule template

### Test
- Atomic Red Team T1021.002-1 -> Splunk: HIT, Sentinel: MISS
- Recommended action: ship the Sentinel detection rule
```
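The coverage mapping and the template table above follow one fixed rule: FULL when every SIEM has a rule, NEW when none does, PARTIAL otherwise. The following added example (not code from the page) derives the table rows and the gap list from a per-finding rule inventory so the status column is computed rather than typed. The finding names, ATT&CK IDs and rule IDs are the ones in the template; the inventory layout and the function names are assumptions.

```python
"""Coverage table and gap list for the output template (added example)."""
from typing import Dict, List, Optional, Tuple

SIEMS = ("sigma", "splunk", "sentinel")

# Constructed inventory mirroring the template rows: a rule id or "yes" where a
# rule exists, None where the finding has no rule in that SIEM.
FINDINGS: List[Dict[str, Optional[str]]] = [
    {"finding": "Kerberoast", "attack": "T1558.003", "sigma": "DC1234", "splunk": "yes", "sentinel": "yes"},
    {"finding": "PsExec lateral", "attack": "T1021.002", "sigma": "DC1235", "splunk": "yes", "sentinel": None},
    {"finding": "BloodHound LDAP", "attack": "T1087.002", "sigma": None, "splunk": None, "sentinel": None},
    {"finding": "DCSync", "attack": "T1003.006", "sigma": "DC1236", "splunk": "yes", "sentinel": "yes"},
]


def missing_siems(row: Dict[str, Optional[str]]) -> List[str]:
    """SIEMs in which this finding has no detection rule."""
    return [s for s in SIEMS if not row.get(s)]


def coverage_status(row: Dict[str, Optional[str]]) -> str:
    """FULL when every SIEM has a rule, NEW when none does, PARTIAL otherwise."""
    missing = missing_siems(row)
    if not missing:
        return "FULL"
    if len(missing) == len(SIEMS):
        return "NEW"
    return "PARTIAL"


def render_table(rows: List[Dict[str, Optional[str]]]) -> str:
    """Markdown table in the template's column order."""
    lines = [
        "| Finding | ATT&CK | Sigma | Splunk | Sentinel | Coverage |",
        "|---------|--------|-------|--------|----------|----------|",
    ]
    for r in rows:
        status = coverage_status(r)
        cells = [r["finding"], r["attack"]]
        for s in SIEMS:
            if status == "NEW":
                cells.append("(new)")          # nothing exists anywhere yet
            elif s == "sigma":
                cells.append(r.get(s) or "no")  # Sigma column carries the rule id
            else:
                cells.append("yes" if r.get(s) else "no")
        cells.append(status)
        lines.append("| " + " | ".join(cells) + " |")
    return "\n".join(lines)


def gap_analysis(rows: List[Dict[str, Optional[str]]]) -> List[Tuple[str, List[str]]]:
    """Findings that are not fully covered, each with the SIEMs lacking a rule."""
    return [(r["finding"], missing_siems(r)) for r in rows if coverage_status(r) != "FULL"]


def render_gaps(rows: List[Dict[str, Optional[str]]]) -> str:
    """Gap Analysis section: one bullet per uncovered finding plus the next action."""
    out = []
    for finding, missing in gap_analysis(rows):
        if len(missing) == len(SIEMS):
            out.append(f"- {finding}: NO coverage in any SIEM")
            out.append("  -> propose a new Sigma rule and derive the SIEM queries from it")
        else:
            out.append(f"- {finding}: missing in {', '.join(missing)}")
            out.append(f"  -> write a {', '.join(missing)} detection rule template")
    return "\n".join(out)


if __name__ == "__main__":
    print(render_table(FINDINGS))
    print()
    print(render_gaps(FINDINGS))
```

Keeping the inventory as data and computing the status means a finding can never be reported FULL while a SIEM column still says "no"; the table and the gap list are generated from the same source and cannot drift apart.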

## Out-of-Scope

- Production SIEM changes (rule writing only; deployment is the customer's responsibility)
- Real-time blue team operations
