Frequent SIGMA Mistakes Series
Overview of Series
This is part 2 of a multi-part series that will cover frequent mistakes SOC Prime observes regularly in SIGMA. We will cover everything from common rule logic errors to common schema problems, and even some more obscure “gotchas” to think about. Some of these ideas will extend beyond SIGMA and into general detection engineering.
Problem #2: Environment-Dependent Terms
It is common for SIGMA authors to write detections based on what they observed in a malware sandbox. Sandbox environments contain terms that may not exist anywhere else. For instance, if the sandbox's user account is called “Admin”, it would be incorrect to write a rule that looks for execution from “C:\users\Admin\downloads”, because no other environment will have that path.
Regular expression to identify impacted rules via grep or a similar tool:
/[^\\]\\\*/g
Below are some examples to make the problem more clear:
Incorrect Example 1: User Profile
In this example, an analyst meant to match malware running from any user profile's appdata\roaming folder. However, the rule only matches in environments where the user is named “admin”.
title: Incorrect Non-Agnostic User Profile
description: This rule has been stripped down to minimal fields as an example.
detection:
    selection:
        Image|endswith: '\users\admin\appdata\roaming\malware.exe'
    condition: selection
Solution 1: Agnostic User Profile Path
The corrected version of this rule matches any user profile by relying on |endswith to match only the unique part at the end of the path.
title: Correct Matches on Any User Profile
description: This rule has been stripped down to minimal fields as an example.
detection:
    selection:
        Image|endswith: '\appdata\roaming\malware.exe'
    condition: selection
Incorrect Example 2: User SID
In this example, the rule hard-codes a SID belonging to the local administrator account of one specific host, so it will only work for a single user on a single machine.
title: Incorrect - SID Dependent Rule
description: This rule has been stripped down to minimal fields as an example.
detection:
    selection:
        TargetObject|contains: '\user\S-1-5-21-6841020553-7100022413-6101150552-500\Software\Microsoft\Windows\CurrentVersion\Run\'
    condition: selection
Solution 2: SID Agnostic
In this corrected version of the rule, we've used |endswith so that the rule matches regardless of the user's SID.
title: Correct - SID Agnostic
description: This rule has been stripped down to minimal fields as an example.
detection:
    selection:
        TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Run\'
    condition: selection
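The following is an added example written for this post; it is not SOC Prime's code nor part of the Sigma project. It serves both examples above: a small linter that flags hard-coded user profile names and account SIDs in a rule's selection values, plus a minimal evaluator for the |endswith, |startswith and |contains modifiers (case-insensitive, as Sigma string matching is) run against a few constructed Sysmon-like events. It assumes the stripped-down rule shape used in this post (one selection, condition "selection"); the event values and the regular expressions for profile names and SIDs are this example's own.

```python
"""Added example for this post (not SOC Prime's or the Sigma project's code).

find_environment_terms() lints a rule's selection values for hard-coded user
profile names and account SIDs; matches() evaluates a single-selection rule
against events to show the coverage difference between the incorrect and the
agnostic rule forms.
"""
import re

# Constructed sample events, not real telemetry.
EVENTS = [
    {"Image": r"C:\Users\admin\AppData\Roaming\malware.exe"},
    {"Image": r"C:\Users\j.smith\AppData\Roaming\malware.exe"},
    {"Image": r"C:\Program Files\Vendor\tool.exe"},
]

# A user profile directory that is neither a wildcard nor a well-known profile (assumed heuristic).
USER_PROFILE_RE = re.compile(r"\\users\\(?!public\\|default\\)([^\\*]+)\\", re.IGNORECASE)
# A domain or local account SID ending in a RID, e.g. S-1-5-21-x-y-z-500.
SID_RE = re.compile(r"S-1-5-21(?:-\d+){3}-\d+", re.IGNORECASE)


def _as_list(values):
    return values if isinstance(values, list) else [values]


def find_environment_terms(rule):
    """Return (field, kind, term) for every hard-coded user name or SID in the selection."""
    findings = []
    for field, values in rule["detection"]["selection"].items():
        for value in _as_list(values):
            findings += [(field, "user-profile", m.group(1)) for m in USER_PROFILE_RE.finditer(value)]
            findings += [(field, "sid", m.group(0)) for m in SID_RE.finditer(value)]
    return findings


def _match(modifier, event_value, pattern):
    ev, pat = event_value.lower(), pattern.lower()  # Sigma string matching is case-insensitive
    if modifier == "endswith":
        return ev.endswith(pat)
    if modifier == "startswith":
        return ev.startswith(pat)
    if modifier == "contains":
        return pat in ev
    return ev == pat  # no modifier: exact match


def matches(rule, event):
    """True if every field of the rule's single 'selection' matches the event (list values are OR)."""
    for spec, values in rule["detection"]["selection"].items():
        field, _, modifier = spec.partition("|")
        if field not in event:
            return False
        if not any(_match(modifier, event[field], v) for v in _as_list(values)):
            return False
    return True


def count_matches(rule, events):
    return sum(matches(rule, e) for e in events)


def rule(title, **selection):
    """Build the minimal rule shape used in this post: one selection, condition 'selection'."""
    return {"title": title, "detection": {"selection": selection, "condition": "selection"}}


INCORRECT_PROFILE = rule("Incorrect Non-Agnostic User Profile",
                         **{"Image|endswith": r"\users\admin\appdata\roaming\malware.exe"})
CORRECT_PROFILE = rule("Correct Matches on Any User Profile",
                       **{"Image|endswith": r"\appdata\roaming\malware.exe"})
INCORRECT_SID = rule("Incorrect - SID Dependent Rule", **{"TargetObject|contains":
    "\\user\\S-1-5-21-6841020553-7100022413-6101150552-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"})
CORRECT_SID = rule("Correct - SID Agnostic", **{"TargetObject|endswith":
    "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"})

if __name__ == "__main__":
    for r in (INCORRECT_PROFILE, CORRECT_PROFILE, INCORRECT_SID, CORRECT_SID):
        print(r["title"], "->", find_environment_terms(r) or "no environment-dependent terms")
    print("incorrect profile rule matches", count_matches(INCORRECT_PROFILE, EVENTS), "of", len(EVENTS))
    print("agnostic profile rule matches", count_matches(CORRECT_PROFILE, EVENTS), "of", len(EVENTS))
```

Run against the constructed events, the non-agnostic profile rule fires only for the "admin" user while the agnostic one fires for every profile, and the linter flags exactly the two incorrect rules. The profile regex deliberately skips a `*` wildcard segment so that a rule written as `\users\*\appdata\...` is not reported.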
Try Uncoder AI to engineer detections faster and smarter, apply SIGMA and MITRE ATT&CK autocompletion as your code assistants, and validate rules with built-in syntax and logic checks to avoid common mistakes in an automated fashion.