Introduction

This book teaches threat detection with Sigma.

The source code is available here.

🚧 The book is still under construction. New chapters will be added and the existing ones might be modified.

References

auditd overview

auditd is Linux’s built-in auditing system. You write rules with auditctl and it logs kernel-level events (syscalls, file access, process execution, etc.). It is the go-to for getting visibility into what is actually happening on a Linux box.

Detecting competitor botnet cleanup with auditd

Mirai variants actively compete for control of infected devices. In SORA’s source code, mw_init_killer iterates through /proc, reads the /proc/[pid]/exe symlink for each running process and checks if the path contains .anime (a marker for the rival Anime botnet). If it finds a match, it deletes the binary (unlink) and kills the process with SIGKILL. With auditd, we can detect the deletion step by watching for unlink/unlinkat syscalls where the path contains .anime. Since auditd logs the syscall and the file path as separate records sharing the same event ID, detection relies on correlation at the SIEM level.

First, we need to log file deletions:

$ sudo auditctl -D
$ sudo auditctl -a always,exit -S unlink -S unlinkat -k delete

Test the rule:

$ touch .anime
$ rm .anime
$ sudo tail -f /var/log/audit/audit.log
...
type=SYSCALL msg=audit(1770665675.730:2022): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=562a95d7e4a0 a2=0 a3=0 items=2 ppid=3194 pid=40941 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="rm" exe="/usr/bin/rm" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="delete"ARCH=x86_64 SYSCALL=unlinkat AUID="gemesa" UID="gemesa" GID="gemesa" EUID="gemesa" SUID="gemesa" FSUID="gemesa" EGID="gemesa" SGID="gemesa" FSGID="gemesa"
type=CWD msg=audit(1770665675.730:2022): cwd="/home/gemesa"
type=PATH msg=audit(1770665675.730:2022): item=0 name="/home/gemesa" inode=257 dev=00:20 mode=040700 ouid=1000 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_home_dir_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="gemesa" OGID="gemesa"
type=PATH msg=audit(1770665675.730:2022): item=1 name=".anime" inode=1318807 dev=00:20 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="gemesa" OGID="gemesa"
type=PROCTITLE msg=audit(1770665675.730:2022): proctitle=726D002E616E696D65
...

Then, we can filter the logs via Sigma. The record types and fields can be found here. In this case, we filter for type SYSCALL with field syscall (unlink/unlinkat) and type PATH with field name (.anime).

# Rule 1: unlink syscalls
title: Auditd - unlink/unlinkat syscall
logsource:
  product: linux
  service: auditd
detection:
  selection:
    type: SYSCALL
    syscall:
      - unlink
      - unlinkat
  condition: selection
# Rule 2: .anime in path
title: Auditd - .anime file path
logsource:
  product: linux
  service: auditd
detection:
  selection:
    type: PATH
    name|contains: ".anime"
  condition: selection
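The two rules above match different record types of the same audit event, so something still has to join them on the event ID. The following script is an added example (not from the book or the Sigma project) that does this join over constructed audit.log lines modelled on the excerpt above; it assumes x86_64 syscall numbers when the enriched `SYSCALL=` name is absent.

```python
import re
from collections import defaultdict

# x86_64 (arch=c000003e) numbers for the two deletion syscalls in Rule 1.
X86_64_SYSCALLS = {"87": "unlink", "263": "unlinkat"}
EVENT_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<id>\d+)\): (?P<body>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample, shortened from the audit.log excerpt above. Event 2022 is the
# .anime deletion, 2023 deletes an unrelated file, 2024 only opens .anime (openat=257).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1770665675.730:2022): arch=c000003e syscall=263 success=yes exit=0 items=2 pid=40941 auid=1000 uid=1000 comm="rm" exe="/usr/bin/rm" key="delete"
type=CWD msg=audit(1770665675.730:2022): cwd="/home/gemesa"
type=PATH msg=audit(1770665675.730:2022): item=0 name="/home/gemesa" nametype=PARENT
type=PATH msg=audit(1770665675.730:2022): item=1 name=".anime" nametype=DELETE
type=SYSCALL msg=audit(1770665680.101:2023): arch=c000003e syscall=263 success=yes exit=0 items=2 pid=40950 auid=1000 uid=1000 comm="rm" exe="/usr/bin/rm" key="delete"
type=PATH msg=audit(1770665680.101:2023): item=1 name="notes.txt" nametype=DELETE
type=SYSCALL msg=audit(1770665690.202:2024): arch=c000003e syscall=257 success=yes exit=3 items=1 pid=40960 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat"
type=PATH msg=audit(1770665690.202:2024): item=0 name=".anime" nametype=NORMAL
"""

def parse_record(line):
    """Split one audit.log line into (event_id, record_type, {field: value})."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("body"))}
    return m.group("id"), m.group("type"), fields

def group_events(lines):
    """Collect every record that shares an audit event ID, as the SIEM has to."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[rec[0]].append((rec[1], rec[2]))
    return events

def find_anime_deletions(lines, marker=".anime"):
    """Event IDs where Rule 1 (unlink/unlinkat SYSCALL record) and Rule 2
    (PATH record whose name contains the marker) both hold for the same event."""
    hits = []
    for event_id, records in group_events(lines).items():
        is_unlink = any(
            t == "SYSCALL"
            and (f.get("SYSCALL") or X86_64_SYSCALLS.get(f.get("syscall"))) in ("unlink", "unlinkat")
            for t, f in records)
        marker_path = any(t == "PATH" and marker in f.get("name", "") for t, f in records)
        if is_unlink and marker_path:
            hits.append(event_id)
    return hits

if __name__ == "__main__":
    print(find_anime_deletions(SAMPLE_LOG.splitlines()))  # ['2022']
```

Only event 2022 fires: 2023 satisfies Rule 1 alone and 2024 satisfies Rule 2 alone, which is why neither rule is an alert by itself.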

Sysmon overview

Sysmon is a Sysinternals tool that enhances Windows logging. Out of the box, Windows event logs are pretty bare. Sysmon fills the gaps with process creation, network connections, file changes, etc. You configure what to capture via XML config files.

Detecting Remcos registry values with Sysmon

Remcos variants set different registry values for persistence. We can detect the creation of these values by watching the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run registry key.

We can use the following simple Sysmon config for this purpose:

<Sysmon schemaversion="4.90">
  <EventFiltering>
    <RuleGroup groupRelation="or">
      <RegistryEvent onmatch="include">
        <TargetObject condition="contains">\Software\Microsoft\Windows\CurrentVersion\Run</TargetObject>
      </RegistryEvent>
    </RuleGroup>
  </EventFiltering>
</Sysmon>

Register and start sysmon:

> sysmon64.exe -accepteula -i sysmonconfig.xml

Add a registry value:

> Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "Rmc" -Value "remcos.exe"

Check the sysmon logs:

> Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" -FilterXPath "*[System[EventID=12 or EventID=13 or EventID=14]]" -MaxEvents 5 | Format-List
TimeCreated  : 2/9/2026 9:10:05 PM
ProviderName : Microsoft-Windows-Sysmon
Id           : 13
Message      : Registry value set:
               RuleName: -
               EventType: SetValue
               UtcTime: 2026-02-09 20:10:05.546
               ProcessGuid: {d2b54b40-f1e3-6989-430c-0c0000003800}
               ProcessId: 47960
               Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
               TargetObject: HKU\S-1-5-21-2185766489-2577382833-530242202-2112\Software\Microsoft\Windows\CurrentVersion\Run\Rmc
               Details: remcos.exe
               User: HIGHTEC\agemes

Then, we can filter the logs via Sigma. The record types and fields can be found here. Alternatively, the config schema can be printed via sysmon64 -s > sysmon_schema.xml. In this case, we filter for the TargetObject and Details fields.

title: Remcos RAT registry persistence
logsource:
  category: registry_set
  product: windows
detection:
  selection_path:
    TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\Run\'
  selection_remcos:
    Details|contains:
      - "remcos"
  condition: selection_path and selection_remcos

The Sigma rule can be verified via Chainsaw.

> wevtutil epl "Microsoft-Windows-Sysmon/Operational" C:\Users\agemes\tmp\sysmon.evtx
> chainsaw.exe hunt C:\Users\agemes\tmp\sysmon.evtx -s remcos.yml --mapping C:\Users\agemes\git-repos\chainsaw\mappings\sigma-event-logs-all.yml

    By WithSecure Countercept (@FranticTyping, @AlexKornitzer)

[+] Loading detection rules from: remcos.yml
[+] Loaded 1 detection rules
[+] Loading forensic artefacts from: C:\Users\agemes\tmp\sysmon.evtx (extensions: .evtx, .evt)
[+] Loaded 1 forensic artefacts (62.1 MiB)
[+] Current Artifact: C:\Users\agemes\tmp\sysmon.evtx
[+] Hunting [========================================] 1/1 - [00:00:01]
[+] Group: Sigma
┌─────────────────────┬───────────────────────────────────┬───────┬──────────────────────────┬──────────┬───────────┬───────────────────────┬────────────────────────────────┐
│      timestamp      │            detections             │ count │  Event.System.Provider   │ Event ID │ Record ID │       Computer        │           Event Data           │
├─────────────────────┼───────────────────────────────────┼───────┼──────────────────────────┼──────────┼───────────┼───────────────────────┼────────────────────────────────┤
│ 2026-02-09 20:06:30 │ + Remcos RAT registry persistence │ 1     │ Microsoft-Windows-Sysmon │ 13       │ 95515     │ HTNB-3006.hightec.htc │ Image: C:\Windows\System32\Win │
│                     │                                   │       │                          │          │           │                       │ dowsPowerShell\v1.0\powershell │
│                     │                                   │       │                          │          │           │                       │ .exe                           │
│                     │                                   │       │                          │          │           │                       │ TargetObject: HKU\S-1-5-21-218 │
│                     │                                   │       │                          │          │           │                       │ 5766489-2577382833-530242202-2 │
│                     │                                   │       │                          │          │           │                       │ 112\Software\Microsoft\Windows │
│                     │                                   │       │                          │          │           │                       │ \CurrentVersion\Run\Rmc        │
│                     │                                   │       │                          │          │           │                       │ RuleName: '-'                  │
│                     │                                   │       │                          │          │           │                       │ EventType: SetValue            │
│                     │                                   │       │                          │          │           │                       │ ProcessId: 47960               │
│                     │                                   │       │                          │          │           │                       │ ProcessGuid: D2B54B40-F1E3-698 │
│                     │                                   │       │                          │          │           │                       │ 9-430C-0C0000003800            │
│                     │                                   │       │                          │          │           │                       │ User: HIGHTEC\agemes           │
│                     │                                   │       │                          │          │           │                       │ UtcTime: 2026-02-09 20:06:30.8 │
│                     │                                   │       │                          │          │           │                       │ 28                             │
│                     │                                   │       │                          │          │           │                       │ Details: remcos.exe            │
├─────────────────────┼───────────────────────────────────┼───────┼──────────────────────────┼──────────┼───────────┼───────────────────────┼────────────────────────────────┤
│ 2026-02-09 20:10:05 │ + Remcos RAT registry persistence │ 1     │ Microsoft-Windows-Sysmon │ 13       │ 96317     │ HTNB-3006.hightec.htc │ Image: C:\Windows\System32\Win │
│                     │                                   │       │                          │          │           │                       │ dowsPowerShell\v1.0\powershell │
│                     │                                   │       │                          │          │           │                       │ .exe                           │
│                     │                                   │       │                          │          │           │                       │ TargetObject: HKU\S-1-5-21-218 │
│                     │                                   │       │                          │          │           │                       │ 5766489-2577382833-530242202-2 │
│                     │                                   │       │                          │          │           │                       │ 112\Software\Microsoft\Windows │
│                     │                                   │       │                          │          │           │                       │ \CurrentVersion\Run\Rmc        │
│                     │                                   │       │                          │          │           │                       │ RuleName: '-'                  │
│                     │                                   │       │                          │          │           │                       │ EventType: SetValue            │
│                     │                                   │       │                          │          │           │                       │ ProcessId: 47960               │
│                     │                                   │       │                          │          │           │                       │ ProcessGuid: D2B54B40-F1E3-698 │
│                     │                                   │       │                          │          │           │                       │ 9-430C-0C0000003800            │
│                     │                                   │       │                          │          │           │                       │ User: HIGHTEC\agemes           │
│                     │                                   │       │                          │          │           │                       │ UtcTime: 2026-02-09 20:10:05.5 │
│                     │                                   │       │                          │          │           │                       │ 46                             │
│                     │                                   │       │                          │          │           │                       │ Details: remcos.exe            │
└─────────────────────┴───────────────────────────────────┴───────┴──────────────────────────┴──────────┴───────────┴───────────────────────┴────────────────────────────────┘

[+] 2 Detections found on 2 documents