It is common for SIGMA authors to pull results from malware sandboxes and write detections against the command line arguments used by the malware. Commonly malware drops & executes artifacts from user profiles. However, we must anticipate that these user profiles will change. We must use a wildcard when specifying that artifacts will drop in user profiles. Unless that profile is the public profile.

In this example, an analyst meant to match on malware running from a user profile’s appdata\roaming folder. However, this will only match in environments where users are named “admin”.

The corrected version of this rule will match on ANY user profile.

Not nearly as common but still poses a similar problem is the use of Security Identifiers (SIDs). SIDs for user accounts are highly unique, when we maintain them in a rule we are limiting the rule to work for a single user account on a single workstation or domain.

Exclusions to this problem are rules that depend on “well known SIDs” for detection purposes. https://docs.microsoft.com/en-us/windows/win32/secauthz/well-known-sids

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab

In this example, a SID belonging to the local system administrator account of a specific host means this rule will only work for a single user on a single machine.

In this corrected version of the rule, we’ve used a wildcard to allow the rule to match on any user’s SID.

SIGMA takes advantage of named fields and via SIGMAC configurations the field names are updated to reflect those in use by the user. If we don’t use the existing mappings, then this automation breaks and users will either have to update their configurations or manually change the mappings after conversion.

Whenever possible we must use the existing mappings as defined in the taxonomy. https://github.com/Neo23x0/sigma/wiki/Taxonomy

In this example, the non-existent mapping “command” is used. “CommandLine” is already defined in the taxonomy.

In the corrected example the correct field “CommandLine” is used.

Often the results of sandbox reports are made into SIGMA rules. Sometimes these rules include “normal” windows behavior such as “werfault.exe” being spawned. Certain executables such as “werfault.exe”, “conhost.exe” when executed from their normal locations can rarely be used in a detection without creating a massive amount of noise.

Not every Windows system is using the “C” drive as its “system drive”. For instance, it is common for Windows based web servers to use “D '' as the system drive. Therefore we should not limit rules by forcing them to use the “C” drive.

Unfortunately, the SIGMA specification & taxonomy doesn’t have a field for matching on the contents of an HTTP POST/PUT body. c-uri and other webserver/proxy category fields do not contain any part of the HTTP POST/PUT request body. c-uri only contains the URI (e.g. https://example.com/example?a=example) requested by a client (e.g. Mozilla Firefox). These types of rules are better written in the Snort® Rule language.

There are some exceptions to this guidance:

Note: SOC Prime may rarely accept a rule that uses keywords to identify suspicious terms in the POST body, however this will be for only the most critical of exploits.

Example:

The following wireshark screenshot of a packet capture will be used to further describe the issue. The packet capture shows the contents of a “malicious” file uploaded to a web server via /info.php.

An incorrect approach is to flag only on the c-uri path /info.php. While /info.php may be exploitable, it will presumably mostly be used for legitimate purposes. Therefore, the path itself is innocuous and it is incorrect to create a rule with the logic c-uri|contains: /info.php.

In this example, writing a valid SIGMA rule is not possible.

Often adversaries perform tasks that cause multiple correlatable events. For instance, we may care if net.exe, wmic.exe, and nltest.exe are executed on the same Windows host within one minute. SOC Prime supports detecting this via legacy correlations as defined by the SIGMA specification https://github.com/SigmaHQ/sigma-specification/blob/main/archives/wiki.md.

This example fails to use correlation logic, and assumes that SIGMA is able to automatically correlate events. This is not the case, without specifying the correlation this rule can’t work. No single event will contain the net.exe, wmic.exe, nltest.exe within the Image field.

In this corrected example correlations are used to ensure 3 unique Image paths exist.

Challenge: Notice a fuller path is provided to net.exe, wmic.exe, and nltest.exe. Can you Identify why? Hint: syswow64

Adversaries have control over certain parts of a log. For instance, they can rename a file from the obvious “evil.exe” to something more benign “7za.exe”. Different parts of their tooling are more difficult to change than others. For instance, an open source tool can have parameters/arguments changed, but it takes a little more effort to do that. So, it is more useful to flag on unique arguments to a binary than it is to flag on the binary name. When possible rules should match on unique terms that are difficult to change, these rules are more resilient.

However, sometimes it is in our interest to decrease rule resilience to increase the rule availability. For instance, it may be better to write a rule without regular expressions even though the rule may end up being less resilient. This is because backend support for regular expressions isn’t universal.

Example:

The following rules are based off of the commonly abused freeware tool “WebBrowserPassView” by Nir Sofer:

https://www.nirsoft.net/utils/web_browser_password.html

This rule can easily be evaded by changing the name of the executable.

SIGMA allows for the use of * (asterisk) and ? (question mark) as wildcards. A common mistake is to accidentally escape these characters when their use as a wildcard was intended. Using a single \ (backslash) before an asterisk or question mark will cause it to be treated as the character instead of a wildcard. Instead, we must escape the trailing backslash with another backslash (\\* instead of \*).

In this example, an analyst meant to match on any user profile, but instead, they unintentionally escaped the wildcard character so that it will match an asterisk (*) literally.

In this corrected example we’ve correctly escaped the backslash before the wildcard so that the asterisk is treated as a wildcard.

WARNING: It is a violation of copyright law to directly copy and paste a description from the original source without permission.

The description field within SIGMA should provide the rule user with context about the intention of the rule itself. For instance, rules are submitted containing relevant malware campaign information, but nothing about how the rule is intended to detect said campaign. Ensure the intention of the detection is clear in the rule description.

In this corrected version of the rule, we’ve added the ‘contains’ transformation and the original intention of the rule has been met.

Malware will often create named objects (e.g. files, registry keys, pipes) within victim environments. The attacker often has complete control of what these object names will be and can set the names to random values upon execution of their malware. When reading reports on adversary activity, it is best to assume that random looking object names are randomly generated at execution. However, if the reporting indicates or the author is able to show that the “random” object names are consistent across multiple samples and execution environments, or are campaign specific, then it is fair to use these ‘random’ names.

Note: Sometimes the “random” object names will follow a pattern or be placed in an unusual path that can lead to a more acceptable detection.

A malware analysis sandbox service showed the file ‘ghn93opfj.txt’ being created in the directory ‘users\public\temp\’. The author wrote the below rule without performing additional analysis of the malware sample (reverse engineering the file creation) or reviewing sandbox logs of multiple samples & environments.

A malware analysis sandbox service showed the file ‘ghn93opfj.txt’ being created in the directory ‘users\public\temp\’. After performing some reverse engineering, the author was able to identify that the path will always be “\users\public\temp” and that the file name will always follow a pattern that fits the regular expression ‘.*[a-z]{9}.txt’, which is unique enough to match on.

There are certain behaviors that seem to be abused by malware campaigns over and over. Typically, these behaviors are already caught by a generic rule. However, sometimes the threat actor includes a unique term that uniquely identifies that they are the likely actor (e.g. a specific scheduled task name). These rules are not necessarily incorrect, but they will be judged with more scrutiny for their value. For instance, if a malware campaign is identified creating a unique scheduled task named “NotAnEvilTask” but that campaign is targeting a specific extremist cult leader in Fiji, then we will probably not accept the rule as relevant to SOC Prime’s customer base.

Here is a list of examples:

Modifiers such as “contains” and “all” are very useful to simplify rule creation. However, if modifiers are intended to be used in the match but are not included in the field name the rule logic breaks entirely.

In this rule the “contains” transformation is missing. Since no registry key begins with “\software” this rule should never hit.

In this corrected version of the rule, we’ve added the ‘contains’ transformation and the original intention of the rule has been met.

Executables often accept slashes / and dashes - interchangeably even if the usage is not documented. Typically the slash or dash can be excluded entirely without affecting the intent of the rule. If this is the case for your rule, remove the slash/dash.

The primary rule for regular expressions is to “keep it simple”. Regex support differs widely between platforms. You should attempt to keep your regular expressions to the standard operators. . ? + * {} | () [] ^ \ this will ensure reusability across platforms.

This regular expression will not work in databases using “lucene”.

This equivalent regular expression will work in any platform that supports regex.

The commands in this kind of rules are the commands run on the attacker's box (executed by the attacker's side) So they will never show up on the log source of the client.

In this example, the rule was made in order to detect the execution of Bad Blood tool (an exploit for CVE-2021-20038). If you look at the parameters, you’ll see that this specific tool tries to establish connection with victim’s machine, so the action occurs on adversarie’s side.

In this corrected example we’ve used a tool that could be detected on the Victim's machine, so clients can use the content properly. In this case, the values are unique and related to Sharphound tool.

There are two basic types of registry paths: Kernel Paths and User-land Paths. Kernel paths will be consistent, they do not use any kind of symbolic linking (more on this in user-land).

User-land paths may NOT be consistent.

Example: These paths are 'equivalent' and all are possible depending basically only on the datasource:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ThisIsAService - User land

HKLM\SYSTEM\ControlSet001\Services\ThisIsAService - User land

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ThisIsAService - User land

HKLM\SYSTEM\CurrentControlSet\Services\ThisIsAservice - User land

\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ThisIsAService - Kernel land

In order to make this path "agnostic" to all the possibilities it must be written as

TargetObject|endswith: \System\\*ControlSet*\Services\ThisIsAService

OR

TargetObject|endswith: \Services\ThisIsAService

In this example, the rule was made to put an example of incorrect use of CurrentControlSet.

In this corrected example we’ll use wildcards to make those paths more “agnostics”.

In this case, in order to make the rule approvable and useful, it’s important to consider creating content to cover ransomware behavior instead of encryption activity. This is because clients could use a good ransomware rule to detect previous steps before infection and they probably have an opportunity to avoid the action of being victims.

In this rule we’ll detect encryption activity of a fake ransomware.

In this corrected version of the rule, we’ll detect ransomware activity in order to stay one step ahead of adversaries.