TRYHACKME: Advent of Cyber 2022 [Day 18] -Sigma Lumberjack Lenny Learns New Rules

Ali AK, published in System Weakness, 3 min read, Dec 28, 2022

Scenario: Compromise has been confirmed within the Best Festival Company Infrastructure, and tests have been conducted in the last couple of weeks. However, Santa’s SOC team wonders if there are methodologies that would help them perform threat detection faster by analysing the logs they collect. Elf McSkidy is aware of Sigma rules and has tasked you to learn more and experiment with threat detection rules.

Day 18 Learning Objectives: Threat Detection using Sigma

Threat Detection

Threat detection involves proactively hunting for and analysing abnormal activity within an environment to identify signs of compromise or intrusion on a network.

The attack chain report included indicators of compromise (IOCs) and necessary detection parameters, as listed below.

So we have to create detection rules for this MITRE TTP using Sigma.

About Sigma

Sigma makes it easy to perform content matching based on collected logs to raise threat alerts for analysts to investigate. Log files are usually collected and stored in a database or a Security Information and Event Management (SIEM) solution for further analysis. Sigma is vendor-agnostic; therefore, the rules can be converted to a format that fits the target SIEM.

Sigma was developed to satisfy the following scenarios:

  • To make detection methods and signatures shareable alongside IOCs and Yara rules.
  • To write SIEM searches that avoid vendor lock-in.
  • To share signatures with threat intelligence communities.
  • To write custom detection rules for malicious behaviour based on specific conditions.

Sigma Syntax
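As an added example of what a Sigma rule looks like and how its detection section is evaluated (this is example code written for this writeup, not code from the original post, from TryHackMe or from the Sigma project): a Python script that holds a rule for a Windows user-account creation (Security Event ID 4720) and a minimal matcher that applies the rule's selection, filter and condition to a few constructed log events. The rule is written as a Python dict rather than YAML so it runs without PyYAML, the event field names and sample events are assumptions modelled on Windows Security log fields, and only the core Sigma syntax (field maps, list-of-maps, `|contains` / `|startswith` / `|endswith` / `|re` modifiers, and `and` / `or` / `not` conditions) is handled.

```python
"""Minimal Sigma-style rule matcher (added example, not from the post or the Sigma project)."""
import re

# A Sigma rule in its usual shape: title, logsource, detection (named searches plus a
# condition), level. Assumed field names follow the Windows Security log.
RULE = {
    "title": "Local User Account Created",
    "logsource": {"product": "windows", "service": "security"},
    "detection": {
        "selection": {"EventID": 4720},                  # 4720 = "A user account was created"
        "filter": {"TargetUserName|endswith": "$"},      # machine accounts end with '$'
        "condition": "selection and not filter",
    },
    "level": "medium",
}

# Sigma value modifiers (case-insensitive, as Sigma string matching is by default).
MODIFIERS = {
    "contains": lambda value, pat: pat.lower() in str(value).lower(),
    "startswith": lambda value, pat: str(value).lower().startswith(pat.lower()),
    "endswith": lambda value, pat: str(value).lower().endswith(pat.lower()),
    "re": lambda value, pat: re.search(pat, str(value)) is not None,
}


def _field_matches(event, key, pattern):
    """Match one 'Field|modifier': value entry; a list of values means any may match."""
    field, _, modifier = key.partition("|")
    if field not in event:
        return False
    value = event[field]
    for pat in pattern if isinstance(pattern, list) else [pattern]:
        if modifier:
            if MODIFIERS[modifier](value, pat):
                return True
        elif str(value).lower() == str(pat).lower():
            return True
    return False


def selection_matches(event, selection):
    """A map ANDs its fields; a list of maps ORs the maps (Sigma semantics)."""
    if isinstance(selection, list):
        return any(selection_matches(event, s) for s in selection)
    return all(_field_matches(event, k, v) for k, v in selection.items())


def evaluate_condition(condition, results):
    """Evaluate 'a and not (b or c)'-style conditions with Sigma precedence: not > and > or.
    Aggregations such as '1 of selection*' are not supported here and raise ValueError."""
    tokens = re.findall(r"\(|\)|\w+", condition)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def parse_or():
        nonlocal pos
        left = parse_and()
        while peek() == "or":
            pos += 1
            right = parse_and()
            left = left or right
        return left

    def parse_and():
        nonlocal pos
        left = parse_not()
        while peek() == "and":
            pos += 1
            right = parse_not()
            left = left and right
        return left

    def parse_not():
        nonlocal pos
        if peek() == "not":
            pos += 1
            return not parse_not()
        return parse_atom()

    def parse_atom():
        nonlocal pos
        tok = peek()
        if tok == "(":
            pos += 1
            val = parse_or()
            if peek() != ")":
                raise ValueError("unbalanced parenthesis in condition")
            pos += 1
            return val
        if tok is None or tok in ("and", "or", "not", ")"):
            raise ValueError(f"unexpected token {tok!r} in condition")
        if tok not in results:
            raise ValueError(f"unknown search identifier {tok!r}")
        pos += 1
        return results[tok]

    value = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in condition")
    return value


def rule_matches(rule, event):
    detection = rule["detection"]
    results = {name: selection_matches(event, sel)
               for name, sel in detection.items() if name != "condition"}
    return evaluate_condition(detection["condition"], results)


def run_rule(rule, events):
    """Return the events the rule alerts on."""
    return [e for e in events if rule_matches(rule, e)]


# Constructed sample events (not real log data): a real user creation, a machine-account
# creation that the filter should suppress, and an unrelated logon event.
SAMPLE_EVENTS = [
    {"EventID": 4720, "TargetUserName": "BanditYetiMini", "SubjectUserName": "Administrator"},
    {"EventID": 4720, "TargetUserName": "WKSTN01$", "SubjectUserName": "SYSTEM"},
    {"EventID": 4624, "TargetUserName": "BanditYetiMini", "LogonType": 3},
]

if __name__ == "__main__":
    for hit in run_rule(RULE, SAMPLE_EVENTS):
        print(f"[{RULE['level']}] {RULE['title']}: {hit}")
```

Only the first event fires: the second is excluded by the `filter` search (the `not filter` part of the condition), and the third never satisfies `selection`. In practice the same rule is written in YAML and converted with the Sigma tooling (sigmac or sigma-cli) into the target SIEM's query language, which is what makes the rule vendor-agnostic.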

Answers to the Questions

What is the Challenge #1 flag?

THM{n0t_just_your_u$ser}

From the Challenge 1 log, what user account was created?

BanditYetiMini

What is the Challenge #2 flag?

THM{wh@t_1s_Runn1ng_H3r3}

What was the User’s path in the Challenge #2 log file?

SIGMA_AOC2022\Bandit Yeti

What is the Challenge #3 flag?

THM{sch3dule_0npo1nt_101}

What was the MD5 hash associated with Challenge #3 logs?

2F6CE97FAF2D5EEA919E4393BDD416A7

If you want to support us, you can do so via the “buy me a Coffee” link given below.

WHOAMI > Security Researcher | Red Teamer | Competitive CTF Player. Learning new things every day & Helping aspiring hackers. twitter.com/LE0_Hak