Walkthrough of the Yara room.
Task 1: Introduction
Answer: No answer required.
Task 2: What is Yara?
What is the name of the base-16 numbering system that Yara can detect?
Answer: hex
Would the text “Enter your Name” be a string in an application? (Yay/Nay)
Answer: Yay
Task 3: Installing Yara (Ubuntu/Debian & Windows)
I’ve installed Yara and/or am using the attached VM!
Answer: No answer required.
Task 4: Deploy
I’ve either connected to my instance or installed Yara on my own operating system!
Answer: No answer required.
Task 5: Introduction to Yara Rules
One rule to – well – rule them all.
Answer: No answer required.
Task 6: Expanding on Yara Rules
Upwards and onwards…
Answer: No answer required.
Task 7: Yara Modules
Sounds pretty cool!
Answer: No answer required.
Task 8: Other tools and Yara
Cool tools. I’m ready to use one of them.
Answer: No answer required.
Task 9: Using LOKI and its Yara rule set
Scan file 1. Does Loki detect this file as suspicious/malicious or benign?
Answer: Suspicious
What Yara rule did it match on?
Answer: webshell_metaslsoft
What does Loki classify this file as?
Answer: Web Shell
Based on the output, what string within the Yara rule did it match on?
Answer: Str1
What is the name and version of this hack tool?
Answer: b374d 2.2
Inspect the actual Yara file that flagged file 1. Within this rule, how many strings are there to flag this file?
Answer: 1
Scan file 2. Does Loki detect this file as suspicious/malicious or benign?
Answer: Benign
Inspect file 2. What is the name and version of this web shell?
Answer: b374k 3.2.3
Task 10: Creating Yara rules with yarGen
From within the root of the suspicious files directory, what command would you run to test Yara and your Yara rule against file 2?
Answer: yara file2.yar file2/1ndex.php
Did the Yara rule flag file 2? (Yay/Nay)
Answer: Yay
Copy the Yara rule you created into the Loki signatures directory.
Answer: No answer required.
Test the Yara rule with Loki, does it flag file 2? (Yay/Nay)
Answer: Yay
What is the name of the variable for the string that it matched on?
Answer: Zepto
Inspect the Yara rule. How many strings were generated?
Answer: 20
One of the conditions to match on the Yara rule specifies file size. The file has to be less than what amount?
Answer: 700KB
Task 11: Valhalla
Enter the SHA256 hash of file 1 into Valhalla. Is this file attributed to an APT group? (Yay/Nay)
Answer: Yay
Do the same for file 2. What is the name of the first Yara rule to detect file 2?
Answer: Webshell_b374_rule1
Examine the information for file 2 from VirusTotal (VT). The Yara Signature Match is from what scanner?
Answer: THOR APT Scanner
Enter the SHA256 hash of file 2 into VirusTotal. Did every AV detect this as malicious? (Yay/Nay)
Answer: Nay
Besides .PHP, what other extension is recorded for this file?
Answer: EXE
Back in Valhalla, inspect the Info for this rule. Under Statistics, what was the highest rule match per month in the last 2 years? (YYYY/M)
Answer: 2021/3
What JavaScript library is used by file 2?
Answer: Zepto
Is this Yara rule in the default Yara file Loki uses to detect this type of hack tool?
Answer: Nay
Task 12: Conclusion
Answer: No answer required.
Written by: Jamie Ngo
April 2, 2024
Copyright 2021