Week 28 – Detection Engineering
Week 28: Turning malware behaviors into actionable detections across YARA, Sigma, Suricata, and Wazuh.

Overview

What you will accomplish

This week focuses on detection engineering — transforming your malware analysis findings into detection logic that can be deployed across your SIEM, IDS, and endpoint monitoring stack. You will write YARA rules, Sigma rules, Suricata signatures, and Wazuh decoders based on the IOCs and behavioral patterns identified in Weeks 26 and 27.

  • Create YARA rules based on static indicators.
  • Create Sigma rules based on Sysmon telemetry.
  • Create Suricata rules based on network behavior.
  • Create Wazuh decoders and rules for custom log patterns.
  • Validate detections using your malware samples.
  • Document detection logic and prepare for Month 8.

1. Build YARA Rules from Static Analysis Findings

This activity converts your static analysis findings from Week 26 into YARA rules. These rules detect malware based on strings, PE structure, metadata, and byte patterns.

  1. Create a new YARA rule file
    C:\Malware-Analysis\Detections\yara\sample001.yar
                
  2. Add metadata
    rule sample001_static {
      meta:
        author = "Mark"
        description = "Detects sample001 based on static indicators"
        date = "2026-04-21"
                
  3. Add string indicators
    Use strings extracted from FLOSS. Inside a YARA text string one backslash is written as "\\", so a Windows path separator needs exactly two backslashes:
      strings:
        $s1 = "malicious_function"
        $s2 = "C:\\Temp\\payload.bin"
        $s3 = "POST /command"
                
  4. Add PE structural indicators
        $pe1 = { 4D 5A }       // "MZ" DOS header magic
        $pe2 = { 50 45 00 00 } // "PE\0\0" NT header signature
                
  5. Define condition
    Anchor the two magics to their real offsets (0, and e_lfanew read from offset 0x3C) and require a string indicator as well. A condition of "any of ($s*) or all of ($pe*)" would match every PE file on the host, because both magics appear somewhere in all of them:
      condition:
        $pe1 at 0 and $pe2 at uint32(0x3C) and any of ($s*)
    }
                
  6. Test rule against sample
    yara64.exe -s sample001.yar C:\Malware-Analysis\Samples\sample001.exe
    (-s prints the strings that matched, which shows which indicator carried the detection)
                
  7. Document YARA rule
    Save:
    C:\Malware-Analysis\Reports\sample001-yara-rule.txt
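To see why the header checks belong at fixed offsets, this added script (not part of the course) mirrors the rule's condition in Python with the magics anchored at offset 0 and e_lfanew, beside the unanchored form, and runs both over constructed buffers: a fake PE carrying one indicator, a benign PE, and a text file that merely mentions the magics.

```python
import struct

# String indicators from the sample001_static rule (the course's illustrative values).
STRING_INDICATORS = [b"malicious_function", b"C:\\Temp\\payload.bin", b"POST /command"]


def matches_sample001_static(data: bytes) -> bool:
    """Anchored condition: "MZ" at offset 0, "PE\\0\\0" at e_lfanew (the
    dword at 0x3C) and at least one string indicator anywhere in the file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return False
    return any(s in data for s in STRING_INDICATORS)


def matches_unanchored(data: bytes) -> bool:
    """What "any of ($s*) or all of ($pe*)" means: the two magics found
    anywhere are enough, so every PE (and many non-PE files) match."""
    return any(s in data for s in STRING_INDICATORS) or (
        b"MZ" in data and b"PE\x00\x00" in data
    )


def build_fake_pe(payload: bytes) -> bytes:
    """Constructed minimal PE-shaped buffer: DOS header with e_lfanew = 0x80,
    the NT signature at 0x80, then the payload bytes."""
    header = bytearray(0x80)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x80)
    return bytes(header) + b"PE\x00\x00" + payload


# Constructed inputs (not real files).
SAMPLE = build_fake_pe(b"...POST /command HTTP/1.1...")
BENIGN_PE = build_fake_pe(b"nothing suspicious here")
TEXT_FILE = b"The strings MZ and PE\x00\x00 are PE header magics, not malware"

if __name__ == "__main__":
    for name, blob in [("sample", SAMPLE), ("benign", BENIGN_PE), ("text", TEXT_FILE)]:
        print(f"{name:7s} anchored={matches_sample001_static(blob)} "
              f"unanchored={matches_unanchored(blob)}")
```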
                
2. Build Sigma Rules from Sysmon Telemetry

This activity converts your dynamic analysis findings from Week 27 into Sigma rules. These rules detect malicious behavior in Sysmon logs and can be converted into SIEM‑specific queries.

  1. Create a new Sigma rule file
    C:\Malware-Analysis\Detections\sigma\sample001.yml
                
  2. Add rule metadata
    The Sigma specification requires id to be a UUID (sigma check rejects anything else); generate a fresh one per rule with uuidgen and replace the placeholder below.
    title: "Sample001 Process Behavior"
    id: 11111111-2222-4333-8444-555555555555   # placeholder UUID, replace with your own
    status: experimental
    description: Detects process behavior associated with sample001
    author: Mark
    logsource:
      product: windows
      service: sysmon
    detection:
                
  3. Add process creation indicators
      selection_process:
        EventID: 1
        Image|endswith: "sample001.exe"
                
  4. Add registry modification indicators
    Tie the registry write to the sample's image; TargetObject|contains: "Run" on its own fires on every Run-key write from any process on the host:
      selection_registry:
        EventID: 13
        Image|endswith: "sample001.exe"
        TargetObject|contains: "Run"
                
  5. Add network indicators
    The same applies here: without the Image field, every outbound port-80 connection on the host would match.
      selection_network:
        EventID: 3
        Image|endswith: "sample001.exe"
        DestinationPort: 80
                
  6. Define condition
      condition: selection_process or selection_registry or selection_network
                
  7. Validate rule using Sigma CLI
    sigma check sample001.yml
    To produce the query for your SIEM, install the matching backend (sigma plugin install <backend>) and run sigma convert -t <backend> sample001.yml.
                
  8. Document Sigma rule
    Save:
    C:\Malware-Analysis\Reports\sample001-sigma-rule.txt
                
3. Build Suricata Network Signatures

This activity converts your network behavior findings from Week 27 into Suricata IDS signatures. These rules detect malicious domains, HTTP requests, user agents, and protocol anomalies.

  1. Create a new Suricata rule file
    On REMnux:
    sudo nano /etc/suricata/rules/sample001.rules
                
  2. Add domain-based detection
    Example (each Suricata rule must be on a single line; a rule spread over several lines without backslash continuation fails to load):
    alert dns any any -> any any (msg:"Sample001 DNS Query"; dns.query; content:"malicious-domain.com"; nocase; sid:100001; rev:1;)
                
  3. Add HTTP request detection
    Example:
    alert http any any -> any any (msg:"Sample001 HTTP Beacon"; flow:established,to_server; http.uri; content:"/command"; sid:100002; rev:1;)
                
  4. Add user-agent detection
    Example:
    alert http any any -> any any (msg:"Sample001 User-Agent"; flow:established,to_server; http.user_agent; content:"BadMalwareClient/1.0"; sid:100003; rev:1;)
                
    The flow keyword restricts the HTTP rules to client-to-server traffic on established sessions, which cuts false positives. If this file is ever merged with a vendor ruleset, renumber the sids into the range reserved for local rules (1000000 and above) so they cannot collide.
                
  5. Enable custom rule file
    Edit:
    sudo nano /etc/suricata/suricata.yaml
                
    Add under rule-files:
    - sample001.rules
                
  6. Reload Suricata
    sudo systemctl restart suricata
                
  7. Validate rule loading
    sudo suricata -T -c /etc/suricata/suricata.yaml
                
  8. Document Suricata rules
    Save:
    C:\Malware-Analysis\Reports\sample001-suricata-rules.txt
                
4. Build Wazuh Decoders & Rules for Custom Log Patterns

This activity creates Wazuh decoders and rules to detect custom log patterns generated by the malware. These detections complement your Sigma and Suricata rules.

  1. Create a new decoder
    On Wazuh Manager:
    sudo nano /var/ossec/etc/decoders/sample001_decoders.xml
                
    Add:
    <decoder name="sample001-decoder">
      <program_name>Sysmon</program_name>
      <prematch>.*sample001.exe.*</prematch>
    </decoder>
                
  2. Create a new Wazuh rule
    sudo nano /var/ossec/etc/rules/sample001_rules.xml
                
    Add (rule id 900001 is the one the validation step looks for; set level to the severity your alerting expects, 10 is used here):
    <group name="sample001,">
      <rule id="900001" level="10">
        <decoded_as>sample001-decoder</decoded_as>
        <match>sample001.exe</match>
        <description>Sample001 execution detected</description>
      </rule>
    </group>
                
  3. Restart Wazuh Manager
    sudo systemctl restart wazuh-manager
                
  4. Validate rule firing
    First feed one captured Sysmon line to /var/ossec/bin/wazuh-logtest on the manager and confirm it reports sample001-decoder and rule 900001; this catches decoder mistakes without detonating anything.
    Then execute the sample again:
    sample001.exe
                
    Check Wazuh dashboard for alert ID 900001.

  5. Document Wazuh rule
    Save:
    C:\Malware-Analysis\Reports\sample001-wazuh-rule.txt
                
5. Validate All Detections (YARA + Sigma + Suricata + Wazuh)

This activity validates your detection logic by executing the malware sample and confirming that each detection mechanism fires correctly.

  1. Validate YARA
    yara64.exe sample001.yar sample001.exe
                
  2. Validate Sigma
    sigma check sample001.yml
                
  3. Validate Suricata
    sudo tail -f /var/log/suricata/eve.json | grep '"event_type":"alert"'
    (eve.json also carries dns, http and flow records; filtering on alert leaves only signature hits)
                
  4. Validate Wazuh
    Check:
    Security Events → sample001
                
  5. Document validation results
    Save:
    C:\Malware-Analysis\Reports\sample001-detection-validation.txt
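Rather than eyeballing the tail output, this added script (not from the course) parses eve.json alert records and reports which of the three sample001 sids from the Suricata activity fired and which did not. The eve.json lines are constructed to stand in for a real capture; in one of them the sample's User-Agent is seen in an http record but no alert for sid 100003 follows, which is the kind of gap the check is meant to surface.

```python
import json

# Signature ids and messages from the three sample001 Suricata rules on this page.
EXPECTED_SIDS = {100001: "Sample001 DNS Query",
                 100002: "Sample001 HTTP Beacon",
                 100003: "Sample001 User-Agent"}

# Constructed eve.json lines (only the fields this script reads are present).
EVE_LINES = """\
{"timestamp":"2026-04-21T10:00:01.000000+0000","event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.53","dns":{"type":"query","rrname":"malicious-domain.com"}}
{"timestamp":"2026-04-21T10:00:01.100000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.53","alert":{"signature_id":100001,"rev":1,"signature":"Sample001 DNS Query"}}
{"timestamp":"2026-04-21T10:00:02.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","alert":{"signature_id":100002,"rev":1,"signature":"Sample001 HTTP Beacon"}}
{"timestamp":"2026-04-21T10:00:02.000000+0000","event_type":"http","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","http":{"url":"/command","http_user_agent":"BadMalwareClient/1.0"}}
not json at all
"""


def summarize_alerts(eve_text: str):
    """Return {sid: [(timestamp, dest_ip), ...]} for every alert record,
    skipping non-alert event types and malformed lines."""
    seen = {}
    for line in eve_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("event_type") != "alert":
            continue
        sid = ev["alert"]["signature_id"]
        seen.setdefault(sid, []).append((ev["timestamp"], ev.get("dest_ip")))
    return seen


def coverage_gaps(eve_text: str, expected=EXPECTED_SIDS):
    """Return the expected sids that never fired, so a silent rule is
    reported instead of being lost in the tail output."""
    fired = summarize_alerts(eve_text)
    return {sid: name for sid, name in expected.items() if sid not in fired}


if __name__ == "__main__":
    for sid, hits in sorted(summarize_alerts(EVE_LINES).items()):
        print(f"sid {sid} fired {len(hits)}x, first dest {hits[0][1]}")
    for sid, name in coverage_gaps(EVE_LINES).items():
        print(f"MISSING sid {sid} ({name}): check the rule loaded and the behaviour occurred")
```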
                
6. Document Detection Logic & Prepare for Month 8

This final activity documents all detection logic created in Week 28 and prepares your environment for Month 8, where you will begin building threat hunting workflows.

  1. Compile detection logic
    Include:
    • YARA rules
    • Sigma rules
    • Suricata signatures
    • Wazuh decoders and rules
  2. Export all detection files
    C:\Malware-Analysis\Detections\
                
  3. Create final snapshots
    win11-week28-complete  
    remnux-week28-complete  
                
  4. Prepare for Month 8
    Ensure:
    • All detections validated
    • All logs archived
    • Snapshots created