InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties…


Threat Hunting With YARA — Motion Graphics Writeup TryHackMe || Detailed Walkthrough || SuNnY

Detailed motion graphics writeup for the Room Threat Hunting with Yara

Room Difficulty: Easy

Room name: Threat Hunting With YARA
This is a free room: anyone can deploy the virtual machines in it without being subscribed.

Kudos to the Creators of this Room →

Task 1 : Introduction

This module covers the basics, such as the learning objectives and prerequisites.
It's advised to go through this module at least once.

No answer needed 

Task 2 : Scenario Description

Question 1 : What technique does ID T1134 describe?


Access Token Manipulation:
This technique involves manipulating access tokens to escalate privileges or to impersonate a different user on the system.

Question 2 : What does the detection rule M_APT_Dropper_Rootsaw_Obfuscated detect?


Detects obfuscated ROOTSAW payloads :
The rule is designed to identify obfuscated versions of the ROOTSAW malware, specifically by looking for certain strings and code patterns used in its payload.

We have successfully completed Task 2 !

Task 3 : Opportunities for Threat Hunting

Question 1 : Which threat hunting style is proactive and uses indicators of attack and TTPs?

Structured hunting is a proactive approach to threat hunting where the focus is on detecting attacks early in the kill chain using Indicators of Attack (IOAs) and Tactics, Techniques, and Procedures (TTPs) of threat actors. This style involves creating a hypothesis about potential threats based on known attack patterns and behaviors, often using frameworks like MITRE ATT&CK.

Structured Hunting

Question 2 : In which phase of the threat hunting process are tools like YARA or Volatility used?

The Investigation phase is when threat hunters actively look for evidence of malicious activity after a trigger has been identified. They use various tools to analyze data and find anomalies:

YARA: Used for pattern matching to detect specific malware signatures.

Volatility: A memory forensics tool to analyze volatile data and look for signs of malicious activity.

Investigation

Question 3 : You have received a threat intelligence report consisting only of Indicators of Compromise. What threat hunting style do you recommend to use?

When the threat intelligence report consists solely of Indicators of Compromise (IOCs) (e.g., hashes, IP addresses, domains), the hunting style best suited is Unstructured Hunting. This style focuses on searching the environment based on these indicators to detect potential infections.

Unstructured Hunting uses IOCs to fuel its search for threats, rather than relying on TTPs or a hypothesis about the attack.

It is often referred to as intel-based hunting because it leverages intelligence from sources like security blogs, threat feeds, and shared IOCs.

Unstructured Hunting

Task 3 is now Complete !

Task 4 : YARA: Introduction

Question : Apart from the rule name, which other section is also required in a YARA rule?

In a YARA rule, only two parts are mandatory: the rule name and the condition. The rule name identifies the purpose of the rule, while the condition specifies the logic for matching the malware.

The condition section is where the actual logic is defined to identify the malware. It uses Boolean operators to match the strings specified in the rule against files. If these conditions are met, YARA flags the file as a potential match.

The other sections of a YARA rule — meta and strings — are optional but recommended for clarity and effectiveness:

Meta provides additional descriptive information like the author or purpose of the rule.

Strings includes patterns or unique identifiers of the malware, which are referenced in the condition section to set the logic.

So, even though meta and strings enhance the functionality and readability of a YARA rule, they are not essential for a YARA rule to run. Only the rule name and condition are required.

condition

Task 4 is now Complete !

Task 5 : YARA: Strings and Conditions

Question 1 : What modifier should be used if you want to search for 2-byte encoded characters?

In YARA rules, strings can be encoded in different ways. One common encoding is wide-character encoding, where each character is represented by two bytes instead of one. This is often found in Windows executables and Unicode strings. To match such strings in YARA, you use the wide modifier.

For example:

rule wideTextString
{
    strings:
        $1 = "example" wide
    condition:
        $1
}

In this case, the string "example" will match the 2-byte encoded version like e\x00x\x00a\x00m\x00p\x00l\x00e\x00.

wide

Question 2 : What condition should be used if you want to exclude the defined strings from the matching process?

The condition none of them makes the rule match only when none of the defined strings is present in the file. This is useful when you want the presence of certain patterns to exclude a file from the results.

For example:

rule excludeStrings
{
    strings:
        $1 = "string1"
        $2 = "string2"
        $3 = "string3"
    condition:
        none of them
}

In this case, the rule will only match files that do not contain any of the specified strings (string1, string2, or string3).
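To make the two points above concrete (the wide modifier from Question 1 and the none of them quantifier from Question 2), here is an added Python model of those YARA semantics. It is not part of the room or of the YARA project: a real YARA engine is a compiled matcher, and this only reproduces how a wide string is encoded and how the of them quantifiers are evaluated. The sample buffers (ASCII_FILE, WIDE_FILE, CLEAN_FILE) are constructed for the example.

```python
# Added example (not from the TryHackMe room or the YARA project): a small
# Python model of the `wide` string modifier and the `N of them` /
# `none of them` condition quantifiers.
from typing import Dict

def encode_pattern(text: str, wide: bool = False) -> bytes:
    """Return the byte pattern YARA looks for: plain ASCII, or 2-byte
    (UTF-16LE) characters when the `wide` modifier is used."""
    return text.encode("utf-16-le") if wide else text.encode("ascii")

def match_strings(data: bytes, strings: Dict[str, tuple]) -> Dict[str, bool]:
    """strings maps identifier -> (text, wide_flag); report which ones occur in data."""
    return {ident: encode_pattern(text, wide) in data
            for ident, (text, wide) in strings.items()}

def evaluate(hits: Dict[str, bool], quantifier: str) -> bool:
    """Evaluate 'any of them', 'all of them', 'none of them' or '<N> of them'."""
    count = sum(hits.values())
    if quantifier == "any of them":
        return count >= 1
    if quantifier == "all of them":
        return count == len(hits)
    if quantifier == "none of them":
        return count == 0
    n, _, rest = quantifier.partition(" of ")
    if rest == "them" and n.isdigit():
        return count >= int(n)
    raise ValueError(f"unsupported quantifier: {quantifier!r}")

# Constructed sample buffers (not files from the room).
ASCII_FILE = b"log line: example found here\n"
WIDE_FILE = "example".encode("utf-16-le") + b"\x00\x00"   # e\x00x\x00a\x00m\x00p\x00l\x00e\x00
CLEAN_FILE = b"nothing of interest\n"

def wide_rule_matches(data: bytes) -> bool:
    """Model of rule wideTextString: $1 = "example" wide; condition: $1.
    A wide-only string does NOT match the plain ASCII form (that needs `ascii wide`)."""
    return match_strings(data, {"$1": ("example", True)})["$1"]

def exclude_rule_matches(data: bytes) -> bool:
    """Model of rule excludeStrings: three plain strings; condition: none of them."""
    hits = match_strings(data, {"$1": ("string1", False),
                                "$2": ("string2", False),
                                "$3": ("string3", False)})
    return evaluate(hits, "none of them")

if __name__ == "__main__":
    print("wide pattern bytes:", encode_pattern("example", wide=True))
    for name, buf in [("ASCII_FILE", ASCII_FILE), ("WIDE_FILE", WIDE_FILE), ("CLEAN_FILE", CLEAN_FILE)]:
        print(f"{name}: wide rule={wide_rule_matches(buf)} exclude rule={exclude_rule_matches(buf)}")
```

Running the block shows that the wide rule hits only the UTF-16LE buffer, which is the practical reason rules aimed at Windows binaries usually declare strings as ascii wide rather than wide alone.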

Task 5 is now successfully Complete !

Task 6 : Environment and Setup

This task requires us to start the VM (or install YARA locally).
The login credentials are given below →
(Credentials are only required if you connect to the VM from your own machine through the VPN.)


All files used in this and the following tasks are located in →

C:\TMP\

Now let's start the VM. The machine starts in split view;
give it some time to boot completely →


Credentials are also shared if you want to connect using RDP →

Username : analyst
Password : THM-threathuntingwithyara

IP : 10.10.x.x (the last two octets will differ on your deployment)

For this room we are going to use the Attackbox

Task 7 : YARA: How To Use YARA Rules To Hunt for Indicators of Compromise

This module has some crucial information;
it's advised to read it thoroughly before proceeding.

Question : What option do you need to pass to ensure you scan all directories recursively?

The -r flag (or --recursive) is used when you want to scan not only the specified directory but also all subdirectories within it.
This is essential if you are hunting for malware or IOCs in a folder that may contain multiple layers of directories.

Answer : -r
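To show why the recursive option matters, here is an added Python example (not from the room and not YARA itself) that builds a constructed directory tree in a temporary folder and scans it twice with a simple substring "rule": once looking only at top-level files, which mirrors running yara without -r, and once walking every subdirectory, which mirrors -r. The file names and contents are constructed for the example.

```python
# Added example (not from the room): the effect of recursive scanning.
import tempfile
from pathlib import Path
from typing import Dict, List

def scan_tree(root: str, needle: bytes, recursive: bool) -> List[str]:
    """Return relative paths of files under root that contain needle.
    recursive=False examines only top-level files (yara rule.yar DIR);
    recursive=True descends into every subdirectory (yara -r rule.yar DIR)."""
    root_path = Path(root)
    candidates = root_path.rglob("*") if recursive else root_path.glob("*")
    hits = []
    for path in sorted(candidates):
        if path.is_file() and needle in path.read_bytes():
            hits.append(path.relative_to(root_path).as_posix())
    return hits

def build_sample_tree(root: str) -> None:
    """Constructed layout: one match at the top level, one two folders deep."""
    files = {
        "top.txt": b"nothing here",
        "flag_top.txt": b"THM{constructed-top-level}",
        "nested/deeper/flag_nested.txt": b"THM{constructed-nested}",
        "nested/other.txt": b"benign",
    }
    for rel, content in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)

def demo() -> Dict[str, List[str]]:
    """Scan the constructed tree both ways and return the two result lists."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return {
            "flat": scan_tree(tmp, b"THM{", recursive=False),
            "recursive": scan_tree(tmp, b"THM{", recursive=True),
        }

if __name__ == "__main__":
    for mode, hits in demo().items():
        print(f"{mode:>9}: {hits}")
```

The non-recursive pass silently misses the nested file, which is exactly the gap -r closes when an indicator may sit anywhere under a user profile or a program directory.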

Task 7 is now Complete !

Task 8 : Indicators of Compromise Detected — Now What

Question : What does DAIR stand for?

Dynamic Approach to Incident Response

Task 8 is now Complete !

Task 9 : YARA: Hands-on Exercise

There are some hints for this module already shared with us →

Question 1 : What is the flag found in exercise 1?

→ Open PowerShell or CMD and change the directory to C:\TMP:
cd C:\TMP\
To list the contents of the directory on Windows, use:
dir

The question asks us to write a YARA rule that matches the pattern THM{};
the path to the target is → C:\TMP\Exercise1

There are two ways of doing this exercise; the second one just confirms the flag value →

THE INTENDED WAY →

YARA Rule:

rule FindTHMFlag {
    strings:
        $pattern = "THM"
    condition:
        $pattern
}

Let's select an already created YARA rule file from the C:\tmp\YARARULES folder, then copy and paste the above YARA rule into it to get to the flag →


YARA Command:

yara64.exe C:\TMP\YARARULES\myfirstrule.yar C:\TMP\Exercise1\

This rule flags any file containing the string THM, the prefix of the flag format THM{}. The output lists the matching file name, and that file holds your flag.

THE UNINTENDED WAY ( To confirm the answer ) →

If you want to learn YARA rules, avoid this way entirely;
but since you will check it anyway, here it is →

Now change the directory to Exercise1 and check its contents.

We see around 100 files named file1.txt to file100.txt.

Since all the text files look almost identical apart from the numbering,
we have to find another way of spotting the odd one out.

If you look closely, all the text files from 1 to 100
have the same size, 524288 bytes, except one: file26.txt.

On checking the contents of file26.txt we find the flag !

One Way of checking the contents would be →

type file26.txt

On Windows we use the type command to print a file's contents; in PowerShell you can also use Get-Content,
and on Linux it's the cat command.

Since the file has a lot of gibberish put inside ,
it would be difficult to spot the flag for some ,
so let’s also do the second way

Open File Explorer and Navigate to TMP\Exercise1 and then double click the file26.txt to open its content →


Answer : THM{Threathuntingisawesome}

Question 2 : What is the filename found in exercise 2? (Format: filename.extension)

Let’s do the same thing we did with exercise 1 ( Question 1 )
Change the directory to C:\TMP\Exercise2

rule FindAcronymFile {
    strings:
        $str1 = "Yet another" wide
        $str2 = "Ridiculous acronym" wide
    condition:
        2 of them
}

Answer : file10.txt

Question 3 : What is the filename found in exercise 3? (Format: filename.extension)

rule FindBase64Flag {
    strings:
        $base64str = "VEhNe1RoaXMgd2FzIGEgcmVhbGx5IGZ1biBleGVyY2lzZX0="
    condition:
        $base64str
}

Answer : file13.txt

Question 4 : What was the XOR key used for encryption in exercise 4?

By Now you should already be doing the next steps on your own !

Answer : 0x01

Question 5 : What encrypted string did you find in exercise 4?

Answer : UILzGntoeRnlduihofIheedo|

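Exercises 3 and 4 both hunt for an indicator that is stored in an encoded form, so here is an added Python example (not from the room) that works through both encodings. Part one decodes the base64 string from the exercise 3 rule, which shows why the YARA string had to be written in its encoded form: the file on disk holds the base64 text, not the plaintext. Part two takes the encrypted string reported for exercise 4 and recovers the single-byte XOR key by trying all 256 keys and keeping the one whose output starts with the flag prefix THM{, which confirms the 0x01 answer above. The only inputs are the two strings already given in this writeup; the THM{ prefix check is an assumption based on the room's flag format.

```python
# Added example (not from the room): decoding the two encoded indicators
# from exercises 3 and 4 of this writeup.
import base64
from typing import Optional, Tuple

# Values taken from the writeup above.
BASE64_INDICATOR = "VEhNe1RoaXMgd2FzIGEgcmVhbGx5IGZ1biBleGVyY2lzZX0="
XOR_CIPHERTEXT = b"UILzGntoeRnlduihofIheedo|"

def decode_base64_indicator(encoded: str) -> str:
    """A file holding base64 text only matches the encoded form, so the YARA
    string must be encoded too (or declared with YARA's `base64` modifier).
    Decoding reveals what the indicator actually represents."""
    return base64.b64decode(encoded).decode("ascii")

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key; applying it twice restores the input."""
    return bytes(b ^ key for b in data)

def recover_single_byte_xor(ciphertext: bytes,
                            known_prefix: bytes = b"THM{") -> Optional[Tuple[int, str]]:
    """Try all 256 keys and return (key, plaintext) for the first output that
    starts with the expected flag prefix and is entirely printable ASCII.
    The prefix is an assumption based on the room's THM{...} flag format."""
    for key in range(256):
        candidate = xor_bytes(ciphertext, key)
        if candidate.startswith(known_prefix) and all(32 <= b < 127 for b in candidate):
            return key, candidate.decode("ascii")
    return None

if __name__ == "__main__":
    print("exercise 3 indicator decodes to:", decode_base64_indicator(BASE64_INDICATOR))
    result = recover_single_byte_xor(XOR_CIPHERTEXT)
    if result is None:
        print("no key produced a printable THM{ flag")
    else:
        key, plaintext = result
        print(f"exercise 4 key: 0x{key:02x}  plaintext: {plaintext}")
```

Because the rule in exercise 3 matches only the exact base64 string, a shifted or differently padded encoding of the same plaintext would slip past it; that is the gap YARA's base64 modifier exists to close, and it is the same reason the XOR exercise cannot be solved by a plaintext string rule.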

Task 9 is now successfully Done !

Task 10 : Conclusion

Task 10 is now complete !

Congratulations ! We have solved the room together !

If you want to get the latest TryHackMe writeups delivered, go ahead and follow me on Medium and also hit the notify-by-email button.

Let’s Connect on Linkedin → https://linkedin.com/in/sunnysinghverma

You can also give me Respect on Hack The Box if you want; I would really appreciate it :)

https://app.hackthebox.com/users/1585635

My TryHackMe Profile Page →

https://tryhackme.com/p/SuNnY

Hope you have enjoyed solving this room as much as I did. If you did, you can add a clap to this article to let me know, and if you loved it you can click the clap icon up to 50 times; that will make my day 🤗
You can also follow me on Medium to get more articles about CTFs and cybersecurity in the near future, but don't forget to hit the email notification icon right next to the follow button.

Thank you !
SuNnY



Blogger | Security+ | eJPT | PJPT | CEH-Master | eCPPT | PNPT | CHFI | HTB-CPTS CDSA | RHCSA | TryHackMe Top 50 Global | HTB-Elite H@cker | Follow for updates

Responses (1)


great as always
