PEAK Framework · ATT&CK Navigator · Detection Engineering

peak-to-sigma

Close the hunt-to-detection gap. Feed it a structured threat hunt report and get production-ready detection rules in every format your stack consumes — plus a MITRE ATT&CK Navigator layer.

pip install 'peak-to-sigma[web]'

Why peak-to-sigma
From Hunt Findings to Deployed Detections

Every structured threat hunt should produce durable detection artifacts. When a hunt confirms attacker behavior, findings should immediately feed back into your detection stack — not sit in a Word document.

All Four Formats
One report → Sigma YAML, KQL (Sentinel/Defender XDR), SPL (Splunk ES), and Databricks SQL. All at once, organized by finding.
PEAK-Aware Confidence
Hunt phase maps directly to rule confidence. Validated findings → production-ready rules. Scoped → experimental. Unscoped → test-level drafts.
ATT&CK Navigator Layer
Auto-generated Navigator v4.5 layer. Confirmed techniques in red, unconfirmed in amber. Import directly into the ATT&CK Navigator.
Guided Web UI
4-step educational wizard with inline tooltips. Teaches PEAK phases, ATT&CK technique formats, and IOC-to-field mappings as you fill in the form.
LLM Enrichment
Optional --enrich flag calls OpenAI or Anthropic to surface detection gaps, related techniques, and hunting pivots you may have missed.
One Pip Install
Zero Docker. Zero npm. No build step. pip install peak-to-sigma and it works. Web UI and enrichment are optional extras.

Workflow
How It Works

Structure your hunt findings in YAML, run the tool, get detection artifacts. Or use the web UI wizard — no YAML required.

01
Write Your Hunt Report
YAML or JSON following the PEAK schema: hunt metadata, data sources, findings with IOCs, and a verdict.
02
Run the Tool
peak-to-sigma main --hunt report.yaml — or open the web UI wizard and fill in the form.
03
Get Detection Artifacts
One file per finding per format, organized in subdirectories. Navigator layer included by default.
04
Deploy to Your SIEM
Drop KQL into Sentinel analytics. Import SPL searches into Splunk ES. Convert Sigma rules with sigma-cli.

Example Output
Output from the Bundled AiTM Hunt Report

Four formats generated from two confirmed findings: T1557.001 (AiTM process injection) and T1539 (session cookie theft via impossible-travel). All IPs and domains use IANA-reserved documentation ranges (RFC 5737 / RFC 2606).

Sigma (.yml)

title: "Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay"
id: a1b2c3d4-e5f6-7890-abcd-ef1234567890
status: stable
description: >
  Confirmed attacker activity — AiTM Proxy Detection hunt (Scoped).
  Proxy process injected into browser SSL sessions via LLMNR poisoning.
  Self-signed cert from untrusted CA. Parent spawned from explorer.exe.
references: []
author: Andre Seguin
date: 2026-04-08
tags:
  - attack.credential_access
  - attack.t1557.001
logsource:
  category: process_creation
  product: windows
detection:
  selection_process:
    Image|contains: "suspicious_proxy.exe"
  selection_parent:
    ParentImage|endswith: "\\explorer.exe"
    Image|contains: "suspicious_proxy.exe"
  selection_cert:
    CertificateIssuer|contains: "Untrusted Root CA"
  condition: selection_process or selection_parent or selection_cert
falsepositives:
  - Legitimate proxy software with similar process names
  - Internal PKI using non-standard CA names
level: high
---
title: "Steal Web Session Cookie: Impossible Travel via Token Replay"
id: b2c3d4e5-f6a7-8901-bcde-f12345678901
status: stable
description: >
  Confirmed attacker activity — AiTM Proxy Detection hunt (Scoped).
  Session tokens replayed from 203.0.113.47 (RFC 5737 documentation range).
  Geolocation delta of 8,000+ km within 4 minutes. Correlated with proxy window.
references: []
author: Andre Seguin
date: 2026-04-08
tags:
  - attack.credential_access
  - attack.t1539
logsource:
  product: azure
  service: signinlogs
detection:
  selection_ip:
    callerIpAddress|contains: "203.0.113.47"
  selection_domain:
    NetworkDestination|contains: "aitm-proxy.example.com"
  condition: selection_ip or selection_domain
falsepositives:
  - VPN users with geographic IP routing anomalies
level: high

KQL (.kql)

// ── T1557.001: Adversary-in-the-Middle — AiTM Process Injection ──────────────
// Hunt: AiTM Proxy Detection — Infostealer Delivery (Scoped)
// Author: Andre Seguin | Date: 2026-04-08 | Confidence: HIGH
// ATT&CK: T1557.001 — Credential Access

DeviceProcessEvents
| where Timestamp > ago(7d)
| where
    FileName has "suspicious_proxy.exe"
    or InitiatingProcessFileName =~ "explorer.exe" and FileName has "suspicious_proxy.exe"
| extend Technique = "T1557.001", Tactic = "CredentialAccess", Confidence = "High"
| project
    Timestamp, DeviceName, AccountName,
    FileName, ProcessCommandLine, SHA256,
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    Technique, Tactic, Confidence
| order by Timestamp desc

// ── T1539: Steal Web Session Cookie — Impossible Travel ───────────────────────
// Hunt: AiTM Proxy Detection — Infostealer Delivery (Scoped)
// Author: Andre Seguin | Date: 2026-04-08 | Confidence: HIGH
// ATT&CK: T1539 — Credential Access
// Note: 203.0.113.47 is an RFC 5737 documentation IP used in this example.

SigninLogs
| where TimeGenerated > ago(7d)
| where
    IPAddress == "203.0.113.47"
    or NetworkLocationDetails has "aitm-proxy.example.com"
| extend Technique = "T1539", Tactic = "CredentialAccess", Confidence = "High"
| project
    TimeGenerated, UserPrincipalName, AppDisplayName,
    IPAddress, Location, DeviceDetail,
    ConditionalAccessStatus, RiskLevelDuringSignIn,
    Technique, Tactic, Confidence
| order by TimeGenerated desc

SPL (.spl)

``` T1557.001: Adversary-in-the-Middle — AiTM Process Injection ```
``` Hunt: AiTM Proxy Detection — Infostealer Delivery (Scoped) ```
``` Author: Andre Seguin | Date: 2026-04-08 | ATT&CK: T1557.001 ```

index=* sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
    (process_name="*suspicious_proxy.exe*"
     OR (parent_process="*\\explorer.exe" AND process_name="*suspicious_proxy.exe*"))
| eval technique="T1557.001", tactic="Credential Access", confidence="high"
| table _time host user process_name parent_process CommandLine sha256 technique tactic
| sort -_time

``` T1539: Steal Web Session Cookie — Impossible Travel ```
``` Note: 203.0.113.47 is an RFC 5737 documentation address (example only) ```
| append [
    search index=* sourcetype=azure:aad:signin
      (src_ip="203.0.113.47" OR dest="aitm-proxy.example.com")
    | eval technique="T1539", tactic="Credential Access", confidence="high"
    | table _time user app src_ip dest authentication_method risk_level technique tactic
    | sort -_time
  ]

Databricks SQL (.sql)

-- ── T1557.001: Adversary-in-the-Middle — AiTM Process Injection ──────────────
-- Hunt: AiTM Proxy Detection — Infostealer Delivery
-- Author: Andre Seguin | Date: 2026-04-08 | ATT&CK: T1557.001 | Level: HIGH

SELECT
  event_time,
  host,
  user_name,
  process_name,
  parent_process_name,
  command_line,
  sha256,
  'T1557.001'   AS technique,
  'high'        AS confidence
FROM security.process_events
WHERE
  event_time >= NOW() - INTERVAL 7 DAYS
  AND (
    LOWER(process_name) LIKE '%suspicious_proxy.exe%'
    OR (
      LOWER(parent_process_name) LIKE '%explorer.exe'
      AND LOWER(process_name)    LIKE '%suspicious_proxy.exe%'
    )
  )
ORDER BY event_time DESC;

-- ── T1539: Steal Web Session Cookie — Impossible Travel ───────────────────────
-- Note: 203.0.113.47 is RFC 5737 TEST-NET-3 (documentation range, not a real host)
-- Note: aitm-proxy.example.com is RFC 2606 reserved (not a real domain)

SELECT
  event_time,
  user_principal_name,
  app_display_name,
  ip_address,
  location,
  risk_level_during_signin,
  conditional_access_status,
  'T1539'   AS technique,
  'high'    AS confidence
FROM security.signin_logs
WHERE
  event_time >= NOW() - INTERVAL 7 DAYS
  AND (
    ip_address = '203.0.113.47'
    OR LOWER(network_destination) LIKE '%aitm-proxy.example.com%'
  )
ORDER BY event_time DESC;

Input: the bundled hunt report (.yaml)

hunt:
  name: "AiTM Proxy Detection — Infostealer Delivery"
  hypothesis: >
    Threat actors are using adversary-in-the-middle frameworks to intercept credentials
    and deliver infostealer malware via poisoned SSL sessions.
  analyst: "Andre Seguin"
  date: "2026-04-08"
  peak_phase: "Scoped"   # Unscoped | Scoped | Validated

data_sources:
  - name: "Microsoft Defender EDR"
    type: endpoint
    coverage: high
  - name: "Entra ID Sign-in Logs"
    type: identity
    coverage: medium
  - name: "Azure Monitor Network Logs"
    type: network
    coverage: medium

findings:
  - tactic: "Credential Access"
    technique: "T1557.001"
    technique_name: "Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning"
    confirmed: true
    description: >
      Proxy process suspicious_proxy.exe spawned from explorer.exe and established
      outbound TLS connections using a self-signed cert from "Untrusted Root CA".
      Token replay observed in Entra ID logs within 30 seconds of initial auth.
    data_source_ref: "Microsoft Defender EDR"
    iocs:
      - type: process_name
        value: "suspicious_proxy.exe"
      - type: cert_issuer
        value: "Untrusted Root CA"
      - type: parent_process
        value: "explorer.exe"

  - tactic: "Credential Access"
    technique: "T1539"
    technique_name: "Steal Web Session Cookie"
    confirmed: true
    description: >
      Session tokens replayed from anomalous geoip — delta of 8,000+ km in 4 minutes.
      Impossible travel alert correlated with proxy process activity window.
    data_source_ref: "Entra ID Sign-in Logs"
    iocs:
      - type: ip
        # RFC 5737 TEST-NET-3 — documentation address, not a real host
        value: "203.0.113.47"
      - type: domain
        # RFC 2606 reserved — not a real domain
        value: "aitm-proxy.example.com"

verdict: >
  Confirmed attacker activity. Three detections deployed to production covering
  process creation, impossible travel, and C2 beaconing. IR engaged for affected accounts.

Output Formats
Every Format Your Stack Consumes
Sigma
Portable YAML Detection Rules
.yml

Vendor-neutral YAML. Convert to any SIEM backend with sigma-cli; the same rules are also consumed by Uncoder and Chainsaw.

KQL
Microsoft Sentinel / Defender XDR
.kql

Ready for Sentinel Analytic Rules or Defender XDR custom detections. pySigma Kusto backend with direct-build fallback.

SPL
Splunk Enterprise / ES
.spl

CIM-compliant field names for Splunk Enterprise Security. Includes sourcetype hints based on data source type.

SQL
Databricks Delta Lake / Unity Catalog
.sql

Targets security.* tables in a standard security data lake schema. Adjust table names for your environment.

Navigator
MITRE ATT&CK Navigator v4.5
.json

Layer schema v4.5. Confirmed findings in red, unconfirmed in amber. Import directly into attack.mitre.org/attack-navigator.
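The layer generation described above, as an added example that is not peak-to-sigma's own code: it builds a Navigator layer (layer format 4.5) from hunt findings, colours confirmed techniques red and unconfirmed ones amber, and merges duplicate technique/tactic pairs so that a confirmed sighting always wins. The exact hex colours, the `attack`/`navigator` version strings, and the third (unconfirmed, C2) finding are assumptions constructed here to exercise the amber path.

```python
"""Added example (not peak-to-sigma's own code): emit an ATT&CK Navigator layer
(layer format 4.5) from PEAK hunt findings. Confirmed techniques are red,
unconfirmed ones amber, as the page describes."""
import json

LAYER_FORMAT = "4.5"
CONFIRMED_COLOR = "#ff0000"    # red; the exact hex values are assumptions
UNCONFIRMED_COLOR = "#ffbf00"  # amber


def tactic_slug(tactic):
    """Navigator wants the kebab-case tactic shortname, e.g. 'credential-access'."""
    return tactic.lower().replace(" ", "-")


# Constructed findings: the two confirmed ones from the page's sample plus an
# unconfirmed C2 finding added here so the amber path is exercised.
SAMPLE_HUNT = {
    "name": "AiTM Proxy Detection - Infostealer Delivery",
    "hypothesis": "AiTM frameworks intercept credentials and deliver infostealers.",
}
SAMPLE_FINDINGS = [
    {"tactic": "Credential Access", "technique": "T1557.001",
     "technique_name": "Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning", "confirmed": True},
    {"tactic": "Credential Access", "technique": "T1539",
     "technique_name": "Steal Web Session Cookie", "confirmed": True},
    {"tactic": "Command and Control", "technique": "T1071.001",
     "technique_name": "Application Layer Protocol: Web Protocols", "confirmed": False},
]


def build_layer(hunt, findings):
    """Return a layer dict ready to be json.dumps'ed and imported into Navigator."""
    entries = {}
    for f in findings:
        key = (f["technique"], tactic_slug(f["tactic"]))
        # Same technique reported twice: a confirmed sighting overrides an unconfirmed one.
        confirmed = f["confirmed"] or entries.get(key, {}).get("confirmed", False)
        entries[key] = {"confirmed": confirmed, "name": f["technique_name"]}

    techniques = []
    for (tid, tactic), e in sorted(entries.items()):
        techniques.append({
            "techniqueID": tid,            # sub-technique ids such as T1557.001 are valid here
            "tactic": tactic,
            "color": CONFIRMED_COLOR if e["confirmed"] else UNCONFIRMED_COLOR,
            "score": 100 if e["confirmed"] else 50,
            "comment": f"{'Confirmed' if e['confirmed'] else 'Unconfirmed'}: {e['name']}",
            "enabled": True,
            "showSubtechniques": True,
        })

    return {
        "name": hunt["name"],
        # ATT&CK / Navigator version strings are assumptions; only "layer" is fixed by the page.
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": LAYER_FORMAT},
        "domain": "enterprise-attack",
        "description": hunt["hypothesis"],
        "techniques": techniques,
        "gradient": {"colors": [UNCONFIRMED_COLOR, CONFIRMED_COLOR], "minValue": 0, "maxValue": 100},
        "legendItems": [
            {"label": "Confirmed in hunt", "color": CONFIRMED_COLOR},
            {"label": "Unconfirmed / hypothesised", "color": UNCONFIRMED_COLOR},
        ],
        "hideDisabled": False,
    }


def render_layer(hunt, findings):
    """Serialise the layer to the JSON text Navigator's 'Open Existing Layer' accepts."""
    return json.dumps(build_layer(hunt, findings), indent=2)


if __name__ == "__main__":
    print(render_layer(SAMPLE_HUNT, SAMPLE_FINDINGS))
```

Writing the output to a `.json` file and loading it through Navigator's "Open Existing Layer" dialog is all that is needed; if the ATT&CK version in `versions.attack` differs from the one Navigator is serving, it will tell you so on import, which is worth checking before sharing the layer with a team.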

Enrichment
LLM Detection Gap Analysis
.md

Optional --enrich flag. Calls OpenAI gpt-4o or Claude to surface gaps, related techniques, and hunting pivots.


IOC Mappings
15 IOC Types, Cross-Platform

Each IOC type maps to the correct field name across all four output formats automatically.

IOC Type        Sigma Field          KQL Field                   SPL Field
process_name    Image                FileName                    process_name
command_line    CommandLine          ProcessCommandLine          cmdline
parent_process  ParentImage          InitiatingProcessFileName   parent_process
hash_sha256     sha256               SHA256                      sha256
hash_md5        Hashes               MD5                         md5
ip              DestinationIp        RemoteIP                    dest_ip
domain          DestinationHostname  RemoteUrl                   dest
url             cs-uri-stem          RequestURL                  url
file_path       TargetFilename       FolderPath                  file_path
registry_key    TargetObject         RegistryKey                 registry_path
cert_issuer     CertificateIssuer    CertificateIssuerName       cert_issuer
user_agent      cs-user-agent        UserAgent                   http_user_agent
email_sender    SenderAddress        SenderFromAddress           src_user
network_port    DestinationPort      RemotePort                  dest_port
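The end-to-end mapping the page describes (PEAK phase to rule maturity, IOC type to Sigma field, hunt report to one rule per finding), as an added example that is not peak-to-sigma's own code. The phase-to-status table follows the "Validated / Scoped / Unscoped" description above and the field names come from the Sigma column of the IOC table; the choice of modifier per IOC type (`contains`, `endswith`, exact), the data-source-type to `logsource` mapping, the `level`, the `falsepositives` placeholder, and the uuid5-derived rule id are assumptions made here. The embedded hunt report is constructed from the page's bundled sample.

```python
"""Added example (not peak-to-sigma's own code): build Sigma rules from a PEAK hunt
report using the page's PEAK-phase -> status mapping and IOC -> Sigma field table."""
import json
import uuid

# PEAK phase -> Sigma status, as the page describes it:
# Validated -> production-ready, Scoped -> experimental, Unscoped -> test-level draft.
PEAK_PHASE_TO_STATUS = {"Validated": "stable", "Scoped": "experimental", "Unscoped": "test"}

# IOC type -> Sigma field, from the Sigma column of the page's IOC mapping table.
SIGMA_FIELD = {
    "process_name": "Image", "command_line": "CommandLine", "parent_process": "ParentImage",
    "hash_sha256": "sha256", "hash_md5": "Hashes", "ip": "DestinationIp",
    "domain": "DestinationHostname", "url": "cs-uri-stem", "file_path": "TargetFilename",
    "registry_key": "TargetObject", "cert_issuer": "CertificateIssuer",
    "user_agent": "cs-user-agent", "email_sender": "SenderAddress", "network_port": "DestinationPort",
}

# Assumption (not on the page): exact match for addresses, ports and hashes, suffix match
# on the parent image path, substring match for everything else.
EXACT_MATCH_TYPES = {"ip", "network_port", "hash_sha256", "hash_md5"}

# Assumption: data-source type -> Sigma logsource, chosen to reproduce the page's outputs.
LOGSOURCE_BY_SOURCE_TYPE = {
    "endpoint": {"category": "process_creation", "product": "windows"},
    "identity": {"product": "azure", "service": "signinlogs"},
    "network": {"category": "firewall"},
}

# Constructed input following the PEAK schema shown on the page.
SAMPLE_REPORT = {
    "hunt": {"name": "AiTM Proxy Detection - Infostealer Delivery", "analyst": "Andre Seguin",
             "date": "2026-04-08", "peak_phase": "Scoped"},
    "data_sources": [
        {"name": "Microsoft Defender EDR", "type": "endpoint", "coverage": "high"},
        {"name": "Entra ID Sign-in Logs", "type": "identity", "coverage": "medium"},
    ],
    "findings": [
        {"tactic": "Credential Access", "technique": "T1557.001",
         "technique_name": "Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning", "confirmed": True,
         "data_source_ref": "Microsoft Defender EDR",
         "description": "suspicious_proxy.exe spawned from explorer.exe with a self-signed cert.",
         "iocs": [{"type": "process_name", "value": "suspicious_proxy.exe"},
                  {"type": "cert_issuer", "value": "Untrusted Root CA"},
                  {"type": "parent_process", "value": "explorer.exe"}]},
        {"tactic": "Credential Access", "technique": "T1539",
         "technique_name": "Steal Web Session Cookie", "confirmed": True,
         "data_source_ref": "Entra ID Sign-in Logs",
         "description": "Session token replay, 8,000+ km geo delta within 4 minutes.",
         "iocs": [{"type": "ip", "value": "203.0.113.47"},                 # RFC 5737 TEST-NET-3
                  {"type": "domain", "value": "aitm-proxy.example.com"}]},  # RFC 2606
    ],
}


def ioc_to_selection(ioc):
    """Translate one IOC into a Sigma selection, choosing the modifier by IOC type."""
    kind, field, value = ioc["type"], SIGMA_FIELD[ioc["type"]], ioc["value"]
    if kind in EXACT_MATCH_TYPES:
        return {field: value}
    if kind == "parent_process":  # match the end of the image path, not any substring
        return {f"{field}|endswith": "\\" + value}
    return {f"{field}|contains": value}


def finding_to_sigma(report, finding):
    """Build one Sigma rule dict (keys in conventional Sigma order) for one finding."""
    hunt = report["hunt"]
    source = next(d for d in report["data_sources"] if d["name"] == finding["data_source_ref"])
    detection = {f"selection_{ioc['type']}": ioc_to_selection(ioc) for ioc in finding["iocs"]}
    names = list(detection)  # capture selection names before the condition key is added
    detection["condition"] = " or ".join(names)
    state = "Confirmed" if finding["confirmed"] else "Unconfirmed"
    return {
        "title": finding["technique_name"],
        # uuid5 keeps the id stable when the same hunt/technique pair is regenerated
        "id": str(uuid.uuid5(uuid.NAMESPACE_URL, f"{hunt['name']}/{finding['technique']}")),
        "status": PEAK_PHASE_TO_STATUS[hunt["peak_phase"]],
        "description": f"{state} activity. {hunt['name']} ({hunt['peak_phase']}). {finding['description']}",
        "references": [],
        "author": hunt["analyst"],
        "date": hunt["date"],
        "tags": [f"attack.{finding['tactic'].lower().replace(' ', '_')}",
                 f"attack.{finding['technique'].lower()}"],
        "logsource": LOGSOURCE_BY_SOURCE_TYPE[source["type"]],
        "detection": detection,
        "falsepositives": ["Not yet assessed; review before enabling"],
        "level": "high" if finding["confirmed"] else "medium",  # assumption
    }


def report_to_sigma(report):
    """One rule per finding, mirroring the page's one-file-per-finding output."""
    return [finding_to_sigma(report, f) for f in report["findings"]]


if __name__ == "__main__":
    # JSON is valid YAML, so each document below can be fed straight to sigma-cli.
    print("\n---\n".join(json.dumps(r, indent=2) for r in report_to_sigma(SAMPLE_REPORT)))
```

Two design points worth keeping when adapting this: deriving the rule `id` with `uuid5` from the hunt name and technique means re-running the tool after a report edit updates the existing rule in your SIEM rather than creating a duplicate, and letting `status` follow the PEAK phase rather than the analyst's gut feeling is what makes "experimental" rules easy to find and promote once a hunt is validated.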