Cards on the table: I’m partway through the TryHackMe beginner course and I have a bit of hands-on experience with Kali (mostly just nmap scans and practicing hacking my wi-fi), so this is the first challenging lab/real-world scenario-type thing I’ve done, at least where you’re not having your hand held. I had absolutely no idea if I would be able to do any of it.
SPOILER ALERT: Throughout this post I have purposely not given too much away as the challenge is ongoing. So you won’t find anything too revealing, but you will find a few extra hints and tips on top of what RangeForce give you, so if you want to complete the challenge without any prior knowledge at all, this is where you stop reading.
You can join RangeForce’s community edition by signing up here.
Email Challenge
Examining headers in greater detail than what you see in the email was something new to me. I know how to spot spoofed emails, but had never looked at the source code before. The scenario was that you work on the security team for an organisation and you have a bunch of emails in your inbox from colleagues forwarding you emails they are concerned about.
The questions themselves point you to the tools you need to use (like MX Toolbox) and you are asked specific questions about the output from those tools.
I went through the questions pretty quickly after getting used to the platform, though it took me a little while to realise I could throw the whole source code into MX Toolbox; initially I thought I needed to paste specific information.
I definitely felt a sense of achievement at getting through the challenge, but it was easier than I was expecting. On to the next.
Malware Analysis and YARA Rules
Right then. I didn’t know the first thing really about how to practically analyse malware, except that it should be done in an isolated environment. I also didn’t know what a YARA rule was (does it really stand for Yet Another Ridiculous Acronym?), although I’d seen the term before on LinkedIn.
The first question was about analysing the strings of the first sample and I jumped straight to the hint, which told me to use the “strings” command. Fair enough.
I first ran the strings command on the file and saw a very long list in the terminal window, and then I remembered that the question was about the number of strings over a certain length. So I checked the usage of the string command to find that you can indeed indicate the minimum length.
I adjusted the command to find strings at least 7 characters long and got another long list. I couldn’t see any way to count them using the strings command, but I knew how to number the lines in a file, so, wondering if there was a better way (I’ve since discovered that there is), I saved the output in a text file and then, using the “cat” command with the -n flag, I obtained the number of strings.
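The same count the author obtained with strings, a text file and cat, reproduced in Python as an added example (not code from the post or from RangeForce). It assumes GNU strings semantics: the whole file is scanned, a run is any sequence of printable ASCII bytes (0x20 to 0x7E, plus tab) terminated by anything else, and -n sets the minimum run length; the sample bytes are constructed, not a real malware sample.

```python
import re
from typing import List

MIN_LEN = 7  # the challenge asked for strings of at least 7 characters

# Constructed stand-in for a binary sample: printable runs of length 12, 3 and 7
# separated by non-printable bytes, so only two runs survive a 7-byte minimum.
SAMPLE_BYTES = b"\x00\x01kernel32.dll\x00\x90\x90abc\xff\x00GetProc\x00\x00"


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Return every run of at least `min_len` printable ASCII bytes, in file order.

    Equivalent to `strings -a -n <min_len> <file>` (assumption: GNU strings
    counts tab as printable and ends a run at any other non-printable byte).
    """
    pattern = rb"[\x20-\x7e\t]{%d,}" % min_len
    return [run.decode("ascii") for run in re.findall(pattern, data)]


def count_strings(data: bytes, min_len: int = MIN_LEN) -> int:
    """The number `strings -a -n <min_len> <file> | wc -l` would print."""
    return len(extract_strings(data, min_len))


if __name__ == "__main__":
    for s in extract_strings(SAMPLE_BYTES):
        print(s)
    print("count:", count_strings(SAMPLE_BYTES))
```

To run it against a real file, read the file in binary mode and pass the bytes to count_strings.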
Surprise of surprises, it was the right answer! I gave a little cheer at my new-found skills. With the next question I was very quickly brought down to Earth. After a quick Google search, I shut down the challenge and started learning more about malware analysis. I had an idea about what needed to be done, but I wasn’t sure how to write or save a YARA rule. So I started writing this blog post instead!
Jump forward a busy 48 hours or so, itching to get back to it, and I’m quite proud to say that I finished the malware analysis challenge, although some help was required. I used several sources to study YARA rules, among them a blog post on RangeForce’s site by Vickie Li, the Malware Analysis Bootcamp from Hackersploit on their YouTube channel, and a course on malware analysis from Skillsoft that I had access to through the training provider I’m studying with. By combining several resources, I think I have what would be considered a good, basic foundation in static analysis, and I highly recommend checking out the Hackersploit bootcamp, but if you have any suggestions for further study on malware analysis, please leave a comment or send me a message.
YARA rules themselves are not complicated, at least not in the way you use them for this challenge. You define your indicators, the conditions that must be met with regards to them, and run it on the files you want to check. I did run into a snag because I hadn’t read the documentation on https://yara.readthedocs.io/en/v4.1.0/gettingstarted.html so I was getting an error when I ran my YARA rule on the sample file. The available hint told me that I needed to escape certain characters, which was easy enough to figure out by referring to the above documentation.
The next part of the challenge involved analysing a different sample using the string from the previous question and finding the offset, which meant running the rule on the other sample and out pops the offset. Not too bad.
For the next part of the challenge, you have to create a YARA rule to check if a file is of the Portable Executable (PE) type. I had a good idea of how this could be accomplished from the two courses I had done and the hint confirmed what I needed to do. My rule needed a little tweak, but I was beginning to think I was getting good at it. However, the final part of the challenge was still to come.
You are given a long list of strings with which to create a YARA rule, which you need to use to scan a couple of hundred suspicious files to check how many of them are malware. The list of strings is too long to think about typing the rule out manually and upon checking the hints, three for this final part of the challenge, they suggest you use scripting. They also tell you to include the PE check. The final hint threw me a bit, but I’ll come back to that. I thought I would just get started and see where it got me.
I don’t know bash scripting, but I’ve done Dr Charles “Chuck” Russell Severance’s course on Python For Everybody, which is brilliant and if you want to get started on Python, do check it out, it’s free by the way. So I knew I could script what I thought was required with Python, and before too long I had my rule set up.
I tried running it on one of the suspicious files and the rule threw out some errors. Checking the lines that the error indicated, I saw that a lot of the strings had special characters that needed to be treated in the same way as the string in the “Simple Rule” part of the challenge. I wasn’t sure if that was supposed to happen, but it made sense why RangeForce would choose that particular string for the first YARA rule.
I kept running the rule, correcting the errors until it wasn’t throwing up any more. Getting a little excited, I ran the rule on all the suspicious files and found that nearly every one of them was malware according to my rule, and I didn’t get the tick in the box.
Back to the final hint. It suggested I might need to use all of the indicators as some of the indicators might exist in isolation. I was already using all the indicators, but in such a way that if a file contained any one of the strings, along with the PE check, it would flag the file as malware. So I altered the conditions in my YARA rule so that the file must contain all of the indicators and ran it again. Nothing. It now didn’t detect any of the suspicious files as malware, and I still didn’t have the tick in the box, not that I was expecting it now.
Feeling deflated, I ran just the PE check on the files to check that would at least work, and it did. I started to doubt the rule I had made, wondering if we were supposed to somehow write a script that ran each string individually on each file and returned the files that had all the strings in them all in one go. I did some Google searches to try to find something that would help, but was stumped, so I reached out for some help.
I contacted someone on LinkedIn who had offered me some advice with regards to the challenge, to ask about the last hint – I still wasn’t sure if I had understood it correctly, and I thought I might be able to glean some information that would help, without asking how to solve it completely. We discussed the scripts and having to manually alter the strings once the rule was set up – although he was planning to go back in and make that a part of his script. He then explained what I was missing in the final hint. Thanking him, I went back, altered my rule… and it still didn’t work.
I was also in conversation with someone else who was struggling with the same challenge, and I was offering hints for the earlier parts of the challenge. He had been sent a video of somebody completing that very challenge. At this point I didn’t think I was going to be able to complete the challenge so I watched the video.
The guy in the video also used Python to script his rule, though his command of Python was far superior to mine, but our output was the same. I actually think I preferred my simpler code, and I guess the guy who made the video is used to far more complicated coding. He used find and replace to make the necessary alterations, which hadn’t occurred to me, saved the YARA file and ran it. And it worked straight away.
It now dawned on me that I had messed up one or more of the strings when altering them manually, so I ran my script again, and used find and replace to make the alterations, which took a fraction of the time compared to doing it manually. There were still a couple of errors in my rule, but eventually, it worked. I’d completed the second challenge and a fanfare went off in my head.
Afterwards it occurred to me that I had just used Python to solve a “real world” problem, which is pretty cool. I have also redone the challenge and written the character escapes into my script. I thought that might be beyond me, but Python is such a user-friendly language, it is made relatively easy for you. Though I will say, it is quicker to use find and replace unless you know exactly what you are doing.
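The rule-generating script described above, with the character escaping written in, as an added example (my own code, not the author’s script, the video’s, or anything from RangeForce). It assumes YARA’s text-string syntax, where a literal backslash and double quote must be escaped and other bytes can be written as \xNN, and the standard PE header check (MZ at offset 0 and the PE signature at the offset stored at 0x3C); the indicator strings are constructed for the example and are not the challenge’s list, and whether the condition should be “all” or “any” of them is left as a parameter.

```python
from typing import Iterable

# Constructed indicators chosen to contain the characters that break a naive rule:
# backslashes and a double quote. Not the challenge's list.
SAMPLE_INDICATORS = [
    r"C:\Windows\System32\cmd.exe",
    'powershell -enc "',
    "schtasks /create",
]

# Standard YARA idiom for "this file is a Portable Executable": 'MZ' DOS magic at
# offset 0 and 'PE\0\0' at the offset held in the e_lfanew field at 0x3C.
PE_CHECK = "uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550"


def escape_yara_text(s: str) -> str:
    """Escape a plain string so it is valid inside a YARA text string literal."""
    out = []
    for b in s.encode("utf-8"):
        if b == 0x5C:            # backslash must be doubled
            out.append("\\\\")
        elif b == 0x22:          # double quote would end the literal
            out.append('\\"')
        elif 0x20 <= b <= 0x7E:  # printable ASCII passes through unchanged
            out.append(chr(b))
        else:                    # tabs, newlines, non-ASCII bytes: hex escape
            out.append("\\x%02x" % b)
    return "".join(out)


def build_rule(name: str, indicators: Iterable[str], require_all: bool = True) -> str:
    """Emit a YARA rule: one $sN string per indicator, PE check plus all/any of them."""
    lines = [f"rule {name}", "{", "    strings:"]
    for i, ind in enumerate(indicators):
        lines.append(f'        $s{i} = "{escape_yara_text(ind)}"')
    quantifier = "all" if require_all else "any"
    lines += ["    condition:", f"        {PE_CHECK} and {quantifier} of them", "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Write the rule to a file and run it with: yara suspected.yar <file or directory>
    print(build_rule("suspected_malware", SAMPLE_INDICATORS))
```

Swap SAMPLE_INDICATORS for the challenge’s list read from a file, and flip require_all to compare how many files each condition flags.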
SOC Detection Challenge
It was late by the time I’d finished the previous challenge, but buoyed by the excitement of finally getting it done, I thought I’d have a look at the SOC Detection Challenge. Remembering advice I’d been given about how to search, I started the module.
For this challenge you are working as a SOC Analyst and you have been made aware that Windows Security has been disabled on a particular host. You must investigate what happened using Splunk.
The first part of the challenge involves re-enabling Windows Security and you are given a couple of scripts to execute. So far so good and on to the first question. Now we start using Splunk. I’d been given the suggestion of going through the Splunk module on RangeForce, but I hadn’t gotten round to that yet. It was still fairly self-explanatory so far.
The next task starts to delve a bit deeper with a series of questions. It is just a case of picking out the required information and you can narrow down the search results by adding more search terms, which helped. My eyes were starting to feel a little heavy though, so I shut my laptop and went at it again the next day.
This time I did the community Splunk challenge first as had been suggested, but by this point, it didn’t teach me anything I hadn’t already picked up in the community challenge. So back to the final challenge I went and worked my way to the point I’d left off.
I wasn’t expecting the next part, which was about dynamic analysis of the malware stager. I had assumed the challenge was all about Splunk, although there isn’t much dynamic analysis about it. They tell you that the system has been sandboxed and off you go executing the malware before answering a couple of questions about it.
The final task is to delete the malware stager and that is it, all done! Everybody start cheering!
I really enjoyed my first taste of malware analysis and Splunk. RangeForce have put together a brilliant challenge for those inexperienced with these tools, and I have definitely learnt some things and gained some valuable practical experience.
As I said in the beginning, I wasn’t sure if I would be able to do it, so I’m very happy that I could. It took me longer than I would’ve liked due to my inexperience and not always knowing if I was doing the right thing, but if you want me to create some YARA rules, sure, I can do that now; need me to examine some emails? No problem; and I’ve made a tiny scratch on the surface of Splunk, which is what I really hoped to get out of this exercise.
I can’t wait to do more, but I can hear a Pentest+ exam calling my name, so it’s time to get back to study.