Understanding SIGMA Rule
Condition Operators
A condition expression uses logical operators to link the Search-Identifiers of a rule together. Let us look at each of these operators with an example:
Example: 1 - Logical "OR"
Let's look at a condition expression using the logical "OR":
Assume we have a rule with three Search-Identifiers (i.e., selection1, selection2, selection3) as part of the detection attribute.
The requirement is for this rule to trigger when at least one of the three Search-Identifiers matches (i.e., selection1 or selection2 or selection3). The condition can be written as:
The condition expression in the above example, "selection1 OR selection2 OR selection3", evaluates and matches to:
(EventID == 7045 AND ServiceName == 'PSEXESVC' AND ServiceFileName == '*\PSEXESVC.exe') OR (EventID == 7036 AND ServiceName == 'PSEXESVC') OR (EventID == 1 AND Image == '*\PSEXESVC.exe' AND User == 'NT AUTHORITY\SYSTEM')
Alternatively, the condition for the above can also be written as follows, using the "1/any of Search-Identifiers" operators SIGMA provides:

| Operators (1/any of Search-Identifiers) |
|---|
| 1 of selection* |
| 1 of them |
| any of selection* |
Example: 2 - Logical "AND"
Let's look at another example of a condition expression, this time using the logical "AND":
Consider a rule with two Search-Identifiers (i.e., selection1, selection2) as part of the detection attribute.
The rule should trigger only when both Search-Identifiers match (i.e., selection1 and selection2). The condition can be written as:
The condition expression in the above example, "selection1 AND selection2", evaluates and matches to:
Image == '*\mshta.exe' AND (ParentImage == '*\cmd.exe' or ParentImage == '*\powershell.exe')
Alternatively, the condition expression for the above can also be written as follows, using the "all of search-identifier" operators:

| Operators (all of search-identifier) |
|---|
| all of selection* |
| all of them |
Example: 3 - Negation with "NOT"
Let's look at another example of a condition expression, this time negation with "NOT":
Consider a rule with two Search-Identifiers (i.e., selection, filter) as part of the detection attribute.
The rule should trigger when the first Search-Identifier (i.e., selection) matches but the second (i.e., filter) does not. The negation condition can be written as:
The condition expression in the above example, "selection AND NOT filter", evaluates and matches to:
Image == '*\mshta.exe' AND NOT (Image == 'C:\Windows\System32' or Image == 'C:\Windows\SysWOW64')
Example: 4 - Logical "AND/OR"
Let's look at another example of a condition expression that combines the logical "AND" and "OR":
Consider a rule with three Search-Identifiers (i.e., selection1, selection2, selection3) as part of the detection attribute.
The rule should trigger when the first Search-Identifier (i.e., selection1) matches together with one of the other two (i.e., selection2 or selection3). The condition can be written as:
The condition expression in the above example, "selection1 AND (selection2 OR selection3)", evaluates and matches to:
Image == '*\mshta.exe' AND ((ParentImage == '*\cmd.exe' or ParentImage == '*\powershell.exe') OR (CommandLine == '*\AppData\Local*' or CommandLine == '*C:\Windows\Temp*' or CommandLine == '*C:\Users\Public*'))
Example: 5 - Complete Rule (All of Above)
In Examples 2 to 4 above, we have seen individual rules to detect suspicious 'mshta.exe' activity:
Example 2 - Suspicious 'mshta.exe' process executions via command-line tools
Example 3 - 'mshta.exe' process execution from untrusted locations
Example 4 - Suspicious 'mshta.exe' process executions
Now let's merge these examples into one new rule to detect suspicious 'mshta.exe' processes, using all the SIGMA operators discussed above.
The merged rule uses the Search-Identifiers selection_base, selection1, selection2, filter1 and filter2 as part of the detection attribute, as named in the condition below.
The condition expression in the above example, "selection_base and (selection1 or selection2) or (selection_base and not filter1) or (selection_base and not filter2)", evaluates and matches to:
(Image == '*\mshta.exe' AND ((ParentImage == '*\cmd.exe' or ParentImage == '*\powershell.exe') OR (CommandLine == '*\AppData\Local*' or CommandLine == '*C:\Windows\Temp*' or CommandLine == '*C:\Users\Public*'))) OR (Image == '*\mshta.exe' AND NOT (Image == 'C:\Windows\System32' or Image == 'C:\Windows\SysWOW64')) OR (Image == '*\mshta.exe' AND NOT ((CommandLine == '.htm' or CommandLine == '.htm') AND (CommandLine == 'mshta.exe' or CommandLine == 'mshta.exe')))
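To make the evaluation rules in Examples 1 to 5 concrete, here is an added example (not code from the original page or from the Sigma project) of a small Python evaluator for Sigma-style conditions. It implements the semantics described above: a Search-Identifier matches when every one of its fields matches, a list of values means "any of these", `*` is a wildcard, and the condition grammar supports `and`, `or`, `not`, parentheses and the `1 of` / `any of` / `all of` operators with a name pattern or `them`. The detection map and the sample events are constructed for this example; they mirror the page's merged mshta rule but use a directory wildcard (`C:\Windows\System32\*`) in the filter, which is an assumption about what the page's filter intends.

```python
"""Minimal evaluator for Sigma-style condition expressions (added example,
not code from the original page or the Sigma project)."""
import fnmatch
import re
from typing import Any, Dict, List, Optional

# Search-identifiers modelled on the page's merged rule (constructed values).
# A map matches when every field matches; a list means "any of these values".
RULE_DETECTION: Dict[str, Any] = {
    "selection_base": {"Image": "*\\mshta.exe"},
    "selection1": {"ParentImage": ["*\\cmd.exe", "*\\powershell.exe"]},
    "selection2": {"CommandLine": ["*\\AppData\\Local*", "*C:\\Windows\\Temp*",
                                   "*C:\\Users\\Public*"]},
    "filter1": {"Image": ["C:\\Windows\\System32\\*", "C:\\Windows\\SysWOW64\\*"]},
    "condition": "selection_base and (selection1 or selection2)"
                 " or (selection_base and not filter1)",
}

# Constructed sample events using the Sysmon field names seen on the page.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "mshta.exe C:\\Users\\Public\\run.hta"},       # selection1 and selection2 hit
    {"Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "mshta.exe C:\\Program Files\\App\\help.hta"},  # trusted path, no selection
    {"Image": "C:\\Users\\alice\\Downloads\\mshta.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "mshta.exe"},                                   # untrusted location
    {"Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "notepad.exe"},                                 # unrelated process
]


def value_matches(pattern: str, value: Any) -> bool:
    """Case-insensitive match of one field value against a Sigma wildcard pattern."""
    regex = re.escape(str(pattern)).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, str(value), re.IGNORECASE) is not None


def identifier_matches(search_identifier: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """A search-identifier matches when every listed field matches one of its values."""
    for field, patterns in search_identifier.items():
        candidates = patterns if isinstance(patterns, list) else [patterns]
        if field not in event or not any(value_matches(p, event[field]) for p in candidates):
            return False
    return True


class ConditionParser:
    """Recursive descent over the condition: or < and < not < atoms."""

    def __init__(self, condition: str, matched: Dict[str, bool]) -> None:
        self.tokens = re.findall(r"\(|\)|[^\s()]+", condition)
        self.pos = 0
        self.matched = matched  # identifier name -> did it match the current event

    def peek(self) -> Optional[str]:
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self) -> str:
        self.pos += 1
        return self.tokens[self.pos - 1]

    def parse_or(self) -> bool:
        value = self.parse_and()
        while (self.peek() or "").lower() == "or":
            self.take()
            rhs = self.parse_and()  # always consume the right side; no short-circuit parsing
            value = value or rhs
        return value

    def parse_and(self) -> bool:
        value = self.parse_not()
        while (self.peek() or "").lower() == "and":
            self.take()
            rhs = self.parse_not()
            value = value and rhs
        return value

    def parse_not(self) -> bool:
        if (self.peek() or "").lower() == "not":
            self.take()
            return not self.parse_not()
        return self.parse_atom()

    def parse_atom(self) -> bool:
        tok = self.take()
        if tok == "(":
            value = self.parse_or()
            if self.take() != ")":
                raise ValueError("unbalanced parentheses in condition")
            return value
        quantifier = tok.lower()
        if quantifier in ("1", "any", "all"):  # "1 of X", "any of X", "all of X"
            if self.take().lower() != "of":
                raise ValueError("expected 'of' after quantifier")
            pattern = self.take()
            names = (list(self.matched) if pattern.lower() == "them"
                     else [n for n in self.matched if fnmatch.fnmatchcase(n, pattern)])
            if not names:
                raise ValueError(f"no search-identifier matches {pattern!r}")
            hits = [self.matched[n] for n in names]
            return all(hits) if quantifier == "all" else any(hits)
        if tok not in self.matched:
            raise ValueError(f"unknown search-identifier {tok!r}")
        return self.matched[tok]


def evaluate_rule(detection: Dict[str, Any], event: Dict[str, Any],
                  condition: Optional[str] = None) -> bool:
    """Evaluate the detection's condition (or an override string) against one event."""
    matched = {name: identifier_matches(sid, event)
               for name, sid in detection.items() if name != "condition"}
    parser = ConditionParser(condition or detection["condition"], matched)
    result = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r}")
    return result


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(evaluate_rule(RULE_DETECTION, event), event["Image"])
```

Passing an override condition to `evaluate_rule` lets you compare the operator forms from the tables above on the same event: `1 of selection*` only considers the identifiers whose names start with `selection`, whereas `1 of them` also counts `filter1`, so an event that only matches the filter still satisfies `1 of them`. That difference is worth checking whenever a rule mixes selections and filters.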