TryHackMe: Threat Hunting With YARA, detailed Write-up
Tags
country: Belgium, Brazil, Germany
maec-delivery-vectors: Watering Hole
attack-pattern: Data Model; Credentials - T1589.001; Malware - T1587.001; Malware - T1588.001; Powershell - T1059.001; Python - T1059.006; Server - T1583.004; Server - T1584.004; Tool - T1588.002; Access Token Manipulation - T1134; Powershell - T1086
Common Information
Type | Value |
---|---|
UUID | 024dc4b6-d9c6-44cb-bb74-5c4c9a455520 |
Fingerprint | 362e1a1d2f1fdf9d |
Analysis status | DONE |
Considered CTI value | -2 |
Text language | |
Published | Nov. 26, 2024, 12:58 a.m. |
Added to db | Nov. 26, 2024, 2:19 a.m. |
Last updated | Dec. 23, 2024, 8:16 a.m. |
Headline | TryHackMe: Threat Hunting With YARA, detailed Write-up |
Title | TryHackMe: Threat Hunting With YARA, detailed Write-up |
Detected Hints/Tags/Attributes | 72/3/32 |
Source URLs
URL Provider
RSS Feed
Details | Id | Enabled | Feed title | Url | Added to db |
---|---|---|---|---|---|
Details | 167 | ✔ | Cybersecurity on Medium | https://medium.com/feed/tag/cybersecurity | 2024-08-30 22:08 |
Attributes
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | Domain | 2 | | waterforvoiceless.org |
Details | Domain | 2 | | invite.zip |
Details | Domain | 2 | | siestakeying.com |
Details | Domain | 103 | | abuse.ch |
Details | File | 2 | | invite.pdf |
Details | File | 5 | | invite.php |
Details | File | 3 | | util.php |
Details | File | 2 | | invite.txt |
Details | File | 2 | | invite.zip |
Details | File | 4 | | sqldumper.exe |
Details | File | 77 | | vcruntime140.dll |
Details | File | 25 | | auth.php |
Details | File | 111 | | test.txt |
Details | File | 1 | | file10.txt |
Details | File | 1 | | file13.txt |
Details | MITRE ATT&CK Techniques | 135 | | T1134 |
Details | Threat Actor Identifier - APT | 807 | | APT29 |
Details | Url | 2 | | https://waterforvoiceless.org/invite.php |
Details | Url | 2 | | https://waterforvoiceless.org/util.php |
Details | Url | 2 | | https://siestakeying.com/auth.php |
Details | Yara rule | 1 | | rule myfirstrule { meta: Description = "Searches for the string THM{}" Author = "Rosana" strings: $s = "THM{" condition: $s } |
Details | Yara rule | 1 | | rule myfirstrule { meta: Description = "Searches for the filename found in exercise 2. (Format: filename.extension)" Author = "Rosana" strings: $provided_string1 = "Yet another" wide $provided_string2 = "Ridiculous acronym" wide condition: all of them } |
Details | Yara rule | 1 | | rule mythirdrule { meta: Description = "Searches for the filename in exercise 3. (Format: filename.extension)" Author = "Rosana" strings: $provided_string1 = "THM{This was a really fun exercise}" base64 condition: $provided_string1 } |
Details | Yara rule | 1 | | rule myfourthrule { meta: Description = "Searches for the filename in exercise 4." Author = "Rosana" strings: $provided_string1 = "THM{FoundSomethingHidden}" xor condition: $provided_string1 } |