Sigma Rules

Last modified: 2023-01-14

Malware

Sigma is an open, vendor-neutral signature format for describing log-based detections. A rule is written in YAML and is not run directly: converters such as sigma-cli (built on pySigma) translate it into the query language of a specific SIEM or log backend (Splunk, Elastic, Microsoft Sentinel and others), so one rule can be shared across tooling.

Example

"example.yml"

title: Example Threats
id: 0506a799-698b-43b4-85a1-ac4c84c720e9
status: experimental
description: This is an example rule.
author: John
date: 2023/01/14
# modified: 2023/01/14   # add this key when the rule is changed; leave it out until then
references:
    - https://example.com/example-threats
logsource:
    product: windows
    service: sysmon         # alternatively category: process_creation, which the converter maps to Sysmon EventID 1
detection:
    selection:              # every field inside a selection must match (AND)
        EventID: 1
        ParentImage|endswith:
            - '\chrome.exe'   # leading backslash so 'notchrome.exe' does not match
        Image|endswith:
            - '\mshta.exe'
        CommandLine|contains:   # a list of values under one field is OR-ed
            - '\mshta.exe'
            - '-f'
            - ' -e '
        Hashes|contains:        # Sysmon writes "MD5=...,SHA256=...", so an exact match on the bare hash never fires
            - 'MD5=31B87C94B9AFB492B845CEA2360A4B35'
    selection2:
        EventID: 2              # Sysmon "file creation time changed"; alone this is very noisy, kept here only to illustrate OR
    condition: selection or selection2
fields:                         # optional: event fields to show next to the alert
    - Image
    - CommandLine
falsepositives:
    - Unknown
level: medium
tags: # MITRE ATT&CK tactic and technique; lowercase with underscores, no spaces
    - attack.defense_evasion  # MITRE tactic
    - attack.t1218.005        # MITRE technique: System Binary Proxy Execution: Mshta
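Note on indentation: YAML does not accept tabs for indentation, so a rule indented with tabs will not parse at all; use spaces throughout.

The detection block combines matches in three ways: fields inside one selection are AND-ed, a list of values under a single field is OR-ed, and `condition` combines the named selections. To make that concrete, here is an added example written for this page (it is not code from the Sigma project or from pySigma) that transcribes the detection block above into a Python dict and evaluates it over constructed Sysmon-style events. The events, file paths and hash values are made up, and the evaluator only implements the modifiers used on this page; converting real rules into SIEM queries is the job of sigma-cli / pySigma, which this does not replace.

```python
import re

# Transcription of the detection block from example.yml above into a Python
# dict, so the example runs without a YAML parser (PyYAML yields the same).
RULE = {
    "detection": {
        "selection": {
            "EventID": 1,
            "ParentImage|endswith": ["\\chrome.exe"],
            "Image|endswith": ["\\mshta.exe"],
            "CommandLine|contains": ["\\mshta.exe", "-f", " -e "],
            "Hashes|contains": ["MD5=31B87C94B9AFB492B845CEA2360A4B35"],
        },
        "selection2": {"EventID": 2},
        "condition": "selection or selection2",
    }
}

# Constructed Sysmon-style events (not real telemetry); each comment says
# why the event should or should not fire.
HASH_OK = "MD5=31B87C94B9AFB492B845CEA2360A4B35,SHA256=" + "0" * 64
HASH_OTHER = "MD5=" + "F" * 32 + ",SHA256=" + "1" * 64
MSHTA = r"C:\Windows\System32\mshta.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
EVENTS = [
    # 1: mshta spawned by Chrome with the listed hash -> selection matches
    {"EventID": 1, "Image": MSHTA, "ParentImage": CHROME,
     "CommandLine": f'"{MSHTA}" http://example.invalid/a.hta', "Hashes": HASH_OK},
    # 2: same process tree, different binary -> Hashes fails, so the AND fails
    {"EventID": 1, "Image": MSHTA, "ParentImage": CHROME,
     "CommandLine": f'"{MSHTA}" http://example.invalid/a.hta', "Hashes": HASH_OTHER},
    # 3: mshta launched from Explorer -> ParentImage fails
    {"EventID": 1, "Image": MSHTA, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{MSHTA}" -e C:\\Users\\Public\\a.hta', "Hashes": HASH_OK},
    # 4: Sysmon EventID 2 (file creation time changed) -> selection2 alone fires
    {"EventID": 2, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Users\Public\notes.txt"},
]


def value_matches(actual, pattern, modifier):
    """One event value against one rule value; Sigma matching is case-insensitive.
    Only the modifiers used on this page are implemented (no wildcards, |re, |all)."""
    a, p = str(actual).lower(), str(pattern).lower()
    if modifier == "":
        return a == p
    if modifier == "contains":
        return p in a
    if modifier == "startswith":
        return a.startswith(p)
    if modifier == "endswith":
        return a.endswith(p)
    raise ValueError(f"unsupported modifier: {modifier}")


def field_matches(event, key, patterns):
    """'Field|modifier': a list of values is OR-ed; a missing field never matches."""
    field, _, modifier = key.partition("|")
    if field not in event:
        return False
    values = patterns if isinstance(patterns, list) else [patterns]
    return any(value_matches(event[field], p, modifier) for p in values)


def selection_matches(event, selection):
    """Every field inside one selection must match (AND)."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def eval_condition(condition, results):
    """and / or / not / parentheses over selection names; Sigma's aggregate
    forms ('1 of them', 'all of sel*') are out of scope here."""
    tokens = re.findall(r"[()]|[A-Za-z0-9_]+", condition)

    def parse(i, level=0):  # precedence: or (0) < and (1) < not / atom (2)
        if i >= len(tokens):
            raise ValueError("incomplete condition")
        if level == 2:
            tok = tokens[i]
            if tok.lower() == "not":
                val, i = parse(i + 1, 2)
                return not val, i
            if tok == "(":
                val, i = parse(i + 1)
                if i >= len(tokens) or tokens[i] != ")":
                    raise ValueError("missing ')' in condition")
                return val, i + 1
            if tok not in results:
                raise ValueError(f"unknown selection '{tok}' in condition")
            return results[tok], i + 1
        val, i = parse(i, level + 1)
        op = ("or", "and")[level]
        while i < len(tokens) and tokens[i].lower() == op:
            rhs, i = parse(i + 1, level + 1)
            val = (val or rhs) if op == "or" else (val and rhs)
        return val, i

    val, i = parse(0)
    if i != len(tokens):
        raise ValueError("unexpected trailing tokens in condition")
    return val


def matches(rule, event):
    """True when the rule's condition holds for this event."""
    det = rule["detection"]
    results = {n: selection_matches(event, s) for n, s in det.items() if n != "condition"}
    return eval_condition(det["condition"], results)


def run(rule, events):
    return [matches(rule, e) for e in events]


if __name__ == "__main__":
    for i, hit in enumerate(run(RULE, EVENTS), 1):
        print(f"event {i}: {'ALERT' if hit else 'no match'}")
```

Events 1 and 4 fire and 2 and 3 do not, which shows the three combinators at once: event 2 fails on a single AND-ed field (the hash), event 3 on the parent process, and event 4 matches through `selection2` alone, which is exactly why an `OR` with a bare `EventID: 2` selection makes the rule noisy in practice.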