THM AOC2024 DAY 6: Malware Mayhem and Detection Mastery
Every December, TryHackMe's Advent of Cyber delivers 24 free daily cybersecurity challenges, offering hands-on scenarios that simulate real-world attacks and defenses. Designed for beginners and professionals alike, it's an exciting, gamified way to explore topics like threat hunting, penetration testing, cryptography, and more. This event is perfect for building skills, gaining practical experience, and spreading some cybersecurity cheer during the festive season!
Learning Objectives
- Analyze Malware Behavior Using Sandbox Tools: Learn how sandboxes isolate malicious code and detect malware behavior.
- Explore YARA Rules for Malware Detection: Understand how to create and use YARA rules to identify patterns in malware code.
- Learn About Malware Evasion Techniques: Explore common methods attackers use to bypass detection mechanisms.
- Implement an Evasion Technique to Bypass YARA Detection: Experiment with modifying malware to evade YARA rule detection.
Tools Used in This Task
- YARA: For detecting patterns in malware files.
- Sysmon: For monitoring system-level activities, including process creation and network connections.
- Floss: A tool to extract obfuscated or hidden strings from binaries.
- CyberChef: For decoding and analyzing encoded data.
- Windows Event Viewer: To analyze system logs and trace malware behavior.
Understanding the Tools
- YARA: Known as the "pattern-matching Swiss Army knife," YARA is an essential tool for detecting malware. Its customizable rules allow analysts to pinpoint malicious patterns in files and processes.
- Sysmon: A part of the Sysinternals suite, Sysmon logs detailed system activity such as process creation, which is crucial for identifying malware activity.
- Floss: Unlike the basic strings command, Floss is optimized for malware analysis and extracts obfuscated strings, giving insights into the malware's true behavior.
- CyberChef: Dubbed "the cyber Swiss Army knife," it decodes and analyzes encoded data, like the Base64 PowerShell command used in this exercise.
- Windows Event Viewer: A core Windows tool for viewing detailed event logs, helping track the malware's operational history.
Task Walkthrough
Detecting Sandboxes
Mayor Malware started by writing malware designed to detect whether it's running in a sandbox environment. The malware queried the Windows registry to check for the presence of the C:\Program Files directory. This query helped the malware decide whether to execute its payload.
The detection capability was tested using a YARA rule to monitor the query. The rule identified commands accessing the registry path HKLM\Software\Microsoft\Windows\CurrentVersion.
Steps to replicate:
- Run the custom EDR script: Launch the JingleBells.ps1 script to monitor Sysmon logs for registry queries.
- Execute the malware: Run MerryChristmas.exe. The EDR detected the registry query and displayed a popup with the flag THM{GlitchWasHere}.
Adding Malware Evasion Techniques
To bypass the YARA rule, Mayor Malware added an evasion technique by encoding the PowerShell registry query in Base64. This added a layer of obfuscation to the command:
powershell -EncodedCommand RwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0...
To analyze this obfuscation:
- Use CyberChef to decode the Base64 command.
- Run Floss to extract hidden strings from MerryChristmas.exe. Floss uncovered the flag THM{HiddenClue} embedded in the binary.
Using YARA Rules on Sysmon Logs
YARA rules were applied to Sysmon logs to detect traces of the malware:
- Extracted relevant logs using the Event Record ID from the EDR log file.
- Applied a custom XML filter in the Event Viewer to isolate events tied to the malware.
- Analyzed the event details, identifying:
  - Parent Process: MerryChristmas.exe
  - Command Line: The registry query used.
  - User: The privileges used during execution.
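As an added example (not code from the room, the page, or its EDR script), here is the defender's side of the Base64 evasion above and of the Sysmon log check: the same registry-path match is applied to the raw Sysmon command line and, when the line carries -EncodedCommand, to the decoded UTF-16LE payload, so the encoded variant is caught too. The sample command lines are constructed; the encoded form of the query reproduces the Base64 prefix quoted above.

```python
import base64
import re

# Registry path the exercise's YARA rule flagged; "HKLM:\" is the PowerShell drive spelling.
REG_PATH_RE = re.compile(r"HKLM:?\\Software\\Microsoft\\Windows\\CurrentVersion", re.IGNORECASE)
# -EncodedCommand and its short aliases, followed by a Base64 blob.
ENC_ARG_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the script hidden behind -EncodedCommand, or None if absent or malformed."""
    m = ENC_ARG_RE.search(cmdline)
    if not m:
        return None
    try:
        # PowerShell expects Base64 over UTF-16LE (hence the "AHQA"-style blobs), not ASCII.
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def detect(cmdline):
    """Static match on the raw command line (what a plain YARA string would see)
    plus the same match on the decoded payload, which the encoded variant needs."""
    decoded = decode_encoded_command(cmdline)
    return {
        "static_hit": bool(REG_PATH_RE.search(cmdline)),
        "decoded_hit": bool(decoded and REG_PATH_RE.search(decoded)),
        "decoded": decoded,
    }


def powershell_encode(script):
    """Build the -EncodedCommand form; used here only to construct the sample log lines."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample Sysmon Event ID 1 command lines (not real logs from the room).
QUERY = 'Get-ItemProperty -Path "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion"'
PLAIN_CMD = "powershell.exe " + QUERY
ENCODED_CMD = "powershell.exe -EncodedCommand " + powershell_encode(QUERY)
BENIGN_CMD = "powershell.exe -enc " + powershell_encode("Get-Date")


def scan(cmdlines):
    """Return the indexes of command lines that hit either check."""
    return [i for i, c in enumerate(cmdlines)
            if any(detect(c)[k] for k in ("static_hit", "decoded_hit"))]


if __name__ == "__main__":
    for c in (PLAIN_CMD, ENCODED_CMD, BENIGN_CMD):
        print(detect(c))
```

The Base64 blob in ENCODED_CMD begins with the same RwBlAHQALQBJ... prefix shown in the encoded command above, which is simply "Get-ItemProperty -" in UTF-16LE.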
Recap of Learning Objectives
Implement Evasion Techniques to Bypass YARA Detection
Attackers constantly adapt to detection tools by modifying their techniques. The use of Base64 encoding to bypass YARA rules in this exercise illustrates a common approach to evade static signature detection. This emphasizes the importance of designing dynamic detection methods that account for encoded, obfuscated, or polymorphic malware. For defenders, this means leveraging tools like Floss to uncover hidden strings, analyzing behavioral patterns instead of just static signatures, and continuously refining detection rules to counter new evasion tactics.
Analyze Malware Behavior Using Sandbox Tools
Sandboxes are an indispensable tool for malware analysis, offering a controlled environment to observe potentially dangerous code. In real-world scenarios, organizations deploy sandboxes to test suspicious email attachments, executable files, and scripts before allowing them to interact with their networks. By simulating user activity, sandboxes capture the malware's behavior, such as registry queries, network connections, and file modifications. However, as seen in this exercise, attackers often design malware to detect sandbox environments and halt their operations. Understanding these checks, like the absence of certain registry entries or directories, helps defenders craft more effective sandbox environments that mimic real systems closely enough to deceive malware.
Explore YARA Rules for Malware Detection
YARA rules provide a powerful way to detect malicious patterns across a variety of files and processes. They are highly customizable, allowing analysts to pinpoint specific behaviors or signatures associated with malware. In practical use, YARA is employed to scan large repositories, identify new malware families, or ensure files meet security policies. For example, a rule targeting registry queries like HKLM\Software\Microsoft\Windows\CurrentVersion can help detect malware that uses sandbox-detection techniques. Beyond malware detection, YARA can also aid in identifying data exfiltration attempts or unauthorized software within enterprise environments.
Learn About Malware Evasion Techniques
Malware evasion techniques, like obfuscation, encoding, and sandbox detection, are a growing challenge for defenders. Attackers use these methods to bypass signature-based detection and delay analysis. In this task, encoding a PowerShell command in Base64 demonstrated how simple transformations can evade detection tools. Real-world malware often combines multiple evasion techniques, such as encryption of payloads, code injection into legitimate processes, and environmental checks to avoid detection. Understanding these methods enables security teams to enhance their detection mechanisms with heuristics, anomaly-based detection, and behavior analysis.
By leveraging sandboxes, YARA rules, and advanced log analysis, today's task demonstrated the interplay between attackers' evasion tactics and defenders' detection strategies. As malware evolves, so must our tools and techniques to stay one step ahead.