Skills Assessment - Suricata

Question

There is a file named pipekatposhc2.pcap in the /home/htb-student/pcaps directory, which contains network traffic related to WMI execution. Add yet another content keyword right after the msg part of the rule with sid 2024233 within the local.rules file so that an alert is triggered and enter the specified payload as your answer. Answer format: C____e

  • Then, after reading the pcap file within Wireshark, I also read the hyperlink that was mentioned in the Skills Assessment. The hyperlink mentioned checking for keywords such as ‘Win32_Process’ and ‘Create’ when detecting this attack. Seeing that the rule already mentions ‘Win32_Process’, I decided to try ‘Create’.

  • Following that, I ran the command:

sudo suricata -r /home/htb-student/pcaps/pipekatposhc2.pcap -l . -k none
  • Then I checked the log to see if it detected the attack successfully.
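The two steps above, inserting a content keyword right after the msg option of the rule with sid 2024233 and then checking the eve.json alerts Suricata wrote to the -l directory, as an added Python example (not code from the course or from HTB). The rule body for sid 2024233 and the eve.json lines are constructed, since the real ET rule text is not reproduced on this page.

```python
import json
import re

# Constructed sample local.rules; the real text of ET sid 2024233 is not
# shown on this page, so this rule body is an assumption for illustration.
LOCAL_RULES = (
    'alert tcp any any -> any any (msg:"LOCAL WMI Win32_Process over DCERPC"; '
    'flow:established,to_server; content:"Win32_Process"; nocase; sid:2024233; rev:1;)\n'
    'alert tcp any any -> any any (msg:"LOCAL unrelated"; content:"foo"; sid:1000001; rev:1;)\n'
)

# Constructed eve.json lines in the shape Suricata writes (one JSON object per line).
EVE_LINES = [
    '{"event_type":"alert","alert":{"signature_id":2024233,"signature":"LOCAL WMI Win32_Process over DCERPC"}}',
    '{"event_type":"flow","flow":{"pkts_toserver":10}}',
    '{"event_type":"alert","alert":{"signature_id":1000001,"signature":"LOCAL unrelated"}}',
]

MSG_RE = re.compile(r'msg:\s*"(?:[^"\\]|\\.)*"\s*;')  # msg value may contain \" escapes
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')


def add_content_after_msg(rule: str, payload: str) -> str:
    """Insert content:"<payload>"; immediately after the msg option of one rule line."""
    m = MSG_RE.search(rule)
    if m is None:
        raise ValueError("rule has no msg option")
    if f'content:"{payload}";' in rule:
        return rule  # keyword already present, leave the rule unchanged
    return rule[:m.end()] + f' content:"{payload}";' + rule[m.end():]


def patch_rules(rules_text: str, sid: int, payload: str) -> str:
    """Apply add_content_after_msg only to the active (uncommented) rule carrying sid."""
    out = []
    for line in rules_text.splitlines():
        m = SID_RE.search(line)
        if m and int(m.group(1)) == sid and not line.lstrip().startswith("#"):
            line = add_content_after_msg(line, payload)
        out.append(line)
    return "\n".join(out) + "\n"


def alert_count(eve_lines, sid: int) -> int:
    """Count eve.json alert events whose signature_id matches sid."""
    hits = 0
    for raw in eve_lines:
        ev = json.loads(raw)
        if ev.get("event_type") == "alert" and ev.get("alert", {}).get("signature_id") == sid:
            hits += 1
    return hits
```

A zero count from alert_count after the suricata run means the added content keyword did not match the pcap payload, so the rule text, not the log check, is what to revisit.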
