Skip to content

Sigma Modifiers

Introduced in 2019, Sigma modifiers were incorporated into the Sigma specification, allowing detection engineers to perform more complex operations on Sigma rules. These operations, including Regex, Boolean logic, and cidr notation, are supported by most SIEMs.

Overview

The values of given fields contained within Sigma rules can be changed using Value Modifiers. Value modifiers (or more simply, "modifiers") are appended after the field name with a pipe character | to each field you want to modify.

Example:

yaml
detection:
    selection:
        TargetFilename|endswith: '.cmdline'
splunk
TargetFilename="*.cmdline"

Modifiers can also be chained together to perform more complex operations.

Available Field Modifiers

Below is a list of available field modifiers.


all

yaml
detection:
  selection:
    c-uri|contains|all:
      - "/ecp/default.aspx"
      - "__VIEWSTATEGENERATOR="
      - "__VIEWSTATE="
  condition: selection
splunk
"c-uri"="*/ecp/default.aspx*" \
    "c-uri"="*__VIEWSTATEGENERATOR=*" \
    "c-uri"="*__VIEWSTATE=*"

Normally, lists of values are linked with OR in the generated query.
The all modifier changes this to AND.

This modifier is useful if you want to express a command line invocation with different parameters where the order may vary and removes the need for some cumbersome workarounds.

Note:

Single item values are not allowed to have an all modifier as some backends cannot support it. If you use it as a workaround to duplicate a field in a selection, use a new selection instead.


base64 / base64offset

yaml
title: Base64 shell usage in HTTP web traffic
---
detection:
  selection:
    fieldname|base64offset|contains:
      - /bin/bash
      - /bin/sh
      - /bin/zsh
  condition: selection
splunk
fieldname="*L2Jpbi9iYXNo*" \
    OR fieldname="*9iaW4vYmFza*" \
    OR fieldname="*vYmluL2Jhc2*" \
    OR fieldname="*L2Jpbi9za*" \
    OR fieldname="*9iaW4vc2*" \
    OR fieldname="*vYmluL3No*" \
    OR fieldname="*L2Jpbi96c2*" \
    OR fieldname="*9iaW4venNo*" \
    OR fieldname="*vYmluL3pza*"

The base64 modifier-set will encode the provided values as base64 encoded strings. Often used alongside contains to identify malicious injection into applications.

This technique is often used by malicious actors to hide behaviour by executing commands, or sending HTTP parameters, using base64, sometimes preventing traditional detection methods.

Tip:

The base64offset modifier is usually preferred over the base64 modifier, because an ASCII value encoded into base64 can have 3 different offsets (or shifts) that can occur when completing the encoding process.


cidr

yaml
detection:
  selection:
    first_ip_address|cidr: 192.0.0.0/8
    second_ip_address|cidr: 192.168.0.0/23
splunk
*
| where cidrmatch("192.0.0.0/8", first_ip_address)
| where cidrmatch("192.168.0.0/23", second_ip_address)
yaml
detection:
  selection:
    ipaddress|cidr: 2a03:2880:f132:83:face:b00c::/96
splunk
*
| where cidrmatch("2a03:2880:f132:83:face:b00c::/96", ipaddress)

The cidr modifier allows for CIDR-formatted subnets to be used as field values, where any IPv4 or IPv6 addresses are supported.


contains

yaml
detection:
  selection:
    fieldname|contains: needle
splunk
fieldname="*needle*"

The contains modifier will insert a wildcard token (usually *) around the provided value(s), such that the value is matched anywhere in the field.


startswith

yaml
detection:
  selection:
    fieldname|startswith: needle
splunk
fieldname="needle*"

The startswith modifier will insert a wildcard token (usually *) at the start of the provided value(s), such that the value is matched at the beginning of the field.


endswith

yaml
detection:
  selection:
    fieldname|endswith: needle
splunk
fieldname="*needle"

The endswith modifier will insert a wildcard token (usually *) at the end of the provided value(s), such that the value is matched at the end of the field.


expand

yaml
title: Administrator Usage
logsource:
  product: windows
detection:
  selection:
    user|expand: "%administrator_name%"
  condition: selection
yaml
name: value_placeholder_pipeline
vars:
  administrator_name: Administrator
transformations:
  - type: value_placeholders
splunk
user="Administrator"

The expand modifier can be used with Sigma Pipelines in order to replace placeholder values with another value common across that processing pipeline.


gt

yaml
detection:
  selection:
    fieldname|gt: 15
splunk
fieldname>15

The gt modifier will provide a search where the value of fieldname is greater than the value provided.


gte

yaml
detection:
  selection:
    fieldname|gte: 15
splunk
fieldname>=15

The gte modifier will provide a search where the value of fieldname is greater than or equal to the value provided.


lt

yaml
detection:
  selection:
    fieldname|lt: 15
splunk
fieldname<15

The lt modifier will provide a search where the value of fieldname is less than the value provided.


lte

yaml
detection:
  selection:
    fieldname|lte: 15
splunk
fieldname<=15

The lte modifier will provide a search where the value of fieldname is less than or equal to the value provided.


re

yaml
detection:
  selection:
    fieldname|re: .*needle$
splunk
* | regex fieldname=".*needle$"

The re modifier will provide a search where the value of fieldname matches the provided regex.


utf16 / utf16le / utf16be / wide

yaml
detection:
  selection:
    CommandLine|wide|base64offset|contains: "ping"
splunk
CommandLine="*cABpAG4AZw*" \
  OR CommandLine="*AAaQBuAGcA*" \
  OR CommandLine="*wAGkAbgBnA*"

Prepends a byte order mark and encodes UTF16, (only used in combination with base64 modifiers)

Don't end with utf16, utf16le, utf16be or wide

The value modifier chain must not end with character set encoding modifiers (utf16, utf16le, utf16be and wide). The resulting values are internally represented as byte sequences instead of text strings and contain null characters which are usually difficult to handle in queries. Therefore the should be followed by an encoding modifier (base64, base64offset)


windash

yaml
detection:
  selection:
    fieldname|windash|contains:
      - " -param-name "
      - " -f "
splunk
fieldname="* -param-name *" OR fieldname="* /param-name *" \
OR fieldname="* -f *" OR fieldname="* /f *"

The windash modifier will convert any provided command-line arguments or flags to use both -, as well as /.

This is incredibly useful in the the Windows ecosystem, where Windows has two standards for passing arguments to commands, usually - for PowerShell (e.g. -a), and / for cmd.exe (e.g. /a), but a large number of commands will commonly accept both.