Sigma Rules & Converter
uberAgent ESA ships with Activity Monitoring rules derived from Sigma signatures. These rules are grouped by severity: critical, high, medium, and low. ESA’s Sigma rules are stored in the configuration files
By their nature, Sigma rules are pretty dynamic and may change quickly. See below for instructions on how to convert Sigma rules yourself.
Following is an excerpt of some Sigma rules that ship with uberAgent ESA:
- Detect Ryuk ransomware command lines
- Detect DNS tunnel activity for Muddywater actor
- Detect a suspicious PowerShell command-line combination as used by APT29 in a campaign against US think tanks
- Detect Russian group activity as described in Global Threat Report 2019 by Crowdstrike
- Detect a suspicious DLL loading from AppData\Local as described in BlueMashroom report
- Detect Chafer activity attributed to OilRig as reported in Nyotron report in March 2018
- Detect CrackMapExecWin activity as described by NCSC
- Detect Elise backdoor activity as used by APT32
- Detect the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27
- Detect a specific tool and export used by EquationGroup
- Detect Golden Chickens deployment method as used by Evilnum in a report published in July 2020
- Detect tools and process executions as observed in a Greenbug campaign in May 2020
- Detect Judgement Panda activity as described in Global Threat Report 2019 by Crowdstrike
- Detect registry modifications performed by Ke3chang malware in campaigns running in 2019 and 2020
- Detect Trojan loader activity as used by APT28
- …and hundreds more
Not all Sigma rules are enabled by default. Check the includes in uberAgent-ESA.conf and adjust if necessary.
vast limits maintains a Sigma to uberAgent rule converter as part of the Sigma project. The converter is implemented as a Sigma backend. Please see the header of uberAgent’s Sigma rule files for instructions on how to invoke the conversion.
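A Sigma backend, in essence, takes the rule's `detection` section (named selections plus a `condition` expression) and renders it in the target's query syntax. The toy backend below is an added example written for this page: it is not the vast limits converter, its output syntax (`==`, and `like` with `*` wildcards) is hypothetical, and the rule it converts is a constructed sample rather than one of the shipped rules. It also sorts the rule into one of the four severity groups the page lists, and rejects constructs it does not understand (unknown modifiers, aggregation conditions such as `1 of selection*`) instead of emitting a silently wrong filter.

```python
import re

# Constructed sample rule: what a Sigma YAML rule looks like once loaded,
# written as a dict so the example runs without PyYAML. Not a shipped rule.
SAMPLE_RULE = {
    "title": "DLL loaded from AppData\\Local (constructed sample)",
    "level": "high",
    "logsource": {"category": "image_load", "product": "windows"},
    "detection": {
        "selection": {
            "ImageLoaded|contains": "\\AppData\\Local\\",
            "ImageLoaded|endswith": ".dll",
        },
        "filter": {
            "Image|endswith": ["\\msiexec.exe", "\\explorer.exe"],
        },
        "condition": "selection and not filter",
    },
}

# The severity groups the page lists; Sigma's `level` maps onto them directly.
SEVERITY_GROUPS = ("critical", "high", "medium", "low")


def quote(value):
    """Quote a literal for the hypothetical target syntax (single quotes doubled)."""
    return "'" + str(value).replace("'", "''") + "'"


def render_atom(key, value):
    """Render one `Field|modifier: value` pair. A list of values means any-of (OR)."""
    field, _, modifier = key.partition("|")
    values = value if isinstance(value, list) else [value]
    rendered = []
    for v in values:
        v = str(v)
        if modifier == "":
            rendered.append(f"{field} == {quote(v)}")
        elif modifier == "contains":
            rendered.append(f"{field} like {quote('*' + v + '*')}")
        elif modifier == "startswith":
            rendered.append(f"{field} like {quote(v + '*')}")
        elif modifier == "endswith":
            rendered.append(f"{field} like {quote('*' + v)}")
        else:
            raise ValueError(f"unsupported Sigma modifier: {modifier!r}")
    return rendered[0] if len(rendered) == 1 else "(" + " or ".join(rendered) + ")"


def render_selection(selection):
    """A mapping is AND of its fields; a list of mappings is OR of its entries."""
    if isinstance(selection, list):
        return "(" + " or ".join(render_selection(s) for s in selection) + ")"
    parts = [render_atom(k, v) for k, v in selection.items()]
    return parts[0] if len(parts) == 1 else "(" + " and ".join(parts) + ")"


def render_condition(detection):
    """Substitute each named selection into the rule's condition expression."""
    condition = detection["condition"]
    token = r"\(|\)|[A-Za-z_]\w*"
    # Anything left after removing tokens and whitespace is syntax we don't handle
    # (for example the `1 of selection*` aggregation form): refuse rather than guess.
    leftover = re.sub(token + r"|\s+", "", condition)
    if leftover:
        raise ValueError(f"unsupported condition syntax near {leftover!r}")
    out = []
    for tok in re.findall(token, condition):
        if tok in ("and", "or", "not", "(", ")"):
            out.append(tok)
        elif tok in detection and tok != "condition":
            out.append(render_selection(detection[tok]))
        else:
            raise ValueError(f"condition references unknown selection {tok!r}")
    return " ".join(out).replace("( ", "(").replace(" )", ")")


def convert(rule):
    """Return (severity_group, filter_expression) for one Sigma rule."""
    level = rule.get("level", "")
    if level not in SEVERITY_GROUPS:
        raise ValueError(f"level {level!r} is not one of {SEVERITY_GROUPS}")
    return level, render_condition(rule["detection"])


if __name__ == "__main__":
    group, expression = convert(SAMPLE_RULE)
    print(f"[{group}] {SAMPLE_RULE['title']}")
    print(expression)
```

The interesting part is in `render_condition`: a real backend has to cover the whole Sigma condition grammar, and the safe failure mode for anything it does not cover is to reject the rule so that a rule never ships as a filter that matches less than its author intended.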