THM - Advent of Cyber 2022 - Day 18
Difficulty:
Challenge Link
OS: Linux
Learning Objectives

* Learn what threat detection is
* Understand what Sigma rules are
* Why Sigma rules are used
* How to implement Sigma rules in threat detection
What is the Challenge #1 flag?
We can use the rule below to detect the creation of a suspicious local account. A valid Sigma rule needs a `logsource` block (which log the rule applies to) and a `detection` block that ends in a `condition`; Windows Security Event ID 4720 is "A user account was created".

```yaml
title: Local Account Creation Detection
id: 1   # production rules use a UUID here; the challenge accepts a plain number
status: experimental
description: Detects the creation of a local user account on a computer.
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4720
  condition: selection
level: low
```
Answer
THM{n0t_just_your_u$ser}
From the Challenge 1 log, what user account was created?
View the log.
Answer
BanditYetiMini
What is the Challenge #2 flag?
Edit the rule for Challenge #2 to match Sysmon process creation (Event ID 1) where `reg.exe` queries the `svcVersion` value. With `category: process_creation` the Sigma backend already maps the log source to Sysmon Event ID 1, so the explicit `EventID` is redundant but harmless. Each value under `|contains|all` must appear in the command line, case-insensitively.

```yaml
title: Registry Query of svcVersion
id: 2
status: experimental
description: Detects reg.exe querying the svcVersion registry value.
logsource:
  product: windows
  service: sysmon
  category: process_creation
detection:
  selection:
    EventID: 1
    Image|endswith:
      - reg.exe
    CommandLine|contains|all:
      - reg
      - query
      - /v
      - svcVersion
  condition: selection
level: medium
```
Answer
THM{wh@t_1s_Runn1ng_H3r3}
What was the User's path in the Challenge #2 log file?
View the log.
Answer
SIGMA_AOC2022\Bandit Yeti
What is the Challenge #3 flag?
Edit the rule to detect `schtasks.exe` creating a scheduled task whose action runs `cmd.exe`, a common persistence technique.

```yaml
title: Scheduled Task Creation via schtasks
id: 3
status: experimental
description: Detects schtasks.exe creating a task that launches cmd.exe.
logsource:
  product: windows
  service: sysmon
  category: process_creation
detection:
  selection:
    EventID: 1
    Image|endswith:
      - schtasks.exe
    CommandLine|contains|all:
      - schtasks
      - cmd.exe
      - /create
  condition: selection
level: medium
```
Answer
THM{sch3dule_0npo1nt_101}
What was the MD5 hash associated with Challenge #3 logs?
View the logs.
Answer
2F6CE97FAF2D5EEA919E4393BDD416A7
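To see how the three rules above actually fire, here is a small evaluator for the Sigma matching semantics they use (plain equality, `|endswith`, `|contains|all`, and the implicit AND inside a selection). This is an added example, not part of the THM challenge or of the Sigma project. The rules are written as Python dicts mirroring their YAML `detection` blocks (in practice you would `yaml.safe_load` the rule file), and the events are constructed sample records, not the challenge's log files; a benign `reg add` event is included to show that the svcVersion rule does not over-match.

```python
"""Tiny evaluator for the Sigma matching used by the three rules above.

Added example, not part of the THM challenge or of the Sigma project.
EVENTS are constructed sample records, not the challenge's log files.
"""
from typing import Any, Callable

# Constructed sample events: one Security log record and three Sysmon
# process-creation (EventID 1) records, flattened to field: value pairs.
EVENTS: list[dict[str, Any]] = [
    {"Channel": "Security", "EventID": 4720, "TargetUserName": "BanditYetiMini"},
    {"Channel": "Sysmon", "EventID": 1,
     "Image": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": 'reg query "HKLM\\SOFTWARE\\Microsoft\\Internet Explorer" /v svcVersion',
     "User": "SIGMA_AOC2022\\Bandit Yeti"},
    {"Channel": "Sysmon", "EventID": 1,
     "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": "schtasks /create /tn Updater /tr cmd.exe /sc minute /mo 1",
     "User": "SIGMA_AOC2022\\Bandit Yeti"},
    # Benign-looking reg.exe use: must NOT trip the svcVersion rule.
    {"Channel": "Sysmon", "EventID": 1,
     "Image": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": "reg add HKCU\\Software\\Demo /v Flag /d 1",
     "User": "SIGMA_AOC2022\\Bandit Yeti"},
]

# The detection blocks of the three challenge rules, as Python dicts.
RULES: dict[str, dict[str, Any]] = {
    "Local Account Creation Detection": {
        "selection": {"EventID": 4720},
        "condition": "selection",
    },
    "Reg query of svcVersion": {
        "selection": {
            "EventID": 1,
            "Image|endswith": ["reg.exe"],
            "CommandLine|contains|all": ["reg", "query", "/v", "svcVersion"],
        },
        "condition": "selection",
    },
    "Scheduled task creation via schtasks": {
        "selection": {
            "EventID": 1,
            "Image|endswith": ["schtasks.exe"],
            "CommandLine|contains|all": ["schtasks", "cmd.exe", "/create"],
        },
        "condition": "selection",
    },
}

STRING_MODIFIERS: dict[str, Callable[[str, str], bool]] = {
    "contains": lambda text, v: v in text,
    "startswith": lambda text, v: text.startswith(v),
    "endswith": lambda text, v: text.endswith(v),
}


def field_matches(event: dict[str, Any], key: str, expected: Any) -> bool:
    """Evaluate one 'Field|modifier...' entry against an event.

    Sigma string matching is case-insensitive. A list of values is OR-ed
    unless the '|all' modifier is present, which AND-s them.
    """
    name, *modifiers = key.split("|")
    if name not in event:
        return False
    text = str(event[name]).lower()
    raw = expected if isinstance(expected, list) else [expected]
    values = [str(v).lower() for v in raw]
    if not modifiers:
        return text in values  # plain equality
    test = STRING_MODIFIERS[modifiers[0]]
    hits = [test(text, v) for v in values]
    return all(hits) if "all" in modifiers[1:] else any(hits)


def selection_matches(event: dict[str, Any], selection: dict[str, Any]) -> bool:
    """All fields inside one selection map must match (implicit AND)."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def evaluate_condition(condition: str, results: dict[str, bool]) -> bool:
    """Evaluate 'a and not b or c' style conditions (no parentheses).

    'not' binds tightest, then 'and', then 'or', as in Sigma.
    """
    for or_term in condition.split(" or "):
        satisfied = True
        for and_term in or_term.split(" and "):
            negate = and_term.startswith("not ")
            name = and_term[4:].strip() if negate else and_term.strip()
            satisfied = satisfied and (results[name] != negate)
        if satisfied:
            return True
    return False


def rule_matches(event: dict[str, Any], detection: dict[str, Any]) -> bool:
    """Evaluate every named selection, then combine them via the condition."""
    results = {name: selection_matches(event, sel)
               for name, sel in detection.items() if name != "condition"}
    return evaluate_condition(detection["condition"], results)


def run_rules(events=EVENTS, rules=RULES) -> dict[str, list[int]]:
    """Return, per rule title, the indexes of the events it fired on."""
    return {title: [i for i, ev in enumerate(events) if rule_matches(ev, det)]
            for title, det in rules.items()}


if __name__ == "__main__":
    for title, hits in run_rules().items():
        print(f"{title}: events {hits}")
```

Running it fires each rule on exactly one event (the account creation, the `reg query ... /v svcVersion`, and the `schtasks /create ... cmd.exe` launch) and leaves the `reg add` event alone, which is the point of using `|contains|all` rather than a bare `|contains` list: with the bare list any single term such as `reg` would be enough to match.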