sigma::rules

tool sigma detection rules
01 Rule Anatomy
Minimal rule
title: Suspicious PowerShell EncodedCommand
id: 11111111-2222-3333-4444-555555555555
status: experimental
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    CommandLine|contains: "EncodedCommand"
  condition: selection
level: high
Fields that matter
title           short human-readable name
logsource       where the event comes from
detection       selection logic
condition       boolean expression over selections
falsepositives  expected benign matches
level           low / medium / high / critical
tags            attack.t1059, attack.execution, etc.
02 Detection Logic
Common operators
Image|endswith: '\powershell.exe'
CommandLine|contains: 'IEX'
ParentImage|contains|all:
  - 'cmd.exe'
  - 'powershell'
CommandLine|re: '(?i)frombase64string|encodedcommand'
User|startswith: 'NT AUTHORITY\'
Condition examples
condition: selection
condition: selection1 and not filter_main
condition: 1 of selection_*
condition: all of them
condition: selection_a or selection_b

# pattern:
selection_img and selection_cmd and not filter_fp
03 Useful Modifiers
Cheat table
Modifier        Meaning                       Example
|contains       substring match               CommandLine|contains: 'rundll32'
|startswith     starts with                   TargetFilename|startswith: 'C:\Users\'
|endswith       ends with                     Image|endswith: '\cmd.exe'
|all            all list values required      CommandLine|contains|all: ['-enc','JAB']
|re             regex                         CommandLine|re: '(?i)whoami|net user'
|base64offset   match inside base64 chunks    CommandLine|base64offset|contains: 'powershell'
|cidr           IP in subnet                  DestinationIp|cidr: '10.0.0.0/8'
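To make the operators, modifiers and condition syntax from the two sections above concrete, here is an added example (not sigma-cli or pySigma code, and not part of the original cheat sheet) that evaluates a hypothetical detection block against constructed process_creation-style events. It mirrors Sigma semantics: plain strings match case-insensitively, a list of values is OR unless |all is present, |base64offset expands a pattern into its three possible base64 encodings, and the condition supports and/or/not, parentheses, "1 of selection_*" and "all of them". The rule, field names and events are all assumptions made up for the demonstration.

```python
import base64
import fnmatch
import ipaddress
import re

# Hypothetical rule: the 'detection' block of a Sigma rule written as a Python dict.
RULE = {
    "selection_img": {"Image|endswith": "\\powershell.exe"},
    "selection_cmd": {"CommandLine|base64offset|contains": "powershell"},
    "selection_net": {"DestinationIp|cidr": "10.0.0.0/8"},
    "filter_fp": {"User|startswith": "NT AUTHORITY\\"},
    "condition": "1 of selection_* and not filter_fp",
}

# Constructed sample events (not real telemetry) in the flat shape Sysmon process_creation logs take.
EVENTS = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -enc " + base64.b64encode(b"IEX powershell -w hidden").decode(),
     "User": "CORP\\alice", "DestinationIp": "10.1.2.3"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -File C:\\scripts\\inventory.ps1",
     "User": "NT AUTHORITY\\SYSTEM", "DestinationIp": "10.1.2.3"},
    {"Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe",
     "User": "CORP\\bob", "DestinationIp": "8.8.8.8"},
]


def base64_offset_variants(value: str) -> list[str]:
    """The three base64 encodings of value at byte offsets 0, 1 and 2 inside a longer
    string, with the boundary characters that depend on neighbouring bytes trimmed.
    This is what |base64offset expands a pattern into."""
    start, end = (0, 2, 3), (None, -3, -2)
    raw = value.encode()
    return [base64.b64encode(b" " * i + raw)[start[i]:end[(len(raw) + i) % 3]].decode()
            for i in range(3)]


def match_value(field_value, modifiers: set, pattern) -> bool:
    """Test one pattern against one field value under a chain of modifiers."""
    if "cidr" in modifiers:
        return ipaddress.ip_address(field_value) in ipaddress.ip_network(pattern)
    if "re" in modifiers:
        return re.search(pattern, str(field_value)) is not None
    if "base64offset" in modifiers:            # base64 text is case-sensitive
        needles, hay = base64_offset_variants(pattern), str(field_value)
    else:                                      # plain Sigma strings are case-insensitive
        needles, hay = [str(pattern).casefold()], str(field_value).casefold()
    for needle in needles:
        if "contains" in modifiers and needle in hay:
            return True
        if "startswith" in modifiers and hay.startswith(needle):
            return True
        if "endswith" in modifiers and hay.endswith(needle):
            return True
        if not modifiers & {"contains", "startswith", "endswith"} and hay == needle:
            return True
    return False


def match_selection(selection: dict, event: dict) -> bool:
    """Every 'Field|mods: value' entry must match (AND); a list of values is OR unless |all."""
    for key, patterns in selection.items():
        field, *mods = key.split("|")
        if field not in event:
            return False                       # raw field missing: the selection cannot fire
        values = patterns if isinstance(patterns, list) else [patterns]
        hits = [match_value(event[field], set(mods), p) for p in values]
        if not (all(hits) if "all" in mods else any(hits)):
            return False
    return True


def evaluate_condition(condition: str, results: dict) -> bool:
    """Recursive-descent evaluator for and/or/not, parentheses, '1 of x*' and 'all of them'."""
    tokens = re.findall(r"\(|\)|[^\s()]+", condition)
    pos = 0

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def expr_or():
        left = expr_and()
        while peek() == "or":
            take()
            right = expr_and()                 # always parse the right side, no short-circuit
            left = left or right
        return left

    def expr_and():
        left = expr_not()
        while peek() == "and":
            take()
            right = expr_not()
            left = left and right
        return left

    def expr_not():
        if peek() == "not":
            take()
            return not expr_not()
        return atom()

    def atom():
        tok = take()
        if tok == "(":
            value = expr_or()
            take()                             # consume the closing ')'
            return value
        if tok in ("1", "all") and peek() == "of":
            take()
            pattern = take()
            names = list(results) if pattern == "them" else fnmatch.filter(results, pattern)
            picked = [results[n] for n in names]
            return all(picked) if tok == "all" else any(picked)
        return results[tok]

    return expr_or()


def rule_matches(rule: dict, event: dict) -> bool:
    """Evaluate every named selection, then the condition over their boolean results."""
    results = {name: match_selection(sel, event) for name, sel in rule.items() if name != "condition"}
    return evaluate_condition(rule["condition"], results)


if __name__ == "__main__":
    for event in EVENTS:
        print(rule_matches(RULE, event), event["Image"], event["User"])
```

The first event fires because the base64 blob after -enc contains the offset-1 encoding of "powershell" even though the plain word never appears in the encoded payload; the second is suppressed by the filter; the third matches no selection at all.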
04 Practical Rule Patterns
Suspicious LOLBins
title: Suspicious LOLBins
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    Image|endswith:
      - '\rundll32.exe'
      - '\regsvr32.exe'
      - '\mshta.exe'
      - '\certutil.exe'
  condition: selection
Sysmon DNS beacon clue
title: Repeated DNS Query to Suspicious Domain
logsource:
  product: windows
  service: sysmon
detection:
  selection:
    EventID: 22
    QueryName|endswith: '.evil.tld'
  condition: selection
05 Conversion & Usage
sigma-cli basics
sigma list targets
sigma convert -t splunk rule.yml
sigma convert -t es-qs rule.yml
sigma check rule.yml

# whole directory
sigma convert -t splunk rules/*.yml
With Chainsaw / Hayabusa
chainsaw hunt Logs/ --rules sigma/rules/ --mapping sigma-event-logs-all.yml

hayabusa hunt -d Logs -r sigma/rules -o hits.csv

# practical CTF flow
1. build timeline
2. grep obvious LOLBins
3. run Sigma rules
4. inspect hits manually
06 Field Mapping Mindset
Sigma is generic
Field names are logical. Backends and tools map them to actual event fields.
Rule may convert but still fail
A backend can lack the raw field or the logging source may not be enabled.
Always inspect raw data
Good hits come from understanding the real EVTX/JSON shape before writing rules.
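The three points above (logical field names, rules that convert but never fire, inspect the raw shape first) can be turned into a pre-flight check. The following is an added example, not code from sigma-cli or any backend: it takes a detection block, a hypothetical field mapping for two Windows sources, and a raw sample event, and reports which logical fields are unmapped or absent from the sample. The mapping table and the sample events are constructed for this demonstration; the 4688 sample deliberately lacks CommandLine, which Windows only records when command-line auditing is enabled.

```python
# Hypothetical mapping from Sigma's logical field names to the raw field names two common
# Windows sources carry (constructed for this example; real backends ship their own mappings).
FIELD_MAP = {
    "sysmon_1": {"Image": "Image", "CommandLine": "CommandLine",
                 "ParentImage": "ParentImage", "User": "User", "IntegrityLevel": "IntegrityLevel"},
    "security_4688": {"Image": "NewProcessName", "CommandLine": "CommandLine",
                      "ParentImage": "ParentProcessName", "User": "SubjectUserName"},
}

# Hypothetical detection block referencing four logical fields.
DETECTION = {
    "selection": {"Image|endswith": "\\rundll32.exe", "CommandLine|contains": "javascript:"},
    "filter_parent": {"ParentImage|endswith": "\\msiexec.exe"},
    "selection_il": {"IntegrityLevel": "High"},
    "condition": "selection and selection_il and not filter_parent",
}

# Constructed raw samples. The 4688 event has no CommandLine (auditing not enabled).
SYSMON_SAMPLE = {"EventID": 1, "Image": "C:\\Windows\\System32\\rundll32.exe",
                 "CommandLine": "rundll32.exe x.dll,Run", "ParentImage": "C:\\Windows\\explorer.exe",
                 "User": "CORP\\alice", "IntegrityLevel": "Medium"}
SECURITY_SAMPLE = {"EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\rundll32.exe",
                   "ParentProcessName": "C:\\Windows\\explorer.exe", "SubjectUserName": "alice"}


def rule_fields(detection: dict) -> set[str]:
    """Logical field names a detection block references ('Image|endswith' -> 'Image')."""
    return {key.split("|")[0]
            for name, selection in detection.items() if name != "condition"
            for key in selection}


def preflight(detection: dict, source: str, sample_event: dict) -> dict:
    """Per logical field: 'ok', 'unmapped', or 'missing:<raw>' when mapped but absent from the sample."""
    mapping = FIELD_MAP[source]
    report = {}
    for field in sorted(rule_fields(detection)):
        raw = mapping.get(field)
        if raw is None:
            report[field] = "unmapped"
        elif raw not in sample_event:
            report[field] = f"missing:{raw}"
        else:
            report[field] = "ok"
    return report


def can_fire(detection: dict, source: str, sample_event: dict) -> bool:
    """True only if every referenced field is both mapped and present in the raw data."""
    return all(status == "ok" for status in preflight(detection, source, sample_event).values())


if __name__ == "__main__":
    for source, sample in (("sysmon_1", SYSMON_SAMPLE), ("security_4688", SECURITY_SAMPLE)):
        print(source, preflight(DETECTION, source, sample), "can fire:", can_fire(DETECTION, source, sample))
```

Against the Sysmon sample every field is present; against the 4688 sample the rule would still convert cleanly, but IntegrityLevel has no equivalent and CommandLine is not in the data, so the query can never return a hit. Running a check like this over a handful of real exported events catches that before the rule ships.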
07 Pitfalls
Too broad
Start with one strong selection, then add filters for common false positives.
Wrong logsource
Choosing between process_creation, sysmon and powershell as the logsource matters a lot: it decides which events the backend queries.
Copied rules
Do not trust imported rules blindly; validate against your sample data.