Hunting Evil with Sigma (Splunk Edition)

As discussed when introducing Sigma, Sigma rules revolutionize our approach to log analysis and threat detection. Acting as a universal translator, Sigma brings a level of abstraction to event logs, removing the need for SIEM-specific query languages and enabling the use of common detection logic across platforms.

Let's validate this approach by converting two Sigma rules into Splunk’s SPL format and examining the outcomes.

Example 1: Hunting for MiniDump Function Abuse to Dump LSASS's Memory (comsvcs.dll via rundll32)

A Sigma rule named proc_access_win_lsass_dump_comsvcs_dll.yml is available in the following directory:

C:\Tools\chainsaw\sigma\rules\windows\process_access

This Sigma rule detects adversaries who use the MiniDump export function of comsvcs.dll via rundll32 to perform a memory dump from LSASS.

To convert this rule to a Splunk-compatible query, we can use sigmac as follows:

PS C:\Tools\sigma-0.21\tools> python sigmac -t splunk C:\Tools\chainsaw\sigma\rules\windows\process_access\proc_access_win_lsass_dump_comsvcs_dll.yml -c .\config\splunk-windows.yml

This command generates the following SPL query:

(TargetImage="*\\lsass.exe" SourceImage="C:\\Windows\\System32\\rundll32.exe" CallTrace="*comsvcs.dll*")

To validate the rule in Splunk:

Navigate to http://[Target IP]:8000.
Open the "Search & Reporting" application.
Submit the Splunk search query generated by sigmac.

Result: The SPL query successfully detects MiniDump function abuse to dump LSASS's memory.

Example 2: Hunting for Notepad Spawning Suspicious Child Processes

A Sigma rule named proc_creation_win_notepad_susp_child.yml is available in:

C:\Rules\sigma

This Sigma rule detects cases where notepad.exe spawns suspicious child processes.

To convert this rule to SPL, we use sigmac as follows:

PS C:\Tools\sigma-0.21\tools> python sigmac -t splunk C:\Rules\sigma\proc_creation_win_notepad_susp_child.yml -c .\config\splunk-windows.yml

The command produces the following SPL query:

(ParentImage="*\\notepad.exe" (Image="*\\powershell.exe" OR Image="*\\pwsh.exe" OR Image="*\\cmd.exe" OR Image="*\\mshta.exe" OR Image="*\\cscript.exe" OR Image="*\\wscript.exe" OR Image="*\\taskkill.exe" OR Image="*\\regsvr32.exe" OR Image="*\\rundll32.exe" OR Image="*\\calc.exe"))

To validate the rule in Splunk:

Navigate to http://[Target IP]:8000.
Open the "Search & Reporting" application.
Submit the generated SPL query.

Result: The SPL query detects instances where notepad.exe spawns suspicious processes, such as PowerShell.

Customizing Sigma for SIEM Compatibility

In many cases, Sigma configuration files, located in the following directory:

C:\Tools\sigma-0.21\tools\config

may require customization to generate accurate and usable SIEM queries. These configuration adjustments help ensure the translated rules align with specific data fields and log structures in the target SIEM environment.

PreviousHunting Evil with Sigma (Chainsaw Edition)NextIntroduction to Digital Forensics

Last updated 2 months ago

hashtagExample 1: Hunting for MiniDump Function Abuse to Dump LSASS's Memory (comsvcs.dll via rundll32)

hashtagExample 2: Hunting for Notepad Spawning Suspicious Child Processes

hashtagCustomizing Sigma for SIEM Compatibility

Example 1: Hunting for MiniDump Function Abuse to Dump LSASS's Memory (comsvcs.dll via rundll32)

Example 2: Hunting for Notepad Spawning Suspicious Child Processes

Customizing Sigma for SIEM Compatibility