eSentire Seminar & CTF 2025
February 26, 2025 — by Bisrat (Seminar & CTF)
🔍 eSentire Seminar & CTF 2025: From Intel to Action
On Wednesday, February 26th, 2025, students and cyber enthusiasts at the University of Guelph were treated to an immersive full-day experience by eSentire, diving deep into the modern frontlines of cybersecurity. The event was split into two major parts — a seminar led by experts from eSentire’s Threat Response Unit (TRU), followed by a hands-on Capture the Flag (CTF) challenge that put participants’ skills to the test.
🎓 The Seminar: Building a Threat-Ready Mindset
The day kicked off with eSentire walking us through the evolving landscape of Threat Intelligence and Threat Hunting — two pillars of modern cybersecurity operations.
We explored what threat intelligence really means: it’s not just about knowing your adversaries, but understanding them at strategic, operational, and tactical levels. The TRU team showed how intelligence can guide decisions across the board — from CISOs to SOC analysts — and how they use open-source, government, and proprietary feeds to craft high-fidelity threat data.
One standout feature? eSentire’s ability to deliver high-confidence IOCs updated every 24 hours, many of which are seen before they hit commercial feeds. That’s a major edge in staying proactive.
We also learned about the “Pyramid of Pain” and how abstract analytics and behavioral indicators are often the most effective for detection. Their use of MITRE ATT&CK’s TTP-based hunting was a great framework for us to understand the “why” behind the hunts.
🕵️ The CTF: Turning Knowledge into Threat Hunts
After absorbing the theory, it was time to get our hands dirty. The CTF was a well-crafted, realistic environment where we applied our new skills. The mission: detect and report malicious activity using real logs, analytics, and investigative techniques.
Some of the key challenges included:
- Parsing and investigating logs from a simulated attack scenario (including analyzing a noisy auth.log file full of brute-force SSH attempts).
- Crafting and tuning YARA rules (such as one for detecting pspy, a known privilege escalation tool).
- Using parsed logs and indicators to detect suspicious behavior, track attacker pivots, and hypothesize based on observed tactics.
We leveraged tools like custom log parsers, analysis scripts, and shared intelligence reports to track indicators and behavior over time. Many teams crafted detailed reports outlining attacker TTPs, including their initial access vectors, lateral movement, and persistence mechanisms.
🧬 Crafting Detection: The YARA Rule for pspy
One of the more technical — and fascinating — parts of the CTF involved writing a YARA rule to detect the pspy binary. pspy is a powerful privilege escalation and process monitoring tool that attackers often use to observe running processes without needing root. Detecting it accurately is crucial in early threat identification.
But here’s the catch: we weren’t just looking for basic file signatures. The challenge was to make a rule that’s:
- Accurate (high true positive rate),
- Reliable (resistant to obfuscation or byte-level changes), and
- Efficient (minimizing false positives and CPU cost).
Using eSentire’s detection engineering methodology, the solution involved three main steps:
- Identify Unchangeable ELF Headers: All Linux binaries start with a magic number. pspy, like any ELF binary, begins with \x7fELF. The rule accounted for both variants of the bytes that follow: \x02\x01\x01 (64-bit ELF) and \x01\x01\x01 (32-bit ELF).
- Leverage Unique Build IDs: The compiled version of pspy includes a unique Build ID — a fingerprint of the binary. Though attackers could recompile it, the inclusion of this ID still offers a high-confidence match for known versions.
- Target the Data Section: Lastly, the rule focused on data bytes within the binary that were resistant to compilation changes. These were found by comparing multiple compiled versions of pspy with small source modifications.
Example Snippet (from the YARA Rule):
rule Detect_pspy {
    meta:
        description = "Detects pspy binary"
        author = "CTF Team"
    strings:
        $elf_magic_64 = { 7F 45 4C 46 02 01 01 }   // \x7fELF, 64-bit, little-endian, ELF version 1
        $elf_magic_32 = { 7F 45 4C 46 01 01 01 }   // \x7fELF, 32-bit, little-endian, ELF version 1
        $stable_bytes = { C7 45 FC 00 00 00 00 48 89 E5 48 83 EC 20 }   // sequence found stable across rebuilds
    condition:
        // the magic must sit at offset 0, not merely somewhere in the file
        ($elf_magic_64 at 0 or $elf_magic_32 at 0) and $stable_bytes
}
This rule combines the format-level signature with stable instruction sequences, making it robust against binary changes while avoiding noisy detections.
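To make the first two steps concrete, here is an added Python example (not code from the CTF, from eSentire, or from the pspy project) that reads the ELF class from e_ident, walks the program headers for the PT_NOTE segment that carries the GNU Build ID, and renders that ID as a YARA hex string ready to paste into a rule. It handles both 32-bit and 64-bit little-endian ELF, slightly beyond the 64-bit case the rule above shows. The sample ELF bytes are constructed inline and the Build ID value is made up; no real pspy binary is involved.

```python
"""Read ELF class and GNU Build ID from a binary (added example, not CTF or eSentire code)."""
import struct
from typing import Iterator, Optional, Tuple

ELF_MAGIC = b"\x7fELF"          # e_ident[0:4], what the rule's hex strings start with
ELFCLASS32, ELFCLASS64 = 1, 2   # e_ident[EI_CLASS]
PT_NOTE = 4                     # program header type that carries ELF notes
NT_GNU_BUILD_ID = 3             # note type of the linker-generated Build ID


def elf_class(data: bytes) -> int:
    """Return 32 or 64 from e_ident[EI_CLASS]; raise ValueError for non-ELF input."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] == ELFCLASS64:
        return 64
    if data[4] == ELFCLASS32:
        return 32
    raise ValueError(f"unknown ELF class {data[4]}")


def _program_headers(data: bytes) -> Iterator[Tuple[int, int, int]]:
    """Yield (p_type, p_offset, p_filesz) per program header; little-endian ELF assumed."""
    if elf_class(data) == 64:
        phoff = struct.unpack_from("<Q", data, 0x20)[0]           # e_phoff
        phentsize, phnum = struct.unpack_from("<HH", data, 0x36)  # e_phentsize, e_phnum
        for i in range(phnum):
            p_type, _flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
                "<IIQQQQ", data, phoff + i * phentsize)
            yield p_type, p_offset, p_filesz
    else:
        phoff = struct.unpack_from("<I", data, 0x1C)[0]
        phentsize, phnum = struct.unpack_from("<HH", data, 0x2A)
        for i in range(phnum):
            p_type, p_offset, _va, _pa, p_filesz = struct.unpack_from(
                "<IIIII", data, phoff + i * phentsize)
            yield p_type, p_offset, p_filesz


def gnu_build_id(data: bytes) -> Optional[str]:
    """Return the NT_GNU_BUILD_ID descriptor as lowercase hex, or None if absent."""
    for p_type, off, size in _program_headers(data):
        if p_type != PT_NOTE:
            continue
        end = off + size
        while off + 12 <= end:                  # each note: namesz, descsz, type, name, desc
            namesz, descsz, n_type = struct.unpack_from("<III", data, off)
            off += 12
            name = data[off:off + namesz].rstrip(b"\0")
            off += (namesz + 3) & ~3            # name and desc are padded to 4 bytes
            desc = data[off:off + descsz]
            off += (descsz + 3) & ~3
            if name == b"GNU" and n_type == NT_GNU_BUILD_ID:
                return desc.hex()
    return None


def yara_hex_string(hex_digits: str) -> str:
    """Render hex digits as a YARA hex string, e.g. '0a1b' -> '{ 0a 1b }'."""
    return "{ " + " ".join(hex_digits[i:i + 2] for i in range(0, len(hex_digits), 2)) + " }"


def build_sample_elf64(build_id: bytes) -> bytes:
    """Constructed minimal ELF64 (header + one PT_NOTE segment); not a real executable."""
    e_ident = ELF_MAGIC + bytes([ELFCLASS64, 1, 1, 0]) + b"\0" * 8   # 64-bit, LE, version 1
    note = struct.pack("<III", 4, len(build_id), NT_GNU_BUILD_ID) + b"GNU\0" + build_id
    note += b"\0" * ((-len(build_id)) & 3)      # pad desc to a 4-byte boundary
    ehdr_size, phdr_size = 64, 56
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", e_ident, 2, 0x3E, 1, 0,
                       ehdr_size, 0, 0, ehdr_size, phdr_size, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_NOTE, 4, ehdr_size + phdr_size, 0, 0,
                       len(note), len(note), 4)
    return ehdr + phdr + note


SAMPLE_BUILD_ID = bytes.fromhex("00112233445566778899aabbccddeeff01234567")  # made-up value
SAMPLE_ELF = build_sample_elf64(SAMPLE_BUILD_ID)

if __name__ == "__main__":
    bid = gnu_build_id(SAMPLE_ELF)
    print("class:", elf_class(SAMPLE_ELF), "build id:", bid)
    print("$build_id =", yara_hex_string(bid))
```

Run it against a real file by replacing SAMPLE_ELF with the bytes read from disk; the output line is the string you would add under the rule's strings section, and a binary with no Build ID simply returns None, which is the case the Build ID step cannot cover.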
🧠 What This Teaches Us
Detection engineering isn’t just about scanning for strings — it’s about understanding the nature of binaries, attacker behaviors, and the limits of obfuscation.
🧪 Breaking Down the Noise: Analyzing auth.log Like a Threat Hunter
One of the core exercises in the CTF was working with an extremely noisy auth.log file. Our mission? Detect signs of brute force or spray attacks, identify threat actors, and determine the success or failure of login attempts.
🧰 Step 1: Parse the Raw Log File
import json
import pandas as pd

# auth.parsed holds one JSON object per line
with open("auth.parsed", "r") as f:
    data = f.read().strip()
# Format data as a JSON array: join the objects with commas and wrap in brackets
data = "[" + data.replace("}\n", "},").rstrip(",") + "]"
df = pd.DataFrame(json.loads(data))
🔍 Step 2: Detect Brute Force Attempts
# Count failed logins against nonexistent accounts per source IP, busiest first
invalid = df[df['result'] == 'invalid_user']
print(invalid.groupby('src_ip').size().sort_values(ascending=False))
🔐 Step 3: Investigate Suspicious Behavior
/usr/sbin/useradd -a -s /bin/bash -G sudo TekDestroyer
🧠 Step 4: Contextualize It All
- No successful root logins (thankfully).
- Multiple brute force attempts on random, nonexistent users.
- Clear evidence of attacker enumeration and privilege abuse.
- Extracted hash: 99b1f8f11781541f789f9bd41c4a17 → Flag: hello world
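Steps 1 through 4 as one runnable program, added here as an example and not the CTF's own parser or eSentire's code: it parses raw syslog-style sshd and sudo lines (the layout of the auth.parsed file is not shown on the page, so it starts from the raw format instead), counts failures per source IP for brute force, counts distinct account names per IP for enumeration or spraying, checks for successful root logins, and flags sudo commands that add an account to the sudo group, the pattern seen in Step 3. The log lines are constructed, use documentation IP ranges and made-up account names, and only the standard library is used in place of pandas.

```python
"""Parse raw auth.log lines and flag brute force, spraying and privilege abuse (added example)."""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple

TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"
SSHD_RE = re.compile(TS + r" \S+ sshd\[\d+\]: (?P<msg>.*)$")
SUDO_RE = re.compile(TS + r" \S+ sudo:\s+(?P<user>\S+) : .*COMMAND=(?P<cmd>.*)$")
FAILED_RE = re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src_ip>\S+)")
ACCEPTED_RE = re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<src_ip>\S+)")
# useradd/usermod that places the account in the sudo group
PRIV_CHANGE_RE = re.compile(r"\b(?:useradd|usermod)\b.*-G\s*\S*\bsudo\b")
FAILS = ("failed", "invalid_user")

# Constructed sample log: documentation IP ranges, made-up hosts and account names.
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:13 host sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:16 host sshd[2203]: Failed password for invalid user oracle from 203.0.113.7 port 51240 ssh2
Mar  3 10:01:19 host sshd[2205]: Failed password for invalid user test from 203.0.113.7 port 51244 ssh2
Mar  3 10:01:20 host sshd[2205]: Connection closed by 203.0.113.7 port 51244 [preauth]
Mar  3 10:02:01 host sshd[2210]: Failed password for root from 198.51.100.9 port 40000 ssh2
Mar  3 10:02:04 host sshd[2210]: Failed password for root from 198.51.100.9 port 40000 ssh2
Mar  3 10:05:30 host sshd[2250]: Accepted password for alice from 192.0.2.10 port 50001 ssh2
Mar  3 10:06:02 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/useradd -s /bin/bash -G sudo tekop
"""


def parse_line(line: str) -> Optional[dict]:
    """One record per sshd auth result or sudo command; None for lines treated as noise."""
    m = SSHD_RE.match(line)
    if m:
        msg = m.group("msg")
        mm = FAILED_RE.match(msg)
        if mm:
            result = "invalid_user" if "invalid user" in msg else "failed"
            return {"ts": m.group("ts"), "src_ip": mm.group("src_ip"),
                    "user": mm.group("user"), "result": result, "cmd": None}
        mm = ACCEPTED_RE.match(msg)
        if mm:
            return {"ts": m.group("ts"), "src_ip": mm.group("src_ip"),
                    "user": mm.group("user"), "result": "accepted", "cmd": None}
        return None
    m = SUDO_RE.match(line)
    if m:
        return {"ts": m.group("ts"), "src_ip": None, "user": m.group("user"),
                "result": "sudo", "cmd": m.group("cmd")}
    return None


def parse_log(text: str) -> Tuple[List[dict], int]:
    """Step 1: structured records plus a count of lines that did not fit any pattern."""
    records, unparsed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
        else:
            records.append(rec)
    return records, unparsed


def brute_force_sources(records: List[dict], threshold: int = 3) -> List[Tuple[str, int]]:
    """Step 2: source IPs with at least `threshold` failed attempts, busiest first."""
    counts = Counter(r["src_ip"] for r in records if r["result"] in FAILS)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


def spray_sources(records: List[dict], min_users: int = 3) -> Dict[str, List[str]]:
    """Source IPs that tried at least `min_users` distinct names: enumeration or spraying."""
    users = defaultdict(set)
    for r in records:
        if r["result"] in FAILS:
            users[r["src_ip"]].add(r["user"])
    return {ip: sorted(u) for ip, u in users.items() if len(u) >= min_users}


def analyze(text: str) -> dict:
    """Steps 1 to 4 together: parse, then answer the questions the report needs."""
    records, unparsed = parse_log(text)
    return {
        "parsed": len(records), "unparsed": unparsed,
        "brute_force": brute_force_sources(records),
        "spray": spray_sources(records),
        "root_logins": [r for r in records if r["result"] == "accepted" and r["user"] == "root"],
        "priv_changes": [r for r in records if r["result"] == "sudo" and PRIV_CHANGE_RE.search(r["cmd"])],
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_AUTH_LOG).items():
        print(f"{key}: {value}")
```

The thresholds are deliberately low so the tiny sample trips them; on a real auth.log you would raise them and look at the time span as well, since a handful of failures spread over a day is normal noise while the same count in a minute is not.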
💡 Lessons Learned
Parsing a chaotic log file requires:
- A structured approach using tools like pandas.
- Pattern recognition — spotting repeated invalid_user entries.
- Analytical thinking to distinguish noise from malicious signal.
📝 Reporting the Threat
The final deliverable was a Threat Intelligence Report with:
- Executive Summary – simple and clear overview.
- Recommended Actions – mitigation suggestions.
- IOCs & Context – IPs, usernames, and behaviors.
- References – both public and internal.
🧠 Final Thoughts
This wasn’t just a “click-through CTF” — it was about critical thinking. We formed hypotheses, tested them with data, and drew actionable conclusions.