Understanding SIGMA Rule

Condition Operators

A condition expression uses logical operators to tie the Search-Identifiers of the detection attribute together. The Sigma specification writes the condition key and the operators (and, or, not, 1 of, all of) in lowercase. Let us look at each operator with an example:

Example: 1 - Logical "OR"

Let's look at a condition expression using the logical "OR":

  • Assuming we have a rule with three Search-Identifiers (i.e., selection1, selection2, selection3) as part of the detection attribute.

  • The requirement is for the rule to trigger when at least one of the three Search-Identifiers matches (i.e., selection1 or selection2 or selection3). The condition can be written as:

### Example-1 Condition with Logical "OR"
title: PsExec Service Installation and Execution
detection:
  selection1:
    EventID: 7045
    ServiceName: 'PSEXESVC'
    ServiceFileName: '\PSEXESVC.exe'
  selection2:
    EventID: 7036
    ServiceName: 'PSEXESVC'
  selection3:
    EventID: 1
    Image: '*\PSEXESVC.exe'
    User: 'NT AUTHORITY\SYSTEM'
  condition: selection1 or selection2 or selection3

The condition "selection1 or selection2 or selection3" above evaluates as (EventID == 7045 AND ServiceName == 'PSEXESVC' AND ServiceFileName == '\PSEXESVC.exe') OR (EventID == 7036 AND ServiceName == 'PSEXESVC') OR (EventID == 1 AND Image == '*\PSEXESVC.exe' AND User == 'NT AUTHORITY\SYSTEM'). Note that Sigma string comparison is case-insensitive, and that a plain value without a wildcard must match the whole field: as written, ServiceFileName only matches the exact string '\PSEXESVC.exe', whereas a real EventID 7045 carries the full path of the service binary, so in practice you would write '*\PSEXESVC.exe' (or ServiceFileName|endswith: '\PSEXESVC.exe'), as selection3 already does for Image.

Alternatively, the condition above can also be written with the "1/any of" operators Sigma provides; since all three identifiers start with "selection" and the rule has no others, each of the following is equivalent:

Operators (1/any of Search-Identifiers)

1 of selection*

1 of them

any of selection*

Example: 2 - Logical "AND"

Let's look at another example of a condition expression, using the logical "AND":

  • Consider a rule with two Search-Identifiers (i.e., selection1, selection2) as part of the detection attribute.

  • The rule should trigger only when both Search-Identifiers (i.e., selection1 and selection2) match; the condition can be written as:

### Example-2 Condition with Logical "AND"
title: Suspicious 'mshta.exe' Process Executions via Command Line tools
detection:
  selection1:
    Image: '*\mshta.exe'
  selection2:
    ParentImage:
      - '*\cmd.exe'
      - '*\powershell.exe'
  condition: selection1 and selection2

The condition "selection1 and selection2" above evaluates as Image == '*\mshta.exe' AND (ParentImage == '*\cmd.exe' OR ParentImage == '*\powershell.exe').

Alternatively, the condition above can also be written with the "all of" operators; with only these two identifiers in the rule, both forms below are equivalent:

Operators (all of search-identifier)

all of selection*

all of them

Example: 3 - Negation with "NOT"

Let's look at another example of a condition expression, negation with "NOT":

  • Consider a rule with two Search-Identifiers (i.e., selection, filter) as part of the detection attribute.

  • The rule should trigger when the first Search-Identifier (i.e., selection) matches but the second (i.e., filter) does not; the negated condition can be written as:

### Example-3 Condition with Negation "NOT"
title: 'mshta.exe' process execution from untrusted locations
detection:
  selection:
    Image|endswith: '\mshta.exe'
  filter:
    Image|contains:
      - 'C:\Windows\System32'
      - 'C:\Windows\SysWOW64'
  condition: selection and not filter

The condition "selection and not filter" above evaluates as Image == '*\mshta.exe' AND NOT (Image == '*C:\Windows\System32*' OR Image == '*C:\Windows\SysWOW64*'). Because contains is a substring test, the filter also excludes any path that merely has 'C:\Windows\System32' somewhere inside it (for example a directory whose name only begins with System32); if the intent is to exclude exactly the two system directories, Image|startswith with the trailing backslash ('C:\Windows\System32\') is the tighter filter.

Example: 4 - Logical "AND/OR"

Let's look at another example of a condition expression that combines the logical "AND" and "OR":

  • Consider a rule with three Search-Identifiers (i.e., selection1, selection2, selection3) as part of the detection attribute.

  • The rule should trigger when the first Search-Identifier (i.e., selection1) matches together with one of the other two (i.e., selection2 or selection3); the condition can be written as:

### Example-4 Condition with Logical "AND/OR"
title: Suspicious 'mshta.exe' Process Executions
detection:
  selection1:
    Image|endswith: '\mshta.exe'
  selection2:
    ParentImage|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
  selection3:
    CommandLine|contains:
      - '\AppData\Local'
      - 'C:\Windows\Temp'
      - 'C:\Users\Public'
  condition: selection1 and (selection2 or selection3)

The condition "selection1 and (selection2 or selection3)" above evaluates as Image == '*\mshta.exe' AND ((ParentImage == '*\cmd.exe' OR ParentImage == '*\powershell.exe') OR (CommandLine == '*\AppData\Local*' OR CommandLine == '*C:\Windows\Temp*' OR CommandLine == '*C:\Users\Public*')). The parentheses matter: and binds tighter than or, so without them "selection1 and selection2 or selection3" would fire on any command line containing one of the three folders even when the image is not mshta.exe.

Example: 5 - Complete Rule (All of Above)

In Examples 2 to 4 above we have seen individual rules to detect suspicious 'mshta.exe' activity:

  • Example: 2 - Suspicious ‘mshta.exe’ Process Executions via Command Line tools

  • Example: 3 - 'mshta.exe’ Process Execution from untrusted locations

  • Example: 4 - Suspicious ‘mshta.exe’ Process Executions

Now let's merge these examples into one rule to detect suspicious 'mshta.exe' processes, using the Sigma operators discussed above.

The merged rule has five Search-Identifiers under the detection attribute: selection_base for the binary, selection1 and selection2 for the suspicious parents and folders from Examples 2 and 4, and filter1 and filter2 for the exclusions (filter1 is the location filter from Example 3; filter2 is a new command-line filter).

### Example-5 Complete Rule (All of Above 2-4)
title: Suspicious Execution of ‘MSHTA.exe’ Process
detection:
  # Binary
  selection_base:
    Image|endswith: '\mshta.exe'
  # Suspicious parents
  selection1:
    ParentImage|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
  # Suspicious folders
  selection2:
    CommandLine|contains:
      - '\AppData\Local'
      - 'C:\Windows\Temp'
      - 'C:\Users\Public'
  # Suspicious Execution Locations
  filter1:
    Image|contains:
      - 'C:\Windows\System32'
      - 'C:\Windows\SysWOW64'
  filter2:
    CommandLine|contains:
      - '.htm'
      - '.hta'
    CommandLine|endswith:
      - 'mshta.exe'
      - 'mshta'
  condition: selection_base and (selection1 or selection2) or (selection_base and not filter1) or (selection_base and not filter2)

The condition "selection_base and (selection1 or selection2) or (selection_base and not filter1) or (selection_base and not filter2)" above evaluates as (Image == '*\mshta.exe' AND ((ParentImage == '*\cmd.exe' OR ParentImage == '*\powershell.exe') OR (CommandLine == '*\AppData\Local*' OR CommandLine == '*C:\Windows\Temp*' OR CommandLine == '*C:\Users\Public*'))) OR (Image == '*\mshta.exe' AND NOT (Image == '*C:\Windows\System32*' OR Image == '*C:\Windows\SysWOW64*')) OR (Image == '*\mshta.exe' AND NOT ((CommandLine == '*.htm*' OR CommandLine == '*.hta*') AND (CommandLine == '*mshta.exe' OR CommandLine == '*mshta'))). Since and binds tighter than or, the parentheses around the second and third branches are not strictly needed, and the whole expression simplifies to selection_base and (selection1 or selection2 or not filter1 or not filter2). One thing to check before deploying a merge like this: the two fields inside filter2 are AND-ed, so filter2 only matches a command line that both contains '.htm' or '.hta' and ends in 'mshta.exe' or 'mshta'. A typical invocation such as mshta.exe C:\path\file.hta satisfies the first but not the second, so not filter2 is true for almost every event and the third branch alone makes the rule fire on nearly every mshta.exe execution. Dropping that branch leaves selection_base and (selection1 or selection2 or not filter1), which is the plain union of Examples 2 to 4.
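To see the operators of Examples 2 to 5 and the "1 of / all of" forms actually evaluate, here is a small Python evaluator added as an example; it is not the Sigma project's code nor code from the original page. It implements the matching described above (case-insensitive comparison, '*' and '?' wildcards in plain values, the contains and endswith modifiers, AND across the fields of a Search-Identifier, OR across list values) and a parser for and, or, not, parentheses and the 1 of / any of / all of quantifiers, then runs the Example-5 detection block over three constructed Sysmon-style events. The events, the MERGED_CONDITION variant and the helper names are assumptions for illustration, and Sigma features the page does not use (other modifiers, keyword lists, escaped wildcards) are left out.

```python
import re

# Tokens of a Sigma condition: parentheses, quantifiers, keywords, identifiers or name patterns.
TOKEN = re.compile(r"\(|\)|\b(?:1|any|all)\s+of\b|\b(?:and|or|not)\b|[\w*]+", re.IGNORECASE)

def wildcard_match(value, pattern):
    """Plain Sigma value: '*' matches any run, '?' one character, everything else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None

def field_matches(value, pattern, modifier):
    """Compare one event field with one rule value; Sigma matching is case-insensitive."""
    if value is None:                      # a field missing from the event never matches
        return False
    value, pattern = str(value).lower(), str(pattern).lower()
    if modifier == "contains":
        return pattern in value
    if modifier == "endswith":
        return value.endswith(pattern)
    return wildcard_match(value, pattern)  # no modifier: plain value with optional wildcards

def selection_matches(event, selection):
    """Search identifier map: fields are AND-ed, a list of values under one field is OR-ed."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        patterns = patterns if isinstance(patterns, list) else [patterns]
        if not any(field_matches(event.get(field), p, modifier) for p in patterns):
            return False
    return True

def evaluate_condition(condition, results):
    """Recursive descent over the condition: 'not' binds tightest, then 'and', then 'or'."""
    tokens, pos = TOKEN.findall(condition), 0
    def peek():
        return tokens[pos].lower() if pos < len(tokens) else None
    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]
    def chain(keyword, operand, combine):  # left-associative binary operator, both sides evaluated
        value = operand()
        while peek() == keyword:
            take()
            value = combine(value, operand())
        return value
    def parse_or():
        return chain("or", parse_and, lambda a, b: a or b)
    def parse_and():
        return chain("and", parse_not, lambda a, b: a and b)
    def parse_not():
        if peek() == "not":
            take()
            return not parse_not()
        return parse_atom()
    def parse_atom():
        tok = take()
        if tok == "(":
            value = parse_or()
            if take() != ")":
                raise ValueError("unbalanced parentheses in condition")
            return value
        quant = " ".join(tok.lower().split())  # "1 of" / "any of" / "all of"
        if quant in ("1 of", "any of", "all of"):
            pattern = take()                   # "them" or a name pattern such as selection*
            hits = [v for n, v in results.items() if pattern == "them" or wildcard_match(n, pattern)]
            return all(hits) if quant == "all of" else any(hits)
        return results[tok]                    # a plain search identifier
    value = parse_or()
    if pos != len(tokens):
        raise ValueError("unexpected trailing tokens: %r" % tokens[pos:])
    return value

def run_rule(detection, condition, event):
    """Evaluate each search identifier against one event, then the condition over those results."""
    results = {name: selection_matches(event, sel) for name, sel in detection.items()}
    return evaluate_condition(condition, results)

# The Example-5 detection block from the page, transcribed as Python dicts (raw strings for backslashes).
DETECTION = {
    "selection_base": {"Image|endswith": r"\mshta.exe"},
    "selection1": {"ParentImage|endswith": [r"\cmd.exe", r"\powershell.exe"]},
    "selection2": {"CommandLine|contains": [r"\AppData\Local", r"C:\Windows\Temp", r"C:\Users\Public"]},
    "filter1": {"Image|contains": [r"C:\Windows\System32", r"C:\Windows\SysWOW64"]},
    "filter2": {"CommandLine|contains": [".htm", ".hta"], "CommandLine|endswith": ["mshta.exe", "mshta"]},
}
PAGE_CONDITION = ("selection_base and (selection1 or selection2) "
                  "or (selection_base and not filter1) or (selection_base and not filter2)")
# Assumed alternative: the plain union of Examples 2-4, i.e. the page's condition without the filter2 branch.
MERGED_CONDITION = "selection_base and (selection1 or selection2 or not filter1)"

# Constructed Sysmon-style process-creation events for illustration (not real telemetry).
BENIGN = {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
          "CommandLine": r'"C:\Windows\System32\mshta.exe" C:\Users\alice\Documents\report.hta'}
SUSPICIOUS = {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
              "CommandLine": r"mshta.exe C:\Users\Public\update.hta"}
RELOCATED = {"Image": r"C:\Users\bob\AppData\Local\Temp\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
             "CommandLine": r"C:\Users\bob\AppData\Local\Temp\mshta.exe"}

if __name__ == "__main__":
    for name, event in [("benign", BENIGN), ("suspicious", SUSPICIOUS), ("relocated", RELOCATED)]:
        print(name, "page:", run_rule(DETECTION, PAGE_CONDITION, event),
              "merged:", run_rule(DETECTION, MERGED_CONDITION, event),
              "all of selection*:", run_rule(DETECTION, "all of selection*", event))
    # benign page: True merged: False all of selection*: False
```

The benign event (mshta.exe started from System32 by explorer.exe on a document in the user's Documents folder) matches the page's condition only through the not filter2 branch, and is rejected by MERGED_CONDITION; the suspicious event matches both, and also satisfies "all of selection*" because selection_base, selection1 and selection2 are all true for it. Swapping PAGE_CONDITION for "selection1 and selection2 or filter1" versus "selection1 and (selection2 or filter1)" on the benign event shows the and-over-or precedence from Example 4.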
