Defender’s Toolkit 102: Sigma Rules

What is Sigma?

Sigma is a generic and open signature format that allows you to describe relevant log events in a straightforward manner.

Writing Sigma Rules

A Sample Rule to Detect Mimikatz

How to Start Writing Sigma Rules?

Step 1: Acquire the Sigma repository [Optional]

git clone https://github.com/SigmaHQ/sigma

Step 2: Create a YAML file

title:
id:
status:
description:
author:
references:
logsource:
    category:
    product:
    service:
    definition:
detection:
    condition:
fields:
falsepositives:
level:
tags:

Step 3: Provide Input to Attributes

title: Mimikatz Command Line
id: a642964e-bead-4bed-8910-1bb4d63e3b4d
description: Detection well-known mimikatz command line arguments
author: Teymur Kheirkhabarov, oscd.community
date: 2019/10/22
modified: 2020/09/01
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
falsepositives:
    - Legitimate Administrator using tool for password recovery
level: medium
status: experimental
logsource:
    category: process_creation
    product: windows
detection:
    selection_1:
        CommandLine|contains:
            - DumpCreds
            - invoke-mimikatz
    selection_2:
        CommandLine|contains:
            - rpc
            - token
            - crypto
            - dpapi
            - sekurlsa
            - kerberos
            - lsadump
            - privilege
            - process
    selection_3:
        CommandLine|contains:
            - '::'
    condition: selection_1 or selection_2 and selection_3

Step 4: Compiling the Rule

python .\sigmac -h
python .\sigmac --lists
python .\sigmac -t splunk -c splunk-windows ..\rules\windows\process_creation\win_mimikatz_command_line.yml

You can now go ahead and use the rule on your Splunk instance!
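To see what the rule from Step 3 actually matches before you ship it to a SIEM, the following added example (not part of the original post, and not code from the Sigma project; sigmac and pySigma translate rules into backend queries rather than matching events directly) mirrors the rule's detection section as Python data and evaluates it against a few constructed process_creation events. It demonstrates two Sigma semantics worth knowing: a list under a field is an OR of values with case-insensitive matching, and in the condition `and` binds tighter than `or`, so `selection_1 or selection_2 and selection_3` reads as "selection_1, or (selection_2 and selection_3)". All event data below is constructed sample input, not real telemetry.

```python
"""Evaluate the detection logic of the Step 3 Sigma rule against
constructed Windows process_creation events (added example)."""
import re

# The detection section of the rule from Step 3, mirrored as Python data.
# Each selection maps "Field|modifier" -> value or list of values.
RULE_DETECTION = {
    "selection_1": {"CommandLine|contains": ["DumpCreds", "invoke-mimikatz"]},
    "selection_2": {"CommandLine|contains": ["rpc", "token", "crypto", "dpapi",
                                             "sekurlsa", "kerberos", "lsadump",
                                             "privilege", "process"]},
    "selection_3": {"CommandLine|contains": ["::"]},
    "condition": "selection_1 or selection_2 and selection_3",
}


def field_matches(event, field_spec, expected):
    """Evaluate one 'Field|modifier' entry. A list of values is an OR.
    Sigma string matching is case-insensitive, so compare lowercased."""
    field, _, modifier = field_spec.partition("|")
    actual = str(event.get(field, "")).lower()
    values = expected if isinstance(expected, list) else [expected]
    for value in values:
        value = str(value).lower()
        if modifier == "contains" and value in actual:
            return True
        if modifier == "startswith" and actual.startswith(value):
            return True
        if modifier == "endswith" and actual.endswith(value):
            return True
        if modifier == "" and actual == value:
            return True
    return False


def selection_matches(event, selection):
    """Every field entry inside one selection must match (AND)."""
    return all(field_matches(event, spec, val) for spec, val in selection.items())


def evaluate_condition(condition, results):
    """Evaluate a condition of selection names joined by 'and'/'or'.
    As in Sigma, 'and' binds tighter than 'or': split on 'or' first,
    then require every 'and' term of a group to be true."""
    for or_term in re.split(r"\s+or\s+", condition.strip()):
        and_terms = re.split(r"\s+and\s+", or_term)
        if all(results[name.strip()] for name in and_terms):
            return True
    return False


def rule_matches(event, detection=RULE_DETECTION):
    """Return True when the event satisfies the rule's condition."""
    results = {name: selection_matches(event, sel)
               for name, sel in detection.items() if name != "condition"}
    return evaluate_condition(detection["condition"], results)


# Constructed sample events (not real telemetry); the comment on each
# says which selections it is meant to exercise.
SAMPLE_EVENTS = [
    # privilege + '::' -> selection_2 and selection_3 -> match
    {"Image": r"C:\tools\mimikatz.exe",
     "CommandLine": 'mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords"'},
    # invoke-mimikatz -> selection_1 alone is enough -> match
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c Invoke-Mimikatz -DumpCreds"},
    # 'rpc' substring but no '::' -> selection_2 only -> no match
    {"Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc.exe query rpcss"},
    # '::' but none of the selection_2 keywords -> no match
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo Foo::Bar"},
]


def classify(events=SAMPLE_EVENTS):
    """Return one True/False verdict per event."""
    return [rule_matches(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, classify()):
        print("ALERT" if hit else "ok   ", event["CommandLine"])
```

The third sample event is the interesting one: `rpcss` contains `rpc`, so selection_2 fires, but without `::` the `and` with selection_3 fails, which is exactly why the rule pairs the broad keyword list with the `::` separator that mimikatz modules use. Running the four events prints two ALERT lines and two ok lines.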

Using Uncoder.io

Sample Rule translated via Uncoder

Conclusion

Syed Hasan

Hi, I’m Syed. Explore my articles as I embark on this journey of learning more about Forensics, Threat Hunting, and Cyber-threat Intelligence.