Skills Assessment

PreviousHunting Evil with Sigma (Splunk Edition)NextTryHackme SOC 1

Last updated 8 months ago

Skills Assessment

In this skills assessment section, we'll practice YARA rule development and using Sigma rules to hunt for threats within event logs.

For the initial question, you'll be tasked with developing a YARA rule aimed at identifying the malicious Seatbelt.exe file, commonly used by attackers for maintaining operational security.

In the subsequent question, you'll be using a Sigma rule to identify instances of shadow volume deletion - a technique often utilized by ransomware groups.

1) The "C:\Rules\yara\seatbelt.yar" YARA rule aims to detect instances of the "Seatbelt.exe" .NET assembly on disk. Analyze both "C:\Rules\yara\seatbelt.yar" and "C:\Samples\YARASigma\Seatbelt.exe" and specify the appropriate string inside the "$class2" variable so that the rule successfully identifies "C:\Samples\YARASigma\Seatbelt.exe".

First let's analyze seatbelt.yar.

Strings Section

This section defines specific patterns or strings that the rule will search for within a file:

$class1 = "WMIUtil": The string "WMIUtil" is likely a class or function name used in the Seatbelt tool.
$class2 = "": This is the string that we will try to identify from Seatbelt.exe so that the rule successfully identifies Seatbelt.exe
$class3 = "SecurityUtil": Another string that is likely part of the Seatbelt tool, possibly referring to a utility or class related to security functions.
$class4 = "MiscUtil": This string refers to a miscellaneous utility within the tool.
$dotnetMagic = "BSJB" ascii: The string "BSJB" is a magic header specific to .NET assemblies, which suggests that the tool is built using .NET.

Condition Section

The condition section is where the actual detection logic is defined. This part determines when the rule will trigger a match:

(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550):
- uint16(0) == 0x5A4D: This checks if the first two bytes of the file (at offset 0) are 0x5A4D, which is the magic number for the "MZ" header, indicating a Windows executable file.
- uint16(uint32(0x3c)) == 0x4550: This further checks if the PE header is present at the correct location, confirming the file is a valid PE (Portable Executable) file.
$dotnetMagic: This checks for the presence of the string "BSJB", confirming that the file is a .NET assembly.
4 of them: This condition checks that at least four of the defined strings ($class1, $class2, $class3, $class4, $dotnetMagic) are found in the file.

Let’s analyze Seatbelt.exe, considering the hint that the required string should start with L and end with r for successful detection by the rule.

strings Seatbelt.exe | findstr /R "^L.*r$"

Now, let’s insert this string into the seatbelt.yar file and utilize it against Seatbelt.exe.

yara64.exe -s c:\Rules\yara\seatbelt.yar c:\Samples\YARASigma\Seatbelt.exe -r 2>null

Answer: LsaWrapper

2) Use Chainsaw with the "C:\Tools\chainsaw\sigma\rules\windows\powershell\powershell_script\posh_ps_susp_win32_shadowcopy.yml" Sigma rule to hunt for shadow volume deletion inside "C:\Events\YARASigma\lab_events_6.evtx". Enter the identified ScriptBlock ID as your answer.

Logsource

product: windows: The rule applies to Windows systems.
category: ps_script: The rule targets PowerShell scripts.
definition: 'Requirements: Script Block Logging must be enabled': To detect the behavior, Script Block Logging must be enabled on the system, allowing detailed logging of PowerShell commands.

Detection

selection:: Defines the specific conditions that the rule looks for in the logs.
- ScriptBlockText|contains|all:: This indicates that the rule searches for logs where the script block text contains all of the following strings:
  - 'Get-WmiObject': A command that queries WMI for information.
  - 'Win32_Shadowcopy': Refers to the WMI class associated with Volume Shadow Copies.
  - '.Delete()': The method call to delete the shadow copy.
condition: selection: The rule will trigger if the selection criteria are met.

.\chainsaw_x86_64-pc-windows-msvc.exe hunt C:\Events\YARASigma\lab_events_6.evtx -s C:\Tools\chainsaw\sigma\rules\windows\powershell\powershell_script\posh_ps_susp_win32_shadowcopy.yml --mapping .\mappings\sigma-event-logs-all.yml

Answer: faaeba08-01f0-4a32-ba48-bd65b24afd28

PreviousHunting Evil with Sigma (Splunk Edition)NextTryHackme SOC 1

Last updated 8 months ago

In this skills assessment section, we'll practice YARA rule development and using Sigma rules to hunt for threats within event logs.

For the initial question, you'll be tasked with developing a YARA rule aimed at identifying the malicious Seatbelt.exe file, commonly used by attackers for maintaining operational security.

In the subsequent question, you'll be using a Sigma rule to identify instances of shadow volume deletion - a technique often utilized by ransomware groups.

First let's analyze seatbelt.yar.

Strings Section

This section defines specific patterns or strings that the rule will search for within a file:

$class1 = "WMIUtil": The string "WMIUtil" is likely a class or function name used in the Seatbelt tool.
$class2 = "": This is the string that we will try to identify from Seatbelt.exe so that the rule successfully identifies Seatbelt.exe
$class3 = "SecurityUtil": Another string that is likely part of the Seatbelt tool, possibly referring to a utility or class related to security functions.
$class4 = "MiscUtil": This string refers to a miscellaneous utility within the tool.
$dotnetMagic = "BSJB" ascii: The string "BSJB" is a magic header specific to .NET assemblies, which suggests that the tool is built using .NET.

Condition Section

The condition section is where the actual detection logic is defined. This part determines when the rule will trigger a match:

(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550):
- uint16(0) == 0x5A4D: This checks if the first two bytes of the file (at offset 0) are 0x5A4D, which is the magic number for the "MZ" header, indicating a Windows executable file.
- uint16(uint32(0x3c)) == 0x4550: This further checks if the PE header is present at the correct location, confirming the file is a valid PE (Portable Executable) file.
$dotnetMagic: This checks for the presence of the string "BSJB", confirming that the file is a .NET assembly.
4 of them: This condition checks that at least four of the defined strings ($class1, $class2, $class3, $class4, $dotnetMagic) are found in the file.

Let’s analyze Seatbelt.exe, considering the hint that the required string should start with L and end with r for successful detection by the rule.

strings Seatbelt.exe | findstr /R "^L.*r$"

Now, let’s insert this string into the seatbelt.yar file and utilize it against Seatbelt.exe.

yara64.exe -s c:\Rules\yara\seatbelt.yar c:\Samples\YARASigma\Seatbelt.exe -r 2>null

Answer: LsaWrapper

Logsource

product: windows: The rule applies to Windows systems.
category: ps_script: The rule targets PowerShell scripts.
definition: 'Requirements: Script Block Logging must be enabled': To detect the behavior, Script Block Logging must be enabled on the system, allowing detailed logging of PowerShell commands.

Detection

selection:: Defines the specific conditions that the rule looks for in the logs.
- ScriptBlockText|contains|all:: This indicates that the rule searches for logs where the script block text contains all of the following strings:
  - 'Get-WmiObject': A command that queries WMI for information.
  - 'Win32_Shadowcopy': Refers to the WMI class associated with Volume Shadow Copies.
  - '.Delete()': The method call to delete the shadow copy.
condition: selection: The rule will trigger if the selection criteria are met.

.\chainsaw_x86_64-pc-windows-msvc.exe hunt C:\Events\YARASigma\lab_events_6.evtx -s C:\Tools\chainsaw\sigma\rules\windows\powershell\powershell_script\posh_ps_susp_win32_shadowcopy.yml --mapping .\mappings\sigma-event-logs-all.yml

Answer: faaeba08-01f0-4a32-ba48-bd65b24afd28