Defender’s Toolkit 102: Sigma Rules

What is Sigma?

Sigma is a generic and open signature format that lets you describe relevant log events in a straightforward, vendor-neutral way. A rule is a small YAML file; converters then translate it into the query language of whatever SIEM or log platform you run, so one detection can be shared and reused across Splunk, Elastic, QRadar and others without rewriting it by hand.

Writing Sigma Rules

A Sample Rule to Detect Mimikatz

How to Start Writing Sigma Rules?

Step 1: Acquire the Sigma repository [Optional]

git clone https://github.com/SigmaHQ/sigma

Step 2: Create a YAML file

```yaml
title:
id:
status:
description:
author:
date:
references:
logsource:
    category:
    product:
    service:
    definition:
detection:
    condition:
fields:
falsepositives:
level:
tags:
```

Note that category, product, service and definition are children of logsource, and the selections plus condition are children of detection; YAML indentation is significant, so a flattened layout will not parse.

Step 3: Provide Input to Attributes

```yaml
title: Mimikatz Command Line
id: a642964e-bead-4bed-8910-1bb4d63e3b4d
description: Detection of well-known mimikatz command line arguments
author: Teymur Kheirkhabarov, oscd.community
date: 2019/10/22
modified: 2020/09/01
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
falsepositives:
    - Legitimate Administrator using tool for password recovery
level: medium
status: experimental
logsource:
    category: process_creation
    product: windows
detection:
    selection_1:
        CommandLine|contains:
            - DumpCreds
            - invoke-mimikatz
    selection_2:
        CommandLine|contains:
            - rpc
            - token
            - crypto
            - dpapi
            - sekurlsa
            - kerberos
            - lsadump
            - privilege
            - process
    selection_3:
        CommandLine|contains:
            - '::'
    condition: selection_1 or (selection_2 and selection_3)
```

A few things worth noticing in this rule. The `|contains` modifier turns each value into a case-insensitive substring match, and a list of values under one field is an OR. In the condition, `and` binds tighter than `or`, so the original `selection_1 or selection_2 and selection_3` already means what the parentheses above spell out: either a direct Invoke-Mimikatz/DumpCreds indicator, or one of the mimikatz module names combined with the `::` module separator. Short words such as `process` and `token` are only useful because of that `::` requirement, which is also why the level is medium and why PowerShell static method calls (`[Type]::Method()`) are a plausible source of false positives.

Step 4: Compiling the Rule

```powershell
# run from the tools\ directory of the cloned repository: sigmac lives there,
# which is why the rule path below starts with ..\rules
python .\sigmac -h        # usage and options
python .\sigmac --lists   # available backends (-t) and field-mapping configurations (-c)
python .\sigmac -t splunk -c splunk-windows ..\rules\windows\process_creation\win_mimikatz_command_line.yml
```

`-t` selects the backend, i.e. the query language to emit, and `-c` the configuration that maps Sigma's generic field names onto the field names your ingestion actually produces (here the ones Splunk uses for Windows event logs). Pick the configuration that matches your own log pipeline; otherwise the generated search will reference fields that do not exist in your index and silently match nothing. You can now go ahead and use the rule on your Splunk instance!

Note that sigmac is the legacy converter: it has since been moved out of the main SigmaHQ/sigma repository into SigmaHQ/legacy-sigmatools, and the maintained replacement is sigma-cli, built on pySigma. With the Splunk backend plugin installed, the equivalent there is roughly `sigma convert -t splunk -p splunk_windows <rule>.yml`.
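To make the four steps concrete, here is an added example (my own code, not from the article, from SigmaHQ or from sigmac) that evaluates the Mimikatz rule above against a handful of constructed process_creation events and then renders the same detection as a Splunk-style search, in the spirit of Step 4. It implements only the subset of Sigma the rule needs: `|contains` (plus `|startswith`/`|endswith`), OR-ed value lists, AND-ed fields within a selection, and conditions built from `and`, `or`, `not` and parentheses with Sigma's precedence. The sample command lines and the exact Splunk output format are assumptions for illustration; real sigmac output differs in detail.

```python
"""Added example: a minimal Sigma evaluator for the Mimikatz rule (not article/SigmaHQ code).
Supports |contains, |startswith, |endswith, OR-ed value lists, AND-ed fields in a
selection and conditions using 'and', 'or', 'not' and parentheses with Sigma's
precedence (not binds tightest, then and, then or). Matching is case-insensitive."""
import re

# The detection section of the page's rule, transcribed into a dict.
DETECTION = {
    "selection_1": {"CommandLine|contains": ["DumpCreds", "invoke-mimikatz"]},
    "selection_2": {"CommandLine|contains": ["rpc", "token", "crypto", "dpapi", "sekurlsa",
                                             "kerberos", "lsadump", "privilege", "process"]},
    "selection_3": {"CommandLine|contains": ["::"]},
    "condition": "selection_1 or selection_2 and selection_3",
}

# Constructed process_creation events for illustration, not real telemetry.
SAMPLE_EVENTS = [
    {"CommandLine": 'mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"CommandLine": 'powershell.exe -nop -w hidden -c "Invoke-Mimikatz -DumpCreds"'},
    {"CommandLine": "wmic.exe process list brief"},  # selection_2 only: no alert
    {"CommandLine": "ping.exe fe80::1"},             # selection_3 only: no alert
    {"CommandLine": 'powershell.exe -c "[System.Diagnostics.Process]::GetProcesses()"'},  # false positive
]

def value_matches(modifier, actual, expected):
    a, e = str(actual).lower(), str(expected).lower()
    ops = {"": a == e, "contains": e in a, "startswith": a.startswith(e), "endswith": a.endswith(e)}
    if modifier not in ops:
        raise ValueError(f"unsupported modifier: {modifier}")
    return ops[modifier]

def selection_matches(selection, event):
    """Every field in a selection must match; a list of values is an OR."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        values = expected if isinstance(expected, list) else [expected]
        if field not in event or not any(value_matches(modifier, event[field], v) for v in values):
            return False
    return True

def fold_condition(condition, atoms, op_and, op_or, op_not):
    """Recursive-descent fold of a condition: or < and < not, parentheses allowed."""
    tokens = re.findall(r"\(|\)|\w+", condition)
    peek = lambda: tokens[0] if tokens else None
    take = lambda: tokens.pop(0)
    def parse_or():
        left = parse_and()
        while peek() == "or":
            take()
            left = op_or(left, parse_and())
        return left
    def parse_and():
        left = parse_not()
        while peek() == "and":
            take()
            left = op_and(left, parse_not())
        return left
    def parse_not():
        if peek() == "not":
            take()
            return op_not(parse_not())
        tok = take()
        if tok == "(":
            inner = parse_or()
            if take() != ")":
                raise ValueError("unbalanced parentheses in condition")
            return inner
        if tok not in atoms:
            raise ValueError(f"unsupported condition token: {tok}")
        return atoms[tok]
    result = parse_or()
    if tokens:
        raise ValueError("trailing tokens in condition")
    return result

def rule_matches(detection, event):
    hits = {n: selection_matches(s, event) for n, s in detection.items() if n != "condition"}
    return fold_condition(detection["condition"], hits, lambda a, b: a and b, lambda a, b: a or b, lambda a: not a)

def to_splunk(detection):
    """Render the detection as a Splunk-style search (assumed format, not sigmac's exact text)."""
    def render(sel):
        clauses = []
        for key, expected in sel.items():
            field, _, mod = key.partition("|")
            wild = {"contains": "*{}*", "startswith": "{}*", "endswith": "*{}"}.get(mod, "{}")
            ors = [f'{field}="{wild.format(v)}"' for v in (expected if isinstance(expected, list) else [expected])]
            clauses.append(ors[0] if len(ors) == 1 else "(" + " OR ".join(ors) + ")")
        return " AND ".join(clauses)
    queries = {n: render(s) for n, s in detection.items() if n != "condition"}
    return fold_condition(detection["condition"], queries, lambda a, b: f"({a} AND {b})",
                          lambda a, b: f"({a} OR {b})", lambda a: f"NOT {a}")

def run_rule(events=SAMPLE_EVENTS, detection=DETECTION):
    return [rule_matches(detection, e) for e in events]

if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, run_rule()):
        print("ALERT" if hit else "ok   ", event["CommandLine"])
    print(to_splunk(DETECTION))
```

Running it shows the rule firing on the real mimikatz invocation and the Invoke-Mimikatz one-liner, staying quiet on `wmic process` and an IPv6 ping that each satisfy only one half of the `and`, and also firing on the PowerShell `[System.Diagnostics.Process]::GetProcesses()` call, which is exactly the kind of false positive the rule's medium level anticipates. The same `fold_condition` drives both the boolean evaluation and the query rendering, which is the essence of what a converter does: the rule is data, and the backend only decides how the operators are spelled.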

Using Uncoder.io

If you do not want to install the converter locally, Uncoder.io (a free web tool from SOC Prime) does the same translation in the browser: paste the Sigma rule, pick the target platform and query language, and copy out the generated search. Do check the field names in the output against your own log schema, just as you would with a local conversion.

Sample Rule translated via Uncoder

Conclusion


Hi, I’m Syed. Explore my articles as I embark on this journey of learning more about Forensics, Threat Hunting, and Cyber-threat Intelligence.

Syed Hasan
