BluSapphire
Search…
Introduction
Product Videos
Unified Cyber Defense Platform
The Stack
Features and capabilities
Operations
Architecture
Integration
Cisco pxGrid Integration
MITRE ATT&CK
MITRE ATT&CK Coverage by Tactic
MITRE ATT&CK Coverage by Technique
BluArmour Endpoint Protection
BluArmour For ICS / AirGapped Networks
BluArmour Pre-Deployment Checklist & Roll out Process
Deploy BluArmour via SCCM
BluGenie
SIGMA Rules
SIGMA Detection Attributes
Understanding SIGMA Rule
Creating SIGMA Rule
Use cases
Threat Intel Sources
Windows Logging Recommendations
Lateral Movement Logging Recommendations
Windows Advanced Auditing Recommendations
GPO for Service Account, WinRM and WMI
Log Forwarding - How To
Mirror / SPAN port configuration
Cloud Log Forwarding
Deploy Micro-Agent/Sysmon via GPO
Threat Hunt
Appendix A
Powered By GitBook
Understanding SIGMA Rule

Condition Operators

As condition expression use of logical operators to link and tie elements in search-identifiers together, let us look at each of these operators with an example:

Example: 1 - Logical "OR"

Lets look at condition expression using Logical "OR":
  • Assuming we have a rule with three Search-Identifiers (i.e., selection1, selection2, selection3) as part of detection attribute.
  • Requirement is to get this rule triggered upon matching at least one of the three Search-Identifiers (i.e., selection1 or selection2 or selection3), condition can be written as:
1
### Example-1 Condition with Logical "OR"
2
title: Suspicious ‘mshta.exe’ Process Executions via Command Line tools
3
detection:
4
selection1:
5
EventID: 7045
6
ServiceName: 'PSEXESVC'
7
ServiceFileName: '\PSEXESVC.exe'
8
selection2:
9
EventID: 7036
10
ServiceName: 'PSEXESVC'
11
selection3:
12
EventID: 1
13
Image: '*\PSEXESVC.exe'
14
User: 'NT AUTHORITY\SYSTEM'
15
Condition: selection1 OR selection2 OR selection3
Copied!
Condition expression in above example "selection1 OR selection2 OR selection3" evaluates and matches to (EventID == 7045 AND ServiceName == 'PSEXESVC' AND ServiceFileName == '\PSEXESVC.exe') OR (EventID == 7036 AND ServiceName == 'PSEXESVC') OR (EventID == 1 AND Image == '*\PSEXESVC.exe' AND User == 'NT AUTHORITY\SYSTEM')
Alternatively, condition for above can also be written as following using "1/any of Search-Identifiers" operators SIGMA provides:
Operators (1/any of Search-Identifiers)
1 of selection*
1 of them
any of selection*

Example: 2 - Logical "AND"

Lets look at another example for condition expression using Logical "AND":
  • Consider a rule with two Search-Identifiers (i.e., selection1, selection2) as part of detection attribute.
  • Rule should be triggered upon matching both the Search-Identifiers (i.e., selection1, selection2) only, condition can be written as:
1
### Example-2 Condition with Logical "AND”
2
title: Suspicious ‘mshta.exe’ Process Executions via Command Line tools
3
detection:
4
selection1:
5
Image: '*\mshta.exe'
6
selection2:
7
ParentImage:
8
- '*\cmd.exe'
9
- '*\powershell.exe'
10
condition: selection1 AND selection2
Copied!
Condition expression in above example "selection1 AND selection2" evaluates and matches to Image == '*\mshta.exe' AND (ParentImage == '*\cmd.exe' or ParentImage == '*\powershell.exe')
Alternatively, condition expression for above can also be written as following using“all of search-identifier" operators:
Operators (all of search-identifier)
all of selection*
all of them

Example: 3 - Negation with "NOT"

Lets look at another example for condition expression - Negation with "NOT":
  • Consider a rule with two Search-Identifiers (i.e., selection, filter) as part of Detection attribute.
  • Rule should be triggered upon matching first Search-Identifier (i.e., selection) but not the second Search-Identifier (i.e., filter), Negation condition can be written as:
1
### Example-3 Condition with Negation with "NOT"
2
title: ‘mshta.exe’ process execution from untrusted locations
3
detection:
4
selection:
5
Image|endswith: '\mshta.exe'
6
filter:
7
Image|contains:
8
- 'C:\Windows\System32'
9
- 'C:\Windows\SysWOW64'
10
condition: selection AND NOT filter
Copied!
Condition expression in above example "selection AND NOT filter" evaluates and matches to Image == '*\mshta.exe' AND NOT (Image == 'C:\Windows\System32' or Image == 'C:\Windows\SysWOW64')

Example: 4 - Logical "AND/OR"

Lets look at another example for condition expression in combination with both Logical "AND/OR":
  • Consider a rule with three Search-Identifiers (i.e., selection1, selection2, selection3) as part of detection attribute.
  • Rule should be triggered upon matching first Search-Identifiers (i.e., selection1) and one of the other two Search-Identifiers (i.e., selection2 or selection3) , condition can be written as:
1
### Example-4 Condition with Negation with "AND/OR"
2
title: Suspicious ‘mshta.exe’ Process Executions
3
detection:
4
selection1:
5
Image|endswith: '\mshta.exe'
6
selection2:
7
ParentImage|endswith:
8
- '\cmd.exe'
9
- '\powershell.exe'
10
selection3:
11
CommandLine|contains:
12
- '\AppData\Local'
13
- 'C:\Windows\Temp'
14
- 'C:\Users\Public'
15
condition: selection1 AND (selection2 OR selection3)
Copied!
Condition expression in above example "selection1 AND (selection2 OR selection3)" evaluates and matches to Image == '*\mshta.exe' AND ((ParentImage == '*\cmd.exe' or ParentImage == '*\powershell.exe') OR (CommandLine == '*\AppData\Local*' or CommandLine == '*C:\Windows\Temp*' or CommandLine == '*C:\Users\Public*'))

Example: 5 - Complete Rule (All of Above)

From examples: 2 to 4 in above tables, we have seen individual rules to detect suspicious ‘mshta.exe’ activity.
  • Example: 2 - Suspicious ‘mshta.exe’ Process Executions via Command Line tools
  • Example: 3 - 'mshta.exe’ Process Execution from untrusted locations
  • Example: 4 - Suspicious ‘mshta.exe’ Process Executions
Now let’s merge these examples to create one new rule to detect suspicious ‘mshta.exe’ processes, using all the SIGMA operators and things discussed, mentioned earlier.
Assuming we have a rule with two Search-Identifiers (i.e., selection1, selection2) as part of detection attribute.
1
### Example-4 Complete Rule (All of Above 2-4)
2
title: Suspicious Execution of ‘MSHTA.exe’ Process
3
detection:
4
# Binary
5
selection_base:
6
Image|endswith: '\mshta.exe'
7
# Suspicious parents
8
selection1:
9
ParentImage|endswith:
10
- '\cmd.exe'
11
- '\powershell.exe'
12
# Suspicious folders
13
selection2:
14
CommandLine|contains:
15
- '\AppData\Local'
16
- 'C:\Windows\Temp'
17
- 'C:\Users\Public'
18
# Suspicious Execution Locations
19
filter1:
20
Image|contains:
21
- 'C:\Windows\System32'
22
- 'C:\Windows\SysWOW64'
23
filter2:
24
CommandLine|contains:
25
- '.htm'
26
- '.hta'
27
CommandLine|endswith:
28
- 'mshta.exe'
29
- 'mshta'
30
condition: selection_base and (selection1 or selection2) or ( selection_base and not filter1) or ( selection_base and not filter2)
Copied!
Condition expression in above example selection_base and (selection1 or selection2) or ( selection_base and not filter1) or ( selection_base and not filter2) evaluates and matches to (Image == '\mshta.exe' AND ((ParentImage == '\cmd.exe' or ParentImage == '\powershell.exe') OR (CommandLine == '\AppData\Local' or CommandLine == 'C:\Windows\Temp' or CommandLine == 'C:\Users\Public'))) OR (Image == '\mshta.exe' AND NOT (Image == 'C:\Windows\System32' or Image == 'C:\Windows\SysWOW64')) OR (Image == '*\mshta.exe' AND NOT ((CommandLine == '.htm' or CommandLine == '.htm') AND (CommandLine == 'mshta.exe' or CommandLine == 'mshta.exe')))
Example-5 - Complete Rule
Previous
SIGMA Detection Attributes
Next
Creating SIGMA Rule
Last modified 4mo ago
Copy link
Contents
Condition Operators
Example: 1 - Logical "OR"
Example: 2 - Logical "AND"
Example: 3 - Negation with "NOT"
Example: 4 - Logical "AND/OR"
Example: 5 - Complete Rule (All of Above)