Working with IDS/IPS - Skills Assessment Suricata

Hello,

the task for the Suricata skill assessment is about completing a rule for detecting WMI execution. I guessed the correct answer after 70 minutes, but I have no idea why it is correct or if I even understood the question.

The task: There is a file […], which contains network traffic related to WMI execution. Add yet another content keyword right after the msg part of the rule with sid 2024233 within the local.rules file so that an alert is triggered and enter the specified payload as your answer. Answer format: C____e

My interpretation: I need to find the right value for the additional content field. The answer is the value to which I set the new content field "content": "myanswer".

I first activated the unaltered rule with its two pre-existing content filter values and ran Suricata on the pcap. The problem is, the unchanged rule already created an alert for me, and inspection with Wireshark yields that this alert indeed flags the correct packet. So I was already stumped as to what I should do with that rule at all. As I said, after tinkering for 70 minutes I just guessed the answer. I then also tried it out by adding the relevant content filter to the rule, which resulted in the exact same alert(s) as before.

Is it possible for someone to explain to me how one should derive the correct answer without spoiling the task completely?

Hmm
Just try the following: Carefully review the task description and WMI discovery rules. Try to identify the key elements and symptoms associated with WMI execution to determine the correct answer. It may also be worth seeking help from more experienced users or teachers for further clarification or tips.

Did you end up figuring out why? Please help.

As I said, at the time I just guessed it. I replicated it again and my finding is still that the addition of the answer to the rule does not change Suricata’s output for this pcap in any way - the WMI Execution is detected with or without it.

Reading the assignment and the linked article again however, I at least now understand how one would arrive at the answer without much guessing. It has to do with how the process is launched.


Hello, I am currently working on the same question. What command did you use to decode the pcap file?

alert tcp any any -> any any (msg:"WMI Execution Detected"; content:"Win32_ProcessStartup"; content:"powershell"; sid:2024233; rev:2;)

sudo suricata -r /home/htb-student/pcaps/pipekatposhc2.pcap

ja3 -a --json /home/htb-student/pcaps/pipekatposhc2.pcap

# All I'm getting is an open and close bracket as output

Am I using the wrong decoding tool? Or the alert content is wrong?

I figured out the answer, but by using Wireshark inspection of the DCERPC protocol. The WMI, Win32_ProcessStartup and powershell keywords are there in that packet. I still want to understand why my Suricata process is not working.
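Added example (mine, not code from the thread or from the course): a small Python model of how Suricata evaluates several content keywords in one rule, which is the behaviour the earlier reply observed (adding a keyword that is already present in the packet does not change Suricata's output) and the point the previous post is asking about. The rule string is the one quoted above with straight quotes and a plain -> arrow; the payload is constructed here and is not the pcap from the task; the function names are mine. Every content value must be found in the payload (they are ANDed), matching is case-sensitive unless nocase follows the keyword, so a new content only changes the result when the string is absent from the packet.

```python
import re

# Rule quoted in the thread, with straight quotes so Suricata would parse it.
RULE = ('alert tcp any any -> any any (msg:"WMI Execution Detected"; '
        'content:"Win32_ProcessStartup"; content:"powershell"; sid:2024233; rev:2;)')

# Constructed stand-in for a DCERPC packet body; not taken from any capture.
PAYLOAD = (b"\x05\x00\x00\x03" + b"Win32_ProcessStartup" + b"\x00\x00"
           + b"powershell.exe -NoProfile -Command Get-Process" + b"\x00")

_CONTENT_RE = re.compile(r'content:"([^"]*)";(\s*nocase;)?')
_MSG_RE = re.compile(r'msg:"[^"]*";')


def parse_contents(rule):
    """Return [(value_bytes, nocase_flag), ...] for each content keyword, in rule order.
    Only the plain quoted form is handled; |hex| notation and other modifiers are ignored."""
    return [(m.group(1).encode(), m.group(2) is not None) for m in _CONTENT_RE.finditer(rule)]


def rule_matches(rule, payload):
    """True only if every content value occurs in the payload (Suricata ANDs them).
    Comparison is case-sensitive unless that content is followed by nocase."""
    for value, nocase in parse_contents(rule):
        if nocase:
            if value.lower() not in payload.lower():
                return False
        elif value not in payload:
            return False
    return True


def add_content(rule, value, nocase=False):
    """Insert content:"value"; directly after the msg option, as the task wording asks."""
    extra = ' content:"%s";' % value + (" nocase;" if nocase else "")
    return _MSG_RE.sub(lambda m: m.group(0) + extra, rule, count=1)


def count_alerts(rule, payloads):
    """Number of payloads that would raise an alert for this rule."""
    return sum(1 for p in payloads if rule_matches(rule, p))


if __name__ == "__main__":
    print("original rule alerts:", count_alerts(RULE, [PAYLOAD]))
    # A keyword already in the packet leaves the alert count unchanged.
    print("extra present keyword:", count_alerts(add_content(RULE, "powershell.exe"), [PAYLOAD]))
    # A keyword missing from the packet suppresses the alert.
    print("extra absent keyword:", count_alerts(add_content(RULE, "cmd.exe"), [PAYLOAD]))
    # Case matters without nocase.
    print("wrong case:", count_alerts(add_content(RULE, "POWERSHELL"), [PAYLOAD]))
    print("wrong case + nocase:", count_alerts(add_content(RULE, "POWERSHELL", nocase=True), [PAYLOAD]))
```

On a real install the equivalent check is to load only your rules file and read the alert log, for example `suricata -r file.pcap -S local.rules -l ./out` followed by `cat out/fast.log`; each rev of the rule should be compared by alert count and by the packet it fires on, not just by whether an alert appears.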

I have the same question: I also just guessed the answer, I mean I used some logic to make the guessing a bit easier, but still, the task seems to be made poorly. I personally couldn't practise my rule-writing skills with this one :face_exhaling:

That one was odd, it's just a common word you need to add here, starting with C and ending with e. I have no clue what the difference is with and without it.

Can you give a hint? I am using Wireshark and I can't find the keyword.