Sigma Rules List: Sigma is a standardised, vendor-neutral rule format that can be converted into the query syntax of many SIEM products. The Recorded Future Platform allows clients to access and download Sigma rules developed by Insikt Group for use in their organisations.
The Sigma rules provided by the open source Sigma project and the custom rules developed by Recorded Future offer a powerful capability to detect and respond to credential harvesting using an existing SIEM solution. When combined with properly configured host-based logging, using tools such as Sysmon, Sigma rules can raise an organisation's ability to detect and respond to threats with increased accuracy and efficiency. The Sigma rules list is given below.
Sigma Rules List
Rule Title | Rule Author | Ruleset Name | Files | Undetected Files |
---|---|---|---|---|
Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton | Sigma Integrated Rule Set (GitHub) | 21401557 | 53952 |
Suspicious Run Key from Download | Florian Roth | Sigma Integrated Rule Set (GitHub) | 8252741 | 5330 |
Stop Windows Service | Jakob Weinzettl, oscd.community | Sigma Integrated Rule Set (GitHub) | 6831397 | 38789 |
Net.exe Execution | Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements) | Sigma Integrated Rule Set (GitHub) | 6451515 | 35190 |
Milum malware detection (WildPressure APT) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 6291968 | 24 |
Non Interactive PowerShell | Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Sigma Integrated Rule Set (GitHub) | 3991193 | 105250 |
Always Install Elevated Windows Installer | Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community | Sigma Integrated Rule Set (GitHub) | 3025326 | 55602 |
File Created with System Process Name | Sander Wiebing | Sigma Integrated Rule Set (GitHub) | 2284944 | 13926 |
Windows Processes Suspicious Parent Directory | vburov | Sigma Integrated Rule Set (GitHub) | 1851752 | 92 |
Shade Ransomware (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 1673840 | 16 |
Suspicious desktop.ini Action | Maxime Thiebaut (@0xThiebaut) | Sigma Integrated Rule Set (GitHub) | 1397422 | 161 |
System File Execution Location Anomaly | Florian Roth, Patrick Bareiss, Anton Kutepov, oscd.community | Sigma Integrated Rule Set (GitHub) | 1386967 | 622 |
Nibiru detection (Registry event and CommandLine parameters) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 1147667 | 54640 |
File deletion via CMD (via cmdline) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 923890 | 9083 |
Suspicious Svchost Process | Florian Roth | Sigma Integrated Rule Set (GitHub) | 845991 | 133 |
Windows PowerShell Web Request | James Pemberton / @4A616D6573 | Sigma Integrated Rule Set (GitHub) | 805020 | 104 |
Execution from Suspicious Folder | Florian Roth | Sigma Integrated Rule Set (GitHub) | 643979 | 5419 |
Suspect Svchost Activity | David Burkett | Sigma Integrated Rule Set (GitHub) | 568031 | 87 |
Direct Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 549037 | 130 |
CSRSS.exe spawned from unusual location (possible mimicking) (via cmdline) | SOC Prime Team | SOC Prime Threat Detection Marketplace | 531710 | 11 |
Swisyn Trojan (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 494316 | 108 |
Suspicious Program Location with Network Connections | Florian Roth | Sigma Integrated Rule Set (GitHub) | 482076 | 5335 |
Scheduled Task Creation | Florian Roth | Sigma Integrated Rule Set (GitHub) | 431585 | 473 |
Startup Folder File Write | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 323029 | 118 |
Executables Started in Suspicious Folder | Florian Roth | Sigma Integrated Rule Set (GitHub) | 318156 | 2408 |
Suspicious Program Location Process Starts | Florian Roth | Sigma Integrated Rule Set (GitHub) | 315071 | 2406 |
Execution File Type Other Than .exe | Max Altgelt | Sigma Integrated Rule Set (GitHub) | 314199 | 3369 |
Possible Applocker Bypass | juju4 | Sigma Integrated Rule Set (GitHub) | 264915 | 225 |
Common Sigma Rule Mistakes
Some common mistakes made when writing Sigma rules are described below, with examples.
Not Knowing When Rules are Case Sensitive
String values in Sigma rules are matched case-insensitively by default. The exception is a value written as a regular expression (the re modifier), which is case sensitive unless the expression itself says otherwise, for example with a (?i) flag. Defenders new to the format may not know which of the two applies and introduce errors without noticing: a regex for powershell.exe silently misses POWERSHELL.EXE. An erroneous rule is wasted effort and, worse, a security miss, because it may never trigger when expected.
Improper Backslash Use
Another source of error is improper use of the backslash when escaping strings, specifically using the wrong number of backslashes. This is particularly an issue in regular expressions.
The rule creation guide explains how to avoid this. A backslash only acts as an escape character in front of a wildcard (* or ?); single backslashes that stand on their own need not be escaped. For example, the string C:\Windows\System32\cmd.exe does not need to be escaped and each single backslash is treated as a “plain” character. In other words, defenders should not double the backslashes and write “C:\\Windows\\System32\\cmd.exe”. A value under the re modifier is the exception: there the backslash is a regex metacharacter, so a Windows path inside a regular expression does have to be written with doubled backslashes, for instance C:\\Windows\\System32\\cmd\.exe.
A working example of this is shown in a Sigma rule shared by Florian Roth himself. The rule alerts on the “ping” command being given a hex-encoded IP address (for example ping 0x7F000001 rather than ping 127.0.0.1), possibly to avoid detection. Notice the use of wildcards (*) and the “\” not being escaped.
Logical Errors From Operator Misuse
When crafting the selections and the condition that trigger a rule, be aware of how the expression is evaluated. Joining several selections with OR when the logic is meant to be AND can trigger a flood of false alerts: a rule intended to catch cmd.exe deleting files fires on every cmd.exe start if the image selection and the command-line selection are combined with OR. Remember that the values in a list under one field are combined with OR, that the fields within one selection are combined with AND, and that the condition field then combines the named selections with AND/OR/NOT. This gets especially difficult to master when the condition combines several selections that each contain a list of items.
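The three mistakes above (case sensitivity, backslash escaping, operator misuse) are easiest to see by running rules against events. The following is an added example written for this page, not code from the Sigma project or from Recorded Future: a deliberately small matcher that implements a simplified reading of the Sigma specification (plain values case-insensitive with * and ? wildcards, a backslash literal unless it escapes a wildcard, the re modifier a case-sensitive regular expression, list values OR-ed, fields within a selection AND-ed, the condition combining selections with and/or/not). All events are constructed, and the wording of the ping hex-IP rule is assumed rather than copied from the original.

```python
import re


def sigma_value_to_regex(value):
    """Plain Sigma value -> regex fragment.  * and ? are wildcards, a backslash
    escapes a following wildcard or backslash, any other backslash is literal."""
    out, i = [], 0
    while i < len(value):
        c = value[i]
        if c == "\\" and i + 1 < len(value) and value[i + 1] in "*?\\":
            out.append(re.escape(value[i + 1]))
            i += 2
        else:
            out.append({"*": ".*", "?": "."}.get(c, re.escape(c)))
            i += 1
    return "".join(out)


def field_matches(spec, pattern, event):
    """Evaluate one 'Field|modifier: value(s)' entry; a list of values is OR-ed."""
    field, _, modifier = spec.partition("|")
    actual = event.get(field)
    if actual is None:
        return False
    for v in pattern if isinstance(pattern, list) else [pattern]:
        if modifier == "re":
            if re.search(v, actual):  # case-sensitive, and \ is a regex metacharacter
                return True
        else:
            rx = sigma_value_to_regex(v)
            if modifier == "contains":
                rx = ".*" + rx + ".*"
            if re.fullmatch(rx, actual, re.IGNORECASE | re.DOTALL):
                return True
    return False


def eval_condition(condition, results):
    """Combine selection results with and/or/not and parentheses.  Every token
    is replaced by a boolean literal or an operator before eval() sees it."""
    expr = []
    for tok in re.findall(r"\(|\)|\w+", condition):
        expr.append(tok if tok in ("and", "or", "not", "(", ")") else str(results[tok]))
    return bool(eval(" ".join(expr), {"__builtins__": {}}, {}))


def evaluate(rule_dict, event):
    """Return 'match', 'no match' or 'error' (a |re value that does not compile)."""
    det = rule_dict["detection"]
    try:
        results = {name: all(field_matches(k, v, event) for k, v in sel.items())
                   for name, sel in det.items() if name != "condition"}
    except re.error:
        return "error"
    return "match" if eval_condition(det["condition"], results) else "no match"


def rule(condition="sel", **selections):
    """Shorthand for building the detection section of a rule."""
    return {"detection": dict(selections, condition=condition)}


# 1. Case: a plain value ignores case; the same text under |re does not (constructed event).
PS_EVENT = {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.EXE"}
PLAIN_PS = rule(sel={"Image": r"*\powershell.exe"})
REGEX_PS = rule(sel={"Image|re": r".*\\powershell\.exe$"})
REGEX_PS_I = rule(sel={"Image|re": r"(?i).*\\powershell\.exe$"})

# 2. Backslashes: literal in a plain value, a metacharacter under |re.
CMD_EVENT = {"Image": r"C:\Windows\System32\cmd.exe"}
PLAIN_CMD = rule(sel={"Image": r"C:\Windows\System32\cmd.exe"})          # no doubling needed
REGEX_CMD_BAD = rule(sel={"Image|re": r"C:\Windows\System32\cmd.exe"})   # \W \S \c: bad escape
REGEX_CMD_OK = rule(sel={"Image|re": r"C:\\Windows\\System32\\cmd\.exe"})
# Shape of the ping hex-IP rule mentioned above (exact wording assumed): wildcards plus a bare \.
PING_HEX = rule(sel={"CommandLine": [r"*\ping.exe 0x*", r"*\ping 0x*"]})
PING_EVENT = {"CommandLine": r"C:\Windows\System32\ping.exe 0x7F000001"}

# 3. Operators: 'or' where 'and' was meant fires on every cmd.exe start (constructed events).
BENIGN = {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r"cmd.exe /c dir C:\Users"}
DELETE = {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r"cmd.exe /c del /f /q C:\Backups\*.bak"}
TEMP_DELETE = {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r"cmd.exe /c del C:\Windows\Temp\x.tmp"}


def file_deletion_rule(condition):
    """Two selections and a filter; only the condition string changes between variants."""
    return rule(condition, sel_img={"Image": r"*\cmd.exe"},
                sel_cmd={"CommandLine|contains": ["del ", "rmdir "]},
                filter={"CommandLine|contains": r"\Windows\Temp"})


if __name__ == "__main__":
    for label, r, e in [("plain value vs upper-case image", PLAIN_PS, PS_EVENT),
                        ("regex vs upper-case image", REGEX_PS, PS_EVENT),
                        ("regex with single backslashes", REGEX_CMD_BAD, CMD_EVENT),
                        ("'or' condition on benign cmd.exe", file_deletion_rule("sel_img or sel_cmd"), BENIGN)]:
        print(f"{label:36} {evaluate(r, e)}")
```

Running the script shows the plain value matching the upper-case image while the regex does not, the single-backslash regex failing to compile at all, and the “or” variant of the file-deletion rule firing on a harmless dir command; switching the condition to “sel_img and sel_cmd and not filter” fires only on the delete event outside the filtered temp directory. The matcher is intentionally minimal (no startswith/endswith, no “1 of selection*” conditions) and is a teaching aid, not a replacement for a real Sigma backend.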
Based
Sigma rule 3… Stop windows service
Sigma rules are like boys, because they are rocking and tough. Not like loser girls.
Say that in front of a girl and she will show you who the real loser is.😒
Girls are the only ones who give birth to those rocking and tough boys
But I don't think you are anything more than an asshole 🥱
What are girls gonna do without boy's seed?
@Hhawra I don't think so
avoid girls and be a good boy
the biggest losers in this world are girls / they can't live without boys / they can't do anything without boys / I think they are just for the enjoyment of boys / reply if you agree