Agent Skill
2/7/2026

threat-hunting

Hunt threats using Sigma detection rules and security analysis techniques. Use when investigating security incidents, creating detection rules, or analyzing suspicious activity.

allanninal
npx skills add allanninal/claude-code-skills

SKILL.md


name: threat-hunting
description: Hunt threats using Sigma detection rules and security analysis techniques. Use when investigating security incidents, creating detection rules, or analyzing suspicious activity.

Threat Hunting with Sigma Rules

When to Use This Skill

  • Investigating security incidents
  • Creating detection rules for SIEM
  • Analyzing suspicious activity patterns
  • Building threat detection pipelines
  • Converting detections between platforms

Sigma Rule Basics

Rule Structure

title: Suspicious PowerShell Download
id: 3b6ab547-8ec2-4991-b9d2-2b06702a48d7
status: experimental
description: Detects PowerShell commands downloading files from the internet
author: Security Team
date: 2024/01/15
modified: 2024/01/20

logsource:
  category: process_creation
  product: windows

detection:
  selection_process:
    Image|endswith: '\powershell.exe'
  selection_commands:
    CommandLine|contains|all:
      - 'Net.WebClient'
      - 'DownloadString'
  condition: selection_process and selection_commands

falsepositives:
  - Legitimate administrative scripts
  - Software installers

level: medium

tags:
  - attack.execution
  - attack.t1059.001
  - attack.defense_evasion
  - attack.t1140

Field Modifiers

| Modifier | Description | Example |
|----------|-------------|---------|
| contains | Substring match | CommandLine\|contains: 'wget' |
| startswith | Prefix match | Image\|startswith: 'C:\Temp' |
| endswith | Suffix match | Image\|endswith: '.exe' |
| re | Regex match | CommandLine\|re: '.*base64.*' |
| all | All values must match | \|contains\|all: |
| base64 | Base64 decode first | CommandLine\|base64\|contains: |
| cidr | IP range match | DestinationIp\|cidr: '10.0.0.0/8' |

Common Detection Patterns

Process Creation

title: Suspicious Process from Temp Directory
logsource:
  category: process_creation
  product: windows

detection:
  selection:
    Image|contains:
      - '\Temp\'
      - '\AppData\Local\Temp\'
    Image|endswith:
      - '.exe'
      - '.com'
      - '.scr'
  filter_known:
    Image|endswith:
      - '\setup.exe'
      - '\installer.exe'
  condition: selection and not filter_known

Network Connections

title: Outbound Connection to Known Malicious Port
logsource:
  category: network_connection
  product: windows

detection:
  selection:
    Initiated: 'true'
    DestinationPort:
      - 4444  # Metasploit
      - 5555  # Common RAT
      - 6666  # IRC
      - 8080  # Web proxy
  condition: selection

File Creation

title: Executable Created in Suspicious Location
logsource:
  category: file_event
  product: windows

detection:
  selection:
    EventType: 'creation'
    TargetFilename|endswith:
      - '.exe'
      - '.dll'
      - '.ps1'
    TargetFilename|contains:
      - '\Windows\Temp\'
      - '\ProgramData\'
      - '\Users\Public\'
  condition: selection

Registry Modifications

title: Run Key Persistence
logsource:
  category: registry_event
  product: windows

detection:
  selection:
    EventType: SetValue
    TargetObject|contains:
      - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
      - '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
  condition: selection

Hunting Queries

PowerShell Hunting

# Encoded PowerShell Commands
title: Encoded PowerShell Execution
detection:
  selection:
    CommandLine|contains:
      - '-enc'
      - '-EncodedCommand'
      - '-e '
    CommandLine|base64offset|contains:
      - 'IEX'
      - 'Invoke-Expression'
  condition: selection

Lateral Movement

# PsExec-like Activity
title: Remote Service Installation
logsource:
  product: windows
  service: system

detection:
  selection:
    EventID: 7045  # Service installed
    ServiceFileName|contains:
      - '\ADMIN$\'
      - '\C$\'
  condition: selection

Data Exfiltration

# Large Outbound Transfers
title: Large Data Transfer to External IP
logsource:
  category: proxy

detection:
  selection:
    bytes_out|gt: 10000000  # 10MB
  filter_internal:
    dst_ip|cidr:
      - '10.0.0.0/8'
      - '172.16.0.0/12'
      - '192.168.0.0/16'
  condition: selection and not filter_internal
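As an added example that is not part of this skill or of pySigma, the following stdlib-only evaluator implements the field modifiers listed in the table above and runs the detection blocks of the PowerShell download rule and the proxy exfiltration rule against constructed events. It assumes the condition grammar is limited to the 'a and b' / 'a and not b' forms those rules use.

```python
# Added example (not the skill's code): condition grammar limited to 'a and b' / 'a and not b'.
import ipaddress
import re

def match_value(mods, value, pattern):
    """Apply one Sigma value comparison; string matching is case-insensitive."""
    if value is None:
        return False
    if "cidr" in mods:
        return ipaddress.ip_address(value) in ipaddress.ip_network(pattern)
    if "gt" in mods:
        return float(value) > float(pattern)
    if "re" in mods:
        return re.search(pattern, str(value)) is not None
    value, pattern = str(value).lower(), str(pattern).lower()
    if "contains" in mods:
        return pattern in value
    if "startswith" in mods:
        return value.startswith(pattern)
    if "endswith" in mods:
        return value.endswith(pattern)
    return value == pattern

def selection_matches(selection, event):
    """Fields within a selection are ANDed; a value list is ORed unless |all."""
    for key, patterns in selection.items():
        field, *mods = key.split("|")
        if not isinstance(patterns, list):
            patterns = [patterns]
        hits = [match_value(mods, event.get(field), p) for p in patterns]
        if not (all(hits) if "all" in mods else any(hits)):
            return False
    return True

def rule_matches(detection, event):
    """Evaluate the condition over named selections ('and' and 'not' only)."""
    result = True
    for term in detection["condition"].split(" and "):
        negate = term.startswith("not ")
        hit = selection_matches(detection[term[4:] if negate else term], event)
        result = result and hit != negate
    return result
# Detection blocks transcribed from the rules above (the YAML parsed into dicts).
PS_DOWNLOAD = {
    "selection_process": {"Image|endswith": "\\powershell.exe"},
    "selection_commands": {"CommandLine|contains|all": ["Net.WebClient", "DownloadString"]},
    "condition": "selection_process and selection_commands"}
EXFIL = {"selection": {"bytes_out|gt": 10000000},
         "filter_internal": {"dst_ip|cidr": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]},
         "condition": "selection and not filter_internal"}
```

A false positive such as an admin script that downloads with Net.WebClient still matches here, which is why the rule documents its falsepositives list.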

MITRE ATT&CK Mapping

tags:
  # Initial Access
  - attack.initial_access
  - attack.t1566        # Phishing

  # Execution
  - attack.execution
  - attack.t1059.001    # PowerShell
  - attack.t1059.003    # Windows Command Shell

  # Persistence
  - attack.persistence
  - attack.t1547.001    # Registry Run Keys

  # Defense Evasion
  - attack.defense_evasion
  - attack.t1140        # Deobfuscate/Decode

  # Credential Access
  - attack.credential_access
  - attack.t1003        # OS Credential Dumping

  # Lateral Movement
  - attack.lateral_movement
  - attack.t1021.002    # SMB/Windows Admin Shares

Converting Sigma Rules

To Splunk

# Using sigmac (legacy)
sigmac -t splunk -c sysmon rule.yml

# Using sigma-cli
sigma convert -t splunk -p sysmon rule.yml

To Elastic

sigma convert -t elasticsearch -p ecs-windows rule.yml

To Microsoft Sentinel

sigma convert -t microsoft365defender rule.yml

Investigation Workflow

1. Triage Alert

## Alert Triage Checklist

- [ ] Verify the detection fired correctly
- [ ] Check for false positive indicators
- [ ] Identify affected systems
- [ ] Determine timeline of activity
- [ ] Assess potential impact

2. Gather Context

# Related process activity
index=windows EventCode=1
| where host="affected_host"
| where _time >= relative_time(now(), "-1h")
| stats count by Image, CommandLine, ParentImage
| sort -count

# Network connections from host
index=network src_ip="10.1.1.50"
| where _time >= relative_time(now(), "-1h")
| stats count by dest_ip, dest_port
| sort -count

3. Timeline Analysis

| Time | Event | Source | Details |
|------|-------|--------|---------|
| 10:00 | Phishing email | Email logs | malicious.doc attached |
| 10:05 | Document opened | Process logs | WINWORD.EXE spawned |
| 10:06 | PowerShell | Process logs | Encoded command |
| 10:07 | Network conn | Firewall | C2 callback to 1.2.3.4 |
| 10:10 | New service | Event logs | Persistence installed |

4. Containment

# Isolate affected system
# Block IOCs at firewall
# Disable compromised accounts
# Preserve evidence

Rule Testing

# Test Sigma rule with pySigma
from sigma.rule import SigmaRule
from sigma.backends.splunk import SplunkBackend

# Parse the rule from YAML; the doubled backslash is Python escaping, the YAML sees '\cmd.exe'
rule = SigmaRule.from_yaml("""
title: Test Rule
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\\cmd.exe'
  condition: selection
""")

# Convert to an SPL search; without a processing pipeline the field names pass through unchanged
backend = SplunkBackend()
print(backend.convert_rule(rule))

Best Practices

  • Test rules against known-good baseline
  • Include false positive documentation
  • Map to MITRE ATT&CK techniques
  • Version control all rules
  • Regular rule review and tuning
  • Document investigation runbooks
  • Share rules with community (when appropriate)