Update README.md
qjerome authored Oct 22, 2019
1 parent 279ad16 commit bfe7dd1
Showing 1 changed file with 21 additions and 17 deletions.
38 changes: 21 additions & 17 deletions 2019/hack.lu/README.md
Expand Up @@ -2,6 +2,11 @@

## Outline

1. Introduction to WHIDS
2. WHIDS Installation and feature exploration
3. Writing rules: methodology and practical exercises
4. Putting everything together: one case study of your choice will be given to you and the objective will be to write your own rule(s)

The workshop will be in four parts, trying to put the focus on hands-on.
After this workshop, the attendees will be able to:

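Review bot: the sentence `The workshop will be in four parts, trying to put the focus on hands-on.` now sits after the four-item list it introduces; move it directly under the `## Outline` heading, ahead of `1. Introduction to WHIDS`, and tighten it to "The workshop is split into four parts with a focus on hands-on exercises." Item 4 is also a long run-on; "4. Putting everything together: a case study of your choice, for which you write your own rule(s)" reads cleaner.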
Expand All @@ -10,11 +15,6 @@ After this workshop, the attendees will be able to:
* Write custom detection rules
* Use helper tools like [Gene](https://github.com/0xrawsec/gene)

1. Introduction to WHIDS
2. WHIDS Installation and feature exploration
3. Writing rules: methodology and practical exercises
4. Putting everything together: one case study of your choice will be given to you and the objective will be to write your own rule(s)

## Materials

* One Windows 10 VM will be provided
Expand All @@ -39,36 +39,40 @@ events and create rules for those.
An attacker has gained access to your system and managed to elevate his privileges.
His goal is now to prevent you from receiving the logs of the machine.

Q1: There is one event in particular event which is typical of this technique. Hunt for it and create a rule (use of test flag operator would be appreciated).
**Q1**: There is one event in particular event which is typical of this technique. Hunt for it and create a rule (use of test flag operator would be appreciated).

#### Exercise 1.2: Maldoc has been run

A malicious document has been opened on the machine.

Q1: Identify the dropper and build a rule for it. Do you have an idea why the dropper payload is not executed by WINWORD ?
Q2: Identify the drop sites and create a rule for it (create a container rule).
**Q1**: Identify the dropper and build a rule for it. Do you have an idea why the dropper payload is not executed by WINWORD ?

**Q2**: Identify the drop sites and create a rule for it (create a container rule).

#### Exercise 1.3: Executable malware has been run

One of your colleague has received an email with a link.
He downloaded an executable and executed it.

#### Exercise 1.4: RAT
#### Exercise 1.4: RAT

A machine has been compromised by a Remote Administration Tool malware.
The SOC also told you that the credentials of the user were used on an unusual machine.

Q1: Identify its persistence mechanism and create a rule for it.
Q2: Credential stealing is often done with accessing the memory of a specific service. Identify that event and create a rule to catch it (use of test flag operator would be appereciated).
Q3: Create rules matching the command lines executed by the RAT
**Q1**: Identify its persistence mechanism and create a rule for it.

**Q2**: Credential stealing is often done with accessing the memory of a specific service. Identify that event and create a rule to catch it (use of test flag operator would be appereciated).

**Q3**: Create rules matching the command lines executed by the RAT

#### Exercise 1.5: Reflective PE Loading (windows 7)

During an incident you have identified that a threat actor is using a particular
technique to inject code into a foreign process.

Q1: Identify the suspicious patterns and create rule(s) for it.
Q2: Can you imagine another implementation of this technique that would bypass the rules you have just created ? How ?
**Q1**: Identify the suspicious patterns and create rule(s) for it.

**Q2**: Can you imagine another implementation of this technique that would bypass the rules you have just created ? How ?

### Case Study:

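Review bot: the rewritten question lines carry over typos from the old text, and since these lines are being replaced anyway they should be fixed here: `**Q1**: There is one event in particular event which is typical of this technique.` has a doubled "event" (should be "There is one event in particular which is typical of this technique"), `(use of test flag operator would be appereciated)` under Exercise 1.4 Q2 should read "appreciated", and "One of your colleague has received an email" should be "One of your colleagues". Smaller nits: drop the space before "?" in "WINWORD ?" and "How ?", capitalize "windows 7" in the Exercise 1.5 heading, and end Q3 of Exercise 1.4 with a period. Exercise 1.3 still has no numbered question; either add one in the same `**Q1**:` format or say explicitly that attendees are expected to hunt without a hint.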
Expand Down Expand Up @@ -105,14 +109,14 @@ Create rules to catch instances of that malware
A malware reverser (or you :)) found out a new technique used by a malware or an attacker.
You identified how to replicate this technique in a lab and you now want to create a rule allowing you to catch any use of this technique.

Q1: do you understand why this technique is interesting for attackers ?
**Q1**: do you understand why this technique is interesting for attackers ?

Q2: do you remember a rule we have created earlier that would work to detect this technique ?
**Q2**: do you remember a rule we have created earlier that would work to detect this technique ?

## Reference

* Microsoft Sysmon: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
* jq documentation: https://stedolan.github.io/jq/manual/
* Regex syntax used in Gene rules: https://github.com/google/re2/wiki/Syntax
* Gene Documentation: https://github.com/0xrawsec/gene-rules
* Repository of Gene rules: https://github.com/0xrawsec/gene-rules
* Repository of Gene rules: https://github.com/0xrawsec/gene-rules

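Review bot: `* Gene Documentation: https://github.com/0xrawsec/gene-rules` and `* Repository of Gene rules: https://github.com/0xrawsec/gene-rules` point to the same URL, so one of them is almost certainly wrong; the documentation entry most likely belongs on the Gene project repository that the outline already links (https://github.com/0xrawsec/gene). The final two lines also look like a whitespace-only change to the last entry; if this is a trailing-newline fix it is fine, otherwise drop the duplicate. Minor: the new `**Q1**: do you understand ...` and `**Q2**: do you remember ...` start lowercase while every other question on the page starts with a capital; capitalize them for consistency.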