Security BSides Las Vegas 2025

SIGMA, one rule to find them all
2025-08-04, Firenze

SIGMA rules are an agnostic, text-based, open signature format written in YAML for creating threat detections, developed and open-sourced in 2017 by Florian Roth and Thomas Patzke. The project was conceived to address the challenges analysts face when sharing and translating rule logic across the various SIEM and EDR tools.
I will share with you how I implemented the gift of SIGMAs in our hunting workflow to assist with sniffing out gremlins hiding in the network. I will walk through the SIGMA creation process, sharing tips on how to tackle some of the challenges you might run into in real life when working with SIGMA. Hopefully my story can prove helpful for you, whether you are looking for ways to mature and streamline your hunting programs or just getting started playing around with Sigma.


"The Gremlin Hunter" project was developed to solve the challenges I had with searching in a consistent way that could be tracked, and then acting on that information to produce actionable intelligence. Together with my team, I developed a process modeled on a "guided" hunt framework, following the Intelligence Lifecycle. The hunts are developed using OSINT and internal research from our CTI team, which I put into the SIGMA rule format. I then input the rules into our MISP instance, where we use pySIGMA to process and translate them. The rules are then sent over to our ticketing system, where they are distributed weekly to the hunting team.
The hunt team takes the queries that are translated and tests them in the environments, running them to hunt for whatever evil it is they are looking for. Final queries that are deemed production worthy are submitted to our engineering team to deploy as permanent detections.
The training will include showing our guided hunt workflow setup, demonstrating the process I used to create a SIGMA rule to hunt for a particular threat or activity, and some tips and hints on how to overcome the challenges of writing rules.
Avatar of Gremlin Hunter is art by Phil Cho https://www.philchoart.com/featured/2020/11/13/gizmo-gremlin-hunter-earth-27-commission

HD Moore is a pioneer of the cybersecurity industry who has dedicated his career to vulnerability research, network discovery, and software development since the 1990s. He is most recognized for creating Metasploit and is a passionate advocate for open-source software and vulnerability disclosure.

HD serves as the CEO and co-founder of runZero, a provider of cutting-edge exposure management software and cloud services. Prior to founding runZero, he held leadership positions at Atredis Partners, Rapid7, and BreakingPoint. HD has also been a frequent speaker at industry events such as Black Hat and DEF CON.

HD’s professional journey began with exploring telephone networks, developing exploits for the Department of Defense, and hacking into financial institution networks. When he’s not working, he enjoys hacking on weird Go projects, building janky electronics, running in circles, and playing single-player RPGs.


Gremlin hunter, kitten and puppy wrangler, snickers fan.
Came into the field of cybersecurity a bit later in life after shifting into the field from a background in philosophy, psychology, and conflict resolution, which have given me a unique perspective.
I enjoy solving puzzles and scavenger hunts, so this kinda work suits me well.
I started in cyber in late 2016 and have been working in the field ever since. I have worked for a few state government agencies doing a bit of everything, security administration, awareness training, vulnerability testing, and incident response. I moved to the private sector and I am now working for a company that supports both public and private sector customers.
My roles have included SOC analyst tier I and II, and now I work with my company's Cyber Threat Intelligence team as a cyber threat analyst and cybersecurity content engineer.
