Defender’s Toolkit 102: Sigma Rules

What is Sigma?

Sigma is a generic and open signature format that lets you describe relevant log events in a straightforward manner. A rule is written once, in YAML, and then converted into the native query language of whatever SIEM or log platform you actually run (Splunk, Elastic, QRadar and others), so detection logic can be shared without being tied to one product.

Writing Sigma Rules

A Sample Rule to Detect Mimikatz

How to Start Writing Sigma Rules?

Step 1: Acquire the Sigma repository [Optional]

git clone https://github.com/SigmaHQ/sigma

This is optional because a rule is just a YAML file, but the repository gives you hundreds of existing rules in its rules directory to model yours on, and the converter used in Step 4.

Step 2: Create a YAML file

Every rule is a single YAML document built from the attributes below. Only title, logsource and detection (with its condition) are strictly required; the rest is what makes a rule usable by someone other than its author.

title:             # short, descriptive name of what the rule detects
id:                # UUID, unique per rule
status:            # stable | test | experimental | deprecated | unsupported
description:
author:
references:
logsource:
    category:      # e.g. process_creation
    product:       # e.g. windows
    service:       # e.g. sysmon, security
    definition:    # free-text note on how the log source must be configured
detection:
    condition:     # boolean expression over the selections defined above it
fields:            # fields worth showing alongside an alert
falsepositives:
level:             # informational | low | medium | high | critical
tags:              # e.g. attack.credential_access, attack.t1003

Step 3: Fill in the Attributes

title: Mimikatz Command Line
id: a642964e-bead-4bed-8910-1bb4d63e3b4d
description: Detection of well-known mimikatz command line arguments
author: Teymur Kheirkhabarov, oscd.community
date: 2019/10/22
modified: 2020/09/01
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
falsepositives:
    - Legitimate Administrator using tool for password recovery
level: medium
status: experimental
logsource:
    category: process_creation
    product: windows
detection:
    selection_1:                 # explicit Invoke-Mimikatz indicators
        CommandLine|contains:
            - DumpCreds
            - invoke-mimikatz
    selection_2:                 # mimikatz module names; far too generic on their own
        CommandLine|contains:
            - rpc
            - token
            - crypto
            - dpapi
            - sekurlsa
            - kerberos
            - lsadump
            - privilege
            - process
    selection_3:                 # the module::command syntax mimikatz uses
        CommandLine|contains:
            - '::'
    # 'and' binds tighter than 'or': selection_1 or (selection_2 and selection_3)
    condition: selection_1 or selection_2 and selection_3

Read the condition with Sigma's operator precedence in mind: and binds tighter than or, so the rule fires either on the explicit Invoke-Mimikatz indicators in selection_1, or when a generic module name from selection_2 appears together with the :: separator from selection_3. String matching is case-insensitive and each |contains list is an implicit OR, so Invoke-Mimikatz matches invoke-mimikatz and a single keyword hit satisfies a selection. Command lines that use :: for other reasons, such as PowerShell static method calls, still satisfy selection_3, so a benign command line that also contains a word like process or token fires the rule; that is why the rule documents its false positives and stays at level medium.

Step 4: Compiling the Rule

The repository ships a converter, sigmac (in the tools directory), that turns a rule into the query language of a chosen backend. -h prints its help, --lists shows the available target backends and field-mapping configurations, and the last command converts the Mimikatz rule for the Splunk backend using the splunk-windows configuration:

python .\sigmac -h
python .\sigmac --lists
python .\sigmac -t splunk -c splunk-windows ..\rules\windows\process_creation\win_mimikatz_command_line.yml

You can now paste the generated search into your Splunk instance. Two things to check before trusting it: the -c configuration maps Sigma's generic field names (here CommandLine) to the field names your Splunk data actually uses, so a mismatched configuration produces a search that runs but never matches; and sigmac is the legacy converter, which has since been deprecated in favour of sigma-cli (sigma convert -t splunk ...) built on pySigma.
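To see the detection logic do its work before going anywhere near a SIEM, the following added example (not code from this post, nor from the SigmaHQ or pySigma tooling) evaluates the rule's detection block in plain Python over a handful of constructed process_creation events. It implements exactly the pieces this rule relies on: the |contains modifier, case-insensitive matching, the implicit OR across a list of values, and a condition parser that gives and precedence over or. The event field names and the sample command lines are assumptions made for the example.

```python
"""Plain-Python evaluator for the 'Mimikatz Command Line' rule above.

Added example, not code from the post or from SigmaHQ/pySigma. It covers
just what this rule needs: the |contains modifier, Sigma's case-insensitive
string matching, lists of values (any may match) and a condition parser in
which 'and' binds tighter than 'or'. Sample events are constructed.
"""
import re

# The detection block, transcribed from the YAML above.
RULE_DETECTION = {
    "selection_1": {"CommandLine|contains": ["DumpCreds", "invoke-mimikatz"]},
    "selection_2": {"CommandLine|contains": ["rpc", "token", "crypto", "dpapi", "sekurlsa",
                                             "kerberos", "lsadump", "privilege", "process"]},
    "selection_3": {"CommandLine|contains": ["::"]},
    "condition": "selection_1 or selection_2 and selection_3",
}


def match_selection(selection, event):
    """Every field in a selection must match (AND); any listed value may (OR)."""
    for key, values in selection.items():
        field, _, modifier = key.partition("|")
        actual = str(event.get(field, "")).lower()          # Sigma matching is case-insensitive
        wanted = [str(v).lower() for v in (values if isinstance(values, list) else [values])]
        if modifier == "contains":
            hit = any(v in actual for v in wanted)
        elif modifier == "":
            hit = actual in wanted
        else:
            raise ValueError(f"modifier not implemented in this example: {modifier}")
        if not hit:
            return False
    return True


def evaluate_condition(condition, truth):
    """Evaluate a condition over {selection_name: bool} with Sigma precedence:
    or_expr := and_expr ('or' and_expr)*   and_expr := not_expr ('and' not_expr)*
    not_expr := 'not' not_expr | '(' or_expr ')' | NAME
    """
    tokens = re.findall(r"\(|\)|[A-Za-z0-9_]+", condition)

    def peek():
        return tokens[0] if tokens else None

    def or_expr():
        value = and_expr()
        while peek() == "or":
            tokens.pop(0)
            rhs = and_expr()        # parsed unconditionally so no tokens are skipped
            value = value or rhs
        return value

    def and_expr():
        value = not_expr()
        while peek() == "and":
            tokens.pop(0)
            rhs = not_expr()
            value = value and rhs
        return value

    def not_expr():
        tok = tokens.pop(0)
        if tok == "not":
            return not not_expr()
        if tok == "(":
            value = or_expr()
            if tokens.pop(0) != ")":
                raise ValueError("unbalanced parentheses in condition")
            return value
        return truth[tok]           # KeyError for a selection the rule never defined

    result = or_expr()
    if tokens:
        raise ValueError("unexpected trailing tokens in condition")
    return result


def rule_matches(event, detection=RULE_DETECTION):
    """Apply the whole detection block to one process_creation event."""
    truth = {name: match_selection(sel, event)
             for name, sel in detection.items() if name != "condition"}
    return evaluate_condition(detection["condition"], truth)


# Constructed process_creation events, Sysmon Event ID 1 style field names.
SAMPLE_EVENTS = [
    {"Image": r"C:\Temp\m.exe",
     "CommandLine": 'm.exe "privilege::debug" "sekurlsa::logonpasswords"'},  # selection_2 and selection_3
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c Invoke-Mimikatz -DumpCreds"},              # selection_1 alone
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic process list brief"},                               # 'process' but no '::'
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c [System.Diagnostics.Process]::GetCurrentProcess()"},  # benign, still fires
]


def scan(events, detection=RULE_DETECTION):
    """Return the command lines of the events the rule fires on."""
    return [e["CommandLine"] for e in events if rule_matches(e, detection)]
```

Running scan(SAMPLE_EVENTS) returns three of the four command lines: the real mimikatz invocation, the Invoke-Mimikatz one, and the benign PowerShell call. The third event shows that a selection_2 keyword on its own is not enough, and the fourth shows the false-positive shape a tuner has to expect from this rule: PowerShell's [Type]::Method syntax supplies the :: that selection_3 wants, so any such command line that also contains process, token or another selection_2 word fires. The parser is deliberately minimal (only contains and exact matches); use sigma-cli or pySigma for anything beyond understanding a rule.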

Using Uncoder.io

If you do not want to install anything, Uncoder.io is a web interface that performs the same translation: paste a Sigma rule on one side, pick a target such as Splunk on the other, and copy the generated query. Keep in mind that the rule is being sent to a third-party service, so it is a fine way to learn and to check a conversion, but not the place to paste rules that reveal internal host names or detection gaps.

Sample Rule translated via Uncoder

Conclusion

Syed Hasan

Hi, I’m Syed. Explore my articles as I embark on this journey of learning more about Forensics and Cloud! 🚀