2. § Florian Roth
§ Head of Research @ Nextron Systems
§ IT Sec since 2000, Nation State Cyber Attacks since 2012
§ THOR Scanner
§ Twitter @cyb3rops
§ Open Source Projects:
§ Sigma (Generic SIEM Rule Format)
§ LOKI (Open Source Scanner)
§ APT Groups and Operations Mapping
§ Antivirus Event Analysis Cheat Sheet
§ ...
About Me
3. § What is Sigma?
§ ATT&CK Integration in Sigma
§ Hall of Fame: The 5 most successful Sigma rules
§ Where’s the Sigma project going?
§ Cool new or upcoming related projects
Overview
4. What is Sigma?
Sigma is a generic rule format to express detection ideas in the form of rules that match on log data.
5. What is Sigma?
Sigma is for log data what YARA is for files and Snort is for network traffic.
6. § Simplicity and Usability
§ Users like it: Easy to read and write
§ Developers like it: Manageable specs and expressions
§ Immediate Benefit
§ Big rule base with more than 1000 rules
§ Integrated converter for 17+ backends (query generator)
§ Active community: you quickly get new rules for burning issues
§ No Product-Specific Focus
§ No overreaching vendor
§ No SIEM specific expressions
§ No vendor lock-in
Why Sigma?
§ Sigma rules contain ATT&CK techniques as tags
§ A matching rule points to one or more techniques
§ The tests check against attackcti.com to compare the tags in new rules with a list of all valid ones (live)
MITRE ATT&CK® Integration
9. § Very effective due to generic character
§ Low false positive rate
§ Detects serious threats
§ Detects very common threats
Key Selection Criteria for the Hall of Fame
Efficiency
Low False Positive Rate
Threat Severity
Prevalence
§ The new converter uses this module
§ Complete rewrite of the old converter
§ Support for the new Sigma correlation rules
§ New backends should be built with this module
§ All credits go to Thomas @blubbfiction
https://github.com/SigmaHQ/pySigma
pySigma
[Diagram: the old sigma repository (sigmac + rules) is split into pySigma (converter) and sigma (rules).]
§ Correlation rules provide an easy-to-use solution to complex detection ideas
§ Time-based, statistical or sequential correlations
§ Correlation rules refer to simple rules (different files)
§ The old converter will not support the new correlation rules (> new pySigma)
Draft (already partly outdated)
https://onedrive.live.com/view.aspx?resid=3454E59DF98D7D65!7485&ithint=file%2cdocx&authkey=!ADb97TgRX9Fr4xQ
Sigma Correlation Rules
[Diagram: two Sigma correlation rules in /correlation-rules refer to simple Sigma rules in /rules. The first fires on 5 matches of rule X followed by 1 match of rule Y; the second fires on 10 matches of rule Z within 5 minutes.]
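The two correlations sketched on this slide, as an added example of their semantics (my own illustration, not pySigma's implementation and not the correlation rule syntax of the draft spec): a count-within-window check and a sequence check run over constructed simple-rule hits. Rule ids X, Y, Z and the timestamps are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample input: (ISO timestamp, id of the simple Sigma rule that matched).
# Not real log data; in practice each tuple would be one hit of a simple rule.
EVENTS = [
    ("2021-11-01T10:00:00", "X"), ("2021-11-01T10:00:10", "X"),
    ("2021-11-01T10:00:20", "X"), ("2021-11-01T10:00:30", "X"),
    ("2021-11-01T10:00:40", "Y"),            # Y too early: only 4 X hits so far
    ("2021-11-01T10:00:50", "X"),
    ("2021-11-01T10:01:00", "Y"),            # now 5 X hits precede Y -> sequence fires here
] + [("2021-11-01T11:%02d:00" % m, "Z") for m in range(12)]   # 12 Z hits, 1 minute apart
BURST = [("2021-11-01T12:00:%02d" % (5 * i), "Z") for i in range(10)]  # 10 Z hits in 45 seconds


def _matches(events, rule):
    """Sorted timestamps of the events matched by one simple rule."""
    return sorted(datetime.fromisoformat(ts) for ts, r in events if r == rule)


def threshold_within(events, rule, count, window):
    """Time-based correlation: fire when `count` matches of `rule` fall inside any
    sliding window of length `window`. Returns the timestamp of the match that
    completes the window, or None if the threshold is never reached."""
    times = _matches(events, rule)
    left = 0
    for right, ts in enumerate(times):
        while ts - times[left] > window:     # drop hits that fell out of the window
            left += 1
        if right - left + 1 >= count:
            return ts
    return None


def sequence(events, first_rule, first_count, then_rule):
    """Sequential correlation: fire on the first match of `then_rule` that is
    preceded by at least `first_count` matches of `first_rule`."""
    seen = 0
    for ts, r in sorted((datetime.fromisoformat(t), r) for t, r in events):
        if r == first_rule:
            seen += 1
        elif r == then_rule and seen >= first_count:
            return ts
    return None


if __name__ == "__main__":
    print("10 x Z in 5 min:", threshold_within(EVENTS + BURST, "Z", 10, timedelta(minutes=5)))
    print("5 x X then Y:   ", sequence(EVENTS, "X", 5, "Y"))
```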
19. § Applies Sigma rules on EVTX files
§ Digital Forensics Incident Response (DFIR) Use Cases
§ Forensic investigations
§ Collect EVTX files from end points and scan them in the lab
§ Rust based – precompiled executables for Windows and Linux
§ GPL
https://labs.f-secure.com/tools/chainsaw/
F-Secure: Chainsaw
20. § Applies Sigma rules on EVTX files
§ Digital Forensics Incident Response (DFIR) Use Cases
§ Forensic investigations
§ Collect EVTX files from end points and scan them in the lab
§ Python-based
§ LGPL
https://github.com/wagga40/Zircolite
Zircolite by @waggabat
21. § Transforms IOCs into Queries
§ Online and free (limits apply)
§ Support for many different backends: Azure Sentinel, Elastic, Splunk, SentinelOne, Carbon Black, LogPoint, FireEye Helix, CrowdStrike … and more
https://cti.uncoder.io/
SOC Prime: Uncoder CTI
22. § Lightweight agent that applies Sigma rules on log data in real-time on endpoints
§ Free (Pro version has additional features)
§ Uses ETW
§ Supports the upcoming Sigma correlation rules
§ Extends the Sigma standard with response actions ⚡
§ Kill, KillParent, Suspend, Dump
§ Custom actions: e.g. copy %Image% %%ProgramData%%%ProcessID%.bin
§ Consider it your “custom Sigma-based HIPS”
Release: December 2021 🤞
Nextron: Aurora Agent
[Diagram: the agent is fed by Sigma rules, a Sigma config and an agent config; it consumes ETW, Eventlog channels and log files, and emits process response actions.]
23. Thanks to all contributors
Rules: @cyb3rops and frack113
Rule Converter: @blubbfiction Thomas Patzke
Twitter: @sigma_hq
Slack: siemexchange.slack.com (contact us for invites)
More information: https://github.com/SigmaHQ/sigma