YARA & Sigma for SOC Analysts - Skill assessment

Hi. I can’t figure out the answer to the first question in the skill assessment of the above module. I’ve tried everything taught in this module’s Windows section (string analysis). The question is asking to inspect the seatbelt.exe file and and specify a string that could be used to detect the exe using a yara rule. There is a hint stating the string starts with ’ L ’ and ends with ’ r '. I’ve tried using HxD but couldn’t find the string. I’ve also tried 010 as it offers searching using a wild cards but couldn’t find the string. Has anyone else ran into this issue and if so, could you please point me in the right direction? Thanks in advance.

1 Like

grep ^L.*r$

2 Likes

Stuck on this question as well can you give a hint on how to solve this one.This is the only question i got stumped on.

I found the answer using this way as well, however I am wondering how the module would expect us to know this is the correct answer without going about it this way? What is special about that string?

can you explain me how to do this. the file is in windows machine and this ommand is from linux. any hint

You can transfer the Seatble.exe file from the RDP to your linux machine with these command
xfreerdp /v:TargetIP /u:htb-student /p:HTB_@cademy_stdnt! /cert:ignore +drive:smbfolder,/home/htb-ac-xxxxxx

This will create a shared folder in the RDP
The shared folder will be in available in the Network folder.

If you have any issues, just let me know

But I couldn’t find the answer yet

Hey, I tried to use the following command, but he didn’t find any answer

hexdump Seatbelt.exe -C | grep ^L.*r$ -n3

Did you used a different command?

You can use Windows strings from sysinternals, located under C:\tools folder.

strings.exe “C:\Samples\YARASigma\Seatbelt.exe” > output.txt
then query file with PS matching to filter.

Get-Content -Path output.txt | Where-Object { $_ -match ‘^L.*r$’ }
One of the listed values is the answer.

1 Like

Thanks man for the help
This command helped me find the answer

just to correct you, in the command you put the * in the beginning instead in the match
This is how it should look
Get-Content -Path output.txt | Where-Object { $_ -match '^L.*r$’ }

I think there was something wrong when you pasted the command here

Again thanks man

1 Like

Indeed * shouldn’t be there. I wanted to put Emphasis on the commands to highlight these.

HF with other modules!

1 Like