Frequent SIGMA Mistakes Series

September 28, 2023 · 3 min read

Part 2: Environment-Dependent Terms

Overview of Series

This is part 2 of a multi-part series covering mistakes SOC Prime frequently observes in SIGMA rules. We will cover everything from common rule logic errors to common schema problems, and even some more obscure “gotchas” to think about. Some of these ideas extend beyond SIGMA into general detection engineering.

Problem #2: Environment-Dependent Terms

It is common for SIGMA authors to write detections based on what they observe in malware sandbox environments. These environments contain terms that may not exist in any other environment. For instance, if the sandbox’s user account is called “Admin”, it would be incorrect to write a rule that looks for execution from “C:\users\Admin\downloads”: the rule would silently miss the same malware on any host where the user has a different name.

Regular Expression to Identify Impacted Rules via Grep or Similar Tool:

/[^\\]\\\*/g

Below are some examples to make the problem more clear:

Incorrect Example 1: User Profile

In this example, an analyst meant to match malware running from a user profile’s appdata\roaming folder. However, because the user name is part of the matched value, this will only match in environments where the user is named “admin”.

title: Incorrect Non-Agnostic User Profile
description: This rule has been stripped down to minimal fields as an example.
detection:
  selection:
    Image|endswith: '\users\admin\appdata\roaming\malware.exe'
  condition: selection

The Solution 1: Agnostic User Profile Path

The corrected version of this rule matches any user profile by relying on |endswith to match only the unique tail of the path, leaving the user-specific prefix out of the rule entirely.

title: Correct Matches on Any User Profile
description: This rule has been stripped down to minimal fields as an example.
detection:
  selection:
    Image|endswith: '\appdata\roaming\malware.exe'
  condition: selection

Incorrect Example 2: User SID

In this example, the rule hard-codes a SID belonging to the local administrator account of one specific host, so it will only ever match a single user on a single machine.

title: Incorrect - SID Dependent Rule
description: This rule has been stripped down to minimal fields as an example.
detection:
  selection:
    TargetObject|contains: '\user\S-1-5-21-6841020553-7100022413-6101150552-500\Software\Microsoft\Windows\CurrentVersion\Run\'
  condition: selection

The Solution 2: SID Agnostic

In this corrected version of the rule, we’ve used |endswith to allow the rule to match independent of a user’s SID.

title: Correct - SID Agnostic
description: This rule has been stripped down to minimal fields as an example.
detection:
  selection:
    TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Run\'
  condition: selection
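To show concretely why the first rule in each pair fails outside the sandbox, here is an added example (not code from the post or from SOC Prime) that evaluates the four selections above against constructed process-creation events and flags the environment-dependent terms a reviewer should catch. The minimal `matches` evaluator and the `ENV_DEPENDENT` patterns are assumptions made for this illustration, not part of any SIGMA tooling.

```python
import re

def matches(selection, event):
    """Minimal, case-insensitive evaluator for the |endswith, |contains and exact modifiers."""
    for key, value in selection.items():
        field, _, modifier = key.partition("|")
        actual = str(event.get(field, "")).lower()
        value = value.lower()
        if modifier == "endswith" and not actual.endswith(value):
            return False
        if modifier == "contains" and value not in actual:
            return False
        if modifier == "" and actual != value:
            return False
    return True

# Terms that only exist in one environment: a named user profile directory and a
# domain/machine-specific account SID (S-1-5-21-<three sub-authorities>-<RID>).
ENV_DEPENDENT = {
    "user profile": re.compile(r"\\users\\[^\\]+\\", re.IGNORECASE),
    "SID": re.compile(r"S-1-5-21-\d+-\d+-\d+-\d+", re.IGNORECASE),
}

def find_env_dependent_terms(selection):
    """Return (field, kind, term) for every selection value that will not generalise across hosts."""
    findings = []
    for key, value in selection.items():
        for kind, pattern in ENV_DEPENDENT.items():
            for m in pattern.finditer(value):
                findings.append((key, kind, m.group(0)))
    return findings

# The four selections from the post, as dicts (backslashes doubled for plain Python strings).
INCORRECT_PROFILE = {"Image|endswith": "\\users\\admin\\appdata\\roaming\\malware.exe"}
CORRECT_PROFILE = {"Image|endswith": "\\appdata\\roaming\\malware.exe"}
INCORRECT_SID = {"TargetObject|contains": "\\user\\S-1-5-21-6841020553-7100022413-6101150552-500"
                                          "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"}
CORRECT_SID = {"TargetObject|endswith": "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"}

# Constructed events: the same sample run by the sandbox user and by a real user.
SANDBOX_EVENT = {"Image": "C:\\Users\\admin\\AppData\\Roaming\\malware.exe"}
PRODUCTION_EVENT = {"Image": "C:\\Users\\jsmith\\AppData\\Roaming\\malware.exe"}

if __name__ == "__main__":
    for name, sel in (("incorrect", INCORRECT_PROFILE), ("correct", CORRECT_PROFILE)):
        hits = [matches(sel, e) for e in (SANDBOX_EVENT, PRODUCTION_EVENT)]
        print(f"{name} profile rule: sandbox={hits[0]} production={hits[1]}")
    for sel in (INCORRECT_PROFILE, INCORRECT_SID, CORRECT_PROFILE, CORRECT_SID):
        print(find_env_dependent_terms(sel) or "no environment-dependent terms")
```

The incorrect profile rule fires only on the sandbox event, while the corrected one fires on both; the linter reports the `\users\admin\` segment and the SID, and nothing for the agnostic rules.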

Try Uncoder AI to engineer detections faster and smarter, apply SIGMA and MITRE ATT&CK autocompletion as your code assistants, and validate rules with built-in syntax and logic checks to avoid common mistakes in an automated fashion. 
