jng | tribbletron
D8 YARA Analysis

Last updated 10 months ago

You and the rest of The Lucky Lion's IR team are deep in your investigation, digging into hosts with signs of unusual activity. While pulling artifacts from host A (WDIGCVY2S), you identified the tool download utilized by the threat actor. You capture the file and submit it to Strelka, a real-time, container-based file scanning system used for threat hunting, threat detection, and incident response. The strelka.json results identified the file as AnyDesk and you determined the file was downloaded and utilized by the threat actor.

Objectives

  • Create a YARA rule that will detect the target file. The target file has similar meta information identified in strelka.json. There are a total of 100 files, only one is the target file.

Flag Format: a typical CTF flag, e.g. th4t_l00kz_l1k3_th1s

Tools Required

  • yara

  • curl

Additional Resources

curl -H "Content-Type: text/plain" https://target-flask.chals.io/api/v1/yara-scan -X POST -d 'rule test {condition: true}'

Solution: The file we're looking for is a suspicious version of AnyDesk.exe, whose attributes have been logged by Strelka. This task basically required us to translate Strelka to Yara, because for each file attribute logged by Strelka there is a counterpart condition in Yara. Yara rules are filters. Much of the work here is experimenting with Yara rules until the Yara server returns only 1 out of 100 possibilities. I used an online Yara editor to 'spellcheck' my rules. And instead of curl, I prefer Firefox DevTools for sending JSON data. Careful reading of the Yara documentation shows there's a PE module that we can use to create more accurate rules. "PE" stands for "Portable Executable", which is what an "exe" file is.

My Yara rule included way more info than was needed, but I liked linking the Strelka attributes to their Yara counterparts in the PE module. Ultimately, you only need to filter for the file size, checksum, entry_point, and timestamp.

Alternative Solution:

curl -H "Content-Type: text/plain" https://target-flask.chals.io/api/v1/yara-scan -X POST -d 'import "pe" rule Detect_AnyDesk { condition: filesize == 5328200 and pe.entry_point == 4325 and pe.checksum == 5359632}'
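The Strelka-to-Yara translation described above, as an added example that is not part of the original write-up: a small Python script that reads a strelka.json-style record and emits a rule using the PE module. The record is constructed, and its key layout (file.size, scan.pe.entry_point, scan.pe.checksum, scan.pe.timestamp) is an assumption about Strelka's output rather than its documented schema; the numeric values are the ones the final rule above keys on, and the timestamp is invented.

```python
import json
from datetime import datetime, timezone

# Constructed sample record. The field layout is an assumption about
# Strelka's JSON, not its documented schema; the timestamp is invented.
SAMPLE_STRELKA_JSON = """
{
  "file": {"name": "AnyDesk.exe", "size": 5328200},
  "scan": {
    "pe": {
      "entry_point": 4325,
      "checksum": 5359632,
      "timestamp": "2023-09-01T00:00:00"
    }
  }
}
"""

def to_epoch(value):
    """YARA's pe.timestamp is an integer; accept an epoch int or an ISO-8601 string."""
    if isinstance(value, int):
        return value
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)  # assume UTC when no offset is given
    return int(dt.timestamp())

def build_rule(record, name):
    """Map each Strelka attribute to its YARA/PE counterpart, skipping absent ones."""
    pe = record.get("scan", {}).get("pe", {})
    conds = ["uint16(0) == 0x5A4D"]  # MZ header: only PE files are evaluated further
    if record.get("file", {}).get("size") is not None:
        conds.append(f"filesize == {record['file']['size']}")
    if pe.get("entry_point") is not None:
        conds.append(f"pe.entry_point == {pe['entry_point']}")
    if pe.get("checksum") is not None:
        conds.append(f"pe.checksum == {pe['checksum']}")
    if pe.get("timestamp") is not None:
        conds.append(f"pe.timestamp == {to_epoch(pe['timestamp'])}")
    body = " and\n        ".join(conds)
    return (
        'import "pe"\n\n'
        f"rule {name}\n{{\n"
        '    meta:\n        source = "strelka.json"\n'
        f"    condition:\n        {body}\n}}\n"
    )

def rule_from_json(text, name):
    """Convenience wrapper: parse a strelka.json string and build the rule."""
    return build_rule(json.loads(text), name)

if __name__ == "__main__":
    # The printed rule is what you would send as the POST body to the yara-scan endpoint.
    print(rule_from_json(SAMPLE_STRELKA_JSON, "Detect_AnyDesk"))
```

The more of these attributes the rule pins down, the fewer of the 100 candidate files it can match, which is the filtering the write-up describes.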

Flag: y3t_an0th3r_r3curs1v3_acr0nym

Linked resources

  • YARA Documentation

  • YARA

  • Strelka

  • CyberChef

  • online Yara editor

  • PE module