Defender’s Toolkit 102: Sigma Rules

What is Sigma?

Sigma is a generic and open signature format that lets you describe relevant log events in a straightforward, vendor-neutral way; a rule is written once in YAML and then converted into the query language of whatever SIEM or log platform you run.

Writing Sigma Rules

  • Metadata (Title, ID, Author, References, Tags, Level)
  • Log Source (Define the log source which will be used to collect the data from e.g. the Windows Security log channel)
  • Detections (selections, filters, and conditions)
  • False-positives
  • Optional (and custom) tags
A Sample Rule to Detect Mimikatz

How to Start Writing Sigma Rules?

Step 1: Acquire the Sigma repository [Optional]

git clone https://github.com/SigmaHQ/sigma

Step 2: Create a YAML file

title:
id:
status:
description:
author:
references:
logsource:
  category:
  product:
  service:
  definition:
detection:
  condition:
fields:
falsepositives:
level:
tags:

Step 3: Provide Input to Attributes

title: Mimikatz Command Line
id: a642964e-bead-4bed-8910-1bb4d63e3b4d
description: Detection well-known mimikatz command line arguments
author: Teymur Kheirkhabarov, oscd.community
date: 2019/10/22
modified: 2020/09/01
references:
  - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
falsepositives:
  - Legitimate Administrator using tool for password recovery
level: medium
status: experimental
Status values:
  • Stable — Usable in production environments
  • Test — Close to production quality; tuning is required when a reported FP has been thoroughly vetted
  • Experimental — Usable in the test environment and needs tuning to reduce the noise and FPs
Level values:
  • Low
  • Medium
  • High
  • Critical
logsource:
  category: process_creation
  product: windows
  • Category — log files which fall under a particular category e.g. DNS server logs, process_creation, file_event logs, etc.
  • Product — log files generated by a particular product e.g. windows (Eventlog), linux, splunk, etc.
  • Service — Subset of a product’s log e.g. security, powershell, sysmon, etc.
detection:
  selection_1:
    CommandLine|contains:
      - DumpCreds
      - invoke-mimikatz
  selection_2:
    CommandLine|contains:
      - rpc
      - token
      - crypto
      - dpapi
      - sekurlsa
      - kerberos
      - lsadump
      - privilege
      - process
  selection_3:
    CommandLine|contains:
      - '::'
  condition: selection_1 or selection_2 and selection_3
  • Selections — What you actually wish to select/search from the log data
  • Conditions — How the selections or filters should be evaluated
Field modifiers (appended to a field name after a '|', e.g. CommandLine|contains):
  • contains
  • all
  • base64
  • endswith
  • startswith
Condition operators:
  • Logical AND/OR operations ('and' binds tighter than 'or', so the condition above means selection_1 or (selection_2 and selection_3))
  • 1 of (selection) OR all of (selection) — this you might recognize from Yara as well
  • Negation using ‘not’ — e.g. not selection
  • Grouping expressions by using parentheses — e.g. (selection1 and selection2) or selection3
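To make the selection and condition semantics concrete, here is a small evaluator, added for this article and not part of Sigma or the SigmaHQ tooling, that runs the Mimikatz rule above against a handful of constructed process_creation events. It assumes events are plain dicts with a CommandLine field and implements only the modifiers listed above (contains, startswith, endswith, all), the and/or/not operators with Sigma's precedence ('and' before 'or'), parentheses, and the '1 of' / 'all of' quantifiers; real Sigma converters support more modifiers (base64, re, and others) and escape characters that are left out here.

```python
import re
from fnmatch import fnmatch

# The page's Mimikatz rule transcribed as a dict, so no YAML library is needed.
RULE = {
    "title": "Mimikatz Command Line",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection_1": {"CommandLine|contains": ["DumpCreds", "invoke-mimikatz"]},
        "selection_2": {"CommandLine|contains": ["rpc", "token", "crypto", "dpapi", "sekurlsa",
                                                 "kerberos", "lsadump", "privilege", "process"]},
        "selection_3": {"CommandLine|contains": ["::"]},
        "condition": "selection_1 or selection_2 and selection_3",
    },
}

# Subset of Sigma value modifiers; matching is case-insensitive, so both sides are lowered.
_MODIFIERS = {
    None: lambda a, e: a == e,
    "contains": lambda a, e: e in a,
    "startswith": lambda a, e: a.startswith(e),
    "endswith": lambda a, e: a.endswith(e),
}

def selection_matches(selection, event):
    """Fields in a selection are ANDed; a value list is ORed unless '|all' is present."""
    for key, expected in selection.items():
        field, *mods = key.split("|")
        require_all = "all" in mods
        mods = [m for m in mods if m != "all"]
        if field not in event:
            return False
        match = _MODIFIERS[mods[0] if mods else None]
        values = expected if isinstance(expected, list) else [expected]
        hits = [match(str(event[field]).lower(), str(v).lower()) for v in values]
        if not (all(hits) if require_all else any(hits)):
            return False
    return True

class _Condition:
    """Recursive-descent evaluator: 'or' binds loosest, then 'and', then 'not'."""
    def __init__(self, condition, results):
        self.tokens = re.findall(r"\(|\)|[\w*]+", condition)
        self.pos, self.results = 0, results  # results: selection name -> bool
    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None
    def _next(self):
        self.pos += 1
        return self.tokens[self.pos - 1]
    def expr(self):                       # expr := term ('or' term)*
        value = self.term()
        while self._peek() == "or":
            self._next()
            rhs = self.term()             # always evaluate so the tokens are consumed
            value = value or rhs
        return value
    def term(self):                       # term := factor ('and' factor)*
        value = self.factor()
        while self._peek() == "and":
            self._next()
            rhs = self.factor()
            value = value and rhs
        return value
    def factor(self):                     # 'not' factor | '(' expr ')' | '1|all of X' | name
        tok = self._next()
        if tok == "not":
            return not self.factor()
        if tok == "(":
            value = self.expr()
            if self._next() != ")":
                raise ValueError("unbalanced parenthesis in condition")
            return value
        if tok in ("1", "all") and self._peek() == "of":
            self._next()
            pattern = self._next()        # a glob such as selection_* or the word 'them'
            hits = [v for n, v in self.results.items() if pattern == "them" or fnmatch(n, pattern)]
            return all(hits) if tok == "all" else any(hits)
        return self.results[tok]

def evaluate_condition(condition, results):
    parser = _Condition(condition, results)
    value = parser.expr()
    if parser._peek() is not None:
        raise ValueError("trailing tokens in condition")
    return value

def rule_matches(rule, event):
    detection = rule["detection"]
    results = {n: selection_matches(s, event) for n, s in detection.items() if n != "condition"}
    return evaluate_condition(detection["condition"], results)

def run_rule(rule, events):
    """Return the CommandLine of every event the rule fires on."""
    return [e["CommandLine"] for e in events if rule_matches(rule, e)]

# Constructed sample process_creation events, not real telemetry.
EVENTS = [
    {"CommandLine": "mk.exe privilege::debug"},               # selection_2 and selection_3
    {"CommandLine": "powershell.exe -c Invoke-Mimikatz"},     # selection_1 alone is enough
    {"CommandLine": "notepad.exe C:\\Users\\a\\tokens.txt"},  # 'token' but no '::' -> no hit
    {"CommandLine": "notepad.exe ::note::"},                  # '::' but no selection_2 term
]

if __name__ == "__main__":
    for cmd in run_rule(RULE, EVENTS):
        print("ALERT:", cmd)
```

Only the first two events fire: the third contains a selection_2 token but no '::', and the fourth contains '::' but no selection_2 token, which is exactly the noise reduction the 'and' between selection_2 and selection_3 is there to provide. Swapping the condition for '(selection_1 or selection_2) and selection_3' would silently drop the Invoke-Mimikatz hit, so it pays to check precedence before shipping a rule.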

Step 4: Compiling the Rule

python .\sigmac -h
python .\sigmac --lists
python .\sigmac -t splunk -c splunk-windows ..\rules\windows\process_creation\win_mimikatz_command_line.yml

You can now go ahead and use the rule on your Splunk instance! (Note that SigmaHQ has since retired the legacy sigmac tool in favour of the pySigma-based sigma-cli, whose "sigma convert" command serves the same purpose.)

Using Uncoder.io

Sample Rule translated via Uncoder

Conclusion

Syed Hasan

Hi, I’m Syed. Explore my articles as I embark on this journey of learning more about Forensics and Cloud! 🚀