As discussed when introducing Sigma, Sigma rules revolutionize our approach to log analysis and threat detection. What we're dealing with here is a sort of Rosetta Stone for SIEM systems. Sigma is like a universal translator that brings in a level of abstraction to event logs, taking away the painful element of SIEM-specific query languages.
Example 1: Hunting for MiniDump Function Abuse to Dump LSASS's Memory (comsvcs.dll via rundll32)
A Sigma rule named proc_access_win_lsass_dump_comsvcs_dll.yml can be found inside the C:\Tools\chainsaw\sigma\rules\windows\process_access directory of the previous section's target.
This Sigma rule detects adversaries leveraging the MiniDump export function of comsvcs.dll via rundll32 to perform a memory dump from LSASS.
We can translate this rule into a Splunk search with sigmacas follows.
Open the "Search & Reporting" application, and submit the Splunk search sigmac provided us with.
The Splunk search provided by sigmac was indeed able to detect MiniDump function abuse to dump LSASS's memory.
Example 2: Hunting for Notepad Spawning Suspicious Child Process
A Sigma rule named proc_creation_win_notepad_susp_child.yml can be found inside the C:\Rules\sigma directory of the previous section's target.
This Sigma rule detects notepad.exe spawning a suspicious child process.
PS C:\Tools\sigma-0.21\tools> python sigmac -t splunk C:\Rules\sigma\proc_creation_win_notepad_susp_child.yml -c .\config\splunk-windows.yml
(ParentImage="*\\notepad.exe" (Image="*\\powershell.exe" OR Image="*\\pwsh.exe" OR Image="*\\cmd.exe" OR Image="*\\mshta.exe" OR Image="*\\cscript.exe" OR Image="*\\wscript.exe" OR Image="*\\taskkill.exe" OR Image="*\\regsvr32.exe" OR Image="*\\rundll32.exe" OR Image="*\\calc.exe"))
Open the "Search & Reporting" application, and submit the Splunk search sigmac provided us with.
The Splunk search provided by sigmac was indeed able to detect notepad.exe spawning suspicious processes (such as PowerShell).
((Image="*\\winword.exe" OR Image="*\\excel.exe" OR Image="*\\powerpnt.exe" OR Image="*\\msaccess.exe" OR Image="*\\mspub.exe" OR Image="*\\eqnedt32.exe" OR Image="*\\visio.exe" OR Image="*\\wordpad.exe" OR Image="*\\wordview.exe" OR Image="*\\certutil.exe" OR Image="*\\certoc.exe" OR Image="*\\CertReq.exe" OR Image="*\\Desktopimgdownldr.exe" OR Image="*\\esentutl.exe" OR Image="*\\finger.exe" OR Image="*\\notepad.exe" OR Image="*\\AcroRd32.exe" OR Image="*\\RdrCEF.exe" OR Image="*\\mshta.exe" OR Image="*\\hh.exe" OR Image="*\\sharphound.exe") (TargetFilename="*.zip" OR TargetFilename="*.rar" OR TargetFilename="*.7z" OR TargetFilename="*.diagcab" OR TargetFilename="*.appx"))