It contains the rule base in the folder “.\/rules” and the Sigma rule compiler “.\/tools\/sigmac”. We will use the existing rules as examples and create a new rule based on a similar existing one. We will then test that rule by using “sigmac”.<\/p>\n
![\"\"](\"\/wp-content\/uploads\/2018\/02\/Screen-Shot-2018-02-10-at-09.38.58.png\")
Sigma Github Repository<\/p><\/div>\n
2. Copy and Edit YAML Files<\/h2>\n
My personal favorite editor for YAML is VSCode<\/a>. It is free and runs on all major platforms. (alternatively you can use Atom<\/a>\u00a0with ‘language-yaml’ and ‘linter-js-yaml’ packages)<\/p>\n Visual Studio Code<\/p><\/div>\n I used the following extensions but I don’t know if they are still necessary. VSCode has improved a lot over the last 12 months and it is possible that it supports YAML highlighting and syntax checks by default now.<\/p>\n YAML Extensions for VSCode<\/p><\/div>\n We open the Sigma repository folder with “Open …” and see all existing rules.<\/p>\n Sigma Rules<\/p><\/div>\n I selected an example in which we will create a Sigma rule from one of @JPCERT<\/a>‘s findings in their awesome “Tool Analysis Result Sheet<\/a>“.<\/p>\n We open the results for “Quarks PWDump<\/a>“, a password dumper often used by Chinese threat groups. It creates temporary files that we want to detect in our SysInternals Sysmon<\/a> log data. To collect the needed events we use Sysmon with @SwiftOnSecurity<\/a>‘s Sysmon config file<\/a>, Windows Event Forwarding<\/a> or NXlog<\/a>.<\/p>\n Quarks PWDump Analysis Results<\/p><\/div>\n So, what we do is to find a Sigma rule in the repository that we can use as a template for our new rule. We use the ‘search’ function to find a rule that looks for “File Creation” events (EventID 11) in Sysmon log data.<\/p>\n Sigma Example Rule<\/p><\/div>\n We find a rule that has a special format. It is a so-called “rule-collection<\/a>“, which allows us to define a global section in the YAML file marked with “action: global” that will be applied to all other sections in that file during the search query generation process. This way you can define and create multiple search queries from a single YAML file.<\/p>\n In the case of our QuarksPwDump example we don’t need a rule collection, so we reduce the rule to a standard rule that contains a detection expression looking Sysmon Events with Event ID 11 and save it as “sysmon_quarkspw_filedump.yml” to a new file in the folder “.\/rules\/windows\/sysmon\/”.<\/p>\n Simple Sysmon Sigma Rule<\/p><\/div>\n After that, we modify several fields of that rule:<\/p>\n New Sigma Rule Header<\/p><\/div>\n Before we create the new “detection” section, we review the analysis report in detail.<\/p>\n Details: QuarksPwDump Temporary Files<\/p><\/div>\n We add a string with wildcards that matches on the ‘TargetFileName’ field in the Sysmon events of type 11. That’s what the new rule looks like:<\/p>\n QuarksPwDump Sigma Rule<\/p><\/div>\n We test our newly created rule with “sigmac”, which requires python3. It is located in the “.\/tools” folder. It features several targets for which we can create searches\/configurations from our rules.<\/p>\n Currently supported targets (10.02.2018):<\/p>\n Running “python3 sigmac -h” shows a help:<\/p>\n We test our new rule with “sigmac” and the target “splunk”.<\/p>\n Now the rule is ready for a pull request. Follow me or contact me on Twitter: @cyb3rops<\/a>[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":" Sigma is an open standard for rules that allow you to describe searches on log data in generic form. These rules can be converted and applied to many log management or SIEM systems and can even be used with grep on the command line. In this article I’d like to give you a brief practical introduction into the rule creation process. I’ll recommend some tools and draft a guide that helps you to write Sigma rules as quick and sound as possible. 1. Get the Repository First download or clone our Sigma repository from Github. It contains the rule base in the folder “.\/rules” and the Sigma rule compiler “.\/tools\/sigmac”. We will use the existing rules as examples and create a new rule based on a similar existing one. We will then test that rule by using “sigmac”. 2. Copy and Edit YAML Files My personal favorite editor for YAML is VSCode. It is free and runs on all major platforms. (alternatively you can use Atom\u00a0with ‘language-yaml’ and ‘linter-js-yaml’ packages) I used the following extensions but I don’t know if they are still necessary. VSCode has improved a lot over the last 12 months and it is possible that it […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"Sigma is an open standard for rules that allow you to describe searches on log data in generic form. These rules can be converted and applied to many log management or SIEM systems and can even be used with grep on the command line. \r\n\r\nIn this article I'd like to give you a brief practical introduction into the rule creation process. I'll recommend some tools and draft a guide that helps you to write Sigma rules as quick and sound as possible.\r\n![\"\"](\"\/wp-content\/uploads\/2018\/02\/Screen-Shot-2018-02-10-at-09.33.49.png\")
![\"\"](\"\/wp-content\/uploads\/2018\/02\/Screen-Shot-2018-02-10-at-09.54.10.png\")
![\"\"](\"\/wp-content\/uploads\/2018\/02\/Screen-Shot-2018-02-10-at-10.23.48.png\")
3. Create a Sigma Rule<\/h2>\n
![\"\"](\"\/wp-content\/uploads\/2018\/02\/Screen-Shot-2018-02-10-at-13.26.17.png\")
![\"\"](\"\/wp-content\/uploads\/2018\/02\/Screen-Shot-2018-02-10-at-13.55.17.png\")
![\"\"](\"\/wp-content\/uploads\/2018\/02\/Screen-Shot-2018-02-10-at-14.05.23.png\")
\n
![\"\"](\"\/wp-content\/uploads\/2018\/02\/Screen-Shot-2018-02-10-at-14.21.26.png\")
![\"\"](\"\/wp-content\/uploads\/2018\/02\/Screen-Shot-2018-02-10-at-14.25.23.png\")
![\"\"](\"\/wp-content\/uploads\/2018\/02\/Screen-Shot-2018-02-10-at-14.54.09.png\")
4. Test the Rules<\/h2>\n
\n
\n$ python3 sigmac -h\nusage: sigmac [-h] [--recurse] [--filter FILTER]\n[--target {es-qs,kibana,xpack-watcher,logpoint,splunk,grep,fieldlist}]\n[--target-list] [--config CONFIG] [--output OUTPUT]\n[--backend-option BACKEND_OPTION] [--defer-abort]\n[--ignore-not-implemented] [--verbose] [--debug]\n[inputs [inputs ...]]\n\nConvert Sigma rules into SIEM signatures.\n\npositional arguments:\ninputs Sigma input files\n\noptional arguments:\n-h, --help show this help message and exit\n--recurse, -r Recurse into subdirectories (not yet implemented)\n--filter FILTER, -f FILTER\nDefine comma-separated filters that must match (AND-\nlinked) to rule to be processed. Valid filters:\nlevel<=x, level>=x, level=x, status=y, logsource=z. x\nis one of: low, medium, high, critical. y is one of:\nexperimental, testing, stable. z is a word appearing\nin an arbitrary log source attribute. Multiple log\nsource specifications are AND linked.\n--target {es-qs,kibana,xpack-watcher,logpoint,splunk,grep,fieldlist}, -t {es-qs,kibana,xpack-watcher,logpoint,splunk,grep,fieldlist}\nOutput target format\n--target-list, -l List available output target formats\n--config CONFIG, -c CONFIG\nConfiguration with field name and index mapping for\ntarget environment (not yet implemented)\n--output OUTPUT, -o OUTPUT\nOutput file or filename prefix if multiple files are\ngenerated (not yet implemented)\n--backend-option BACKEND_OPTION, -O BACKEND_OPTION\nOptions and switches that are passed to the backend\n--defer-abort, -d Don't abort on parse or conversion errors, proceed\nwith next rule. The exit code from the last error is\nreturned\n--ignore-not-implemented, -I\nOnly return error codes for parse errors and ignore\nerrors for rules with not implemented features\n--verbose, -v Be verbose\n--debug, -D Debugging output\n<\/pre>\n\n$ python3 sigmac -t splunk ..\/rules\/windows\/sysmon\/sysmon_quarkspw_filedump.yml\n(EventID=\"11\" TargetFileName=\"*\\AppData\\Local\\Temp\\SAM-*.dmp*\")\n<\/pre>\n
1. Get the Repository<\/h2>\r\nFirst download or clone our Sigma repository<\/a> from Github.\r\n\r\nIt contains the rule base in the folder \".\/rules\" and the Sigma rule compiler \".\/tools\/sigmac\". We will use the existing rules as examples and create a new rule based on a similar existing one. We will then test that rule by using \"sigmac\".\r\n\r\n[caption id=\"attachment_2961\" align=\"alignnone\" width=\"1030\"]
![\"\"](\"http:\/\/nextron.bsk-consulting.de\/wp-content\/uploads\/2018\/02\/Screen-Shot-2018-02-10-at-09.38.58.png\")
Sigma Github Repository[\/caption]\r\n2. Copy and Edit YAML Files<\/h2>\r\nMy personal favorite editor for YAML is VSCode<\/a>. It is free and runs on all major platforms. (alternatively you can use Atom<\/a>\u00a0with 'language-yaml' and 'linter-js-yaml' packages)\r\n\r\n[caption id=\"attachment_2960\" align=\"alignnone\" width=\"1175\"]
![\"\"](\"http:\/\/nextron.bsk-consulting.de\/wp-content\/uploads\/2018\/02\/Screen-Shot-2018-02-10-at-09.33.49.png\")
Visual Studio Code[\/caption]\r\n\r\nI used the following extensions but I don't know if they are still necessary. VSCode has improved a lot over the last 12 months and it is possible that it supports YAML highlighting and syntax checks by default now. \r\n\r\n[caption id=\"attachment_2965\" align=\"alignleft\" width=\"869\"]![\"\"](\"http:\/\/nextron.bsk-consulting.de\/wp-content\/uploads\/2018\/02\/Screen-Shot-2018-02-10-at-09.54.10.png\")
YAML Extensions for VSCode[\/caption]\r\n\r\nWe open the Sigma repository folder with \"Open ...\" and see all existing rules.\r\n\r\n[caption id=\"attachment_2966\" align=\"alignnone\" width=\"912\"]![\"\"](\"http:\/\/nextron.bsk-consulting.de\/wp-content\/uploads\/2018\/02\/Screen-Shot-2018-02-10-at-10.23.48.png\")
Sigma Rules[\/caption]\r\n3. Create a Sigma Rule<\/h2>\r\nI selected an example in which we will create a Sigma rule from one of @JPCERT<\/a>'s findings in their awesome \"Tool Analysis Result Sheet<\/a>\".\r\n\r\nWe open the results for \"Quarks PWDump<\/a>\", a password dumper often used by Chinese threat groups. It creates temporary files that we want to detect in our SysInternals Sysmon<\/a> log data. To collect the needed events we use Sysmon with @SwiftOnSecurity<\/a>'s Sysmon config file<\/a>, Windows Event Forwarding<\/a> or NXlog<\/a>.\r\n\r\n[caption id=\"attachment_2968\" align=\"alignnone\" width=\"1132\"]
![\"\"](\"http:\/\/nextron.bsk-consulting.de\/wp-content\/uploads\/2018\/02\/Screen-Shot-2018-02-10-at-13.26.17.png\")
Quarks PWDump Analysis Results[\/caption]\r\n\r\nSo, what we do is to find a Sigma rule in the repository that we can use as a template for our new rule. We use the 'search' function to find a rule that looks for \"File Creation\" events (EventID 11) in Sysmon log data.\r\n\r\n[caption id=\"attachment_2970\" align=\"alignnone\" width=\"866\"]![\"\"](\"http:\/\/nextron.bsk-consulting.de\/wp-content\/uploads\/2018\/02\/Screen-Shot-2018-02-10-at-13.55.17.png\")
Sigma Example Rule[\/caption]\r\n\r\nWe find a rule that has a special format. It is a so-called \"rule-collection<\/a>\", which allows us to define a global section in the YAML file marked with \"action: global\" that will be applied to all other sections in that file during the search query generation process. This way you can define and create multiple search queries from a single YAML file.\r\n\r\nIn the case of our QuarksPwDump example we don't need a rule collection, so we reduce the rule to a standard rule that contains a detection expression looking Sysmon Events with Event ID 11 and save it as \"sysmon_quarkspw_filedump.yml\" to a new file in the folder \".\/rules\/windows\/sysmon\/\".\r\n\r\n[caption id=\"attachment_2971\" align=\"alignnone\" width=\"639\"]![\"\"](\"http:\/\/nextron.bsk-consulting.de\/wp-content\/uploads\/2018\/02\/Screen-Shot-2018-02-10-at-14.05.23.png\")
Simple Sysmon Sigma Rule[\/caption]\r\n\r\nAfter that, we modify several fields of that rule:\r\n\r\n \t
![\"\"](\"http:\/\/nextron.bsk-consulting.de\/wp-content\/uploads\/2018\/02\/Screen-Shot-2018-02-10-at-14.21.26.png\")
New Sigma Rule Header[\/caption]\r\n\r\nBefore we create the new \"detection\" section, we review the analysis report in detail.\r\n\r\n[caption id=\"attachment_2973\" align=\"alignnone\" width=\"759\"]![\"\"](\"http:\/\/nextron.bsk-consulting.de\/wp-content\/uploads\/2018\/02\/Screen-Shot-2018-02-10-at-14.25.23.png\")
Details: QuarksPwDump Temporary Files[\/caption]\r\n\r\nWe add a string with wildcards that matches on the 'TargetFileName' field in the Sysmon events of type 11. That's what the new rule looks like:\r\n\r\n[caption id=\"attachment_2976\" align=\"alignnone\" width=\"670\"]![\"\"](\"http:\/\/nextron.bsk-consulting.de\/wp-content\/uploads\/2018\/02\/Screen-Shot-2018-02-10-at-14.54.09.png\")
QuarksPwDump Sigma Rule[\/caption]\r\n4. Test the Rules<\/h2>\r\nWe test our newly created rule with \"sigmac\", which requires python3. It is located in the \".\/tools\" folder. It features several targets for which we can create searches\/configurations from our rules.\r\n\r\nCurrently supported targets (10.02.2018):\r\n
\r\n \t