Sigma Rules List with Examples

Sigma Rules list pdf with examples check out all sigma rules list meme with ruleset name and also check common sigma rule mistakes with example

Sigma Rules List: Sigma is a standardised rule syntax which can be converted into many different SIEM supported syntax formats. The Recored Future Platform allows clients to access and download Sigma rules developed by Insikt Group for Use in their organisations.

The Sigma rules provided by the open source Sigma project and the custom rules developed by Recorded Future offer a powerful capability to detect and respond to credential harvesting using existing SIEM solution. When combined with properly configured host-based logging, using tools such as Sysmon, Sigma rules can elevate the ability of an orgnization to detect and respond to threats with increased accuracy and efficiency. Sigma Rules List is given below.

Sigma Rules List

Rule TitleRule AuthorRuleset NameID FilesUndetected Files
Autorun Keys ModificationVictor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin,, Tim SheltonSigma Integrated Rule Set (GitHub)View ID
Suspicious Run Key from DownloadFlorian RothSigma Integrated Rule Set (GitHub)View ID82527415330
Stop Windows ServiceJakob Weinzettl, oscd.communitySigma Integrated Rule Set (GitHub)View ID683139738789
Net.exe ExecutionMichael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / (improvements)Sigma Integrated Rule Set (GitHub)View ID645151535190
Milum malware detection (WildPressure APT)Ariel MillahuelSOC Prime Threat Detection MarketplaceView ID629196824
Non Interactive PowerShellRoberto Rodriguez @Cyb3rWard0g (rule), (improvements)Sigma Integrated Rule Set (GitHub)View ID3991193105250
Always Install Elevated Windows InstallerTeymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.communitySigma Integrated Rule Set (GitHub)View ID302532655602
File Created with System Process NameSander WiebingSigma Integrated Rule Set (GitHub)View ID228494413926
Windows Processes Suspicious Parent DirectoryvburovSigma Integrated Rule Set (GitHub)View ID185175292
Shade Ransomware (Sysmon detection)Ariel MillahuelSOC Prime Threat Detection MarketplaceView ID167384016
Suspicious desktop.ini ActionMaxime Thiebaut (@0xThiebaut)Sigma Integrated Rule Set (GitHub)View ID1397422161
System File Execution Location AnomalyFlorian Roth, Patrick Bareiss, Anton Kutepov, oscd.communitySigma Integrated Rule Set (GitHub)View ID1386967622
Nibiru detection (Registry event and CommandLine parameters)Ariel MillahuelSOC Prime Threat Detection MarketplaceView ID114766754640
File deletion via CMD (via cmdline)Ariel MillahuelSOC Prime Threat Detection MarketplaceView ID9238909083
Suspicious Svchost ProcessFlorian RothSigma Integrated Rule Set (GitHub)View ID845991133
Windows PowerShell Web RequestJames Pemberton / @4A616D6573Sigma Integrated Rule Set (GitHub)View ID805020104
Execution from Suspicious FolderFlorian RothSigma Integrated Rule Set (GitHub)View ID6439795419
Suspect Svchost ActivityDavid BurkettSigma Integrated Rule Set (GitHub)View ID56803187
Direct Autorun Keys ModificationVictor Sergeev, Daniil Yugoslavskiy, oscd.communitySigma Integrated Rule Set (GitHub)View ID549037130
CSRSS.exe spawned from unusual location (possible mimicking) (via cmdline)SOC Prime TeamSOC Prime Threat Detection MarketplaceView ID53171011
Swisyn Trojan (Sysmon detection)Ariel MillahuelSOC Prime Threat Detection MarketplaceView ID494316108
Suspicious Program Location with Network ConnectionsFlorian RothSigma Integrated Rule Set (GitHub)View ID4820765335
Scheduled Task CreationFlorian RothSigma Integrated Rule Set (GitHub)View ID431585473
Startup Folder File WriteRoberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)Sigma Integrated Rule Set (GitHub)View ID323029118
Executables Started in Suspicious FolderFlorian RothSigma Integrated Rule Set (GitHub)View ID3181562408
Suspicious Program Location Process StartsFlorian RothSigma Integrated Rule Set (GitHub)View ID3150712406
Execution File Type Other Than .exeMax AltgeltSigma Integrated Rule Set (GitHub)View ID3141993369
Possible Applocker Bypassjuju4Sigma Integrated Rule Set (GitHub)View ID264915225
Sigma Rules List

Common Sigma Rule Mistakes

There are some common sigma rule list mistakes which are given below with example

Not Knowing When Rules are Case Sensitive

Because strings in Sigma rules are case insensitive, except when they contain a regex pattern, defenders who are new to writing these rules might inadvertently introduce errors. An erroneous rule can turn out to be a wasted effort and a security miss as it may never be triggered when expected.

Improper Backslash Use

Another source of error comes from the improper use of the backslash when escaping strings, specifically using the wrong number of backslashes. This is particularly an issue in regular expressions.

The rule creation guide explains a solution to avoid this. Cases where only single backslashes are being used by themselves need not be escaped. For example, the string C:\Windows\System32\cmd.exe does not need to be escaped and the single backslash will be treated as a “plain” string value. In other words, defenders should not escape single backslashes by writing “C:\Windows\System32\cmd.exe.”

A working example of this is shown in a Sigma rule shared by Florian Roth himself. The rule alerts sysadmins on seeing instances of the “ping” command being provided a hex-encoded IP address, possibly to avoid detection. Notice, the use of wildcards (*) and the “\” not being escaped.

Logical Errors From Operator Misuse

When crafting selection criteria and condition that is required to trigger the rule, beware of how your expression is being evaluated. Crafting an expression with multiple expressions using the OR operator when your logic is meant to convey AND can trigger a plethora of false alerts. This can get especially difficult to master when combining multiple selection criteria (containing a list of items) with the condition field combining such criteria using AND/OR/NOT

Read : Pradhan Mantri Kaushal Vikas Yojana Courses List PDF 2022 | PMKVY Course Fee and Job Roles

9 thoughts on “Sigma Rules List with Examples”

  1. Girls are the only to give birth to those rocking and though boy
    But I don't think you are anything more than an asshole 🥱

  2. the biggest losers in this world is girls/ they can't live without boys/the can't do anything without boys/ i think they are just for enjoying of boys/reply if you are agree

Comments are closed.