TRYHACKME: Advent of Cyber 2022 [Day 18] - Sigma Lumberjack Lenny Learns New Rules
Scenario: Compromise has been confirmed within the Best Festival Company Infrastructure, and tests have been conducted in the last couple of weeks. However, Santa’s SOC team wonders if there are methodologies that would help them perform threat detection faster by analysing the logs they collect. Elf McSkidy is aware of Sigma rules and has tasked you to learn more and experiment with threat detection rules.
Day 18 Learning Objectives: Threat Detection using Sigma
Threat Detection
Threat detection involves proactively pursuing and analysing abnormal activity within an ecosystem to identify signs of malicious compromise or intrusion within a network.
The attack chain report included indicators of compromise (IOCs) and necessary detection parameters, as listed below.
About Sigma
Sigma is a generic, open signature format for describing detections over log events in YAML. A rule states what to match in the collected logs (a log source, the field values to look for, and a condition combining them) so that a hit can be raised as an alert for analysts to investigate. Log files are usually collected and stored in a database or a Security Information and Event Management (SIEM) solution for further analysis. Sigma is vendor-agnostic: a rule is written once and converted with tooling into the query language of the target SIEM instead of being rewritten per product.
Sigma was developed to satisfy the following scenarios:
- To make detection methods and signatures shareable alongside IOCs and YARA rules.
- To write SIEM searches that avoid vendor lock-in.
- To share signatures with threat intelligence communities.
- To write custom detection rules for malicious behaviour based on specific conditions.
Sigma Syntax
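A Sigma rule has a `title`, a `logsource` (the `product`, `category` or `service` the events come from), and a `detection` block made of one or more named selections plus a `condition` that combines them, for example `selection and not filter`. Inside a selection, each key is a field name optionally followed by modifiers separated by `|` (`Image|endswith`, `CommandLine|contains`, `CommandLine|contains|all`); a map of fields is an AND, a list of values for one field is an OR, and string matching is case-insensitive with `*` and `?` wildcards allowed in plain values. The following Python is an added example, not code from the room or from the original post: it implements that subset of Sigma's matching semantics and runs two constructed rules over constructed log records. The rules, the events, the host name `WS01`, the user names and the `filter_admin` tuning are all assumptions made for the illustration, and it goes beyond the single-selection rules of the challenges by handling a filter selection and the `|all` modifier.

```python
import fnmatch
import re

# Two constructed Sigma-style rules as Python dicts with the YAML's structure
# (title / logsource / detection / condition). Illustrations, not the room's rules.
RULE_SCHTASKS = {
    "title": "Scheduled task created with schtasks.exe (example rule)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {"Image|endswith": "\\schtasks.exe",
                      "CommandLine|contains": "/create"},
        # assumed tuning: the built-in Administrator is expected to create tasks
        "filter_admin": {"User|endswith": "\\Administrator"},
        "condition": "selection and not filter_admin",
    },
}
RULE_ACCOUNT = {
    "title": "Local account created, Security Event ID 4720 (example rule)",
    "logsource": {"product": "windows", "service": "security"},
    "detection": {"selection": {"EventID": 4720}, "condition": "selection"},
}

# Constructed log records (not from the room), parsed into field maps the way a
# SIEM hands events to a rule. Only index 0 and index 3 should alert.
EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe", "User": "WS01\\lowpriv",
     "CommandLine": "schtasks /create /tn Updater /tr C:\\Users\\Public\\u.exe /sc minute"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe", "User": "WS01\\lowpriv",
     "CommandLine": "schtasks /query /tn Updater"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe", "User": "WS01\\Administrator",
     "CommandLine": "schtasks /create /tn Backup /tr backup.cmd /sc daily"},
    {"EventID": 4720, "TargetUserName": "svc_backup", "SubjectUserName": "lowpriv"},
    {"EventID": 4624, "TargetUserName": "lowpriv"},
]

def _value_matches(field_value, pattern, modifiers):
    """One field against one pattern. Sigma matching is case-insensitive; a plain
    value may use the wildcards * and ? (numbers compare as their string form),
    while |contains and |endswith do substring and suffix matching instead."""
    if field_value is None:                  # absent field never matches
        return False
    fv, pv = str(field_value).lower(), str(pattern).lower()
    if "contains" in modifiers:
        return pv in fv
    if "endswith" in modifiers:
        return fv.endswith(pv)
    return fnmatch.fnmatchcase(fv, pv)

def _selection_matches(selection, event):
    """A selection map is an AND over its fields; a list of values for a field
    is an OR, or an AND when the |all modifier is present."""
    for key, patterns in selection.items():
        field, *modifiers = key.split("|")
        values = patterns if isinstance(patterns, list) else [patterns]
        hits = [_value_matches(event.get(field), p, modifiers) for p in values]
        if not (all(hits) if "all" in modifiers else any(hits)):
            return False
    return True

def _eval_condition(cond, results):
    """Evaluate 'selection and not filter'-style conditions (and/or/not with
    parentheses, precedence not > and > or) over the per-selection results.
    Aggregations such as '1 of them' are unsupported and fail closed."""
    tokens = re.findall(r"\(|\)|\w+", cond) + [")"]  # sentinel ends the top level
    pos = 0
    def parse(level=0):      # level 0 = or-chain, 1 = and-chain, 2 = not / atom
        nonlocal pos
        if level == 2:
            tok, pos = tokens[pos], pos + 1
            if tok == "not":
                return not parse(2)
            if tok == "(":
                value = parse(0)
                if pos >= len(tokens) - 1 or tokens[pos] != ")":
                    raise ValueError(f"unbalanced parentheses in {cond!r}")
                pos += 1
                return value
            if tok not in results:
                raise ValueError(f"unknown or unsupported term {tok!r} in {cond!r}")
            return results[tok]
        value = parse(level + 1)
        while tokens[pos] == ("or", "and")[level]:
            pos += 1
            rhs = parse(level + 1)
            value = (value or rhs) if level == 0 else (value and rhs)
        return value
    value = parse()
    if pos != len(tokens) - 1:               # everything but the sentinel consumed
        raise ValueError(f"trailing tokens in {cond!r}")
    return value

def rule_matches(rule, event):
    """True if the event satisfies the rule's detection block."""
    detection = rule["detection"]
    results = {name: _selection_matches(sel, event)
               for name, sel in detection.items() if name != "condition"}
    return _eval_condition(detection["condition"], results)

def run_rules(rules, events):
    """Return (rule title, event index) for every hit, like a SIEM alert list."""
    return [(rule["title"], i) for i, ev in enumerate(events)
            for rule in rules if rule_matches(rule, ev)]
```

Running `run_rules([RULE_SCHTASKS, RULE_ACCOUNT], EVENTS)` returns two hits: the `/create` invocation by the low-privilege user (index 0) and the 4720 account-creation record (index 3). The `/query` call fails the `CommandLine|contains` test, the Administrator's task is dropped by `not filter_admin`, and the logon event never satisfies `EventID: 4720`. The condition parser fails closed on anything it does not understand, which is the behaviour you want in detection code: a rule that silently matched nothing, or everything, would be worse than a rule that refuses to load.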
Answers to Questions
What is the Challenge #1 flag?
THM{n0t_just_your_u$ser}
From the Challenge 1 log, what user account was created?
BanditYetiMini
What is the Challenge #2 flag?
THM{wh@t_1s_Runn1ng_H3r3}
What was the User’s path in the Challenge #2 log file?
SIGMA_AOC2022\Bandit Yeti
What is the Challenge #3 flag?
THM{sch3dule_0npo1nt_101}
What was the MD5 hash associated with Challenge #3 logs?
2F6CE97FAF2D5EEA919E4393BDD416A7