CS0-003 | Chapter 43 of 100 | Objective 1.2

SIGMA and YARA Detection Rules

This chapter covers SIGMA and YARA detection rules, two essential tools for threat detection and incident response. For the CS0-003 exam, this topic appears in Domain 1: Security Operations, Objective 1.2: 'Given a scenario, analyze indicators of compromise and formulate an appropriate response.' Expect 2-3 questions on creating or interpreting YARA rules and 1-2 on SIGMA rules. Understanding these rules is critical because they enable automated detection of known threats and adversary behaviors across diverse environments.

25 min read
Intermediate
Updated May 31, 2026

SIGMA and YARA: Like a Wanted Poster vs. a Criminal Database

Imagine you are a security officer protecting a large office building. YARA rules are like wanted posters: each poster describes a specific criminal's unique features—tattoos, height, scars—using very precise language. You hang these posters at every entrance, and when someone walks in, you check if they match any poster. If they do, you stop them. This works great for known criminals, but if a criminal changes clothes or shaves, the poster might not match. Now, SIGMA rules are like a national criminal database that describes behaviors: 'A person enters the building, goes straight to the server room without badge access, then leaves quickly.' This description is generic—it doesn't name the person but describes what they do. You can share this description across all your buildings, and each building's security system translates it into their own access control rules. YARA is file-based and specific; SIGMA is log-based and generic. In practice, YARA scans files for byte sequences, while SIGMA describes log events (like Windows Event ID 4688 for process creation) that can be converted to SIEM queries (Splunk, Elastic) or EDR rules. Both are detection rules, but they operate at different levels: YARA at the file content level, SIGMA at the log event level.

How It Actually Works

What Are SIGMA and YARA Rules?

SIGMA and YARA are both rule-based detection languages, but they serve different purposes and operate at different layers of the detection stack. YARA (pattern-matching tool) is designed for file-based detection: it scans binary or text files for patterns such as byte sequences, strings, or regular expressions. SIGMA, on the other hand, is a generic signature format for log events. It describes suspicious behavior in a SIEM-agnostic way, allowing analysts to write detection rules once and convert them to multiple SIEM query languages (Splunk, Elasticsearch, QRadar, etc.).

How YARA Works Internally

YARA rules are written in a C-like syntax and consist of three main sections: meta, strings, and condition. The meta section contains metadata like author, description, and date. The strings section defines patterns to search for—for example, $a = "malware" or $b = { 6A 40 68 00 30 00 00 } (hex). The condition section specifies the logic for matching, such as $a at 0 or 2 of ($a,$b,$c). When YARA scans a file, it reads the file content into memory, then applies the rules sequentially. For each rule, it searches for the defined strings using the Aho-Corasick algorithm (for multiple patterns) and evaluates the condition. If the condition is true, the rule matches. YARA uses fast pattern matching and can handle large files efficiently.

Key Components of YARA

Strings: Can be text strings (case-sensitive), hex strings (byte sequences), or regular expressions. Example: $hex_string = { 4D 5A 90 00 } matches the MZ header of a PE file.

Condition: Supports Boolean operators (and, or, not), string-count and offset operators (#a gives the number of matches of $a, @a gives its offset), and keywords such as filesize, entrypoint, and for all of. Example: uint16(0) == 0x5A4D checks for the MZ header at offset 0.

Modules: YARA can import modules like pe (portable executable) and elf to inspect file structures. Example: pe.imports("kernel32.dll", "CreateProcess").

Performance: YARA uses compiled rules for faster scanning. The -c flag compiles rules into binary form.
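To make the scan-then-evaluate sequence above concrete, here is an added example (not YARA's own code and not from this chapter): a toy scanner that parses the strings: section of a rule in YARA syntax, locates every string in a byte blob, and only then evaluates the condition. It assumes nothing beyond the Python standard library; the rule text, the helper names (has, count, first, at, of, uint) and both byte blobs are constructed for illustration, and only text strings, hex strings with ?? wildcards, regex strings and the condition forms shown on this page are supported.

```python
"""Toy YARA-style scanner: parse strings:, find every string, then evaluate the
condition.  Added example, not YARA's code; rule and blobs are constructed."""
import re

RULE_TEXT = r'''
rule Suspicious_PE_Dropper
{
    meta:
        author = "added example"
        description = "MZ header plus loader markers (constructed rule)"
    strings:
        $mz  = { 4D 5A 90 00 }
        $api = "CreateProcess"
        $hex = { 6A 40 68 00 30 00 00 }
        $re  = /evil\.[a-z]+/
    condition:
        uint16(0) == 0x5A4D and $mz at 0 and 2 of ($api, $hex, $re) and filesize < 100KB
}
'''


def compile_strings(rule_text):
    """Turn each strings: entry into a bytes regex: text, hex (?? wildcard) or regex."""
    patterns = {}
    for name, body in re.findall(r'^\s*\$(\w+)\s*=\s*(".*?"|\{[^}]*\}|/.*/)\s*$', rule_text, re.M):
        if body.startswith('"'):
            pat = re.escape(body[1:-1].encode())
        elif body.startswith("{"):
            pat = b"".join(b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
                           for tok in body[1:-1].split())
        else:
            pat = body[1:-1].encode()
        patterns[name] = re.compile(pat, re.DOTALL)
    return patterns


def _quant(word, total):
    """'any' -> 1, 'all' -> total, '2' -> 2 for 'N of ...' quantifiers."""
    return {"any": 1, "all": total}.get(word) or int(word)


def translate(cond, names):
    """Rewrite a YARA condition as a Python expression over helper calls.
    Every token must match one of these forms, so nothing else reaches eval."""
    rules = [
        (r"(\d+|any|all)\s+of\s+\(([^)]*)\)",
         lambda m: f"of({_quant(m[1], len(m[2].split(',')))}, "
                   f"{tuple(s.strip().lstrip('$') for s in m[2].split(','))})"),
        (r"(\d+|any|all)\s+of\s+them", lambda m: f"of({_quant(m[1], len(names))}, {tuple(names)})"),
        (r"\$(\w+)\s+at\s+(\d+)", lambda m: f"at({m[1]!r}, {m[2]})"),
        (r"#(\w+)", lambda m: f"count({m[1]!r})"),
        (r"@(\w+)", lambda m: f"first({m[1]!r})"),
        (r"\$(\w+)", lambda m: f"has({m[1]!r})"),
        (r"uint(8|16|32)\((\d+)\)", lambda m: f"uint({m[1]}, {m[2]})"),
        (r"filesize", lambda m: "filesize"),
        (r"0x[0-9a-fA-F]+", lambda m: str(int(m[0], 16))),
        (r"(\d+)(KB|MB)?", lambda m: str(int(m[1]) * {"KB": 1024, "MB": 1 << 20, None: 1}[m[2]])),
        (r"and|or|not|==|!=|<=|>=|<|>|\(|\)", lambda m: m[0]),
        (r"\s+", lambda m: " "),
    ]
    out, pos = [], 0
    while pos < len(cond):
        for pat, fn in rules:
            m = re.compile(pat).match(cond, pos)
            if m:
                out.append(fn(m))
                pos = m.end()
                break
        else:
            raise SyntaxError(f"unsupported condition syntax at {cond[pos:]!r}")
    return "".join(out).strip()


def scan(rule_text, data):
    """Mimic the engine: locate every string once, then evaluate the condition."""
    patterns = compile_strings(rule_text)
    offs = {n: [m.start() for m in p.finditer(data)] for n, p in patterns.items()}
    cond = re.search(r"condition:\s*(.*?)\s*}", rule_text, re.S).group(1)
    helpers = {
        "has": lambda n: bool(offs[n]),
        "count": lambda n: len(offs[n]),                    # #x
        "first": lambda n: offs[n][0] if offs[n] else -1,   # @x (first offset)
        "at": lambda n, o: o in offs[n],                    # $x at N
        "of": lambda k, names: sum(1 for n in names if offs[n]) >= k,
        "uint": lambda bits, o: int.from_bytes(data[o:o + bits // 8], "little"),
        "filesize": len(data),
    }
    expr = translate(cond, list(patterns))
    return bool(eval(expr, {"__builtins__": {}}, helpers))  # only translator output


# Constructed byte blobs, not real files: a PE-like header plus the rule's markers.
DROPPER_BLOB = (b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"\x00" * 16
                + b"\x6a\x40\x68\x00\x30\x00\x00" + b"CreateProcessA\x00evil.dat\x00")
BENIGN_BLOB = b"MZ\x90\x00" + b"\x00" * 100 + b"CreateProcessA\x00"

if __name__ == "__main__":
    print("dropper:", scan(RULE_TEXT, DROPPER_BLOB), "benign:", scan(RULE_TEXT, BENIGN_BLOB))
```

The benign blob carries the MZ header and one API string, so only one of the three "2 of" strings hits and the rule stays quiet; the dropper blob hits all three. That is the tuning loop walk-through step 2 describes: run the rule over benign samples and tighten the condition until they no longer match.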

How SIGMA Works Internally

SIGMA rules are written in YAML format and describe log events using a generic field-value structure. Each rule has a title, description, logsource (e.g., product: windows, category: process_creation), and detection section. The detection section defines selection criteria using field names like EventID, Image, CommandLine and values. For example:

detection:
  selection:
    EventID: 4688
    Image|endswith: '\\cmd.exe'
  condition: selection

SIGMA rules are converted to SIEM queries using tools like sigmac (SIGMA converter). The converter maps the generic field names to the specific field names used by the target SIEM (e.g., EventID -> event_id in Elasticsearch). The resulting query can be executed against log data.

Key Components of SIGMA

Logsource: Defines the source of the logs (product, service, category). Common categories: process_creation, file_event, registry_event, network_connection.

Detection: Contains one or more selections (conditions) that define the malicious pattern. Selections can use modifiers like |contains, |endswith, |re (regex), |base64.

Condition: Specifies how selections are combined—e.g., selection1 and selection2, 1 of selection*, all of them.

Fields: SIGMA uses a standardized field naming convention. For Windows process creation, common fields are EventID, Image, CommandLine, ParentImage, ParentCommandLine.

Configuration and Verification

YARA: To create a rule, save it as a .yar file. To scan a file:

yara myrule.yar suspicious.exe

To scan a directory recursively:

yara -r myrule.yar /path/to/dir

To see which rule matched: yara -m myrule.yar file. For performance, compile rules: yara -c myrule.yar.

SIGMA: Rules are saved as .yml files. To convert a SIGMA rule to a Splunk query:

sigmac -t splunk -c config.yml myrule.yml

To convert to Elasticsearch:

sigmac -t es-rule -c config.yml myrule.yml

Verification is done by running the converted query against the SIEM and checking for matches.

Interaction with Related Technologies

YARA integrates with security tools like VirusTotal (for crowdsourced scanning), ClamAV (via libclamav), and many EDR solutions (e.g., CrowdStrike, SentinelOne) that support YARA scanning on endpoints. SIGMA rules are commonly used with SIEM platforms (Splunk, Elastic Security, Azure Sentinel) and can be shared via repositories like the SIGMA GitHub repository. Both are often used in conjunction: YARA for file-based detection (e.g., scanning malware samples), SIGMA for behavioral detection (e.g., detecting process injection via log events).

Walk-Through

1. Write a YARA Rule

Start by defining the rule's metadata: name, author, description, and date. Then define strings: text strings (e.g., `$s1 = "malicious"`), hex strings (e.g., `$h1 = { 6A 40 68 00 30 00 00 }`), or regex (e.g., `$r1 = /evil\..*/`). Finally, write the condition: `$s1` (match if string found), `2 of ($s1,$s2,$h1)`, or `all of them`. Use logical operators and functions like `filesize < 100KB` or `pe.sections[1].name == ".text"`. The rule is saved as a `.yar` file.

2. Test YARA Rule Locally

Use the `yara` command to test the rule against a sample file: `yara myrule.yar sample.exe`. If the rule matches, the output shows the rule name. Use `-m` to show matched strings, `-s` to print matching strings, and `-c` to compile the rule for faster scanning. For directories, use `-r`. Verify that false positives are minimal by testing against benign files. Adjust strings and conditions to reduce false positives.

3. Distribute YARA Rule to EDR

In enterprise environments, YARA rules are deployed to endpoints via EDR solutions. For example, in CrowdStrike, upload the rule via the Falcon console under 'Indicators of Attack' -> 'YARA'. The rule is then compiled and distributed to all sensors. When a file is created or executed, the sensor scans it with the rule. If it matches, an alert is generated. Monitor for performance impact: scanning large files can consume CPU.

4. Write a SIGMA Rule

Create a YAML file with fields: `title`, `id`, `status`, `description`, `references`, `author`, `date`, `logsource` (product, service, category), and `detection`. In detection, define a selection with field-value pairs, then define the condition. For example, to detect reg.exe used to modify startup:

detection:
  selection:
    Image|endswith: '\\reg.exe'
    CommandLine|contains: 'ADD'
    TargetObject|contains: 'Run'
  condition: selection

Optionally, add `falsepositives` and `level` (low, medium, high).

5. Convert and Deploy SIGMA Rule

Use the `sigmac` converter to transform the rule into a SIEM-specific query. For Splunk: `sigmac -t splunk -c config.yml myrule.yml`. The output is a Splunk search like `index=windows EventCode=4688 Image=*\\reg.exe CommandLine=*ADD*`. For Elastic: `sigmac -t es-rule ...` outputs an Elasticsearch query DSL. Deploy the query to the SIEM as a correlation rule or saved search. Test by triggering the behavior (e.g., run reg.exe add command) and verify alert fires.
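The two halves of the SIGMA story, evaluating a rule's detection section against log events (the "How SIGMA Works Internally" section) and converting it to a Splunk search with a field mapping (steps 4 and 5 above), as one added example. This is not sigmac or sigma-cli code and not from this chapter: the rule is a Python dict mirroring the YAML layout so no YAML parser is needed, `LOGSOURCE_MAP` and `FIELD_MAP` are constructed stand-ins for the converter's config file, `approved_installer.exe` is a placeholder for whatever known-good parent a team would exclude, and every sample event is made up.

```python
"""Toy Sigma-style evaluator and Splunk renderer.  Added example, not sigmac or
sigma-cli code: rules are dicts mirroring the YAML layout, the two maps stand in
for a converter config, and every sample event is constructed."""
import re

# Where each logsource lives in Splunk and which event field it implies
# (process_creation -> Windows Event ID 4688).  Constructed mapping.
LOGSOURCE_MAP = {("windows", "process_creation"):
                 {"splunk": "index=windows EventCode=4688", "fields": {"EventID": 4688}}}
FIELD_MAP = {"EventID": "EventCode"}  # generic Sigma name -> Splunk name (constructed)

# The rule sketched in walk-through step 4, plus a filter that excludes an
# approved installer (placeholder name) so the condition can use "and not".
REG_RUN_RULE = {
    "title": "Reg.exe adding a Run key value",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {"Image|endswith": "\\reg.exe",
                      "CommandLine|contains|all": ["ADD", "\\Run"]},
        "filter": {"ParentImage|endswith": "\\approved_installer.exe"},  # placeholder
        "condition": "selection and not filter",
    },
}


def _value_matches(mods, actual, expected):
    """Apply Sigma value modifiers; comparisons are case-insensitive like Sigma."""
    if "re" in mods:
        return re.search(str(expected), str(actual)) is not None
    a, e = str(actual).lower(), str(expected).lower()
    checks = {"contains": e in a, "endswith": a.endswith(e), "startswith": a.startswith(e)}
    return next((checks[m] for m in mods if m in checks), a == e)


def _selection_matches(selection, event):
    """Every key must match; list values are OR-ed unless the |all modifier is set."""
    for key, expected in selection.items():
        field, *mods = key.split("|")
        values = expected if isinstance(expected, list) else [expected]
        if field not in event:
            return False
        hits = [_value_matches(mods, event[field], v) for v in values]
        if not (all(hits) if "all" in mods else any(hits)):
            return False
    return True


def _eval_condition(cond, results):
    """Evaluate 'a and not b or c' (not > and > or; no parentheses in this toy)."""
    def term(t):
        t = t.strip()
        return not term(t[4:]) if t.startswith("not ") else results[t]
    return any(all(term(t) for t in clause.split(" and ")) for clause in cond.split(" or "))


def evaluate(rule, event):
    """True when the event belongs to the rule's logsource and its condition holds."""
    ls = rule["logsource"]
    implied = LOGSOURCE_MAP[(ls["product"], ls["category"])]["fields"]
    if any(event.get(f) != v for f, v in implied.items()):
        return False
    det = rule["detection"]
    results = {n: _selection_matches(s, event) for n, s in det.items() if n != "condition"}
    m = re.fullmatch(r"(1|all) of (them|(\w+)\*)", det["condition"])
    if m:  # quantifier forms: '1 of selection*', 'all of them'
        pool = [v for n, v in results.items() if m.group(2) == "them" or n.startswith(m.group(3))]
        return any(pool) if m.group(1) == "1" else all(pool)
    return _eval_condition(det["condition"], results)


def to_splunk(rule):
    """Render the rule as a Splunk search, mapping generic field names via FIELD_MAP."""
    wrap = {"contains": "*{}*", "endswith": "*{}", "startswith": "{}*"}

    def render(selection):
        parts = []
        for key, expected in selection.items():
            field, *mods = key.split("|")
            fmt = next((wrap[m] for m in mods if m in wrap), "{}")
            values = expected if isinstance(expected, list) else [expected]
            terms = [f"{FIELD_MAP.get(field, field)}={fmt.format(v)}" for v in values]
            joiner = " " if "all" in mods else " OR "  # Splunk ANDs adjacent terms
            parts.append(terms[0] if len(terms) == 1 else "(" + joiner.join(terms) + ")")
        return " ".join(parts)

    det = rule["detection"]
    keywords = {"and": "", "or": "OR", "not": "NOT"}
    words = [keywords[t] if t in keywords else "(" + render(det[t]) + ")"
             for t in det["condition"].split()]
    ls = rule["logsource"]
    prefix = LOGSOURCE_MAP[(ls["product"], ls["category"])]["splunk"]
    return prefix + " " + " ".join(w for w in words if w)


def _ev(event_id, image, parent, cmdline):
    return {"EventID": event_id, "Image": image, "ParentImage": parent, "CommandLine": cmdline}


SAMPLE_EVENTS = [  # constructed, not real telemetry
    _ev(4688, r"C:\Windows\System32\reg.exe", r"C:\Windows\System32\cmd.exe",
        r"reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /d C:\Users\Public\u.exe"),
    _ev(4688, r"C:\Windows\System32\reg.exe", r"C:\Temp\approved_installer.exe",
        r"reg.exe ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Agent /d C:\Agent\agent.exe"),
    _ev(4688, r"C:\Windows\System32\reg.exe", r"C:\Windows\System32\cmd.exe",
        r"reg.exe QUERY HKLM\Software\Microsoft\Windows\CurrentVersion\Run"),
    _ev(4624, r"C:\Windows\System32\reg.exe", r"C:\Windows\System32\cmd.exe",
        r"reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v X /d Y"),
]


def matching_events(rule=REG_RUN_RULE, events=SAMPLE_EVENTS):
    """Indexes of events that fire the rule; for the samples above only event 0."""
    return [i for i, ev in enumerate(events) if evaluate(rule, ev)]


if __name__ == "__main__":
    print(to_splunk(REG_RUN_RULE), matching_events())
```

Of the four constructed events only the first alerts: the second is the same command launched by the excluded parent, the third is a QUERY rather than an ADD, and the fourth is a 4624 logon event that never belongs to the process_creation logsource. The rendered search carries `index=windows EventCode=4688` from the logsource mapping rather than from the rule, which is why the page's walk-through output contains EventCode=4688 although the selection never names EventID.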

What This Looks Like on the Job

Scenario 1: Detecting Ransomware in a SOC

A SOC analyst needs to detect ransomware that encrypts files and drops a ransom note. They write a YARA rule that looks for the ransom note filename (e.g., DECRYPT.txt) and common encryption patterns (e.g., $a = { 6A 40 68 00 30 00 00 } for AES key scheduling). The rule is deployed to all endpoints via the EDR. When a user downloads a malicious executable, the endpoint scanner flags it within seconds. The SOC receives an alert and can quarantine the file before execution. Common issue: false positives from legitimate encryption software (e.g., VeraCrypt). Mitigation: add exclusion for known good software hashes.

Scenario 2: Detecting Lateral Movement with SIGMA

A blue team wants to detect pass-the-hash attacks. They write a SIGMA rule that monitors Windows Security Event ID 4624 (logon) with LogonType 3 (network) and a specific authentication package (NTLM). The rule is converted to a Splunk query and deployed. When an attacker uses Mimikatz to perform a pass-the-hash, the SIEM alerts. However, the rule may generate false positives from legitimate network logins. To reduce noise, they add a condition to exclude known admin workstations. Performance: the query must be efficient to avoid high CPU on the SIEM; use indexed fields.

Scenario 3: Threat Hunting with YARA and SIGMA Combined

During an incident response, analysts receive a suspicious PowerShell script. They run a YARA rule on the script to identify known obfuscation patterns (e.g., base64 strings, encoding functions). The rule matches, confirming malware. Next, they write a SIGMA rule to detect similar PowerShell execution across the environment: EventID: 4688 and Image: *\\powershell.exe and CommandLine: *-EncodedCommand*. This rule is converted and deployed to the SIEM, revealing three other compromised hosts. The combination of file-level (YARA) and behavioral (SIGMA) detection provides comprehensive coverage.

How CS0-003 Actually Tests This

The CS0-003 exam tests Objective 1.2: 'Given a scenario, analyze indicators of compromise and formulate an appropriate response.' Questions on YARA and SIGMA typically appear as scenario-based multiple-choice. You may be asked to identify the correct YARA rule syntax for a given IoC, or to choose the appropriate detection method (YARA vs. SIGMA) for a specific situation.

Common Wrong Answers:

1. Confusing YARA and SIGMA syntax: Many candidates mix up YARA's strings and condition with SIGMA's detection and logsource. Remember: YARA uses strings: and condition:, while SIGMA uses detection: and logsource:.

2. Choosing YARA for log-based detection: YARA scans files, not logs. If the scenario describes detecting a pattern in log events (e.g., Event ID 4688), the answer is SIGMA, not YARA.

3. Forgetting SIGMA requires conversion: SIGMA rules are not directly executable; they must be converted to a SIEM-specific query. A distractor might say 'SIGMA rules are directly imported into Splunk' – wrong.

4. Misunderstanding YARA modules: The exam may test knowledge of the pe module for PE file analysis. A common trap is using elf for Windows executables.

Specific Numbers and Terms:

- YARA string types: text strings (double quotes), hex strings (curly braces), regex (forward slashes).
- SIGMA logsource categories: process_creation, file_event, registry_event, network_connection.
- SIGMA field modifiers: |contains, |endswith, |startswith, |re, |base64.
- YARA condition: uint16(0) == 0x5A4D (MZ header), pe.imports("kernel32.dll", "CreateProcess").

Edge Cases:

- YARA can use for all of to require all strings to match, but any of is the default.
- SIGMA can define multiple selections and combine them with and/or. The condition 1 of selection* means any selection.
- Both rules can be used together: YARA for file scanning, SIGMA for behavioral detection.

How to Eliminate Wrong Answers:

- If the question mentions 'file' or 'binary', think YARA.
- If it mentions 'log', 'event', 'SIEM', think SIGMA.
- If a rule has strings: and condition:, it's YARA. If it has logsource: and detection:, it's SIGMA.
- Look for keywords like 'process creation', 'Event ID', 'CommandLine' – these are SIGMA fields.

Key Takeaways

YARA rules consist of meta, strings, and condition sections; strings can be text, hex, or regex.

SIGMA rules are YAML files with logsource, detection, and condition; they must be converted to SIEM-specific queries.

Use YARA for file-based detection (malware samples, documents); use SIGMA for log-based detection (process creation, network events).

YARA's `pe` module can inspect PE headers, imports, and sections; e.g., `pe.imports("kernel32.dll", "CreateProcess")`.

SIGMA logsource categories: process_creation, file_event, registry_event, network_connection; each maps to specific Windows Event IDs.

Common YARA condition: `$a at 0` (string at offset 0), `2 of them`, `all of them`, `filesize < 1MB`.

Common SIGMA condition: `selection` (single), `1 of selection*` (any), `all of them` (all).

YARA uses Aho-Corasick algorithm for fast multi-pattern matching; compiled rules (.yarc) improve performance.

SIGMA converter (`sigmac`) supports multiple targets: splunk, es-rule, qradar, elk, etc.

Both YARA and SIGMA are open-source and widely used in threat intelligence sharing (e.g., YARA rules on VirusTotal, SIGMA rules on GitHub).

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

YARA

Scans file content (byte sequences, strings, regex).

Syntax uses `strings:` and `condition:` sections.

Deployed to endpoints via EDR or standalone scanner.

Supports modules like `pe` and `elf` for structured analysis.

Output: rule match (file is malicious or not).

SIGMA

Describes log events (field-value pairs from SIEM logs).

Syntax uses `logsource:` and `detection:` sections.

Converted to SIEM queries (Splunk, Elastic, etc.).

Supports field modifiers like `|contains`, `|endswith`.

Output: SIEM alert when log matches the rule.

Watch Out for These

Mistake

YARA rules can detect malware by analyzing network traffic.

Correct

YARA is designed for file scanning (binaries, documents, scripts), not network packets. For network traffic, use Snort/Suricata rules or Zeek scripts.

Mistake

SIGMA rules can be directly executed on endpoints without a SIEM.

Correct

SIGMA rules are generic signatures that must be converted to SIEM-specific queries (Splunk, Elastic) or EDR rules. They are not standalone executables.

Mistake

YARA rules only match exact byte sequences; they cannot use regular expressions.

Correct

YARA supports regular expressions in strings using forward slashes, e.g., `$re = /evil\..*/`.

Mistake

SIGMA rules use the same field names across all SIEMs without conversion.

Correct

SIGMA uses generic field names (e.g., `EventID`) that must be mapped to SIEM-specific fields via a configuration file during conversion.

Mistake

YARA and SIGMA are interchangeable; you can use either for any detection scenario.

Correct

YARA is for file content; SIGMA is for log events. They complement each other but are not interchangeable. Choose based on the data source.


Frequently Asked Questions

What is the difference between YARA and SIGMA rules?

YARA rules detect patterns in file content (binary or text), while SIGMA rules detect patterns in log events. YARA is used for scanning files on endpoints or in malware analysis; SIGMA is used for converting detection logic into SIEM queries. For the CS0-003 exam, remember: YARA = file, SIGMA = log.

How do I write a YARA rule to detect a specific string in a file?

Use the `strings` section to define the string and the `condition` to require it. Example: `rule DetectString { strings: $s = "malicious" condition: $s }`. Save as `.yar` and run `yara rule.yar file.exe`.

Can SIGMA rules be used without a SIEM?

SIGMA rules are designed to be converted to SIEM queries. Without a SIEM, you cannot execute them directly. However, some EDR tools may support SIGMA-like rules natively. For the exam, assume SIGMA requires a SIEM.

What is the purpose of the `logsource` field in a SIGMA rule?

The `logsource` field specifies the source of the logs (e.g., product: windows, category: process_creation). This determines which logs the rule applies to and helps the converter map fields correctly. For example, `logsource: product: windows, category: process_creation` maps to Windows Event ID 4688.

How do I test a YARA rule against multiple files?

Use the `-r` flag for recursive directory scanning: `yara -r myrule.yar /path/to/dir`. To see which strings matched, use `-m` or `-s`. For performance, compile the rule first with `-c`.

What are common YARA modules and how are they used?

Common modules: `pe` (Windows PE files), `elf` (Linux ELF), `math` (arithmetic). Example: `import "pe"` then use `pe.imports("kernel32.dll", "CreateProcess")` to detect imports. Modules allow inspecting file structure beyond raw bytes.

How do I convert a SIGMA rule to a Splunk query?

Use the `sigmac` tool: `sigmac -t splunk -c config.yml myrule.yml`. The output is a Splunk search string. The config file maps generic fields to Splunk field names. Example output: `index=windows EventCode=4688 Image=*\\cmd.exe`.
