Sigma Rules

The ESA Activity Monitoring rules derived from Sigma signatures are third-party rules. They ship in the configuration files uberAgent-ESA-am-sigma-*.conf.

ESA's Sigma rules are grouped by severity: critical, high, medium, and low. Sigma signatures are maintained upstream and change frequently, so the exact set of rules shipped with a given uberAgent ESA release varies. The following excerpt lists some of the Sigma rules that ship with uberAgent ESA:

  • Detects Ryuk ransomware command lines
  • Detects DNS tunnel activity of the MuddyWater actor
  • Detects a suspicious PowerShell command-line combination as used by APT29 in a campaign against US think tanks
  • Detects Russian group activity as described in the Crowdstrike Global Threat Report 2019
  • Detects suspicious DLL loading from AppData\Local as described in the BlueMashroom report
  • Detects Chafer activity attributed to OilRig as reported by Nyotron in March 2018
  • Detects CrackMapExecWin activity as described by the NCSC
  • Detects Elise backdoor activity as used by APT32
  • Detects the execution of DLL side-loading malware used by the threat group Emissary Panda aka APT27
  • Detects a specific tool and export used by the Equation Group
  • Detects the Golden Chickens deployment method as used by Evilnum in a report published in July 2020
  • Detects tools and process executions as observed in a Greenbug campaign in May 2020
  • Detects Judgement Panda activity as described in the Crowdstrike Global Threat Report 2019
  • Detects registry modifications performed by Ke3chang malware in campaigns running in 2019 and 2020
  • Detects Trojan loader activity as used by APT28
  • …and hundreds more

Not all Sigma rules are enabled by default: a rule file is only loaded if uberAgent-ESA.conf includes it. Check the includes in uberAgent-ESA.conf and adjust them if necessary.
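As an added example that is not part of this page or of uberAgent's own tooling, the following Python script inventories a set of uberAgent-ESA-am-sigma-*.conf files and reports which of them are referenced from uberAgent-ESA.conf, so that rule files which are present on disk but never loaded stand out. The sample file contents, the [ActivityMonitoringRule] stanza layout with RuleName/RiskScore/Query keys, the [Includes] section syntax and the severity-suffixed file names are assumptions made for this example; verify them against the configuration files of your own installation.

```python
import re

# Constructed sample data. The stanza layout, the key names, the query text
# and the file names are assumptions for this example, not the documented
# uberAgent ESA syntax. The rule names echo entries from the list above.
SIGMA_FILES = {
    "uberAgent-ESA-am-sigma-critical.conf": """
[ActivityMonitoringRule]
RuleName = Ryuk ransomware command line
RiskScore = 100
Query = Process.CommandLine like "%stop%audioendpointbuilder%"

[ActivityMonitoringRule]
RuleName = CrackMapExecWin activity
RiskScore = 100
Query = Process.Name == "crackmapexec.exe"
""",
    "uberAgent-ESA-am-sigma-high.conf": """
[ActivityMonitoringRule]
RuleName = APT29 PowerShell command-line combination
RiskScore = 75
Query = Process.CommandLine like "%-noni%-ep%bypass%$%"
""",
    "uberAgent-ESA-am-sigma-medium.conf": """
# comment lines and blank lines are skipped by the parser
[ActivityMonitoringRule]
RuleName = DLL loaded from AppData\\Local
RiskScore = 50
Query = Image.Path like "%\\\\AppData\\\\Local\\\\%.dll"
""",
    "uberAgent-ESA-am-sigma-low.conf": """
[ActivityMonitoringRule]
RuleName = Judgement Panda activity
RiskScore = 25
Query = Process.CommandLine like "%copy%\\\\Temp\\\\%.exe"
""",
}

# Constructed uberAgent-ESA.conf excerpt: the medium and low files exist on
# disk but only the critical and high files are included (one is commented out).
ESA_CONF = """
[Includes]
uberAgent-ESA-am-sigma-critical.conf
uberAgent-ESA-am-sigma-high.conf
# uberAgent-ESA-am-sigma-medium.conf
"""

STANZA = "[ActivityMonitoringRule]"
FILE_PATTERN = re.compile(r"^uberAgent-ESA-am-sigma-(\w+)\.conf$")


def parse_rules(conf_text):
    """Split a rule file into stanzas; return one dict of key/value pairs per rule."""
    rules, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == STANZA:
            current = {}
            rules.append(current)
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return rules


def included_files(esa_conf_text):
    """Return the set of file names listed, uncommented, under [Includes]."""
    included, in_section = set(), False
    for raw in esa_conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line == "[Includes]"
            continue
        if in_section:
            included.add(line)
    return included


def audit(esa_conf_text, sigma_files):
    """Per rule file: severity (from the assumed file-name suffix), rule count,
    lowest RiskScore and whether uberAgent-ESA.conf actually includes it."""
    included = included_files(esa_conf_text)
    report = {}
    for name, text in sigma_files.items():
        rules = parse_rules(text)
        match = FILE_PATTERN.match(name)
        report[name] = {
            "severity": match.group(1) if match else "unknown",
            "rules": len(rules),
            "min_risk": min(int(r["RiskScore"]) for r in rules) if rules else None,
            "included": name in included,
        }
    return report


def not_loaded(esa_conf_text, sigma_files):
    """Rule files present on disk that no include line references."""
    return sorted(n for n, info in audit(esa_conf_text, sigma_files).items()
                  if not info["included"])


if __name__ == "__main__":
    for name, info in audit(ESA_CONF, SIGMA_FILES).items():
        state = "loaded" if info["included"] else "NOT INCLUDED"
        print(f"{name}: {info['rules']} rules, severity {info['severity']}, {state}")
```

On a real system, replace SIGMA_FILES with the contents of the files read from the uberAgent configuration directory and ESA_CONF with the actual uberAgent-ESA.conf; any file reported as NOT INCLUDED contributes no detections until it is added to the includes.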
