Sigma Modifiers
Introduced in 2019, Sigma modifiers were incorporated into the Sigma specification, allowing detection engineers to express more complex matching operations in Sigma rules. These operations, including regular expressions, Boolean logic and CIDR notation, are supported by most SIEMs.
Overview
The values of given fields contained within Sigma rules can be changed using Value Modifiers. Value modifiers (or more simply, "modifiers") are appended after the field name with a pipe character | to each field you want to modify.
Example:
detection:
  selection:
    TargetFilename|endswith: '.cmdline'
TargetFilename="*.cmdline"
Modifiers can also be chained together to perform more complex operations.
Available Field Modifiers
Below is a list of available field modifiers.
all
base64 / base64offset
cidr
contains
endswith
expand
gt
gte
lt
lte
re
startswith
utf16 / utf16le / utf16be / wide
windash
all
detection:
  selection:
    c-uri|contains|all:
      - "/ecp/default.aspx"
      - "__VIEWSTATEGENERATOR="
      - "__VIEWSTATE="
  condition: selection
"c-uri"="*/ecp/default.aspx*" \
"c-uri"="*__VIEWSTATEGENERATOR=*" \
"c-uri"="*__VIEWSTATE=*"
Normally, lists of values are linked with OR in the generated query. The all modifier changes this to AND.
This modifier is useful if you want to express a command line invocation with different parameters where the order may vary and removes the need for some cumbersome workarounds.
Note: Single item values are not allowed to have an all modifier, as some backends cannot support it. If you use it as a workaround to duplicate a field in a selection, use a new selection instead.
base64 / base64offset
title: Base64 shell usage in HTTP web traffic
---
detection:
  selection:
    fieldname|base64offset|contains:
      - /bin/bash
      - /bin/sh
      - /bin/zsh
  condition: selection
fieldname="*L2Jpbi9iYXNo*" \
OR fieldname="*9iaW4vYmFza*" \
OR fieldname="*vYmluL2Jhc2*" \
OR fieldname="*L2Jpbi9za*" \
OR fieldname="*9iaW4vc2*" \
OR fieldname="*vYmluL3No*" \
OR fieldname="*L2Jpbi96c2*" \
OR fieldname="*9iaW4venNo*" \
OR fieldname="*vYmluL3pza*"
The base64 modifier set encodes the provided values as base64 strings. It is often used alongside contains to identify malicious injection into applications.
This technique is often used by malicious actors to hide behaviour by executing commands, or sending HTTP parameters, encoded as base64, which sometimes defeats traditional detection methods.
Tip: The base64offset modifier is usually preferred over the base64 modifier, because an ASCII value encoded into base64 can appear at 3 different offsets (or shifts), depending on where the value starts inside the encoder's 3-byte groups.
cidr
detection:
  selection:
    first_ip_address|cidr: 192.0.0.0/8
    second_ip_address|cidr: 192.168.0.0/23
*
| where cidrmatch("192.0.0.0/8", first_ip_address)
| where cidrmatch("192.168.0.0/23", second_ip_address)
detection:
  selection:
    ipaddress|cidr: 2a03:2880:f132:83:face:b00c::/96
*
| where cidrmatch("2a03:2880:f132:83:face:b00c::/96", ipaddress)
The cidr modifier allows CIDR-formatted subnets to be used as field values; both IPv4 and IPv6 addresses are supported.
contains
detection:
  selection:
    fieldname|contains: needle
fieldname="*needle*"
The contains modifier will insert a wildcard token (usually *) around the provided value(s), such that the value is matched anywhere in the field.
startswith
detection:
  selection:
    fieldname|startswith: needle
fieldname="needle*"
The startswith modifier will insert a wildcard token (usually *) at the end of the provided value(s), such that the value is matched at the beginning of the field.
endswith
detection:
  selection:
    fieldname|endswith: needle
fieldname="*needle"
The endswith modifier will insert a wildcard token (usually *) at the start of the provided value(s), such that the value is matched at the end of the field.
expand
title: Administrator Usage
logsource:
  product: windows
detection:
  selection:
    user|expand: "%administrator_name%"
  condition: selection
name: value_placeholder_pipeline
vars:
  administrator_name: Administrator
transformations:
  - type: value_placeholders
user="Administrator"
The expand modifier can be used with Sigma Pipelines in order to replace placeholder values with another value common across that processing pipeline.
gt
detection:
  selection:
    fieldname|gt: 15
fieldname>15
The gt modifier will provide a search where the value of fieldname is greater than the value provided.
gte
detection:
  selection:
    fieldname|gte: 15
fieldname>=15
The gte modifier will provide a search where the value of fieldname is greater than or equal to the value provided.
lt
detection:
  selection:
    fieldname|lt: 15
fieldname<15
The lt modifier will provide a search where the value of fieldname is less than the value provided.
lte
detection:
  selection:
    fieldname|lte: 15
fieldname<=15
The lte modifier will provide a search where the value of fieldname is less than or equal to the value provided.
re
detection:
  selection:
    fieldname|re: .*needle$
* | regex fieldname=".*needle$"
The re modifier will provide a search where the value of fieldname matches the provided regular expression.
utf16 / utf16le / utf16be / wide
detection:
  selection:
    CommandLine|wide|base64offset|contains: "ping"
CommandLine="*cABpAG4AZw*" \
OR CommandLine="*AAaQBuAGcA*" \
OR CommandLine="*wAGkAbgBnA*"
Prepends a byte order mark and encodes the value as UTF-16 (only used in combination with the base64 modifiers).
Don't end with utf16, utf16le, utf16be or wide
The value modifier chain must not end with a character set encoding modifier (utf16, utf16le, utf16be or wide). The resulting values are internally represented as byte sequences instead of text strings and contain null characters, which are usually difficult to handle in queries. Therefore they should be followed by an encoding modifier (base64, base64offset).
windash
detection:
  selection:
    fieldname|windash|contains:
      - " -param-name "
      - " -f "
fieldname="* -param-name *" OR fieldname="* /param-name *" \
OR fieldname="* –param-name *" OR fieldname="* —param-name *" OR fieldname="* ―param-name *" \
OR fieldname="* -f *" OR fieldname="* /f *" \
OR fieldname="* –f *" OR fieldname="* —f *" OR fieldname="* ―f *"
The windash modifier will expand any provided command-line arguments or flags written with - so that they also match /, – (En Dash), — (Em Dash), and ― (Horizontal Bar).
This is incredibly useful in the Windows ecosystem, where Windows has two standards for passing arguments to commands, usually - for PowerShell (e.g. -a) and / for cmd.exe (e.g. /a), but a large number of commands will commonly accept both. Many tools, including PowerShell, will not only accept a normal hyphen, but also other similar-looking dashes like – (En Dash), — (Em Dash), and ― (Horizontal Bar).
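To show how a modifier chain turns into the queries on this page, here is an added example (not pySigma's own translator) covering the contains, startswith and endswith wildcards, the all modifier's switch from OR to AND described earlier, and the windash expansion just described. The flat query syntax and the helper names are illustrative assumptions.

```python
import re
from typing import Dict, List, Union

# Added example, not pySigma's own code: a minimal translator for one Sigma
# selection that applies the chain modifiers discussed on this page (contains,
# startswith, endswith, windash, all) and renders the wildcard query in the
# same style as the page's examples. Field names are assumed to need no
# escaping; the backend syntax is the illustrative one used on this page.
DASHES = ("-", "/", "\u2013", "\u2014", "\u2015")  # -, /, en dash, em dash, horizontal bar
# A '-' that starts a token (preceded by whitespace or start of string) and is
# followed by a word character; the '-' inside "param-name" is left alone.
FLAG_DASH = re.compile(r"(?<!\S)-(?=\w)")


def apply_windash(values: List[str]) -> List[str]:
    """Expand every flag dash into all variants Windows tools accept."""
    return [FLAG_DASH.sub(dash, v) for v in values for dash in DASHES]


def translate_selection(selection: Dict[str, Union[str, int, list]]) -> str:
    """Render {'field|mod|mod': value or [values]} as a query string."""
    clauses = []
    for key, raw in selection.items():
        field, *mods = key.split("|")
        values = [str(v) for v in (raw if isinstance(raw, list) else [raw])]
        if "all" in mods and len(values) < 2:
            raise ValueError(f"{key}: 'all' is only allowed on a list of values")
        for mod in mods:                       # the chain is applied left to right
            if mod == "windash":
                values = apply_windash(values)
            elif mod == "contains":
                values = [f"*{v}*" for v in values]
            elif mod == "startswith":
                values = [f"{v}*" for v in values]
            elif mod == "endswith":
                values = [f"*{v}" for v in values]
            elif mod != "all":
                raise ValueError(f"{key}: unsupported modifier '{mod}'")
        joiner = " AND " if "all" in mods else " OR "   # 'all' flips OR to AND
        terms = joiner.join(f'{field}="{v}"' for v in values)
        clauses.append(f"({terms})" if len(values) > 1 else terms)
    return " AND ".join(clauses)


if __name__ == "__main__":
    print(translate_selection({"c-uri|contains|all": [
        "/ecp/default.aspx", "__VIEWSTATEGENERATOR=", "__VIEWSTATE="]}))
    print(translate_selection({"fieldname|windash|contains": [" -param-name ", " -f "]}))
```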