import os
import yaml
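def load_yaml_detection_templates(template_root="templates"):
    """
    Load detection templates from YAML files under ``template_root``.

    Every ``*.yml`` / ``*.yaml`` file in the tree is parsed with
    ``yaml.safe_load``. Files whose top-level document is not a mapping are
    skipped; every remaining mapping gets a ``source_file`` key naming the
    file it was read from.

    Expected structure::

        templates/
        ├── sigma/
        │   └── rule.yml
        └── sentinel/
            └── rule.yml

    Args:
        template_root: Directory to scan recursively. A relative path is
            resolved against the current working directory. A missing
            directory yields an empty list rather than an error.

    Returns:
        list[dict]: Parsed template mappings, in sorted-path order so that
        repeated runs (and different hosts) produce the same template order.

    Notes:
        Loading is best-effort: a file that cannot be read or parsed is
        reported on stdout and skipped, so one broken template does not
        disable the whole rule set.

        ``safe_load`` is used deliberately. ``yaml.load`` with the default
        loader can instantiate arbitrary Python objects from a crafted file.
        Even so, only point this at a template tree you control: the safe
        loader still expands anchors/aliases, so a hostile file can exhaust
        memory, and symlinked files inside the tree are opened like any other.
    """
    templates = []
    if not os.path.isdir(template_root):
        return templates
    yaml_suffixes = (".yml", ".yaml")
    for root, dirs, files in os.walk(template_root):
        # Sort in place so os.walk descends in a stable order; directory
        # listing order is otherwise arbitrary and differs between hosts,
        # which would make match results non-deterministic.
        dirs.sort()
        for file_name in sorted(files):
            if not file_name.lower().endswith(yaml_suffixes):
                continue
            file_path = os.path.join(root, file_name)
            try:
                with open(file_path, "r", encoding="utf-8") as template_file:
                    template_data = yaml.safe_load(template_file)
            except Exception as error:
                # Broad on purpose: a malformed, unreadable or mis-encoded
                # template must not take the loader down with it.
                print(f"[!] Failed to load template {file_path}: {error}")
                continue
            # Only mapping documents are usable templates; a bare scalar,
            # a list or an empty file (parsed as None) is skipped silently.
            if not isinstance(template_data, dict):
                continue
            # Record provenance so a match can be traced back to its file.
            # This overwrites any ``source_file`` key the YAML itself set.
            template_data["source_file"] = file_path
            templates.append(template_data)
    return templates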
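def _template_keywords(template):
    """
    Normalise a template's ``keywords`` field into a list.

    YAML lets an author write ``keywords: powershell`` (a scalar) as well as
    ``keywords: [powershell]``. Iterating a bare string would test each
    character on its own and match almost any text, so a scalar string is
    wrapped in a list. A missing field, or a null one (``keywords:`` with no
    value), yields no keywords instead of raising.
    """
    keywords = template.get("keywords", [])
    if keywords is None:
        return []
    if isinstance(keywords, str):
        return [keywords]
    return list(keywords)


def _template_matches(template, decoded_text_lower):
    """Return True if any keyword of ``template`` occurs in the lower-cased text."""
    for keyword in _template_keywords(template):
        needle = str(keyword).lower()
        # The empty string is a substring of everything; treat it as
        # "no keyword" rather than as an unconditional match.
        if needle and needle in decoded_text_lower:
            return True
    return False


def match_yaml_detection_templates(decoded_text, template_root="templates", *, templates=None):
    """
    Return the templates whose keywords occur in ``decoded_text``.

    Matching is a case-insensitive substring test: a template matches when at
    least one entry of its ``keywords`` field, lower-cased, appears in the
    lower-cased text. Each matched template is returned once, in load order.
    Keywords are plain substrings, not patterns, so a short or generic keyword
    will match broadly.

    Args:
        decoded_text: Text to scan, e.g. a decoded payload.
        template_root: Directory handed to ``load_yaml_detection_templates``
            when ``templates`` is not supplied.
        templates: Optional pre-loaded template list. Supplying it avoids
            re-reading every YAML file from disk on each call, which the
            default path otherwise does.

    Returns:
        list[dict]: The matched template mappings.
    """
    decoded_text_lower = decoded_text.lower()
    if templates is None:
        templates = load_yaml_detection_templates(template_root)
    return [
        template
        for template in templates
        if _template_matches(template, decoded_text_lower)
    ]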