YARA & Sigma for SOC Analysts - Skill assessment

Hi. I can't figure out the answer to the first question in the skill assessment of the above module. I've tried everything taught in this module's Windows section (string analysis). The question is asking to inspect the seatbelt.exe file and specify a string that could be used to detect the exe using a YARA rule. There is a hint stating the string starts with 'L' and ends with 'r'. I've tried using HxD but couldn't find the string. I've also tried 010 as it offers searching using wildcards but couldn't find the string. Has anyone else run into this issue and if so, could you please point me in the right direction? Thanks in advance.

1 Like

grep '^L.*r$'

2 Likes

Stuck on this question as well. Can you give a hint on how to solve this one? This is the only question I got stumped on.

I found the answer using this way as well, however I am wondering how the module would expect us to know this is the correct answer without going about it this way? What is special about that string?

Can you explain to me how to do this? The file is on the Windows machine and this command is from Linux. Any hint?

You can transfer the Seatbelt.exe file from the RDP to your Linux machine with this command:
xfreerdp /v:TargetIP /u:htb-student /p:HTB_@cademy_stdnt! /cert:ignore +drive:smbfolder,/home/htb-ac-xxxxxx

This will create a shared folder in the RDP
The shared folder will be available in the Network folder.

If you have any issues, just let me know

But I couldn’t find the answer yet

Hey, I tried to use the following command, but it didn't find any answer:

hexdump Seatbelt.exe -C | grep ^L.*r$ -n3

Did you use a different command?

You can use the Windows strings tool from Sysinternals, located under the C:\tools folder.

1 Like

Thanks man for the help
This command helped me find the answer

Just to correct you: in the command you put the * at the beginning instead of in the match.
This is how it should look
Get-Content -Path output.txt | Where-Object { $_ -match '^L.*r$' }

I think there was something wrong when you pasted the command here

Again thanks man

1 Like

Indeed, the * shouldn't be there. I wanted to put emphasis on the commands to highlight them.

HF with other modules!

1 Like

It's EZ!! Here I go:

strings C:\Samples\YARASigma\Seatbelt.exe | Select-String -Pattern "^L.*r$"

one of those it is…

bye friends! :smiley:

PS: For the second exercise it's even easier, just type this command:

C:\Tools\chainsaw> .\chainsaw_x86_64-pc-windows-msvc.exe hunt C:\Events\YARASigma\lab_events_6.evtx -s C:\Tools\chainsaw\sigma\rules\windows\powershell\powershell_script\posh_ps_susp_win32_shadowcopy.yml --mapping .\mappings\sigma-event-logs-all.yml
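The posts above all converge on the same workflow: pull printable strings out of the PE, filter them with the regex ^L.*r$, and put the survivor in a YARA rule. Two details bite people on the way: Sysinternals strings.exe reports both ASCII and UTF-16LE ("wide") strings by default, whereas GNU strings only reports ASCII runs unless you pass -e l, and piping hexdump -C into grep ^L can never match because every hexdump line starts with an offset, not the string. The Python below is an added example (not from the module, the thread, or the Seatbelt project) that does the extraction for both encodings, applies the regex, and emits a YARA rule with the right ascii/wide modifier per string. SAMPLE is a constructed fake PE blob, not Seatbelt.exe, and the strings in it are placeholders, not the assessment's answer; the rule name is arbitrary.

```python
import re
from typing import List, Tuple

# Constructed sample, NOT the real Seatbelt.exe: a fake PE-like blob holding
# both ASCII and UTF-16LE ("wide") strings so both string kinds are exercised.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"This program cannot be run in DOS mode.\r\n$" + b"\x00" * 8
    + b"Lorem ipsum dolor" + b"\x00" * 4            # ASCII: starts with L, ends with r
    + "Launcher".encode("utf-16-le") + b"\x00" * 4  # wide:  starts with L, ends with r
    + b"kernel32.dll\x00GetProcAddress\x00" + b"\x00" * 8
)

Candidate = Tuple[int, str, str]  # (offset, "ascii" | "wide", text)


def extract_strings(data: bytes, min_len: int = 4) -> List[Candidate]:
    """Return printable ASCII and UTF-16LE runs of at least min_len characters,
    sorted by file offset. This mirrors the default behaviour of Sysinternals
    strings.exe; GNU strings only reports the ASCII runs unless given -e l."""
    n = str(min_len).encode()
    ascii_re = re.compile(rb"[\x20-\x7e]{" + n + rb",}")
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){" + n + rb",}")
    found: List[Candidate] = []
    for m in ascii_re.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in wide_re.finditer(data):
        found.append((m.start(), "wide", m.group().decode("utf-16-le")))
    return sorted(found)


def find_candidates(data: bytes, pattern: str, min_len: int = 4) -> List[Candidate]:
    """Keep only the extracted strings matching a regex, e.g. the thread's ^L.*r$."""
    rx = re.compile(pattern)
    return [c for c in extract_strings(data, min_len) if rx.search(c[2])]


def make_yara_rule(name: str, candidates: List[Candidate]) -> str:
    """Emit a YARA rule whose strings carry the modifier matching the encoding
    they were found in, gated on the MZ header so it only fires on PE files."""
    lines = [f"rule {name}", "{", "    strings:"]
    for i, (_, enc, text) in enumerate(candidates):
        escaped = text.replace("\\", "\\\\").replace('"', '\\"')
        lines.append(f'        $s{i} = "{escaped}" {enc}')
    lines += ["    condition:", "        uint16(0) == 0x5A4D and any of them", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    cands = find_candidates(SAMPLE, r"^L.*r$")
    for off, enc, text in cands:
        print(f"0x{off:08x} {enc:5} {text}")
    print(make_yara_rule("Seatbelt_string_candidates", cands))
```

To run this against the real sample, replace SAMPLE with open("Seatbelt.exe", "rb").read(). If the string you settle on only shows up in the wide list, the YARA rule needs the wide modifier (or wide ascii) or it will never match the binary.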

Glad you found the answer!
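The chainsaw command a few posts up hunts one Sigma rule over one evtx file, which hides what the evaluation actually does. The Python below is an added example (not from the module, chainsaw, or the Sigma project) that implements a subset of Sigma detection semantics: a selection map is an AND over fields, a list of values is an OR, field modifiers like contains/startswith/endswith/re are honoured, and a condition such as "selection and not filter" combines the named selections. Both the rule and the script block events are constructed for the example; they are not posh_ps_susp_win32_shadowcopy.yml or the contents of lab_events_6.evtx.

```python
import re
from typing import Any, Dict, List

# Constructed PowerShell script block events (EID 4104-style records), NOT
# taken from lab_events_6.evtx. Field names follow the PowerShell event fields.
EVENTS = [
    {"EventID": 4104, "ScriptBlockText": "Get-WmiObject -Class Win32_ShadowCopy | % { $_.Delete() }"},
    {"EventID": 4104, "ScriptBlockText": "Get-ChildItem -Path C:\\Users -Recurse"},
    {"EventID": 4104, "ScriptBlockText": "Get-CimInstance Win32_ShadowCopy | Select-Object ID,InstallDate"},
    {"EventID": 4103, "ScriptBlockText": "vssadmin list shadows"},
]

# Constructed rule in Sigma's detection layout (not the real
# posh_ps_susp_win32_shadowcopy.yml): a selection, a filter, and a condition.
RULE = {
    "title": "Win32_ShadowCopy use in PowerShell script block (constructed)",
    "detection": {
        "selection": {"EventID": 4104, "ScriptBlockText|contains": ["Win32_ShadowCopy"]},
        "filter_readonly": {"ScriptBlockText|contains": "Select-Object"},
        "condition": "selection and not filter_readonly",
    },
}


def _match_value(actual: Any, expected: Any, modifier: str) -> bool:
    """Compare one field value under one Sigma modifier (case-insensitive)."""
    a, e = str(actual), str(expected)
    if modifier == "contains":
        return e.lower() in a.lower()
    if modifier == "startswith":
        return a.lower().startswith(e.lower())
    if modifier == "endswith":
        return a.lower().endswith(e.lower())
    if modifier == "re":
        return re.search(e, a) is not None
    return a.lower() == e.lower()


def _match_selection(event: Dict[str, Any], selection: Dict[str, Any]) -> bool:
    """Every field in a selection must match (AND); a list of values is OR.
    Only the first modifier after the field name is handled here."""
    for key, expected in selection.items():
        field, _, modifiers = key.partition("|")
        modifier = modifiers.split("|")[0]
        if field not in event:
            return False
        values = expected if isinstance(expected, list) else [expected]
        if not any(_match_value(event[field], v, modifier) for v in values):
            return False
    return True


def _eval_condition(condition: str, results: Dict[str, bool]) -> bool:
    """Evaluate 'a and not b or c' style conditions (no parentheses),
    with precedence not > and > or."""
    for or_term in condition.split(" or "):
        ok = True
        for factor in or_term.split(" and "):
            negate = factor.startswith("not ")
            name = factor[4:] if negate else factor
            ok = ok and (results[name.strip()] != negate)
        if ok:
            return True
    return False


def hunt(events: List[Dict[str, Any]], rule: Dict[str, Any]) -> List[int]:
    """Return the indices of the events the rule fires on."""
    detection = rule["detection"]
    names = [k for k in detection if k != "condition"]
    hits = []
    for i, ev in enumerate(events):
        results = {n: _match_selection(ev, detection[n]) for n in names}
        if _eval_condition(detection["condition"], results):
            hits.append(i)
    return hits


if __name__ == "__main__":
    for i in hunt(EVENTS, RULE):
        print(RULE["title"], "->", EVENTS[i]["ScriptBlockText"])
```

Only the first event fires: the second has no Win32_ShadowCopy reference, the third is excluded by the filter, and the fourth is not a 4104 script block event. That is the same selection/filter/condition logic chainsaw applies, with its --mapping file doing the job of renaming raw evtx fields to the names the rule uses.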