
All right, good afternoon and welcome to BSides Las Vegas. This talk is "Sigma: One Rule to Find Them All" by Rain Baker. Before we kick things off, just a very quick announcement. We'd like to thank our sponsors, especially our diamond sponsors, Adobe and Aikido, and our gold sponsors, Profit and runZero. It's their support, along with other sponsors, donors, and volunteers, that makes this event possible. Also, just as a reminder, this talk is being recorded. So, as a courtesy to those watching the recording and those in the room, please remember to silence your cell phones. With that, I'll pass it off to Rain.

>> All right. Thanks. Thank you. Like I said, thanks everybody for hanging out. He said "Sigma: One Rule to Find Them All." Yeah, I'm a Lord of the Rings fan. No. All right. So, who am I? I'll start off with an introduction. Can you guys hear me okay with that? Yeah. All right. Cool. So, ed and work stuff. Essentially I started off in a totally different area, philosophy and political science, and kind of stumbled my way into cyber. When I did end up coming into cyber, I benefited from the SANS Academy. If any of you haven't heard of the SANS Academy, they have a wonderful program for people new to the field. If you're new to the field, look it up. It's got diversity and women's programs, and also one for veterans. It's amazing. They gave me the opportunity to have three SANS certifications, and you guys know what that means, because that's a lot of money. Then I spent some time at different agencies and departments in the state of Florida. Then I ended up getting picked up by Raytheon, when Raytheon was Raytheon, before they got together with United, and then they decided to sell us to venture capitalists. So now I work for Nightwing. And no, Dick Grayson is not the CEO, in case any of you guys are wondering. What I do there now is threat analysis, threat intelligence, and detection engineering. We kind of run things as an agile sprint. We've taken the Sigma rules and we essentially put them out on a weekly sprint, have the hunters go through and use them, vet them in the different environments with the different tools, make sure they're working, and then we can tell if we want to put them into production or just use them as leads for further threat hunting. So now I'll get to the good stuff. How many of you have heard of Sigma before? Obviously, before this talk. All right. So maybe some of you guys might know more about Sigma than even I do.
This is going to be a high-level thing. I'm just going to go over some general things about Sigma and a little bit of the history of it. So what is Sigma? Sigma was a concept of Florian Roth and Thomas Patzke, and what they were trying to do was establish something that would be able to work across multiple different platforms. So Sigma's big thing is that it's platform agnostic, and they wrote it in YAML, which is essentially a human-readable, easy language, which makes it easy to work with. Sigmas are kind of to logs what YARA is to files. So if you're familiar with using YARA, Sigma does pretty much the same thing, but with your log files. That's a little background on Sigma, and then you can see here: you take the Sigma format and you can translate it using pySigma, which is the backend they use in order to sustain these different tool backends, and it will pump out a query for whichever one of those tools you want to use it for. Again, that can be used for threat hunting, or it can eventually be put in as permanent detections into your SIEM or your EDR or whatever other platform you want to implement it in.
So, here's a full version of a Sigma rule. Now, Sigma has a lot of different fields that aren't necessary. They're considered optional, but they're very helpful in order to track your rules, as well as to provide additional information that's helpful when you share those rules with the community. So it's not necessary to have all these fields; they're considered metadata, but I highly recommend that you familiarize yourselves with all of them if you're going to start making your Sigmas, because they're helpful. The MITRE ATT&CK tags, for example, can then be linked in for other things. All right, so at a high level of a Sigma rule, as I was saying, the required fields are as follows. Title: title's arbitrary. You could name it whatever the heck you want. Purple Smurf, doesn't matter. But I mean, I would name it something that makes sense, because, you know. Then you need your logsource, and your logsource is going to be what you're searching against. So it's going to be comprised of three attributes, and I'll get into that a little bit more later. I cut this off, because then there's detection. So for detection logic, what we're looking for is the search identifiers. That's going to be what you are actually trying to detect. And then your condition, which is going to be where you apply your logic to the Sigma rule. Some people consider that the most complicated part of the Sigma.

All right. Logsource. Your logsource is going to be comprised of a category, a product, and a service. For here I'm using the example of process_creation. Process creation is Event ID 1 for Sysmon. Then I'm using the product of windows and I'm using the service of security. So what this is going to be looking for is in your Windows Security event logs. Then you have your detection, and in your detection you're going to have those things that you're actually searching against. So you have your fields: you have a selection, and then you have the field for which you are selecting. You have two different types of detection formats. You have one that's a list, which links things with a logical OR. So you can have the field name, then a value, or another value, and then you have your selection. Or you have a map, which is also known as a dictionary or an associative array or an object; it's all a fancy way of saying the same thing. This one links two different fields with a logical AND. So you'd be saying, I'm looking for this selection, whatever this field is, and this other field. You can also put various values that you're looking for underneath those fields, and we'll get into that a little bit. And then you choose your selection.

You can also have modifiers. I think Sigma has 16 modifiers at this point. They've added some on as they've gone along, improving and adding different functionalities. Again, this is a high level for Sigma. Sigma can do so much more than what I'm going to tell you guys tonight. But they do have the modifiers. The modifiers allow you to apply additional logic. So in this case you'd be saying you've got selection one with CommandLine and you have a contains, which will create a wildcard, and then all, and then in the second selection you've got a contains. So what you would read here logically is: you're looking for selection one, both cmd.exe and PowerShell, and one of selection two. So the command line has either -ec, -EncodedCommand, FromBase64String, etc. Then you write selection_cmd and selection_cmd2. The other thing is those selection names are completely arbitrary. You can name the selection anything you want. I name it "selection" to kind of keep track of it in my own mind, but really you could name it anything. The condition is where you're going to be applying that logic. This is essentially just putting in the Boolean logic, as it's applied in the same language as log queries. So you're using the not, and, or, and it helps because what you can do here as well is provide a filter. Say you're testing a Sigma in your environment and it comes back with a ton of hits and you realize, well, no, this is way too noisy. So what you do is you filter it out. You add a selection into your Sigma rule that says don't look for any of this, and then in your condition you put a statement that says not this. So pretty straightforward. That's the great thing about Sigma.

All right. So now we get to put that into a Sigma rule. I use VS Code as an editor because it has this extension for Sigma. I actually watched a talk about extensions today that makes me a little afraid to recommend this at this point. So, use at your own risk, but I thought it was really cool. It has these little code snippets. It works great, but I haven't tested to see how safe it is. That being said, we've done some research and some backwards reverse engineering on samples that we found in our customer environments. We also blew up some stuff in our sandboxes and obtained these different things. What these things are is essentially strings that I then used in order to develop Sigmas, because the best way, I think, to implement Sigma is to look at your environment and what's actually out there and what you're seeing, and then try to formulate rules to detect that. So we went ahead and took these, and I consider it kind of like making a recipe, putting all the little bits and pieces into a pot, making a stew. My goal is to be able to detect the bad: PowerShell doing things that it shouldn't be. These are pretty simple. I only included those fields which are absolutely required to make the Sigma: the title, the logsource, the detection, and the condition. In this one, all I'm doing is taking some of those key strings out of the command line that was observed and then putting them into the detection. So here you can read the detection as: selection_powershell, CommandLine contains powershell; and selection_downloader, CommandLine contains one of these things. Then in my condition I state I want the selection of powershell and I want the selection of downloader. Pretty straightforward. The full Sigma would have all the metadata, all of the MITRE tactics and techniques that are associated with this, so it would look a little bit different, but this is the basics of what you need in order to make it work.

Same thing over here. We looked at some of the strings. This isn't the only way to do encoded PowerShell; there are a whole heck of a lot of different ways, but this is just one way. Again, the logic is you're going with the selection ps_hidden_window_encoded_command. The parent image was explorer, so it's probably user initiated. And then CommandLine contains|all; that contains|all turns it into an AND, and so you have the PowerShell with the hidden window encoded command. Pretty straightforward there. And the last one. I'm sure you guys have heard of ClickFix. It's been a pretty hot thing the last year, and this was from one of the samples that we found in our environment. We went ahead and created a Sigma rule for it, or I did a Sigma rule for it. What's interesting is you wouldn't think that it would have caught this, but it did. When the user gets prompted and they see that "I am not a robot" kind of thing on the screen, it actually prints to the command line. So I went ahead and created a Sigma for that, and it's just CommandLine contains mshta, and then CommandLine contains one of these things, and boom, we caught a whole bunch of examples of that.

And this right here is sigconverter.io. For those of you who were here previously, you might have seen a quick glimpse of this. This is SigmaHQ's web UI for translating Sigma rules. It's really nifty. You can also download a Docker image, which allows you to install it locally and run it locally. It's really neat. I have a little video because I don't trust the demo gods enough to do a live one. Essentially, the different fields here: you have this big field, which is where you put the Sigma rule, and then you have the query over to your right, and that's what's translated based on the target. The target is the backend, and it's running through what's called pySigma. Over there where you see CLI is the Sigma CLI. You can add the pipeline, which is going to tell it what other translations and what other changes you want to make in order to create the query. Oh, wait. Sorry guys. It went a little bit too fast for me. So, see why I don't trust the demo gods. All right. Over there, as you see, I'm changing the queries to the different targets. What I wanted you guys to actually see is that over here you can select whichever language you want, whichever SIEM you want. There's LogScale for CrowdStrike, there's NetWitness, there's a whole bunch of different ones, and you can look at the CLI over there, and that essentially tells you, more or less, what's going on in the command line. You can run this from the command line as well. This is just neat because it's a GUI and it's easy to use, so I like it. They did a great job.

All right, so the next one is: where do I start? Some of you guys may be wondering, all right, I want to do Sigma, I want to implement it in my environment, what exactly do I do to implement Sigma in my environment?
Well, you would probably want to look and start with your environments, take samples from that, and start developing your Sigma rules. You will have to set up pySigma; download it. SigmaHQ has all of that very well documented. At the end of this I will give you guys a bunch of resources so that you can look at it and it can help you to implement it if you want. Another thing you can use for Sigmas is CTI: going out and finding whatever's bad, like SharePoint. You guys remember the SharePoint thing that just happened? Well, we went ahead and tried to detect it. We tried to write some Sigmas right off the bat, right when we saw the first post to X, and even before, because there's a cycle of when the information comes out. So you could do that too with your Sigmas: try to get ahead of it, so that you write your Sigma rule and you start scanning your environment as soon as you can. So that's another one. And then sometimes customers will request it. They'll ask for a hunt, or they'll say, "Hey, I'm looking for this particular threat. Can you help me find that threat?" And these are the references. Like I said, there's a ton of stuff on SigmaHQ. They have a repo of community-based rules that are available for free. They also have documentation. Various people have written blogs that are really good at helping you. Again, there's a lot to Sigma. This is kind of a high-level introduction. I wanted to get people literate on what a Sigma rule was, for those of you who had never heard of it before, but it seems like everybody here had heard of Sigma. Hopefully some of you signed up for the talk tomorrow, which is going to be more involved. And if you didn't sign up ahead of time, sorry that I'm telling you that. But yeah, there's a training on it that we're going to do tomorrow that includes this and a more in-depth, hands-on how to do Sigma. And that's pretty much what I've got. Thanks everybody. [applause]
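Editor's added example, not code from the talk, SigmaHQ or pySigma: the rule structure and matching semantics described in the talk above (a map ANDs its fields, a list of values ORs them, contains|all turns that OR into an AND, and a "not filter_x" term in the condition tunes out noise) implemented as a small Python evaluator and run over constructed Sysmon-style process-creation events. The rule, the events, the benign AcmeAgent.exe parent that the filter excludes, and the FIELD_MAP dictionary (Image to process_path and so on) are all constructed for illustration. The query renderer emits a generic field="value" syntax rather than any specific SIEM's, to show the step the talk warns about: a generically converted rule carries Sigma's Sysmon field names, so without a pipeline mapping them to the target's names the query matches nothing.

```python
# Editor's constructed example; not code from the talk, SigmaHQ or pySigma.
import fnmatch
import re
RULE = {  # constructed rule, as the dict yaml.safe_load() would return for the YAML form
    "title": "PowerShell Encoded Command (constructed example)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection_ps": {"Image|endswith": ["\\powershell.exe", "\\pwsh.exe"]},
        "selection_enc": {"CommandLine|contains": [" -ec ", " -enc ", "-EncodedCommand", "FromBase64String"]},
        "selection_hidden": {"ParentImage|endswith": "\\explorer.exe", "CommandLine|contains|all": ["-w hidden", "-enc"]},
        "filter_agent": {"ParentImage|endswith": "\\AcmeAgent.exe"},  # hypothetical benign parent, tuned out via 'not'
        "condition": "selection_ps and (selection_enc or selection_hidden) and not filter_agent",
    },
}

def match_value(value, pattern, mods):
    """One value against one field; Sigma matching is case-insensitive by default."""
    v, p = str(value).lower(), str(pattern).lower()
    if "contains" in mods:
        return p in v
    if "endswith" in mods:
        return v.endswith(p)
    return fnmatch.fnmatchcase(v, p)  # plain values may carry * and ? wildcards

def match_selection(selection, event):
    """Map: every field must match (AND). Value list: any may match (OR) unless |all."""
    for key, patterns in selection.items():
        field, *mods = key.split("|")
        if field not in event: return False
        pats = patterns if isinstance(patterns, list) else [patterns]
        hits = [match_value(event[field], p, mods) for p in pats]
        if not (all(hits) if "all" in mods else any(hits)): return False
    return True

def eval_condition(condition, results):
    """and/or/not, parentheses, '1 of x*', 'all of x*' and 'all of them' over selection results."""
    toks = re.findall(r"\(|\)|[\w*]+", condition)
    take = lambda: toks.pop(0)
    peek = lambda: toks[0] if toks else None
    def expr():  # expr := term ('or' term)*
        val = term()
        while peek() == "or":
            take(); rhs = term(); val = val or rhs
        return val
    def term():  # term := factor ('and' factor)*
        val = factor()
        while peek() == "and":
            take(); rhs = factor(); val = val and rhs
        return val
    def factor():  # factor := 'not' factor | '(' expr ')' | ('1'|'all') 'of' glob | NAME
        tok = take()
        if tok == "not":
            return not factor()
        if tok == "(":
            val = expr(); assert take() == ")"; return val
        if tok in ("1", "all") and peek() == "of":
            take(); glob = take()
            picked = [results[n] for n in results if glob == "them" or fnmatch.fnmatchcase(n, glob)]
            return all(picked) if tok == "all" else any(picked)
        return results[tok]
    val = expr()
    assert not toks, "trailing tokens in condition"
    return val

def apply_rule(rule, event):
    det = rule["detection"]
    results = {n: match_selection(s, event) for n, s in det.items() if n != "condition"}
    return eval_condition(det["condition"], results)
# Hypothetical pipeline: Sigma's Sysmon field names -> the names one SIEM happens to use.
FIELD_MAP = {"Image": "process_path", "CommandLine": "process", "ParentImage": "parent_process_path"}
def render_query(rule, field_map):
    """Generic field="value" search for the rule (illustrative syntax, not any real backend's)."""
    det = rule["detection"]
    query = re.sub(r"\b(and|or|not)\b", lambda m: m.group(1).upper(), det["condition"])
    for name, sel in det.items():
        if name == "condition": continue
        parts = []
        for key, patterns in sel.items():
            field, *mods = key.split("|")
            wrap = "*{}*" if "contains" in mods else "*{}" if "endswith" in mods else "{}"
            terms = [f'{field_map.get(field, field)}="{wrap.format(p)}"'
                     for p in (patterns if isinstance(patterns, list) else [patterns])]
            parts.append("(" + (" AND " if "all" in mods else " OR ").join(terms) + ")")
        frag = parts[0] if len(parts) == 1 else "(" + " AND ".join(parts) + ")"
        query = re.sub(rf"\b{re.escape(name)}\b", lambda m, f=frag: f, query)  # name -> fragment
    return query

EVENTS = [  # constructed Sysmon Event ID 1 style records, not real telemetry
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},  # user-launched, hidden + encoded
    {"Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "pwsh -NoProfile -EncodedCommand ZQBjAGgAbwAgAGgAaQA="},  # encoded, not hidden: selection_enc only
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Program Files\\Acme\\AcmeAgent.exe",
     "CommandLine": "powershell.exe -w hidden -enc dwBoAG8AYQBtAGkA"},  # same pattern, but from the tuned-out parent
    {"Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "cmd.exe /c dir"},
]

def run_rule(rule, events):
    return [apply_rule(rule, e) for e in events]  # for EVENTS above: [True, True, False, False]
```

Running run_rule(RULE, EVENTS) flags the first two events and not the third, which matches the same hidden-window pattern but comes from the parent the filter excludes; that is the vetting loop the talk describes (rule too noisy, add a filter selection, reference it with "not" in the condition). render_query(RULE, FIELD_MAP) shows the other half of the talk's Splunk caveat: swap FIELD_MAP for an identity mapping and the emitted query still carries Image and CommandLine, which is why a generically translated rule can return nothing in an environment whose fields are named differently.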
Any questions?

>> How do you do all these rules? How do you organize what you already kind of have?

>> So I track it locally on my VDI; I have my own stuff. But we use Jira, and in Jira what we do is we have all the rules, and so all those rules are being tracked in there. It contains the logic as well as some other stuff that we've incorporated into it. When it finishes the sprint, it gets pushed to a repo, to another area where it gets stored. So that's kind of how we track it. Does that answer the question?

>> Yes.

>> All right.

>> When you were talking about getting started, have you investigated at all taking existing corpuses of rule sets and migrating them into Sigma, not just Sigma output into various formats?

>> Taking the existing community Sigma rules, or no?

>> No, sorry, like if you have an existing corpus of detection logic and...

>> Oh, and try to backwards engineer it into Sigma rules? You can do that. I think Uncoder.io, or one of them, was able to do that as well, where you could take it. I do that sometimes too. Like, with the SharePoint thing, Microsoft came out with some detections in Kusto Query Language and I backwards engineered them into Sigmas. So yeah. Any other questions? What's up?

>> [inaudible] cases where Sigma will work?

>> Yes. That's one of the reasons why I'm hesitant to say AI is ready for Sigma, because honestly there are some environmental factors that are required. For example, you might get a Sigma rule that works generically, but when you go to apply it in a particular environment, like Splunk, for example: if you guys have worked with Splunk, you know that with field names you can have a billion different field names for the same damn thing. So you would need to implement a custom pipeline, and you would have to be able to then translate an additional step to that rule to get it to work. So yeah, there's a lot. So thanks. Any other? I don't know if I have time for another one or... good.

>> All right. Did I talk a lot faster than I thought? I'm super nervous. So if you guys have questions, I can embellish on some of the steps if you'd like. Or, if you guys have questions: have any of you written your own Sigmas? Anybody here written Sigmas? Yeah. Have you implemented them in your environment?

>> Mixed results.

>> Mixed results. Fair enough. Yeah. So what we've done is we've implemented it with our hunters and stuff to try to help the vetting process, you know. But yeah. Oh,

>> So you mentioned that some of them, on translation, do fail sometimes, or you have issues with it. Is there a particular technology you've seen that, when you're trying to translate to it, struggles more than others, like Splunk versus CrowdStrike versus Microsoft or anything like that?

>> So the big ones that we normally translate to are Splunk, CrowdStrike, Carbon Black, Carbon Black Cloud. I'd say the one that is the most finicky... well, now that they have a backend for LogScale, not as much. Splunk is where you're going to find the biggest challenges with particular environments because, like I said, the field translation. Oftentimes what happens in Splunk is, if you use the rule as it is generically translated, you may not find what you're looking for without applying those custom pipelines in order to translate the rule.

>> I'm really new to what Sigma is, so I was just wondering where exactly in the pipeline it is sitting. Is it to, I guess, filter logs for your analysts, or is it generating alerts that they're going to look at? How exactly does that kind of work?

>> So the alert generation would come into play if you implement it as a detection. The way you would implement it as a detection is you take your Sigma rule logic, you run it through, and you get a query, and then you take that query and you would implement that query as your detection logic, depending on what tool you're using, SIEM or EDR. It would be in that language, and it would then alert, and then it would create... does that make sense? So, kind of, I mean, that's one of the reasons why I was trying to show this, because it does get a little confusing as to how the Sigma rule goes through the pipeline and how it comes out as a query and all that. But in most SIEMs or in most EDRs you have the option to add queries as logic in order to create a detection, and so that's where you would get the Sigma rule to give you that output. I'm telling you, this is why I don't... Awesome. Oh,

>> So thank you for your presentation. We have several techniques and [inaudible] techniques. How do you prioritize your Sigma rules, and how can you handle all the threats we have in the world and in cyber? How do you prioritize the rules to make and to build?

>> Okay. So prioritize which rules I create, or prioritize how the rules are implemented, or...?

>> The rules you choose and create and implement. How can you choose? And I know they have a lot of techniques and malwares. How can you prioritize? Today I will create a new Sigma on that technique, and...

>> Okay. Well, it's kind of like the slide on where do I start. A lot of the sources that I have are from the environments that we protect. And so I have sources that my malware engineer does research on, that I do research on. And then there are also active threats. The SharePoint thing is a good example: something that pops up that's like, okay, we should probably get on this as quickly as possible and try to get something out to all the environments where they can scan for this. And then there's just the common bread and butter, like PowerShell, or stuff like mshta with the ClickFix and stuff like that. It's things that you're going to see over and over and over again, just different slight variations of the same attack. So yeah, that's how I kind of look at it. What's the risk? Are we more likely to see it, or is it imminent, you know, SharePoint damnation for everybody? [laughter]

>> Anyone else?

>> Thank you. You might have covered this, but just so I'm clear, is Sigma kind of like an interface to other EDRs and SIEMs, or is there something that ingests Sigma natively?

>> So Sigma is separate from all of those things. SigmaHQ has their repo on GitHub and they maintain a repository of Sigma rules, but Sigma in and of itself is a standard. It's more of a format. It doesn't belong to anyone. It's completely platform agnostic. But there are different... for example, Splunk has a plugin that you can use with Recorded Future. I'm not plugging them, by the way. But you know what I mean? So you can actually look up Sigma rules and stuff like that and use them quasi-natively through that app in Splunk. Does that make sense?

>> No, it does. So I guess my question would be, do you feel like in the future there's going to be some tool that's going to use Sigma natively to do detections, as opposed to being like an interface between what you're using and then it's translated?

>> So, Florian has an EDR called Aurora Lite that uses Sigma as an EDR, where Sigma is its input. So I guess yes, there is a native one. I'm sorry. It's for specific environments. It's allowed to run, necessarily, contained, and if you wanted to download it, there's a free version. The only thing with the free version is that you're limited. You can't manage it centrally; you have to manage it locally on the host, and you're limited to like five correlation rules and stuff like that. But it's really cool. I definitely recommend it, and it does ingest Sigmas straight off the bat, in a, I guess, native way. But when I think of native, I think, well, all of them kind of have a native way, because you're just inputting the query, but you still have to translate it. But the actual rule... Aurora Lite or Aurora...

>> EDR. Yeah.

>> Thank you. Appreciate it.

>> And that's Florian Roth's point.

>> All right, I think that's all we have time for. One more round of applause. Thank you.

>> Thank you everybody.

>> We got a request for hot tamales.

>> Tamales for me.

>> There was... I believe you rang, right?

>> Yes.

>> Yes, I did.

>> So your speaker did ask for a request for hot tamales. Well, it was actually spelled "Tom Lollies."

>> So I've redone the box.

>> Doesn't spell well either.

>> So it says "hot Tom Lollies." So there you go. Thank you so much.