
THM Range Diary 40 - Advent of Cyber 2024: Day 6

  • Sandbox detection

    For malware, one way to tell whether it is running in a sandbox is to check whether the registry path HKLM\Software\Microsoft\Windows\CurrentVersion exists; this key is normally absent in sandbox or virtualised environments.

    The code used for the check is as follows:

    ```c
    #include <stdio.h>
    #include <stdlib.h>

    void registryCheck() {
        const char *registryPath = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion";
        const char *valueName = "ProgramFilesDir";

        // Prepare the command string for reg.exe
        char command[512];
        snprintf(command, sizeof(command), "reg query \"%s\" /v %s", registryPath, valueName);
        // Run the command
        int result = system(command);
        // Check for successful execution (0 means the key and value were found)
        if (result == 0) {
            printf("Registry query executed successfully.\n");
        } else {
            fprintf(stderr, "Failed to execute registry query.\n");
        }
    }

    int main() {
        const char *flag = "[REDACTED]"; // flag value is redacted in the write-up
        registryCheck();
        return 0;
    }
    ```

    At the same time, the following YARA rule can be run to keep watching for this registry access:

    ```yara
    rule SANDBOXDETECTED
    {
        meta:
            description = "Detects the sandbox by querying the registry key for Program Path"
            author = "TryHackMe"
            date = "2024-10-08"
            version = "1.1"

        strings:
            $cmd= "Software\\Microsoft\\Windows\\CurrentVersion\" /v ProgramFilesDir" nocase

        condition:
            $cmd
    }
    ```
  • Obfuscation and de-obfuscation

    Obfuscation can make the malware harder to spot, since the literal registry string no longer appears in the binary:

    ```c
    #include <stdio.h>
    #include <stdlib.h>

    void registryCheck() {
        // Encoded PowerShell command to query the registry
        const char *encodedCommand = "RwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgACIASABLAEwATQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuACIAIAAtAE4AYQBtAGUAIABQAHIAbwBnAHIAYQBtAEYAaQBsAGUAcwBEAGkAcgA=";
        // Prepare the PowerShell execution command
        char command[512];
        snprintf(command, sizeof(command), "powershell -EncodedCommand %s", encodedCommand);

        // Run the command
        int result = system(command);

        // Check for successful execution
        if (result == 0) {
            printf("Registry query executed successfully.\n");
        } else {
            fprintf(stderr, "Failed to execute registry query.\n");
        }
    }
    ```

    Against this, floss can be used: it extracts obfuscated strings from a malware binary.

    In PowerShell:

    ```powershell
    .\floss.exe C:\Tools\Malware\MerryChristmas.exe | out-file C:\tools\output.txt
    ```

  • Monitoring system activity with Sysmon

    This Windows service provides detailed data on process creation, network connections and file changes, which is used to trace the malware's behaviour:

    First, find the malware's event record ID.

    Run JingleBells.ps1 to keep monitoring, then launch merrychristmas.exe; the log is written to YaraMatches.txt, from which the event record ID is taken.

    Then open the Windows Event Viewer:

    Applications and Services Logs -> Microsoft -> Windows -> Sysmon -> Operational

    Click Filter Current Log on the right,

    and edit the XML tab:

    ```xml
    <QueryList>
      <Query Id="0" Path="Microsoft-Windows-Sysmon/Operational">
        <Select Path="Microsoft-Windows-Sysmon/Operational">
          *[System[(EventRecordID=[fill in the event record id])]]
        </Select>
      </Query>
    </QueryList>
    ```

    • ParentImage shows the parent process that spawned it
    • ParentProcessId and ProcessId are used to look up related events in the log afterwards
    • User is used to see whether a hidden user was created to run the command
    • CommandLine shows the exact command that was run, used to identify the behaviour
    • UtcTime gives the time frame, narrowing the search
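As an added example (not part of this write-up or the TryHackMe room), the Python below shows why the literal YARA string from the sandbox-detection section misses the obfuscated registryCheck() and how decoding the -EncodedCommand payload (base64 over UTF-16LE) recovers the same registry query. The encoded string is the one from the obfuscated registryCheck() above; the surrounding "binary" bytes are constructed for the demo.

```python
import base64
import binascii
import re
from typing import Optional

# Registry path fragment that the write-up's YARA rule matches literally.
REGISTRY_MARKER = re.compile(r"Software\\Microsoft\\Windows\\CurrentVersion", re.I)
# Runs of base64 text long enough to be an -EncodedCommand payload.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{32,}={0,2}")

# Encoded command copied from the obfuscated registryCheck() in the write-up.
ENCODED = (
    b"RwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgACIASABLAEwATQA6AFwA"
    b"UwBvAGYAdAB3AGEAcgBlAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIA"
    b"cgBlAG4AdABWAGUAcgBzAGkAbwBuACIAIAAtAE4AYQBtAGUAIABQAHIAbwBnAHIAYQBtAEYAaQBsAGUA"
    b"cwBEAGkAcgA="
)

# Constructed stand-in for a dropped binary: the plain-text check from the
# first registryCheck() next to the encoded one, padded with unrelated bytes.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00PADDING\x00"
    b'reg query "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion" /v ProgramFilesDir\x00'
    b"powershell -EncodedCommand " + ENCODED + b"\x00"
)

def decode_encoded_command(candidate: bytes) -> Optional[str]:
    """-EncodedCommand is base64 over UTF-16LE text; None if it is not that."""
    try:
        return base64.b64decode(candidate, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None

def plain_string_hits(blob: bytes) -> int:
    """Literal matches only: what the write-up's YARA string sees."""
    return len(REGISTRY_MARKER.findall(blob.decode("latin-1")))

def hidden_registry_queries(blob: bytes) -> list[str]:
    """Decode every base64 run and keep those that reveal the registry query."""
    found = []
    for match in B64_RUN.finditer(blob):
        decoded = decode_encoded_command(match.group())
        if decoded and REGISTRY_MARKER.search(decoded):
            found.append(decoded)
    return found

if __name__ == "__main__":
    print("literal matches:", plain_string_hits(SAMPLE_BINARY))
    for command in hidden_registry_queries(SAMPLE_BINARY):
        print("decoded -EncodedCommand:", command)
```

The literal scan sees only the first variant, while the decoder surfaces the Get-ItemProperty query hidden in the second; in practice the same decoding is what makes the floss output above readable.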
What is the flag displayed in the popup window after the EDR detects the malware?
THM{GlitchWasHere}

What is the flag found in the malstrings.txt document after running floss.exe, and opening the file in a text editor?
THM{HiddenClue}