# Understanding SIGMA Rule

### Condition Operators

A condition expression uses logical operators to link the Search-Identifiers defined under the detection attribute. Let us look at each of these operators with an example:

### Example: 1 - Logical "OR"

Let's look at a condition expression using the logical "OR":

* Assume we have a rule with three Search-Identifiers (i.e., selection1, selection2, selection3) as part of the detection attribute.
* The requirement is for the rule to trigger when at least one of the three Search-Identifiers matches (i.e., selection1 or selection2 or selection3), so the condition can be written as:

```yaml
### Example-1 Condition with Logical "OR"
title: Suspicious ‘mshta.exe’ Process Executions via Command Line tools
detection:
  selection1:
    EventID: 7045
    ServiceName: 'PSEXESVC'
    ServiceFileName: '*\PSEXESVC.exe'
  selection2:
    EventID: 7036
    ServiceName: 'PSEXESVC'
  selection3:
    EventID: 1
    Image: '*\PSEXESVC.exe'
    User: 'NT AUTHORITY\SYSTEM'
  condition: selection1 OR selection2 OR selection3
```

**Condition expression in the above example** `"selection1 OR selection2 OR selection3"` **evaluates and matches to** `(EventID == 7045 AND ServiceName == 'PSEXESVC' AND ServiceFileName == '*\PSEXESVC.exe') OR (EventID == 7036 AND ServiceName == 'PSEXESVC') OR (EventID == 1 AND Image == '*\PSEXESVC.exe' AND User == 'NT AUTHORITY\SYSTEM')`

Alternatively, the condition above can also be written using the `1/any of Search-Identifiers` operators SIGMA provides:

| Operators (1/any of Search-Identifiers) |
| --------------------------------------- |
| 1 of selection\*                        |
| 1 of them                               |
| any of selection\*                      |

### Example: 2 - Logical "AND"

Let's look at another example, a condition expression using the logical "AND":

* Consider a rule with two Search-Identifiers (i.e., selection1, selection2) as part of the detection attribute.
* The rule should trigger only when both Search-Identifiers (i.e., selection1 and selection2) match, so the condition can be written as:

```yaml
### Example-2 Condition with Logical "AND"
title: Suspicious ‘mshta.exe’ Process Executions via Command Line tools
detection:
  selection1:
    Image: '*\mshta.exe'
  selection2:
    ParentImage:
      - '*\cmd.exe'
      - '*\powershell.exe'
  condition: selection1 AND selection2
```

**Condition expression in the above example** `"selection1 AND selection2"` **evaluates and matches to** `Image == '*\mshta.exe' AND (ParentImage == '*\cmd.exe' or ParentImage == '*\powershell.exe')`

Alternatively, the condition expression above can also be written using the `all of Search-Identifiers` operators:

| Operators (all of search-identifier) |
| ------------------------------------ |
| all of selection\*                   |
| all of them                          |

### Example: 3 - Negation with "NOT"

Let's look at another example, a condition expression using negation with "NOT":

* Consider a rule with two Search-Identifiers (i.e., selection, filter) as part of the detection attribute.
* The rule should trigger when the first Search-Identifier (i.e., selection) matches but the second (i.e., filter) does not, so the negation condition can be written as:

```yaml
### Example-3 Condition with Negation with "NOT"
title: ‘mshta.exe’ process execution from untrusted locations
detection:
  selection:
    Image|endswith: '\mshta.exe'
  filter:
    Image|contains:
      - 'C:\Windows\System32'
      - 'C:\Windows\SysWOW64'
  condition: selection AND NOT filter
```

**Condition expression in the above example** `"selection AND NOT filter"` **evaluates and matches to** `Image == '*\mshta.exe' AND NOT (Image == '*C:\Windows\System32*' or Image == '*C:\Windows\SysWOW64*')` (the `|contains` modifier matches the value anywhere in the field, hence the wildcards on both sides).

### Example: 4 - Logical "AND/OR"

Let's look at another example, a condition expression combining both the logical "AND" and "OR":

* Consider a rule with three Search-Identifiers (i.e., selection1, selection2, selection3) as part of the detection attribute.
* The rule should trigger when the first Search-Identifier (i.e., selection1) matches together with one of the other two (i.e., selection2 or selection3), so the condition can be written as:

```yaml
### Example-4 Condition with Logical "AND/OR"
title: Suspicious ‘mshta.exe’ Process Executions
detection:
  selection1:
    Image|endswith: '\mshta.exe'
  selection2:
    ParentImage|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
  selection3:
    CommandLine|contains:
      - '\AppData\Local'
      - 'C:\Windows\Temp'
      - 'C:\Users\Public'
  condition: selection1 AND (selection2 OR selection3)
```

**Condition expression in the above example** `"selection1 AND (selection2 OR selection3)"` **evaluates and matches to** `Image == '*\mshta.exe' AND ((ParentImage == '*\cmd.exe' or ParentImage == '*\powershell.exe') OR (CommandLine == '*\AppData\Local*' or CommandLine == '*C:\Windows\Temp*' or CommandLine == '*C:\Users\Public*'))`

### Example: 5 - Complete Rule (All of Above)

Examples 2 to 4 above each showed an individual rule to detect suspicious ‘mshta.exe’ activity:

* Example: 2 - Suspicious ‘mshta.exe’ Process Executions via Command Line tools
* Example: 3 - ‘mshta.exe’ Process Execution from untrusted locations
* Example: 4 - Suspicious ‘mshta.exe’ Process Executions

Now let's merge these examples into one new rule to detect suspicious ‘mshta.exe’ processes, using all the SIGMA operators discussed so far.

The merged rule below uses five Search-Identifiers (i.e., selection_base, selection1, selection2, filter1, filter2) as part of the detection attribute.

```yaml
### Example-5 Complete Rule (All of Above 2-4)
title: Suspicious Execution of ‘MSHTA.exe’ Process
detection:
  # Binary
  selection_base:
    Image|endswith: '\mshta.exe'
  # Suspicious parents
  selection1:
    ParentImage|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
  # Suspicious folders
  selection2:
    CommandLine|contains:
      - '\AppData\Local'
      - 'C:\Windows\Temp'
      - 'C:\Users\Public'
  # Suspicious Execution Locations
  filter1:
    Image|contains:
      - 'C:\Windows\System32'
      - 'C:\Windows\SysWOW64'
  filter2:
    CommandLine|contains:
      - '.htm'
      - '.hta'
    CommandLine|endswith:
      - 'mshta.exe'
      - 'mshta'
  condition: selection_base and (selection1 or selection2) or (selection_base and not filter1) or (selection_base and not filter2)
```

**Condition expression in the above example** `selection_base and (selection1 or selection2) or (selection_base and not filter1) or (selection_base and not filter2)` **evaluates and matches to** `(Image == '*\mshta.exe' AND ((ParentImage == '*\cmd.exe' or ParentImage == '*\powershell.exe') OR (CommandLine == '*\AppData\Local*' or CommandLine == '*C:\Windows\Temp*' or CommandLine == '*C:\Users\Public*'))) OR (Image == '*\mshta.exe' AND NOT (Image == '*C:\Windows\System32*' or Image == '*C:\Windows\SysWOW64*')) OR (Image == '*\mshta.exe' AND NOT ((CommandLine == '*.htm*' or CommandLine == '*.hta*') AND (CommandLine == '*mshta.exe' or CommandLine == '*mshta')))`. Note that the two keys inside `filter2` (`CommandLine|contains` and `CommandLine|endswith`) are AND-ed, because keys within one Search-Identifier must all match, while the list values under each key are OR-ed.

![Example-5 - Complete Rule](https://2078222076-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MMRHZBPHlLDUc8519fX%2Fuploads%2FSCj4xT9FzYmvixpGYyhf%2FSIGMA_DETECTION_01.jpg?alt=media&token=ae8c5a5d-2af3-4964-aa56-925fe8fef78c)
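To make the evaluation rules in Examples 1 to 5 concrete, here is a small Python evaluator, added as an illustration and not part of the original page or of any Sigma tooling: it applies the Search-Identifier semantics used above (keys in a map are AND-ed, a list of values is OR-ed, `|contains` and `|endswith` modifiers, `*` wildcards on plain fields) and then walks a condition expression with and/or/not, parentheses and the `1/any/all of` operators. The `EXAMPLE4` dict is Example 4 transcribed by hand, and `SAMPLE_EVENT` is a constructed process-creation event.

```python
import fnmatch
import re

MODIFIERS = {"": fnmatch.fnmatchcase,  # plain field: '*' is a wildcard (Examples 1 and 2)
             "contains": lambda v, p: p in v, "endswith": lambda v, p: v.endswith(p)}

def match_selection(selection, event):
    """A Search-Identifier matches when every key matches (AND); a list of values is OR."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        value = str(event.get(field, "")).lower()  # Sigma matching is case-insensitive
        patterns = patterns if isinstance(patterns, list) else [patterns]
        if field not in event or not any(MODIFIERS[modifier](value, str(p).lower()) for p in patterns):
            return False
    return True

def eval_condition(condition, detection, event):
    results = {n.lower(): match_selection(s, event) for n, s in detection.items()}
    tokens = re.findall(r"\(|\)|[^\s()]+", condition.lower()) + [None]  # None marks the end
    def primary():
        tok = tokens.pop(0)
        if tok == "(":
            val = expr_or()
            tokens.pop(0)  # the closing ')'
            return val
        if tok == "not":
            return not primary()
        if tok in ("1", "any", "all"):  # '1 of selection*', 'any of them', 'all of them'
            _, pat = tokens.pop(0), tokens.pop(0)  # skip 'of', take the name pattern
            hits = [results[n] for n in results if pat == "them" or fnmatch.fnmatchcase(n, pat)]
            return all(hits) if tok == "all" else any(hits)
        return results[tok]
    def expr_and():
        val = primary()
        while tokens[0] == "and":
            tokens.pop(0)
            val = primary() and val  # evaluate rhs first so its tokens are always consumed
        return val
    def expr_or():
        val = expr_and()
        while tokens[0] == "or":
            tokens.pop(0)
            val = expr_and() or val
        return val
    return expr_or()

# Example 4 from this page transcribed to a dict, plus a constructed sample event
EXAMPLE4 = {"selection1": {"Image|endswith": "\\mshta.exe"},
            "selection2": {"ParentImage|endswith": ["\\cmd.exe", "\\powershell.exe"]},
            "selection3": {"CommandLine|contains": ["\\AppData\\Local", "C:\\Windows\\Temp", "C:\\Users\\Public"]}}
SAMPLE_EVENT = {"Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
```

`eval_condition("selection1 AND (selection2 OR selection3)", EXAMPLE4, SAMPLE_EVENT)` returns True because selection2 matches even though the event carries no CommandLine field; swapping in Example 3's `selection AND NOT filter` makes the same event a non-match, since its Image sits under System32.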
