Examples of supported Sigma rule conversions

Each row of the table gives the Sigma rule, its mapping to KUMA objects (normalizer, field-to-field mapping and how the selector condition is assembled) and, where the table gives one, the resulting KUMA condition.

Columns: Sigma rule | Mapping to KUMA objects | Condition

Row 1. Sigma rule:

title: Generic-DCSync Execution
id: 9107f781-c984-436a-8093-1aaa64c70c49
description: Detects access to DC with "DS-Replication-Get-Changes" or "DS-Replication-Get-Changes-All" rights
author: Kaspersky
status: stable
modified: 2023-08-02
tags:
  - attack.credential_access
  - attack.t1003.006
logsource:
  product: windows
  service: security
detection:
  selection1:
    EventID: 4662
    Properties|contains:
      - 'DS-Replication-Get-Changes'
      - '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
      - '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
  selection2:
    EventID: 4624
    LogonType: 3
  filter:
    EventID: 4624
    LogonType: 3
    SourceIP:
      - '<ip address of DC servers>'
  timeframe: 1m
  condition: selection1 or (selection2 and not filter) | count(EventID) by Computer,LogonID = 2
fields:
  - SourceIP
  - Computer
  - LogonID
  - Username
  - Properties
falsepositives:
  - Unknown
level: high

Row 1. Mapping to KUMA objects:

Normalizer: "Microsoft products"
tags → Description
logsource:
  DeviceVendor = Microsoft
  DeviceProduct = Windows
selection1:
  DeviceEventClassID = 4662
  FilePermission contains 'DS-Replication-Get-Changes' OR FilePermission contains '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' OR FilePermission contains '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
selection2:
  DeviceEventClassID = 4624
  DeviceCustomNumber1 = 3
filter:
  DeviceEventClassID = 4624
  DeviceCustomNumber1 = 3
  SourceAddress = <IP>   (the DC addresses listed in SourceIP)
condition (the part of the Sigma condition before the pipe):
  DeviceVendor = Microsoft AND
  DeviceProduct = Windows AND
  (
    (
      DeviceEventClassID = 4662 AND
      (FilePermission contains 'DS-Replication-Get-Changes' OR FilePermission contains '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' OR FilePermission contains '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2')
    ) OR
    (
      (
        DeviceEventClassID = 4624 AND
        DeviceCustomNumber1 = 3
      ) NOT
      (
        DeviceEventClassID = 4624 AND
        DeviceCustomNumber1 = 3 AND
        SourceAddress = <IP>
      )
    )
  )
Aggregation part of the Sigma condition (after the pipe) → correlation rule settings:
  everything inside count() → Unique fields: EventID (DeviceEventClassID)
  everything after 'by' → Aggregation fields: Computer → DestinationHostName, LogonID → FlexString1
  everything after '=' or '>' → Threshold: 2
  timeframe → Time window: 1m

Row 1. Condition:

This is a correlation rule with aggregation (the count() ... by ... part after the pipe), not a simple KUMA rule. At the moment it is only partially supported: if you remove the pipe and everything after it from the Sigma condition, the conversion yields a selector condition for a correlation rule or an SQL query for Threat Hunting. The unique fields, aggregation fields, threshold and time window are then set in the correlation rule as described in the mapping column.
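As an added example, not part of the KUMA documentation or of its converter, the following Python splits the aggregation pipe of this rule's condition into the correlation-rule settings listed in the mapping column (unique fields, aggregation fields, threshold, time window), renames the fields the way the mapping does (EventID → DeviceEventClassID, Computer → DestinationHostName, LogonID → FlexString1), and then checks the threshold over a few constructed events. The function names, the settings dict keys and the sample events are the example's own, and so is the assumption that the rule fires once the count reaches the threshold (so "= 2" is checked as "at least 2").

```python
import re
from datetime import datetime, timedelta

# Added example, not KUMA's own code. Splits "| count(EventID) by Computer,LogonID = 2"
# into the correlation-rule settings the table describes and checks them over sample
# events. Assumption: the rule fires once the count reaches the threshold ('= N' -> '>= N').

FIELD_MAP = {"EventID": "DeviceEventClassID", "Computer": "DestinationHostName", "LogonID": "FlexString1"}
PIPE_RE = re.compile(
    r"\|\s*count\((?P<unique>[^)]*)\)\s*by\s*(?P<by>[^=<>]+?)\s*(?P<op>[=<>]=?)\s*(?P<n>\d+)\s*$"
)
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_timeframe(text):
    """'1m' -> 60 seconds (Sigma timeframe syntax: <number><s|m|h|d>)."""
    m = re.fullmatch(r"\s*(\d+)([smhd])\s*", text)
    if not m:
        raise ValueError(f"unsupported timeframe {text!r}")
    return int(m.group(1)) * UNITS[m.group(2)]


def split_condition(condition, timeframe):
    """Return (selector_condition, settings). settings is None when there is no pipe,
    i.e. the rule converts to a plain selector condition or Threat Hunting query."""
    m = PIPE_RE.search(condition)
    if not m:
        return condition.strip(), None

    def rename(names):
        return [FIELD_MAP.get(n.strip(), n.strip()) for n in names.split(",") if n.strip()]

    settings = {
        "unique_fields": rename(m.group("unique")),          # everything inside count()
        "aggregation_fields": rename(m.group("by")),         # everything after 'by'
        "operator": m.group("op"),
        "threshold": int(m.group("n")),                      # everything after '=' or '>'
        "time_window_seconds": parse_timeframe(timeframe),   # timeframe
    }
    return condition[: m.start()].strip(), settings


def evaluate(events, settings):
    """Return the aggregation keys for which the number of distinct unique-field values
    seen inside one time window reaches the threshold (window ending at each event)."""
    window = timedelta(seconds=settings["time_window_seconds"])

    def key_of(e):
        return tuple(e[f] for f in settings["aggregation_fields"])

    def unique_of(e):
        return tuple(e[f] for f in settings["unique_fields"])

    ordered = sorted(events, key=lambda e: e["Timestamp"])
    hits = set()
    for i, event in enumerate(ordered):
        seen = {
            unique_of(other)
            for other in ordered[: i + 1]
            if key_of(other) == key_of(event) and other["Timestamp"] >= event["Timestamp"] - window
        }
        if len(seen) >= settings["threshold"]:
            hits.add(key_of(event))
    return hits


# Constructed sample events, already normalized to KUMA field names. Logon 0x3e7a1 shows a
# network logon (4624) followed 20 s later by a replication access (4662) on the same DC:
# two distinct EventIDs inside one minute, the pattern the rule describes. Logon 0x51c0f
# has the same two events but 170 s apart, outside the 1m window.
T0 = datetime(2023, 8, 2, 10, 0, 0)
SAMPLE_EVENTS = [
    {"Timestamp": T0, "DeviceEventClassID": "4624", "DestinationHostName": "DC01", "FlexString1": "0x3e7a1"},
    {"Timestamp": T0 + timedelta(seconds=20), "DeviceEventClassID": "4662", "DestinationHostName": "DC01", "FlexString1": "0x3e7a1"},
    {"Timestamp": T0 + timedelta(seconds=30), "DeviceEventClassID": "4662", "DestinationHostName": "DC01", "FlexString1": "0x51c0f"},
    {"Timestamp": T0 + timedelta(seconds=200), "DeviceEventClassID": "4624", "DestinationHostName": "DC01", "FlexString1": "0x51c0f"},
]

SIGMA_CONDITION = "selection1 or (selection2 and not filter) | count(EventID) by Computer,LogonID = 2"

if __name__ == "__main__":
    selector, settings = split_condition(SIGMA_CONDITION, "1m")
    print(selector)   # the part that converts to a selector condition today
    print(settings)   # what goes into the correlation rule by hand
    print(evaluate(SAMPLE_EVENTS, settings))  # {('DC01', '0x3e7a1')}
```

The selector returned by split_condition is the string you would feed to the converter after "removing the pipe"; the settings dict is the part the converter does not produce yet. The window check is deliberately the simple O(n²) form so the semantics stay visible.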

 

Row 2. Sigma rule:

title: Lsass Dump via LOLBin
id: 2fe9cd33-d7f1-4d52-ab11-e40cb359ad02
description: detects lsass dump via lolbins such as procdump.exe, dotnet-dump.exe, dumpminitool.exe
references:
  - https://twitter.com/bohops/status/1635288066909966338
  - https://twitter.com/mrd0x/status/1511415432888131586
modified: 2023-07-18
author: Kaspersky
status: stable
tags:
  - attack.credential_access
  - attack.t1003.001
logsource:
  product: windows
  category: process_creation
detection:
  selection_procdump:
    Image|endswith:
      - '\procdump.exe'
      - '\procdump64.exe'
    CommandLine|contains: 'lsass'
  selection_dotnet:
    Image|endswith: '\dotnet-dump.exe'
    CommandLine: ' collect '
  selection_dumpminitool:
    Image|endswith: '\dumpminitool.exe'
  condition: 1 of selection*
falsepositives:
  - Unknown
level: high

Row 2. Mapping to KUMA objects:

Converted in the same way as the rule in row 3 of the table (Generic-Clearing Windows Event Logs via Command Line). The only difference is the condition: '1 of selection*' means that any one of the named selections whose name starts with 'selection' may match, so those selections are joined with OR.

Row 2. Condition:

DeviceVendor='Microsoft' AND
DeviceProduct='Windows' AND
DeviceEventClassID='4688' AND
(
  (
    (DestinationProcessName endsWith '\\procdump.exe' OR
     DestinationProcessName endsWith '\\procdump64.exe') AND
    DeviceCustomString contains 'lsass'
  ) OR
  (
    DestinationProcessName endsWith '\\dotnet-dump.exe' AND
    DeviceCustomString=' collect '
  ) OR
  DestinationProcessName endsWith '\\dumpminitool.exe'
)

Row 3. Sigma rule:

title: Generic-Clearing Windows Event Logs via Command Line
id: a903492e-da40-4ab4-a92d-306a4799d973
description: Detects Clear Windows Event Logs via Command Line
author: Kaspersky
status: stable
modified: 2023-07-18
tags:
  - attack.defense_evasion
  - attack.t1070.001
logsource:
  product: windows
  category: process_creation
detection:
  selection1:
    Image|endswith: '\wevtutil.exe'
    CommandLine|contains:
      - ' cl '
      - 'clear'
  selection2:
    Image|endswith:
      - '\powershell.exe'
      - '\powershell_ise.exe'
      - '\pwsh.exe'
    CommandLine|contains:
      - 'Clear-EventLog'
      - 'Remove-EventLog'
  selection3:
    Image|endswith: '\wmic.exe'
    CommandLine|contains:
      - 'ClearEventLog'
  condition: 1 of them
falsepositives:
  - Legitimate System Administrator actions
level: high

Row 3. Mapping to KUMA objects:

Normalizer: "Microsoft products"
tags → Description
logsource:
  DeviceVendor = Microsoft
  DeviceProduct = Windows
  DeviceEventClassID = 4688
selection1:
  DestinationProcessName endswith '\wevtutil.exe'
  DeviceCustomString4 contains ' cl ' OR DeviceCustomString4 contains 'clear'
selection2:
  DestinationProcessName endswith '\powershell.exe' OR DestinationProcessName endswith '\powershell_ise.exe' OR DestinationProcessName endswith '\pwsh.exe'
  DeviceCustomString4 contains 'Clear-EventLog' OR DeviceCustomString4 contains 'Remove-EventLog'
selection3:
  DestinationProcessName endswith '\wmic.exe'
  DeviceCustomString4 contains 'ClearEventLog'
condition ('1 of them': the selections are joined with OR):
  DeviceVendor = Microsoft AND
  DeviceProduct = Windows AND
  DeviceEventClassID = 4688 AND
  (
    (DestinationProcessName endswith '\wevtutil.exe' AND (DeviceCustomString4 contains ' cl ' OR DeviceCustomString4 contains 'clear')) OR
    ((DestinationProcessName endswith '\powershell.exe' OR DestinationProcessName endswith '\powershell_ise.exe' OR DestinationProcessName endswith '\pwsh.exe') AND (DeviceCustomString4 contains 'Clear-EventLog' OR DeviceCustomString4 contains 'Remove-EventLog')) OR
    (DestinationProcessName endswith '\wmic.exe' AND DeviceCustomString4 contains 'ClearEventLog')
  )
Identical fields: the fields used in the condition, except Name, DeviceProduct and DeviceVendor.

Row 3. Condition:

DeviceVendor='Microsoft' AND
DeviceProduct='Windows' AND
DeviceEventClassID='4688' AND
(
  (
    DestinationProcessName endsWith '\\wevtutil.exe' AND
    (DeviceCustomString contains ' cl ' OR DeviceCustomString contains 'clear')
  ) OR
  (
    (DestinationProcessName endsWith '\\powershell.exe' OR
     DestinationProcessName endsWith '\\powershell_ise.exe' OR
     DestinationProcessName endsWith '\\pwsh.exe') AND
    (DeviceCustomString contains 'Clear-EventLog' OR
     DeviceCustomString contains 'Remove-EventLog')
  ) OR
  (
    DestinationProcessName endsWith '\\wmic.exe' AND
    DeviceCustomString contains 'ClearEventLog'
  )
)

Row 4. Sigma rule:

title: 0021-0002.1204.003 Execution - PowerExchangeDropper
description: Detect the dropping of PowerExchange components.
status: experimental
logsource:
  product: windows
  service: Sysmon
detection:
  selection1:
    EventID: 11
  selection2:
    TargetFilename|contains:
      - 'c:\users\public\microsoftedge\autosave.exe'
      - 'c:\users\public\microsoftedge\wsdl.ps1'
  selection3:
    Image|endswith: "brochure.exe"
  condition: selection1 and selection2 and selection3
falsepositives:
  - Unknown
level: high

Row 4. Mapping to KUMA objects:

Based on the Sysmon normalizer, event ID 11 (FileCreate).
title → Name
author → Description
description → Description
status → Description
logsource:
  DeviceVendor = Microsoft
  DeviceProduct = Sysmon
selection1:
  DeviceEventClassID = 11
selection2:
  FilePath contains 'c:\users\public\microsoftedge\autosave.exe' OR FilePath contains 'c:\users\public\microsoftedge\wsdl.ps1'
  (if a file path contains a * wildcard, write the value as a regular expression)
selection3:
  OldFilePath endswith 'brochure.exe'
condition (the selections are joined with AND):
  DeviceVendor = Microsoft AND
  DeviceProduct = Sysmon AND
  (DeviceEventClassID = 11) AND
  (FilePath contains 'c:\users\public\microsoftedge\autosave.exe' OR FilePath contains 'c:\users\public\microsoftedge\wsdl.ps1') AND
  (OldFilePath endswith 'brochure.exe')
Identical fields: the fields used in the condition, except Name, DeviceProduct and DeviceVendor.
level → Severity
falsepositives → Description

Row 4. Condition:

DeviceVendor='Microsoft' AND
DeviceProduct='Sysmon' AND
DeviceEventClassID=11 AND
(
  FilePath contains 'c:\\users\\public\\microsoftedge\\autosave.exe' OR
  FilePath contains 'c:\\users\\public\\microsoftedge\\wsdl.ps1'
) AND
OldFilePath endsWith 'brochure.exe'

Row 5. Sigma rule:

title: Domain joined host discovery
description: Detect an attacker enumerating domain-joined machines using PowerShell.
status: stable
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4104
    ScriptBlockText|contains|all:
      - 'System.DirectoryServices.DirectorySearcher'
      - 'Properties.operatingsystem'
  condition: selection
falsepositives:
  - "Administrative scripts or tools like Vulnerability Scanners"
level: medium

Row 5. Mapping to KUMA objects:

ScriptBlockText → Message

 

Row 6. Sigma rule:

title: 0022-0002.1053.005 Execution - PowerExchange Task
description: Detect the creation of a scheduled task by PowerExchange.
status: experimental
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID:
      - '4698'
    TaskName|contains:
      - 'MicrosoftEdgeUpdateService'
  condition: selection
falsepositives:
  - Unknown
level: medium

Row 6. Mapping to KUMA objects:

TaskName → SourceProcessName

 

Row 7. Sigma rule:

title: Created Windows Shell from Critical Windows Process
description: Anomaly behavior critical windows process
status: stable
modified: 2023-07-18
tags:
  - attack.defense_evasion
  - attack.t1036
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    ParentImage|endswith:
      - '\searchindexer.exe'
      - '\lsaiso.exe'
      - '\lsm.exe'
      - '\spoolsv.exe'
      - '\wininit.exe'
      - '\smss.exe'
      - '\csrss.exe'
      - '\lsass.exe'
      - '\services.exe'
      - '\winlogon.exe'
    Image|endswith:
      - '\powershell_ise.exe'
      - '\cmstp.exe'
      - '\appvlp.exe'
      - '\mftrace.exe'
      - '\scriptrunner.exe'
      - '\forfiles.exe'
      - '\msiexec.exe'
      - '\rundll32.exe'
      - '\mshta.exe'
      - '\hh.exe'
      - '\wmic.exe'
      - '\regsvr32.exe'
      - '\scrcons.exe'
      - '\bash.exe'
      - '\sh.exe'
      - '\cscript.exe'
      - '\wscript.exe'
      - '\powershell.exe'
      - '\cmd.exe'
  condition: selection
falsepositives:
  - Unknown
level: high

Row 7. Mapping to KUMA objects:

ParentImage → SourceProcessName
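The following Python is an added example, not Kaspersky's converter. It applies the field mappings collected across the rows of this table (Image → DestinationProcessName, ParentImage → SourceProcessName, CommandLine → DeviceCustomString, ScriptBlockText → Message, TaskName → SourceProcessName, TargetFilename → FilePath, EventID → DeviceEventClassID, LogonType → DeviceCustomNumber1, SourceIP → SourceAddress) and the logsource prefix the table uses (DeviceVendor='Microsoft', DeviceProduct='Windows' or 'Sysmon', DeviceEventClassID='4688' for process_creation) to the detection section of a rule. It handles the condition forms that appear above ('1 of them', '1 of selection*', 'selection1 and selection2 and selection3', 'and not filter'), the contains|all modifier of the PowerShell row and the wildcard-to-regex note of the Sysmon row. The function names, the FIELD_MAP dict and the sample rule dict are the example's own; the 'matches' regular-expression operator is an assumption about KUMA syntax, and the aggregation pipe of the DCSync row is outside this block.

```python
import fnmatch
import re

# Added example, not KUMA's or Kaspersky's converter. Field names, the logsource prefix and
# the quoting style ('\\procdump.exe') follow the table; 'matches' for regexes is an assumption.

FIELD_MAP = {
    "EventID": "DeviceEventClassID",
    "Image": "DestinationProcessName",
    "ParentImage": "SourceProcessName",
    "CommandLine": "DeviceCustomString",
    "ScriptBlockText": "Message",
    "TaskName": "SourceProcessName",
    "TargetFilename": "FilePath",
    "LogonType": "DeviceCustomNumber1",
    "SourceIP": "SourceAddress",
}
MODIFIERS = {"contains": "contains", "endswith": "endsWith", "startswith": "startsWith"}


def literal(value):
    """Quote a value the way the table's conditions do: numbers bare, strings in
    single quotes with backslashes doubled."""
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return str(value)
    return "'" + str(value).replace("\\", "\\\\") + "'"


def clause(spec, values):
    """One 'Field|modifier' entry with its value(s) -> KUMA clause. A list of values is
    OR-ed, or AND-ed when the Sigma 'all' modifier is present."""
    field, *mods = spec.split("|")
    kfield = FIELD_MAP.get(field, field)
    op = next((MODIFIERS[m] for m in mods if m in MODIFIERS), "=")
    parts = []
    for value in values if isinstance(values, list) else [values]:
        if isinstance(value, str) and "*" in value:
            # A wildcard in a path is written as a regular expression (Sysmon row).
            regex = "^" + re.escape(value).replace("\\*", ".*") + "$"
            parts.append(f"{kfield} matches {literal(regex)}")
        else:
            parts.append(f"{kfield} {op} {literal(value)}")
    joiner = " AND " if "all" in mods else " OR "
    return parts[0] if len(parts) == 1 else "(" + joiner.join(parts) + ")"


def render_selection(selection):
    """A named selection is the AND of its field clauses."""
    parts = [clause(spec, values) for spec, values in selection.items()]
    return parts[0] if len(parts) == 1 else "(" + " AND ".join(parts) + ")"


def compile_condition(condition, selections):
    """Recursive-descent translation of a Sigma condition: names, and/or/not, parentheses,
    '1 of <pattern>' (OR) and 'all of <pattern>' (AND), where 'them' means every selection."""
    tokens = re.findall(r"\(|\)|[\w*]+", condition)
    pos = 0

    def peek():
        return tokens[pos].lower() if pos < len(tokens) else None

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def parse_or():
        left = parse_and()
        while peek() == "or":
            take()
            left = f"({left} OR {parse_and()})"
        return left

    def parse_and():
        left = parse_not()
        while peek() == "and":
            take()
            left = f"({left} AND {parse_not()})"
        return left

    def parse_not():
        if peek() == "not":
            take()
            return f"NOT ({parse_not()})"
        return parse_primary()

    def parse_primary():
        tok = take()
        if tok == "(":
            inner = parse_or()
            take()  # closing parenthesis
            return inner
        if tok in ("1", "all"):
            take()  # 'of'
            pattern = take()
            names = [n for n in selections if pattern == "them" or fnmatch.fnmatchcase(n, pattern)]
            joiner = " OR " if tok == "1" else " AND "
            return "(" + joiner.join(render_selection(selections[n]) for n in names) + ")"
        return render_selection(selections[tok])

    return parse_or()


def to_kuma(rule):
    """Logsource prefix as in the table, followed by the compiled detection condition."""
    source = rule.get("logsource", {})
    product = "Sysmon" if source.get("service", "").lower() == "sysmon" else "Windows"
    prefix = ["DeviceVendor='Microsoft'", f"DeviceProduct='{product}'"]
    if source.get("category") == "process_creation":
        prefix.append("DeviceEventClassID='4688'")
    detection = dict(rule["detection"])
    return " AND ".join(prefix + [compile_condition(detection.pop("condition"), detection)])


# Constructed sample input: the detection section of the "Clearing Windows Event Logs" row.
CLEAR_EVENTLOG_RULE = {
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection1": {"Image|endswith": "\\wevtutil.exe", "CommandLine|contains": [" cl ", "clear"]},
        "selection2": {"Image|endswith": ["\\powershell.exe", "\\powershell_ise.exe", "\\pwsh.exe"],
                       "CommandLine|contains": ["Clear-EventLog", "Remove-EventLog"]},
        "selection3": {"Image|endswith": "\\wmic.exe", "CommandLine|contains": ["ClearEventLog"]},
        "condition": "1 of them",
    },
}

if __name__ == "__main__":
    print(to_kuma(CLEAR_EVENTLOG_RULE))
```

Feed a rule loaded with any YAML library (the dict shape is exactly what yaml.safe_load gives for a Sigma file) and compare the output with the Condition column of the corresponding row; a rule that uses a field missing from FIELD_MAP passes the Sigma name through unchanged, which is the place to extend the map for a new normalizer.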

 
